Smitfraud-C



frustrated11
2006-01-12, 22:39
I am unable to fix Smitfraud-C. I read in another thread that this problem will be fixed in a subsequent update. However, I can't get rid of it. Has it been updated? Is this in fact a false positive?

tashi
2006-01-13, 03:19
Hello.
We need a little more information before we can say if it is a f/p or not.

We may ask for a Spybot-S&D log but first:

Open Spybot>Help>About
Let us know the version and latest detection update.

Also what is your Operating System and which other security programs do you have installed.

Cheers.

frustrated11
2006-01-13, 04:09
I have Spybot 1.4, last updated 01-06-06.

I have Windows 2000. The other security programs I have are Ad-Aware, HijackThis, ewido, and Spy Sweeper 3.0.

Please let me know if you need anything else.

tashi
2006-01-13, 04:17
Thank you. No anti virus program?

HJT is a tool btw, not a security program so please do not use it without expert guidance. :)

<snip>

Edit: we posted at the same time.

Please post the full log and I will ask Lonny to take a look.
Open SpyBot, close all browsers, check for problems and fix everything found. Then on the toolbar menu select Mode and switch to Advanced mode; on the left, lower down, select Tools, then View Report, and ensure all the options near the bottom are selected except:

Uncheck [ ] Do not report disabled or known legitimate items.
Uncheck [ ] Include a list of services in report.
Uncheck [ ] Include uninstall list in report.

Now select (near the top) View Report.
Press Export; in the Save in box choose a place such as your My Documents folder, then in your next post, near the bottom, select the "Browse" button; navigate to and attach or post that report please.

frustrated11
2006-01-13, 04:45
--- Search result list ---
Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-15412401-895157793-1247027225-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\adulthell.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-15412401-895157793-1247027225-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bin.wordsx.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-15412401-895157793-1247027225-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cc20foreva.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-15412401-895157793-1247027225-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\crl.thawte.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-15412401-895157793-1247027225-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\datingforlove.org\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-15412401-895157793-1247027225-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\e-finder.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-15412401-895157793-1247027225-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\fast-look.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-15412401-895157793-1247027225-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\letgohome.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-15412401-895157793-1247027225-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\love-catalog.net\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-15412401-895157793-1247027225-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\makechoice.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-15412401-895157793-1247027225-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\meetyourfriend.biz\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-15412401-895157793-1247027225-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\msnprotection.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-15412401-895157793-1247027225-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\t34rulit.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-15412401-895157793-1247027225-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\terra.hcworld.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-15412401-895157793-1247027225-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\toprefsys.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-15412401-895157793-1247027225-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\tracking.allposters.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-15412401-895157793-1247027225-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\visitfriend.net\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-15412401-895157793-1247027225-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\www.niger.ru\*!=W=4


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2006-01-12 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-01-06 Includes\Cookies.sbi (*)
2006-01-06 Includes\Dialer.sbi (*)
2006-01-06 Includes\Hijackers.sbi (*)
2006-01-06 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-01-06 Includes\Malware.sbi (*)
2006-01-06 Includes\PUPS.sbi (*)
2006-01-06 Includes\Revision.sbi (*)
2006-01-06 Includes\Security.sbi (*)
2006-01-06 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-01-06 Includes\Trojans.sbi (*)



--- System information ---
Windows 2000 (Build: 2195) Service Pack 4
/ DataAccess: Microsoft Data Access Components KB870669
/ DataAccess: Security Update for Microsoft Data Access Components
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB896688
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB896727
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB905495
/ Internet Explorer 6 / SP1: Windows 2000 Hotfix - KB905915
/ Outlook Express 6 / SP1: Windows 2000 Hotfix - KB897715
/ Windows 2000 / SP4: Windows 2000 Service Pack 4
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB823182
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB823559
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB824105
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB826232
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB828035
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB828741
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB828749
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB835732
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB837001
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB839643
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB839645
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB840987
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB841356
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB841533
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB841872
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB841873
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB842526
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB842773
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB871250
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB873333
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB873339
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB885250
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB885835
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB885836
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB888113
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB890046
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB890859
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB891781
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB893066
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB893086
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB893756
/ Windows 2000 / SP5: Windows Installer 3.1 (KB893803)
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB894320
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB896358
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB896422
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB896423
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB896424
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB899587
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB899588
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB899589
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB900725
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB901017
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB901214
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB902400
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB904706
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB905414
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB905749
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB908519
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB908523
/ Windows 2000 / SP5: Windows 2000 Hotfix - KB912919
/ Windows 2000 / SP5: Update Rollup 1 for Windows 2000 SP4
/ Windows Media Player: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows Media Player / SP0: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows Media Player: Windows Media Update 817787


--- Startup entries list ---
Located: HK_LM:Run, BJCFD
command: C:\Program Files\BroadJump\Client Foundation\CFD.exe
file: C:\Program Files\BroadJump\Client Foundation\CFD.exe
size: 368706
MD5: ba9af06103549a96f77036861fde357b

Located: HK_LM:Run, CMPDPSRV
command: C:\WINNT\system32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
file: C:\WINNT\system32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
size: 40960
MD5: 5ea609093dc1dfa8ae828b1c7c8a3024

Located: HK_LM:Run, CPQEASYACC
command: C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
file: C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
size: 409600
MD5: 8f96b6cfce326d0dde5a8d68d5352d68

Located: HK_LM:Run, EACLEAN
command: C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
file: C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
size: 122880
MD5: bf3f57aa9b052a93750ade09a1c4e4b4

Located: HK_LM:Run, IPInSightMonitor 02
command: "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
file: C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
size: 122880
MD5: 7187b64d933c478227e6ccc04c0b68f7

Located: HK_LM:Run, nmapp
command: "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun
file: C:\Program Files\Pure Networks\Network Magic\nmapp.exe
size: 487424
MD5: c8287b18285db7710aa3f52f3179b7b0

Located: HK_LM:Run, Synchronization Manager
command: mobsync.exe /logon
file: C:\WINNT\system32\mobsync.exe
size: 111376
MD5: 9b2f5b9e745deaaa57fb78329ed03061

Located: HK_LM:Run, SynTPEnh
command: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
file: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
size: 249856
MD5: 1ee09cdc2ff456cedf01f50a9884c976

Located: HK_LM:Run, SynTPLpr
command: C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
file: C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
size: 94208
MD5: 32ba3932acd6dea5c670b918a792f503

Located: HK_CU:Run, AIM
command: C:\Program Files\AIM\aim.exe -cnetwait.odl
file:

Located: HK_CU:Run, msnmsgr
command: "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
file: C:\Program Files\MSN Messenger\MsnMsgr.Exe
size: 6856704
MD5: 05acc06b81fda7e01f7fbeae9dfc5a3d

Located: HK_CU:Run, SpybotSD TeaTimer
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1415824
MD5: 70496eee0ddbe485f658693826f44d38

Located: Startup (common), Adobe Gamma Loader.lnk
command: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
file: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
size: 113664
MD5: c2ff17734176cd15221c10044ef0ba1a

Located: Startup (common), Adobe Reader Speed Launch.lnk
command: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
file: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
size: 29696
MD5: deb88aef013dd1eefb462d7cad642166

Located: Startup (common), D-Link AirPlus Xtreme G Configuration Utility.lnk
command: C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
file: C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
size: 512082
MD5: d93e0fa172827c1d1e4db6745ae7c1f6

Located: Startup (common), Microsoft Office.lnk
command: C:\Program Files\Microsoft Office\Office\OSA9.EXE
file: C:\Program Files\Microsoft Office\Office\OSA9.EXE
size: 65588
MD5: f09fdff42a95cf027d63743b8c1d420a

Located: Startup (common), WinZip Quick Pick.lnk
command: C:\Program Files\WinZip\WZQKPICK.EXE
file: C:\Program Files\WinZip\WZQKPICK.EXE
size: 118784
MD5: 67b2e7b6ae3b400d832f0456068ea83d

Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll

Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll

Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll

Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll

Located: System.ini, wzcnotif
command: wzcdlg.dll
file: wzcdlg.dll
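
An added example, not from this thread or from Spybot: a small parser for the search-result lines posted above. It reads each ZoneMap hit and reports which Internet Explorer security zone the domain was mapped to, which is what separates a block-list style entry (zone 4, Restricted sites) from a trusted-zone addition (zone 2) that loosens IE's security for that host. Assumptions: Spybot's `!=W=4` suffix is read as a DWORD value of 4 (the notation is not documented on the page), and the `example.invalid` lines are constructed for contrast, not taken from the log.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Internet Explorer URL security zone ids, as stored under
# HK*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# A hit in a Spybot 1.4 search-result list is a header line followed by the
# registry path. Assumption about Spybot's notation: <key>\<value name>!=<type>=<data>,
# where type letter W means a DWORD value.
HEADER_RE = re.compile(
    r"^(?P<family>[^:]+): (?P<category>.+?) \((?P<kind>[^,]+), (?P<status>[^)]+)\)$")
PATH_RE = re.compile(
    r"^(?P<key>.+)\\(?P<value>[^\\]+)!=(?P<type>[A-Za-z])=(?P<data>.*)$")
ZONEMAP_MARKER = "\\Internet Settings\\ZoneMap\\Domains\\"

# Constructed sample: two lines copied from the log above plus two made-up
# entries (example.invalid) that map a host into the Trusted sites zone.
SAMPLE_LOG = r"""--- Search result list ---
Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-15412401-895157793-1247027225-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\adulthell.com\*!=W=4

Smitfraud-C.: User settings (Registry change, fixing failed)
HKEY_USERS\S-1-5-21-15412401-895157793-1247027225-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\crl.thawte.com\*!=W=4

Constructed.Hijacker: User settings (Registry change, fixed)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.invalid\http!=W=2

Constructed.Hijacker: User settings (Registry change, fixed)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.invalid\www\*!=W=2
"""


@dataclass
class ZoneMapEntry:
    family: str
    status: str      # e.g. "fixing failed" or "fixed"
    hive: str        # HKEY_USERS\<SID>, HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE
    host: str        # host name rebuilt from the Domains\ subkeys
    scheme: str      # "*" (all schemes), "http", "https", ...
    zone: int

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone, f"unknown zone {self.zone}")

    @property
    def lowers_security(self) -> bool:
        # Zones 0..2 are more permissive than the Internet zone (3); a hijacker
        # that wants its sites to run unhindered puts them there.
        return self.zone < 3


def parse_zonemap_line(header: str, path: str) -> Optional[ZoneMapEntry]:
    """Return a ZoneMapEntry for one header/path pair, or None for non-ZoneMap hits."""
    h, p = HEADER_RE.match(header.strip()), PATH_RE.match(path.strip())
    if not h or not p or ZONEMAP_MARKER not in p["key"] or p["type"] != "W":
        return None
    key = p["key"]
    hive = key.split("\\Software\\", 1)[0]
    sub = key.split(ZONEMAP_MARKER, 1)[1]
    # IE stores www.example.com as Domains\example.com\www: reverse the subkeys.
    host = ".".join(reversed(sub.split("\\")))
    return ZoneMapEntry(family=h["family"], status=h["status"], hive=hive,
                        host=host, scheme=p["value"], zone=int(p["data"]))


def parse_search_results(text: str) -> list[ZoneMapEntry]:
    """Walk a '--- Search result list ---' block and collect its ZoneMap entries."""
    lines = [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("---")]
    entries = []
    for header, path in zip(lines[0::2], lines[1::2]):
        entry = parse_zonemap_line(header, path)
        if entry:
            entries.append(entry)
    return entries


def assess(entries: list[ZoneMapEntry]) -> dict[str, list[str]]:
    """Group hosts by the effect of the change: relaxed (hijack pattern),
    restricted (block-list pattern) or default zone."""
    groups: dict[str, list[str]] = {"relaxed": [], "restricted": [], "default": []}
    for e in entries:
        bucket = "relaxed" if e.lowers_security else "restricted" if e.zone == 4 else "default"
        groups[bucket].append(f"{e.host} [{e.scheme}] -> {e.zone_name} ({e.status})")
    return groups


if __name__ == "__main__":
    for verdict, hosts in assess(parse_search_results(SAMPLE_LOG)).items():
        print(f"{verdict}:")
        for line in hosts:
            print("   ", line)
```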

frustrated11
2006-01-13, 04:47
--- Browser helper object list ---
{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name: SDHELPER.DLL
Date (created): 1/12/2006 7:55:52 PM
Date (last access): 1/12/2006
Date (last write): 5/31/2005 1:04:00 AM
Filesize: 853672
Attributes: archive
MD5: 250D787A5712D7768DDC133B3E477759
CRC32: D4589A41
Version: 1.4.0.0

{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} ()
BHO name:
CLSID name:

{c0a51265-0105-4e1e-a79c-50286d8043ec} ()
BHO name:
CLSID name:



--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
Installer:
Codebase: file://C:\WINNT\Java\classes\dajava.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla

Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINNT\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{0000000A-9980-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINNT\Downloaded Program Files\wmsp9dmo.inf
Codebase: http://download.microsoft.com/download/8/B/E/8BE028EC-F134-4AA0-84AB-64F76D6B9842/wmsp9dmo.cab
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.

{30528230-99f7-4bb4-88d8-fa1d4f56a2ab} ()
DPF name:
CLSID name:
Installer:
Codebase:
description: Yahoo! Installation helper
classification: Legitimate
known filename: %SystemRoot%\Downloaded Program Files\yinsthelper.dll
info link:
info source: Patrick M. Kolla

{31564D57-0000-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINNT\Downloaded Program Files\wmvax.inf
Codebase: http://codecs.microsoft.com/codecs/i386/wmvax.cab
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.

{32564D57-0000-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINNT\Downloaded Program Files\wmv8ax.inf
Codebase: http://codecs.microsoft.com/codecs/i386/wmv8ax.cab
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.

{33564D57-0000-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINNT\Downloaded Program Files\WMV9VCM.inf
Codebase: http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.

{49232000-16E4-426C-A231-62846947304B} ()
DPF name:
CLSID name:
Installer:
Codebase:
description:
classification: Open for discussion
known filename: SysInfo.dll
info link:
info source: Safer Networking Ltd.

{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
DPF name:
CLSID name: WUWebControl Class
Installer: C:\WINNT\Downloaded Program Files\wuweb.inf
Codebase: http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124237829784
description:
classification: Legitimate
known filename: wuweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINNT\system32\
Long name: wuweb.dll
Short name:
Date (created): 5/26/2005 4:19:32 AM
Date (last access): 1/5/2006
Date (last write): 5/26/2005 4:19:32 AM
Filesize: 173536
Attributes: archive
MD5: C459F2D5E64C942F3F66E1CD7F1C4C00
CRC32: EEF66B50
Version: 5.8.0.2469

{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
DPF name:
CLSID name: MUWebControl Class
Installer: C:\WINNT\Downloaded Program Files\muweb.inf
Codebase: http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124237814061
description:
classification: Legitimate
known filename: muweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINNT\system32\
Long name: muweb.dll
Short name:
Date (created): 5/26/2005 4:19:32 AM
Date (last access): 1/5/2006
Date (last write): 5/26/2005 4:19:32 AM
Filesize: 178408
Attributes: archive
MD5: EE37AA2C0700221CD8B02FADCD4C7FB5
CRC32: F5494B06
Version: 5.8.0.2469

{74D05D43-3236-11D4-BDCD-00C04F9A3B61} ()
DPF name:
CLSID name:
Installer:
Codebase:
description: Trend Micro Antivirus online scanner
classification: Legitimate
known filename: XSCAN53.OCX
info link:
info source: Patrick M. Kolla

{88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0)
DPF name:
CLSID name: XML DOM Document 4.0
Installer: C:\WINNT\Downloaded Program Files\msxml4.inf
Codebase: http://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab
description:
classification: Open for discussion
known filename:
info link:
info source: Safer Networking Ltd.
Path: %SystemRoot%\System32\
Long name: msxml4.dll

{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} ()
DPF name:
CLSID name:
Installer: C:\WINNT\Downloaded Program Files\erma.inf
Codebase: http://fpdownload.macromedia.com/get/shockwave/cabs/flash/ultrashim.cab
description:
classification: Open for discussion
known filename:
info link:
info source: Safer Networking Ltd.

{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class)
DPF name:
CLSID name: ActiveScan Installer Class
Installer: C:\WINNT\Downloaded Program Files\asinst.inf
Codebase: http://acs.pandasoftware.com/activescan/as5free/asinst.cab
description:
classification: Open for discussion
known filename: ASINST.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINNT\Downloaded Program Files\
Long name: asinst.dll
Short name:
Date (created): 12/19/2005 1:35:32 PM
Date (last access): 1/12/2006
Date (last write): 12/19/2005 1:35:32 PM
Filesize: 135168
Attributes: archive
MD5: 20C07B231040B49AFCE82397BFC35F9C
CRC32: 9301377D
Version: 58.4.0.0

{9F1C11AA-197B-4942-BA54-47A8489BB47F} ()
DPF name:
CLSID name:
Installer: C:\WINNT\Downloaded Program Files\iuctl.inf
Codebase: http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38492.9377314815
description: Windows Update
classification: Legitimate
known filename: %WINDIR%\System32\iuctl.dll,iuengine.dll
info link:
info source: Patrick M. Kolla

{A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class)
DPF name:
CLSID name: YahooYMailTo Class
Installer: C:\Program Files\Yahoo!\Common\ymmapi.inf
Codebase: http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
description:
classification: Legitimate
known filename: ymmapi.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Yahoo!\Common\
Long name: ymmapi.dll
Short name:
Date (created): 5/20/2005 7:17:38 PM
Date (last access): 1/11/2006
Date (last write): 7/12/2003 3:54:56 PM
Filesize: 145120
Attributes: archive
MD5: 938E7F8E1F9116BAFC241C521037B265
CRC32: 34B4B129
Version: 2003.7.12.1

{B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class)
DPF name:
CLSID name: MsnMessengerSetupDownloadControl Class
Installer: C:\WINNT\Downloaded Program Files\MsnMessengerSetupDownloader.inf
Codebase: http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
description:
classification: Legitimate
known filename: MsnMessengerSetupDownloader.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINNT\Downloaded Program Files\
Long name: MsnMessengerSetupDownloader.ocx
Short name: MSNMES~1.OCX
Date (created): 3/17/2005 2:48:34 PM
Date (last access): 1/11/2006
Date (last write): 3/17/2005 2:48:34 PM
Filesize: 113152
Attributes: archive
MD5: 92D24B6643919005213F60D5B537196A
CRC32: 31684779
Version: 1.0.0.2

{B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class)
DPF name:
CLSID name: YAddBook Class
Installer: C:\Program Files\Yahoo!\Common\yab_af.inf
Codebase: http://download.yahoo.com/dl/installs/yab_af.cab
description: Yahoo! Address book
classification: Legitimate
known filename: %ProgramFiles%\Yahoo!\Common\yaddbook.dll
info link:
info source: Patrick M. Kolla
Path: C:\PROGRA~1\Yahoo!\Common\
Long name: yaddbook.dll
Short name:
Date (created): 5/20/2005 7:17:42 PM
Date (last access): 1/11/2006
Date (last write): 7/14/2003 2:34:22 PM
Filesize: 208896
Attributes: archive
MD5: 62F761A0DD956C1939D3892A7D2E78AF
CRC32: 88082425
Version: 2003.7.14.1

{D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class)
DPF name:
CLSID name: PhotosCtrl Class
Installer:
Codebase:
description:
classification: Legitimate
known filename: YPhotos.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Yahoo!\Common\
Long name: YPhotos.dll
Short name: YPHOTOS.DLL
Date (created): 5/20/2005 7:17:42 PM
Date (last access): 1/5/2006
Date (last write): 6/9/2003 4:52:08 PM
Filesize: 468128
Attributes: archive
MD5: B367D4316F0C8EFF50FEEABD9F01E5E5
CRC32: B99476A1
Version: 2003.6.9.1

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINNT\Downloaded Program Files\swflash.inf
Codebase: http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINNT\system32\macromed\flash\
Long name: Flash.ocx
Short name: FLASH.OCX
Date (created): 6/9/2004 3:59:26 PM
Date (last access): 1/12/2006
Date (last write): 6/9/2004 3:59:26 PM
Filesize: 939224
Attributes: archive
MD5: FC3E17E12C2E31FAC34B416B3DAB829F
CRC32: D1CF3A57
Version: 7.0.19.0

frustrated11
2006-01-13, 04:48
--- Process list ---
PID: 0 ( 0) [System]
PID: 136 ( 8) \SystemRoot\System32\smss.exe
PID: 160 ( 136) \??\C:\WINNT\system32\csrss.exe
PID: 180 ( 136) \??\C:\WINNT\system32\winlogon.exe
PID: 208 ( 180) C:\WINNT\system32\services.exe
size: 92944
MD5: B861B4E6E9637EB76A40C10C552E0229
PID: 220 ( 180) C:\WINNT\system32\lsass.exe
size: 33552
MD5: F19D0A319AB4BF5496F08807CB9B8651
PID: 404 ( 208) C:\WINNT\system32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 436 ( 208) C:\WINNT\system32\spoolsv.exe
size: 47376
MD5: FACFB75ECC070103619FA044E0B210D3
PID: 468 ( 208) C:\WINNT\System32\ati2evxx.exe
size: 57344
MD5: 5BFB89A40C843708E94A871BA292AC96
PID: 484 ( 208) C:\WINNT\System32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 500 ( 208) C:\Program Files\ewido anti-malware\ewidoctrl.exe
size: 13888
MD5: 26830B750372AB1BF29C95DEEBEB802F
PID: 556 ( 208) C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
size: 161344
MD5: 54DE679A0911E2E5C6BA0D07BC27D907
PID: 644 ( 208) C:\Program Files\Pure Networks\Router Service\pnroutsv.exe
size: 99904
MD5: ADE71361B6A70D3418080494C262B341
PID: 688 ( 208) C:\WINNT\system32\MSTask.exe
size: 122128
MD5: B00529EAE5D0CE97010B69CC677128C8
PID: 724 ( 208) C:\WINNT\system32\stisvc.exe
size: 61712
MD5: B75235626B950FF821146555C612F814
PID: 192 ( 208) C:\WINNT\System32\WBEM\WinMgmt.exe
size: 196706
MD5: 05B2001E1BC653FD6091E741B46F71B4
PID: 916 ( 912) C:\WINNT\Explorer.EXE
size: 243472
MD5: 59CF2B7DCED9111F48F51B4B570E672D
PID: 928 ( 208) C:\WINNT\system32\mspmspsv.exe
size: 53248
MD5: AF619B3908BB1C9336FB6981609018FE
PID: 944 ( 208) C:\WINNT\system32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 1056 ( 916) C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
size: 94208
MD5: 32BA3932ACD6DEA5C670B918A792F503
PID: 1064 ( 916) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
size: 249856
MD5: 1EE09CDC2FF456CEDF01F50A9884C976
PID: 1072 ( 916) C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
size: 122880
MD5: 7187B64D933C478227E6CCC04C0B68F7
PID: 1088 ( 916) C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
size: 409600
MD5: 8F96B6CFCE326D0DDE5A8D68D5352D68
PID: 1100 ( 916) C:\Program Files\BroadJump\Client Foundation\CFD.exe
size: 368706
MD5: BA9AF06103549A96F77036861FDE357B
PID: 1116 ( 916) C:\WINNT\system32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
size: 40960
MD5: 5EA609093DC1DFA8AE828B1C7C8A3024
PID: 1124 ( 916) C:\Program Files\Pure Networks\Network Magic\nmapp.exe
size: 487424
MD5: C8287B18285DB7710AA3F52F3179B7B0
PID: 1156 ( 916) C:\Program Files\MSN Messenger\MsnMsgr.Exe
size: 6856704
MD5: 05ACC06B81FDA7E01F7FBEAE9DFC5A3D
PID: 1192 ( 916) C:\Program Files\AIM\aim.exe
size: 67160
MD5: D160472D7A8DBADD35DFE34D525F1CBC
PID: 1216 ( 404) C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
size: 106496
MD5: DA31CF72A49CD4C78487987CEB588D33
PID: 1224 ( 916) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1415824
MD5: 70496EEE0DDBE485F658693826F44D38
PID: 1256 ( 916) C:\Program Files\WinZip\WZQKPICK.EXE
size: 118784
MD5: 67B2E7B6AE3B400D832F0456068EA83D
PID: 1268 (1216) C:\PROGRA~1\Compaq\EASYAC~1\EAUSBKBD.EXE
size: 73728
MD5: 5C8A22395AB0383F3011B25B4F002B81
PID: 1296 ( 916) C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
size: 512082
MD5: D93E0FA172827C1D1E4DB6745AE7C1F6
PID: 1172 ( 916) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 1080 ( 916) C:\Program Files\Mozilla Firefox\firefox.exe
size: 6637156
MD5: CA35469F8987EBD2FB779DD915499462
PID: 8 ( 0) System
PID: 1160 ( 916) C:\WINNT\system32\NOTEPAD.EXE
size: 50960
MD5: CF8C98E8B3979F15DF77A7DE2E51BCC1
PID: 612 ( 916) C:\WINNT\system32\NOTEPAD.EXE
size: 50960
MD5: CF8C98E8B3979F15DF77A7DE2E51BCC1


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 1/12/2006 9:41:23 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL
http://www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINNT\SYSTEM32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://search.msn.com/spbasic.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchcust.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://home.microsoft.com/access/autosearch.asp?p=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINNT\SYSTEM32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar
http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD nwlnkipx [IPX]
GUID: {11058240-BE47-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP Novell Netware UPX protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD nwlnkipx *

Protocol 6: MSAFD nwlnkspx [SPX]
GUID: {11058241-BE47-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP Novell Netware SPX protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD nwlnkspx *

Protocol 7: MSAFD nwlnkspx [SPX] [Pseudo Stream]
GUID: {11058241-BE47-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP Novell Netware SPX protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD nwlnkspx *

Protocol 8: MSAFD nwlnkspx [SPX II]
GUID: {11058241-BE47-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP Novell Netware SPX protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD nwlnkspx *

Protocol 9: MSAFD nwlnkspx [SPX II] [Pseudo Stream]
GUID: {11058241-BE47-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP Novell Netware SPX protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD nwlnkspx *

Protocol 10: MSAFD NetBIOS [\Device\NwlnkNb] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NwlnkNb] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{64E22B80-9613-4A2E-A8D4-804243760D96}] SEQPACKET 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{64E22B80-9613-4A2E-A8D4-804243760D96}] DATAGRAM 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{63A90920-8FB6-42DF-A383-7A0F9F72284D}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{63A90920-8FB6-42DF-A383-7A0F9F72284D}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6AC9D252-AD4A-4596-BCE1-262B4BF8CE53}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6AC9D252-AD4A-4596-BCE1-262B4BF8CE53}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{902D940F-8554-4A61-BD33-14B991634643}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{902D940F-8554-4A61-BD33-14B991634643}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2D95955D-CBA2-4D71-9E1A-8A83BB078BF8}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 21: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2D95955D-CBA2-4D71-9E1A-8A83BB078BF8}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 22: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F50BD617-023D-4246-95B0-B7A6F490552C}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 23: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F50BD617-023D-4246-95B0-B7A6F490552C}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\msafd.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\rnr20.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: NWLink IPX/SPX/NetBIOS Compatible Transport Protocol
GUID: {E02DAAF0-7E9F-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\nwprovau.dll
Description: Microsoft Windows NT/2k/XP Novell Netware name space provider
DB filename: %SystemRoot%\system32\nwprovau.dll
DB protocol: NWLink IPX/SPX/NetBIOS*

frustrated11
2006-01-13, 04:48
Sorry, it was too big to attach or post all at once. Had to post it in 3 parts. If you want it a different way, please let me know.

LonnyRJones
2006-01-13, 05:39
Hi frustrated11

Try this please
Download this file to your desktop
http://www.mvps.org/winhelp2002/DelDomains.inf
Close all browsers, right-click and select: Install
It really doesn't install, it just clears all sites in the Domains and Ranges keys.
Afterwards you will need to immunize again in SpyBot and re-protect again with SpywareBlaster or re-install iespyadds if it's installed, then the file itself can be deleted (DelDomains.inf).
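The Domains and Ranges keys that DelDomains.inf clears are the Internet Explorer ZoneMap, the same place the Smitfraud-C detection above points at. The audit script below is an added example, not part of this thread, of Spybot-S&D or of DelDomains.inf; it lists what is in those keys and which zone each site is assigned to, so you can review the entries before clearing and confirm the immunization lists are back afterwards. It assumes a Windows host with PowerShell 3 or later (not the Windows 2000 box in this thread).

```powershell
# Added audit script (not from this thread, Spybot-S&D or DelDomains.inf).
# Enumerates the current user's IE ZoneMap: Domains\<domain>\<subdomain> keys
# and Ranges\RangeN keys, whose scheme values ("*", "http", "https") hold the
# DWORD zone id. Assumes PowerShell 3+ on a Windows host.

$ZoneMapPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-ZoneMapEntries {
    $domainsKey = Join-Path $ZoneMapPath 'Domains'
    if (Test-Path $domainsKey) {
        Get-ChildItem -Path $domainsKey -Recurse | ForEach-Object {
            $key = $_
            # Subdomain keys nest under the domain key, so reverse the relative path to rebuild the host name.
            $parts = ($key.PSPath -replace '^.*\\Domains\\', '') -split '\\'
            [array]::Reverse($parts)
            $hostName = $parts -join '.'
            foreach ($scheme in $key.GetValueNames()) {
                $zoneId = [int]$key.GetValue($scheme)
                [pscustomobject]@{ Kind = 'Domain'; Site = $hostName; Scheme = $scheme; ZoneId = $zoneId; Zone = $ZoneNames[$zoneId] }
            }
        }
    }
    $rangesKey = Join-Path $ZoneMapPath 'Ranges'
    if (Test-Path $rangesKey) {
        Get-ChildItem -Path $rangesKey | ForEach-Object {
            $key = $_
            # The ":Range" string holds an IP range or wildcard pattern; the other values are schemes as above.
            $range = $key.GetValue(':Range')
            foreach ($scheme in ($key.GetValueNames() | Where-Object { $_ -ne ':Range' })) {
                $zoneId = [int]$key.GetValue($scheme)
                [pscustomobject]@{ Kind = 'Range'; Site = $range; Scheme = $scheme; ZoneId = $zoneId; Zone = $ZoneNames[$zoneId] }
            }
        }
    }
}

$entries = @(Get-ZoneMapEntries)

# Per-zone totals. A large "Restricted sites" count is what the Spybot/SpywareBlaster/IE-SPYAD
# immunization looks like; it drops to about zero right after DelDomains.inf and comes back once you immunize again.
$entries | Group-Object Zone | Select-Object Name, Count | Format-Table -AutoSize

# "Trusted sites" entries deserve a careful read: the immunization lists only add sites to the
# Restricted zone, so anything placed in the Trusted zone was put there by something else.
$entries | Where-Object { $_.ZoneId -eq 2 } | Sort-Object Site | Format-Table Kind, Site, Scheme -AutoSize
```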

frustrated11
2006-01-13, 06:10
THANK YOU! It's all gone!

After doing everything up to and including SpywareBlaster, I ran a Spybot scan and no threats were found. (For my own edification, could you tell me what iespyadds are?)

Also, can you recommend a good, free antivirus program?

Thanks again to the both of you. I really appreciate it.

LonnyRJones
2006-01-13, 06:20
Good

IEspyadds description by Tom Coyote
http://tomcoyote.org/totw.php?act=show&id=4

tashi
2006-01-13, 06:20
Good. :bigthumb:

This article is well worth reading and you will see free AV's recommended.
So how did I get infected in the first place? By Tony Klein (http://forums.spybot.info/showthread.php?t=279)

Happy New Year to you. tashi

SidneyKidney
2006-11-18, 14:33
Hi guys

I think I'm having more Smitfraud-C problems. I followed all the advice that this thread has offered. I have run Spybot S+D several times, downloaded 'DelDomains' as suggested. However, every time my computer restarts and I check using Spybot S+D again I once again have Smitfraud-C! It's driving me nuts! I downloaded Smitfraudfix to remove another sort of Smitfraud but this still remains.

I really hope someone can help me. I will attach 2 images: the first is the shortcut which installs itself on my desktop every time I restart and the second is the icon which appears in the taskbar with the balloon that says "Security Warning: your computer may be infected with harmful or unwanted software!"

I am of course aware that this is just to encourage me to install malware, but when clicking it, it brings up something called 'Spyware Detection Alert', some odd sort of program....

Please help, I can't delete this thing every time I start up! :(

Sandy

Zenobia
2006-11-18, 15:12
You could ask for help in the malware removal forum.

The instructions are here:
http://forums.spybot.info/showthread.php?t=288

Malware Removal:
http://forums.spybot.info/forumdisplay.php?f=22

Nawitch
2007-06-04, 07:30
OK, here is how to terminate the Smitfraud...

1. Hard Boot your computer, (example)
"flip the power switch, wait for fan to stop, turn power back on"

Removed


I am unable to fix Smitfraud-C. I read in another thread that this problem will be fixed in a subsequent update. However, I can't get rid of it. Has it been updated? Is this in fact a false positive?

tashi
2007-06-04, 08:07
OK, here is how to terminate the Smitfraud...

1. Hard Boot your computer, (example)
"flip the power switch, wait for fan to stop, turn power back on"


Etc... No. ;)

If one can find the file/s, zip and send to: detections(AT)spybot.info (Replace AT with @)

Also include the results of a Spybot-S&D scan.

Open Spybot-S&D and start a scan ("check for problems").
After the scan, right-click in the results field and choose either "Save full report to file..." or "Copy full report to clipboard".
Attach the file (or copy the report) to the email.


Then follow the procedure in this link: "BEFORE you POST" -Preliminary Steps (http://forums.spybot.info/showthread.php?t=288) and start a topic in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22)

Once posted, a trained malware remover helper will advise.

BTW, for those who would like to be trained to help others in the removal of malware, please see this topic:

http://forums.spybot.info/showthread.php?t=10777

Nawitch
2007-06-04, 21:48
Ehh, yes,

I already tried your method, and it did nothing
to remove the problem from my computer, yet my method allowed me
to delete, and permanently remove the threat from my computer,
so ya, it works <grin>
:fear::fear::fear::fear::fear::fear:


Etc... No. ;)

If one can find the file/s, zip and send to: detections(AT)spybot.info (Replace AT with @)

tashi
2007-06-04, 22:54
Hello.



I already tried your method, and it did nothing
to remove the problem from my computer,

I don't see a topic of yours in malware removal, all users logs are analysed individually.

Regards.

md usa spybot fan
2007-06-04, 23:54
Nawitch:

I hope you are not offended by the removal of your malware removal instructions, but I also hope that you realize that there is a rationale behind that. Generic removal instructions without the details surrounding the exact nature of the infection can be risky.

There can be many nuances (differences) in the infections currently identified as "Smitfraud-C" and what worked for you to remove "Smitfraud-C" may not work for others. In fact without specific details of what is running in a particular individual's system, generic removal instructions could conceivably cause more difficulties for the user (particularly when those instructions are posted in a thread over six (6) months old).

Those are some of the reasons why this forum requests that you not provide malware removal instructions unless it is done in the Malware Removal (http://forums.spybot.info/forumdisplay.php?f=22) forum and restrictions for helping in the Malware Removal (http://forums.spybot.info/forumdisplay.php?f=22) forum indicate:


Malware Removal: only people with the following titles above their avatar may assist members.

Helper, Warrior, Expert, Developer, Team Spybot.

Jyhwei0507
2007-08-25, 15:49
I've run Spybot many times, each time fixing the problem...I have also tried DelDomains...it hasn't helped much...

I'll post a S&D log...please help!! :sad:

Jyhwei0507
2007-08-25, 16:09
I've run Spybot many times, each time fixing the problem...I have also tried DelDomains...it hasn't helped much...

I'll post a S&D log...please help!! :sad:

That's the log...help!

md usa spybot fan
2007-08-25, 18:07
Jyhwei0507:

If Spybot-S&D fails to remove a problem you can request assistance in the Malware Removal (http://forums.spybot.info/forumdisplay.php?f=22) forum and have someone take a look at your system. Please follow the procedure in this link to run scans and produce a HijackThis log: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288).
After you have completed the required scans and produced the requested logs, start your own thread in the Malware Removal (http://forums.spybot.info/forumdisplay.php?f=22) forum, making sure to post the logs produced from the above instructions.

Nachtfueur
2008-04-22, 08:12
I am unable to fix Smitfraud-C. I read in another thread that this problem will be fixed in a subsequent update. However, I can't get rid of it. Has it been updated? Is this in fact a false positive?

go to Removed.

tashi
2008-04-22, 09:02
Hello Nachtfueur,

Aside from the original poster starting this thread in 2007, md usa spybot fan already gave Jyhwei0507 correct advice.

We don't want our members to run the risk of ending up with pcs as doorstops, :eek: and thus we have trained malware removal helpers. ;)

Best regards.