Smitfraud-C



ramodagama
2007-08-22, 08:47
I got this today and I have no idea how I got it. I'm kind of new to most of this kind of stuff. Every time I get rid of it, it comes back.

Zenobia
2007-08-22, 09:04
It would be best if you showed what Spybot is finding, so that someone here could see if it may be a false positive or not. So, could you please do this?


Open SpyBot.
Check for problems.
When finished, right click and choose copy results (not the full report) to clipboard and post that into topic.

ramodagama
2007-08-22, 09:09
Here are the results:

DeepDive: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}

DeepDive: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}

DeepDive: Type library (Registry key, nothing done)
HKEY_CLASSES_ROOT\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}

Smitfraud-C.: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\MSVPS.MSVPSApp

Smitfraud-C.: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{283A0EE3-2CC1-45AB-8207-B1D7B69C7F83}

Smitfraud-C.: Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{283A0EE3-2CC1-45AB-8207-B1D7B69C7F83}


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-01-27 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-07-31 Tools.dll (2.1.2.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-08-15 Includes\Cookies.sbi (*)
2007-07-25 Includes\Dialer.sbi (*)
2007-08-15 Includes\DialerC.sbi (*)
2007-07-11 Includes\Hijackers.sbi (*)
2007-08-15 Includes\HijackersC.sbi (*)
2007-07-25 Includes\Keyloggers.sbi (*)
2007-08-15 Includes\KeyloggersC.sbi (*)
2007-08-01 Includes\Malware.sbi (*)
2007-08-15 Includes\MalwareC.sbi (*)
2007-08-08 Includes\PUPS.sbi (*)
2007-08-15 Includes\PUPSC.sbi (*)
2007-08-15 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-08-15 Includes\SecurityC.sbi (*)
2007-08-01 Includes\Spybots.sbi (*)
2007-08-15 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-08-01 Includes\Trojans.sbi (*)
2007-08-15 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll

Yodama
2007-08-22, 15:40
Hello,

Please make another scan with Spybot and do the following:

Click on the blue icon to the right of the findings; a double-click on the first icon will open the Windows Registry Editor and navigate to the registry location.
Please right-click the key (keys look like folders) within the Registry Editor and choose Export.
Repeat this for each of the listed findings and send the .reg files to detections-at-spybot.info (replace -at- with @).
With these registry exports we can see what is entered in those keys and can better determine if it is a false positive or an infection that is not fully detected.
Please also send a complete Spybot log with your email to the address above.
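
Added example, not part of the original thread and not Spybot's own tooling: a Python sketch that parses the "copy results" text format posted above and emits one `reg export` command per registry-key finding, as a scripted alternative to the manual export steps. The function names and output file naming are assumptions; pasted text is treated as untrusted, so keys containing `"` or `%` or an unknown root are skipped rather than placed on a command line.

```python
import re

# Excerpt of the "copy results" text posted in this thread (trimmed).
SAMPLE = r"""DeepDive: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}

Smitfraud-C.: Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{283A0EE3-2CC1-45AB-8207-B1D7B69C7F83}

Smitfraud-C.MSVPS: Library (File, nothing done)
C:\WINDOWS\duocore.dll

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 SpybotSD.exe (1.4.0.3)
"""

# "<product>: <what> (<kind>, <action>)", followed by the location on the next line.
HEADER = re.compile(
    r"^(?P<product>.+?): (?P<what>.+) \((?P<kind>[^,()]+), (?P<action>[^()]+)\)$")
ROOTS = ("HKEY_CLASSES_ROOT\\", "HKEY_CURRENT_USER\\", "HKEY_LOCAL_MACHINE\\",
         "HKEY_USERS\\", "HKEY_CURRENT_CONFIG\\")

def parse_findings(text):
    """Return a list of dicts: product, what, kind, action, location."""
    findings, pending = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("---"):
            break                      # module/version listing, not findings
        m = HEADER.match(line)
        if m:
            pending = m.groupdict()
        elif line and pending:
            pending["location"] = line
            findings.append(pending)
            pending = None
    return findings

def export_commands(findings):
    """Build 'reg export' lines for registry-key findings only."""
    cmds, seen = [], set()
    for f in findings:
        key = f["location"]
        if f["kind"].lower() != "registry key" or key.lower() in seen:
            continue                   # skip file findings and duplicates
        if not key.startswith(ROOTS) or '"' in key or "%" in key:
            continue                   # refuse anything unsafe to quote in cmd
        seen.add(key.lower())
        leaf = re.sub(r"[^A-Za-z0-9.-]", "", key.rsplit("\\", 1)[-1])
        cmds.append(f'reg export "{key}" "{len(cmds) + 1:02d}_{leaf}.reg"')
    return cmds

if __name__ == "__main__":
    print("\n".join(export_commands(parse_findings(SAMPLE))))
```

File findings such as `C:\WINDOWS\duocore.dll` are parsed but produce no command, since there is no registry key to export for them.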

ramodagama
2007-08-23, 04:52
How long do you have to wait until they reply? It gets annoying when the warnings keep popping up.

tashi
2007-08-23, 06:19
ramodagama has started a topic in the malware removal forum: http://forums.spybot.info/showthread.php?t=17143

Yodama
2007-08-23, 13:09
Received requested files from ramodagama and sent an email with TED to ramodagama.

ramodagama
2007-08-23, 21:59
After the removal Spybot says that I have no infections but I still get the same popups.

ramodagama
2007-08-23, 23:06
After a few restarts I found the spyware again but no popups. Here are the results:

DeepDive: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}

DeepDive: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}

DeepDive: Type library (Registry key, nothing done)
HKEY_CLASSES_ROOT\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}

Smitfraud-C.: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\MSVPS.MSVPSApp

Smitfraud-C.: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{283A0EE3-2CC1-45AB-8207-B1D7B69C7F83}

Smitfraud-C.: Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{283A0EE3-2CC1-45AB-8207-B1D7B69C7F83}

Smitfraud-C.MSVPS: Library (File, nothing done)
C:\WINDOWS\duocore.dll


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-01-27 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-07-31 Tools.dll (2.1.2.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-08-22 Includes\Cookies.sbi (*)
2007-07-25 Includes\Dialer.sbi (*)
2007-08-22 Includes\DialerC.sbi (*)
2007-07-11 Includes\Hijackers.sbi (*)
2007-08-22 Includes\HijackersC.sbi (*)
2007-07-25 Includes\Keyloggers.sbi (*)
2007-08-22 Includes\KeyloggersC.sbi (*)
2007-08-01 Includes\Malware.sbi (*)
2007-08-22 Includes\MalwareC.sbi (*)
2007-08-22 Includes\PUPS.sbi (*)
2007-08-22 Includes\PUPSC.sbi (*)
2007-08-22 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-08-22 Includes\SecurityC.sbi (*)
2007-08-01 Includes\Spybots.sbi (*)
2007-08-22 Includes\SpybotsC.sbi (*)
2007-08-23 Includes\TED-Smitfraud-C.MSVPS.sbi (*)
2007-08-21 Includes\Tracks.uti
2007-08-01 Includes\Trojans.sbi (*)
2007-08-22 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll

Yodama
2007-08-28, 14:43
Hello,

I followed the other thread. Is it still correct that this
Smitfraud-C.MSVPS: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-3085632509-3235412490-3220655986-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{283A0EE3-2CC1-45AB-8207-B1D7B69C7F83}

is still being found?

Actually it is not harmful by itself since it is only a trace of the original trojan horse. You may not be able to remove this due to access right restrictions on your computer. Please try scanning and fixing as an Administrator or in Windows safe mode.

ramodagama
2007-08-29, 00:06
Ok thank you very much. I was wondering if it was harmful or not.