Spybot finds "Sfonditalia" and "Citofarera" but doesn't destroy them

B

blind_I

New member
Spybot finds "Sfonditalia" and "Citofarera" but doesn't destroy them

Hello,

I know there are other threads for "Sfonditalia" but as far as I can see, none for "Citofarera". The other threads dont help me - sorry.

Spybot S&D finds the intruders but doesn't get rid of them, an imediate scan shows them again. All three enties show in Spybot as: >>>
Citofarera: Settings (Registry change, fixed)
View attachment 886HKEY_USERS\S-1-5-21-448539723-1202660629-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\otherchance.com\www\*!=W=4

Sfonditalia: Settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-448539723-1202660629-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\redfunny.com\www\*!=W=4

Sfonditalia: Settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-448539723-1202660629-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\archiviosex.net\www\*!=W=4
<<<
Information on the web says that "Sfonditalia" is a dialler and "Citofarera" is a hijacker.

They are not identified by any of my other `normal` forms of protection (see below).

Because I use `Trend` software I contacted them. I have run Trends `Housecall`, it's did not find them. I've run Trends `Spyware scan`~ still no luck. Trend suggested I run the trial version of `Anti Spyware`, it finds 1 of them (and another different one) but doesn't destroy them. I have run HiJackThis, the resultant log doesn't show anything (at least not to me). Is it possible that Spybot is in error?

Historical stuff:
PC: Win XP + SP2 // AuthenticAMD ~1202 Mhz processor // Netgear wg111vs WLAM // Firefix (I dont use IE).
Anti infection: PC-cillin v14 + Firewall // Spybot S&D 1.3 + tea-timer // AdAware se 1.06r1 // SpywareBlaster 3.5.1 // Tweak XP pop-up-blocker (old version). All updated except Tweak.

The `infections` have not yet got control of my PC - possibly because: A) I use DSL and not a dial-up, B) I do most of my surfing / browsing on a desktop which does *not* have admin rights. [The scans are done with admin rights of course]

I include for your perusal ~ HKT log + Spybot log + Trend Micro Anti Spyware (TMAS) log. [Sorry I had to split 2 of them so now 3 becomes 5]

Thanks in anticipation

blind_I
 
Hello,
sorry - blind_I again. The attachment in the 4th line named "attachment 886" should not be there - I didn't do it - honest.

blind_I
 
Hello

In windows control panel addremove programs uninstall SpyBot 1.3
then Restart the PC, and delete SpyBots folder in program files,
usualy > C:\Program Files\Spybot - Search & Destroy
Next: download and install 1.4 once thats done, check for updates, then check for problems, fix everything found, always reboot if SpyBots needs to, to finish the cleanup.
http://www.safer-networking.org/index.php?page=tutorial
Download found here
http://www.safer-networking.org/en/download/index.html

Let us know of any problems
 
Hello and thanks LonnyRJones,

Are you suggesting that `Sptbot 1.3` isn't able to deal with these `interlopers`, OR that `1.3` is giving some sort of a false reading?? I ask for the benifit of others also.

I did find it strange that they appeared in `Spybot` but not (as far as I could see) in HJT. However, they (at least 2 of them) *did* appear in `Trend Micro Anti-Spyware` along with another - but `TMAS` couldn't deal with them either.

While I'm asking - can you tell me if `Spybot 1.4` goes OK on Win 98SE? My wife uses `'1.3` with Win 98 on her laptop.

I will now carry out what you suggest and let you know of the results. I give a little warning - I'm attempting to get stuff ready for a trip so I might not get back quickly.


Thank again - hope it works


blind_I
 
Hello,

Thanks again Lonny - the short answer is YES they are gone - here are the details / comments and some more questions - I realise that some of these may not "exactly" go with this thread but for me they are connected. Move or re-move if you feel the need, I will understand:bow:

Uninstalled 1.3 ~ installed 1.4 and updated ~ checked out the various settings etc which leads me to my first questions.

Q1. In >System Start-up< I have lots more entries ~ do I need them, should I switch them off? They are *all* `system.ini` ~ see log "060919sb_start.txt".

Q2. When I looked at >Ignore cookies< it listed 54 cookies ~ all had `IE` icons except 4 with `Opera` ones ~ at least 23 of the `IE` cookies came from Microsoft. All the cookies (except the 4 Opera ones) say "Firefox default in the column "Browser/Profile". Now - I do NOT use `IE6` ~ I usually use Firefox and used it to download `Spybot`. I am trialling "Opera".
Can you explain: Why IE cookies? And why via Firefox? What is the point of purposely using another `browser` instead of IE when they "get to you" via other software? Why were the cookies there at all as I had deleted them only hours before and certainly NOT surfed any MS site nor used MS IE? Is MS the new Spy threat?:spider:

To continue with the installation of 1.4. The first scan shows: 4 tracking cookies (via Opera) these were not showing before; still showing the 2 `offenders` though "Sfonditalia" now only shows one `HKEY_USERS` and not 2. I deleted them all. I also scanned with all the other `anti-infection` software ~ no sign of them. I switched off ~ re-booted ~ re-scanned ~~ nothing. I checked all again after another re-boot ~ still nothing. So they are gone.

Q3. It still begs the question: Why did Spybot 1.3 `not` do the job?


Q4. Now my final question ~ a few weeks ago I made a donation to Spybot ~ it shows on my bank statement but how do I know that "Moneybookers" paid it? It's not a large amount of money ~ I dont want any medals ~ I'd just like to know.


Much gratitude ~ and thanks for the answer on Win 98.:2thumb:


blind_I
 
SpyBot 1,4 is much improved over the older version's

all these items in your report are normal, leave them be
> Located: System.ini etc etc'
they are located here
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
You can check each file out here if you like
http://www.castlecops.com/O20.html


Cookies are just cookies, if i understand corectly one site can add its own and look to see where else you have been,
I suggest that if you want to manage them get a cookie managment program.

Installing a hosts file such as http://www.mvps.org/winhelp2002/hosts.htm
and SpywareBlaster (By JavaCool): http://www.javacoolsoftware.com/spywareblaster.html
will certialnly help prevent them.
 
Hello again Lonny,

Thanks for the info on the .ini files in >start-up<, I haven't yet checked out the web page you suggest but you say they are OK - so OK.

Cookies:- I'm not `too` much worried about cookies per say though I do like to keep my PC as clean as I can, which includes cookies. My point was that these cookies appeared *without* me (knowingly) accessing any MS software/programme. As such they `could` have been *anything* and clearly a cookie is a form of `Spyware`. I `hate` anything being stuck on my machine without my knowledge. I also now believe that MS is attempting to *control machine and 'man* through their software. If you have MS software (which most of us do) then ""THEY"" are in control, you only think you are.

If you glance back to my original mail you will see I already have `Spywareblaster` and I, of course, also have `Spybot`. I was a bit worries that another `host file` program might upset either / both of these. Isn't there another `host file` prog, called something like `IE Spyads` and isn't this the one everyone recommends? Which (if any) is most suitable to use with Spybot + Spywarebalster + Ad-Aware?

Er! My 4th question? Or did you purposely not get into that?


Thanks again

blind_I
 
Hi
Cookie: Do you use SpyBot 's file sets "select all available checks" when you check for problems ? in addition to that you can use the secure schredder
to add and delete IEs temp's/cookies and cache.
In other words I'm not sure why the remaining cookies you say were still there, but using secure schredder should deal with them if you use it occasionally.

I recommend winhelps2002's hosts file , iespyadds is an good alternative to and either work well with the programs you mention.
With either one ad-aware (or other anti-spyware) might think there is an offending site in the hosts at times, but you will no its a false positive because you manage the hosts file yourself.

I will ask the other's about you question 4.
 
Hello again Lonny,

I usually do a thorough clean-up of cookies, temp files, cache etc at least twice a week and usually before I use my various anti-intrusion software to scan the M/c which again is usually at least twice a week or more if I think there may be a problem. I have an `automated` virus scans every night. I ask for updates of all my anti-intrusion almost every night, PC-cillin auto updates several times a day.

When I do a clean up:
I go into IE >props > delete cookies, files (including offline) and history.
In Ffox > tools > private data > delete browsing history, cookies, cache, authenticated sessions
In Opera > tools > private data > `everything` except `password protections / wand
I search for and delete all files in `Temp Internet files`; any `.tmp`; anything in `recent` and anything in any `Temp` folder (of which I have a few for some reason).
I ensure my anti-intrusion software is updated and scan with all of them (obviously Spyware blaster constantly scans (you know what I mean)).
With `Spybot` I always ensure the settings are correct for >System Start-up/nothing unusual >Hosts file/add Spybot hosts >Ignore products/all unticked. I also glance through the other stuff to look for unusual signs.

This is why I would like to know *how* and *why* MS keeps stuffing my M/c with it's cr'p. I pick on MS (yes I do hate them, hope they don’t read this) because when I do my clean-ups (as described above) they have more files to get rid of than anyone else. When I look at my `Add/Remove Programs` ~ they have the most entries. MS keep sending me updates and telling me I need to install the latest security updates for MS programmes that I have `uninstalled`.
Also, if I buy a Ford car, I don’t get Ford knocking on my door (nor indeed secretly spying on me) to see if I'm using their oil/radio/speakers/tyres/petrol/"and have I got Ford windscreen wipers" etc etc and threatening to do me a nasty if not!!!!!

I had a quick look at the site (winhelps2002) ~ I'm still a bit iffy about it because so far I have had no problems running the other programmes together (I'm talking about me here, I don’t call myself blind_I for nothing). If I start getting pop-ups about allowing or not host file changes I'll be worried that I'm opening the door to a `nasty`


blind_I
 
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.
If you should need to post another log for the same PC let one of us know via a PM (personal message).
 
You must log in or register to reply here.
Back
Top