I've run all kinds of scans and programmes, but I can't seem to locate "Smitfraud-C.Toolbar888".
However, whenever I run Spybot S&D, it says it exists on my system.
Any ideas?
Thanks in advance.
Smitfraud-C.Toolbar888
Started by Canary, Nov 05 2006 10:26 AM
6 replies to this topic
#1 OFFLINE
Posted 05 November 2006 - 10:26 AM
#2 OFFLINE
Posted 05 November 2006 - 05:42 PM
#3 OFFLINE
Posted 05 November 2006 - 06:20 PM
Thanks.
I've downloaded those files and unzipped them. When I run the program, though, I'm not sure what option to choose.
It offers:
1. Search
2. Clean (safe mode recommended)
3. Delete Trusted zone
4. Check for updates
What should I do now? I'm guessing it should be either option 1 or 2?
#4 OFFLINE
Posted 05 November 2006 - 07:10 PM
Do this:
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
#5 OFFLINE
Posted 05 November 2006 - 07:17 PM
Hi, and thanks - as ever - for your help.
Here's the log:
SmitFraudFix v2.119
Scan done at 19:18:24.71, 05/11/2006
Run from C:\Documents and Settings\Adam\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Adam
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Adam\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Adam\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://www.foxnews.com/images/175963/25_1_090105_katrina5.jpg"
"SubscribedURL"="http://www.foxnews.com/images/175963/25_1_090105_katrina5.jpg"
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="http://static.sky.com/images/skymovies/static/background.jpg"
"SubscribedURL"="http://static.sky.com/images/skymovies/static/background.jpg"
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
#6 OFFLINE
Posted 05 November 2006 - 11:09 PM
That's coming back clean.
It's probably just a false positive by Spybot. Do you have SUPERAntiSpyware? You may wish to give it a try because it will detect some of the Smitfraud variants as well.
If you really do want to run the cleaner just to make sure, here is how:
Quote
You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.
Please reboot your computer in Safe Mode by doing the following :
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, a menu with options should appear;
- Select the first option, to run Windows in Safe Mode, then press "Enter".
- Choose your usual account.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
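Added example (not part of the thread and not SmitfraudFix's own code): a small Python parser for a report in the layout posted above, separating scan sections that list entries from registry sections that are only printed for review. It assumes, from the instructions in the thread, that option 1 lists infected files under the matching section header; the sample report and the names `parse_sections` and `triage` are constructed for illustration.

```python
import re

# Constructed sample in the layout of the report quoted in the thread:
# each section starts with a run of "»" followed by the section name.
SAMPLE = r"""SmitFraudFix v2.119
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» End
"""

HEADER = re.compile(r"^»{5,}\s*(.+?)\s*$")
# Sections that print registry values for a person to judge (assumption
# based on the "not inevitably infected" notices in the posted report).
REVIEW_ONLY = {"Desktop Components", "Sharedtaskscheduler", "AppInit_DLLs"}

def parse_sections(report):
    """Map each section name to the non-blank lines printed under it."""
    sections, current = {}, None
    for line in report.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.strip())
    return sections

def triage(report):
    """Return (findings, review): entries listed under scan sections,
    and non-empty registry values that need a human look."""
    findings, review = {}, {}
    for name, lines in parse_sections(report).items():
        if name in REVIEW_ONLY:
            values = [l for l in lines
                      if l.startswith('"') and not l.endswith('=""')]
            if values:
                review[name] = values
        elif lines:
            findings[name] = lines
    return findings, review
```

An empty `findings` result with an empty `AppInit_DLLs` value corresponds to the "coming back clean" reading given in the reply above.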
#7 OFFLINE
Posted 06 November 2006 - 12:08 AM
Thanks for your help, guys.
I've run it in safe mode, just in case, but it's good to know that it's probably a false positive.
Never had it come up before, though, so it's a strange one.