Not again - possibly false spyware alert, please help

EyesOnly Sweden New
edited August 2005 in Spyware & Virus Removal
I have all kinds of spyware apps yet spybot once again reported some. And this time it threw in some big names: cws and smitfraud. Interestingly though both seemed to involve internet domains (see pasted text below) yet according to the sf removal guide it's supposed to change your desktop though mine is fine.

This makes me think about my last post in this forum where I apparently had some false messages. Now if I remember correctly it could have been caused by some conflict involving spywareblaster. If there's even a hint that it's the cause this time it's gone. I've got plenty of spyware apps though it does seem like a nice app but I don't want spybot telling me I got spyware unless I really do.

Thankful for advice.

Here's what spybot has to say

Smitfraud-C.: User settings (Registerändring, nothing done)
HKEY_USERS\S-1-5-21-1757981266-746137067-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\win-eto.com\*!=W=4

Smitfraud-C.: User settings (Registerändring, nothing done)
HKEY_USERS\S-1-5-21-1757981266-746137067-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\vparivalka.com\*!=W=4

Smitfraud-C.: User settings (Registerändring, nothing done)
HKEY_USERS\S-1-5-21-1757981266-746137067-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\veryeasysearch.com\*!=W=4

Smitfraud-C.: User settings (Registerändring, nothing done)
HKEY_USERS\S-1-5-21-1757981266-746137067-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\v-224.com\*!=W=4

Smitfraud-C.: User settings (Registerändring, nothing done)
HKEY_USERS\S-1-5-21-1757981266-746137067-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\rf104.com\*!=W=4

Smitfraud-C.: User settings (Registerändring, nothing done)
HKEY_USERS\S-1-5-21-1757981266-746137067-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\msnprotection.com\*!=W=4

Smitfraud-C.: User settings (Registerändring, nothing done)
HKEY_USERS\S-1-5-21-1757981266-746137067-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\letgohome.com\*!=W=4

Smitfraud-C.: User settings (Registerändring, nothing done)
HKEY_USERS\S-1-5-21-1757981266-746137067-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ga31.com\*!=W=4

Smitfraud-C.: User settings (Registerändring, nothing done)
HKEY_USERS\S-1-5-21-1757981266-746137067-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\****-****.org\*!=W=4

Smitfraud-C.: User settings (Registerändring, nothing done)
HKEY_USERS\S-1-5-21-1757981266-746137067-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\fast-look.com\*!=W=4

Smitfraud-C.: User settings (Registerändring, nothing done)
HKEY_USERS\S-1-5-21-1757981266-746137067-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ewizard.cc\*!=W=4

Smitfraud-C.: User settings (Registerändring, nothing done)
HKEY_USERS\S-1-5-21-1757981266-746137067-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cc20foreva.com\*!=W=4

Smitfraud-C.: User settings (Registerändring, nothing done)
HKEY_USERS\S-1-5-21-1757981266-746137067-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awmdabest.com\*!=W=4

CoolWWWSearch.BadZoneMap: Settings (Registerändring, nothing done)
HKEY_USERS\S-1-5-21-1757981266-746137067-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\scoobidoo.com\*!=W=4

CoolWWWSearch.BadZoneMap: Settings (Registerändring, nothing done)
HKEY_USERS\S-1-5-21-1757981266-746137067-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\my-internet.info\*!=W=4

CoolWWWSearch.BadZoneMap: Settings (Registerändring, nothing done)
HKEY_USERS\S-1-5-21-1757981266-746137067-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clickspring.net\*!=W=4

CoolWWWSearch.BadZoneMap: Settings (Registerändring, nothing done)
HKEY_USERS\S-1-5-21-1757981266-746137067-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\05p.com\*!=W=4

CoolWWWSearch.BadZoneMap: Settings (Registerändring, nothing done)
HKEY_USERS\S-1-5-21-1757981266-746137067-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ysbweb.com\*!=W=4

Comments

  • Shadow2018 Northwest Missouri
    edited July 2005
    Smitfraud has different variants now.

    Run Activescan and post those results. This will tell you if you have contracted smitfraud.

    http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm

    Please post a HijackThis log with the activescan results.
  • EyesOnly Sweden New
    edited July 2005
    Here's what hjt has to say. Nothing strange except for that zuper thing down the list. For a few days now at boot a message would appear saying I lacked win 98, 1 gig free on c: and so on. Yesterday I used mmh cleaner to stop it from launching and since I've not seen the message. Is it spyware?

    Logfile of HijackThis v1.99.1
    Scan saved at 11:51:50, on 2005-07-29
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    E:\Program\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    E:\Program\APC\APC PowerChute Personal Edition\mainserv.exe
    E:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
    E:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
    E:\Folding @ Home\FAH502-Console.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    E:\Folding @ Home\FahCore_65.exe
    E:\Program\Raxco\PerfectDisk\PDSched.exe
    C:\ASUS\Probe\AsusProb.exe
    E:\Program\Grisoft\AVGFRE~1\avgcc.exe
    E:\Program\Grisoft\AVGFRE~1\avgemc.exe
    E:\Program\HP\hpcoretech\hpcmpmgr.exe
    E:\Program\Java\jre1.5.0_01\bin\jusched.exe
    E:\Program\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    E:\Program\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    E:\Program\MSN Messenger\MsnMsgr.Exe
    E:\Program\framxpro\FreeRAM XP Pro 1.40.exe
    E:\Program\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    E:\Program\JetToolBar\JetTB.exe
    E:\Program\Logitech\SetPoint\KEM.exe
    E:\Program\Personal\bin\Personal.exe
    E:\Program\APC\APC PowerChute Personal Edition\apcsystray.exe
    E:\Program\Logitech\SetPoint\KHALMNPR.EXE
    E:\Program\DC++\DCPlusPlus.exe
    C:\WINDOWS\system32\ntvdm.exe
    E:\EMIII\EMIII.exe
    E:\Lego\mlcad320\MLCAD.exe
    E:\Program\Corel\Corel Graphics 12\PROGRAMS\CORELPP.EXE
    C:\WINDOWS\System32\svchost.exe
    E:\Wfwin\WFReader.exe
    E:\Wfwin\FIEMouse.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    E:\Program\Grisoft\AVGFRE~1\avgwb.dat
    E:\Program\Mozilla Firefox\firefox.exe
    E:\Spyware apps\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - E:\Program\FreshDevices\FreshDownload\fdcatch.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [ASUS Probe] C:\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [AVG7_CC] E:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] E:\Program\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [HP Component Manager] "E:\Program\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [SmcService] E:\Program\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [HP Software Update] E:\Program\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [MsnMsgr] "E:\Program\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [FreeRAM XP] "E:\Program\framxpro\FreeRAM XP Pro 1.40.exe" -win
    O4 - HKCU\..\Run: [NewPatch] C:\windows\ZuPeR.exe
    O4 - Startup: Electron Microscope.lnk = E:\EMIII\EMIII.exe
    O4 - Startup: FAH.lnk = ?
    O4 - Global Startup: APC UPS Status.lnk = E:\Program\APC\APC PowerChute Personal Edition\Display.exe
    O4 - Global Startup: jetToolBar.lnk = E:\Program\JetToolBar\JetTB.exe
    O4 - Global Startup: Logitech SetPoint.lnk = E:\Program\Logitech\SetPoint\KEM.exe
    O4 - Global Startup: Personal.lnk = E:\Program\Personal\bin\Personal.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - E:\Program\WinHTTrack\WinHTTrackIEBar.dll
    O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - E:\Program\WinHTTrack\WinHTTrackIEBar.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1120226871812
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O23 - Service: APC UPS Service - American Power Conversion Corporation - E:\Program\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: FAH@E:+Folding @ Home+FAH502-Console.exe - Stanford University - E:\Folding @ Home\FAH502-Console.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - E:\Program\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - E:\Program\Raxco\PerfectDisk\PDSched.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Program\Sygate\SPF\smc.exe

    And here's the panda log.


    Incident Status Location

    Virus:Backdoor Program Disinfected Operating system

    Spyware:spyware/istbar No disinfected E:\PROGRAM\DELADE FILER\Totem Shared

    Adware:adware/savenow No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MAGNET

    Adware:adware/searchexe No disinfected HKEY_CLASSES_ROOT\Interface\{72423E8F-8011-11D2-BE79-00A0C9A83DA3}

    Spyware:spyware/bargainbuddy No disinfected HKEY_CLASSES_ROOT\Interface\{71a27036-c7d8-11d2-bef8-525400dfb47a}

    Possible Virus. No disinfected E:\Program\Meridian Advance\Input\in_gbs.dll

    Possible Virus. No disinfected E:\Program\Meridian Advance\Input\in_gym.dll

    Adware:Adware/Trymedia No disinfected E:\SS spel\Spel\mindrover\MindRover-dm.exe
  • Shadow2018 Northwest Missouri
    edited July 2005
    Place a checkmark next to this entry:

    O4 - HKCU\..\Run: [NewPatch] C:\windows\ZuPeR.exe

    Delete these files or directories if they exist:

    C:\windows\ZuPeR.exe
    E:\PROGRAM\DELADE FILER
    E:\Program\Meridian Advance (is this a legitimate program you have?)
    E:\SS spel

    Download ewido security suite.

    Run ewido security and remove all objects found.

    Run activescan and post the results.

    Do you have spyware shooter? It has been known as of recent to give false positives. You do not have smitfraud. Panda software is the only program I have found to date that actually detects smitfraud. No sign of CWS either.
  • EyesOnly Sweden New
    edited July 2005
    Shadow2018 wrote:
    Place a checkmark next to this entry:

    O4 - HKCU\..\Run: [NewPatch] C:\windows\ZuPeR.exe

    Delete these files or directories if they exist:

    C:\windows\ZuPeR.exe
    E:\PROGRAM\DELADE FILER
    E:\Program\Meridian Advance (is this a legitimate program you have?)
    E:\SS spel

    Download ewido security suite.

    Run ewido security and remove all objects found.


    Run activescan and post the results.

    Do you have spyware shooter? It has been known as of recent to give false positives. You do not have smitfraud. Panda software is the only program I have found to date that actually detects smitfraud. No sign of CWS either.

    Ok I need to clarify something here. zuper is going. I don't know what it is but it wasn't installed by me hence malware.

    E:\PROGRAM\DELADE FILER Is called shared files or so in English. I can understand that you didn't know that but it's legit trust me. Most have it in c:program but my programs folder is on E:

    Meridian Advance is a music player homepage So legit

    and finally E:\SS spel contains my games files and cheats plus whatever.

    It seems I should remove spywareshooter since it gives false readings as you said and then try ewido.
  • Shadow2018 Northwest Missouri
    edited July 2005
    Once you remove the zuper file your log will be clean. Let me know if I can close the thread.


    Also look into spywareblaster:

    http://www.javacoolsoftware.com/spywareblaster.html
  • EyesOnly Sweden New
    edited July 2005
    Shadow2018 wrote:
    Also look into spywareblaster
    Using it already

    Shadow2018 wrote:
    Once you remove the zuper file your log will be clean. Let me know if I can close the thread.

    Not so fast. Panda showed some stuff. Why aren't any other apps picking up this?

    Incident Status Location

    Spyware:spyware/istbar No disinfected E:\PROGRAM\DELADE FILER\Totem Shared

    Adware:adware/savenow No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MAGNET

    Spyware:spyware/bargainbuddy No disinfected HKEY_CLASSES_ROOT\Interface\{71a27036-c7d8-11d2-bef8-525400dfb47a}

    Ran ewido which found and deleted some files. None had anything to do with these entries.
  • Shadow2018 Northwest Missouri
    edited July 2005
    You will have to do some searching for these.

    Open start menu>click run>type in "regedit" click ok>you'll see a menu in the upper left side of the display>double click HKEY_LOCAL_MACHINE>double click SOFTWARE>double click the subfolder labeled CLASSES>Scroll down until you find this entry- MAGNET>right click on this entry and click delete.

    This entry will also be removed in the registry editor-HKEY_CLASSES_ROOT\Interface\{71a27036-c7d8-11d2-bef8-525400dfb47a}.
    scroll back up until you see this directory and double click on it- HKEY_CLASSES_ROOT>Double click the subfolder titled Interface>You will see a number of entries that look like this-{71a27036-c7d8-11d2-bef8-525400dfb47a}. Search for this exact CLSID number and right click on it. Click delete.


    Delete this directory in your Delade Filer directory:

    Totem Shared

    Let me know if you were not able to remove one/all of these items.
  • EyesOnly Sweden New
    edited August 2005
    All items removed with regedit, and ewido and panda are scanning. I'll update when the results are in.

    No viruses found. Finally I can put this behind me. Anyways ewido will be uninstalled. I have enough spyware apps and ewido is just taking up too much memory. Or should I keep it? It's just that I have so many apps running already.

    BTW spybot once again found spyware. The same ones as before. While reading this thread I've run many apps but none have actually fixed the things that first made me create this thread. You mentioned spywareshooter giving false readings. In a previous thread a few months ago I once again had false spyware. That time it was caused by some glitch in spywareblaster, another app that seems good but I'm tired of this sh*t. So give it to me straight. Are there any reasons to keep these apps despite the problems they cause? They both come well recommended from people of this site but I don't like reading about spyware unless it's really spyware. :rolleyes::mad::confused:
  • SpywareShooter 127.0.0.1
    edited August 2005
    Those were false positives caused by Spyware Shooter. Spybot seems to be getting dumber and dumber with every update and not reading the full key that determines whether it is spyware or not. If you still want spyware protection you should reinstall Spyware Shooter and just ignore those entries with Spybot.
  • EyesOnly Sweden New
    edited August 2005
    Those were false positives caused by Spyware Shooter. Spybot seems to be getting dumber and dumber with every update and not reading the full key that determines whether it is spyware or not. If you still want spyware protection you should reinstall Spyware Shooter and just ignore those entries with Spybot.

    So I shouldn't panic until I've read what it's really about then. Seems reasonable. Hope they fix this soon.
  • Shadow2018 Northwest Missouri
    edited August 2005
    EyesOnly wrote:
    All items removed with regedit, and ewido and panda are scanning. I'll update when the results are in.

    No viruses found. Finally I can put this behind me. Anyways ewido will be uninstalled. I have enough spyware apps and ewido is just taking up too much memory. Or should I keep it? It's just that I have so many apps running already.

    BTW spybot once again found spyware. The same ones as before. While reading this thread I've run many apps but none have actually fixed the things that first made me create this thread. You mentioned spywareshooter giving false readings. In a previous thread a few months ago I once again had false spyware. That time it was caused by some glitch in spywareblaster, another app that seems good but I'm tired of this sh*t. So give it to me straight. Are there any reasons to keep these apps despite the problems they cause? They both come well recommended from people of this site but I don't like reading about spyware unless it's really spyware. :rolleyes::mad::confused:


    Spywareblaster is a keeper. I have had spywareblaster installed on both of my systems with spybot for some time and I have never had any issues with spybot giving false positives. If there was an issue with it I believe it has been resolved. You could take Spyware Shooter's advice and re-install spyware shooter and ignore the false readings or not re-install it. That is personal preference on your part. I would keep ewido. After the trial version runs out it will no longer run in your running processes. Then you will just need to update it once a week and run it every couple of weeks. Ewido security suite is a good program to keep but that is also going to be personal preference.

    Remember that it will take multiple apps to keep your system free, or as much as possible, of unwanted spyware/malware. If you have any more questions please feel free to ask.
  • EyesOnly Sweden New
    edited August 2005
    Ok then ewido stays. As far as spywareshooter is involved I just installed the newest version of it and now there's even more cws. :confused:

    I'll try using the uninstaller and then reinstall but this is getting ridiculous. All new "spyware" involved internet zones so it's false. Oh well.

    Since I'm not having real spyware I think we can consider this thread done for and ready for closing unless someone else has anything to say. BTW ad-aware which seems so much better by the minute only found a tracking cookie. Considering the amount of spyware apps I'm using, they prolly possess a greater threat than spyware.

    Oh and just for the heck of it, here's the spybot log:

    --- Spybot - Search && Destroy version: 1.3 ---
    2005-04-26 Includes\Cookies.sbi
    2005-07-29 Includes\Dialer.sbi
    2005-07-29 Includes\Hijackers.sbi
    2005-06-23 Includes\Keyloggers.sbi
    2004-11-29 Includes\LSP.sbi
    2005-07-29 Includes\Malware.sbi
    2005-07-22 Includes\PUPS.sbi
    2005-04-27 Includes\Revision.sbi
    2005-07-29 Includes\Security.sbi
    2005-07-29 Includes\Spybots.sbi
    2005-02-17 Includes\Tracks.uti
    2005-07-29 Includes\Trojans.sbi
This discussion has been closed.
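An added example, not written by any poster in the thread: one way to check what the `ZoneMap\Domains` entries named in the Spybot log above actually do is to read the zone number stored under each domain key. The sample is constructed `reg query ... /s` output with placeholder domains, and the zone numbers are Internet Explorer's standard ones (2 = Trusted sites, 4 = Restricted sites).

```python
import re
from collections import defaultdict

# Internet Explorer URL security zone numbers.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Everything after this marker in a key path is the domain (plus subdomains).
ZONEMAP = r"\Internet Settings\ZoneMap\Domains" + "\\"

# Constructed sample of `reg query "<...>\ZoneMap\Domains" /s` output.
# The domain names are placeholders, not values from the thread.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blocked-one.example
    *    REG_DWORD    0x4

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blocked-two.example
    *    REG_DWORD    0x4

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intranet.example\portal
    https    REG_DWORD    0x1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unknown-toolbar.example
    *    REG_DWORD    0x2
"""

# A value line: protocol name (* means any), type, hex zone number.
VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")


def parse_zonemap(text):
    """Return a list of (host, protocol, zone) tuples from reg query output."""
    entries, host = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            _, found, tail = line.partition(ZONEMAP)
            if not found:
                host = None  # a key outside ZoneMap\Domains: ignore its values
                continue
            # Subkeys are subdomains: Domains\example.com\www -> www.example.com
            host = ".".join(reversed(tail.strip().split("\\")))
        elif host:
            m = VALUE_RE.match(line)
            if m:
                entries.append((host, m.group(1), int(m.group(2), 16)))
    return entries


def triage(entries):
    """Group entries by what the zone assignment means for a reviewer."""
    report = defaultdict(list)
    for host, proto, zone in entries:
        if zone == 4:
            bucket = "restricted"  # site is locked down, not trusted
        elif zone == 3:
            bucket = "default"     # same as having no entry at all
        else:
            bucket = "review"      # elevated trust: confirm you added it
        report[bucket].append((host, proto, ZONES.get(zone, f"zone {zone}")))
    return dict(report)


if __name__ == "__main__":
    for bucket, rows in triage(parse_zonemap(SAMPLE)).items():
        for host, proto, zone in rows:
            print(f"{bucket:10} {host:28} {proto:6} {zone}")
```
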