smithfraud-c won't go away


always-learning
19 Dec 2005, 2:15am
Hello.
First of all, thank you in advance for any assistance on spyware removal. Your services are much appreciated. This spyware stuff is maddening.

I had picked up the Smitfraud-C problem, which was confirmed by Spybot SD version 1.4.

The Short-Media post from Buckeye_Sam of 5-12-2005 7:35pm described my problem...a constant alert to send me to a website selling their spyware removal software. Also, a program called SpyAxe seemed to install itself into my computer.
Well, I didn't click on their message. But I did follow Buckeye_Sam's techniques in that post.

While I was lucky enough to get rid of the "spyware present" message on my screen, and in my program bar, Spybot SD is still indicating the presence of Smitfraud-C. It finds it, but is not able to remove it. I have run it both in normal mode, and in safe mode. Same results....it finds it but cannot remove it.

I always have Norton antivirus (ver 10) running. This Smitfraud thing blew right past it. After my attempted cleaning, I have also used Adaware, and PC Tools version 2.0.1.25. None of these even see this Smitfraud.....they show my computer is clean. Only Spybot sees it.

Since I am not getting that message anymore, is it even possible that what Spybot is finding is only remnants of the prior infection? Maybe I'm truly clean?

One thing that I have not tried is the Microsoft antivirus program. I see in my Hijackthis log that a mention of that program popped up. I tried that program several months ago, but have since uninstalled it. At least I think I uninstalled it. I didn't think of trying it before now.

I have been fighting this for quite a few days, and am at wits' end. If anyone can offer any help, I would really appreciate it.

Thank you for your time. I look forward to hearing any other removal techniques.

Here is the detection message from Spybot, and also the HijackThis log:

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-3500907897-1366934796-870614205-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\free-spy-cam.net\*!=W=4

Logfile of HijackThis v1.99.1
Scan saved at 8:38:37 PM, on 12/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\DOCUME~1\ALLUSE~1\DOCUME~1\SHARED~2\WinZip\winzip32.exe
C:\Program Files\A More Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.postgazette.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\AMOREP~1\SpyBot\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {E661209C-9652-4053-922F-BB4A0626668A} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E661209C-9652-4053-922F-BB4A0626668A} - (no file) (HKCU)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124408103187
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - c:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe

Trogan
19 Dec 2005, 2:41am
SpyBot is finding False Positives. Your log doesn't show any of the infections you once had. :)
--

Your log is mainly clean, just one entry to remove.

Check the following in HJT and click 'Fix Checked'


R3 - Default URLSearchHook is missing
--


Are things alright now?
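A way to triage a HijackThis log like the one posted above, as an added example that is not part of the original thread: it groups scan entries by section code and lists the ones HijackThis itself marked as pointing to nothing ("is missing", "(file missing)", "(no file)"), which are typically leftovers of removed software. The function names are hypothetical and the sample is a handful of lines copied from the log above; a missing-file marker is a prompt to look at the entry, not a malware verdict.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.postgazette.com/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {E661209C-9652-4053-922F-BB4A0626668A} - (no file) (HKCU)
O20 - Winlogon Notify: NavLogon - c:\WINDOWS\system32\NavLogon.dll
"""

# A scan entry is "<letter><1-2 digits> - <detail>", e.g. "O9 - Extra button: ...".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Markers HijackThis appends when the referenced file or value does not exist.
ORPHAN = re.compile(r"\((?:file missing|no file)\)|\bis missing$", re.IGNORECASE)


def parse_entries(log_text):
    """Return (code, detail) tuples; header and process-list lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def group_by_code(entries):
    """Map each section code (R0, O4, O9, ...) to the list of its entries."""
    grouped = defaultdict(list)
    for code, detail in entries:
        grouped[code].append(detail)
    return dict(grouped)


def orphaned(entries):
    """Entries whose target HijackThis reported as missing: review candidates."""
    return [(code, detail) for code, detail in entries if ORPHAN.search(detail)]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for code, details in group_by_code(parsed).items():
        print(f"{code}: {len(details)} entr{'y' if len(details) == 1 else 'ies'}")
    for code, detail in orphaned(parsed):
        print("REVIEW", code, "-", detail)
```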

always-learning
20 Dec 2005, 4:05am
Hello.
I fixed that item via Hijackthis as you indicated.
I was able to manually delete that particular entry in my registry that was indicated by Spybot as containing the Smitfraud-C reference. Subsequent scans by Spybot are not turning up the Smitfraud message anymore!
Things look great!
It has been suggested that I use the Tea Timer, and start to use the Firefox browser to perhaps avoid this sort of problem in the future. I will do that unless you see a problem. I think I read that Spybot will protect that Firefox also.
Thank you very much for reviewing and advising on my situation. I was at wits' end, and appreciate the help.

Trogan
20 Dec 2005, 4:14am
Yes, Firefox is an excellent browser and is more secure than IE which means less infections. SpyBot's TeaTimer is also good protection.

SpyBot will always work no matter your browser :)
--


Link for Firefox:
http://www.mozilla.com/firefox/


How to enable SpyBot's TeaTimer:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Check "Resident TeaTimer" and OK any prompts
5) Exit SpyBot
--


Now that your PC is clean you need to follow these easy steps to keeping it this way:

Secure your Internet Explorer by going here (http://bshagnasty.home.att.net/browsersettings.htm) and following the instructions there.

Better yet, use an alternative browser! Download FireFox (http://www.mozilla.org/products/firefox/) and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera (http://www.opera.com/download/) which in my opinion, is better still.

Use a firewall to help prevent your PC's control being usurped by undesirables.

Install and keep updated, Ad-Aware SE, (http://www.lavasoftusa.com/software/adaware/) and Spybot S&D. (http://www.computercops.biz/zx/phoenix22/spybotsd13.zip)
Run them both on a regular basis, following the manufacturer's recommendations.

Install and keep updated, SpywareBlaster 3.4 (http://short-media.com/download.php?dc=69)

Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.

Check for Windows Updates. (http://windowsupdate.microsoft.com/) Microsoft regularly posts updates for your system's safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.


Clear your Temp folders.
Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel > Internet Options.
Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here. (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

Empty the Recycle Bin.

For XP users.
After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.

Go to Start>Run and type msconfig. Press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.

Check the box labelled 'Turn off System restore'.

Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

Note that all previous restore points will be lost.

===============

If you have any more problems, post back.



always-learning
23 Dec 2005, 3:25am
Hello.

Thanks for your advice.

Is it OK to run that SpywareBlaster 3.4 and Spybot's TeaTimer at the same time?

I downloaded it (spywareblaster), but have not installed it yet. I have performed all the cleaning that you had indicated, restarted the restore process, have teatimer running, and have started to use Firefox.

((PS. I almost made it to London this past October for a business trip. We were going to stay in the Cambridge University area. Unfortunately it was cancelled 5 days before we were to leave. I was looking forward to that trip. Maybe someday I will have another chance.))

Trogan
23 Dec 2005, 3:39am
Yep, it's perfectly fine to run SpywareBlaster and SpyBot's TeaTimer together.

Have a good time IF you do come back to London...


Can I mark this resolved?

always-learning
23 Dec 2005, 3:23pm
> Yep, it's perfectly fine to run SpywareBlaster and SpyBot's TeaTimer together.
>
> Have a good time IF you do come back to London...
>
> Can I mark this resolved?


Yes. Thanks for your help.

Trogan
23 Dec 2005, 3:41pm
Done! :thumbsup: