i want to get rid of smithfraud.c

The READ ME FIRST states:

 

Did they find anything?

Attach a new HJT log for BJ to look at when he gets back!

 

I think you should attach the log from Spybot too. This one sounds like it could be some registry entries that must be fixed.

 

Spybot produces a log of what problems it finds when it runs a scan. That is what we need to see.

Normally it is named: SpybotSD.Results.txt

 

Download the attached zip file and extract the fixdSF.reg file from it to your desktop and then follow the steps below.

Then double-click on the fixSF.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.


Then reboot your PC and run a new scan with Spybot. Let me know how things look.

Note the below item in Spybot is not a problem:

Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

 

I would not run it. At least not without verifying that they actually sent it to you. And also ask them if it is still happening since you have already been working on cleaning things. What was the name of the attached file? I

 

I know what Microworld is but I do not know what "spyware free online scan " is?

It would be better if you posted the logs. Also since they do not clean anything, run Ewido which you already seem to have installed.

• Launch ewido, there should be an icon on your desktop double-click it.
• The program will have a window come up. One of the buttons on the left is to Update. Click the Update button.and then Start the Update. The update will start and a progress bar will show the updates being installed.
• After it completes the update, click the Scanner button

Now exit Ewido. Now print the below instructions or save them locally because I want you do have no browsers opened and also have no connection to the internet (unplug your cable) while doing the below.

Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

Open up Ewido and do the following:

• Click on Scanner
• Then click Settings
• Under What to Scan? Select Scan every file
• Then click OK
• Click on Complete System Scan and the scan will start.
• Let the program scan the machine

While the scan is in progress you will be prompted to clean files that are infected. Leave the defaults selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

• Click Save report
• Save the report to your desktop or anyplace you will be able to find it to upload here.

Since you also have SpySweeper installed, I would also suggest running a full scan withit while in safe mode. Save its log too.

Reboot into normal mode and reconnect to the internet.

Come back here and post the Ewido Scan Report and the log from SpySweeper.
Also post (you will need a second message) the log from Microworld.

 

Your welcome! Never trust messages like this. Even if they look valid, they should be questioned first.

 

Okay! Looks like everything is in pretty good shape now. Are you having any other malware problems?

 

Most of what you posted in the summary appears to be false positives. Some point to files related to your NBA game just because the filename is the same as that of malware. That is poor programming on Microworlds part. I would not be too concerned about them. What version of the scanner are you running?

But just as a safety net, try scanning and fixing problems using the below (save a log to post too):

Spy Sweeper

 

You're welcome! You can uninstall SpySweeper if desired or keep it (it's up to you). I find it to be pretty good.

Okay so other then what Mircoworld was saying, how is everything working?
If everything is working well then you should work through the steps in the below sticky:

How to Protect yourself from malware!

 

Read the end of message # 12 again!

 

Okay! That registry was also mentioned in your Mircoworld log and I thought maybe it was a false positive related to all the stuff for:

C:\Documents and Settings\utilisateur\Mes documents\nba live 2004

Is this a legal copy of this game? Or did you install a cracked illegal version from somewhere? This program may be the source of your infection and may have to be uninstalled. According to Microworld the below registry key and files should be deleted.
However again, I have to emphasize that it is possible that the file being named could be legit and just part of that game. If the game is legal, I would be less concerned. Even the last index.html file seems to be legit from Dell. But the two registry keys are more than likely from Cydoor and should be deleted. Tell me what you would like to do.


HKEY_CLASSES_ROOT\interface\{ce9b37ec-d243-47a2-83db-3a8350175193}
HKEY_LOCAL_MACHINE\software\classes\interface\{ce9b37ec-d243-47a2-83db-3a8350175193}

C:\WINDOWS\DOWNLO~1\conflict.1
.
C:\WINDOWS\system32\start.cdi

C:\Documents and Settings\utilisateur\Application Data\opera\opera\profile\toolbar

C:\Documents and Settings\utilisateur\Mes documents\nba live 2004\saves\001\settings.dat

C:\Documents and Settings\utilisateur\Mes documents\nba live 2004\saves\002\settings.dat

C:\Documents and Settings\utilisateur\Mes documents\nba live 2004\saves\005\settings.dat

C:\Documents and Settings\utilisateur\Mes documents\nba live 2004\saves\006\settings.dat

C:\Documents and Settings\utilisateur\Mes documents\nba live 2004\saves\007\settings.dat

C:\Documents and Settings\utilisateur\Mes documents\nba live 2004\saves\008\settings.dat

C:\Documents and Settings\utilisateur\Mes documents\nba live 2004\settings\settings.dat

C:\Documents and Settings\utilisateur\Local Settings\application data\dell\solutioncenter\index.html

 

Okay! Well according to a few sources the below registry keys are from CYdoor


HKEY_CLASSES_ROOT\interface\{ce9b37ec-d243-47a2-83db-3a8350175193}
HKEY_LOCAL_MACHINE\software\classes\interface\{ce9b37ec-d243-47a2-83db-3a8350175193}

But I find it rather strange that at the same time, your scans are also picking up Cydoor in a bunch of other places. If we remove these registry keys and they are related to your game, it could break the game. You could do a registry backup first, and then fix them. What would you like to do?

 

Are you sure you ran Ewido as directed earlier? You said it came up clean. Ewido normally detects and removes this. It will find it as something like:

HKLM\SOFTWARE\Classes\Interface\{CE9B37EC-D243-47A2-83DB-3A8350175193}\ProxyStubClsid32\\ -> Spyware.P2PNetworking : Cleaned with backup

 

OK! Are your Ewido detections up to date?

Let's backup your regstry. Download, install, and run: Erunt to make a backup. Then if necessary we will delete those registry keys.

 

Okay! But did you use Erunt to backup your registry. If so, do the below:

Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixcyd.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixcyd.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes

Now see if your scans are clean!

 

Click File, click Save As, and then in the next window there is box labeled "Save As Type" change this to All Files. Otherwise instead of getting a filenamed fixcyd.reg you will get fixcyd.reg.txt which cannot be merged into the registry by double clicking on it.

 

Are 'go' and 'mo" abbreviations you use in France for kb (kilobyte) and mb (megabyte)?

I'm not sure what you are seeing in your Google folder. I do not use it but I'm not sure why they would be downloading files there. What it the Google folder for? Is there for Google Toolbar?

 

Okay! So you use the term octets instead of byte.

If you do not know what these files are, I would suggest uninstalling Google Toolbar for now and deleting that folder. You can always reinstall later.

 

Okay! Let me know the results of trying what I gave you in message # 36.