SpyBot beta-includes 21 Nov: maybe FP SearchSquire
FanJ
November 22nd, 2003, 10:49 AM
Also posted at the SpyBot S&D forum at Netintegration.
Maybe there is a false positive by SpyBot (I use version 1.2) with the beta-includes def's from 21 Nov 2003.
It found this key:
SearchSquire: Domain settings (Register sleutel, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchsquire.com
Looking at the key, it is:
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchsquire.com]
"*"=dword:00000004
I have the feeling this key is coming from IE-SPYAD, but looking at ie-ads.reg I see:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchsquire.com]
"*"=dword:00000004
So the keys are almost the same, except for this difference:
[HKEY_USERS
[HKEY_CURRENT_USER
I have to admit that I don't know whether the first key is nevertheless coming from IE-SPYAD.
If someone could tell me that: please ;)
PS: system is Windows 98 SE Dutch.
FanJ
November 22nd, 2003, 12:53 PM
The thread is at the SpyBot-forum at Net-Integration, section SpyBotS&D beta, thread Beta detections 11/21.
It is reported by another user (with IE-SPYAD) too.
FanJ
November 23rd, 2003, 12:58 AM
and more reports at the thread there "False scan result, SEARCHSQUIRE.COM".
So, let's wait till Pepi has the opportunity to look at this.
Detox
November 23rd, 2003, 03:51 AM
hmm, come to think of it, I didn't install IE-spyad after my last OS reinstall.
Regardless, I've nothing but confidence that Pepi will fix it all up ;)
FanJ
November 23rd, 2003, 09:18 AM
Quoting Detox:
"Regardless, I've nothing but confidence that Pepi will fix it all up ;)"
I agree, Detox ! ;)
eburger68
November 23rd, 2003, 07:10 PM
FanJ:
I don't know where that HKEY_USERS\.DEFAULT searchsquire.com value is coming from. It shouldn't be coming from IE-SPYAD; IE-SPYAD adds all of its new entries to HKEY_CURRENT_USER .
One thing to check: open RegEdit and go to the following location:
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
Export the entire key and let us know what other values are in there, if any.
Best,
Eric L. Howes
FanJ
November 23rd, 2003, 09:53 PM
Hi Eric,
First of all: thanks for answering !!!
I have a huge list of entries in:
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
I still have to decide whether that list is the same as in:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
At the moment I don't know what is causing this.
Maybe it is better to give you my private email-addy.
I will send you an IM, so we could talk about it further via email.
Best regards, Jan.
FanJ
November 23rd, 2003, 10:51 PM
Hi Eric and others who are interested,
I exported both reg-keys to a reg-file.
Then I opened both in Wordpad and saved them as text file.
To give you an idea, I give the first entries of both:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
@=""
"*"=dword:00000004
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
@=""
"*"=dword:00000004
In both text documents I deleted the first parts of the entries:
[HKEY_CURRENT_USER\
[HKEY_USERS\.DEFAULT\
So in above example I got this:
Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
@=""
"*"=dword:00000004
Then I saved the text files.
Both files have now exactly the same size.
Then I compared both text files using the comparing tool BeyondCompare.
Both were exactly the same.
Conclusion:
For some reason I have the same reg-entries stored in two different registry places.
I thought that others might be also interested; that's why I posted this.
Hi Eric,
Thanks for your email !!!
Further now via email.
I'll reply in a few minutes with the attached ZIP.
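The comparison described in the post above (export both keys, strip the hive prefix, compare the results), as an added example that is not part of the original thread: a Python script that parses two REGEDIT4 exports, normalises the hive root, and reports keys or values that differ. The sample exports, the `example.invalid` domain and the function names are constructed for illustration.

```python
import re

# Hive roots stripped so both exports share the same relative key paths.
HIVE_ROOTS = ("HKEY_USERS\\.DEFAULT\\", "HKEY_CURRENT_USER\\")
KEY_RE = re.compile(r"^\[(.+)\]$")
BASE = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains"

# Constructed sample exports; "*"=dword:00000004 maps a domain to zone 4 (Restricted sites).
HKCU_EXPORT = f"""REGEDIT4

[HKEY_CURRENT_USER\\{BASE}\\searchsquire.com]
"*"=dword:00000004

[HKEY_CURRENT_USER\\{BASE}\\example.invalid]
"*"=dword:00000004
"""
HKU_EXPORT = HKCU_EXPORT.replace("HKEY_CURRENT_USER", "HKEY_USERS\\.DEFAULT")

def parse_reg(text):
    """Parse REGEDIT4 export text into {relative_key: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            path = m.group(1)
            for root in HIVE_ROOTS:
                if path.upper().startswith(root):
                    path = path[len(root):]
                    break
            # Registry key names are case-insensitive, so compare lowercased.
            current = keys.setdefault(path.lower(), {})
        elif current is not None and "=" in line:
            # Assumption: ZoneMap value names ("*", "http", ...) contain no "=".
            name, data = line.split("=", 1)
            current[name.strip()] = data.strip()
    return keys

def diff_exports(a_text, b_text):
    """Return (keys only in A, keys only in B, shared keys whose values differ)."""
    a, b = parse_reg(a_text), parse_reg(b_text)
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    changed = sorted(k for k in set(a) & set(b) if a[k] != b[k])
    return only_a, only_b, changed

if __name__ == "__main__":
    print(diff_exports(HKCU_EXPORT, HKU_EXPORT))
```

Three empty lists mean the two hives carry identical ZoneMap entries, which matches the result reported in the post.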
eburger68
November 25th, 2003, 11:48 AM
Hi All:
I've been doing some testing with IE-SPYAD to figure out why IE-SPYAD's entries were being added to this location:
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
...in addition to the default location:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
The short answer is: that's the way Win9x behaves, and there's not much I can do about it.
See this thread at DSLR/BBR for a more complete discussion:
http://www.dslreports.com/forum/remark,8600137~root=security,1~mode=flat
Best,
Eric L. Howes
FanJ
November 25th, 2003, 07:16 PM
Hi Eric,
I sincerely apologize to you !
I promised you to do some testing.
Due to personal circumstances I simply didn't have the energy to do more than only a few postings.
I know that I failed.
And I also promised someone else to do some (completely other) testing, a while back. And I didn't do that either.
It's me and only me who is to blame here :-[ :'(
Please accept my apologies !
Best regards, Jan.
Copyright ©2002 - 2010, Wilders Security Forums