Network1.Popups & about.com

Hi, Yesterday I ran PestPatrol & network1.popups (adware) & about.com (tracking cookie) were found. Why didn't RegDefend 2.0 (paid version) notify me of these two items, wanting to write to the registry? PestPatrol states that "autorun" portion of the registry, is scanned & items relating to the above were removed. I'm using RD ver 2.001 with configuriation of "RD Standard."

Thanks
rico

 

Hi rico,

Of the various registry modifications done by Network1.Popups, the standard rules would only have alerted you to two:

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run seeve
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run sixtysix

Do your RD logs show anything similar? Were you actively infected, or was PestPatrol removing remnants from a previous infection? Your PestPatrol logs should tell you exactly what actions it had to take. Is it possible that those registry values existed before you installed RD? Just looking for more info...

Regarding tracking cookies, the registry does not store cookies. It only stores cookie settings such as paths to the various folders on your system that store cookies.

Nick

 

Hi Nick,

Thank you for taking the time to respond. Previous scans with PP did not show Network1.popups until 10-03-05. Prior to that 9-30-05 PP found something, not network1.popups: From PP log:

Key "hkey_current_user \software\microsoft\windows\currentversion\internet settings\zonemap\domains\media-motor.net"
Key "hkey_current_user \software\microsoft\windows\currentversion\internet settings\zonemap\domains\popuppers.com"

these two entries were removed by PP, & are was called network1.popups.

I sure do not remember seeing this from an RD alert. I'll have to pay closer attention.

Should an alert from RD occur, can you ignore the 'allow/not allow' & do a google search, then come back & answer? RD would be nicer if it had a search feature. Are the two entries above detected by PP something RD should have alerted me to? Perhaps I'll try RD's registry test, see how she does.

Thanks
rico

 

Hi rico,

Those look like remnants from a failed (or possibly previous) infection. Fortunately, it looks like Network1.popups was not active, or at least not autostarting. The standard rules will not alert you to changes to the above keys. You would have to create a rule to guard those.

Nick

 

Try creating a rule that looks like this...

 

Hi Nick

Can remnants be missed on a scan then be picked up later? 9/30/05 PP did not find 'network1.popups'. Then on 10/03/05 it was detected? Are there some rules I should add? If so how do you add them?

thanks
rico

 

Looking at it more closely, HKEY_CURRENT_USER\...Internet Settings\ZoneMap\Domains contains IE's restricted domains, probably put there by another security app. Could very well be a PP false-positive, similar to hosts file false-positives.

Nick

 

I've seen this happen with a couple different "antispyware" scanners. They often falsely detect and remove an entry in the restricted zones portion of the registry for IE.

As Nick is saying some other security app you use, placed those entries there to force IE to use the Restricted Site Zone for those internet addresses.

Last time I tried MS Antispy beta it also falsely detected some entries there and wanted to remove them. I always find those false positive removals ironic, since those entries are there to protect IE.

Nothing like having your antispyware scanner get confused and remove some of your protection!

 

Hi Nick & Rick,

I think PP found the false positive, from IE Spyad. Note on 10/3/05 I installed the new version of IE-SpyAd. When I looked at the IE-ads.reg file, I noticed the 'zonemap' in its registry line.

Next, I've contacted tech. support for PP & saved the PP log + copied this thread, to send to tech. at PP.

Next, I was not sure all the entries from IE-Spyad were in my restriced sites. They talk about some XP users sometimes don't get a long list in the restricted zone, so after 10/3/05 I un-installed IE-SpyAD & installed IE-SpyAd2. Hence what PP took away, I think I've replaced. And contacted tech at PP.

Thank
rico

ps I'll post outcome of PP support

 

Hi rico,

The important thing to look for in the individual \Domains keys is a value of "4", which corresponds to the Restricted Sites zone. Zones, trusted to restricted (0-4), are defined in other registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

Perhaps PP spotted a value other than "4" for the Network1.popups domain. Can't say for sure what PP is doing, but with the proper rules in place, RD will alert you to any tampering with those keys (by malware or trusted apps).

Nick

 

There are a lot of security tools and pop up blockers that put addresses into the restricted sites zone, some on a massive scale. So if you use RegDefend to prompt for changes and additions there, be prepared to get prompted to death if you update an app that does this. But you'll quickly find out which apps update this section!

But settings can be 0,1,2,3 or 4 depending upon the security zone you (or something else) placed it in.

This link at MS ( http://support.microsoft.com/default.aspx?kbid=182569 ) explains these registry settings well.

 

i see the same network1 regkey alert when i use ca's online spyware scan, and another regkey alert when i use trendmicro's online spyware scan.. i am pretty sure that those items come from installing "iespyad".. if you want to test, uninstall iespyad, then reinstall it.. you should get some alerts from regdefend showing you that those keys are being created when installing iespyad..

 

Hi Redwolfe,

Now I'm using IE-Spyad2, & with yesterday's PP update I did not get anything from PP. So either PP fixed its own FP or IE-Spyad2 is a viable work around.

Geez! I'm still waiting for tech. support from PP to respond. PP is slow to respond via email support.

Take Care
Rico