Hello All,

As some of you may have seen in other posts I have done in this forum, I just recently reformatted my computer (as in a few days ago). I practice very safe surfing so this, to me, is crazy and I need to understand how this is happening. I am at a loss right now. In any event, I just ran some scans with Ad-Aware, Spybot S&D, and MSAS. So to get to the point, Lavasoft's Ad-Aware found 518 critical objects, of which 512 are in my registry! Spybot found only one thing and MSAS found nothing. I have very few programs installed at the moment, but I am a bit freaked out by all this. In any event, the most activity seems to be picked up by Ad-Aware (strangely enough), as normally Spybot and MSAS seem to pick up more stuff.

The Ad-Aware scan reveals that there have been a LOT of entries made to my registry under this key:

HKEY_CURRENT_USER:Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

Of which there are a TON of entries to sites that do not look good, to say the least.

I currently have installed on my system:
Analog X Script Defender
ATI Catalyst 5.1 Drivers
BOClean
Cacheman
CCleaner
Creative Soundblaster Live! sound drivers
Driver Cleaner Pro
NOD32
Ad-Aware
MSAS
Microsoft Bootvis
MS Office 2003 Pro
Mozilla Thunderbird
Mozilla Firefox
Quick Time
Spybot S&D
Spywareblaster
Spywareguard
Total Uninstall
WinRar
MSN Messenger 7.0
Using HpGuru's HOSTS File

And that is about it aside from my Data and Games (mostly Steam related) on a separate partition. The only other thing that I can think of is that I used a program called "Safe XP" which is supposed to help lock down your system. But now it makes me wonder. I have only used IE to get Critical Updates and that is it. ALL of my surfing is done with FF exclusively. I did not get ANY WARNINGS regarding browser hijack attempts (as this scan states that I had) from MSAS, Spywareguard etc., as they are resident protection on my pc right now.
So in any event, should I get rid of all this crap from my pc? Could Ad-Aware be reporting false positives? Or is Ad-Aware that much better than the other two, Spybot and MSAS? I am going to upload a text file with what was found during this scan. If some of you guys could please help me with this it is much appreciated. Also if you know of any programs aside from what I have that will protect me from this, please let me know as I am ready to drop some money down now. The strange thing is that scans on my other PCs were fine; it was just this one, which I used Safe XP on. I wonder if there is some junk in this program. Thanks in advance for any/all replies and help. Best Regards, Jag

PLEASE NOTE: I could not post the whole file as I am only allowed 100k for a text file upload and my file size was 111k. So I deleted out some of it so it would allow me to post it here so that you guys could see it. Thanks.
Hi Jag, The first two entries are fine, they're the result of using Spybot's IE tweaks to restrict changes in IE. As for the others, use regedit to navigate to those keys (i.e. HKEY_CURRENT_USER:Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\0190-dialer.com). The D-Word Value should be 4 ... A value of 4 indicates that the site is set in IE's restricted zone, which is correct. A value of 2, however, indicates that the site is set in IE's trusted zone, which would need to be corrected/fixed. HTH, Steve
Hi Steve, There are so many entries however. It seems that some of them are listed with a value of 4 as you said (and can be edited), while other keys are just coming up as Invalid DWORD value and are not able to be edited. Do you think I should just remove them all? Or, should I just reformat Windows yet again? I'm a bit freaked out, esp. since only one of the three pieces of software I have found all of this, that being Ad-Aware, the one piece of software that in the past for me has not found much. I am now also questioning the capabilities of MSAS. Either that or it does not watch over those registry keys. In any event, I'm still thinking reformat, but what do you (or any others) think? What would you do if you were in my shoes? Also, to help stop this in the future (since none of my current programs did), what would be a better defense against something like this? Process Guard, RegDefend, or something else entirely? Thanks so much for getting back to me so quickly. Regards, Jag
Just run Spyware Blaster and Spybot (Immunize feature) again and they'll re-write those entries. - Then all will be listed with a Dword of 4 - My guess is maybe MSAS tried to "fix" those entries previously, which shouldn't have been "fixed" at all, and would be a F/P on whatever scanner "corrected" those (my guess is MSAS). When you open Spyware Blaster, you should see some items aren't protected now; same with Spybot's immunize feature, if you run its check feature, not all items will be protected against. Just enable all protections in Spyware Blaster, and run the immunize feature of Spybot, to correct what's been done. If you then update MSAS and run another scan, and if it picks up those items again - set it to ignore them, otherwise you will continually run around in this circle. Don't worry, there is absolutely nothing wrong with your computer, everything is fine. Steve
Those Domain entries most likely were placed there by SPYWAREBLASTER = restricted zone = enabled; normal behavior.
Hi Steve, OK I did what you said and I think the culprit is Spybot. When I went into Spywareblaster, everything was still "enabled". When I went into Spybot's immunize feature, there were only 14 "protections" missing. So I re-immunized my machine and within seconds, MSAS popped up a warning that a certain site (which looked like a bad one) was trying to get into my "trusted zone". I blocked the request of course. Re-ran scans and everything is coming up clean. So I think the culprit is Spybot. The strange thing is it only happens on this one PC on my home network; on the other two this problem does not occur. I wonder if anyone here has ever had this problem? Thanks for your help with this, I think I am going to do some more snooping around. Regards, Jag
Actually....if my hunch is correct....it's MSAS that is erroneously burping....and it is the culprit. Please take a look at the below thread....and see if that is what you are experiencing. Also....do you recall what site it was that you blocked....or if you do not recall....look in MSAS\View Blocked Events....as described in this post. Possible related thread---> SpyBot S&D v1.4 and Microsoft Antispyware clash?
Hello Bubba, Thanks for chiming in on this. Here is the key and site in question that I chose to "block" in MSAS. Registry Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blue-elefant.com Why would Spybot add that into the trusted zones list of sites? Or is MSAS, as you say, burping and thinking it's trying to put it there when actually it is not? I have not chosen to remove it as of yet until I hear back with your suggestions. Best Regards, Jag
It's not....it's properly adding it as an IE Restricted Zone site. Yes....MSAS is burping and thinking a site is being added to the Trusted Zone. This is not the first time MSAS has burped wrongly in regards to this....and the site varies from time to time....but is usually reported and a database\sig update fixes that particular URL problem eventually. While I do not feel this should be viewed too negatively by those that at least visit Forums such as this....my concern is for those millions of less knowledgeable that would not know to ask about such warnings....thereby disabling a valid Security protection entry. FYI....this URL you are concerned about is also listed in Eric Howes' IE-Spyad database. I just now enabled MSAS's Real-time Protection\Application Agents (which controls this)....and then added IE-Spyad. One of the sites MSAS burped on was blue-elefant.com
Hi Bubba, Thanks for your response on this one. I just double checked my ie-spyad as well and indeed see it listed. It is also in my HOSTS file (Hpguru's, to be exact). So in this case, I would say that MSAS did the right thing, correct? I mean if it's listed in iespyad AND Hpguru's HOSTS file it has got to be a bad site. Regards, Jag
No....MSAS did not do the right thing! It is saying that Spybot is attempting to add an entry to your Trusted Zone....when in fact Spybot is actually attempting to correctly add the bad site to the Restricted Zone....and MSAS is wrongly warning you of this fact with its pop-up. Where am I failing in getting the light to turn on?
No, M$AS is still doing the wrong thing ... it isn't differentiating between Dword values ... What you do want is it listed in your Domains key in the registry as a restricted site = Dword value of 4 - which, with IE's zones set up properly, will heavily restrict what the URL can do. If it was listing it in the trusted zone = Dword value of 2 - then M$AS would be doing the right thing. But this isn't the case, as it is being set with the Dword value of 4 ... so it's a False Positive on the part of M$AS. This all becomes a moot point because, as it's listed in your hosts file, you couldn't ever access that site anyway, as the hosts file redirects any outbound request for any URL listed in it as a loopback to your computer (127.0.0.1). But nonetheless M$AS shouldn't be doing what it's doing in this case. Steve PS. Thanks Bubba ... for continuing on for me while I was in transit from work. EDIT: @ Bubba - Oops, I guess I was creating this post as you posted. Sorry my friend. You carry on.
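Steve's rule from the posts above (a Domains entry with a DWORD of 4 is in the Restricted zone and fine, a 2 is in the Trusted zone and needs fixing, anything else shows up as an invalid value) turned into a check script. This is an added example, not code from anyone in this thread: it parses a `reg export` of the ZoneMap\Domains key and lists the hosts that are not set to 4. The .reg text is a constructed sample; example.test and broken.test are placeholder hosts, 0190-dialer.com is the key named in the thread.

```python
import re

ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
DOMAINS_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap\Domains")
KEY_RE = re.compile(r"^\[(.+)\]$")          # [HKEY_...\Domains\host]
VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')  # "*"=dword:00000004

def parse_zonemap(reg_text):
    """One record per (host, scheme) value under ZoneMap\\Domains; zone is an
    int for a well-formed REG_DWORD, else None (regedit: 'Invalid DWORD value')."""
    records, host = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            path, host = key.group(1), None
            if path.lower().startswith(DOMAINS_KEY.lower() + "\\"):
                # Domains\example.com\www is the entry for www.example.com
                parts = path[len(DOMAINS_KEY) + 1:].split("\\")
                host = ".".join(reversed(parts))
            continue
        val = VALUE_RE.match(line)
        if host and val:
            scheme, raw = val.groups()
            m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
            zone = int(m.group(1), 16) if m else None
            records.append({"host": host, "scheme": scheme, "zone": zone,
                            "zone_name": ZONE_NAMES.get(zone, "invalid")})
    return records

def needs_review(records):
    """Hosts not set to 4 (Restricted sites, what SpywareBlaster/Spybot write):
    a 2 (Trusted sites) or a malformed value is what actually needs fixing."""
    return [r["host"] for r in records if r["zone"] != 4]

# Constructed sample in 'reg export' format (not a real dump); example.test
# and broken.test are placeholder hosts, 0190-dialer.com is from the thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\0190-dialer.com]
"*"=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test\www]
"http"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\broken.test]
"*"=hex:04,00
"""

if __name__ == "__main__":
    print(needs_review(parse_zonemap(SAMPLE_REG)))  # ['www.example.test', 'broken.test']
```

On a real machine, feed it the output of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" domains.reg`; a long list of hosts at 4 is the immunization working, and only the hosts it prints deserve a look.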
Thanks to both of you. You have been of great help. Part of the reason why I was not getting this, Bubba, is twofold. 1. Lack of sleep. 2. Drinking last night. Normally this is not something I would get so confused over. But I think the two things I mentioned above are why. I was thinking that Spybot (or w/e else it could be) WAS trying to add something to the trusted zone and MSAS was preventing it. Sorry it took me so long to get what you meant. I know I am not allowed to post HJT logs here, but I did notice some strange things regarding zones showing up in a HJT log scan of this pc. I wonder if it would be safe to have HJT delete these registry entries. Obviously I will not post what it is here, but I am thinking that they must be a part of it. Basically there are some O15 entries stating that things should be in the Internet Zone, whereas right now HJT is saying they are in the My Computer zone. Again, I thank the both of you tremendously for your help with this. And I apologize if I wasted your time with things and me taking 10 years to understand what you are both stating to me. Also if you need to delete the part about my question regarding a HJT log, feel free to delete it. Thanks, Jag
No trouble Jag, If you aren't certain you understand we can try and explain it again. The most important thing is that you understand what is happening. We can explain some more if needed. ~No Worries~ O15 entries in HJT are Unwanted sites in Trusted Zone ... normally, if you didn't add the listed domain to the Trusted Zone yourself, have HijackThis fix it. I wouldn't suggest you fix anything yourself; please post a HJT log @ Castle Cops and have an expert review your log to see if anything is wrong. Please read their Guidelines Before Posting. I'm not sure who your ISP is, but AOL does tend to add in O15 entries; but as it's a new install I'm sure there isn't anything too wrong, if at all. Post your log there, and keep us updated here. If there is anything, once removed we can advise you on further protections to prevent it (if anything) in the future. Steve
Been there....done it....with a t-shirt. If it's similar to the example below....you really need to let HJT fix that....and also suggest you post a HJT log to one of the sites listed below....and post it for analysis. Whichever site you decide to go to, please be sure and follow their posting policy before you post your HijackThis log: CastleCops.com, Net-Integration.net, SpywareInfo.com, Gladiator-Antivirus.com.

This example?

O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)

With that improper setting....any time you surf the net....all HTTP security is following what the hidden My Computer Zone settings are at....LOW (almost everything is enabled). No apology needed as far as I'm concerned. It was me lacking the ability to properly convey what I felt was the problem. Bubba
Bubba, That is exactly one of the four entries that I have. Man I guess I had better let HJT do its thing too. I will for sure post my log on one of those forums. Thanks again for all of your help. Best Regards, Jag
You are more than Welcome....and Please keep us in the loop about what they will possibly find....it may help us all.
This may not have anything to do with your problem, unless you used manufacturer supplied RESTORE CDs. Nowadays when I buy a laptop from a manufacturer, I make sure both the restore CDs & just the plain OS CD are included. Why? Without naming names, some hijack your browser with restore CDs. I don't think they add as much spyware as they used to though. controler