Network1.Popups & about.com

Discussion in 'Ghost Security Suite (GSS)' started by Rico, Oct 4, 2005.

Thread Status:
Not open for further replies.
  1. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,692
    Location:
    Texas
    Hi, Yesterday I ran PestPatrol & network1.popups (adware) & about.com (tracking cookie) were found. Why didn't RegDefend 2.0 (paid version) notify me of these two items wanting to write to the registry? PestPatrol states that the "autorun" portion of the registry is scanned & items relating to the above were removed. I'm using RD ver 2.001 with configuration of "RD Standard."

    Thanks
    rico
     
  2. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi rico,

    Of the various registry modifications done by Network1.Popups, the standard rules would only have alerted you to two:

    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run seeve
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run sixtysix

    Do your RD logs show anything similar? Were you actively infected, or was PestPatrol removing remnants from a previous infection? Your PestPatrol logs should tell you exactly what actions it had to take. Is it possible that those registry values existed before you installed RD? Just looking for more info...

    Regarding tracking cookies, the registry does not store cookies. It only stores cookie settings such as paths to the various folders on your system that store cookies.

    Nick
     
  3. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,692
    Location:
    Texas
    Hi Nick,

    Thank you for taking the time to respond. Previous scans with PP did not show Network1.popups until 10-03-05. Prior to that 9-30-05 PP found something, not network1.popups: From PP log:

    Key "hkey_current_user \software\microsoft\windows\currentversion\internet settings\zonemap\domains\media-motor.net"
    Key "hkey_current_user \software\microsoft\windows\currentversion\internet settings\zonemap\domains\popuppers.com"

    These two entries were removed by PP, & were called network1.popups.

    I sure do not remember seeing this from an RD alert. I'll have to pay closer attention.

    Should an alert from RD occur, can you ignore the 'allow/not allow' & do a google search, then come back & answer? RD would be nicer if it had a search feature. Are the two entries above detected by PP something RD should have alerted me to? Perhaps I'll try RD's registry test, see how she does.

    Thanks
    rico
     
  4. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi rico,

    Those look like remnants from a failed (or possibly previous) infection. Fortunately, it looks like Network1.popups was not active, or at least not autostarting. The standard rules will not alert you to changes to the above keys. You would have to create a rule to guard those.

    Nick
     
  5. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Try creating a rule that looks like this...
     

  6. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,692
    Location:
    Texas
    Hi Nick

    Can remnants be missed on a scan then be picked up later? 9/30/05 PP did not find 'network1.popups'. Then on 10/03/05 it was detected? Are there some rules I should add? If so how do you add them?

    thanks
    rico
     
  7. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Looking at it more closely, HKEY_CURRENT_USER\...Internet Settings\ZoneMap\Domains contains IE's restricted domains, probably put there by another security app. Could very well be a PP false-positive, similar to hosts file false-positives.

    Nick
     
  8. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    I've seen this happen with a couple different "antispyware" scanners. They often falsely detect and remove an entry in the restricted zones portion of the registry for IE.

    As Nick is saying some other security app you use, placed those entries there to force IE to use the Restricted Site Zone for those internet addresses.

    Last time I tried MS Antispy beta it also falsely detected some entries there and wanted to remove them. I always find those false positive removals ironic, since those entries are there to protect IE.

    Nothing like having your antispyware scanner get confused and remove some of your protection!
     
  9. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,692
    Location:
    Texas
    Hi Nick & Rick,

    I think PP found the false positive, from IE Spyad. Note on 10/3/05 I installed the new version of IE-SpyAd. When I looked at the IE-ads.reg file, I noticed the 'zonemap' in its registry line.

    Next, I've contacted tech. support for PP & saved the PP log + copied this thread, to send to tech. at PP.

    Next, I was not sure all the entries from IE-SpyAd were in my restricted sites. They say that some XP users sometimes don't get a long list in the restricted zone, so after 10/3/05 I un-installed IE-SpyAd & installed IE-SpyAd2. Hence what PP took away, I think I've replaced. And contacted tech at PP.

    Thanks
    rico

    ps I'll post outcome of PP support
     
  10. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi rico,

    The important thing to look for in the individual \Domains keys is a value of "4", which corresponds to the Restricted Sites zone. Zones, trusted to restricted (0-4), are defined in other registry keys:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

    Perhaps PP spotted a value other than "4" for the Network1.popups domain. Can't say for sure what PP is doing, but with the proper rules in place, RD will alert you to any tampering with those keys (by malware or trusted apps).

    Nick
     

    Attached Files:
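The ZoneMap\Domains layout that Nick describes above, as an added example (this is not code from the thread, from RegDefend, PestPatrol or IE-SpyAd): a Python parser for an exported .reg file of the kind IE-SpyAd ships, which lists the IE security zone each domain is mapped to and flags anything mapped to a zone other than Restricted Sites (4). A Restricted Sites entry tightens IE for that domain, which is why its removal is a false positive; a Trusted Sites (2) or Local Intranet (1) entry loosens it, which is the kind of change worth alerting on. The embedded .reg text is constructed for illustration: the two popup domains are taken from Rico's PestPatrol log, `example-hijack.test` is invented, and the value layout follows the Regedit 5.00 export format rather than any real IE-ads.reg.

```python
"""Classify IE ZoneMap\\Domains entries from an exported .reg file.

Zone numbers are those documented in MS KB182569:
0 My Computer, 1 Local Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted Sites.
"""
import re

ZONE_NAMES = {
    0: "My Computer",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Section header of a ZoneMap\Domains key (either hive); group 2 is the
# sub-path under Domains, e.g. "popuppers.com" or "popuppers.com\www".
DOMAINS_KEY_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\Software\\Microsoft\\Windows\\"
    r"CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\(.+)\]$",
    re.IGNORECASE,
)
# A DWORD value line: "scheme"=dword:00000004 where scheme is "*", "http", "https", ...
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample in Regedit 5.00 format. Domains modelled on the thread's
# PestPatrol log; example-hijack.test is an invented Trusted Sites addition.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\media-motor.net]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\popuppers.com]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\popuppers.com\www]
"http"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example-hijack.test]
"*"=dword:00000002
"""


def parse_zonemap(reg_text):
    """Return a list of (hive, host, scheme, zone) for every ZoneMap\\Domains
    DWORD value in reg_text. A subkey under a domain is a host label, so
    Domains\\popuppers.com\\www is reported as 'www.popuppers.com'."""
    entries = []
    current = None  # (hive, host) for the section currently being read
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            current = None  # any new section ends the previous one
            m = DOMAINS_KEY_RE.match(line)
            if m:
                parts = m.group(2).split("\\")
                # Domains\<domain>\<label> -> <label>.<domain>
                current = (m.group(1).upper(), ".".join(reversed(parts)))
        elif current and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                hive, host = current
                entries.append((hive, host, m.group(1), int(m.group(2), 16)))
    return entries


def summarize(entries):
    """Group hosts by zone name, which is what a scanner's log should be
    compared against before accepting a 'remove' recommendation."""
    by_zone = {}
    for _hive, host, _scheme, zone in entries:
        name = ZONE_NAMES.get(zone, "Unknown zone %d" % zone)
        by_zone.setdefault(name, []).append(host)
    return by_zone


def suspicious(entries):
    """Entries whose zone is not Restricted Sites (4): these loosen IE's
    settings for a domain rather than tighten them, so they deserve a prompt."""
    return [(host, scheme, zone) for _hive, host, scheme, zone in entries if zone != 4]


if __name__ == "__main__":
    parsed = parse_zonemap(SAMPLE_REG)
    for zone_name, hosts in summarize(parsed).items():
        print("%-16s %s" % (zone_name + ":", ", ".join(hosts)))
    print("Non-restricted mappings:", suspicious(parsed))
```

To run it against a live machine, export the key first (for example `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" zonemap.reg`) and read the file with `encoding="utf-16"` if the export is Unicode, which recent versions of reg.exe produce; the parser itself only needs the text.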

  11. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    There are a lot of security tools and pop up blockers that put addresses into the restricted sites zone, some on a massive scale. So if you use RegDefend to prompt for changes and additions there, be prepared to get prompted to death if you update an app that does this. But you'll quickly find out which apps update this section!

    But settings can be 0, 1, 2, 3 or 4 depending upon the security zone you (or something else) placed it in.

    This link at MS ( http://support.microsoft.com/default.aspx?kbid=182569 ) explains these registry settings well.
     
  12. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    I see the same network1 regkey alert when I use CA's online spyware scan, and another regkey alert when I use Trend Micro's online spyware scan. I am pretty sure that those items come from installing "iespyad". If you want to test, uninstall iespyad, then reinstall it. You should get some alerts from RegDefend showing you that those keys are being created when installing iespyad.
     
  13. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,692
    Location:
    Texas
    Hi Redwolfe,

    Now I'm using IE-Spyad2, & with yesterday's PP update I did not get anything from PP. So either PP fixed its own FP or IE-Spyad2 is a viable work around.

    Geez! I'm still waiting for tech. support from PP to respond. PP is slow to respond via email support.

    Take Care
    Rico
     