Restricted sites have no registry value (cannot be removed)

Discussion in 'SpywareBlaster & Other Forum' started by Vanguard, Dec 5, 2005.

Thread Status:
Not open for further replies.
  1. Vanguard

    Vanguard Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    69
    SpywareBlaster 3.4

    Under the Restricted Sites tab, I clicked the option (to check it) for "Restrict the actions ..." which adds a list of sites to the Restricted Sites list in the registry key. However, when this option is disabled, not all of those bad sites are removed from the registry keys. I also went through all the thousands of entries to uncheck them (because of the sucky GUI that doesn't let users select all using Ctrl+A or select some using Ctrl+mouseclick or Shift+mouseclick) and clicked the button "Remove protection ..." but still many bad sites were not removed from the registry.

    I would monitor the following registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

    Under it gets added a registry subkey for each domain, regardless of the security zone in which it is used. A data item under the domain's registry subkey specifies in which security zone it belongs. Okay, so why is SpywareBlaster adding domains that have no data item to define in which security zone it belongs? That is why disabling or removing the domains using SpywareBlaster doesn't remove them all because some don't belong to any security zone.

    I looked at the ones that SpywareBlaster would not remove. These are also not listed in any security zone when using Internet Options -> Security -> Restricted Sites -> Sites (or they refuse to be deleted using that method). What I saw was, for example:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\008i.com

    for the 008i.com domain. In that subkey was defined a default data item (with "*" as the data item's name), as follows:

    data item name = *
    data item value = 4

    The value of 4 means that domain is listed in the Restricted Sites security zone. So then I disabled the Restricted Sites list in SpywareBlaster which removed most but not all domain subkeys and looked at one of those that got left behind. I'd see:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cjb.net

    but it has NO data items defined within that subkey (and, no, the "(Default)" that is shown means no data items are defined in that subkey). So SpywareBlaster will add absolutely useless entries in the registry for domains that end up not being assigned to any security zone. In other words, SpywareBlaster adds "bad" domains which are totally unusable within IE's Restricted Sites security zone - so those sites are *not* restricted!

    Below is a list of the dataless domains added by SpywareBlaster:

    Until this gets fixed, I've had to disable the Restricted Sites list in SpywareBlaster and follow by cleaning up the registry. Before releasing a list of bad sites, perhaps they should actually be marked as bad so they get included in the Restricted Sites security zone - and that means some quality control before releasing the list by scanning each entry in your list to check that a data item is defined that specifies the Restricted Sites security zone.

    Also, when the user disables SpywareBlaster's Restricted Sites option, that doesn't mean all entries will be removed. Could be SpywareBlaster's list has changed since last used so a site listed before is no longer in the list, but disabling the option in SpywareBlaster will not clear out these old remnant registry keys. Either an option should be provided to clear out the list in the registry (and not just for the domains in SpywareBlaster's list) or the user reminded to use Internet Options -> Security -> Restricted Sites -> Sites to check for any remnant sites that should be removed/added.
     
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    All Domains or Sub-Domains designed to be placed in IE's Restricted Zone do contain the proper data value....0x00000004 (4)

    All those entries are Domains keys and were not placed in the registry explicitly for protection. However those Domains have Sub-Domains attached to them. It is the Sub-Domains that have the proper data value for Restricted Sites protection.

    Take for instance 1gb.ru that you are listing. It has its Sub-Domain people which is the actual Restricted Site Spywareblaster is providing the protection for. That is no different than adding a site such as update.microsoft.com only. The update sub-domain will be seen in the registry with a data value but you will not see a data value next to the microsoft.com Domain.

    While it is inaccurate to say there are sites lacking data value in the Spywareblaster database given the above explanation....I'll defer to Javacool for the explanation why all entries placed in the registry by Spywareblaster are not removed. I am not at this time able to find the numerous posts by Javacool where this has been commented to.

    Regards,
    Bubba
     
  3. Vanguard

    Vanguard Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    69
    You are correct in that the remnant domain keys had subkeys for subdomains or hosts under the "bad" domain. I only looked at the *result* of disabling the "Restricted Sites ..." option in SpywareBlaster which left all those domain keys still in the registry.

    Why leave behind the empty domain key (which is not assigned to any security zone) when all its subdomains have been deleted? SpywareBlaster was the culprit that added the domain and the subdomain keys, so SpywareBlaster should be equally responsible to clean out its own entries. It is very sloppy logic to add a key and subkeys and then "cleanup" by only removing the child keys and leave behind the parent keys.

    It is possible that the subkeys were added by some other process than SpywareBlaster. So SpywareBlaster should only remove the parent key if removing its own subkeys results with no subkeys left. However, SpywareBlaster also changes its list of bad sites so an old site included in its list might not be in a later updated list. Just removing the subkeys listed in the current updated bad sites list would result in leaving behind all those old sites not currently in the SpywareBlaster bad sites list. I don't see anything that says SpywareBlaster could not add more data items under a subkey. It uses the star-named ("*") data item to identify under which security zone the bad site belongs ("4" for the Restricted Sites zone). It could also add another data item to identify that it was SpywareBlaster that added the subkey (and it might even hash the value of the string for this data item so hackers couldn't add it to get SpywareBlaster users to accidentally delete those subkeys). So Spyware, regardless of which sites were in its current updated bad sites list, would remove all subkeys in which the [hashed] identifier string showed that the subkey was added by SpywareBlaster, and if this subkey deletion resulted in no subkeys left then the parent key (which is *under* the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ level) would also get deleted.

    The "cleanup" when disabling the "Restricted Sites ..." option within SpywareBlaster is sloppy.
     
  4. stein

    stein Registered Member

    Joined:
    Nov 18, 2005
    Posts:
    26
    Location:
    Scandinavia
    I concentrated on the 4 long addresses: american-teens.net, dulcineasystems.net, gratisdownloads.nl, picture-posters.com.

    I found these 4 sites in the Registry, but I did not find them in SpywareBlaster's list....It's hard to see how SpywareBlaster could have added them when they are not mentioned on SpywareBlaster's list.

    Maybe SpyBot SD (which I have running as well) has added them? I don't know.

    My findings indicate that all Registry entries having a sub-domain are not the work of SpywareBlaster. In fact it seems that SpywareBlaster never enters sub-domains (but I have not fully verified this).

    Both 777search.com and 777top.com exist with sub-domains in my Registry. SpywareBlaster is able to remove (and add) the main key but not the key in the sub-domain. It looks like SpywareBlaster understands someone else "owns" the sub-domain entry, and removes only what SpywareBlaster itself is able to add.
    If I manually delete these 2 sub-domains, SpywareBlaster is never able to bring them (the sub-domains) back, it only refreshes the main entries. But SpywareBlaster will completely remove the 2 Registry keys when unchecked in SpywareBlaster's Restricted Sites list.

    Regards, Stein
     
    Last edited by a moderator: Dec 7, 2005
  5. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    As mentioned above....those items are the Domains and it is the Sub-Domains of those particular Domains that Spywareblaster is providing the protection for. You will only see sites Spywareblaster protects when doing a search in Spywareblaster and in this case it is the Sub-Domains you would search for.

    hot-cartoon-sex.anime.american-teens.net
    careers.dulcineasystems.net
    casino.com.free.game.pogo.gratisdownloads.nl
    travel.picture-posters.com
     
  6. stein

    stein Registered Member

    Joined:
    Nov 18, 2005
    Posts:
    26
    Location:
    Scandinavia
    Thanks Bubba,
    I found them now.
    So there are a few sub-domain entries after all, contrary to what I thought I observed.
    And SB can't remove the main entry, just the sub-domain. SB handles only the sub-domain key and thinks it did not create the main key.

    Stein
     
  7. Vanguard

    Vanguard Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    69
    That's why I mentioned a possible algorithm that SpywareBlaster should use when the "Restricted Sites" option in it is disabled. If in removing the subdomains SpywareBlaster ends up leaving a domain completely void of any subdomains then it should also remove the parent domain; i.e., it should walk up from the child subkeys up through the parent keys until it hits the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ key (whereupon it does no further deletions). If SpywareBlaster deletes all its own subdomains but some still remain then it should not delete the parent key (something else added the child key). Since the list may change and because old entries may not be in the newest list used by SpywareBlaster, I suggested adding another data item within each domain or subdomain key that says the key was added by SpywareBlaster and it uses that to trigger as to which keys it removes. It could still give preference to its current bad sites list when removing the keys but also check if any left were those it added before.

    Most users do not appreciate sloppy uninstall programs that leave behind remnant files and registry keys. They figured they uninstalled the program so it should actually be uninstalled. Same for when disabling an option within SpywareBlaster: it should remove ALL of its own entries in the registry regarding that particular option. The problem is that SpywareBlaster will not only leave behind domains which are not in any security zone but it might also leave behind domains or subdomains that are no longer in its "bad" list.

    If the author doesn't want to go through all the trouble of figuring out the algorithm in code to perform an elegant cleanup then just add an option in SpywareBlaster that deletes all subkeys under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ so the user doesn't have to go into the registry to do the cleanup themselves. Yeah, it would step on any entries added by some other process or user but a warning would tell the user about that. That could be implemented in the next interim release to give the author time to write the code to do the more elegant cleanup (i.e., provide a workaround until the solution is ready).
     
  8. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Just as a suggestion for you and anyone else interested....there is a neat little program that has come out that is very useful in cleaning up, manipulating, backing up one's Trusted or Restricted Sites. It's very useful for those that use multiple programs such as IE-Spyad, Spybot, Spywareblaster in regards to Restricted Site entries.

    This program---> Zoned Out Version 2.2
     
  9. Vanguard

    Vanguard Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    69
    But it appears that ZonedOut does the same thing as SpywareBlaster in that it will only list the subdomains if there are any. That is, like SpywareBlaster, it shows the domains if there are no subdomains or, if there are subdomains, only shows the subdomains and not the domains. You end up deleting the subdomains but leave behind the domains (which are not assigned to any security zone). You'll end up still having to go into the registry to delete the parent domains once their subdomains have been removed.

    The only remaining advantage to ZonedOut is that it lets you search through the list. This can be handy when you enter a site but only want to temporarily test its operation in a particular security zone. Then when you want to remove it from the sites list for that security zone, you can search on it instead of having to scroll through a long list looking for it.

    Have you tested if ZonedOut also deletes the parent domain registry key when all of its child domain registry keys have been deleted (i.e., when deleting subdomains results in leaving none behind, does ZonedOut also delete the domain)?
     
  10. toadbee

    toadbee Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    123
    I can confirm this behavior, and you are absolutely correct on all counts.

    In order to clean it up, you have to apply protection for all in spywareblaster, then use the "remove all" function in ZonedOut.
     
  11. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    There are a number of useful things about ZonedOut....one being a very easy way to compare databases of other programs that add sites to the Restricted Zone. Check it out further....you might find other useful ways to use it ;)
    That is no different than what you would see if you manually added sites yourself to Internet Explorer. You only see entries that you added. If it was a sub-domain entry that's all you would see. You wouldn't see the domain entry also
    My own experience with ZonedOut has been as Toadbee said....if you select Remove All in ZonedOut....I can confirm it definitely deletes all entries.

    Except in the case of Spybot entries....it removes ALL entries including those in one's Trusted Zone....but that's another topic and a Spybot problem not a ZonedOut problem :rolleyes:
     
  12. Vanguard,

    If you absolutely want to delete all of it, then go to this site and download DelDomains.inf (Be aware that anything in your trusted zone will be gone as well).
    http://www.mvps.org/winhelp2002/restricted.htm

    Quote from site:
    To remove all the sites listed in the Restricted Zone

    Download: DelDomains.inf - Right-click and select: Save Target As
    To use: right-click and select: Install (no need to restart)
    Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

    Microsoft decided to group both Zones into the same registry key [duh!]
    To remove individual entries: Click "Sites", highlight the entry - Click Remove.

    HTH,
    VV
     
  13. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    Hi,

    In a few cases, that you mentioned, SpywareBlaster will only delete the subdomain key and value, and not the (empty) main domain key (when disabling protection).

    The leftover empty key doesn't cause any problems - it just doesn't do any good either. (i.e. It's useless.) So it really isn't anything to worry about.

    However I will look into this for the next release.

    If you right-click on the Block List, there are "Select All" and "Deselect All" options (among many other tools, like Find/Find Next).

    Best regards,

    -Javacool
     
  14. Vanguard

    Vanguard Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    69
    I was thinking of writing a .reg file (or the suggestion of using an .inf file) but the problem there is that the deletion is not dependent on the hexadecimal value used to specify the security zone to which the domain belongs. I'd lose all my trusted domains, too, and I don't want to then also manage yet another .reg or .inf file that lists my trusted sites to put them back after deleting all domains from all security zones.

    I'd only want to delete those domains that are in the Restricted Sites zone (i.e., those that have the "*" default data item with a value of "4"). I'll have to check out ZonedOut to see if it gives me the management needed to clean up these registry keys.

    Thanks for that info. I was trying to use Ctrl+A, Ctrl+mouseclick, and Shift+mouseclick to select all or ranges of domains to remove but those Windows methods don't work in SpywareBlaster. I didn't think of trying a context menu mechanism.
     
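The cleanup asked for in posts 7 and 14 above (remove only Restricted Sites entries, then remove any parent key left empty, stopping at the Domains key), as an added example that is not part of the thread and is not SpywareBlaster or ZonedOut code. The function names and the `-Apply` switch are hypothetical, and the sketch goes slightly beyond the posts by removing every DWORD value equal to 4 (protocol-specific ones as well as `*`). It uses the .NET registry API because the PowerShell registry cmdlets treat a value name of `*` as a wildcard.

```powershell
# Added example. Dry run by default: prints what would be removed and changes nothing.
$DomainsPath    = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$RestrictedZone = 4   # zone number the thread gives for Restricted Sites

function Remove-RestrictedEntry {
    # Returns $true when $Key holds (or, in a dry run, would hold) no values and no subkeys.
    param(
        [Parameter(Mandatory)] [Microsoft.Win32.RegistryKey] $Key,
        [switch] $Apply
    )
    # Children first, so a parent is judged only after its subdomains are handled.
    $keptSubKeys = 0
    foreach ($name in $Key.GetSubKeyNames()) {
        $child = $Key.OpenSubKey($name, $true)
        try     { $childEmpty = Remove-RestrictedEntry -Key $child -Apply:$Apply }
        finally { $child.Close() }
        if ($childEmpty) {
            Write-Host "remove key   $($Key.Name)\$name"
            if ($Apply) { $Key.DeleteSubKey($name) }
        } else {
            $keptSubKeys++          # something else (e.g. a Trusted entry) lives here
        }
    }
    # Drop only values that map to zone 4; Trusted (2) and other zones are kept.
    $keptValues = 0
    foreach ($valueName in $Key.GetValueNames()) {
        $isRestricted =
            $Key.GetValueKind($valueName) -eq [Microsoft.Win32.RegistryValueKind]::DWord -and
            $Key.GetValue($valueName) -eq $RestrictedZone
        if ($isRestricted) {
            Write-Host "remove value $($Key.Name) [$valueName]"
            if ($Apply) { $Key.DeleteValue($valueName) }
        } else {
            $keptValues++
        }
    }
    return ($keptSubKeys -eq 0 -and $keptValues -eq 0)
}

function Clear-RestrictedSites {
    param([switch] $Apply)
    $root = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($DomainsPath, $true)
    if ($null -eq $root) { Write-Host 'Domains key not found'; return }
    # The result for the root is discarded: the Domains key itself is never deleted.
    try     { $null = Remove-RestrictedEntry -Key $root -Apply:$Apply }
    finally { $root.Close() }
}

Clear-RestrictedSites            # dry run: list what would go
# Clear-RestrictedSites -Apply   # perform the deletions
```

Keys that were already dataless and childless before the run are pruned along with the rest, since they are assigned to no zone.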
  15. Vanguard

    Vanguard Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    69
    Oh oh, looks like a nasty waiting in ZonedOut. Their web page says:
    Since Spybot's Immunize function does the same thing as SpywareBlaster by adding registry keys for the domains with "4" for the default data item's value which puts them in the Restricted Sites zone, it looks like ZonedOut would have the same defect when using SpywareBlaster to add those registry keys.
     
    Last edited by a moderator: Dec 9, 2005
  16. toadbee

    toadbee Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    123
    No Sir - as far as I can tell ZonedOut Plays well with SpywareBlaster. In so far as Spybot search and destroy, I've emailed them twice about "illegal" entries they force into the registry old school - and have heard nothing back from them. By illegal - I mean entries that are not acceptable as far as IE is concerned, and IE is controlling the game on Zones.
    Your beef there IS with SSD.
     
  17. Peeved McAfee User

    Peeved McAfee User Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    76
    toadbee:

    Can you explain why you think entries that Spybot is adding to the registry are:

    Can you also cite specific examples?
     
  18. toadbee

    toadbee Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    123
    Sorry Peeved Guy - I missed your post here:

    Here are a few - the last I tinkered with SSD among others were
    "satisf*cktion.net
    needf*cknow.com
    free-f*cking-video.com
    f*cknicepics.com
    f*ckdenniss.com
    coolwwwsearch.
    coolwebsearch."

    Yes, with the wildcards (asterisks) just as you see them there. Try to add them via the IE interface and you'll be told it's an invalid wildcard sequence.
     
  19. Peeved McAfee User

    Peeved McAfee User Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    76
    toadbee:

    Thanks!

    Peeved McAfee User
     