SpyBot beta-includes 21 Nov: maybe FP SearchSquire

Discussion in 'other anti-malware software' started by FanJ, Nov 22, 2003.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Also posted at the SpyBot S&D forum at Netintegration.

    Maybe there is a false positive by SpyBot (I use version 1.2) with the beta-includes def's from 21 Nov 2003.

    It found this key:

    SearchSquire: Domain settings (Register sleutel, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchsquire.com

    Looking at the key, it is:

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchsquire.com]
    "*"=dword:00000004

    I have the feeling this key is coming from IE-SPYAD, but looking at ie-ads.reg I see:

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchsquire.com]
    "*"=dword:00000004

    So the keys are almost the same, except for this difference:
    [HKEY_USERS
    [HKEY_CURRENT_USER

    I have to admit that I don't know whether the first key is nevertheless coming from IE-SPYAD.

    If someone could tell me that: please ;)

    PS: system is Windows 98 SE Dutch.
     
  2. FanJ

    FanJ Guest

    The thread is at the SpyBot-forum at Net-Integration, section SpyBotS&D beta, thread Beta detections 11/21.

    It is reported by another user (with IE-SPYAD) too.
     
  3. FanJ

    FanJ Guest

    and more reports at the thread there "False scan result, SEARCHSQUIRE.COM".

    So, let's wait till Pepi has the opportunity to look at this.
     
  4. Detox

    Detox Retired Moderator

    Joined: Feb 9, 2002; Posts: 8,507; Location: Texas, USA

    hmm, come to think of it, I didn't install IE-spyad after my last OS reinstall.

    Regardless, I've nothing but confidence that Pepi will fix it all up ;)
     
  5. FanJ

    FanJ Guest

    I agree, Detox ! ;)
     
  6. eburger68

    eburger68 Privacy Expert

    Joined: Mar 4, 2002; Posts: 244

    FanJ:

    I don't know where that HKEY_USERS\.DEFAULT searchsquire.com value is coming from. It shouldn't be coming from IE-SPYAD; IE-SPYAD adds all of its new entries to HKEY_CURRENT_USER.

    One thing to check: open RegEdit and go to the following location:

    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\

    Export the entire key and let us know what other values are in there, if any.

    Best,

    Eric L. Howes
     
  7. FanJ

    FanJ Guest

    Hi Eric,

    First of all: thanks for answering !!!

    I have a huge list of entries in :
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

    I still have to decide whether that list is the same as in:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

    At the moment I don't know what is causing this.
    Maybe it is better to give you my private email-addy.
    I will send you an IM, so we could talk about it further via email.

    Best regards, Jan.
     
  8. FanJ

    FanJ Guest

    Hi Eric and others who are interested,

    I exported both reg-keys to a reg-file.
    Then I opened both in Wordpad and saved them as text files.

    To give you an idea, I give the first entries of both:

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
    @=""
    "*"=dword:00000004

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
    @=""
    "*"=dword:00000004

    In both text documents I deleted the first parts of the entries:
    [HKEY_CURRENT_USER\
    [HKEY_USERS\.DEFAULT\

    So in the above example I got this:
    Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
    @=""
    "*"=dword:00000004


    Then I saved the text files.
    Both files have now exactly the same size.
    Then I compared both text files using the comparing tool BeyondCompare.
    Both were exactly the same.
    Conclusion:
    For some reason I have the same reg-entries stored in two different registry places.



    I thought that others might be also interested; that's why I posted this.

    Hi Eric,
    Thanks for your email !!!
    Further now via email.
    I'll reply in a few minutes with the attached ZIP.
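
The manual comparison described in the post above (export both keys, drop the hive prefix, diff the rest) can be scripted. This is an added example, not part of the original thread; the sample exports and the `.invalid` domain names are constructed, and the function names are illustrative.

```python
import re

# Hive prefixes that the post deletes before comparing the two exports.
ROOTS = ("HKEY_USERS\\.DEFAULT\\", "HKEY_CURRENT_USER\\")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
ZONEMAP = ("Software\\Microsoft\\Windows\\CurrentVersion\\"
           "Internet Settings\\ZoneMap\\Domains")

def parse_reg(text):
    """Parse a REGEDIT4 export into {hive-relative key: {value name: data}}.
    Handles the single-line values ZoneMap uses (no hex continuations)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            for root in ROOTS:
                if path.upper().startswith(root.upper()):
                    path = path[len(root):]
                    break
            # Key names are case-insensitive in the registry.
            current = keys.setdefault(path.lower(), {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                current[m.group(1).strip('"').lower()] = m.group(2).strip()
    return keys

def compare(a_text, b_text):
    """Return (keys only in a, keys only in b, shared keys whose values differ)."""
    a, b = parse_reg(a_text), parse_reg(b_text)
    changed = sorted(k for k in a.keys() & b.keys() if a[k] != b[k])
    return sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys()), changed

# Constructed sample exports (not the poster's data); *.invalid names are made up.
# dword 4 maps a domain to the Restricted Sites zone.
HKCU_EXPORT = f'''REGEDIT4

[HKEY_CURRENT_USER\\{ZONEMAP}\\searchsquire.com]
"*"=dword:00000004
'''
DEFAULT_EXPORT = (
    HKCU_EXPORT.replace("HKEY_CURRENT_USER", "HKEY_USERS\\.DEFAULT")
    + f'\n[HKEY_USERS\\.DEFAULT\\{ZONEMAP}\\extra.invalid]\n"*"=dword:00000004\n')

if __name__ == "__main__":
    print(compare(HKCU_EXPORT, DEFAULT_EXPORT))
```

Three empty lists mean the two locations hold identical entries, which is the result the post reports; anything listed under only one hive is an entry worth tracing to whatever wrote it.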
     
  9. eburger68

    eburger68 Privacy Expert

    Joined: Mar 4, 2002; Posts: 244

    Hi All:

    I've been doing some testing with IE-SPYAD to figure out why IE-SPYAD's entries were being added to this location:

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]

    ...in addition to the default location:

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]

    The short answer is: that's the way Win9x behaves, and there's not much I can do about it.

    See this thread at DSLR/BBR for a more complete discussion:

    http://www.dslreports.com/forum/remark,8600137~root=security,1~mode=flat


    Best,

    Eric L. Howes
     
  10. FanJ

    FanJ Guest

    Hi Eric,

    I sincerely apologize to you !
    I promised you to do some testing.
    Due to personal circumstances I simply didn't have the energy to do more than only a few postings.
    I know that I failed.
    And I also promised someone else to do some (completely other) testing, awhile back. And I didn't do that either.
    It's me and only me who is to blame here :oops: :'(

    Please accept my apologies !

    Best regards, Jan.
     