SpyBot beta-includes 21 Nov: maybe FP SearchSquire

Also posted at the SpyBot S&D forum at Netintegration.

Maybe there is a false positive by SpyBot (I use version 1.2) with the beta-includes def's from 21 Nov 2003.

It found this key:

SearchSquire: Domain settings (Register sleutel, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchsquire.com

Looking at the key, it is:

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchsquire.com]
"*"=dword:00000004

I have the feeling this key is coming from IE-SPYAD, but looking at ie-ads.reg I see:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchsquire.com]
"*"=dword:00000004

So the keys are almost the same, except for this difference:
[HKEY_USERS
[HKEY_CURRENT_USER

I have to admit that I don't know whether the first key is nevertheless coming from IE-SPYAD.

If someone could tell me that: please

PS: system is Windows 98 SE Dutch.

 

The thread is at the SpyBot-forum at Net-Integration, section SpyBotS&D beta, thread Beta detections 11/21.

It is reported by another user (with IE-SPYAD) too.

 

and more reports at the thread there "False scan result, SEARCHSQUIRE.COM".

So, let's wait till Pepi has the opportunity to look at this.

 

hmm, come to think of it, I didn't install IE-spyad after my last OS reinstall.

Regardless, I've nothing but confidence that Pepi will fix it all up

 

I agree, Detox !

 

FanJ:

I don't know where that HKEY_USERS\.DEFAULT searchsquire.com value is coming from. It shouldn't be coming from IE-SPYAD; IE-SPYAD adds all of its new entries to HKEY_CURRENT_USER .

One thing to check: open RegEdit and go to the the following location:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\

Export the entire key and let us know what other values are in there, if any.

Best,

Eric L. Howes

 

Hi Eric,

First of all: thanks for answering !!!

I have a huge list of entries in :
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

I still have to decide whether that list is the same as in:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

At the moment I don't know what is causing this.
Maybe it is better to give you my private email-addy.
I will send you an IM, so we could talk about it further via email.

Best regards, Jan.

 

Hi Eric and others who are interested,

I exported both reg-keys to a reg-file.
Then I opened both in Wordpad and saved them as text file.

To give you an idea, I give the first entries of both:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
@=""
"*"=dword:00000004

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
@=""
"*"=dword:00000004

In both text documents I deleted the first parts of the entries:
[HKEY_CURRENT_USER\
[HKEY_USERS\.DEFAULT\

So in above example I got this:
Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
@=""
"*"=dword:00000004


Then I saved the text files.
Both files have now exactly the same size.
Then I compared both text files using the comparing tool BeyondCompare.
Both were exactly the same.
Conclusion:
For some reason I have the same reg-entries stored in two different registry places.


[hr]

I thought that others might be also interested; that's why I posted this.

Hi Eric,
Thanks for your email !!!
Further now via email.
I'll reply in a few minutes with the attached ZIP.

 

Hi All:

I've been doing some testing withe IE-SPYAD to figure out why IE-SPYAD's entries were being added to this location:

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]

...in addition to the default location:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]

The short answer is: that's the way Win9x behaves, and there's not much I can do about it.

See this thread at DSLR/BBR for a more complete discussion:

http://www.dslreports.com/forum/remark,8600137~root=security,1~mode=flat


Best,

Eric L. Howes

 

Hi Eric,

I sincerely apologize to you !
I promised you to do some testing.
Due to personal circumstances I simply didn't have the energy to do more than only a few postings.
I know that I failed.
And I also promised someone else to do some (completely other) testing, awhile back. And I didn't do that either.
It's me and only me who is to blame here

Please accept my apologies !

Best regards, Jan.