SpywareBlaster create regedit directories?

Discussion in 'SpywareBlaster & Other Forum' started by flo, Jun 5, 2004.

Thread Status:
Not open for further replies.
  1. flo

    flo Registered Member

    Joined:
    Jun 5, 2004
    Posts:
    5
    Under regedit I come up with hundreds of apparently undesirable sites which, if SpywareBlaster did not create them in their individual directories for the purpose of making them inaccessible, I'd like to delete:

    \HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

    and

    \HKEY_USERS\S-1-5-21-2139998230-118731197-3814514758-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

    Thanks in advance for any assistance
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    Yes, many sites are added to that registry key as a part of the protective settings in SpywareBlaster. That key is where Internet Explorer stores sites that it adds to the various security zones it has available. The entries added by SpywareBlaster will all have a value of "4", which you can see if you click on one of the site names in the left panel in regedit and view the value next to the "*" in the right panel. A value of "4" means the site was added to IE's restricted zone, which is a good way to limit what such sites can do on your computer if you are using IE.
     
  3. flo

    flo Registered Member

    Joined:
    Jun 5, 2004
    Posts:
    5
    Thank you for your very helpful response. I suppose the information is documented somewhere, if I bothered to look. I see the long list and notice that almost all have the asterisk (*) but there are a few that have more. I noticed that upon logging on one of the processes in CTL ALT DEL is Internet Explorer. It comes up and then goes away as a process but it seems to do it without bringing up the browser to the screen. And then I notice immediately www.popuppers.com becomes part of the day's history. Nothing "seems" to come of this other than some probable violation of privacy. Therefore I want to get rid of it. When I look at the long list of taboo sites I notice that just about all have the asterisk and that all seem to have the restricting 4. However, paypop.com not only has the * but a second line that is identical to the * line except that instead of an asterisk it has an http.
    The sites popuppers.com and popuptraffic.com have no * and instead have http.
    I wonder whether I can just edit the http out and put in an asterisk instead, and do no harm?
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    Well, you may have a hijacker on your system if you are getting an invisible IE window that comes and goes all on its own, as you've seen in the task manager. So, the best thing to do is post a HijackThis Log over in the appropriate forum per these instructions:

    https://www.wilderssecurity.com/showthread.php?t=15913

    As to those entries, a bit of explanation about what the "*" is and also why sometimes you might see "http" or "https" in its place, or in addition. In many places in computing an "*" character is used as a wildcard and it generally means "any" item will match a condition. Having a domain name with the value set basically as "*"=4 {aka. * REG_DWORD 0x00000004 (4)} means for any protocol supported by IE, use the Restricted zone for security enforcement. (4 being the restricted zone here).

    Well, having an entry that shows: http REG_DWORD 0x00000004 (4) still means that normal web browser traffic will be treated as a restricted zone site. The important thing is that the value is "4". Other values mean some zone other than the Restricted zone, and that would be a concern.

    However, in looking up these sites, I don't have any entry at all called: paypop.com but I do have one called: paypopup.com and it is normal (meaning just the "*" set to a DWORD value of 4). As for those other two sites, those exist here and are also just "*" lines - no extra lines in that registry key. At this point it would be best probably to just post the log for review and see if you do have some spyware infection.

    Also note that if you have any sites in the IE Trusted zone, those will have a value of 2. If any bad sites have a value of 2, then you may well have been hijacked by something, as well.
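
Added example, not part of the original thread and not SpywareBlaster's own code: a small Python audit of an exported `ZoneMap\Domains` key that reports, per domain, whether it is restricted for all protocols (`*`), only for the listed protocols (the `http`-only case asked about above), or mapped to some other zone such as Trusted (2). The sample export is constructed; `example.test` is a made-up domain, and the function names are hypothetical.

```python
import re

# IE security zone numbers; the thread discusses 2 (Trusted) and 4 (Restricted).
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}
RESTRICTED = 4
KEY_RE = re.compile(r"^\[.+\\ZoneMap\\Domains\\([^\]]+)\]$", re.I)
VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample in .reg export format (not taken from a real system).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\paypopup.com]
"*"=dword:00000004
"http"=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\popuppers.com]
"http"=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test\www]
"*"=dword:00000002
"""

def parse_zonemap(reg_text):
    """Yield (domain, protocol, zone) for each DWORD value under ZoneMap\\Domains."""
    domain = None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            domain = ".".join(reversed(key.group(1).split("\\")))  # Domains\example.com\www -> www.example.com
        elif line.startswith("["):
            domain = None  # a key outside ZoneMap\Domains\<site>; skip its values
        elif domain:
            val = VAL_RE.match(line)
            if val:
                yield domain, val.group(1), int(val.group(2), 16)

def audit(reg_text):
    """Return {domain: status}, flagging any entry that is not in the Restricted zone."""
    entries = {}
    for domain, proto, zone in parse_zonemap(reg_text):
        entries.setdefault(domain, {})[proto] = zone
    report = {}
    for domain, protos in entries.items():
        bad = {p: z for p, z in protos.items() if z != RESTRICTED}
        if bad:
            report[domain] = "NOT restricted: " + ", ".join(f"{p}={ZONES.get(z, z)}" for p, z in sorted(bad.items()))
        elif "*" in protos:
            report[domain] = "restricted (all protocols)"
        else:
            report[domain] = "restricted (" + ", ".join(sorted(protos)) + " only)"
    return report
```

Files written by `reg export` are UTF-16, so decode them with that encoding before passing the text to `audit`.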
     
  5. flo

    flo Registered Member

    Joined:
    Jun 5, 2004
    Posts:
    5
    Thank you once again. I was mistaken about "paypop.com". It should have read "paypopup.com" in addition to "popuppers.com" and "popuptraffic". I will post a copy of the HijackThis log that I ran after a checkup with McAfee antivirus, AdAware, Spybot S&D, as well as Alurias ASEScanner.
     