Thread: Registry changes

  1. #1
    Junior Member
    Join Date
    Aug 2010
    Posts
    3

    Registry changes

    I am running Windows 7 home premium 64 bit and used Spybot to immunize.
    In my registry I find under "ZoneMap" 2 folders I am worried about because they contain all sorts of bad domain names.

    The "Domains" subfolder I understand is placed there by Spybot's immunization tool. But the "EscDomains" is not mentioned in Spybot's documentation and seems to contain the same domains to make them escape the above protection!

    Indeed, when I do nslookup for 007Guard.com I get the following results:

    C:\Users\JSM>nslookup 007guard.com
    Server: UnKnown
    Address: 192.168.1.1
    Non-authoritative answer:
    Name: 007guard.com
    Addresses: 208.72.2.179
    208.72.2.180
    208.72.2.186
    208.72.2.187
    208.75.252.106
    208.75.252.107
    208.75.252.108
    208.65.130.26
    208.65.130.27
    208.72.2.18
    208.72.2.19
    208.72.2.20
    208.72.2.178
    So even though 007Guard.com is the very first listed in both the hosts file and Spybot's registry entries, things seem to be getting through and the hosts file is being bypassed somehow.

    Can someone explain please?

  2. #2
    Senior Member
    Join Date
    May 2009
    Posts
    236

    What you are seeing in the registry is the immunizations for the Restricted Zone of Internet Explorer placed there by SpyBot Search & Destroy.

    Right click on the Internet Explorer icon, select Properties. Click on the Security tab, select Restricted sites and then click on the Sites button. You will see the same domains you just listed.

  3. #3
    Junior Member
    Join Date
    Aug 2010
    Posts
    3

    Thank you for responding.

    I can understand the list in the subfolder "ZoneMap\Domains" is that. But what about the same list in "ZoneMap\EscDomains"? My reading suggests that EscDomains is designed to make the included domains escape blocking. Did I perhaps misunderstand?

    Also, how to explain the nslookup results?

    Thanks.

  4. #4
    Senior Member
    Join Date
    May 2009
    Posts
    236

    Does your hosts file have as its first entry
    127.0.0.1 localhost

    Mine does and when I do an NSLookUp on 007Guard.com all I get is
    Hostname: 007guard.com
    IP Address: 127.0.0.1

    127.0.0.1 007guard.com line is in my hosts file as well, placed there by SpyBot Search & Destroy immunization. If these lines aren't in your hosts file, that explains your nslookup results. Also, Address: 192.168.1.1 indicates that you may not have localhost set to 127.0.0.1.

    Enhanced Security Configuration (ESC) is not what you think it is. See

    Internet Explorer security zones registry entries for advanced users

    Enhanced Security Configuration for Internet Explorer
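The zone a ZoneMap entry assigns can be read straight from its registry value: under both `ZoneMap\Domains` and `ZoneMap\EscDomains` each domain key holds a protocol-named DWORD whose data is the zone number, and 4 is Restricted sites. The following is an added example, not code from the thread; it parses a constructed `reg export` sample, and the function names and `example.test` entry are hypothetical.

```python
import re

# Zone numbers used by Internet Explorer's URL security zones.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Constructed sample in .reg text form (not taken from the poster's machine).
# A real export is usually UTF-16; open it with encoding="utf-16".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\007guard.com]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\007guard.com]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test\www]
"https"=dword:00000002
'''

KEY_RE = re.compile(r'^\[.*\\ZoneMap\\(Domains|EscDomains)\\(.+)\]$', re.I)
VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def zone_assignments(reg_text):
    """Return [(subkey, host, protocol, zone_name)] from .reg export text."""
    rows, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            # Keys nest as domain\subdomain; rebuild "subdomain.domain".
            parts = m.group(2).split("\\")
            current = (m.group(1), ".".join(reversed(parts)).lower())
            continue
        if line.startswith("["):
            current = None  # some other key: ignore its values
            continue
        v = VAL_RE.match(line)
        if v and current:
            zone = int(v.group(2), 16)
            rows.append((*current, v.group(1), ZONES.get(zone, f"unknown ({zone})")))
    return rows

def not_restricted(rows, host):
    """True if any entry maps `host` to a zone other than Restricted sites."""
    return any(h == host and z != "Restricted sites" for _, h, _, z in rows)
```

An `EscDomains` entry with data 4 therefore restricts the domain in the same way as the matching `Domains` entry.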

  5. #5
    Junior Member
    Join Date
    Aug 2010
    Posts
    3

    It did not. Spybot must have commented it out. But I uncommented it and now it does have 127.0.0.1 localhost as its first uncommented entry. I even rebooted and still got the same nslookup which is my concern.

  6. #6
    Senior Member
    Join Date
    May 2009
    Posts
    236

    SpyBot will not remove the localhost entry. It must be above this line. Did you restart Windows after adding the localhost line?

    # Start of entries inserted by Spybot - Search & Destroy

    You may have malware on your system already. What other security software do you have installed and running? What such software was installed and then removed?

  7. #7
    Spybot Advisor Team: Zenobia
    Join Date
    Oct 2005
    Posts
    5,484

    Apparently, it's normal on Windows 7 for the 127.0.0.1 localhost entry in the hosts file to be commented out.
    http://serverfault.com/questions/468...dns-itself-why

  8. #8
    Senior Member
    Join Date
    May 2009
    Posts
    236

    Originally posted by Zenobia:
        Apparently, it's normal on Windows 7 for the 127.0.0.1 localhost entry in the hosts file to be commented out.
        http://serverfault.com/questions/468...dns-itself-why

    So, Windows 7 is itself commenting out the localhost entry? Is this what is causing the NsLookUp results that Anderson2 is seeing? FWIW, I'm still running WinXP Pro SP3 and have little exposure to Win7.

    @Anderson2,

    What does a TraceRoute to 007guard.com result in?

  9. #9
    Spybot Advisor Team: Zenobia
    Join Date
    Oct 2005
    Posts
    5,484

    Same here, I haven't had much time on a Windows 7 computer, so sometimes things get a bit perplexing to me about them.

    But, yes, apparently, from what I gathered, it is normal for the 127.0.0.1 localhost entry to be commented out in Windows 7.
    "Is this what is causing the NsLookUp results that Anderson2 is seeing?"
    Yes, I believe so. There's a thread here, though netstat was being used, not nslookup:
    http://forums.spybot.info/showthread.php?t=20443
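
nslookup sends its query to the DNS server shown in its output and does not read the hosts file, so whether an immunization entry is active has to be checked against the file itself. The following is an added example, not code from the thread: it parses a constructed hosts file modelled on the one discussed (Windows 7 default with the localhost lines commented out, then Spybot's block) and reports which names have an active sinkhole entry; the function names and `example.test` hosts are hypothetical.

```python
import ipaddress

# Constructed sample hosts file (not the poster's actual file).
SAMPLE_HOSTS = """\
#   127.0.0.1       localhost
#   ::1             localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1   www.007guard.com
127.0.0.1   007guard.com   # constructed trailing comment
#127.0.0.1  disabled.example.test
0.0.0.0 sink.example.test alias.example.test
"""

def parse_hosts(text):
    """Map each active hostname (lower-cased) to its address.

    Keeps the first mapping seen for a name.
    """
    table = {}
    for raw in text.splitlines():
        # Drop comments, whether they fill the line or trail an entry.
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address: skip the line
        # One line may carry several names for the same address.
        for name in fields[1:]:
            table.setdefault(name.lower(), addr)
    return table

def is_sinkholed(table, host):
    """True if `host` has an active entry pointing at loopback or 0.0.0.0."""
    addr = table.get(host.lower())
    return addr is not None and (addr.is_loopback or addr.is_unspecified)

def audit(text, hosts):
    """Return {host: has an active sinkhole entry} for each requested host."""
    table = parse_hosts(text)
    return {h: is_sinkholed(table, h) for h in hosts}
```

On Windows the file to pass in is `%SystemRoot%\System32\drivers\etc\hosts`; a name-resolution test with `ping`, which does consult the hosts file, complements the file check.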
