FPs generated from IE-SPYAD Zone Settings



Crystal Sky
2005-12-23, 16:08
Re: FPs Spybot - Search & Destroy version: 1.4 (build: 20050523)

Hello,

I understand there are certain conflicts between Spybot S&D and IE-SPYAD.

Does this include the following entries added by IE-SPYAD in
HKEY_USERS\S-1-5-21-1220945662-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains? As you can see, they are in the Restricted Zone:

--- Search result list ---
CoolWWWSearch.BadZoneMap: Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1220945662-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clickspring.net\*!=W=4

CoolWWWSearch.BadZoneMap: Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1220945662-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\my-internet.info\*!=W=4

XXSWare Inc.: Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1220945662-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxsware.com\*!=W=4

Smitfraud-C.: Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1220945662-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\asdbiz.biz\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1220945662-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cc20foreva.com\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1220945662-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\datingforlove.org\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1220945662-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\e-finder.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1220945662-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\fast-look.com\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1220945662-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\fuck-fuck.org\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1220945662-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\letgohome.com\*!=W=4

Spy Sheriff: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1220945662-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\porn-host.org\*!=W=4

Thank you in advance.

Crystal Sky

Rosenfeld
2005-12-23, 21:21
The ! in *!W=4 means that the data of the DWord * is not =4, which is the expected value to place them in the restricted zone, i.e. they are not in the restricted zone according to Spybot. Have you checked in the registry and in IE Spyad?
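
The notation explained in the reply above, as an added example that is not part of the original thread and is not Spybot or IE-SPYAD code: a small parser that reads result lines in this layout and reports which ZoneMap values are flagged as not holding the expected zone. The line layout, the meaning of "W" and the "=" form are assumptions inferred from this thread; the SID and domains in the sample are constructed placeholders.

```python
import re
from collections import namedtuple

# Internet Explorer security zone numbers as stored under ZoneMap.
ZONES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

# Assumed shape of a result line, inferred from the log in this thread:
#   <hive>\<SID>\...\ZoneMap\Domains\<domain>\<value name><op>W=<data>
# "W" is taken to mean a DWORD value, following the reply above.
# Only "!=" appears in the thread; accepting "=" as well is an assumption.
LINE = re.compile(
    r"^(?P<hive>HKEY_[A-Z_]+)\\(?:(?P<sid>S-[\d-]+)\\)?.*?"
    r"\\ZoneMap\\Domains\\(?P<domain>[^\\]+)\\"
    r"(?P<value>[^\\!=]+)(?P<op>!=|=)W=(?P<data>\d+)$")

# mismatch is True when the line says the data is NOT the expected value.
Finding = namedtuple("Finding", "detection sid domain value mismatch expected_zone")


def parse_results(text):
    """Pair each detection header with the registry line that follows it."""
    findings, detection = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE.match(line)
        if m:
            zone = ZONES.get(int(m["data"]), "unknown")
            findings.append(Finding(detection, m["sid"] or "", m["domain"],
                                    m["value"], m["op"] == "!=", zone))
        elif ":" in line:
            detection = line.split(":", 1)[0].strip()
    return findings


# Constructed sample in the layout of the scan log (placeholder SID and domains).
SAMPLE = r"""--- Search result list ---
Example.BadZoneMap: Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test\*!=W=4

Example-B.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.invalid\*!=W=4
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.org\*!=W=4
"""

if __name__ == "__main__":
    for f in parse_results(SAMPLE):
        state = "is NOT" if f.mismatch else "is"
        print(f"{f.domain}: '{f.value}' {state} mapped to {f.expected_zone} ({f.detection})")
```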

Crystal Sky
2005-12-24, 08:26
> The ! in *!W=4 means that the data of the DWord * is not =4, which is the expected value to place them in the restricted zone, i.e. they are not in the restricted zone according to Spybot. Have you checked in the registry and in IE Spyad?

Thank you for the clarification. I noted the exclamation point in *!W=4 and was not sure of its validity. The entries in my original post were indeed in the registry as listed by Spybot's scan.

I went through a number of the listings in IE-SPYAD after reading your post, and there were numerous entries with the same Value data *!W=4 in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains and the corresponding HKEY_USERS....etc...\Domains. I uninstalled the previous IE-SPYAD version and loaded the new version (Dec. 20, 2005) and the settings are now correct with none of the original entries listed in the scan. A registry search now revealed the entries in question are nowhere to be found.

Interesting to say the least as I did not let Spybot fix them, and they didn't show up in any other scans. Just finished a new scan with Spybot and received a clean bill this time. Must have been a fluke in IE-SPYAD.

Thank you again.