Greyfox
2008-11-06, 07:41
SpybotSD’s immunisation process (as at 1.6.1.33 and Detection updates 22/10/08) places registry entries in the 10 locations listed below. If starting from scratch with 0 entries present in these areas, when it immunises it puts 9353 entries in each. When it un-immunises (undo), it does not completely clear out all of these entries, leaving the same 46 entries in each location.
At some stage in the past, on two PCs checked, the immunisation process appears to have also placed some additional entries, which are no longer in the 22/10/08 immunisation set, in the same locations, and these are also not removed by the present Undo.
The 10 locations are:-
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMaps\Domains (Puts in 9353 entries – leaves 46 + 65 from previous = total 111)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMaps\EscDomains (Puts in 9353 entries – leaves 46 + 19 from previous = total 65)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMaps\Domains (Puts in 9353 entries – leaves 46 + 64 from previous = total 110)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMaps\EscDomains (Puts in 9353 entries – leaves 46 + 17 from previous = total 63)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMaps\Domains (Puts in 9353 entries – leaves 46 + 65 from previous = total 111)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMaps\EscDomains (Puts in 9353 entries – leaves 46 + 67 from previous = total 63)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMaps\Domains (Puts in 9353 entries – leaves 46 + 65 from previous = total 111)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMaps\EscDomains (Puts in 9353 entries – leaves 46 + 17 from previous = total 63)
HKEY_USERS\S-1-5-21-“Big number”\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMaps\Domains (Puts in 9353 entries – leaves 46 + 65 from previous = total 111)
HKEY_USERS\S-1-5-21-“Big number”\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMaps\EscDomains (Puts in 9353 entries – leaves 46 + 19 from previous = total 65)
In addition, at some previous stage the immunisation process appears to have also placed a large number of entries (7,910) in two additional locations. The current process does not now put entries in these locations, nor does the present Undo remove them. These two locations are:-
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMaps\Domains (Entries left 7,910)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMaps\Domains (Entries left 7,910)
None of the above entries (beyond those that are removed by the Undo) are removed when/if SpybotSD is installed, even if the SpybotSD registry cleanup is run.
The above has been posted merely as an observation.
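One way to reproduce the per-location counts reported above, as an added example that is not part of the original post: snapshot the subkey names under each Domains and EscDomains key, then list what a later snapshot still holds that the first did not. The function names are hypothetical, and the key path is written as `Internet Settings\ZoneMap`, the spelling Windows uses for this key, which is an assumption relative to the paths as typed in the post.

```powershell
# Added example. Run in an elevated PowerShell 5+ session.
# Function names are hypothetical; the key path is an assumption (see lead-in).
$sub = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

function Get-ZoneMapSnapshot {
    # HKLM plus every loaded user hive. HKCU is the logged-on user's
    # HKEY_USERS\S-1-5-21-... hive, so the enumeration already covers it.
    $roots = @('Registry::HKEY_LOCAL_MACHINE')
    $roots += Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { "Registry::$($_.Name)" }
    foreach ($root in $roots) {
        foreach ($leaf in 'Domains', 'EscDomains') {
            $key = Get-Item -LiteralPath "$root\$sub\$leaf" -ErrorAction SilentlyContinue
            if ($key) {
                # One record per location: full path and its direct subkey names
                [pscustomobject]@{ Path = $key.Name; Names = $key.GetSubKeyNames() }
            }
        }
    }
}

function Compare-ZoneMapSnapshot {
    param($Before, $After)
    foreach ($a in $After) {
        [string[]]$old = @()          # location absent before => zero entries
        $b = $Before | Where-Object { $_.Path -eq $a.Path }
        if ($b) { $old = $b.Names }
        # Registry key names are case-insensitive
        $seen = [System.Collections.Generic.HashSet[string]]::new(
            $old, [System.StringComparer]::OrdinalIgnoreCase)
        $new = @($a.Names | Where-Object { -not $seen.Contains($_) })
        [pscustomobject]@{
            Path     = $a.Path
            Before   = $old.Count
            After    = @($a.Names).Count
            Leftover = $new.Count     # present now, not present in the first snapshot
            Examples = ($new | Select-Object -First 3) -join ', '
        }
    }
}

# Usage, keeping the same session open across the Spybot steps:
#   $before = Get-ZoneMapSnapshot            # before Immunise
#   ... Immunise, then Undo ...
#   Compare-ZoneMapSnapshot $before (Get-ZoneMapSnapshot) | Format-Table -AutoSize
```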