Immunization - 3 IE (32/64bit) that won't immunize



SnowBum
2008-11-13, 17:11
Hi, I've had a look around at some of the other threads on immunisation but they haven't helped me.


Here's the situation: the PC is a friend's and it was infected with malware. With help from the Malware Forum guys it's pretty much cleaned up now. The thread on this is here:-

http://forums.spybot.info/showthread.php?t=35831

During the clean up process I noticed that in Spybot S&D in the immunization list there are 3 which always remain unprotected. I thought that this may have been a problem with Spybot S&D as during the clean up the PC was behaving oddly and I discovered the PC had a faulty stick of memory. The memory was changed and I uninstalled, redownloaded and reinstalled Spybot S&D but it still comes up with these 3 unprotected.

Here's the areas which they're in:-

Internet Explorer (32/64bit)
.DEFAULT(Domains) - 2 - 9944 - 9946
Administrator (Secure Domains) - 1 - 9945 - 9946


Here's the system-
WinXP Home SP3 - fully updated
AVG Free 8.0.175
Windows Firewalled

Also I have done the PC immunisation in normal (user) mode and in safe mode (administrator) and it makes no difference.

Greyfox
2008-11-14, 06:10
SnowBum,

Have you tried "undoing" the immunisations, then re-immunising?

SnowBum
2008-11-14, 14:59
I hadn't tried undoing the immunizations ... but I have now.

When I undo them I'm left with 8 still protected immunizations:-

Internet Explorer (32/64 bit)
.DEFAULT (Domains) - 9941 - 5 - 9946
.DEFAULT (Secure Domains) - 9944 - 2 - 9946
Administrator (Secure Domains) - 9945 - 1 - 9946



When I immunize again I'm left with the original 3 unprotected.

SnowBum
2008-11-14, 20:57
Do all of these IE immunizations relate to the "hosts" file in:- C:\WINDOWS\system32\drivers\etc ?


Because when I undo all immunizations (and there are 8 left still protected) and I go to look at the "hosts" with notepad this is what it contains:-

127.0.0.1 local host
# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy


I.e. no insertions


But once I have immunized there are a load of 127.0.0.1 entries with domain names after them that are between the "# Start" and "# End" and there's an extra line at the start of the domain names that says:- "# This list is Copyright 2000-2008 Safer Networking Limited"

Greyfox
2008-11-15, 02:33
Do all of these IE immunizations relate to the "hosts" file in:- C:\WINDOWS\system32\drivers\etc

No, the host file immunisation would appear to be working as it should. The Domains and Secure Domains entries you are having trouble with are entries made in the registry. It would appear that there are some existing entries that the present Spybot installation does not have the correct permissions to remove.

Does/did the PC have any other security software that uses immunisation such as SpywareBlaster, or an older version of Spybot?
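As an added example (not part of the thread and not Spybot's code), here is the check a cleanup would make on the hosts file the two posts above discuss: read the file, separate the block between Spybot's "# Start"/"# End" markers from everything else, and flag the two things malware does to a hosts file, namely sending a name to a real address (hijack) or sending an AV/update server to loopback outside the immunisation block. The sample file and every hostname in it are constructed for the demo; the marker lines are quoted from the thread.

```python
import ipaddress

# Marker lines Spybot writes around its hosts-file immunisation block
# (quoted from the thread).
START_MARK = "# Start of entries inserted by Spybot - Search & Destroy"
END_MARK = "# End of entries inserted by Spybot - Search & Destroy"

# Names that legitimately map to loopback outside any immunisation block.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample modelled on the layout the thread describes. Every
# hostname is made up; the 10.0.0.9 line inside the block and the two lines
# after the block show what tampering and hijacking look like.
SAMPLE_HOSTS = """\
127.0.0.1 localhost   # loopback, as shipped
# Start of entries inserted by Spybot - Search & Destroy
# This list is Copyright 2000-2008 Safer Networking Limited
127.0.0.1 www.example-adserver.test
127.0.0.1 example-dialer.test
10.0.0.9 www.example-popup.test
# End of entries inserted by Spybot - Search & Destroy
127.0.0.1 update.example-antivirus.test
10.0.0.5 www.example-bank.test
"""


def parse_hosts(text):
    """Yield (ip, hostname, inside_spybot_block) for each mapping in a hosts file."""
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == START_MARK:
            inside = True
            continue
        if line == END_MARK:
            inside = False
            continue
        line = line.split("#", 1)[0].strip()  # drop comments, incl. the copyright line
        fields = line.split()
        if len(fields) < 2:
            continue  # blank, comment-only or malformed line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address, so not a mapping
        for host in fields[1:]:
            yield ip, host.lower(), inside


def is_blocking_address(ip):
    """Loopback (127.x, ::1) or unspecified (0.0.0.0) makes a name resolve to nowhere useful."""
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text):
    """Classify every mapping relative to Spybot's block.

    immunised : blocking entries inside the marked block (what immunisation adds)
    tampered  : entries inside the block that do NOT block (the block was edited)
    blocked   : names sent to nowhere outside the block (malware does this to
                AV/update servers; verify each one was added on purpose)
    redirected: names sent to a real address outside the block (classic hijack)
    """
    report = {"immunised": 0, "tampered": [], "blocked": [], "redirected": []}
    for ip, host, inside in parse_hosts(text):
        if inside:
            if is_blocking_address(ip):
                report["immunised"] += 1
            else:
                report["tampered"].append((host, str(ip)))
        elif host in LOOPBACK_NAMES:
            continue
        elif is_blocking_address(ip):
            report["blocked"].append(host)
        else:
            report["redirected"].append((host, str(ip)))
    return report


if __name__ == "__main__":
    # Real use: audit_hosts(open(r"C:\WINDOWS\system32\drivers\etc\hosts").read())
    for kind, items in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{kind}: {items}")
```

On a machine that was infected, anything in "redirected" or "blocked" that you did not add yourself is worth removing by hand; the immunisation block itself can be regenerated by undoing and redoing the immunisation, as the thread shows.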

Greyfox
2008-11-15, 04:32
SnowBum,

I have attached a small zip file. If you are comfortable with doing this, please unpack it to anywhere convenient on your C: drive. The zip file contains a single batch file called Report.bat

Before running Report.bat, please undo the immunisations in Spybot so that you are left with the 8 that are not "undoing" in

Internet Explorer (32/64 bit)
.Default (Domains)
.Default (SecureDomains)

Now run Report.bat. It should generate two text files in a new temporary folder C:\TempRep

The two files will be named Domains.txt and EscDomains.txt and these should contain details about the 8 entries that are not being undone. It is only reporting on what is there, it is not intended to change anything.

Please post back with these two files attached. Once you have done this you can delete the temporary folder C:\TempRep

If you are not sure of any part of the above, please ask before proceeding.

Edit: We'll look at the 1 left in the Admin (Secure Domains) later

SnowBum
2008-11-15, 12:31
Does/did the PC have any other security software that uses immunisation such as SpywareBlaster, or an older version of Spybot?
When I received the PC from my workmate it did have a registry cleaner application on it which insisted there were hundreds of registry faults and that it'd be best to spend $$$$$'s to buy their full software. So as I usually do with these types of software I uninstalled the piece of junk. Also there was something called "Paretologic" which claims to be security software; I also uninstalled that.


No, the host file immunisation would appear to be working as it should. The Domains and Secure Domains entries you are having trouble with are entries made in the registry. It would appear that there are some existing entries that the present Spybot installation does not have the correct permissions to remove.

One of the problems that I was having whilst cleaning the PC up from infections (with the help of the guys in the Malware forums, link to thread in first post) was that on every reboot it was saying that the registry was damaged and a backup was being reloaded. I found that there was a stick of faulty memory in the PC which was causing file corruption errors; this memory has now been replaced ... maybe there're errors in the registry. If it comes to editing the registry I have no problems at all doing that, I've done it plenty of times in the past for different reasons and I'm comfortable doing it.


I've attached the 2 files required.

Thanks for your time. :)

Greyfox
2008-11-15, 14:33
SnowBum,

OK, I am attaching another zip file to this post. Unzip it somewhere convenient on your C: partition. There are two .reg files in it, which are to clear out just the relevant Domains and Esc Domains entries.

Before using them make sure your browsers are closed, then go into Spybot and undo the immunisations. Exit Spybot, then double click on each of the .reg files in turn, click on Run, click on Yes, click on OK.

Now BEFORE going any further please run Report.bat as you did before so we can see whether any entries were left (there shouldn't have been). I'd appreciate it if you could include the two text files obtained in your next post.

Now go into Spybot - there should be no entries left shown as immunised in the Internet Explorer (32/64bit) .DEFAULT(Domains) and .DEFAULT (Secure Domains). If this is so, reimmunise and let us know what the result is.

Edit: If you have the ability to logon the Administrator account, can you do so to carry out the above.

SnowBum
2008-11-15, 16:26
OK, done exactly as you asked. I booted Windows into Safe mode as I can get into the Administrator account in Safe mode and did everything.

After I'd run the reg files and run the report bat file I started Spybot S&D and immunized, did an undo and re-immunized. I still have the same amount unprotected after immunization and the same amount still protected after an undo.

Greyfox
2008-11-15, 22:35
Snowbum,

If you look at the two text files you attached to your last post in notepad, you will see the entries that are causing the problem,

5 in HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
and 2 in
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains

For some reason, these entries can't be deleted, probably because of the permissions that apply to them.

If you are comfortable with using Regedit, please have a look at one of these entries in each group. Right click on the entry, click on permissions, then click on advanced. It would be helpful if you could post a screen shot of the permissions tab, and also of the owner tab.

Basically what we need to do is to delete these particular entries.
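The thread never shows what Report.bat dumped, only that it reported on the ZoneMap\Domains and ZoneMap\EscDomains keys. As an added example (my code, not Greyfox's batch file and not Spybot's), here is a reader for the text that `reg query "<key>" /s` produces on those keys, followed by the sort a practitioner wants: entries in the shape immunisation writes, entries that relax security (Local Machine, Local intranet or Trusted sites, which is how malware whitelists its own domains), subkeys with no data at all (the empty "www" subkey the thread later runs into), and everything else. The zone numbers are Internet Explorer's documented zone IDs; the assumption that an immunisation entry looks like `*` = 4 (Restricted sites) is mine, and the sample dump and its domain names are constructed for the demo.

```python
# Zone IDs Internet Explorer stores as REG_DWORD values under ZoneMap\Domains.
ZONES = {
    0: "Local Machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

DOMAINS_KEY = (r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap\Domains")

# Constructed sample in the shape of `reg query <key> /s` output. The domain
# names are made up; the valueless www subkey mimics the empty subkey the
# thread describes. XP's reg.exe separates columns with tabs; both parse.
SAMPLE_REG_QUERY = f"""
{DOMAINS_KEY}\\example-adserver.test
    *    REG_DWORD    0x4

{DOMAINS_KEY}\\example-bank.test\\www
    http    REG_DWORD    0x2
    https    REG_DWORD    0x2

{DOMAINS_KEY}\\example-dialer.test
    *    REG_DWORD    0x4

{DOMAINS_KEY}\\example-dialer.test\\www

{DOMAINS_KEY}\\example-news.test
    http    REG_DWORD    0x1

{DOMAINS_KEY}\\example-shop.test
    *    REG_DWORD    0x3
"""


def parse_reg_query(text):
    """Parse `reg query ... /s` text into {key_path: {value_name: dword}}.

    Only REG_DWORD rows are kept, which is all ZoneMap uses. Anything that is
    neither a key header nor a value row (blank lines, reg.exe's version
    banner on XP) is skipped.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        if raw.startswith("HKEY_"):
            current = raw.rstrip()
            keys[current] = {}
            continue
        parts = raw.split()
        if current is not None and len(parts) == 3 and parts[1] == "REG_DWORD":
            name, _, data = parts
            keys[current][name] = int(data, 16)  # reg.exe prints DWORDs as 0x...
    return keys


def host_of(key_path):
    """Turn a ZoneMap key such as Domains\\bank.test\\www into www.bank.test."""
    for marker in ("\\Domains\\", "\\EscDomains\\"):
        if marker in key_path:
            labels = key_path.split(marker, 1)[1].split("\\")
            return ".".join(reversed(labels))
    return key_path


def audit_zonemap(text):
    """Sort ZoneMap entries into what immunisation adds and what needs a human look."""
    findings = {"immunised": [], "elevated": [], "empty": [], "other": []}
    for key, values in parse_reg_query(text).items():
        host = host_of(key)
        if not values:
            findings["empty"].append(host)  # subkey with no data, as in the thread
            continue
        for name, zone in values.items():
            label = ZONES.get(zone, f"unknown zone {zone}")
            if zone == 4 and name == "*":
                findings["immunised"].append(host)  # assumed immunisation shape
            elif zone in (0, 1, 2):
                findings["elevated"].append((host, name, label))  # relaxed: review
            else:
                findings["other"].append((host, name, label))
    return findings


if __name__ == "__main__":
    # Real use:  reg query "<Domains key>" /s > Domains.txt   then read that file.
    for kind, items in audit_zonemap(SAMPLE_REG_QUERY).items():
        print(f"{kind}: {items}")
```

Run the same audit over each user's hive (HKEY_USERS\<SID>\... as well as .DEFAULT) and over EscDomains; an "elevated" entry for a site the user never added to Trusted sites is the kind of leftover a malware cleanup should remove, and an "empty" subkey is the kind that, as the rest of the thread shows, may not delete from regedit at all.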

SnowBum
2008-11-16, 14:09
I've done some screen shots of a few of the registry keys relating to the entries in the last 2 text files I've attached.

You say that I have to basically delete the entries. I've attached another screen shot called "delete_which_one"; in that screen shot which folder/s do you mean to delete? The root folder for that entry (I've arrowed it red in the screen shot) or the sub-folders (I've arrowed them green in the screen shot)?

Do I have to delete all of the entries that were in the last 2 text files I've attached or just one lot? I'm just making absolutely sure what I have to delete before I dive in.

SnowBum
2008-11-16, 14:11
Post to attach the 2 files I couldn't attach to the last post; reached the attachment limit.

Greyfox
2008-11-16, 23:53
Snowbum,

Unfortunately the screen shots are not clear enough to pick out the details I was hoping to see, however:-

Can you logon in Safe mode as Administrator. If you haven't changed it from the default leave the password blank.

Using regedit, go to
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

From there go to the entry for trenitalias.it. Right click on it, select delete. If it deletes OK, do the same thing for each of the other 5 entries that were left in the last Domains.txt file you posted.

Also if that set of deletes works, then go to
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains
and then delete the two entries that were in the last EscDomains.txt file you posted.

To be clear, do not delete the Domains or EscDomains "folder", but all 5 specific entries in Domains that have been identified, and also the 2 in EscDomains that have been identified.

If for any reason you are not able to delete an entry, can you write down the permissions for it and include them in your post (you need only do this for one entry at this stage). The information should include the type, name, permission inherited from and apply to, from the permissions tab, the current owner of the item from the owner tab, and whatever names are listed in the change owner to area.

As you have previously indicated that you have prior experience with editing the registry and are comfortable doing it, I guess I don't need to remind you that you should have a backup. :)

Greyfox
2008-11-17, 04:03
My last post was prepared fairly quickly because of a time constraint. Having since had a closer look at the screen shot "delete_which_one" that you posted:-

Whilst the resolution is not good enough to read which item this is (the one pointed to by the red arrow), the two sub-items (the ones you indicated by the green lines) are probably significant. They are normally not present for a simple "immunisation" entry, and may well prevent you from deleting the main item (the one with the red arrow). If you can't delete the main item, try deleting each of the sub-items first. If you can't do this, have a look at their permissions. If necessary, post back the details of these.

In the hope of making it clearer for you, I have attached a screen shot to show the items that need to be manually deleted - if any or all of these have additional sub-items then these should be deleted also.

SnowBum
2008-11-17, 17:23
I've tried in safe mode logged in as administrator to delete the folders and the subfolders but get the error "Cannot delete www: Error while deleting key"

I've attached screenshots (BMP this time) for the deletion error, the folder permissions and the sub-folder permissions (or lack of)

Notice that in the permissions for the folder and the sub-folder screen shots you see the sub-folder key hasn't any data in it. On other valid folders that also have this sub-folder the key does have data in it and you can look at the permissions for this sub-folder.


I couldn't upload the screen shots here as they were too big and I wanted to keep the resolution clear, so I uploaded them to an image host:-

http://img.photobucket.com/albums/v721/SnowBum/error_deleting.jpg

http://img.photobucket.com/albums/v721/SnowBum/permissions.jpg

http://img.photobucket.com/albums/v721/SnowBum/subfolder_permssions.jpg

md usa spybot fan
2008-11-17, 18:16
SnowBum:

It appears that there are "Special Permissions" set on:


[….\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\trenitalias.it]
Suggestion: Using the following as a guide, see if you can remove the "Special Permissions" from that registry key:
Set, view, change, or remove special permissions
http://technet.microsoft.com/en-us/library/cc786378.aspx

SnowBum
2008-11-17, 20:58
From what I can see in the permissions for that registry key there are no special permissions. The permissions of that registry key are exactly the same as the other registry keys around it.

I have tried the "Remove an existing group or user and its special permissions" from the article you've linked but I still can't delete the folder or the sub-folder for "trenitalias.it"; I still get the message "error while deleting key."

For that key I now have no inherited permissions, only permissions set locally at that key. There are only 2 permissions set and they're for the Administrator (full control) and for user-KELLY (full control).

Is it possible for the structure of those key entries to be damaged?

Greyfox
2008-11-17, 21:25
Snowbum,

Can you go to the trenitalias.it key, right click on it, select permissions, click on advanced. It should now be on the permissions tab. Can you please post a screen shot of that, then click on owner and post a screen shot of that.

Greyfox
2008-11-17, 22:04
Snowbum,

Once you have done the two screen shots.

In safe mode, logged in as Administrator,

Go to the trenitalias.it key, right click on it, select permissions, click on advanced, then select the owner tab. In the "change to" area there should be two possible owners, one that starts with "Administrators.." and one that starts with your name. Highlight the one starting with "Administrators..." then click on apply.

Now click on the Permissions tab. Underneath the permissions entries box there are two tick boxes, the top one which would normally be ticked is "inherit from parent the permission entries that apply to child objects...."
Remove the tick from that box. A security dialogue will appear, click on "Remove". Now retick the box for "inherit from parent the permission entries that apply to child objects....", then click on Apply. This will set up the correct permissions for the trenitalias.it key (it will inherit them from the Domains key).

Now tick the second box "Replace permission entries on all child objects with the entries shown here..." then click Apply. On the security dialogue that appears, click on Yes, then OK, then OK to exit the permissions for the trenitalias.it key.

This should replace the permissions of the www subkey with those of its parent (the trenitalias.it key), and you should now be able to delete the www subkey, and then delete the parent trenitalias.it key.

If this works as planned, do the same thing to each of the 5 problem keys in the Domains group. You can use the same procedure to remove the two problem entries in the EscDomains group, however in the first step (changing the owner) change it to your user ID.

Please post back and let me know whether this was successful

SnowBum
2008-11-18, 17:33
Snowbum,

Can you go to the trenitalias.it key, right click on it, select permissions, click on advanced. It should now be on the permissions tab. Can you please post a screen shot of that, then click on owner and post a screen shot of that.

I meant to post these yesterday after I'd removed the inherited permissions.
Weird it let me upload one JPG but not the other, i had to upload that one as a GIF :scratch:

SnowBum
2008-11-18, 17:43
Now tick the second box "Replace permission entries on all child objects with the entries shown here..." then click Apply. On the security dialogue that appears, click on Yes, then OK, then OK to exit the permissions for the trenitalias.it key.

This should replace the permissions of the www subkey with those of its parent (the trenitalias.it key), and you should now be able to delete the www subkey, and then delete the parent trenitalias.it key.

When I get to this step it gives an error; I've attached a screenshot of this.

I've uploaded that screenshot to an image host again, the PNG and GIF attachment options give rubbish images and the BMP one doesn't allow the resolution.

http://img.photobucket.com/albums/v721/SnowBum/error.jpg

It seems to me as if the sub-key structure is corrupted. It isn't accepting any changes to its security permissions or owners. When I select the sub-key I get the "Cannot open www: Error while opening key" and when I OK that message and the sub-key appears opened in the regedit window there's no data for the sub-key.

Greyfox
2008-11-19, 04:13
From your screen shot it becomes evident I left out something from my previous instructions, and for the record it should have been:-

"Now click on the Permissions tab. Underneath the permissions entries box there are two tick boxes, the top one which would normally be ticked is "inherit from parent the permission entries that apply to child objects...."
Remove the tick from that box. A security dialogue will appear, click on "Remove". Remove whatever permission entries are left showing. Now retick the box for "inherit from parent the permission entries that apply to child objects....", then click on Apply. This will set up the correct permissions for the trenitalias.it key (it will inherit them from the Domains key)."

That said, unfortunately the end result would have been the same in that it was not able to subsequently pass on the permissions to the subkey in the next step.

I don't at this stage totally subscribe to the key being "corrupted", mainly because it is not a matter of it affecting one such key, but 5 in Domains, 2 in EscDomains and 1 yet to be looked at in the Admin account, and I suspect they will all show exactly the same type of "Security" block that prevents their permissions from being accessed. If indeed it were corruption and to this extent it would be fair to say there would likely be other corruption elsewhere and that would make the whole OS installation suspect and make a strong case for a complete reinstallation. I still think however these have been deliberately locked by some sort of security policy.

Unfortunately I am not able at the moment to shed any light on how you can "unlock" them so you can access the permissions and delete them. I have run out of ideas. Hopefully some one else may have the answer you need, otherwise I guess an OS rebuild may be the only option.

I'm sorry I was not able to help you resolve this. If you do find a solution please post back and let us know what it involved.

SnowBum
2008-11-19, 20:27
I've gone off looking for any other solution to this problem.

I've found out that there're some applications that put null characters into sub-keys to make them "undeletable". I've run a tool that auto-deletes these null character keys ... but that didn't do any good.

What i have found is that if i go to the key and try to export it i get an error saying that the branch to the sub-key isn't a valid structure (or something like that).

Short of doing a full fresh install of WinXP I think that the solution to this problem will have to remain undiscovered. Right at the start I suggested to my workmate that a fresh install would be the best solution due to the severity of the malware infections he had but he wanted to keep his current install due to the large number of personal data files he had on it. I feel that I have gone as far as I can with it and am now going to hand it back over to him. The PC is now 100% stable, has firewall and anti-virus protection and the ability to sweep for malware (via Spybot S&D). All of the problems he initially had have been cleaned away; the registry/immunization problem was something that I wanted to get to the bottom of and I don't think it will affect his everyday running of the PC.

Thanks for all of your help, you guys are stars.

Regards

Steven Tedds