Registry changes

Anderson2
2010-08-04, 16:10
I am running Windows 7 home premium 64 bit and used Spybot to immunize.
In my registry I find under "ZoneMap" 2 folders I am worried about because they contain all sorts of bad domain names.

The "Domains" subfolder I understand is placed there by Spybot's immunization tool. But the "EscDomains" is not mentioned in Spybot's documentation and seems to contain the same domains to make them escape the above protection!

Indeed, when I do nslookup for 007Guard.com I get the following results:

C:\Users\JSM>nslookup 007guard.com
Server: UnKnown
Address: 192.168.1.1
Non-authoritative answer:
Name: 007guard.com
Addresses: 208.72.2.179
208.72.2.180
208.72.2.186
208.72.2.187
208.75.252.106
208.75.252.107
208.75.252.108
208.65.130.26
208.65.130.27
208.72.2.18
208.72.2.19
208.72.2.20
208.72.2.178
So even though 007Guard.com is the very first list in both the hosts file and Spybot's registry entries, things seem to be getting through and the hosts file is being bypassed somehow.

Can someone explain please?

Gopher John
2010-08-04, 18:20
What you are seeing in the registry is the immunizations for the Restricted Zone of Internet Explorer placed there by SpyBot Search & Destroy.

Right click on the Internet Explorer icon, select Properties. Click on the Security tab, select Restricted sites and then click on the Sites button. You will see the same domains you just listed.

Anderson2
2010-08-04, 20:20
Thank you for responding.

I can understand the list in the subfolder "ZoneMap\Domains" is that. But what about the same list in "ZoneMap\EscDomains"? My reading suggests that EscDomains is designed to make the included domains escape blocking. Did I perhaps misunderstand?

Also, how to explain the nslookup results?

Thanks.

Gopher John
2010-08-04, 21:07
Does your hosts file have as its first entry
127.0.0.1 localhost

Mine does and when I do an NSLookUp on 007Guard.com all I get is
Hostname: 007guard.com
IP Address: 127.0.0.1

The 127.0.0.1 007guard.com line is in my hosts file as well, placed there by SpyBot Search & Destroy immunization. If these lines aren't in your hosts file, that explains your nslookup results. Also, Address: 192.168.1.1 indicates that you may not have localhost set to 127.0.0.1.

Enhanced Security Configuration (ESC) is not what you think it is. See

Internet Explorer security zones registry entries for advanced users (http://support.microsoft.com/kb/182569)

Enhanced Security Configuration for Internet Explorer (http://msdn.microsoft.com/en-us/library/ms537180%28VS.85%29.aspx)
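An added check for the two questions in this thread (the ZoneMap\Domains versus ZoneMap\EscDomains entries, and why nslookup still returns public addresses). It is example code written for this page, not a poster's script and not part of Spybot. It lists every zone-map entry for a domain with its zone number (4 is the Restricted sites zone that immunization uses; the key layout and zone numbers are those documented in the KB182569 article linked above, and EscDomains is simply the copy of the map used while Enhanced Security Configuration is on), prints the hosts-file lines naming the domain, and then resolves the name through the Windows resolver. That last step is the caveat worth knowing when reading the nslookup output earlier in the thread: nslookup sends its query straight to the configured DNS server and never reads the hosts file, whereas the system resolver (used by applications and by ping) does. It assumes Windows PowerShell 2.0 or later and an elevated session to read the HKLM copy; the script's parameter name and output wording are my own.

```powershell
# Added example for this thread; it is not code from any poster nor part of Spybot.
# Audits what an immunization left behind for one domain:
#   1. Internet Explorer zone-map entries under ZoneMap\Domains and ZoneMap\EscDomains
#   2. hosts-file lines that name the domain
#   3. the answer of the Windows resolver, which (unlike nslookup) does read the hosts file
# Assumes Windows PowerShell 2.0 or later; run elevated to read the HKLM copy.
param(
    [string]$Domain = '007guard.com'   # domain from the thread; any name works
)

# Zone numbers stored in the ZoneMap values (see KB182569 linked in the thread).
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

$zoneMapRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
)

function Get-ZoneMapEntries {
    # Emits one object per (host, scheme) pair below $Root\$Bucket.
    # $Bucket is 'Domains' (normal zone map) or 'EscDomains' (zone map consulted while
    # Enhanced Security Configuration is on). Both share one layout: a subkey chain per
    # domain (Domains\example.com\www) whose DWORD values are named after the scheme
    # ('*', 'http', 'https') and hold the zone number.
    param([string]$Root, [string]$Bucket)
    $base = Join-Path $Root $Bucket
    if (-not (Test-Path $base)) { return }
    $baseName = (Get-Item $base).Name
    foreach ($key in (Get-ChildItem -Path $base -Recurse)) {
        # Subkeys run from domain to subdomain; reverse them to rebuild the host name.
        $labels = $key.Name.Substring($baseName.Length + 1) -split '\\'
        [array]::Reverse($labels)
        foreach ($valueName in $key.GetValueNames()) {
            $zone = [int]$key.GetValue($valueName)
            New-Object PSObject -Property @{
                Hive     = $Root.Split(':')[0]
                Bucket   = $Bucket
                Host     = ($labels -join '.')
                Scheme   = $valueName
                Zone     = $zone
                ZoneName = $zoneNames[$zone]
            }
        }
    }
}

# 1. Zone-map entries matching the domain or one of its subdomains, from both hives.
$entries = foreach ($root in $zoneMapRoots) {
    foreach ($bucket in 'Domains', 'EscDomains') {
        Get-ZoneMapEntries -Root $root -Bucket $bucket |
            Where-Object { $_.Host -eq $Domain -or $_.Host -like "*.$Domain" }
    }
}
"Zone-map entries for ${Domain}:"
if ($entries) {
    $entries | Format-Table Hive, Bucket, Host, Scheme, Zone, ZoneName -AutoSize | Out-String
} else {
    '  none (the domain is in no IE zone; immunization would put it in zone 4)'
}

# 2. Hosts-file lines naming the domain. A commented-out "localhost" line is normal on
#    Windows 7, where loopback resolution is built into the resolver.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsHits = Get-Content $hostsPath | ForEach-Object {
    $line = ($_ -split '#')[0].Trim()              # strip comments and padding
    $fields = $line -split '\s+'
    if ($fields.Length -lt 2) { return }           # blank line or address only
    if ($fields[1..($fields.Length - 1)] -contains $Domain) { $line }
}
"Hosts-file lines for ${Domain}:"
if ($hostsHits) { $hostsHits | ForEach-Object { "  $_" } } else { '  none' }

# 3. Resolve through the Windows resolver, the path applications and ping use.
#    nslookup talks to the DNS server directly (192.168.1.1 in the thread) and never
#    reads the hosts file, so public addresses from nslookup do not mean the block failed.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($Domain) | ForEach-Object { $_.IPAddressToString }
    "Resolver answers for ${Domain}: " + ($addrs -join ', ')
    if ($hostsHits -and ($addrs -contains '127.0.0.1')) {
        'Hosts-file block is effective for this domain.'
    } elseif ($hostsHits) {
        'Hosts file names the domain but the resolver did not return loopback; clear the DNS client cache (ipconfig /flushdns) and retry.'
    }
} catch {
    "Resolver lookup failed: $($_.Exception.Message)"
}
```

Run it as `.\Check-Immunization.ps1 -Domain 007guard.com` (the file name is arbitrary). The expected picture after a Spybot immunization is the same host in both Domains and EscDomains with zone 4, a `127.0.0.1 007guard.com` hosts line, and a resolver answer of 127.0.0.1 even though nslookup keeps showing the public addresses.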

Anderson2
2010-08-04, 22:11
It did not. Spybot must have commented it out. But I uncommented it and now it does have 127.0.0.1 localhost as its first uncommented entry. I even rebooted and still got the same nslookup which is my concern.

Gopher John
2010-08-04, 22:19
SpyBot will not remove the localhost entry. It must be above this line. Did you restart Windows after adding the localhost line?

# Start of entries inserted by Spybot - Search & Destroy

You may have malware on your system already. What other security software do you have installed and running? What such software was installed and then removed?

Zenobia
2010-08-05, 04:09
Apparently, it's normal on Windows 7 for the 127.0.0.1 localhost entry in the hosts file to be commented out. :)
http://serverfault.com/questions/4689/windows-7-localhost-name-resolution-is-handled-within-dns-itself-why

Gopher John
2010-08-05, 14:54
Apparently, it's normal on Windows 7 for the 127.0.0.1 localhost entry in the hosts file to be commented out. :)
http://serverfault.com/questions/4689/windows-7-localhost-name-resolution-is-handled-within-dns-itself-why

So, Windows 7 is itself commenting out the localhost entry? Is this what is causing the NsLookUp results that Anderson2 is seeing? FWIW, I'm still running WinXP Pro SP3 and have little exposure to Win7.

@Anderson2,

What does a TraceRoute to 007guard.com result in?

Zenobia
2010-08-06, 02:28
Same here, I haven't had much time on a Windows 7 computer, so sometimes things get a bit perplexing to me about them. :)

But, yes, apparently, from what I gathered, it is normal for the 127.0.0.1 localhost entry to be commented out in Windows 7.

Is this what is causing the NsLookUp results that Anderson2 is seeing?
Yes, I believe so. There's a thread here, though netstat was being used, not nslookup:
http://forums.spybot.info/showthread.php?t=20443