AdwCleaner detects some elements of immunization as PUPs

IzNoGud78

New member
I ran scans on several occasions with the AdwCleaner tool and each time it detected the following registry entries as PUPs:

Code:
PUP.Optional.Legacy             HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com
PUP.Optional.Legacy             HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com
PUP.Optional.Legacy             HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com
PUP.Optional.Legacy             HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com
PUP.Optional.Legacy             HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com
PUP.Optional.Legacy             HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com

I believe there is a correlation between the detection of these items and the immunization tool, also because they are always detected following the application of immunization, and if they are removed or quarantined via AdwCleaner, a subsequent scan with the immunization tool results in incomplete immunization.

I'm so sure of this that I decided to add the items to the list of AdwCleaner exclusions (also making a report as likely false positives on their forum), but I would be more comfortable if I had confirmation of this, thanks.
 
I see you received a reply there:
https://forums.malwarebytes.com/top...-detection-after-immunization-with-spybot-sd/
Spybot would add those entries to the registry shown in your logfile as part of immunization, but they would be given a dword value of 4 to place them in the Restricted Sites Zone, and not the Trusted Sites Zone.
https://learn.microsoft.com/en-us/t...ty-privacy/ie-security-zones-registry-entries

You could contact Spybot support for further clarification, if you like. :)
https://www.safer-networking.org/support/#contactform
You might like to include a link to this topic to help with explanation.
 
Both are entries that are indeed blocked by the immunization, since around 2012.

It's like Zenobia said - it all depends on the value inside these registry keys. I have no idea why AdwCleaner does not check the content, since entries like these are a constant source of false positives.

You could simply run regedit (or RegAlyzer) to verify the actual value.

Not sure if this is documented inside RegAlyzer, will update the RegAlyzer database with useful information and post again :)
 
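One way to do the check suggested above from PowerShell instead of regedit, added here as an example (it is not code from the thread or from Spybot). It assumes the key paths from the AdwCleaner log and the zone numbering from the Microsoft zone-map documentation linked earlier; reading the HKEY_USERS\S-1-5-18 hive needs an elevated prompt.

```powershell
# Zone numbers as documented for the Internet Settings zone map.
# Spybot immunization is expected to set 4 (Restricted Sites);
# 2 (Trusted Sites) for one of these domains would be the real concern.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

# Hives and domains taken from the AdwCleaner log in this thread.
$hives   = @('HKCU:', 'Registry::HKEY_USERS\.DEFAULT', 'Registry::HKEY_USERS\S-1-5-18')
$domains = @('dospop.com', 'incredibar.com')

function Get-ZoneMapEntry {
    param([string]$Hive, [string]$Domain)
    $path = "$Hive\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain"
    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{ Hive = $Hive; Domain = $Domain; Scheme = '-'; Zone = $null; ZoneName = 'key not present' }
    }
    $item = Get-Item -LiteralPath $path
    # Each value under the domain key is named after a scheme ('*', 'http', 'https')
    # and holds the DWORD zone number for that scheme.
    foreach ($name in $item.GetValueNames()) {
        $zone = $item.GetValue($name)
        [pscustomobject]@{
            Hive     = $Hive
            Domain   = $Domain
            Scheme   = if ($name -eq '') { '(Default)' } else { $name }
            Zone     = $zone
            ZoneName = if ($zoneNames.ContainsKey([int]$zone)) { $zoneNames[[int]$zone] } else { 'unknown' }
        }
    }
}

$results = foreach ($hive in $hives) {
    foreach ($domain in $domains) {
        Get-ZoneMapEntry -Hive $hive -Domain $domain
    }
}
$results | Format-Table -AutoSize
```

Entries showing Zone 4 / Restricted Sites are the immunization blocks the Spybot reply describes; anything mapped to zone 2 is worth investigating before excluding it.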
Not sure why exactly you wrote on the MalwareBytes forums that you haven't received a comment yet? :)

I apologize but I just saw now the reply on this forum. Anyway, I thank you all for the replies; at least I'm sure I did the right thing by adding the detections to the exclusion rules and reporting the false positive.
 