Incomplete immunization - Internet Explorer 32 Bit Software Domains

lapper4

New member
I ran Spybot 2.4 immunization with administrator privileges and was able to immunize all categories except for Internet Explorer 32 bit software domains. Interestingly, Spybot was able to immunize the same software domains for Internet Explorer 64 bit. Please see the attached image of the immunization results.

I immunized a second time after disabling all my other antimalware protection software (Kaspersky Pure 3.0, Microsoft Security Essentials Version 4.5.216, and SpywareBlaster Version 5.0), but got the same result.

I have read the posts I found regarding the reasons for incomplete immunization and I don't have any of the blocking software mentioned installed on the computer. Could this be a problem with an Internet Explorer setting? If so I could not find the problem among the Internet Explorer settings.

I have Windows 7 professional 64 bit version with Service Pack 1 and numerous other updates
Internet Explorer version 11.0.9600.17239

Windows Defender is turned off
Internet options security is set to Medium-high with protected mode enabled

We have a second computer with the same software and same settings. Spybot was able to do a complete immunization on the second computer. I haven't been able to figure out what the difference is between the 2 computers that prevents complete immunization on one of them.

Does anyone know what I'm overlooking?
 

Attachments

  • SpyBot 2.4 Incomplete Immunization - Internet Explorer 32 bit Software Domains.jpg
Right-click somewhere in the immunization window, select deselect all, then checkmark only \SOFTWARE (Domains), and click Apply Immunization. I've never had a problem immunizing Internet Explorer, but sometimes on Firefox one section is slow immunizing, so make sure you leave it for a bit, maybe 5 or 10 minutes.
If it doesn't work, did you get any messages/windows from Spybot saying it couldn't be immunized, or does it just sit there?
 
Hello Zenobia:

I did as you asked but it still wouldn't immunize the 32 bit software domains.

I do get an error message

Spybot 2.4 Immunization Error Message.JPG
 
Hello. :)
I wonder if this might be a permissions issue on the registry key? That seems like that might be it. I'm not 100% sure on that, but it might be worth going for a look.
Have you ever been in the computer's registry before? And are you familiar with it? :)
 
If you are asking if I can search for a registry key and change a command line parameter or delete the key, yes I have done that a few times before, usually following instructions for a potential fix for a problem. I backed up the registry before making changes. So far I haven't made my computer unbootable or made a program unusable. Which registry edit program do you recommend I use?
 
It would just be opening regedit, and checking the permissions on the domains key, and perhaps changing permissions if it is incorrect. If you would like to do that, I'd give you instructions.

If you would rather not, then the websites listed in the registry as part of Spybot's immunization are usually the same ones Spybot puts into the Hosts file, making those bad websites unreachable, which also gives a form of protection.
The sites listed in the registry as part of Internet Explorer (32-bit) place those sites into Restricted Sites.
If you would prefer not to go into the registry, the unimmunized items could be left as is or perhaps put into Immunization's ignore.

It's completely up to you, whichever you are most comfortable with. :)
 
Okay. :)
Please click the start orb, and type regedit, then click regedit.exe. Say yes to the UAC prompt.
Go to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap, then click on Domains. Right-click Domains, then select Export. Name the file something easy to remember, like domainsbackup, and make sure the Save as type is Registration Files (*.reg). Pick a place where it's easy to find, such as Documents or Desktop, then click Save.

Once that's done, right-click Domains again, then select Permissions. Under Group or User Names, you'll see some things listed.
You can skip Restricted, if it's listed, because that shouldn't have full control.
Beneath that System is probably listed. With that, Full Control and Read should have a checkmark. (It is normal for the checkmarks to be greyed out on these.)
Below that, you should probably see something similar to Karen (Karen-PC\Karen). If your account is an administrator account then Full Control and Read should be checkmarked.
Then below that one, you should see something similar to Administrators (Karen-PC\Administrators). This should also have Full Control and Read checkmarked.
If any of the ones you checked don't have Full Control or Read checkmarked, please let me know. :)
 
Did as you instructed. The System, Karen, and Administrator permissions have the Read and Full Control boxes check marked as shown in the attached images. I didn't send you the reg file because it is over 5 megabytes and you didn't ask for it.

Perhaps this is a dumb question, but if the problem is a windows permission issue, why was Spybot able to immunize against 507 of the 15492 software domains? Shouldn't immunization of all the domains be blocked?


Administrators Permissions.JPG
Karen Permissions.JPG
System Permissions.JPG
 
Oh, thanks for uploading the images. Seeing makes things easier sometimes. :)

Perhaps this is a dumb question, but if the problem is a windows permission issue, why was Spybot able to immunize against 507 of the 15492 software domains? Shouldn't immunization of all the domains be blocked?
Not a dumb question at all. That's why I said I wasn't 100% sure it was a permissions issue.

This will sound strange, but could you try unimmunizing the 507 immunization that you do have for Internet Explorer (32-bit) \Software(Domains), and then try immunizing it again, and let me know what happens? :)
 
I unimmunized and then re-immunized just the 32 bit software domains and wound up with 507 immunized domains again. Then I unimmunized everything and re-immunized everything, which resulted in 507 immunized 32 bit software domains again. Also got the same error message.
 
Okay, thanks. :)

I'm not familiar with it, but I was looking at the Kaspersky Pure page. I have the right product, the same as yours?
http://www.kaspersky.ca/products-services/home-computer-security/pure
I see Central Management is included, so this might not apply. But I was thinking if there are two Kaspersky Pure products on both computers, could one be configured a different way? This page mentions automatic protection mode:
http://support.kaspersky.com/9552#block2
I was thinking that perhaps on one computer automatic protection mode might be enabled, and perhaps on the other computer it could be set to prompt, so perhaps Kaspersky encountered part of the Spybot immunization, and automatically blocked it, and continues to, or some variation of that.
http://support.kaspersky.com/9553#block1

You could also check out the Microsoft Security Essentials history tab. Click on quarantined items, and also all detected items, and view More Details, to see if anything could be the Internet Explorer 32 bit domains immunization.

I see nothing in the Spyware Blaster tutorial that might affect immunization, so you can rule that one out for now.
 
We have Kaspersky Pure 3.0 on both computers. I haven't checked to see if the Kaspersky settings on both computers are exactly the same because Kaspersky has a "disable all protections" option. When the 32 bit software domains weren't all immunized, I disabled all Kaspersky protections (see first post) so I assumed the Kaspersky settings wouldn't matter. Are you suggesting that even with Kaspersky disabled, the Kaspersky settings could prevent immunization?

I looked at the Microsoft Security Essentials history tab. I clicked on quarantined items and also all detected items, there was nothing listed in either category. I didn't see a "View More Details" option for either category. Perhaps something has to be listed to see that option. In the Microsoft Security Essentials settings tab, I disabled real time protection and tried to immunize again. Still only 507 software domains immunized.

Is there a way to determine which domains are being immunized and compare the registry entries for those domains with the registry entries for domains that won't immunize? In other words, could some parameter in the individual domain keys prevent immunization?

This morning I compared all Internet Explorer options selected for both computers, including the advanced tab settings. There were a couple of settings that were different, but I wouldn't expect the differences to affect the ability to immunize. That said, I changed the two settings on the computer that wouldn't completely immunize to match the settings on the computer that does completely immunize, even with all anti-malware software enabled. Still could only immunize 507 domains with all anti-malware software disabled.
 
No, I didn't know there was a disable all protections setting in Kaspersky Pure. Looks like it can't be Security Essentials, either.

In other words, could some parameter in the individual domain keys prevent immunization?
I vaguely remembered something happening with immunization in an older version of Spybot like that, but I discounted it because I hadn't noticed anybody else getting the same problems on the forums recently. Have you updated recently? (Just in case there was some problem with immunization I didn't know about, and it was fixed in an update.) :)
 
We had used Spybot 1.62 on both computers from May 5, 2011 until August 20, 2014. August 20 I installed Spybot 2.4 on both computers. There was a difference in the installation on the two machines. On the computer with complete immunization, the installation program recommended or asked (I can't remember which now) if I wanted to uninstall Spybot 1.62 before installing version 2.4. So 1.62 was uninstalled by the installation program before 2.4 was installed. On the computer without complete immunization, the installation program never asked or recommended removing version 1.62 before installing 2.4. I thought that was strange and wondered if that would create a problem, but the 2.4 installation seemed to go OK and 2.4 appeared to be working OK. 2.4 was installed in a new folder rather than in the previous 1.62 folder, which remained after the 2.4 installation.

I considered using the control panel add/remove program application to remove 1.62. However, 1.62 didn't show up on the add/remove program list. When I looked in the 1.62 folder, it was empty except for the Tea Timer program. I assumed that the 2.4 installation program had removed most of 1.62. I deleted the Tea Timer program and 1.62 folder.
 
That should be alright, if there was anything left of the Spybot 1.6.2 program, it shouldn't interfere with anything related to Spybot 2.4. It's good you deleted Teatimer. :)

I had you in the wrong area of the registry when I had you check the domains security before. Sorry about that. :oops:
http://blogs.technet.com/b/fdcc/arc...plorer-s-explicit-security-zone-mappings.aspx

You could see if there is something wrong with the last site listed under the domains key if you would like to. I was thinking there might be something wrong with it, so immunization couldn't go past the last one.
To do that, you'd click the start orb, and type regedit, then click regedit.exe. Say yes to the UAC prompt.
Go to HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains, and scroll down until you get to the last site listed. If it's one put in by immunization, it should have a dword value of 4. Click on that one, then right-click and select Export. Name it something memorable, make sure Save as type is Registration Files (*.reg). Pick a place where it's easy to find, such as Documents or Desktop, then click Save, then close regedit.
Locate the registry file you just saved, right-click it and select Edit. Notepad should open. Highlight the text and copy and paste it here.
 
Thanks for the link to the article on site to zone mapping. I will fully digest it later.

Here is the information for the last site in HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains. The dword value is 4.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\zyban-zocor-levitra.com]
"*"=dword:00000004
 
Please ignore my previous post - wrong computer! (my bad now).

The last site is the same as the previous post, however there is no dword listed. The first site listed in HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains does not have a dword listed either.

I could not export the file for the first or last site. When I tried I got this error message "The selected branch does not exist. Make sure that the correct path is given"

When I right click on Domains and check permissions, the popup box indicates there are no permissions for these sites.

The other computer (with no immunization problem) has dword values of 4 for the first and last sites. When I right click on Domains and check permissions for the other computer, the popup box indicates there are 4 users with Read and Full Control.

Perhaps we are now zeroing in on the problem?

I can send you jpegs of either permission box if you wish.
 
Perhaps we are now zeroing in on the problem?
Yes, I believe so. :)

A backup should be made before anything further, just to be on the safe side. Could you go back to HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap, click on Domains, then right-click, and try to Export the whole key?
Name the file something easy to remember, and make sure the Save as type is Registration Files (*.reg), then click Save.
You might get an error when you try to export the Domains key, too. If you do, please make a note of what it says and let me know.

Yes, you could send jpegs of the permission boxes too, please, if it isn't too much trouble. :)
 
I was able to right click on Domains and do an Export. However, most of the files in the Domains folder did not export. I did not get an error message doing the export. Comparing the Domains files shown in the registry editor with the notepad view of the export file, it looks like only files with a dword value of 4 exported. It also appears that every file with a dword value of 4 has a sub folder while those files without a dword value do not. Most, but not all, of the Domains files for the computer that does not have an immunization problem have subfolders named "www" or have www in the subfolder name.

I have attached jpegs for the Domains permission box for Greg's and Karen's PCs and 2 jpegs of the Domains files shown in the registry editor for Karen's PC. The 2 registry editor jpegs show the first 3 files in the export file list plus some of the files that didn't export. The Domains export file for Karen's PC was 154 KB and when I tried to upload it I received an error message saying uploads of files of this type (text files I guess) are limited to 48.8 KB. Therefore I have pasted the first few lines of the export text file below, which is representative of the entire export file. Since only the Domains files with a dword value of 4 exported, is the export file of any value?

Greg PC Domains Permissions.JPG
Karen PC Domains Permissions.JPG
Regedit View 25Aug14.jpg
Regedit View 2 25Aug14.jpg

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\25u.com]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\25u.com\first-antivirmd]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\25u.com\www.first-antivirmd]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\25u.com\www1.first-antivirmd]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\77zip.com]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\77zip.com\www]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\aartemis.com]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\aartemis.com\www]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\aboveredirect.com]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\aboveredirect.com\www]
"*"=dword:00000004
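
The comparison asked about earlier in the thread (which domain keys carry the zone value on one PC but not on the other) can be done offline from two regedit exports of the ZoneMap\Domains key. The following is an added example, not part of the original posts and not Spybot's own code; the function names and both sample exports are constructed for illustration, using domain names from the export above. It lists entries mapped to zone 4 (Restricted Sites) on a reference PC but not on the affected PC, and keys that exist but carry no zone value in themselves or any subkey.

```python
import re

BASE = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows"
        r"\CurrentVersion\Internet Settings\ZoneMap\Domains")
KEY_RE = re.compile(r"^\[HKEY_[^\]]*?\\ZoneMap\\Domains(?:\\([^\]]+))?\]$", re.I)
VAL_RE = re.compile(r'^"([^"]*)"=dword:([0-9a-fA-F]{8})$')

def parse_zonemap(reg_text):
    """Map each key under ZoneMap\\Domains to its {value name: zone number}."""
    keys, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        key, val = KEY_RE.match(line), VAL_RE.match(line)
        if key:
            # group(1) is None for the Domains key itself
            current = key.group(1) and key.group(1).lower()
            if current:
                keys[current] = {}
        elif val and current:
            keys[current][val.group(1)] = int(val.group(2), 16)
    return keys

def restricted(keys):
    """Keys whose "*" value is 4, i.e. mapped to Restricted Sites."""
    return {k for k, vals in keys.items() if vals.get("*") == 4}

def compare(reference, affected):
    """Entries restricted on the reference PC but not on the affected one."""
    return sorted(restricted(reference) - restricted(affected))

def hollow(keys):
    """Keys with no zone value of their own and none in any subkey."""
    covered = set()
    for k, vals in keys.items():
        if vals:
            parts = k.split("\\")
            covered.update("\\".join(parts[:i + 1]) for i in range(len(parts)))
    return sorted(set(keys) - covered)

def make_export(entries):
    """Build constructed sample export text; zone None = key without a value."""
    out = ["Windows Registry Editor Version 5.00", "", f"[{BASE}]", ""]
    for key, zone in entries:
        out += [f"[{BASE}\\{key}]"]
        out += [f'"*"=dword:{zone:08x}', ""] if zone is not None else [""]
    return "\n".join(out)

# Constructed samples (real exports are UTF-16: open(path, encoding="utf-16")).
REFERENCE = make_export([("25u.com", None), (r"25u.com\first-antivirmd", 4),
                         ("77zip.com", 4), (r"77zip.com\www", 4), ("aartemis.com", 4)])
AFFECTED = make_export([("25u.com", None), (r"25u.com\first-antivirmd", 4),
                        ("77zip.com", None), ("aartemis.com", 4)])
```

Keys that regedit cannot read may be missing from an export altogether, as happened in this thread, so `compare()` against the working PC's export is the more reliable of the two checks.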
 