
Internet Zones-Registry


12 replies to this topic

#1 Chevyfan1

Chevyfan1

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 24 May 2004 - 12:00 PM

I was repairing some unwanted changes which were made to my registry, and I was wondering if it was safe to delete any entries found under the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zone Map\Domains. Thanks.

#2 Chevyfan1

Chevyfan1

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 25 May 2004 - 08:57 AM

I have had a number of trojans and spyware applications that have been downloading content to and deleting it from my hard drive for some time. There are a lot of sites under this key that may be spyware-related - I have already deleted a lot and have added them to my restricted zone. One, xxxtoolbar.com, keeps coming back no matter what I do (it is being caused by the coolweb variant CWS.GoogleMS.3 according to the Pest Patrol trial version, which finds nothing else besides the registry entry). If anyone reading this has any advice on this subject, please help as soon as possible.

#3 lost

lost

    Member

  • New Member
  • Pip
  • 2 posts

Posted 25 May 2004 - 04:45 PM

Hkey_current_user\software\microsoft\windows\current user\internet settings\zone map\domains\xxxtoolbar.com

the new version of SB now has domain protection and this is what you are seeing there.

Some spy-ware scanners are getting false positives on SpyBot's new domain protection.

Spy Sweeper does and others. Ad-ware is NOT giving these false positives.

#4 Chevyfan1

Chevyfan1

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 25 May 2004 - 05:59 PM

So what are these sites listed under Hkey_current_user\software\microsoft\windows\current user\internet settings\zone map\domains\? (I'm a newcomer to the Windows registry) Are these banned sites that are protected against?

One other thing. CoolWebShredder has found several elements on my system when asked to scan only, but cannot fix them. Are these false positives too? Thanks

Windows 98 (4.10.2222 A)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system
AppData folder: C:\WINDOWS\Application Data
Username: User

Found Hosts file: C:\WINDOWS\hosts (736 bytes, R)
Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2112 bytes, A, running)
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com [*] dword:4
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwwwsearch.com [*] dword:4
CWS.Googlems.2 (if value is 2) Registry value: Domains: *.xxxtoolbar.com [*] dword:4
CWS.Googlems.4 (if value is 2) Registry value: Domains: *.teensguru.com [*] dword:4
Registry value: DefaultPrefix (should be http://) [] http://
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: C:\WINDOWS\win.ini (7710 bytes, A)
Found line in Win.ini: load=
Found line in Win.ini: run=
Found System.ini file: C:\WINDOWS\system.ini (2382 bytes, A)
Found line in System.ini: shell=Explorer.exe

- END OF REPORT -

#5 lost

lost

    Member

  • New Member
  • Pip
  • 2 posts

Posted 26 May 2004 - 02:13 PM

It depends on what value is in that registry key. If it is 4 then it is OK, because this will add that particular site into the Restricted Zone of IE. If the value is 2, then this will add the particular site to the Trusted Zone of IE - which in this case is NOT what you want.

I am new to this also. The above is what an expert says.
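As an added example (not code from this thread or from any of the tools named in it), here is a small Python audit script that reads a Regedit-style .reg export of the ZoneMap\Domains key and reports every host placed in a zone more trusted than the default Internet zone. It generalizes the "2 means Trusted, 4 means Restricted" rule above to all five zone ids; the sample export is constructed, with two hosts taken from the CWShredder report in this thread and the rest made up.

```python
import re

# Zone ids used by Internet Explorer's ZoneMap (0 = My Computer ... 4 = Restricted sites).
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
DOMAINS_MARKER = r"\Internet Settings\ZoneMap\Domains"

# Constructed sample .reg export of the Domains key (not a real capture).
# Value name = URL scheme ("*" = any), dword = zone id.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwebsearch.com]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test\www]
"*"=dword:00000002
"""

def parse_zonemap(reg_text):
    """Return (host, scheme, zone_id) tuples from a .reg export of the Domains key."""
    entries, host = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            idx = path.lower().find(DOMAINS_MARKER.lower())
            rest = path[idx + len(DOMAINS_MARKER):].strip("\\") if idx >= 0 else ""
            # Subkeys store the host labels reversed: Domains\example.test\www is www.example.test
            host = ".".join(reversed(rest.split("\\"))) if rest else None
            continue
        m = re.match(r'"([^"]*)"=dword:([0-9A-Fa-f]{8})$', line)
        if m and host:
            entries.append((host, m.group(1), int(m.group(2), 16)))
    return entries

def audit(entries):
    """Flag hosts granted more trust than the Internet zone (ids 0-2); 4 (Restricted) is fine."""
    return [(h, s, ZONE_NAMES.get(z, f"unknown({z})")) for h, s, z in entries if z < 3]

if __name__ == "__main__":
    for host, scheme, zone in audit(parse_zonemap(SAMPLE_REG)):
        print(f"{host} [{scheme}] -> {zone}: review this entry")
```

A zone-4 entry such as xxxtoolbar.com is a block, not an infection; the entries worth a second look are the ones this script prints.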

#6 Chevyfan1

Chevyfan1

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 26 May 2004 - 05:53 PM

I removed a lot of them, but it doesn't matter because I added them all manually to my restricted zone (I think they were already 4's). Except for wasting some time, I don't think I did anything wrong. I fear that sites and content are being accessed and/or downloaded by either CWS.GoogleMS.3 or some other file (Adaware found and destroyed one such file a month ago but I don't remember its name, and I deleted a trojan downloader manually). Right now, I am only experiencing a very annoying nuisance, but I am afraid it could get worse since CWS.GoogleMS.3 seems to be persistent and my firewall's intrusion detail section indicates I have four trojans, one of which is considered severe. I am waiting for help in another thread, though, so I won't go into any details here. Thanks for the help with the registry.

#7 Chevyfan1

Chevyfan1

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 26 May 2004 - 07:46 PM

Also, some more questions, if anyone has answers.

1. What about the sites found under the key Hkey_current_user\software\microsoft\windows\current user\internet settings\P3P?

2. What does the value 5 on these sites mean?

3. I found this entry which looks suspicious to me -HKEY_CURRENT_USER\Software\proaooieoozstzeaou . There are a lot of entries under it, including some random ones.

4. What is the key HKEY_CURRENT_USER\Software\Dialerweb\eurogamelandia? Is it spyware-related?

Thanks, just want to make sure this computer is clean.

#8 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 27 May 2004 - 05:56 PM

We need a closer look at what's happening.
Please download HijackThis.
Copy it into its own folder, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, do Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet. This log will show the registry entries in a more user friendly way!
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#9 Chevyfan1

Chevyfan1

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 28 May 2004 - 09:50 AM

Actually, I've had HJT for the last few months, and right now I have a problem that it is not detecting (the only suspicious file which it finds is config.ini, and it reappears every time the computer reboots whether it is deleted or not). I have the details listed in a post under malware removal ("Cannot find Parasite"), but I will sum them up here:

1. CWS.GoogleMS.3: CWShredder lists this as being on my system, but doesn't remove it. PP finds it as well but this may be a false positive, as it only finds xxxtoolbar.com, which is in my restricted zone. By looking at other threads, I can see this one is harder to delete than most, and is regenerating itself through Media Player.

2. Trojans: My firewall indicates in its IDS details that my computer has possibly been compromised by four different trojans: Deepthroat 3.1, Q (which is only supposed to affect Unix/Linux users), win-trin00, and Matrix 2.0. I searched manually for DT3.1 (for registry entries and files) and found nothing, and deepthroat.trojan is the only thing even resembling any of these which is in Norton AV's database (which I update regularly). Months ago, NAV found and deleted about five unknown trojans, and maybe those were these four.

3. Save Now: The only traces left of this are two registry keys found by Pest Patrol. I removed them manually, but they reappeared after rebooting.

4. Firewall shuts down with Bearshare left on: Self-explanatory. Firewall is Kerio Personal Firewall 4. Tried to register at the Kerio forum, but got an error with my registration key.

I don't know where to start with any of this. I don't think HJT is any good right now, but if you want to see my log there are several already posted under my malware removal thread (the last is the latest). Someone already looked at it and told me to delete the entries and files for config.ini and sconfig.ini. This did no good because sconfig.ini is not on my system or in my log, and config.ini regenerates after rebooting. To see more details on these problems, please check the other thread I mentioned. I will post my log here soon, too.

#10 Chevyfan1

Chevyfan1

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 28 May 2004 - 11:05 AM

Since I installed Pest Patrol and updated Java, my HJT log is slightly different, so here it is.

Logfile of HijackThis v1.97.7
Scan saved at 1:29:22 AM, on 1/22/01
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4SS.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4GUI.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\MY DOCUMENTS\NEW FOLDER\PROGRAMS\ANTI-SPYWARE\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.37.com/
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_04.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\rbigc81q.slt\prefs.js)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - Startup: SYSTRAY.EXE
O4 - Startup: config.ini
O4 - Startup: sgbhp.exe
O4 - Startup: iTouch Configuration.lnk.disabled
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab

I have already tried deleting O4 - Startup: config.ini and O4 - Startup: sgbhp.exe, but they reappear after rebooting. From what I can tell, it's going to take a lot more than just that to fix my system.

By the way, I have not yet mentioned this in either thread, but my internet has slowed down over the past week, and my computer freezes doing even simple tasks.

#11 Chevyfan1

Chevyfan1

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 30 May 2004 - 08:19 AM

Bump

#12 clif_notes

clif_notes

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 27 June 2004 - 03:38 PM

Hi Chevyfan1,

sgbhp.exe is part of SpywareGuard, which you have running. Don't worry about it at all. Your HJT log looks clean to me. Are you sure you still have a trojan running loose? I can't say what's causing your slowdowns, but I think you may have licked the bad guys this time; get a second opinion, though, I'm still new at reading the logs.

Have a great day.

#13 Chevyfan1

Chevyfan1

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 30 June 2004 - 07:54 PM

I found out that I did have a trojan - it is extremely advanced and has only recently been discovered. It is carried either through pop-ups, a worm or other trojan, or freeware on P2P networks. It uses the infected computer as a reverse proxy to route porn to other users' computers (who are attempting to access the porn from the real server, which is hidden by using the infected computer). The content is accessed through the infected computer for about ten minutes before another infected computer is substituted (to avoid suspicion by the user). It has been nicknamed "Migmaf" and there may be multiple strains in existence. It is not a serious threat, however, and major anti-virus companies are working on the detection rules right now (maybe I should have tried to isolate the files and submitted them here for analysis). For more info, search Migmaf, porn trojan, or something similar in any search engine.

Both of my computers have been reformatted now, however, and I am having no more problems.
