
Joe · Discussion Starter · #1
About a year ago I had CWS come into my system attached to a freeware program. It was present and detected by the various spyware removal programs used in this forum until I discovered the CWS was embedded in the freeware program called Index.Dat Viewer. I removed the Index.Dat Viewer program and then ran scans with HijackThis, CWShredder, Ad-aware, Spybot S&D to assure that CWS was indeed gone and I also have SpywareBlaster protection running. I then ran JV16 Power Tools and the scan came up with about 250 Registry entries related to CWS, I deleted all the entries.

I regularly do scans with Ad-aware, Spybot S&D, HijackThis and CWShredder. None of these scans have come up with any CWS entries since my problem of a year ago.

Today I did a scan with a Spyware removal program called "pcOrion". It's one of those free-to-scan, buy-to-remove deals, except this program will list the Registry key of the entries it finds. It found CWS, an Exploit and IETray. I was concerned with the CWS and decided to run Ad-aware and then Spybot S&D to see if they would also find the CWS. Neither program found the CWS.

I then went into the Registry key that was given by the pcOrion scan which was: HKEY_Current_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

This key is the Trusted Sites Domains and it had approximately 200-300 entries of CWS, Adult XXX, BonziBuddy and every other scum domain I've ever seen before.

My questions are how could this Trusted Sites Domains key get so corrupted? And how could Ad-aware, Spybot S&D and the rest of the well known Spyware removal tools used in this forum not detect these entries?

Thanks
 

Registered · 7,525 Posts
Hi,

Those sites may have been added to Restricted.
Adding to that key is done like this:
A domain is added by creating a subkey. Look in the right pane for a Dword named *

If the value is 4 then that domain has been added to restricted. That adds extra security to that domain. That is, if the Restricted Settings are high and have not been tampered with.
 

Joe · Discussion Starter · #4
No I don't use IE - Spyad. But what really puzzles me is why they weren't detected while running Ad-aware and Spybot S&D scans?
 

Registered · 7,525 Posts
Let me explain this again. That key is not the Trusted Domains key. Not at all. It is the Domains key. Anything not listed there is assumed to be in the Internet Zone.

But if you want to add a domain to another zone, you add a subkey under Domains. Then you create a DWord in the right pane and name it *

Then you change the value data.

2 is trusted
4 is restricted.

So, please do not get all upset. That scanner may be not up to standard. Look in Internet Options>Security. Click Restricted and then the sites button. Are you seeing all those nasty sites listed there?

Here's a sample from my registry:
Code:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cnww.net]
"*"=dword:00000004
cnww.net is a Domain. Look at the DWORD; it is set to 4. That is the restricted zone. When you go there, you are going to have the tighter security which comes from being in the restricted zone.

Whenever IE goes to a site, it checks to see if that site is assigned to a particular Zone and applies that zone's security settings to the site.

If so, then uninstall that scanner.
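As an added example (not code from the thread or from any of the posters), the following PowerShell script reads the same ZoneMap\Domains key described above and reports which zone each entry is actually assigned to. It assumes the standard IE zone numbering (0 My Computer, 1 Local intranet, 2 Trusted, 3 Internet, 4 Restricted; the thread itself only names 2 and 4) and the usual layout of one subkey per domain with optional host-prefix subkeys beneath it.

```powershell
# Added example: audit HKCU ZoneMap\Domains and show the zone each entry really has.
# A long list of 4s is the Restricted zone doing its job; only 2s relax security.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$DomainsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Read-ZoneValues {
    # One object per value on a key: the value name is the scheme ('*' = any scheme, or http/https),
    # the DWORD data is the zone number.
    param([Microsoft.Win32.RegistryKey]$Key, [string]$HostName)
    foreach ($scheme in $Key.GetValueNames()) {
        $zone = [int]$Key.GetValue($scheme)
        [pscustomobject]@{
            Host     = $HostName
            Scheme   = $scheme
            Zone     = $zone
            ZoneName = if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { "unknown ($zone)" }
        }
    }
}

function Get-ZoneEntries {
    # Walks Domains\<domain> and Domains\<domain>\<hostprefix>, e.g. Domains\example.com\www
    # becomes www.example.com. Hypothetical helper name, not an IE or Windows API.
    param([string]$Path = $DomainsKey)
    foreach ($domain in Get-ChildItem -LiteralPath $Path) {
        # Values directly on the domain key apply to the whole domain, like cnww.net "*"=4 above.
        Read-ZoneValues -Key $domain -HostName $domain.PSChildName
        foreach ($prefix in Get-ChildItem -LiteralPath $domain.PSPath) {
            Read-ZoneValues -Key $prefix -HostName "$($prefix.PSChildName).$($domain.PSChildName)"
        }
    }
}

$entries = Get-ZoneEntries
# Count of hosts per zone, then the only entries that deserve scrutiny: Trusted (2).
$entries | Group-Object ZoneName | Select-Object Name, Count | Format-Table -AutoSize
$entries | Where-Object Zone -eq 2 | Sort-Object Host | Format-Table Host, Scheme, ZoneName -AutoSize
```

The per-zone counts let you compare a scanner's report against the real value data; if the long list is all 4s, the sites are in Restricted sites, exactly what Internet Options>Security>Restricted shows.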
 

Gone but always remembered · 2,261 Posts
Hello Mosaic1,

I am interested in this thread and in your responses. My knowledge of the Registry is limited.

May I please ask you to look at this GIF which shows the 'key' in question:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

I am not sure which part of this is the KEY.

However the final word is 'Domains' which extends downwards, and shows each of five items. These I have in my Trusted Sites Zone (in Internet Options/ Security tab/Trusted Sites).

Were I to remove one of these sites in Internet Options it would cease to be shown here in the Registry. So I believe.

I recognise that the www, when clicked-on, opens up the RH Pane's Name and Data columns and signifies by the value 0x00000002 [2] that it is a Trusted Site. (see GIF)

Presumably had I sites in the Restricted Zone the value data associated with them would be [4].

I don't understand this, I quote you:

"But if you want to add a domain to another zone, you add a subkey under Domains. Then you create a DWord in the right pane and name it *"

You seem to be saying that this is the way we add sites to other zones. You cannot however mean that. Do you?

This Forum (TSG) advocates the use of at least the following in an attempt to control spyware, malware and so on:

Spybot Search and Destroy.
LavaSoft Ad-Aware.
CWShredder.

May I ask if, when you write "That scanner may be not up to standard.", you are saying that one or all of the foregoing is or are not up to the task of finding the items mentioned by GoJoAGoGo. Do I understand you correctly?

Thank you, Mosaic1.
 

Registered · 7,525 Posts
Hi aarhus2004,

Yes. A lot of these scan and then pay scanners are outright scams and others are not good or incompetent. I am not familiar with this one because I haven't kept up on the subject.

Here's a page with a good list to help guide you:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

You understood me correctly about the registry. I was explaining what she found when she opened it up. But as a Casual User it is best to use the Interface provided in the browser to set up domains. Never add anything to trusted unless you really trust that site 100%. The Trusted sites zone's security is relaxed.

Internet Options>Security

Click the Icon for the Zone and then add the domain there.
 

Gone but always remembered · 2,261 Posts
Mosaic1,

Many thanks for your response. I would like to share with you my understanding which has resulted from it.

If I visit a website which then deposits spyware on my computer and if I run a successful (adequate) removal tool, the spyware entries will be removed, and the website (domain) responsible will be added in both my registry domain list with a value which identifies that domain as a Restricted one and subject, on subsequent visits, to the high security levels in Internet Options>Security tab>Restricted sites. It will, of course, appear there listed as a Restricted site also.

GoJoAGoGo,

What you found in the domain key were those sites, which having been identified by your removal tool(s), had been allocated the restricted sites identifier in the registry domain key (the [4] designator) and would have been seen listed in Internet Options>Security tab>Restricted Sites.

For me that essentially expresses my understanding of the whole process.

My thanks to you both for the sharing. And if there is more to this, well, I hope to read of it.
 

Joe · Discussion Starter · #9
aarhus2004 said:
GoJoAGoGo,

What you found in the domain key were those sites, which having been identified by your removal tool(s), had been allocated the restricted sites identifier in the registry domain key (the [4] designator) and would have been seen listed in Internet Options>Security tab>Restricted Sites.

For me that essentially expresses my understanding of the whole process.

My thanks to you both for the sharing. And if there is more to this, well, I hope to read of it.
aarhus2004:

Yes, all those bad sites should have appeared in the Internet Options>Security>Restricted Sites area, but I can't say for sure because I removed all those sites from the Registry before looking in that area.
 