Specific911

Discussion in 'Malware Help (A Specialist Will Reply)' started by Babsa, Aug 11, 2005.

  1. Babsa

    Babsa Private E-2

    I have recently been getting a message on Spyware Doctor that I have a "High" risk spyware on my machine from Intelius.com that I remove with Spyware Doctor, but it keeps coming back.

    Can I just go into Regedit and delete the files? Do I need to disable MS Recover to last configuration before I delete it? The location in my registry is as follows:

    HKCU\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMap\Domains\Specific911.biz

    There are probably 100 other files in this "ZoneMap\Domains" area, none of which I want on my computer. May I safely delete these folders without damaging my software?

    Thank you.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Many items are added to

    HKCU\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMap\Domains

    by using tools like Spybot's Immunize or IE-SpyAD. As long as they are in the Restricted Zone (value should equal 4) instead of the Trusted Zone (value equal 2), they are not problems. If Spyware Dr is detecting ones in the RZ, it is a false positive and should be ignored.
     
  3. Babsa

    Babsa Private E-2

    Here is the log. Thank you.

  4. Babsa

    Babsa Private E-2

    Here's another log. I ran some additional programs, as suggested, and uploaded one AdAware update. Couldn't download RAV because they said no downloads were available right now, and I could not run Bitdefender without enabling ActiveX controls, and I wasn't comfortable doing that, sorry.

    Thanks for the advice about AVG not playing nice with Norton, I never liked AVG anyway!

    I tried deleting the files #16 & #23 you suggested, however, #23 keeps coming back, even after reboot. I think it may have something to do with my Brother printer.

    I re-ran Spyware Doctor and Specific911 didn't show up again, but I still don't understand the purpose of all those files in the registry that reference Specific911.

    Thanks for the help.

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You sent me a PM about the TZ & RZ comment I made in message #3. It is best to keep all communication like that in the thread. That way everyone benefits.

    If all the items in the ZoneMap\Domains area have a value of 4, they are in the Restricted Zone (RZ). If they were in the Trusted Zone (TZ), they would have a value of 2, and that would be bad. This is a False Positive on Spyware Doctor's part if it is detecting items that are in the RZ just because the name (URL) is that of a bad site.

    Now for everyone's benefit, O23 lines in HJT logs are for system services. Yes yours is for your Brother printer but many people see the lines in HJT that end with a (file missing) and they believe they should be fixed. The problem is that HJT has a bug and sometimes shows the files for the services to be missing when they are not. I ignore all O23 lines like that unless the service itself is for malware.
     
  6. Babsa

    Babsa Private E-2

    Sorry about the misstep in sending a PM. Just didn't want to look dumb. Good advice for everyone to know, however. It sounds like my registry is showing these sites as restricted; however, could you please clarify whether the info listed in my registry IS the same as the info you state causes these sites to be considered restricted? The info in the registry is as follows:

    HKCU\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMap\Domains\Specific911.biz

    [ab] (Default) REG_SZ (value not set)
    [oioi] * REG_DWORD 0x00000004 (4)

    I see a "4" in the binary code line, is that the "4" that makes this site restricted? Thank you for all of the great advice!
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    0x00000004 is hexadecimal, not binary, and yes, 4 = Restricted.

    The (4) is for decimal representation. For this case 4 hex is the same as 4 decimal.
    0x0000000a would be (10).
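As an added example (not from this thread or from any MajorGeeks tool), the Python below reads a `reg export` of the ZoneMap\Domains key and flags every domain whose zone value is anything other than 4 (Restricted), decoding the DWORD as hex exactly as chaslang describes. The sample export is constructed; the real key name is `Internet Settings` with a space, and the `example.*` hosts are placeholders.

```python
import re

# Constructed sample of a `reg export` of the ZoneMap\Domains key (not the thread's log).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\specific911.biz]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com\www]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.net]
"*"=dword:0000000a
"""

# IE security zone numbers as stored in ZoneMap; 2 (Trusted) is the one to worry about.
ZONE_NAMES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

DOMAINS_KEY = re.compile(r"^\[.*\\ZoneMap\\Domains\\(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_zonemap(reg_text):
    """Return (host, scheme, zone) tuples from a .reg export of ZoneMap Domains.
    A subkey under a domain is a host label: Domains -> example.com -> www means www.example.com."""
    entries = []
    host = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = DOMAINS_KEY.match(line)
        if m:
            parts = m.group(1).split("\\")
            host = ".".join(reversed(parts))  # domain first in the registry, so reverse
            continue
        m = VALUE_LINE.match(line)
        if m and host is not None:
            scheme, hex_value = m.groups()
            zone = int(hex_value, 16)  # dword is hex: 00000004 -> 4, 0000000a -> 10
            entries.append((host, scheme, zone))
    return entries


def flag_non_restricted(entries):
    """Return every entry not in the Restricted zone (4); these deserve a manual look."""
    return [(h, s, z, ZONE_NAMES.get(z, "unknown zone"))
            for h, s, z in entries if z != 4]
```

Run it against a real export with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" zonemap.reg` and feed the file contents to `parse_zonemap`; an empty result from `flag_non_restricted` means every listed site is merely blocked, not trusted.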
     
