Jump to content
mbyuser

adaware hosts file conflict

Recommended Posts

unsure if this has been posted I did look however I might have missed it.

the latest version of adaware 7.3.0.0  is picking up spyblaster/spybots hots files again.

AdwCleaner[S51].txt

Share this post


Link to post
Share on other sites

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

Spoiler

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  1. Download Malwarebytes Support Tool
  2. Once the file is downloaded, open your Downloads folder/location of the downloaded file
  3. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  4. Place a checkmark next to Accept License Agreement and click Next
  5. You will be presented with a page stating, "Get Started!"
  6. Click the Advanced tab
    Repair menu_arrows.png
     
  7. Click the Gather Logs button
    Advanced_arrows.png
     
  8. A progress bar will appear and the program will proceed with getting logs from your computer
    Advanced Gather Logs_arrows.png
     
  9. Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Advanced Gather Logs completed_arrows.png
     
  10. Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:
     notify me.jpeg  

Click "Reveal Hidden Contents" below for details on how to attach a file:
 

Spoiler

To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

mb_attach.jpg.220985d559e943927cbe3c078b
 

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

Share this post


Link to post
Share on other sites

Hi @mbyuser,

Could you export HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ registry key and share it?

Thanks!

Share this post


Link to post
Share on other sites

hey sry I ve been pretty unwell as late.

 

unsure how to do that are you asking for edges per site site privacy options ?

guide me and I`ll follow

Share this post


Link to post
Share on other sites

To get an export of the registry keys in question simply open regedit (click START and type regedit and press Enter or click on it to open it once it is displayed) and navigate to the key HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com and then right-click on the incredibar.com key/folder and select Export then in the save dialog browse to a convenient location such as your desktop to save the file and give it a name such as incredibar and click Save then do the same for HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com as well as HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com.

Once that's done, go to the location where you saved the 3 reg files and select them all and right-click on one of them and hover your mouse over Send to and select Compressed (zipped) folder then attach the ZIP folder you just created to your next reply.

If you still have trouble let me know and I'll provide further guidance and assistance.

Edited by exile360

Share this post


Link to post
Share on other sites

Nope, it should be 3.  The third one will be found under HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com, at least going by the 3 detections shown in your ADWCleaner log.  I'm sure those two will be sufficient though.

Share this post


Link to post
Share on other sites

Yep, looks good to me.  Now hopefully they'll be able to get these FPs corrected for good this time.  I don't know how the internals of the engine/detections work, but it should theoretically be possible to simply whitelist any Zonemap\domains entries that contain a value data of 4 which refers to the restricted zone (since no actual threat would ever place its associated sites into the restricted zone, and instead would definitely configure them to the trusted zone which is zone 2, all of which is documented by Microsoft on this page).

Share this post


Link to post
Share on other sites

could I ask whats the status of AdwCleaner the detections are still appearing,not concerned and I know its really is no big issue,just interested.

Share this post


Link to post
Share on other sites

I haven't heard anything yet unfortunately so I'm guessing it's not something they can address until a future release (otherwise they would have simply pushed out a database update to correct it).

Share this post


Link to post
Share on other sites
On 4/4/2019 at 10:03 PM, mbyuser said:

unsure if this has been posted I did look however I might have missed it.

the latest version of adaware 7.3.0.0  is picking up spyblaster/spybots hots files again.

AdwCleaner[S51].txt 5.05 kB · 8 downloads

It may be detecting those domains (or simply the fact that the hosts file has changed) as a potential malicious change.

Truth be told, the hosts file is not meant to block domains and is a common misconception/misuse of the hosts file. It's main intent is to help direct a (few) domains to new IP addresses, such as in the case that DNS has not propagated with updates.

If you'd like to learn more about it, you can read about Blocking Malware and Advertisements Safely.

Share this post


Link to post
Share on other sites
1 hour ago, Tarun said:

It may be detecting those domains (or simply the fact that the hosts file has changed) as a potential malicious change.

Truth be told, the hosts file is not meant to block domains and is a common misconception/misuse of the hosts file. It's main intent is to help direct a (few) domains to new IP addresses, such as in the case that DNS has not propagated with updates.

If you'd like to learn more about it, you can read about Blocking Malware and Advertisements Safely.

These entries being detected aren't actually in the HOSTS file at all and have nothing to do with the HOSTS file; they're in the restricted sites list in the registry under the ZoneMap\Domains keys.  This is where Windows stores the list of trusted and restricted/unsafe sites for Internet Explorer and it is used by SpywareBlaster as well to add known malicious sites to the restricted sites list to protect users' systems.  Any site in the Restricted Zone is prevented from doing things like running scripts, executing ActiveX controls and other things that would be perfectly fine on a normal/safe website but could be harmful if used maliciously.  They are detected because ADWCleaner apparently can't determine whether a site stored under those keys is configured as 2 for Trusted or 4 for Restricted (all the detected entries are set to the latter, meaning the user's browser will treat them as unsafe as it should).

Details on the feature are documented in this Microsoft help article.

As for the HOSTS file, yes, it is true that its intended purpose is for redirecting sites and that too many entries can cause issues with the DNS Client service, however if that service is disabled it's not an issue (though this may not be true on Windows 10 as I've done some preliminary testing in that OS and found that there are still browser performance issues when using a large HOSTS file even when the DNS Client service is disabled/not running).  As for whether or not it should be used this way to block malicious sites, I think that's up to the user.  It has been used for this purpose by the likes of MVPS.org, Malwarebytes' own hpHosts, known malware hunting/reporting sites/databases like MDL and many others along with Spybot Search & Destroy which adds sites to the HOSTS file for blocking (as well as adding entries to the restricted sites list in the registry as well as using the Zones to block cookies from specific sites through the registry (something SpywareBlaster does as well).

My current HOSTS file (Windows 7 x64 SP1, fully patched) contains over 900,000 entries and counting (I use a tool called HostsMan to download and combine multiple security and privacy related HOSTS files from various sources) and I've been using the HOSTS file this way for years going all the way back to the days of Windows XP.  I've also found that it actually improves browsing performance when the domains in the HOSTS file are configured to use the null 0.0.0.0 address rather than the local machine/loopback address 127.0.0.1 (something I can easily change for all entries via one of the functions in HostsMan so that I don't have to do so manually).

Edited by exile360

Share this post


Link to post
Share on other sites

I was using the term hosts file very  loosely rather than more complicated title. 

Pretty sure exile knew that.

that aside thanks for the input.

Anyways that aside exile.

few things related really.

just a discussion not a rant don't think after all these years I would sundally ( sure that's spelt wrong ) start ranting rather than learning anyways.

The program that causeing the issue is I take is spyblaster not spybot . Alought by the sounds of it spybot if it added somthing ad adaware couldn't determine would be flagged also.

 

i can't get totally onboard with the flaging it's not the fact that the entries are being flagged it's more the name there being flagged is pups and the program responsible for the flagging you can't really call a pup.

the program makes the entries and the entries are then flagged witch in essence is saying spyblaster it's self is a pup.

 

you know as I do years ago that's all most folks had to help protect them bar anti virus programs and they wernt what they are today and things have moved on and spybots not great calling them both pups as could happen seems almost like a kick in the face for all the good they did do.

I mean spyblaster thou how could that be deemed a pup as said the program makes the entries even if your not flaging spyblaster it's self the entries lead back to the program that made them I take it you understand what I am getting at.

 

reading on I see your still useing hosts man witch I much would love to have back on my system.

i thought it had been abandoned obviously not by the sounds of it.

Soon as use it I lose conection to the net ( dns errors with or without the two above programs removed ) and have to run hoops to get things working again,thinking about it I never had a problem on my last device.

guess I should hop over there and see if there a fix.

All the best 

in good faith mbyuser 

 

 

 

 

 

 

Edited by mbyuser
Wadda you think - typos :)

Share this post


Link to post
Share on other sites

I just wanted to clarify that the detected entries had nothing to do with the HOSTS file because they don't, nor do they redirect or block anything in any way the way that the HOSTS file can/does; they simply tell Internet Explorer that the listed sites are to be placed into specific zones to use the specified settings for those zones.  While ADWCleaner does detect these entries, that does not in any way indicate that it is claiming that the program that created them is a PUP because these types of entries are not exclusive to those applications.  Those applications just happen to use this built in functionality provided by Microsoft for Internet Explorer as documented in the Microsoft article I linked to above (and nowhere in that article does it even mention Spywareblaster or Spybot Search & Destroy or any other third party program because just like the HOSTS file, the Zonemap/Domains registry keys are a built in function of the operating system itself, not a feature that is specific to any one program).

The reason that ADWCleaner detects these entries is only because if they were to indicate anything other than a data value of 4, Internet Explorer would treat them quite differently which could put the user in peril of having malware, PUPs, toolbars or any number of other dangerous or unwanted software onto the user's system, and because ADWCleaner is not looking at the value data, only checking for the existence of such sites in the Zonemap/Domains registry keys, they end up getting detected.  It is a bug in the engine of ADWCleaner that needs to be fixed so that it can differentiate between entries with a value data of 4 for the Restricted zone and say a value data of 2 for the Trusted zone.

As for your issues with HostsMan, I can only speculate that either the DNS Client service needs to be disabled and the DNS cache needs to be flushed, or else perhaps there is a conflict with your current DNS settings (I personally avoid such issues by having HostsMan set all entries in my HOSTS file to the null address of 0.0.0.0 rather than the frequent default loopback address of 127.0.0.1, particularly since I use an alternate DNS configuration that requires me to set my DNS address to 127.0.0.1; this has the added benefit of making site lookups that are blocked by my HOSTS file marginally faster since a null address lookup is faster than a loopback address lookup since Windows will not retry the failed connection on a lookup failure as it does by default with 127.0.0.1 entries).

Edited by exile360

Share this post


Link to post
Share on other sites

reading it over again and your reply I guess that's fair enough. 

its not like i payed cash for somthing that works well enough and no dout it will only get better

it's a useful tool to keep in the tool box tbh.

-

i had no idea the null addy had such benfits. Thanks. 

cheers for taking your free time to reply btw. Hopefully your day will be a good one 

 

 

 

 

 

 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.