Hi everyone,
a few days ago I ran an ipconfig and noticed I had a DNS prefix: utopia.net. After a few more scans, I noticed that all my traffic was redirected through that site.
I tried running Malwarebytes, but it wouldn't open. After running adwcleaner, I could run it, but it didn't find anything.
ipconfig still reported that utopia.net redirection was still there.
I scanned the registry and manually deleted all entries containing this name, I edited the DNS registry entry to point to my DNS and locked the entry to prevent it from being modified. I did a flushdns and ipconfig reported that the redirection was finally gone.
I added rules in my firewall to prevent any access to the site or any of the IPs I found associated to it.
Now, after a week or so, I find again that this DNS prefix has come back! Again I ran MB, but it doesn't find anything.
I'm not cleaning the registry by hand again, as it proved to be only a temporary solution.

I'm attaching FRST's and mbam's reports.

Thank you!

MB Report.txt Shortcut.txt Addition.txt FRST.txt


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Read this article https://www.ghacks.net/2019/05/07/about-baidu-search-update-in-firefox/ and decide if you want to keep this FF extension.
FF Extension: (Baidu Search Update) - C:\Users\Magnus\AppData\Roaming\Mozilla\Firefox\Profiles\84npj74y.default-1556802080427\features\{85f94525-8731-436b-b5ff-94e100e70748}\baidu-code-update@mozillaonline.com.xpi [2019-05-04]
===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

Reset Firefox

Firefox:
Reset Firefox, Default Browsing settings:
https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings
===

Syncing issue

If the problem persists and you are syncing Firefox with other devices, reset it.
https://support.mozilla.org/en-US/kb/how-do-i-set-sync-my-computer

When all is well you can re-sync your devices.
<<<>>>

Please post the Fixlog.txt and let me know what problem persists.

fixlist.txt


Hello Nasdaq (love the name, btw),

Thank you for your welcome. I've found this forum very useful in the past, it was about time to subscribe.
I did as you said. I'm attaching the fixlog.

ipconfig reports that my DNS still points to utopia.net:


[screenshot]

 

Fixlog.txt


Hi,

Let's reset the DNS.

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

How is it now?

fixlist.txt


I'm attaching the fixlog.
After rebooting I ran an ipconfig and saw the dns suffix is still there, so I manually ran the command netsh int ip reset to see if there was any error being thrown there, but everything came out ok:
[screenshot]

but as I said, the dns remains.

What baffles me is that under network config's settings, the suffix is not there:
[screenshot]

I wait for further instructions.

Fixlog.txt


Hi,

Let's see what we can find in the Registry.

Run the Farbar program .exe as an Administrator.

In the Search text area, copy and paste the following:
Utopia.net
Once done, click on the Search Registry button and wait for FRST to finish the search.
On completion, a log will open in Notepad. Copy and paste its content in your next reply.
====

If not found then the router may be compromised.

Reset your router only if nothing is found in the registry.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred setting. Below is the list of default usernames and passwords, in case you don't know them ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

====
How to tell if my Wireless is secure.
http://www.ehow.com/how_6775466_tell-wireless-secure_.html
 


Hi Nasdaq,

the search has given the following result:
 

Quote

Farbar Recovery Scan Tool (x64) Version: 08-05.2019
Ran by Magnus (10-05-2019 16:32:22)
Running from D:\Users\Magnus\Downloads
Boot Mode: Normal

================== Search Registry: "utopia.net" ===========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\utopia.net]

====== End of Search ======

However, a manual search in the registry found keys under other folders, such as:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{F34C2D7F-6779-41D9-9E36-CFC08F197867}\Connection
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\Parameters\Isatap\{F34C2D7F-6779-41D9-9E36-CFC08F197867}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters  <--- This one worries me in particular
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{F075BC00-F85F-4F3A-A1ED-9AC7D1209B75}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\iphlpsvc\Parameters\Isatap\{F34C2D7F-6779-41D9-9E36-CFC08F197867}

And others...
I'm currently writing a bat script to export all results to a txt file.

Don't worry about the router credentials, I have them.


I'm attaching the results from the script scan.
The results regarding the firewall are the rules I made to block the IPs I found were associated to utopia.net.
 

output.txt


Hi,

Delete the registry key and reset these registry values.

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

fixlist.txt


Well, it seems we have a stubborn one here.
It's still there. I ran FRST again and found these matches:
 

Quote

Farbar Recovery Scan Tool (x64) Version: 11-05.2019
Ran by Magnus (11-05-2019 16:58:33)
Running from D:\Users\Magnus\Downloads
Boot Mode: Normal

================== Search Registry: "utopia.net" ===========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\utopia.net]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{382134B9-F233-4FC8-BAB2-7389BF7EF009}\Connection]
"Name"="isatap.utopia.net"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{382134B9-F233-4FC8-BAB2-7389BF7EF009}]
"InterfaceName"="isatap.utopia.net"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters]
"DhcpDomain"="utopia.net"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{F075BC00-F85F-4F3A-A1ED-9AC7D1209B75}]
"DhcpDomain"="utopia.net"

====== End of Search ======

 

Fixlog.txt


Hi,

Let's try this way.

Copy all the text IN THE QUOTE BOX below to notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files". Once you have saved it, right-click the .reg file and allow it to merge with the registry.


Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\utopia.net]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{382134B9-F233-4FC8-BAB2-7389BF7EF009}\Connection]
"Name"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{382134B9-F233-4FC8-BAB2-7389BF7EF009}]
"InterfaceName"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters]
"DhcpDomain"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{F075BC00-F85F-4F3A-A1ED-9AC7D1209B75}]
"DhcpDomain"=-

Restart the computer when completed.

You can delete the fixme.reg file when done.


Any luck?


Sorry for the delay, I had a hectic week.
I tried the script, but it says this:
[screenshot]

I tried doing as the error states, and importing from within regedit, but it says:

[screenshot]

I also tried running the script from a command prompt with administrator privileges, but I got the first error.
The same three things were tried in safe mode with no luck.

I think there might be a typo somewhere in the script, but I can't find it.


Well, I'm a fool. It wasn't until I went to check my regedit version that I realised I wasn't copying the first line of the script, as I thought it was but a title.

So, I finally ran the script and rebooted the computer and, guess what? utopia.net is still there.

[screenshot]


Hi,

Please run the fixme.reg one more time.
When completed, restart the computer normally.

====

If the problem persists, execute this search again.
Let's see what I may have forgotten.

Run the Farbar program .exe as an Administrator.

In the Search text area, copy and paste the following:
Utopia.net
Once done, click on the Search Registry button and wait for FRST to finish the search.
On completion, a log will open in Notepad. Copy and paste its content in your next reply.
====


Hi, I ran the fixme.reg, rebooted and ran Farbar with the parameters you told me, and this is the result:

Quote

 

Farbar Recovery Scan Tool (x64) Version: 18-05.2019
Ran by Magnus (18-05-2019 11:39:55)
Running from D:\Users\Magnus\Downloads
Boot Mode: Normal

================== Search Registry: "Utopia.net" ===========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\utopia.net]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{D8798B70-12C0-4196-BEAA-3D3F03588A06}\Connection]
"Name"="isatap.utopia.net"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{D8798B70-12C0-4196-BEAA-3D3F03588A06}]
"InterfaceName"="isatap.utopia.net"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters]
"DhcpDomain"="utopia.net"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{F075BC00-F85F-4F3A-A1ED-9AC7D1209B75}]
"DhcpDomain"="utopia.net"

====== End of Search ======

 

Needless to say, the redirection is still there.
I've been going back and forth through all the services and processes and I can't figure out which one it is that's rewriting the registry.

I ran the following script:

Quote

 

@echo off
rem Search every registry root for "utopia.net" and append the matches to one file.
set "output=D:\Users\Magnus\Desktop\output.txt"

reg query HKCR /s /f utopia.net >>"%output%"
reg query HKCU /s /f utopia.net >>"%output%"
reg query HKLM /s /f utopia.net >>"%output%"
reg query HKU /s /f utopia.net >>"%output%"
reg query HKCC /s /f utopia.net >>"%output%"

 

And got this output:

Quote

End of search: 0 match(es) found.

End of search: 0 match(es) found.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\utopia.net

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{D8798B70-12C0-4196-BEAA-3D3F03588A06}\Connection
    Name    REG_SZ    isatap.utopia.net

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\Parameters\Isatap\{D8798B70-12C0-4196-BEAA-3D3F03588A06}
    InterfaceName    REG_SZ    isatap.utopia.net

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters
    DhcpDomain    REG_SZ    utopia.net

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{F075BC00-F85F-4F3A-A1ED-9AC7D1209B75}
    DhcpDomain    REG_SZ    utopia.net

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Tcpip\Parameters
    DhcpDomain    REG_SZ    utopia.net

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Tcpip\Parameters\Interfaces\{F075BC00-F85F-4F3A-A1ED-9AC7D1209B75}
    DhcpDomain    REG_SZ    utopia.net

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{D8798B70-12C0-4196-BEAA-3D3F03588A06}\Connection
    Name    REG_SZ    isatap.utopia.net

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{D8798B70-12C0-4196-BEAA-3D3F03588A06}
    InterfaceName    REG_SZ    isatap.utopia.net

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters
    DhcpDomain    REG_SZ    utopia.net

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{F075BC00-F85F-4F3A-A1ED-9AC7D1209B75}
    DhcpDomain    REG_SZ    utopia.net

End of search: 11 match(es) found.

End of search: 0 match(es) found.

End of search: 0 match(es) found.

 

I don't know why I keep getting different outputs than from FRST, but well... there they are.
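
Added example (not part of any post in this thread): a Python parser for the `reg query` output quoted in the post above that groups each hit by where Windows obtains the value, counting a location once across `CurrentControlSet` (a link to one of the numbered sets) and the `ControlSetNNN` copies. The function names and origin labels are this example's own; `DhcpDomain` is the value the DHCP client stores from the lease handed out by the network's DHCP server, while `Domain`, `NV Domain`, `NameServer` and `SearchList` are the statically configured settings under the same key.

```python
import re
from collections import defaultdict

# The `reg query` hits quoted in the post above (blank lines dropped).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\utopia.net
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{D8798B70-12C0-4196-BEAA-3D3F03588A06}\Connection
    Name    REG_SZ    isatap.utopia.net
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\Parameters\Isatap\{D8798B70-12C0-4196-BEAA-3D3F03588A06}
    InterfaceName    REG_SZ    isatap.utopia.net
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters
    DhcpDomain    REG_SZ    utopia.net
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{F075BC00-F85F-4F3A-A1ED-9AC7D1209B75}
    DhcpDomain    REG_SZ    utopia.net
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Tcpip\Parameters
    DhcpDomain    REG_SZ    utopia.net
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Tcpip\Parameters\Interfaces\{F075BC00-F85F-4F3A-A1ED-9AC7D1209B75}
    DhcpDomain    REG_SZ    utopia.net
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{D8798B70-12C0-4196-BEAA-3D3F03588A06}\Connection
    Name    REG_SZ    isatap.utopia.net
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{D8798B70-12C0-4196-BEAA-3D3F03588A06}
    InterfaceName    REG_SZ    isatap.utopia.net
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters
    DhcpDomain    REG_SZ    utopia.net
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{F075BC00-F85F-4F3A-A1ED-9AC7D1209B75}
    DhcpDomain    REG_SZ    utopia.net
End of search: 11 match(es) found.
"""

KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\")
VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*)$")
CONTROL_SET_RE = re.compile(r"\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\", re.I)
# Statically configured DNS settings under Tcpip\Parameters (set by a user, policy or program).
STATIC_NAMES = {"domain", "nv domain", "nameserver", "searchlist"}

def parse_hits(text):
    """Return (key, value_name, data); value_name is None when the key name itself matched."""
    hits, key, has_value = [], None, False
    for line in text.splitlines():
        if KEY_RE.match(line):
            if key and not has_value:
                hits.append((key, None, None))
            key, has_value = line.strip(), False
        elif key and (m := VALUE_RE.match(line)):
            hits.append((key, m.group(1), m.group(3).strip()))
            has_value = True
    if key and not has_value:
        hits.append((key, None, None))
    return hits

def origin(key, name, data):
    """Say where Windows takes the value from (labels are this example's own)."""
    if name is None:
        return "nla-cache" if "\\Nla\\Cache\\" in key else "key-name"
    if name.lower().startswith("dhcp"):
        return "dhcp-lease"      # stored by the DHCP client from the lease it was given
    if data.lower().startswith("isatap."):
        return "adapter-name"    # ISATAP adapter named after the connection's DNS suffix
    if name.lower() in STATIC_NAMES:
        return "static-config"   # would survive a change of network
    return "other"

def summarise(text):
    """Group hits by origin, counting each location once across control sets."""
    groups = defaultdict(set)
    for key, name, data in parse_hits(text):
        location = CONTROL_SET_RE.sub(lambda m: "\\SYSTEM\\<ControlSet>\\", key)
        groups[origin(key, name, data)].add((location, name))
    return dict(groups)

if __name__ == "__main__":
    for label, locations in sorted(summarise(SAMPLE).items()):
        print(label, len(locations))
```

On the quoted output the 11 matches reduce to 5 distinct locations: two lease-derived `DhcpDomain` values, two ISATAP adapter names and one NLA cache key, with no statically configured setting among them.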
 


Hi,

I do not know why your search found more entries than the Farbar Search.
I will have to investigate with the Owner of the program.

===

I have included all the entries you found in this fix.
Notice that the Registry Keys are not the same.

Copy all the text IN THE QUOTE BOX below to notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files". Once you have saved it, right-click the .reg file and allow it to merge with the registry.
 

Quote

 

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\utopia.net]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{382134B9-F233-4FC8-BAB2-7389BF7EF009}\Connection]
"Name"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{382134B9-F233-4FC8-BAB2-7389BF7EF009}]
"InterfaceName"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters]
"DhcpDomain"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{F075BC00-F85F-4F3A-A1ED-9AC7D1209B75}]
"DhcpDomain"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{D8798B70-12C0-4196-BEAA-3D3F03588A06}\Connection]
"Name"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\Parameters\Isatap\{D8798B70-12C0-4196-BEAA-3D3F03588A06}]
"InterfaceName"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters]
"DhcpDomain"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{F075BC00-F85F-4F3A-A1ED-9AC7D1209B75}]
"DhcpDomain"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Tcpip\Parameters]
"DhcpDomain"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Tcpip\Parameters\Interfaces\{F075BC00-F85F-4F3A-A1ED-9AC7D1209B75}]
"DhcpDomain"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{D8798B70-12C0-4196-BEAA-3D3F03588A06}\Connection]
"Name"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{D8798B70-12C0-4196-BEAA-3D3F03588A06}]
"InterfaceName"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters]
"DhcpDomain"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{F075BC00-F85F-4F3A-A1ED-9AC7D1209B75}]
"DhcpDomain"=-

 

Restart the computer when completed.

You can delete the fixme.reg file when done.

How is it now?

p.s.
Just to make sure, run Regedit.exe as an Administrator.


Hi,

I added the registry values as you indicated, and sure thing, the suffix was gone, but as soon as I rebooted, it was back.

Using Microsoft's Process Monitor, I found out that there's some service running that's requesting the modification of the values back:

[screenshots]

 

What's even more interesting is that this service keeps requesting the writing of utopia.net values into the registry periodically, every ten minutes or so, which means it's not something that just runs at startup, but a resident service that's continuously running. These are just a few examples; the filter output is filled with these entries. I can make a text output if you wish to inspect it further.
Also, I've been inspecting which services svchost is running, but although there are several network-related ones, I haven't seen any particularly suspicious one.

I await further instructions.
 


Ok, playing a bit more with the process monitor, I found out that a service with PID 1304 is the one writing to the registry, and PID 1312 keeps sending and requesting network packages from utopia.net:

[screenshot]

I don't know if there's much we can do with this information, but I thought it could be useful.
Also, I want to point out that PID 1312 is trying to communicate with utopia.net despite the suffix not being there, as there are requests before and after running the fixme.reg.


Well, I found out two things related to this:
1.- When I stop SSDPSRV, the network traffic to and from utopia.net stops.
2.- When I stop dnscache, after two or three minutes, it restarts and svchost writes the previous registry values under the PID 1304.

Besides that, I couldn't arrive at many conclusions, since I started getting network connections to utopia under other PIDs I didn't have before. I'll try to make more controlled and methodical tests tomorrow.


Now that lit a bulb!
Reading the description of SSDPSRV I noticed that at the same time that I started having network connection speed problems and overall laggy behaviour in my computer (which led me to the initial ipconfig that made me discover utopia.net), my mapped network drives were not automatically reconnecting when starting the computer and I had to do it by hand.
This leads me to believe that either this malware infected or replaced one or more dll files related to the Discovery Protocol Service.
Now... I don't know how to fix this other than replacing these dlls from a clean operating system, or reinstalling the whole system from scratch. I'm not really confident about replacing the dlls, as whatever infected them might still be (and probably is) in the system, and the replacement won't fix anything for more than five seconds.
To be honest, I thought of that solution (format and clean install) on day three, but I think that if we find a way to actually fix this infection, we might be able to help lots of other people that are infected, and solve a problem that's been around since 2011.
I'm going to investigate further down this path and keep you updated. So far, only disabling the service, running the fixme and rebooting didn't fix it.
 



Hi,

Let's see what these tools will report.

Read carefully and follow these steps.
TDSS

  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.
  • Then click on Start Scan.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.

  • If an infected file is detected, the default action will be Cure, click on Continue.

  • Important: Do NOT change the default action on your own unless instructed by a malware Helper! Doing so may render your computer unbootable.

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.

  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


===

--RogueKiller--

  • Download RogueKiller and SAVE it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report.
  • Click the Export TXT button.
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED.
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.


=======


Hi,

Well nothing suspicious there.

Let's clean the ZoneMaps.

Launch Notepad, and copy/paste all the blue instructions below to it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

Windows Registry Editor Version 5.00
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]

Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Optional if the following programs are in your computer.
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.

Restart the computer normally.

Let me know if the problem persists.

==
 


Hi,
unfortunately, the problem persists.
I tried doing as you said, and also tried running both fixes before rebooting, but it always comes back. What's even worse, it comes back even before rebooting if I take more than a few seconds to reboot.
This makes me think that there's a process running that puts the registry entries back in place, so modifying the registry won't solve the issue if we can't kill that process first.

This topic is now closed to further replies.
