ColdlyIndifferent

AdwCleaner Minor Spybot Issue


I've used an old version of Spybot for years as a low level additional protection as it has a very small profile/low resource use and doesn't interfere with anything very much.

I've run scans with AdwCleaner in the past and it has never had a problem but at some point, I think fairly recently, it has been reporting the following on my PC:-

PUP.Optional.Legacy             HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com
PUP.Optional.Legacy             HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com
PUP.Optional.Legacy             HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com
PUP.Optional.Legacy             HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com
PUP.Optional.Legacy             HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com
PUP.Optional.Legacy             HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com

First time it happened, like a good boy, I allowed AdwCleaner to clean and restart. All gone, all good............but a couple of weeks later I ran the scan again and they're all back. This kept on happening and then I eventually noticed something - every time after I'd used AdwCleaner and then later updated Spybot definitions and applied what it calls browser immunisation it showed 6 items as unprotected.

It took some time to click even then but when it did and I did a bit of research I found "Zonemap" is used by browsers, IE in particular, as the designated registry location for restricted and trusted web sites. Spybot adds its own definitions to this list and those six items AdwCleaner is deleting as PUPs are apparently from Zonemap's list of restricted domains.

Identifying what is trusted and what is restricted from the Zonemap lists is not clear (anyone here know?) but the registry entries for the IE trusted sites are slightly different from the bulk of the others I've looked at. I am pretty sure those six are restricted domains.

It would appear AdwCleaner is actually removing protection from my system by deleting these entries.

Obviously I can add them to an exclusion list from now on but I thought it worth mentioning this matter here now I've discovered what they are and why they keep reappearing. The restricted domains shown in Zonemap are very numerous, there are hundreds of them covering everything dodgy from gambling web sites to HC porn so the question that also has to be asked is why are only those six considered PUPs?

 

 


***This is an automated reply***

Hi,

Thanks for posting in the AdwCleaner Help forum.

Someone will reply shortly, but in the meantime here are a few resources which may help resolve your issue:

Thanks in advance for your patience.

-The Malwarebytes Forum Team


Greetings,

This is a known issue with ADWCleaner and Spybot.  For the Zonemap\Domains keys if the value data is 4 then it is restricted which is what Spybot should be classifying them as; unfortunately it seems ADWCleaner is simply looking for the presence of those domains in the Zonemap\Domains keys without verifying the actual zone they are classified as based on the value data and this is the issue causing these false positives in ADWCleaner.  You can find further details about this issue as well as a link to Microsoft's documentation on the security zones for IE in the registry in this post.

I hope this helps, and if there is anything else we might assist you with please let us know.

Thanks
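
The value-data check described in the reply above, as an added example that is not part of the original posts and is not AdwCleaner's or Spybot's code. It assumes the ZoneMap\Domains branch has been exported from regedit and decoded to text; the function names and the `watchlisted.example` entry are hypothetical, and the sample export is constructed.

```python
import re

# IE security-zone numbers stored as the DWORD value data (per Microsoft's docs).
ZONES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
MARKER = "\\zonemap\\domains\\"
KEY_RE = re.compile(r"^\[([^\]]+)\]$")
DWORD_RE = re.compile(r'^"([^"]*)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample in .reg export layout; watchlisted.example is a placeholder.
SAMPLE = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\dospop.com]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\watchlisted.example\www]
"https"=dword:00000002
"""

def parse_zonemap(reg_text):
    """Yield (domain, protocol, zone) for every DWORD under a ZoneMap Domains key."""
    domain = None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            idx = path.lower().find(MARKER)
            # Subkeys below a domain are subdomains: Domains\example.com\www
            domain = (".".join(reversed(path[idx + len(MARKER):].split("\\")))
                      if idx != -1 else None)
            continue
        val = DWORD_RE.match(line)
        if val and domain:
            yield domain, val.group(1), int(val.group(2), 16)

def classify(reg_text, watchlist):
    """Return (blocked, review): watchlisted entries in zone 4 vs. any other zone."""
    blocked, review = [], []
    for domain, proto, zone in parse_zonemap(reg_text):
        if any(domain == w or domain.endswith("." + w) for w in watchlist):
            entry = (domain, proto, ZONES.get(zone, "unknown"))
            (blocked if zone == 4 else review).append(entry)
    return blocked, review

if __name__ == "__main__":
    print(classify(SAMPLE, ["dospop.com", "incredibar.com", "watchlisted.example"]))
```

Entries in the first list are mapped to the Restricted sites zone and are protective; only the second list would merit a closer look.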


Thanks for the reply/information.

I guessed the registry key value 4 meant the domain was one of those on the restricted list, useful to have that confirmed.


As a follow up to this, although unnecessary as those Adwcleaner designated "threats" reappear every time Spybot definitions are updated, I decided to add them to the exclusions list.

The problem I'm having now is that despite the paths being (laboriously) individually copied direct from the Adwcleaner scan log and added to the Exclusions list those exclusions are being ignored and with each new scan they are being reported again. I've checked and the exclusions are all there and exactly the same paths so why are those locations still being reported?

Annoyingly I discovered you can't just add them in the default mode either you have to launch Adwcleaner in admin mode (right click > Properties > Compatibility > and tick: always run as administrator) for the Add Exclusions button and other options to become available. Also I'm not sure what, for the particular files listed in my original post, I should be using as the Exclusion Type. 'Family' being set as default I don't understand -  I just wanted those very particular paths excluded but whatever I use it seems it is being ignored.

I'm probably writing them in the wrong way or something like that so if someone can explain it would be appreciated.


You shouldn't have to deliberately launch it as admin or change the compatibility settings for it, at least as long as UAC is set to defaults for your system (if it isn't then you may run into problems as ADWCleaner, Malwarebytes 3 and all of Malwarebytes current software, like most modern apps, are fully UAC compatible and compliant, so disabling or modifying UAC from defaults may impact how the tools run).

With regards to the detections, I suspect that adding them manually can't work because it's the value data being detected, not the key itself and I don't think there is a way to add value data to exclusions manually so your best bet would be to right-click on the detected entries (it's easiest to right-click on the parent category 'PUP.Optional.Legacy') at the end of a scan and select Add to Exclusions so that they will be excluded going forward.  That should prevent them from being detected again in the future.  I just tested and was successful in doing so on my own system.


I discovered what the 'problem' was - not the UAC settings.

If you do an Adwcleaner scan then immediately go to Settings > Exclusions to add the exclusions before doing anything else, i.e. Skip or Clean, the buttons are disabled. I made the assumption this was because I was not being allowed to add the exclusions as I did not have the correct permissions. Changing the compatibility setting to run as admin seemed to confirm that.

But what I was actually doing was just relaunching Adwcleaner and that was all that is necessary to get the Exclusions buttons to function. Adwcleaner simply disables those Exclusions options after a scan, presumably for security reasons so no settings changes can be made before the notified threat from a scan has been addressed one way or the other.

Anyway that is sorted now and the advice to add the exclusions directly via the right mouse click context menu, which I had not thought to try, does work and scans now report 'No Problems'. I guess you were correct about it being a value data issue not the key itself. Good call.

But is it not a bit strange that you can add exclusions via the context menu immediately after a scan but not do the same via the Settings > Exclusion screen?

 

 

 


It probably has something to do with driver states and the config files.  Mid-scan or even on the scan results screen, they don't want the user to be able to change anything since it could conflict with what is going on with the scan process.  For example, if you've detected something during a scan and immediately exclude it manually, there's no way to tell the driver to honor the exclusions since exclusions in Malwarebytes work by having excluded items not be displayed in the list of detections for subsequent scans, which would mean that the detected items would end up getting removed if you left the checkboxes checked for those items at the end of the scan and proceeded with the remediation process even though those items might now be in exclusions from adding them during the scan or while on the scan results screen.  It's similar to how Malwarebytes won't let you restore something from quarantine when a reboot is pending for DOR (Delete on Reboot) because the net result would be the item getting permanently deleted without a backup copy existing in quarantine (since the item is deleted from quarantine once it is restored, and DOR deletes the items detected from the previous scan from disk on system restart without any quarantine process since it has to assume that the item has already been quarantined and the driver and DOR script don't actually have access to copy anything to quarantine the way the main EXE and service do).

Basically it's a convoluted way of saying that you're right, you can't modify settings during a scan or while the action at the end of a scan is still pending :) 

Anyway, I'm glad I could help and if there is anything else we might assist you with please let us know.

Thanks
