Purity8

Spybot S&D + AdwCleaner clashing?

I'm a long time user of Spybot S&D.

I've discovered that Adware Cleaner is detecting registry entries inserted by Spybot S&D's immunization feature. Adware Cleaner detects 6 registry keys (2 main ones) as PUP.Optional.Legacy.

At first glance, I thought it was weird that everything has been running normally; all scans come out clean.

And then I do my regular routine of updates. From Windows Updates to all programs (thanks UCheck), followed by all scanners.

My scan sequence: Spybot S&D Update, Immunization & scan (Geez that thing takes a really long time) > SpywareBlaster Update > RogueKiller scan > AdwCleaner scan.

I decided to do a search: "What is incredibar.com" and "What is dospop.com"?

Upon searching the second one, I found Spybot's site about false positives; which is exactly the same results from AdwCleaner.

And guess what? That same link above redirects back to this forum Incredibar which dates almost exactly a year ago.

***This is an automated reply***

Hi,

Thanks for posting in the AdwCleaner Help forum.
In order to help us assist you to resolve your issue, please post or attach your latest AdwCleaner log files with your post. https://support.malwarebytes.com/hc/en-us/articles/360039021593

Someone will reply shortly, but in the meantime here are a few resources which may help resolve your issue:

Thanks in advance for your patience.

-The Malwarebytes Forum Team

Based on all the previous information, the registry entries that were added by Spybot S&D should no longer be detected by AdwCleaner.

Can you please direct me to a member of the moderator team? I haven't been able to find any of these members. My problem was previously solved by @AdvancedSetup. He had asked me to PM one of the mods to re-open my topic, but I haven't been able to find one let alone contact one.

I don't want to double post.

43 minutes ago, Purity8 said:

the registry entries that were added by Spybot S&D should no longer be detected by AdwCleaner.

This is the correct topic to deal with AdwCleaner detecting those entries.

It is managed by a different team, since this is more a false-positive report than it is malware removal.

Please post the requested logs so action can be determined by the AdwCleaner team.


Okay.

# -------------------------------
# Malwarebytes AdwCleaner 8.0.4.0
# -------------------------------
# Build:    04-03-2020
# Database: 2020-04-08.2 (Cloud)
# Support:  https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start:    04-11-2020
# Duration: 00:01:20
# OS:       Windows 10 Enterprise
# Scanned:  31802
# Detected: 6


***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Optional.Legacy             HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com
PUP.Optional.Legacy             HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com
PUP.Optional.Legacy             HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com
PUP.Optional.Legacy             HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com
PUP.Optional.Legacy             HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com
PUP.Optional.Legacy             HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Hosts File Entries ] *****

No malicious hosts file entries found.

***** [ Preinstalled Software ] *****

No Preinstalled Software found.


AdwCleaner[S00].txt - [1331 octets] - [29/11/2019 22:43:54]
AdwCleaner[C00].txt - [1519 octets] - [29/11/2019 22:44:21]
AdwCleaner[S01].txt - [2479 octets] - [16/01/2020 12:40:35]
AdwCleaner[C01].txt - [2445 octets] - [16/01/2020 12:43:23]
AdwCleaner[S02].txt - [1575 octets] - [18/01/2020 22:03:03]
AdwCleaner[C02].txt - [1763 octets] - [18/01/2020 22:03:39]
AdwCleaner[S03].txt - [1697 octets] - [18/01/2020 22:19:06]
AdwCleaner_Debug.log - [195143 octets] - [18/01/2020 22:25:51]
AdwCleaner[S04].txt - [2657 octets] - [27/02/2020 12:59:26]
AdwCleaner[C04].txt - [2755 octets] - [27/02/2020 13:03:34]
AdwCleaner[S05].txt - [2024 octets] - [08/03/2020 12:49:46]
AdwCleaner[S06].txt - [2841 octets] - [19/03/2020 10:14:39]
AdwCleaner[C06].txt - [2938 octets] - [19/03/2020 10:15:23]
AdwCleaner[S07].txt - [2207 octets] - [19/03/2020 10:20:25]
AdwCleaner[S08].txt - [2268 octets] - [19/03/2020 10:21:57]
AdwCleaner[S09].txt - [2329 octets] - [19/03/2020 17:35:59]
AdwCleaner[S10].txt - [3146 octets] - [21/03/2020 15:55:47]
AdwCleaner[C10].txt - [3243 octets] - [21/03/2020 16:51:40]
AdwCleaner[S11].txt - [2513 octets] - [21/03/2020 18:12:26]
AdwCleaner[S12].txt - [2574 octets] - [22/03/2020 19:29:31]
AdwCleaner[S13].txt - [2635 octets] - [24/03/2020 12:49:59]
AdwCleaner[S14].txt - [2696 octets] - [24/03/2020 13:19:14]
AdwCleaner[S15].txt - [3675 octets] - [29/03/2020 21:32:34]
AdwCleaner[S16].txt - [3392 octets] - [29/03/2020 22:29:41]
AdwCleaner[C16].txt - [3467 octets] - [29/03/2020 22:30:19]
AdwCleaner[S17].txt - [3696 octets] - [11/04/2020 11:53:30]
AdwCleaner[S18].txt - [3757 octets] - [11/04/2020 14:20:16]
AdwCleaner[S19].txt - [3552 octets] - [11/04/2020 14:21:50]
AdwCleaner[S20].txt - [3218 octets] - [11/04/2020 14:23:08]
AdwCleaner[S21].txt - [3184 octets] - [11/04/2020 21:12:47]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S22].txt ##########


Yep, those look like entries created by Spybot, assuming that the value data for those entries is 4 which would mean they are categorized in the restricted zone (I believe a failure to differentiate between the various possible numerical values/value data for these entries is why these detections keep occurring, because if they were for example categorized with a value data of 2 they would be in the trusted zone which would definitely be bad and should be detected by ADWCleaner, however if they are only looking for the existence of those keys under the Zonemap/Domains keys without reading the actual numerical value data for their classifications then this type of FP will continue to occur).


I can safely add them to Exclusion list right?

That's what the previous user did as well.


Yes, though I'd recommend confirming that their value data is 4 in the registry first were it me, just to be certain.


I can confirm all 6 registry keys have the value 4. Phew, took me some time to browse through it all.


Yeah, rooting through all those reg keys can be tedious (especially given the number of entries typically added by Spybot).

Just FYI, you can add more unwanted sites to the restricted list if you use a tool called Spywareblaster.  It's an older app much like Spybot and has been around for a long time and it also blocks cookies from many malicious sites and trackers (to protect your privacy; a far superior tactic to deleting them after the fact), just be aware that most of the protection offered by these functions only applies to Internet Explorer (though they do have some blacklists for Firefox as well, though they do not add any protection to Chrome).  They blacklist sites by adding them to the restricted sites list which doesn't actually block the sites, but it does disable most in-browser functions that could be exploited by malware and other threats such as running ActiveX controls, active scripting, automatic downloads and other functions that could be leveraged to try and attack or infect the system through the browser.  It's a pretty old method of blacklisting sites and isn't as effective as outright blocking them (such as the Web Protection function in Malwarebytes or through the HOSTS file, though Spybot does also add sites to the HOSTS file for blocking with its immunize function; Spywareblaster does not, it only uses the registry).

That's just some added info for you in case you were not aware.  I've studied and used those and many other security tools for many years so I'm quite familiar with most of their functions.  Unfortunately more modern operating systems and web browsers are a somewhat double-edged sword as they are typically inherently more secure through enhanced security features which have been created and added over time, however many of the older functions that were once useful for locking web browsers down do not work in more modern operating systems and web browsers (like Chrome and other Chromium based browsers).  Windows 10 can also be very finicky when it comes to using a HOSTS file for blocking sites (I've personally found that if too many entries are created in the HOSTS file it brings all web browsers to their knees, likely due to a problem with the newer version of DNS caching used in Windows 10; a similar issue exists in earlier Windows versions, however it can easily be alleviated by stopping and disabling the DNS Client service (a service which isn't actually required anyway; it's used for caching, something that isn't nearly as useful as it once was back when internet connections were much slower before the more widespread use of faster broadband connections, where now loading a site fresh on a reasonably fast connection is actually quicker than loading it from the cache in the browser or the DNS address lookup through the DNS caching function).  Unfortunately, disabling the DNS Client service does not appear to correct the issue on Windows 10 (and the behavior of the issue is actually different on 10 compared to how it manifests itself on older Windows versions).

Edited by exile360


Yeah, I use blaster as well.

That's interesting to note, I'll keep in mind, thanks.


You're welcome :)

I just wanted you to be aware that there could be potential pitfalls and gaps in protection with these tools, especially on Windows 10 and using Chrome just in case you didn't know (as well as for the benefit of anyone else who might come across this thread).

Anyway, I will report the repeated FP to the ADWCleaner team, and hopefully they will be able to address it once and for all this time (I suspect their engine/database is only targeting the presence of these sites in the Zonemap/Domains registry keys rather than specifically looking at whether or not they are in the trusted or restricted list (the value data/number representing the specific security zone as mentioned previously) and while I doubt they can address the issue in the current engine/database (it likely requires additional logic to first look for the presence of the site, then to verify that it is set to anything other than zone 4 (the restricted zone) prior to registering a detection for it), they should be able to add such additional logic in a future release.  I'm certain that it can be done, however I don't know how difficult it will be to do so since it basically requires adding a sort of IF/THEN logic to the rules/signatures (something easily accomplished via a batch script for example, but not necessarily so simple working through a custom scan engine like ADWCleaner).

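An added example to illustrate the two detection rules discussed in this thread (this is not code from the thread, from Spybot or from AdwCleaner): it parses ZoneMap\Domains keys out of a .reg export and compares a presence-only rule, which reproduces the false positive on zone-4 entries, with the zone-aware rule that only flags a domain placed in some zone other than Restricted. The .reg text, the watchlist and the domain example-bad.test are constructed for the example.

```python
import re

# Constructed .reg export (not captured from a real system): the two domains
# from the AdwCleaner log in the restricted zone (4), plus a constructed
# domain that has been placed in the trusted zone (2) for the http scheme.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\dospop.com]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example-bad.test]
"http"=dword:00000002
"""

# Internet Explorer security zone numbers as stored in ZoneMap value data.
ZONE_NAMES = {0: "local machine", 1: "intranet", 2: "trusted", 3: "internet", 4: "restricted"}
# Constructed watchlist standing in for the scanner's signature list.
WATCHLIST = {"dospop.com", "incredibar.com", "example-bad.test"}

def parse_zonemap(reg_text):
    """Return {(key_path, domain): {scheme: zone}} for direct ZoneMap\Domains keys.
    Sub-domain keys (Domains\example.com\www) are deliberately not matched here."""
    entries, current = {}, None
    for line in reg_text.splitlines():
        m = re.match(r"^\[(.*\\ZoneMap\\Domains\\([^\\\]]+))\]$", line, re.IGNORECASE)
        if m:
            current = (m.group(1), m.group(2).lower())
            entries[current] = {}
            continue
        v = re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if v and current is not None:
            entries[current][v.group(1)] = int(v.group(2), 16)
    return entries

def presence_only_rule(entries):
    """Flags every watchlisted domain regardless of zone: this is the FP behaviour."""
    return sorted(d for (_, d) in entries if d in WATCHLIST)

def zone_aware_rule(entries):
    """Flags a watchlisted domain only if some scheme maps it to a zone other than 4."""
    hits = []
    for (_, domain), schemes in entries.items():
        if domain not in WATCHLIST:
            continue
        bad = {s: z for s, z in schemes.items() if z != 4}
        if bad:
            hits.append((domain, {s: ZONE_NAMES.get(z, z) for s, z in bad.items()}))
    return sorted(hits)
```

Run against SAMPLE_REG, the presence-only rule reports all three domains while the zone-aware rule reports only example-bad.test, the one that would actually weaken browser security.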

Yeah, I did use Chrome for awhile (before FireFox Quantum was released and was much slower) and I also saw Blaster didn't include Chrome in the list, so it was a huge security risk.

If AdwCleaner was coded with C/C++, perhaps an if/else or do-while may work, but I have no idea what language it uses.

I agree 100% with you in hoping it'll be fixed once and for all in the near future as I'm positive there will be more users like me that use S&D (-/+ Blaster).


I have no idea what code it uses or how that code translates into the syntax for the signatures used by the scan engine itself, but hopefully it won't be too complex of an issue for them to address.  In the meantime, if you need to exclude the entries so that they are no longer detected you should be able to right-click on it in the scan results and select the option to ignore/exclude them that way they will no longer be detected while awaiting a permanent solution.


You're welcome, I'm glad I could help, and I hope that they do get this FP corrected in-engine soon.


Just as a side note. I am not a fan of using the Registry for that type of blocking. Though this documentation is a bit old I'm sure very similar limits continue to exist for Windows 10.

https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-storage-space

https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-element-size-limits

There are many other references than just the links above.
Today with the use of Ad and Script blockers it is so much more efficient than filling the Registry with this type of data.

You can review the following topic for better solutions in helping to protect your system  Tips to help protect from infection

Edited by AdvancedSetup
updated information


Yeah, I haven't used these tools for quite some time personally, primarily because I pretty much exclusively use SRWare Iron (based on Chromium) as my primary browser and also use Firefox a fair bit, there isn't nearly as much to gain/lockdown by using such tools for those browsers so I rely more on browser add-ons/extensions like Malwarebytes Browser Guard and uBlock Origin along with my HOSTS file.  I haven't personally experienced any problems due to large data sets in the registry, however I also see little point in maintaining a massive restricted sites list or cookie block list in the registry when I can just as easily outright block all those sites completely via my HOSTS file and other web filtering/blocking tools/databases, meaning I don't have to worry about the sites executing any kinds of code on my system or storing any data (cookies included) on my system since any connection to those sites is flat out blocked at the entry point.
