False positive detection after immunization with Spybot S&D


Recommended Posts

I have noticed that whenever I use the Spybot Search & Destroy immunization tool, AdwCleaner detects the registry entries in the attached log file as PUPs.

I'm not sure of the actual usefulness of these items, but I'm sure they are entries created by Spybot S&D because if I run the immunization check again after removing or quarantining these entries, the immunization status comes back incomplete.

After several detections and being sure that these entries are somehow related to the use of Spybot S&D's immunization tool, I considered adding these entries to the exclusion rules.

AdwCleaner[S11].txt


  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the AdwCleaner Help forum.
In order to help us assist you to resolve your issue, please post or attach your latest AdwCleaner log files with your post. https://support.malwarebytes.com/hc/en-us/articles/360039021593

Someone will reply shortly, but in the meantime here are a few resources which may help resolve your issue:

Thanks in advance for your patience.

-The Malwarebytes Forum Team


Welcome.

Go to the Internet Options in your computer, and under Security, check the sites added as Trusted Sites. If any of these appear, you should remove them. They are considered Browser Hijackers. I have no idea why Spybot Immunization is adding these to the Trusted Sites settings.


On 1/22/2023 at 10:03 PM, JSntgRvr said:

Welcome.

Go to the Internet Options in your computer, and under Security, check the sites added as Trusted Sites. If any of these appear, you should remove them. They are considered Browser Hijackers. I have no idea why Spybot Immunization is adding these to the Trusted Sites settings.

Neither of the domains appears among the trusted sites. I tried to ask for explanations on the Spybot forum as well, but I still haven't received a response at the moment.


3 hours ago, tashi said:

I just saw now the responses on the Spybot forum. What is sure is that the domains have not been added among the trusted sites, so the false positive report remains plausible.


For a domain to be included in the restricted zone, it should read as follows:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\malwarebytes.com]
"*"=dword:00000004

Perhaps AdwCleaner is not reading the value. If that is the case, then it is a bug that should be attended to.


19 hours ago, JSntgRvr said:

For a domain to be included in the restricted zone, it should read as follows:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\malwarebytes.com]
"*"=dword:00000004

Perhaps AdwCleaner is not reading the value. If that is the case, then it is a bug that should be attended to.

I think the problem might occur because the dword value is present, but in underlying paths:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\dospop.com]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\dospop.com\google]
"*"=dword:00000004

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\dospop.com\www.google]
"*"=dword:00000004

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com\mystart]
"*"=dword:00000004

Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\dospop.com]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\dospop.com\google]
"*"=dword:00000004

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\dospop.com\www.google]
"*"=dword:00000004

Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com\mystart]
"*"=dword:00000004

Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\dospop.com]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\dospop.com\google]
"*"=dword:00000004

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\dospop.com\www.google]
"*"=dword:00000004

Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com\mystart]
"*"=dword:00000004

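As an added example (not code from this thread, from Spybot or from AdwCleaner), the following Python parses a .reg export of the ZoneMap\Domains keys, as quoted in the two posts above, and shows why a checker that reads only the domain key would miss the zone: the dword sits on the subdomain key while the parent key is empty. The sample text is constructed from the entries quoted above; the zone number to name mapping (2 = Trusted sites, 4 = Restricted sites) is the standard Internet Explorer / WinINet one.

```python
import re

# Well-known ZoneMap zone numbers (Internet Explorer / WinINet security zones).
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed sample: the HKCU entries quoted in the thread above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\dospop.com]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\dospop.com\google]
"*"=dword:00000004
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com\mystart]
"*"=dword:00000004
"""

KEY_RE = re.compile(r"^\[(?P<hive>[^\\\]]+)\\(?P<path>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<data>[0-9a-fA-F]{8})$')
DOMAINS_MARKER = "\\zonemap\\domains\\"  # matched case-insensitively below

def parse_zonemap(reg_text):
    """Return {(hive, host): {scheme: zone}} for every ZoneMap Domains key.
    Values ("*" = all schemes) may sit on a Domains\\<domain>\\<subdomain>
    key while the parent domain key stays empty, as in the thread."""
    entries, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            path = key.group("path")
            idx = path.lower().find(DOMAINS_MARKER)
            current = None
            if idx != -1:  # only ZoneMap\Domains keys are of interest
                parts = path[idx + len(DOMAINS_MARKER):].split("\\")
                current = (key.group("hive"), ".".join(reversed(parts)))
                entries.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            entries[current][val.group("name")] = int(val.group("data"), 16)
    return entries

def zone_report(entries):
    """(host, scheme, zone name) for each key that actually carries a zone."""
    return sorted((host, scheme, ZONE_NAMES.get(zone, f"zone {zone}"))
                  for (_, host), values in entries.items()
                  for scheme, zone in values.items())

def empty_domain_keys(entries):
    """Domain keys with no zone value of their own (only their subkeys have one)."""
    return sorted(host for (_, host), values in entries.items() if not values)
```

Running it over a `reg export` of the ZoneMap\Domains key lets you compare what AdwCleaner flagged with the zone each host is actually assigned, so a Restricted-sites entry is not mistaken for a Trusted-sites one.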
