Alec
Fri Aug 29 22:18:14 PDT 2008
Scott wrote (in news:ORomdYjCJHA.2496@TK2MSFTNGP04.phx.gbl):
> What are the possible consequences of manually removing the following type
> of registry key:
>
> hkey_local_machine \software\microsoft\windows\currentversion\internet
> settings\zonemap\domains\ (website)
That key is good, don't delete it. SpyBot and SpywareBlaster regularly add
things to it to protect you from those bad websites. Of course if you don't go
to them, then there's no problem, but even if you don't go on purpose, you never
know when a rogue hyperlink or script redirect will send you to one. It's just
like the HOSTS file. SpyBot adds entries to that as well to block bad sites.
As Martha Stewart would say, it's a good thing.
> If my understanding is correct, the values of this key will set the
> security/privacy settings of the IE browser for the specified website. For
> the case of malware, the malware would create this key and set the security
> level to "Trusted" for the website. It would then direct the browser to the
> website and run more malicious code from that site.
SpyBot and its ilk check to see if any of the keys they know are set to trusted
and set them back to blocked.
> Using REGEDIT, I looked to see how many keys I had of this type and found a
> huge amount. I estimate about 500. None of the websites are those that I
> visit regularly, or maybe never visited at all. A lot of them seem to have
> foreign domains. I want to get rid of them. It seems like the registry saves
> everything.
Yup, some security app added them to protect you. Unfortunately a lot of the bad
sites are indeed foreign (to North America). McAfee recently released a list of
the most dangerous places on the web and foreign domains dominated.
http://www.mcafee.com/us/about/press/corporate/2008/20080604_181010_g.html
> There is also the potential embarrassment factor. A worst case scenario is
> that a computer savvy girlfriend inspects my registry and demands to know why
> I have a key from moscowwhores.com. I don't remember ever visiting this site
> and it's not really the way I roll.
What's embarrassing about Moscow Whores? :D A computer savvy girlfriend who
inspects your registry would be savvy enough to know about security software,
and would be a heck of a catch. ;)
I just checked moscowwhores.com and was blocked by Spybot; it didn't even give
the option to allow, only deny was enabled. (I've always wondered what the
block-pages-in-IE option of Spybot is, but I'd never seen it in action before.
Now, I finally know what it does. Thanks!)
> These keys have two parameters: REG_SZ (value not set) and REG_DWORD =
> 0x00000004 (4)
> Can anyone tell me what these values mean?
The string is not actually a value, that's just part of every registry key and
unless it's specifically set, it means nothing. The * value determines IE's
security setting for that domain. You can view a list of domains the "safe way"
by going to IE->Tools->Options->Security->Restricted Sites->Sites.
> What could go wrong if I engage in mass deletement of these type of keys.
You won't be protected. It's like uninstalling your anti-virus/firewall/etc.;
chances are that nothing will happen, but chances are you will get infected.
--
Alec S.
news/alec->synetech/cjb/net
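
An added example, not part of the post above: a Python sketch that reads the text of a regedit export of the ZoneMap\Domains key, counts entries per IE security zone, and lists any mapped to Trusted Sites (zone 2), the case raised in the quoted question. The sample export and its domain names are constructed; the zone numbers are IE's standard URL zone IDs.

```python
import re
from collections import Counter

# IE URL security zone IDs as stored in ZoneMap DWORD values.
ZONES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

KEY_RE = re.compile(r"^\[HKEY_[^\]]*\\ZoneMap\\Domains\\([^\]]+)\]$", re.I)
VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_zonemap(reg_text):
    """Yield (site, protocol, zone_number) from .reg export text."""
    site = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            # Subdomains are subkeys: Domains\<domain>\<subdomain>.
            site = ".".join(reversed(m.group(1).split("\\"))) if m else None
        elif site:
            v = VAL_RE.match(line)
            if v:  # value name is a protocol, or "*" for all protocols
                yield site, v.group(1), int(v.group(2), 16)

def audit(reg_text):
    """Return (entry count per zone name, entries mapped to Trusted Sites)."""
    entries = list(parse_zonemap(reg_text))
    counts = Counter(ZONES.get(z, "Unknown (%d)" % z) for _, _, z in entries)
    trusted = [(s, p) for s, p, z in entries if z == 2]
    return counts, trusted

# Constructed sample; a real export file is UTF-16 and must be decoded first.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blocked-one.example]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blocked-two.example\www]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unexpected.example]
"http"=dword:00000002
"""

if __name__ == "__main__":
    counts, trusted = audit(SAMPLE)
    print(dict(counts))
    print("Mapped to Trusted Sites, review these:", trusted)
```

Entries with value 4 are the blocklist additions described in the reply; an entry with value 2 that nobody remembers adding is the one worth investigating before any cleanup.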