[bloomcounty]

Click Start > Run > type regedit > OK

The registry editor will open. By clicking the plusses navigate to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\139mm.com

In the right hand panel you should now see something like the attachment.

Mine is Dutch so translated your first line should say (Default)  (No value)

But the second line is the important one.
that should be the same.

Okay, right now, BEFORE I unblock in MS Antispyware, it is already like how you're saying it should be. But you still want me to choose to unblock it in MS Antispyare, correct? So this is kind of a test to see what happens by unblocking it? Just want to verify...

And, before I do that, can you answer the #2 question above? What exactly am I presently blocking in MS Antispyare? If I do "unblock" it, and then it doesn't show up as it should in regedit, how can I block it again? Will I be able to check it in MS Antispyware to block it again? Or will that option disappear?

I just want to make sure of all this before I "unblock" it -- thanks very much for the help!

-- bloomcounty

[Advertisements]

The problem is that we can't see what you blocked.

So unblocking it is an experiment to see what happens.
If it happens again MSAS should prompt you as a warning.

Then you can thoroughly read what it asks of you and if you are unsure ask us.

Regards,

[Metallica]

The problem is that we can't see what you blocked.

So unblocking it is an experiment to see what happens.
If it happens again MSAS should prompt you as a warning.

Then you can thoroughly read what it asks of you and if you are unsure ask us.

Regards,

[bloomcounty]

The problem is that we can't see what you blocked.

I remember what it said -- it said, do you want to allow the IE trusted site 139mm.com?
I chose to "not allow".

This is the log currently in MS Antispyware that shows the details of this action:

Internet Explorer Trusted Site: Trusted Site 139mm.com

Disabled date: 6/10/2005 3:39:35 PM

Details: Internet Explorer Trusted Site deactivated

Registry Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\139mm.com\www decativated on

Registry Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\139mm.com\www * = 4 decativated on

Registry Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\139mm.com decativated on

...that's cut/pasted right from MS Anti-spyware, under Real-time Protection --> Blocked Events. It's the only one I have listed.

Doesn't that tell exactly what I blocked?

Sorry if I'm misunderstanding -- thanks for your patience!

(I'll wait to do the test until after I hear back -- thanks!)

-- bloomcounty

[Metallica]

Well I find that alarrm very confusing since it says:

Registry Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\139mm.com\www * = 4 decativated on

If that means it stopped that site from being added to Zone 4 (Restricted Sites) then that is not what we want.

Regards,

[bloomcounty]

Well I find that alarrm very confusing since it says:

Registry Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\139mm.com\www * = 4 decativated on

If that means it stopped that site from being added to Zone 4 (Restricted Sites) then that is not what we want.

Okay, well I went ahead and "unblocked" the event and restarted my computer. Everything stayed exactly the same. The site was not added to the Trusted Sites in IE. Both www.139mm.com and *.139mm.com are listed in IE on the Restricted Sites list. And when I checked the registry with regedit, and select the 139mm.com folder, as well as the two subfolders, *. and www, it looks like what you show at this link:

http://www.geekstogo...pe=post&id=1553

...so it made no difference! So I should be good to go as I am now? (There's no option in MS Antispyware to block that again -- once I unblocked it, the listing was gone.) Or is there somewhere else it could have been referencing for the values it listed for supposedly blocking that site?

Let me know -- thanks again!

-- bloomcounty

[Metallica]

You should be good to go.

It only shows that it is very good practice to read those prompts untill you understand what they mean.
You are in no rush. Windows puts the program asking for the change "on hold" untill you have made up your mind.

I will however make a suggestion to the beta team of MSAS to create something a bit more understandable in the logs.

There should be a clear "value before" and "value after" and preferably a "process asking for the change"

I'll keep on dreaming

Regards,

[bloomcounty]

Thanks for the help... But before you go, 3 things:

1. I'm looking through the MS Antispyware settings and under Real-Time Protection --> Application Agents, I chose Manage Allowed/Blocked IE Trusted Sites. There are no sites listed for "Allowed Trusted Sites" and there's only one for "Blocked Trusted Sites: 139mm.com

Huh? I guess it's not bad that that's there, but why would it be if I unblocked that other thing?

2a. Under Manage Allowed/Blocked IE Urls, there are none listed for blocked (which doesn't make sense to me if in IE itself, there's that long list of blocked sites, including *.139mm.com, in the Security menu settings), and for allowed urls, these are listed:

C:\WINDOWS\system32\blank.htm
http://ie.search.msn...st/srchcust.htm
http://www.google.com
http://www.microsoft...=ie&ar=iesearch
http://www.microsoft...er=6&ar=msnhome
res://mshtml.dll/blank.htm
res://mhstml.dll/repost.htm
res://mhstml.dll/navcancl.htm
res://shdoclc.dll/offcancl.htm

Are these okay?

2b.I removed about:blank from the list (I think I had inadvertantly added that when I was keeping IE home page at about:blank until I starting seeing about:blank listed in hijack type problems). So it's good/okay to have about:blank removed from this list, right?

3. On my machine at home (Windows 98SE -- no MS antispyware, Spybot currently uninstalled while investigating this 139mm.com stuff), I STUPIDLY went to the www.139mm.com in Firefox by clicking the link in a post and opening it in a new tab because someone said that Firefox blocked it. However, mine didn't block it (probably because I had spybot unintalled), and the name of the site changed from www.139mm.com to ???.139mm.com (or something like that) in the tab at the top and my hard drive starting running non-stop superfast. So I immediately closed the tab before I visually saw anything load in the browser window for the site. Could it have put something on my computer? This has got me worried.

Thanks so much!

-- bloomcounty

Edited by bloomcounty, 14 June 2005 - 01:37 PM.

[Metallica]

1. Like I said. It's a beta and they are still working on it. It should mean that an attempt was made and blocked, but no guarantees froim me on that one.

2a. Allowed URL's and blocked sites are completely different things.
Very briefly explained:
- Allowed URL's are sites that can be allowed to be preset on your system as your homepage or searchpage.
- Trusted sites are sites that can run little programs on your system without notifyingh you about it. (Like for example the site of your bank)

2.b about:blank is a abused startpage. As long as it is actually a blank page there is nothing wrong with it as your startpage. When it is filled with content by some hijacker it's the bad news people complain about and post their logs.

3. The time that FireFox and Opera were not targeted by malicious sites are behind us and don't let anyone tell you different.
You should do a thorough check on that computer to see if nothing snuck in.

Regards,

[bloomcounty]

3. The time that FireFox and Opera were not targeted by malicious sites are behind us and don't let anyone tell you different.
You should do a thorough check on that computer to see if nothing snuck in.

What do you suggest? A friend (who is more knowledgable than I) said he was going to come over and install whatever the top/popular free AV and firewall software (since I only have an old Norton AV scanner that does not monitor on its own and no firewall). I only have dial-up so am not connected non-stop (nor do I spend hours and hours no the internet).

Anything specific I should investigate on my computer?

-- bloomcounty

[bloomcounty]

So I just read on another forum where someone posted that it is, "in fact", a false positive with the MS Antivirus detecting 139mm.com from SpyBot's immunization as being a "safe site"...

Of course, I wish I knew that before I actually went to that site on my home computer... In the end, I could have just left everything well enough alone! Curses!

Well, hopefully my computer isn't messed up at home. Thanks again for your help. And if you have any suggestions, that'd be great.

-- bloomcounty

Edited by bloomcounty, 14 June 2005 - 02:38 PM.

[Metallica]

I had a look at the code on that site. As long as you didn't click on anything you should be fine.

Run a Google search for something common and check if the searchresults were not tampered with.

Regards,

[bloomcounty]

I had a look at the code on that site. As long as you didn't click on anything you should be fine.

The site didn't even come up in the browser (probably because I have a slow dial-up connection) before I closed it. But my hard drive did start running a mile a minute non-stop for a few seconds (until I closed the window). What would cause my hard drive to do that?

Out of curiosity, what is on that site from clicking the links?

Run a Google search for something common and check if the searchresults were not tampered with.

Meaning, just go to google in Firefox, search for "Abraham Lincoln", and then just look at the search results that come up on the google page? What kind of thing would I find if there's a problem? Like sex sites being listed instead or something?

Thanks!

-- bloomcounty

[Metallica]

The hard drive spinning would mean something is being downloaded. As you may have notioced that site is pretty big, so it doesn't mean any programs where downloaded.

I'd rather not comment on what you can find there.

The search results would be manipulated according to the wishes of the people paying the hijackers. Normally p0rn, online casino's etc.

Regards,

[bloomcounty]

The hard drive spinning would mean something is being downloaded. As you may have notioced that site is pretty big, so it doesn't mean any programs where downloaded.

I'd rather not comment on what you can find there.

The search results would be manipulated according to the wishes of the people paying the hijackers. Normally p0rn, online casino's etc.

The Google test comes up fine. So if I've cleaned out my cache and whatever AV freeware my friend installs this weekend comes up clean, I should be okay?

Something else I've noticed is that when I open my Outlook Express, the hard drive runs for a really long time (and if I close it, it stops running). It would always do that when my wife's "identity" was up, but not mine -- though now it's started doing it for my "identity" as well. Any idea what that could be, if anything?

Thanks!

-- bloomcounty

[Metallica]

Hard to tell. If it connects automatically, it could be pre-fetching mail.
Or it could be rearranging files, because your drive is heavily fragmented.

Regards,