[bloomcounty]

Keith, on Jun 11 2005, 02:52 PM, said:

I have Spybot 1.4 on a 98SE and it did not show this during installation

I think you're misunderstanding me. Nothing showed up on my 98SE machine either on installation. It showed up on the XP machine at work when the MS Antispyware caught the change. So on my 98SE machine, I tried adding the site www.139mm.com to the "Restricted Sites" list in IE (even though I use Firefox), and it wouldn't let me because it said it was listed elsewhere and had to be removed from there first. But when I looked at the list of "Allowed Sites" in IE, there were no sites listed. So someone that site is allowed, but I can't see where that's at. Doesn't seem right...

Go to your IE, go under Security Options and try adding the site typed as follows:

www.139mm.com

...to your "Restricted Sites" list. If you have SpyBot 1.4 installed, it probably won't let you do this. Then check your "Allowed Sites" list and see if that site is there. It probably isn't...

Thoughts?

Thanks,

bloomcounty

[bloomcounty]

Well, I scanned through the entire list of "Restricted Sites" in IE and it looks like www.139mm.com *IS* now listed as restricted. Go figure. So is *.139mm.com. Not sure what's going on... But I guess I'm "blocked" from it!

-- bloomcounty

[bloomcounty]

Keith -- I hope you're still monitoring this thread!

UPDATE:

I was incorrect above. Here's the deal:

I thought that the 139mm site was added to the restricted list after all in IE, but only a *version* of it. On the IE safelist are the following:

www.139mm.com
*.139mm.com

...BUT, *not* 139mm.com on it's own. THAT is the thing that IE will not let you add to the restricted sites list because it says it's already listed somewhere else (i.e. the "allowed sites" list) -- however, it's NOT on the allowed sites list! It's because there's a registry value that has been added to mark it as safe that you can't see when you immunize with SpyBot 1.4.

So if you have immunized with SpyBot 1.4, can you go to your IE and try to add 139mm.com (Typed just like that) to the restricted sites list? I bet it won't let you...

On the XP machine at work (which I'm on now), the MS Anti-spyware caught it and I "blocked" it. Here's the entry:

Internet Explorer Trusted Site: Trusted Site 139mm.com

Disabled date: 6/10/2005 3:39:35 PM

Details: Internet Explorer Trusted Site deactivated

Registry Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\139mm.com\www decativated on

Registry Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\139mm.com\www * = 4 decativated on

Registry Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\139mm.com decativated on

So something weird is going on with that after all! (You could probably check your Windows 98 machine for those entries to verify...)

Now, I have the option to "permanently remove" the "Internet Explorer Trusted Site deactivated" -- or "unblock it" (which I'd think would then make it so it's no longer blocked). So will "permanently remove" remove those registry entries associated with 139mm.com shown above or just pemanently remove the block?

Also, since I don't have MS Anti-spyware at home, I can't do any of that, but I bet the registy values are on my home computer too (since I can't add 139mm.com to my restricted sites list in IE). So how can I go into the registry and find those entries above at home on my Windows 98 machine and remove them? And is it safe to do so?

However, I did try going to www.139mm.com in Firefox because someone said it would get blocked (I know, dumb of me!), and what happened was it showed the name in the tab at the top, then it changed to something like ???.139mm.com (or something like that), then it sounded like my hard drive starting running a lot for some reason, so I quickly shut the window before I saw anything visually load in the window. So is it possible that something bad got on my computer from there now (even though my HijackThis log is clear)? This has got me really worried.

Any further help would be greatly apprecaited -- thanks so much!

-- bloomcounty

[Retired Tech]

Rename them first, so you have something to undo

[bloomcounty]

Keith, on Jun 13 2005, 10:43 AM, said:

Rename them first, so you have something to undo

I don't know what you mean... Are you referring to the registry entries? Rename them where? I don't know how to go into the registry...

Thanks!

[Retired Tech]

Click start then run then type regedit then press enter to get this



Click the plus next to each word in the list, and guess what I found,



it really does look as though these are the blocked sites and should be left there

If you click the key then right click you can rename or remove

[bloomcounty]

Okay, I did what you showed me, but it doesn't look exactly the same on this XP machine. I don't know how to do the screen capture thing, so I'll describe it:

The first line is exactly the same as yours. But there is a second line that reads:

Reg_DWORD 0x00000004 (4)

(This is the case if I click on any of the sites listed...)

So what does that mean?

Also, then what's the deal with the MS Anti-spyware listings I listed above and the registry entries it shows. What is it blocking? Here is is again with notes:

Internet Explorer Trusted Site: Trusted Site 139mm.com
Me: Why does it say "trusted site"?

Disabled date: 6/10/2005 3:39:35 PM

Details: Internet Explorer Trusted Site deactivated
Me: Doesn't this mean that it was attempted to be added as a "Trusted Site" (which is what popped up when I immunized with SpyBot 1.4) and I blocked it from being added? Or did I "block the block" so now it's considered safe? It does say trusted site, so what's that about?

Registry Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\139mm.com\www decativated on

Registry Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\139mm.com\www * = 4 decativated on

Registry Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\139mm.com decativated on

Me: So what are these keys? It looks to be the three listed when you go to the regedit thing, I guess (the main folder for 139mm.com, then the two sub folders www.139mm.com and *.139mm.com). But is this saying that it was allowed but has been blocked, or that it was blocked and now I am allowing it? I don't understand.

Thanks!

[Retired Tech]

If they can stay where they are for a while, I need to ask about this, I'm sure they are being blocked, but I will try to get you the definitive answer later

[bloomcounty]

Keith, on Jun 13 2005, 11:35 AM, said:

If they can stay where they are for a while, I need to ask about this, I'm sure they are being blocked, but I will try to get you the definitive answer later

Sounds great -- thanks!

But what are you referring to as being blocked? Is the site 139mm.com being considered safe by IE and I'm blocking that action? Or is the site unsafe, and I'm saying it's okay?

And why would that pop up for that site only when I immunized with SpyBot 1.4? (I've since unintalled SpyBot).

It seems that site is on my IE restricted sites list. You can't add "139mm.com" I guess because it considers it taken care of with the www.139mm.com and the *.139mm.com. To see what I mean, go to your IE restricted sites list and try to add this exactly: 139mm.com

...it won't let you. But if you try to do the same for another site it has listed with the www or the *. (say, crazycats.com) it won't let you either. It's the same for all of them. So I guess that's not a case of 139mm.com be listed as safe somewhere, just that it's already taken care of. Does that seem right?

But I'm also still concerned about having gone to that site and my hard drive running non-stop for a few seconds before I closed the window. Could something bad have gotten on my computer?

Thanks for the help!

-- bloomcounty

[Metallica]

I haven't read the entire thread, but I wish to throw in some comments:

In *.139mm.com the asterisk is a wildcard, so everything ending with .139mm.com will end up in the same zone unless specified otherwise elsewhere.

The value 4 means that the site is in the "Restricted Zone"

HTH,

Pieter

[Retired Tech]

Thank you very much

[bloomcounty]

Metallica, on Jun 13 2005, 12:17 PM, said:

I haven't read the entire thread, but I wish to throw in some comments:

In *.139mm.com the asterisk is a wildcard, so everything ending with .139mm.com will end up in the same zone unless specified otherwise elsewhere.

The value 4 means that the site is in the "Restricted Zone"

Thanks for the info! But I'm still confused... what exactly have I done in MS Anti-spyware? To me, it seemed like it was saying 139mm.com is a trused IE site and did I want to allow it, which I said "No" and thus it was blocked. Or is that not what happened? Am I blocking it *from* being blocked?
-----------------------
Internet Explorer Trusted Site: Trusted Site 139mm.com

Disabled date: 6/10/2005 3:39:35 PM

Details: Internet Explorer Trusted Site deactivated
-----------------------

What does this mean?

And what should I do with this now in MS anti-spyware. Right now, it's listed like this:

6/10/2005 3:39:35 PM Internet Explorer Trusted Site Internet Explorer Trusted Site deactivated

...and I can check it and have the option to either "Permanently remove all checked items" or "Unblock all checked items"

Let me know what you think -- thanks for the help!

-- bloomcounty

[Metallica]

"Unblock all checked items."

Then check if the value is still 4 as it should be.

Regards,

[bloomcounty]

Metallica, on Jun 13 2005, 12:56 PM, said:

"Unblock all checked items."

Then check if the value is still 4 as it should be.

1. Where would I check if the value is still 4? The registry values I listed are from the MS antispyare:

Registry Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\139mm.com\www decativated on

Registry Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\139mm.com\www * = 4 decativated on

Registry Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\139mm.com decativated on

...so I don't know where I'd go look to find those. When I looked in the registry as instructed, it looked like this image:

http://www.geekstogo.com/forum/index.php?a...pe=post&id=1541

but with a second line showing this:

Reg_DWORD 0x00000004 (4)

2. If I'm unblocking it, then that means I have allowed it? If that's true, then why does the MS Antispyware list it as an IE Trusted Site?

Thanks!

-- bloomcounty

[Metallica]

Click Start > Run > type regedit > OK

The registry editor will open. By clicking the plusses navigate to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\139mm.com

In the right hand panel you should now see something like the attachment.

Mine is Dutch so translated your first line should say (Default) (No value)

But the second line is the important one.
that should be the same.

Attached thumbnail(s)

•