Member Avatar for ClassAustralia

Howdie from the land down under! I have been sent crazy-er by the ever persistent Surf Accuracy and had tried everything under the sun. It did not exist in add/remove programs, AdAware did nothing, two different high end anti-virus programs failed and SpyBot would identify and "fix" it but rescan and presto there it was... :evil: And nothing unusual appeared in HJT!! :sad: I did a bit of research and then ran SpyBot again, this time clicking the box to identify what it was fixing. What I found was that something had written in a registry file that loaded the thing from the web location. So here was my fixit that did the trick for me. I welcome comments and please, check the pathing on your Spybot to make sure its the same.

Go to "Run"...type in "Regedit" and open. Here is the path to this little nasty that I found...

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Internet Settings\ZoneMap\Domains\contentmatch.net\ny\https!=W=4

Carefully follow the path in the reg edit to the folder for contentmatch.net and delete that folder.

Close out regedit. I then followed up CCleaner and ran my Avast! virus program just before rebooting and then checked again with SpyBot. The little buggar is gone.....dead......history..... :cheesy: :cheesy: :cheesy:

Hope this works for you and that the big boys here have a look to make sure this won't be a bit much for some users.

Thanks for being here!!

  • 2 Contributors
  • 2 Replies
  • 141 Views
  • 8 Hours Discussion Span
  • Latest Post Latest Post by ClassAustralia
Member Avatar for DMR

What I found was that something had written in a registry file that loaded the thing from the web location.

Not quite, but you're on the right track.
The Registry entry you posted doesn't actually tell Windows or IE to load any file(s) from the malicious website, but it does make it possible for IE to communicate with the website, which is obviously a Bad Thing. To be technical about it, the presence of the "contentmatch" site in the Domains key is a modification made by the infection; it is not an actively malicious component of the infection, nor does is point to/execute such a component.

https!=W=4
The (horribly boring) breakdown of that cryptic code from SpyBot is:

https is the secure http protocol.
W=4 means that the default registry DWORD value of the https protocol for the domain in question is 4.
4 identifies the Restricted Sites Zone in the Internet Options control panel's Security tab.
!= is coding/scripting notation for "not equal to".

Human translation: "Yo, Bro'- I found a malicious site which should be listed in your Restricted Sites Zone, but it ain't!"

For a mind-bogglingly boring exposition on the whole ZoneMap/Domains thing, have a read of this Microsoft article (note: make sure you have a pretty good-sized dose of psychotropic drugs at hand; you'll need them....)

Member Avatar for ClassAustralia

Thanks for that and the explanation of why it worked. Maybe I will put on a Jimi Hendrix CD and divest myself of the recommended psychotropics then have a look at the link....or just do the first part and skip the link! Thanks as always for your help and support. CA

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.