malware?

Anderson2

I am running W 7 home Premium 64 bit and have the firewall enabled, use a router, have Avast, A2, etc. None show any problems.

But when perusing my registry file I find under EscDomains a whole list of sites that look like bad sites. I suspect these may be there to protect me from them but I am not sure if that is true or they mean I am infected with all these things.

Examples: kaaweb.it kacero.net karaweb.it

Suggestions for a second AV to use beside Avast (and Microsoft's own... I forget its name, with updates every two weeks or so)? I tried to install Kaspersky but it took forever and would not install correctly on my system. So I removed it.
 

All you really need is one real-time AV and one on-demand-only AV such as MalwareBytes. Have you tried deleting all your cookies through your web browser?
 

1. Run MBAM to see what's going on.
2. MSE is a free AV program that I use and updates daily.
Let us know if we can provide more help!

Slow typist here! Petey
 

These are the only entries I have under that key:

Capture.PNG

I would delete all other entries apart from those. Remember to log on as each user and repeat this operation.
 

Restore Microsoft's Hosts file with HostsXpert


Download the HostsXpert 4.3 - Hosts File Manager.
  • Unzip HostsXpert 4.3 - Hosts File Manager to a convenient folder such as C:\HostsXpert
  • Click HostsXpert.exe to Run HostsXpert 4.3 - Hosts File Manager from its new home
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Microsoft's Hosts file and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Now, go here and download a good Hosts file http://www.mvps.org/winhelp2002/hosts.htm
 

Cookies in both my main browser (Firefox) and IE which I use occasionally are all deleted.

I will download HostsXpert 4.3 and try it.

I am the only user on the system so with everyone else saying they do not have anything else under that registry key, I am now really worried. Also worried to just delete all this stuff from the registry. I suppose I would be safe if I backed the registry first.

For AV I have Avast running constantly and occasionally I run Malwarebytes. Neither find anything and yes I do update MB before running it. I also have run Spybot which found a couple of cookies but nothing anymore.

If I create a new hosts file I can always re-run Spybot to "immunize" it but I am worried about what else I need to add to it so as not to lose my internet connection. It was a real hassle getting that to work the first time around. Thanks everyone for helping.
 

Restore Microsoft's Hosts file with HostsXpert


Download the HostsXpert 4.3 - Hosts File Manager.
  • Unzip HostsXpert 4.3 - Hosts File Manager to a convenient folder such as C:\HostsXpert
  • Click HostsXpert.exe to Run HostsXpert 4.3 - Hosts File Manager from its new home
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Microsoft's Hosts file and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Now, go here and download a good Hosts file Blocking Unwanted Parasites with a Hosts File

Is this hosts file for W 7 64 bit or does it not matter? Where does it go?
 

1. Run MBAM to see what's going on.
2. MSE is a free AV program that I use and updates daily.
Let us know if we can provide more help!

Slow typist here! Petey

Ran Malwarebytes: nothing found
Ran Spybot: nothing found.

I could create a new hosts file but what about all these registry entries?

Anyone know what the EscDomains key is about? The name suggests its entries (a long list of bad and porn sites) may actually be there to bypass these domains or does it mean they are "trusted zones"?
 

Where is the active hosts file in W 7 64 bit?

If it is the one in C:\Windows\System32\drivers\etc\hosts
Then on my PC it has right at the top:

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 007guard.com - 007guard and Windows Vista
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com

and yet as the nslookup showed, 007Guard is still getting through!

Could that not be the right hosts file?
 

But what about the entries in the registry under EscDomains? From my internet searches about EscDomains it seems all these bad sites are exempted and are placed in the "safe internet". Should I really delete them from the registry or is there somewhere else in W 7 that I can go to tell W7 these are not safe and good sites?

Is there any connection between the hosts file and EscDomains?

I think the hosts file is being by-passed by the registry entries. When I run nslookup I get

C:\Users\JSM>nslookup 007guard.com
Server: UnKnown
Address: 192.168.1.1
Non-authoritative answer:
Name: 007guard.com
Addresses: 208.72.2.179
208.72.2.180
208.72.2.186
208.72.2.187
208.75.252.106
208.75.252.107
208.75.252.108
208.65.130.26
208.65.130.27
208.72.2.18
208.72.2.19
208.72.2.20
208.72.2.178
So even though 007Guard.com is the very first listing in the hosts file, things seem to be getting through and the hosts file is being bypassed somehow. That is why I am asking about those EscDomains listings.
 

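An added example, not part of any post in the thread: a small parser for the hosts file format quoted above that reports which address, if any, the file pins for a name and flags lines that do not parse cleanly. `nslookup` sends its query directly to the configured DNS server and does not read the hosts file, so the file itself (or a tool that goes through the system resolver, such as `ping`) is what shows whether an entry is in effect. The sample text is constructed from the lines quoted in the thread; `parse_hosts` and `hosts_override` are names chosen for this example.

```python
import ipaddress
import re

# Constructed sample modelled on the hosts file lines quoted in the thread.
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 007guard.com - 007guard and Windows Vista
127.0.0.1 007guard.com
127.0.0.1 008i.com   # trailing comment
not-an-ip 008k.com
"""

LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
NAME_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")

def parse_hosts(text):
    """Return (mapping, problems): name -> address, plus (line_no, reason) pairs."""
    mapping, problems = {}, []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        addr, *names = line.split()              # every token after the address is a name
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            problems.append((line_no, f"invalid address {addr!r}"))
            continue
        for name in names:
            key = name.lower()                   # host names are case-insensitive
            if not NAME_RE.fullmatch(key):
                problems.append((line_no, f"not a valid host name: {name!r}"))
            elif key in mapping:
                problems.append((line_no, f"duplicate entry for {key}"))
            else:
                mapping[key] = addr              # this example keeps the first entry seen
    return mapping, problems

def hosts_override(text, name):
    """Address the hosts file pins for name, or None if the file has no entry for it."""
    return parse_hosts(text)[0].get(name.lower().rstrip("."))
```

On a real system, pass in the contents of `C:\Windows\System32\drivers\etc\hosts` instead of the sample.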
OK, everything is solved! The porn and other sites listed under the registry's ZoneMap (EscDomains and Domains) are part of Spybot's protection system. It adds these to the registry as well as to the hosts file. So all is well (I think). As I said MBAM, Avast and others find nothing bad on my system.

Still worried about the nslookup results.
 

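An added example, not part of any post in the thread: one way to check which Internet Explorer security zone each ZoneMap entry assigns, instead of judging by the key name. ZoneMap stores each site as a subkey whose value data is a zone number (0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites). The code assumes the key was saved as text with `reg export`; the sample export is constructed, with `example.com` as a placeholder, and the function names are chosen for this example.

```python
import re

ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Constructed sample in `reg export` format; real exports are UTF-16,
# so read them with open(path, encoding="utf-16").
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\kaaweb.it]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\kacero.net]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com\www]
"https"=dword:00000002
'''

KEY_RE = re.compile(r"^\[.*\\ZoneMap\\(EscDomains|Domains)\\(.+)\]$", re.I)
VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def zone_assignments(reg_text):
    """Return rows of (list_name, site, protocol, zone_name) from a ZoneMap export."""
    rows, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            # Domains\example.com\www describes the host www.example.com
            parts = key.group(2).split("\\")
            current = (key.group(1), ".".join(reversed(parts)))
        elif line.startswith("["):
            current = None                       # some other registry key
        else:
            val = VAL_RE.match(line)
            if val and current:
                zone = int(val.group(2), 16)
                rows.append((*current, val.group(1), ZONES.get(zone, f"unknown ({zone})")))
    return rows

def not_restricted(reg_text):
    """Entries that place a site in any zone other than Restricted sites."""
    return [row for row in zone_assignments(reg_text) if row[3] != "Restricted sites"]
```

Entries returned by `not_restricted` are the ones worth reviewing by hand; a block list written by an immunization tool should produce none.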