How to fix HijackThis issues - they keep showing up after a deletion?

  theDarkness 22:59 25 Apr 13

I have had a couple of issues pop up within HijackThis.

O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)


O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)

I cannot fix or remove them, they just reappear in the next scan. This is surely a major issue if all http connections are being treated as if they were non public. I am on Windows 7, using Avast with Online Armor and Malwarebytes. I have scanned the system with RogueKiller, TDSSKiller, AdwCleaner. I also tried Ad-Aware.

No issues, aside from 3 wallpaper jpgs, supposedly trojan detected by Ad-Aware as infected 'trojan.win32.trojaniframe (v)' files - possible false positives or not a major issue. I do not believe these files are related to the protocol issue, as they are old wallpapers I have used on XP in the past, and the protocol issue did not show up in HijackThis.

After a google, one forum suggests to delete the registry entries at 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults', but in 7, 'ProtocolDefaults' is missing. I know HijackThis is an old program, but if there are no compatibility issues with 7, it is surely still a problem that needs fixed. Any ideas on how to permanently change these protocols back to default? Is it situated elsewhere in the registry? Thanks for any info.

  theDarkness 03:09 26 Apr 13

Update - I think I may have answered my own question. As HijackThis is an old program and the 'ProtocolDefaults' registry location does not exist in Windows 7, HijackThis may simply be thinking that it's in the wrong zone by default, as it expects it to always exist.

If anyone knows another program I can use to double check whether the http and https protocols are in the Internet zone and not My Computer, that would be of great help. Thanks.

  Secret-Squirrel 08:43 26 Apr 13

"I cannot fix or remove them, they just reappear in the next scan."

As far as I know, you first need to launch HijackThis by right-clicking its executable and choosing "Run as Administrator". If you don't do it that way then HJT can't make any changes to the Windows Registry.

"'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults', but in 7, 'ProtocolDefaults' is missing."

That key is present on my Windows 7 PC, and because HJT can see it, it's probably on yours too.

A Google search tells me that you probably shouldn't have those two Registry keys so have another go at running HJT. Make sure you create a Windows System Restore point first just in case.

  theDarkness 15:23 26 Apr 13

I forgot to mention that I have run HijackThis as admin right from the start, as if I didn't then it would not complete a scan, it would stop with a 'denied access to the hosts file' message.

Jock1e - thanks for the link, I added my issue there in case anyone decides to reply, but I haven't read any similar issues on there.

SecretSquirrel - 'ProtocolDefaults' is definitely not present at that one location on my version of 7. With 'it's on yours too', I'm assuming you think it's present and hidden as a result of the HijackThis results message, but I think HijackThis may just be out of date, and if the values are definitely not present, it assumes they are in the wrong zone just because of that. If ProtocolDefaults shows in 7 for you at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults, can you show me a printscreen of what your settings are? I believe they should be set to 3 for http and https, the internet zone.

These are mine. As you can see, there is no ProtocolDefaults section within ZoneMap at this location, so I cannot show any protocol content. This may or may not be why HijackThis believes I have an issue, as every other location that does have ProtocolDefaults shows it is set to 3, the internet zone. I could add ProtocolDefaults to ZoneMap as a test, but then editing the registry in this way without knowing the consequences may not be a good idea based on the questionable results of one program.

  Secret-Squirrel 16:22 26 Apr 13

"I have run HijackThis as admin right from the start, as if I didn't then it would not complete a scan, it would stop with a 'denied access to the hosts file' message."

Actually, after you OK the warning message, the scan resumes and does complete ;)

"can you show me a printscreen of what your settings are?"

Here you go.

Sorry but I'm out of ideas with this issue.

PS: Thanks for bringing to my attention. It's such a quick 'n' easy way to post screenshots for basic forums like this one which don't support attachments.

  theDarkness 17:05 26 Apr 13

Thanks. I forgot to say it's 7 Home, what version are you using? Perhaps a registry cleaner (e.g. CCleaner, which is installed) may have deleted the files, although I tend not to use it. I do not know of any Microsoft registry repair tools which may reinsert any missing registry values, if there is definitely a problem with the system.

  theDarkness 17:22 26 Apr 13

Update - I've added your ProtocolDefaults values to ZoneMap, and the warning is no longer popping up in HijackThis, but since my version of ZoneMap has no other entries aside from the protocol (Domains, EscDomains and Ranges missing), it may well make no difference regarding security. I wondered at first if any of these registry entries not available may be to do with my wifi set up, related programs installed, or if Windows only adds them after a certain action is taken (e.g. IE not set to default - although that made no difference). I don't know.

  Secret-Squirrel 20:00 26 Apr 13

".....what version are you using?"

Home Premium 64-bit.

  theDarkness 23:21 26 Apr 13

I have forgotten to do one thing, and that's to check the registry of all other accounts on this system. They all have the correct full 'ZoneMap\ProtocolDefaults' content. My own account with missing content was created long after installation, so I am assuming either a firewall may have prevented the content of 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap' being written, or a malicious program may have simply deleted them.

I have now created a new account which is showing all protocol content, and will likely shift over to that one now, to be sure nothing else has been tampered with. No malware has ever been detected on this system. I believe the adaware jpg 'trojans' may be false positives, as avast, malwarebytes and detected nothing for those suspect wallpapers.

I don't know why my registry settings could not have been corrected within HijackThis, but perhaps HijackThis just doesn't understand how to fix registry entries that are missing, only incorrect settings. Thanks for the replies :)

  theDarkness 23:25 26 Apr 13

PS: after a google, WinPatrol looks like a good tool to keep an eye on any changes made to the registry, so I might try that out to keep an eye on protocol defaults. I think it only works for the paid for version though, and I don't think my firewall or antivirus (Online Armor + Avast) have similar features.

  Secret-Squirrel 08:32 27 Apr 13

Thanks for the feedback :)
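
Added example, not part of any post in this thread: a read-only PowerShell check for the question asked above, showing which zone `http` and `https` map to under `ZoneMap\ProtocolDefaults` in both HKCU and HKLM, and distinguishing a missing key or missing value from a wrong zone number. The function and variable names are made up for this example; it changes nothing in the registry.

```powershell
# Added example (not from the thread): read-only report of ProtocolDefaults.
# URL security zone numbers: 3 is the Internet zone the thread expects.
$ZoneNames = @{
    0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
    3 = 'Internet';    4 = 'Restricted Sites'
}
$SubKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults'

function Get-ProtocolDefaultZone {   # hypothetical helper name
    param(
        [string[]]$Protocol = @('http', 'https'),
        [string[]]$Hive     = @('HKCU:', 'HKLM:')
    )
    foreach ($h in $Hive) {
        $path = "$h\$SubKey"
        # $key stays $null when the ProtocolDefaults key does not exist
        $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        foreach ($p in $Protocol) {
            $zone = $null
            $name = $null
            if (-not $key) {
                $status = 'KEY MISSING'
            } else {
                $zone = $key.GetValue($p)        # $null if the value is absent
                if ($null -eq $zone) {
                    $status = 'VALUE MISSING'
                } else {
                    $name = $ZoneNames[[int]$zone]
                    if ([int]$zone -eq 3) { $status = 'OK' } else { $status = 'WRONG ZONE' }
                }
            }
            [pscustomobject]@{
                Hive     = $h
                Protocol = $p
                Zone     = $zone
                ZoneName = $name
                Status   = $status
            }
        }
    }
}

Get-ProtocolDefaultZone | Format-Table -AutoSize
```

HKCU is per user, so run it while logged in to each account you want to compare; an account like the one described above would show `KEY MISSING` for HKCU.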

