Question: Advise why such a security risk recurs. Permanently block the recurrence of the following entries and provide a PowerShell script to mitigate this security risk:
- HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com
- HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com
- HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com
- HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com
Why These Registry Entries Re-occur
The persistent reappearance of dospop.com and incredibar.com registry entries in your Internet Explorer security zone configuration represents a classic adware persistence mechanism. These entries are flagged by security tools like AdwCleaner as PUP.Optional.Legacy (Potentially Unwanted Program).
Root Causes of Re-occurrence
1. Active Malware/Adware Process
The primary reason these entries return is that the malicious software remains active on your system. The registry keys are symptoms, not the root cause. Adware like IncrediBar operates as:
- Browser hijackers that modify search engines and homepages
- Background services (e.g., “IB Updater service”) that monitor and restore registry settings
- Bundled software that reinstalls components during system updates or restarts
2. Multi-Hive Registry Persistence
The entries appear in both the HKU\.DEFAULT and HKU\S-1-5-18 (Local System account) hives, indicating:
- System-level infection affecting all user profiles
- New user profile contamination via the .DEFAULT hive, which seeds new accounts
- Privilege escalation allowing malware to write to system-wide registry locations
3. MITRE ATT&CK Technique T1112
This behaviour aligns with the Modify Registry technique, where attackers abuse the ZoneMap registry key to:
- Add domains to the trusted sites zones, bypassing security restrictions
- Enable persistent browser redirects to advertising networks
- Maintain footholds even after partial cleanup attempts
4. Startup/Scheduled Task Persistence
Malware often creates:
- Registry Run keys for automatic execution
- Scheduled tasks that periodically restore settings
- Windows services with automatic startup type
I suspect that either the browser or one of the extensions has malicious code that persistently pushes the malware onto the computer by tweaking its internet settings and gaining further registry access; with these gains comes the ability to hijack and reroute traffic.
CAN BRAVE CREATE A MITIGATING PATCH TO PROTECT ITS BROWSER AGAINST SUCH MALWARE, EITHER FROM CORE SOFTWARE OR INSTALLED EXTENSION VULNERABILITIES?
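The remediation script requested at the top of this post, as an added example that is not part of the original post and not something Brave ships: it removes the four listed ZoneMap entries from the two named hives, lists whatever domains remain in each hive's ZoneMap for review, reports Run-key, scheduled-task and service entries whose name or command line matches the adware names mentioned above (IncrediBar, IB Updater, dospop), and optionally denies subkey creation on the Domains key so the entries cannot simply be re-created. The function names, the `IncrediBar|IB Updater|dospop` match pattern and the ACL lock-down are my assumptions; the hive paths and domain names come from the post. Registry paths are case-insensitive, so `ZoneMap\Domains` here matches the `zonemap\domains` entries listed in the question.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

$Domains = @('dospop.com', 'incredibar.com')          # from the post
$Hives   = @('HKU:\.DEFAULT', 'HKU:\S-1-5-18')        # from the post
$ZoneMapSubPath = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# HKEY_USERS is not exposed as a PSDrive by default.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Remove-ZoneMapDomain {
    # Deletes the given domain keys (and their protocol subkeys) from each hive's ZoneMap.
    param([string[]]$Hive, [string[]]$Domain)
    foreach ($h in $Hive) {
        foreach ($d in $Domain) {
            $key = Join-Path $h (Join-Path $ZoneMapSubPath $d)
            if (Test-Path $key) {
                Remove-Item -Path $key -Recurse -Force
                Write-Output "Removed $key"
            }
        }
    }
}

function Get-ZoneMapDomainReport {
    # Lists every domain still present in each hive's ZoneMap so the rest can be reviewed.
    param([string[]]$Hive)
    foreach ($h in $Hive) {
        $base = Join-Path $h $ZoneMapSubPath
        if (Test-Path $base) {
            Get-ChildItem -Path $base | ForEach-Object {
                [pscustomobject]@{ Hive = $h; Domain = $_.PSChildName }
            }
        }
    }
}

function Find-PersistenceCandidate {
    # Reports (does not delete) Run-key values, scheduled tasks and services whose name or
    # command matches the pattern. Pattern is an assumption based on names in the post.
    param([string]$Pattern = 'IncrediBar|IB Updater|dospop')
    $runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run')
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' -and ("$($_.Name) $($_.Value)" -match $Pattern) } |
            ForEach-Object { [pscustomobject]@{ Type = 'RunKey'; Name = $_.Name; Detail = $_.Value; Location = $k } }
    }
    Get-ScheduledTask |
        Where-Object { $_.TaskName -match $Pattern -or (($_.Actions.Execute -join ' ') -match $Pattern) } |
        ForEach-Object { [pscustomobject]@{ Type = 'ScheduledTask'; Name = $_.TaskName; Detail = ($_.Actions.Execute -join ' '); Location = $_.TaskPath } }
    Get-CimInstance Win32_Service |
        Where-Object { $_.DisplayName -match $Pattern -or $_.PathName -match $Pattern } |
        ForEach-Object { [pscustomobject]@{ Type = 'Service'; Name = $_.Name; Detail = $_.PathName; Location = $_.State } }
}

function Protect-ZoneMapDomainKey {
    # Adds a Deny ACE for CreateSubKey on the Domains key so new domain entries cannot be
    # created there. A process already running as SYSTEM can take ownership and reset the
    # ACL, so this only raises the bar; removing the active adware is the real fix. It also
    # blocks legitimate additions through the Internet Options UI until the ACE is removed.
    param([string[]]$Hive)
    foreach ($h in $Hive) {
        $base = Join-Path $h $ZoneMapSubPath
        if (-not (Test-Path $base)) { continue }
        $acl  = Get-Acl -Path $base
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            'Everyone', 'CreateSubKey', 'ContainerInherit', 'None', 'Deny')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $base -AclObject $acl
        Write-Output "Denied CreateSubKey on $base"
    }
}

# Usage: clean, then review what remains and where the entries might be coming from.
Remove-ZoneMapDomain -Hive $Hives -Domain $Domains
Get-ZoneMapDomainReport -Hive $Hives | Format-Table -AutoSize
Find-PersistenceCandidate | Format-Table -AutoSize
# Protect-ZoneMapDomainKey -Hive $Hives   # optional lock-down; read the caveat in the function
```

Run the report functions again after a reboot: if the two domains return, the `Find-PersistenceCandidate` output (or a broader tool such as Autoruns) is where to look for the Run key, task or service that is re-creating them, because the ZoneMap keys themselves are only the symptom.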