Something weird

blakee

Programmer
Jan 18, 2005
Ok.. I've had this for a while but I don't know how to get it off or what's causing this.. If I put in 2 "LL"s then it turns into "**" in my internet browsers.. does anyone know what's causing this to happen?
 
The ones I would be suspicious of are -

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)

O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseC*** Control) - /xscan53.cab



This last one, if it was just Housecall instead of your old mate ***, would probably be OK.

The one in the Hosts file is suspicious; what other entries do you have in your Hosts file?

A normal default Hosts file would be similar to this -

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost


The entries mentioning "(no file)" are old entries that have been partly removed and should be safe to remove.

Make sure HijackThis is configured to back up entries before removing them.

I'd like to check the Toolbars and CLSIDs here, but you can do that if you want.

CLSID / BHO List / Toolbar Master List
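The Hosts check the reply above asks for can be automated. The following is an added example, not code from the thread or from HijackThis: it parses a Hosts file the way Windows reads it (comments stripped, first column an address, remaining columns hostnames) and reports every entry that sends a hostname somewhere other than loopback or 0.0.0.0, which is exactly the pattern of the two `12.129.205.209` lines in the log. The sample Hosts text is constructed from the default file shown above plus those two entries.

```python
import ipaddress

# Constructed sample: the default Windows entry plus the two non-loopback
# mappings reported by HijackThis in the thread above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
12.129.205.209 search.netscape.com
12.129.205.209 sitefinder.verisign.com
"""


def parse_hosts(text):
    """Return [(address, [hostnames])] for every active line.

    Comments (everything after '#') and blank lines are skipped; a line
    whose first column is not an IP address is ignored the same way the
    resolver would ignore it.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed first column; not a usable mapping
        entries.append((addr, parts[1:]))
    return entries


def suspicious_entries(text):
    """Flag hostnames redirected to a real address.

    Mappings to loopback (127.0.0.1, ::1) or 0.0.0.0 are the normal
    "block this site" pattern and are left alone; anything else silently
    redirects the named host and deserves a look.
    """
    flagged = []
    for addr, names in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified:
            continue
        for name in names:
            flagged.append((name, str(addr)))
    return flagged


if __name__ == "__main__":
    for host, addr in suspicious_entries(SAMPLE_HOSTS):
        print(f"redirected: {host} -> {addr}")
```

To run it against the live file, read `%SystemRoot%\System32\drivers\etc\hosts` and pass its contents to `suspicious_entries`; an empty result means every entry points at loopback or 0.0.0.0.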
 
I can't download the Microsoft Windows AntiSpyware beta because it gives me a 404 error.. but I deleted the entries and I don't see a difference..
 
You could try resetting your Winsock.

FAQ779-4625
 
Since your HijackThis! log shows you at XP with Service Pack 2:

Start, Run, CMD

netsh winsock reset catalog

(Wait for the prompt that a restart is required).

Reboot.
 
In IE there are a bunch of internet sites and IPs in the restricted sites.. such as *.whatever.com. When I delete them and close IE they come back right after.. what is causing this? Oh, and I did the winsock thing but no luck..
 
Ok, I ran the DllCompare and I was clean. So I went to the 2nd one which was posted by kurta007. I ran the file that he listed, which was finditnt2000xp.zip. So, I don't know if anything is wrong but I would appreciate it if anyone can tell me anything about the log file..

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Administrator\Desktop

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is E4BF-DC2E

Directory of C:\WINNT\System32

01/22/2005 06:26 PM <DIR> dllcache
08/28/2004 03:22 PM 56 BB204F9EC4.sys
08/28/2004 03:22 PM 10,022 KGyGaAvL.sys
2 File(s) 10,078 bytes
1 Dir(s) 31,513,939,968 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is E4BF-DC2E

Directory of C:\WINNT\System32

01/25/2005 06:41 PM 890 vsconfig.xml
01/22/2005 06:26 PM <DIR> dllcache
01/03/2005 04:10 PM 4,212 zllictbl.dat
08/28/2004 03:22 PM 56 BB204F9EC4.sys
08/28/2004 03:22 PM 10,022 KGyGaAvL.sys
08/25/2004 03:24 PM 488 logonui.exe.manifest
08/25/2004 03:24 PM 488 WindowsLogon.manifest
08/25/2004 03:24 PM 749 cdplayer.exe.manifest
08/25/2004 03:24 PM 749 wuaucpl.cpl.manifest
08/25/2004 03:24 PM 749 ncpa.cpl.manifest
08/25/2004 03:24 PM 749 nwc.cpl.manifest
08/25/2004 03:24 PM 749 sapi.cpl.manifest
08/19/2004 07:51 PM <DIR> GroupPolicy
08/19/2004 07:42 PM 21,692 folder.htt
12 File(s) 41,593 bytes
2 Dir(s) 31,513,935,872 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is E4BF-DC2E

Directory of C:\WINNT\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is E4BF-DC2E

Directory of C:\WINNT\System32

07/24/2002 04:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 31,513,935,872 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


------------- Locate.com Results -------------

C:\WINNT\SYSTEM32\
vsconfig.xml Tue Jan 25 2005 6:41:16p A..H. 890 0.87 K
zllictbl.dat Mon Jan 3 2005 4:10:34p ...H. 4,212 4.11 K

2 items found: 2 files, 0 directories.
Total of file sizes: 5,102 bytes 4.98 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINNT\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINNT\\system32\\NvMcTray.dll,NvTaskbarInit"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"Zone Labs Client"="\"C:\\Program Files\\ZoneAlarm\\zlclient.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\
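The "Keys Under Notify" section of that log is the part a defender should read most carefully: every subkey under `Winlogon\Notify` names a DLL that winlogon loads at logon, so an unexpected DLL there is a classic persistence location. The DLL name is sometimes a plain string (`"DLLName"="cscdll.dll"`) and sometimes a `hex(2)` byte list, which is hard to eyeball. The following is an added example, not part of find.bat or the thread: a small parser for the REGEDIT4 export format that decodes both forms (plus `dword:` values and wrapped hex lines) and lists each Notify subkey with the DLL it loads. The sample export is constructed from three of the subkeys in the log above.

```python
import re

# Constructed sample in REGEDIT4 format; the subkeys and values are copied
# from the find.bat output above and nothing else is assumed.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Logon"="TSEventLogon"
"""

VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def _decode_hex_value(payload):
    """Decode 'hex(2):' bytes; REGEDIT4 exports REG_EXPAND_SZ as ANSI bytes."""
    raw = bytes(int(b.strip(), 16) for b in payload.split(",") if b.strip())
    return raw.decode("cp1252").rstrip("\x00")


def parse_regedit4(text):
    """Return {key_path: {value_name: value}} for a REGEDIT4 export.

    Quoted strings, dword: and hex(2): values are decoded; other hex types
    are kept verbatim. A trailing backslash continues a long hex value on
    the next line, as regedit writes it.
    """
    joined = []
    for line in text.splitlines():
        if joined and joined[-1].endswith("\\"):
            joined[-1] = joined[-1][:-1] + line.strip()
        else:
            joined.append(line.rstrip())

    keys, current = {}, None
    for line in joined:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, val = m.group(1), m.group(2)
        if val.startswith('"') and val.endswith('"'):
            keys[current][name] = val[1:-1].replace("\\\\", "\\")
        elif val.startswith("dword:"):
            keys[current][name] = int(val[6:], 16)
        elif val.startswith("hex(2):"):
            keys[current][name] = _decode_hex_value(val[7:])
        else:
            keys[current][name] = val
    return keys


def notify_dlls(text):
    """Map each Winlogon\\Notify subkey to the DLL it loads.

    The value name is matched case-insensitively because the log shows
    both "DllName" and "DLLName" spellings.
    """
    marker = "\\winlogon\\notify\\"
    result = {}
    for key, values in parse_regedit4(text).items():
        idx = key.lower().rfind(marker)
        if idx < 0:
            continue
        subkey = key[idx + len(marker):]
        for name, val in values.items():
            if name.lower() == "dllname":
                result[subkey] = val
    return result


if __name__ == "__main__":
    for subkey, dll in sorted(notify_dlls(SAMPLE_EXPORT).items()):
        print(f"{subkey:14s} loads {dll}")
```

Feed it the whole "Keys Under Notify" block from a find.bat log and compare the resulting DLL list against a known-good image of the same Windows build; a subkey whose DLL is not one of the stock winlogon notification packages is the entry to investigate.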
 
From your results it is not the newer VX2. I do not like this entry at all:
Directory of C:\WINNT\System32
01/25/2005 06:41 PM 890 vsconfig.xml


 
The sites being listed in your IE Restricted Sites are probably being inserted by your Security Software as a preventive measure for your surfing protection.

How many firewalls are you running? Do you have ZoneAlarm, Norton and XP SP2's firewall all running at the same time?

If you have Ad-Aware SE from Lavasoft on your machine download the Ad-Aware VX2 cleaner plugin and run Ad-Aware.
 
Only Zonealarm Pro.. I turned off the windows firew*** and the NIS firew***.
 
lol.. guys I found the problem for the **'s. It was Zonealarm Pro.. I was in the ID Lock and went into the "MyVault" tab and deleted the entry and then turned ID lock back on and I went to the internet and put in "all" and it didn't convert anymore.. how frustrating.. thanks for all your help :).
 
Hola, glad you got it worked out...

had probs with ZoneAlarm myself, lately (had been using it for ages and encountered probs just the past few weeks v5.1.033 and v5.6.042 ...) now I have switched to Kerio Personal Firewall... so far so good...

Ben

If it works don't fix it! If it doesn't use a sledgehammer...
 
I think you need to spend some time in Control Panel, Add/Remove programs.

Your Hijack logs show both NIS and Zone Alarm running, no matter what you may believe.

For example:

O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc - Symantec Corporation - C:\Program Files\Norton Internet\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton Internet\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

I hope you made the edits discussed above in Hijack, as you had other junk running as well.

It is time to clean this machine.

Remove, not disable, unneeded firewalls and other detritus.
Follow carefully faq608-4650
Consider using the Microsoft Antispyware beta:
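The point made in this reply, that the HijackThis log proves two firewall products are running regardless of what the user remembers switching off, comes straight from the `O23` service lines and their vendor column. The following is an added example, not code from the thread or from HijackThis: it splits HijackThis log lines into their section code and ` - ` separated fields, groups `O23` services by vendor so that overlapping security suites stand out, and lists `(no file)` entries, which the earlier reply in this thread describes as leftovers of a partial removal. The sample log is constructed from lines quoted in the thread above.

```python
import re
from collections import defaultdict

# Constructed sample: HijackThis lines copied from the thread above
# (the user's R1/R3/O1 entries and part of the O23 service list).
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar =
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\\Program Files\\Common Files\\Symantec Shared\\ccEvtMgr.exe
O23 - Service: ISSvc - Symantec Corporation - C:\\Program Files\\Norton Internet\\ISSVC.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\\WINNT\\system32\\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\\WINNT\\system32\\ZoneLabs\\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")


def parse_line(line):
    """Split one HijackThis line into its section code and ' - ' separated fields."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return {"code": m.group("code"),
            "fields": [f.strip() for f in m.group("body").split(" - ")]}


def services_by_vendor(log):
    """Group O23 service names by the vendor string HijackThis reports.

    Two different security vendors each with a firewall/monitor service
    is the overlap the reply above is pointing at.
    """
    vendors = defaultdict(list)
    for line in log.splitlines():
        e = parse_line(line)
        if e and e["code"] == "O23" and len(e["fields"]) >= 3:
            # fields are "Service: <name>", "<vendor>", "<path>"
            name = e["fields"][0].split(":", 1)[1].strip()
            vendors[e["fields"][1]].append(name)
    return dict(vendors)


def dangling_entries(log):
    """Entries whose target no longer exists: '(no file)' leftovers of a partial removal."""
    return [line.strip() for line in log.splitlines() if "(no file)" in line]


if __name__ == "__main__":
    for vendor, names in services_by_vendor(SAMPLE_LOG).items():
        print(f"{vendor}: {', '.join(names)}")
    for entry in dangling_entries(SAMPLE_LOG):
        print("dangling:", entry)
```

Run it over a complete saved log; when more than one security vendor appears under `services_by_vendor`, that is the "both NIS and Zone Alarm running" situation described above, and the `dangling_entries` list is the set of items the earlier reply says are safe to remove once HijackThis backups are enabled.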
 
Excuse my cryptic humor, maybe it is a case of "*** or nothing
 
yeah my bad I did have NIS firewall running cuz I just looked and it was on..
 