Jump to content


Photo

Internet site blocked


  • Please log in to reply
31 replies to this topic

#1 lzvx51

lzvx51

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 19 December 2004 - 07:30 PM

I have a ZoneAlarm Pro firewall and can not acces the Zonelab.com website. I was previously able to acces this site. I have checked my hosts (attached) and can't find the problem. I even re-installed my ZoneAlarm software. Anyone have some ideas?


:gasp:


Also attached is my HJT log file...

Logfile of HijackThis v1.98.2
Scan saved at 8:28:57 PM, on 12/19/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\DllHost.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\winxp\system32\blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab

Attached Files



#2 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Retired Staff
  • PipPipPipPipPip
  • 5,365 posts

Posted 21 December 2004 - 09:22 AM

Hi,
Your log looks clean ...
However you should not have all three of these running at the same time.

1) C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
2) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
3) C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Try deleting your browser cache ...

Download: Clear the Cache (freeware)
http://www.majorgeek...wnload4191.html
Once installed, run CCleaner click the Windows [tab]
Select the following:
Posted Image
Next: click Options click the Settings tab
Uncheck: "Only delete files older than 48 hrs.", click Ok
Then click Run Cleaner (bottom right) then Exit

As for your HOSTS file ... it's outdated, contains many dead entries, and appears to be corrupt. It should not have all of these, like this:

127.0.0.1 localhost
127.0.0.1 localhost
127.0.0.1 localhost
127.0.0.1 localhost
127.0.0.1 localhost

You should only have 1 entry like that and it should be the 1st entry.
If you want to use a current HOSTS file ... (see below)
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#3 lzvx51

lzvx51

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 21 December 2004 - 08:39 PM

Per your suggestion, I have updated my hosts (attached) and cleaned my cache. Still no success.

I'm unclear on your direction about:

"However you should not have all three of these running at the same time.

1) C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
2) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
3) C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe"

I think only the spysweeper is running as I have to launch the other two programs. Could this be causing the problems? My startup menu shield from SpySweeper does not indicate that Ad-aware and spy-bot are running.

Any more ideas???

[Posted HOSTS file removed]

Edited by WinHelp2002, 21 December 2004 - 09:14 PM.


#4 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Retired Staff
  • PipPipPipPipPip
  • 5,365 posts

Posted 21 December 2004 - 09:35 PM

Hi,
If you look in your 1st post you'll see the 3 items I mentioned.

Either you have them all running or had them running when you scanned with HijackThis and posted you log. Whichever it was there is no need to have them all running at the same time.

What happens when you try to access ZoneAlarm?

Note: there was no need to post the HOSTS file, which I removed ... I know what the contents were as that's my file.
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#5 lzvx51

lzvx51

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 22 December 2004 - 07:15 PM

When I try to access Zonelabs.com I receive a time out message. I attempt this with both IE and Firefox browsers. I have attemped to Ping the web and IP address with no luck. I can't figure it out!


:hmmm:

#6 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Retired Staff
  • PipPipPipPipPip
  • 5,365 posts

Posted 22 December 2004 - 08:38 PM

Hi,
Yes that is very odd ... have you tried posting to their Forum?
http://forums.zonelabs.com/zonelabs

It sounds like your problem is ZoneAlarm specific ...
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#7 lzvx51

lzvx51

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 23 December 2004 - 05:09 PM

I have tried their fourm but no luck. You guys seem more responsive and knowledgable..


:excl:

#8 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Retired Staff
  • PipPipPipPipPip
  • 5,365 posts

Posted 23 December 2004 - 06:44 PM

Hi,
Well I'm out of ideas ... perhaps the ZA Forum will respond shortly ...
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#9 lzvx51

lzvx51

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 23 December 2004 - 09:53 PM

Thanks for your time. You can close this topic.

#10 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Retired Staff
  • PipPipPipPipPip
  • 5,365 posts

Posted 24 December 2004 - 03:28 AM

You're welcome ...

This Topic is closed at users request.

If you need this topic reopened, please request this by sending the moderating team
an email with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#11 cnm

cnm

    Mother Lion of SWI

  • Retired Staff
  • PipPipPipPipPip
  • 25,317 posts

Posted 31 December 2004 - 02:54 PM

Reopened at request of lzvx51.
Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE

#12 lzvx51

lzvx51

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 31 December 2004 - 03:22 PM

Thanks for re-opening this topic and I'm hopeful someone can help. My problems continue to be that I can't access this specific site and I think it started when I was removing some spyware. I was able to acces the site previously. I have checked with my ISP (not blocking sites) and firewall provider (can't access when ZoneAlarm is off) and they feel that everything is fine from their end. Oddly, I can access other zonelab sites for other countries (e.g., zonelabs.de) but not the US. I really don't want to use the System Restore function as I spent two weeks removing various spyware programs.

Are there other Micosoft programs that could be restricting access. Something is my local registry, setupapi? I'm not familiar with these programs but I did a search of my harddrive for the word "zonelabs" in files and several came back.



:gasp:

#13 cnm

cnm

    Mother Lion of SWI

  • Retired Staff
  • PipPipPipPipPip
  • 25,317 posts

Posted 31 December 2004 - 04:34 PM

Get Option^Explicit's Hosts File Reader from here: http://www.downloads...sFileReader.zip
Subratam also has a screen shot: http://subratam.org/...sFileReader.PNG

It will show whether you have any abberant hosts files (click "Scan for Hosts). You can then edit out any entries that block the site, or "Save Log" for posting here if unsure.
Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE

#14 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Retired Staff
  • PipPipPipPipPip
  • 5,365 posts

Posted 31 December 2004 - 04:57 PM

cnm,
Look up ... they are already using my HOSTS file, which certainly does not contain any entries for Zonelabs.
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#15 cnm

cnm

    Mother Lion of SWI

  • Retired Staff
  • PipPipPipPipPip
  • 25,317 posts

Posted 31 December 2004 - 05:34 PM

I was thinking there could be a second hosts file. The pointer in the registry designates the active one. HijackThis used to report when this pointer was abnormal, but I'm not sure yet whether 1.99 will do that. If Hosts File Reader shows only the one hosts file (yours) then this is indeed the wrong tree to bark up. :)
Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE

#16 lzvx51

lzvx51

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 01 January 2005 - 08:52 PM

How do I determine if I have more than one host file? If I do, how do I determine which one is being used?

#17 cnm

cnm

    Mother Lion of SWI

  • Retired Staff
  • PipPipPipPipPip
  • 25,317 posts

Posted 01 January 2005 - 08:56 PM

I told you exactly how to do it:
http://forums.spywar...ndpost&p=171450
Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE

#18 lzvx51

lzvx51

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 01 January 2005 - 09:56 PM

Well I followed your instructions and found two hosts files. One empty that I deleted and the other created by winhelp2002. Still no luck. Very frustrating.... Are you aware of any other programs or files that I can look at that can be blocking the site???


:hmmm:

#19 lzvx51

lzvx51

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 02 January 2005 - 04:52 PM

I am starting to have problems accessing sites (e.g., techtv.com). At the suggestion of this board I recently changed to Sun Java. Could this have something to to with my problems?

#20 cnm

cnm

    Mother Lion of SWI

  • Retired Staff
  • PipPipPipPipPip
  • 25,317 posts

Posted 02 January 2005 - 05:44 PM

Your problem is baffling. If we can really rule out your ISP, then please do this.

1. Run (free trial) Trojan Hunter, let it fix or remove anything it finds. http://www.trojanhunter.com/
If it found anything, then reboot.

2. Get the latest HijackThis.exe and post a new log. http://www.spywarein.../HijackThis.exe
Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE

#21 lzvx51

lzvx51

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 03 January 2005 - 11:25 PM

Ran the Trojan Hunter and it did not find anything.

Attached is my HJT log



Logfile of HijackThis v1.99.0
Scan saved at 12:00:51 AM, on 1/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\winxp\system32\blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WIND

OWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

#22 cnm

cnm

    Mother Lion of SWI

  • Retired Staff
  • PipPipPipPipPip
  • 25,317 posts

Posted 04 January 2005 - 01:20 AM

Please try this. Put www.zonelabs.com in your Trusted Zone.
In IE, Tools->Internet Options, Security. Click on Trusted Sites. Then click on Sites, add www.zonelabs.com in the window, and click Add. See picture.

Also please do this.
Scan with HijackThis, mark the box next to this, close all other windows including this one, then click Fix checked.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\winxp\system32\blank.htm
Reboot.

Then post another log.
The Zonelabs should show up as an O15 entry.

Did that help?
I find that www.zonelabs.com redirects to http://www.zonelabs....ontent/home.jsp
What happens when you click on that?

Attached Files


Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE

#23 lzvx51

lzvx51

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 07 January 2005 - 09:35 PM

I could not remove the BLANK entry. Could this be my problem? I added www.zonelabs.com com to both of my browsers IE and Firefox. Still no luck! :angry:

I also noticed that I received the following error message when attempting to access the site via IE: "opening page res://C:\windows\system32\shocloclc.dll/dnserror.htm"

Logfile of HijackThis v1.99.0
Scan saved at 10:31:31 PM, on 1/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\TrojanHunter 4.0\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\winxp\system32\blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

Edited by lzvx51, 07 January 2005 - 09:49 PM.


#24 Gnmpf

Gnmpf

    burn Malware burn

  • Trusted Advisor
  • PipPipPipPipPip
  • 4,487 posts

Posted 08 January 2005 - 03:20 AM

Hi, you have to replace MVPS hosts file later and any other sites that you have put in the trusted/restricted Zone.

Please download: DelDomains.inf
http://mvps.org/winh.../DelDomains.inf
To use: Close all open browsers
Right-click DelDomains.inf and select: Install
Note: this will remove all entries in the Trusted Zone and Restricted Zone.

Then download the Hoster from http://members.aol.c...dbee/hoster.zip here Press 'Restore Original Hosts' and press 'OK'
Exit Program.

reboot

Than go to control panel, internet options, security, see the 4 zones: Internet, Intranet, trusted Zone and Restricted zone. Hilight each of them one after the other and click standard

Can you now visit this site?

Edited by Gnmpf, 09 January 2005 - 12:23 PM.

user posted image
proud member since 2004

Most active in: Resolved or inactive Malware Removal
user posted image

#25 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Retired Staff
  • PipPipPipPipPip
  • 5,365 posts

Posted 08 January 2005 - 03:23 AM

Hi,

I could not remove the BLANK entry.

Please explain ...

I added www.zonelabs.com com to both of my browsers IE

Where? It's not showing up in your log ...

Just a thought ...

Start | Run (type) services.msc
Scroll down to "DNS Client"
Right-click and select: Properties
Click the drop-down arrow for "Startup type"
Select: Manual click Apply\Ok

Next:

Start | Run (type) cmd (press Enter)
(type) ipconfig /flushdns
Close the "Command Prompt" and reboot.
See if you can access www.zonelabs.com

If not then I would suggest you may have a conflict between ZoneLabs and your NAV.
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#26 lzvx51

lzvx51

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 08 January 2005 - 09:12 PM

Still can't access the sites after following your instructions. I also can't remove the following entry form my HJT log as you suggested:

"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\winxp\system32\blank.htm"

I run HJT, Scan, check fix by the entry, reboot and it re-appears..?????

Any more thoughts?

:blush2:

Here is my current HJT log:

Logfile of HijackThis v1.99.0
Scan saved at 10:06:46 PM, on 1/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\TrojanHunter 4.0\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\winxp\system32\blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

#27 lzvx51

lzvx51

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 08 January 2005 - 09:29 PM

The entry I could not remove is:

"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\winxp\system32\blank.htm"

I added www.zonelabs.com to the "trusted zones" in IE and to the "allowed sites" in Firefox.

Do I need to restore my DNS Client properties to Automatic?

Lastly, I removed NAV from my startup and attempted to access the siite with no luck. Does this rule out the NACV conflict concerns?

#28 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Retired Staff
  • PipPipPipPipPip
  • 5,365 posts

Posted 08 January 2005 - 09:38 PM

Hi,
Internet Options | General [tab]
Is your "HomePage" set to: "about:blank" (if so = ignore the below)

Otherwise, Start | Run (type) regedit
Navigate to the following location:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
Highligh: Local Page = c:\winxp\system32\blank.htm" (right pane)
Right-click and select: Delete (Ok the prompt)
Close Regedit.

Note: the above has nothing to do with not accessing ZoneLabs.

Do I need to restore my DNS Client properties to Automatic?

No it's not needed ...

Does this rule out the NACV conflict concerns?

Not really, but like I said before you are asking about 3rd party programs that are not related to a "hijack" issue.
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#29 shadowwar

shadowwar

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 1,361 posts

Posted 09 January 2005 - 08:46 AM

is spysweeper alerting you on bootup that it had changed? are you allowing or denying the changes?

#30 lzvx51

lzvx51

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 09 January 2005 - 11:26 AM

Otherwise, Start | Run (type) regedit
Navigate to the following location:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
Highligh: Local Page = c:\winxp\system32\blank.htm" (right pane)
Right-click and select: Delete (Ok the prompt)
Close Regedit.


I executed this twice and the entry re-appeared. Am I doing something incorrectly?

Also, I needed to reload your hosts file again. Was this expected with the actions you suggested?

Lastly, to shadowwar's question "is spysweeper alerting you on bootup that it had changed? are you allowing or denying the changes?"

SpySweeper is not providing any alerts..

Edited by cnm, 09 January 2005 - 12:00 PM.


#31 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Retired Staff
  • PipPipPipPipPip
  • 5,365 posts

Posted 09 January 2005 - 04:49 PM

Hi,

Am I doing something incorrectly?

Not unless your "HomePage" is set to "about:blank"

Also, I needed to reload your hosts file again.

Why? what happened to the HOSTS file?
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#32 Gnmpf

Gnmpf

    burn Malware burn

  • Trusted Advisor
  • PipPipPipPipPip
  • 4,487 posts

Posted 10 January 2005 - 01:59 PM

I reset his host file but I also wrote that he has to replace it later.
user posted image
proud member since 2004

Most active in: Resolved or inactive Malware Removal
user posted image




Member of UNITE
Support SpywareInfo Forum - click the button