Today's patches killed TCP/IP


Blake

I haven't seen any resolutions beyond this KB article you quoted (and thanks
for that).

I'll be brave and install the patches on a box or 2 soon and see what
happens.

:)
 

Jim Byrd

Hi Blake - Courtesy of Bob Cerelli,
http://www.onecomputerguy.com/ie_tips.htm#winsock_fix

Can't Connect to Internet With Internet Explorer
Added 10/3/04

If no Internet application, such as IE, Outlook Express or other browsers, is
working, it may be due to corrupted Winsock registry entries. First find out if you
can connect to the Internet. Just trying to use a web browser is not the
best test. Try pinging a site by both IP and Name.

If pinging by IP works, then you have a connection to the Internet and the
Winsock registry entries are probably ok. If pinging by IP works but by
Name doesn't, then you likely have a DNS problem.

If you can't ping by either one, then you may have corrupted Winsock
registry entries.
The basic steps are to:

Delete the corrupted Winsock registry entries
Import clean ones
Reboot the computer

For All Operating Systems - Remove the old registry entries -
http://www.onecomputerguy.com/reg/xp_del_winsock.reg

Import the clean registry file for your particular operating system
For Win98 - http://www.onecomputerguy.com/reg/win98_winsock.reg
For ME - http://www.onecomputerguy.com/reg/winme_winsock.reg
For WindowsXP - http://www.onecomputerguy.com/reg/xp_winsock.reg
For Windows2000 - http://www.onecomputerguy.com/reg/winsock_2k.reg
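The ping-by-IP, then ping-by-name triage described above, written out as a PowerShell function. This is an added example, not code from the thread or from the quoted onecomputerguy article; the test host and the address are assumptions, and the supported modern replacement for deleting and re-importing the Winsock keys is the built-in netsh reset noted in the comments.

```powershell
# Added example (not from the thread or the quoted article): decide whether a
# "nothing can reach the Internet" problem is basic connectivity, DNS, or, by
# elimination, the Winsock layer, using the ping-by-IP-then-by-name logic above.
# $HostName and $IPAddress are assumptions; substitute any hosts you trust.
function Test-WinsockTriage {
    param(
        [string]$HostName  = 'www.microsoft.com',   # assumed test host name
        [string]$IPAddress = '1.1.1.1'              # assumed reachable public IP
    )

    # -Quiet returns $true/$false instead of reply objects.
    $byIp   = Test-Connection -ComputerName $IPAddress -Count 2 -Quiet -ErrorAction SilentlyContinue
    $byName = Test-Connection -ComputerName $HostName  -Count 2 -Quiet -ErrorAction SilentlyContinue

    if ($byIp -and $byName) {
        $verdict = 'IP and name both answer: connectivity and DNS are fine and Winsock is probably OK. Look at the browser, proxy or firewall settings instead.'
    }
    elseif ($byIp -and -not $byName) {
        $verdict = 'IP answers but the name does not: DNS problem, not Winsock.'
    }
    else {
        $verdict = 'Neither answers: check the adapter, cable and gateway first; if those are fine, suspect corrupted Winsock entries.'
    }

    [pscustomobject]@{
        PingByIP   = $byIp
        PingByName = $byName
        Verdict    = $verdict
    }
}

# On Windows XP SP2 and later the supported equivalent of deleting the Winsock
# registry keys and importing clean ones is the built-in reset, run from an
# elevated prompt and followed by a reboot:
#   netsh winsock reset
Test-WinsockTriage
```

Two pings are cheap, so running both before touching the registry avoids the common mistake of "repairing" Winsock when the real fault is a DNS server or an unplugged cable.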
 

George Hester

Hi Jim. Maybe you know how to reset the Automatic Search in IE? It's not working from the GUI. Thanks.
 

George Hester

Ya thank you thank you THANKS. I got zapped by a nasty piece of malware the weekend before last. I was able to hibernate the thing but I wasn't able to fix the automatic search issue. I would type in eisenhower and got this in return in the address bar of IE:

http:/// eisenhower

Would you like to hear something that happened with this thing? I have a program called asviewer.exe. This gives a lot of startup locations beyond just the Run keys in the registry. I had a file the malware put in system32 called ilizak.exe. The name is not important but the behavior is.

I couldn't stop the "malware" from writing this file into this location when I was logged on as Administrator. No other user did that. So I made an empty text file named ilizak.exe and put it in system32 while signed on as a different Admin and removed ALL permissions from it. That kept the file from appearing in system32. But it did not stop the call to it placed in the Run key under HKLM. Now for the interesting part.

While signed in as Administrator asviewer would tell me that there was a call in the Run key under HKLM that pointed to C:\WINNT\system32\ilizak.exe. But when I looked at the key it was NOT there. I could delete the key and put it back, then run asviewer, and the call would not be there. But log out then back in as Administrator and there it was again: asviewer said it was there, but it was not visible when I looked.

Do you believe that? I wouldn't but it's true.

The other interesting thing is this: ilizak.exe was not viewable in system32 using Windows Explorer while logged in as Administrator. I had to log into a different Administrator I made long ago and could see it. I could also access the machine from a different system and see it. It was 38KB and had no icon resources in it. And believe it or not, I couldn't even see my empty ilizak.exe, which I told you I made earlier, while signed on as Administrator.

I was finally able to stop the ghost writing to the HKLM Run key while logged on as Administrator, but this Search issue in IE was the last vestige of it I could not fix. Thanks to you I'm much better now.
 

Jim Byrd

YW, George - Glad you got it straightened out. The behaviors you describe
are not uncommon for certain malware. A general policy worth following is
to do your "malware" clean-up from Safe mode or (even better) from a Clean
Boot. First, be sure to enable viewing of Hidden and System files. See my
Blog, Defending Your Machine, here:
http://defendingyourmachine.blogspot.com/ for some directions about how to
do this for future reference, as well as some precautionary steps you might
want to take to prevent this in the future.
 

George Hester

Yeah Jim. It didn't matter any of that about hidden files. Nope. What I told you was true. I believe the malware makers have come up with an integration into the shell making their files invisible no matter who is logged on and no matter what is enabled in View in Windows Explorer. Even still, this would not affect what is viewable in regedit. And yes, regedt32 said the same thing - namely nothing. I identified that hook and so that is why I could finally see the stuff. The name of the hook is again not important, for it is randomly generated just as ilizak.exe was. Oh, by the way, attrib in the command prompt showed nothing either.

This thing was in enum under HKLM\system. It was a legacy device driver. But getting it all out of there still didn't solve the issue. I had to find the hook.

The way to defend ourselves from these things is to never browse the web signed on as Admin AND make sure IE is "disabled" for almost everything.
 

Herb Martin

There are comments (and tools) about this at SysInternals.com, hiding
files from the API, and finding them through low level calls (which
are themselves IN THEORY able to be bypassed, but unlikely
to be any malware that does that "today".)

RootKit finder or some similar name.

--
Herb Martin


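The cross-view idea Herb refers to (compare what the normal Windows API reports against a second, independent view and treat disagreements as suspicious) applied to the exact symptom George hit: a Run-key entry whose target file cannot be seen. This is an added example, not code from the thread or from Sysinternals; it checks each Run-key target through two views, Test-Path in the PowerShell process and a `dir /a` listing in a separate cmd.exe process, and flags entries where the two disagree.

```powershell
# Added example (not from the thread or Sysinternals): list the autostart
# entries in the usual Run keys and check whether each target executable is
# visible from two views. A user-mode hook that hides a file from one process
# often shows up as a disagreement between views; a kernel-level hook that
# filters both will not, which is the limit of this check.
function Get-RunEntryStatus {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'  # 32-bit view on 64-bit Windows
    )

    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key

        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own provider metadata

            # Pull the executable path out of the command line: a quoted path,
            # else the first token ending in .exe, else the whole value.
            $cmd = [string]$p.Value
            if     ($cmd -match '^"([^"]+)"')   { $exe = $Matches[1] }
            elseif ($cmd -match '^(\S+\.exe)')  { $exe = $Matches[1] }
            else                                { $exe = $cmd }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            # View 1: the Win32 file API as seen from this PowerShell process.
            $apiVisible = Test-Path -LiteralPath $exe -PathType Leaf

            # View 2: a directory listing including hidden/system files, from a
            # separate cmd.exe process (same API, different process to hook).
            $dirVisible = $false
            if ($exe -and (Split-Path -Path $exe -Parent)) {
                $listing = cmd.exe /c "dir /a /b `"$exe`"" 2>$null
                $dirVisible = [bool]$listing
            }

            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Target     = $exe
                ApiVisible = $apiVisible
                DirVisible = $dirVisible
                # Either a target nobody can see, or one the two views disagree on,
                # is worth pulling apart from Safe Mode or a clean boot.
                Suspicious = (-not $apiVisible) -or ($apiVisible -ne $dirVisible)
            }
        }
    }
}

Get-RunEntryStatus | Format-Table -AutoSize
```

Run it from each administrative account in turn, as George did by hand: an entry that is Suspicious under one login and clean under another is the pattern he describes, and the follow-up is an offline or Safe Mode look at the file and the registry rather than trusting either live view.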
 

George Hester

Hi Herb:

http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

Well, I can tell you if someone said to me "you are urinating a lot; you have a dry mouth and fruity breath; you feel always run down; and have an unquenchable thirst; sounds like you have Diabetes," I'd say I probably do if I had those symptoms.

This article almost exactly described what I experienced. I'd say it was a User Mode RootKit, but the Kernel one also sounded right for the Registry issues.

I ran his scan tool and it seems I have some issues on a drive that I can remove from Windows 2000. It's a FAT16 drive and the files it contains look like source files. So I really don't know what this means, if anything. I've removed it from Windows 2000. I'll be running the tool again later, but I think I have a clean bill of health. Thanks for that RootKit description. I actually knew about this but never had the need to investigate it.
 

Herb Martin

Hi Herb:

http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
Well, I can tell you if someone said to me "you are urinating a lot; you have a dry mouth
and fruity breath; you feel always run down; and have an unquenchable thirst; sounds
like you have Diabetes," I'd say I probably do if I had those symptoms.

(The above doesn't seem to have anything to do with what I wrote, so
maybe it was in reference to something earlier in the thread.)
This article almost exactly described what I experienced. I'd say it was
a User Mode RootKit, but the Kernel one also sounded right for the Registry issues.

I ran his scan tool and it seems I have some issues on a drive that I can
remove from Windows 2000. It's a FAT16 drive and the files it contains look
like source files. So I really don't know what this means, if anything.
I've removed it from Windows 2000. I'll be running the tool again later, but I
think I have a clean bill of health. Thanks for that RootKit description.
I actually knew about this but never had the need to investigate it.

Glad to help.
 

George Hester

What it means is if you have the symptoms, a diagnosis may be in order. You doubted that a RootKit could be a part of malware. I had the symptoms, and so chances are RootKit as a diagnosis is NOT so far fetched. That's the reason for my analogy. Sorry it escaped you.
 

Herb Martin

George Hester said:
What it means is if you have the symptoms a diagnosis may be in order.

Got that part.
You doubted that a RootKit could be a part of malware.

Not me -- you were reading someone else's comments and replying
to mine.
I had the symptoms and so chances are RootKit as diagnosis is
NOT so far fetched. That's the reason for my analogy. Sorry it escaped
you.


Which is the reason I suggested you download the RootKit Revealer.

See, I was assuming you knew what you were doing. (You sounded
like it.)
 
