http://nothing/

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

No, I do not have any spyware, viruses, adware, or hijackings. I have checked
all of that. I do not have any corrupted files, and I just defragged. But
even after doing everything I can think of, this one still stumps me. My
homepage is set to foxnews.com, yet it will prematurely report "Done.", then
relink to "http://nothing/". All I can think of that would do this would be a
virus or some other malware, yet nothing shows up. Has anyone else had this
problem.
Yes PA Bear, I did go to the sites you listed on another thread, and even
tried Hijackthis. It didn't report back anything that could not be accounted
for.
 
It's definitely malware-like behavior. You should check your firewall logs
to see what servers your computer has been trying to contact.

Thought about a rootkit? Those are undetectable by antivirus / anti-malware
scanners.
 
I tried that too. ZoneAlarm does not report anything that looks questionable,
as of now. There was something a few weeks ago, but nothing now. Could it be
that it does not have to reconnect as the damage is done? How would I check
my roots?
Thanks.
 
Evidentally you are not familiar with rootkits. Most people are equally
unaware.

A rootkit disguises itself as part of the operating system. Because of that
it is undetectable by any program that runs on the operating system
(including Zone Alarm).
 
Ashepe wrote:
How would I check my roots?
Thanks.
Click to expand...

Here is a free tool that will scan your system for "rootkits" also on this
page is an explaination of what a rootkit is.
http://www.sysinternals.com/utilities/rootkitrevealer.html

The paid for version of this program among other things will "prevent" a
rootkit from installing unless you allow it. It will also stop a virus or
malware from disabling your firewall and anti-virus programs.
http://www.diamondcs.com.au/processguard/index.php?page=download
 
Hi,

I am having the same issue, just wondering if you've found out anything
yet, I can figure this one out.

Thanks
 
Thanks for the link. I used RootKit Revealer, and this is what it revealed:

HKLM\S-1-5-21-3910838766-2384526282-270958094-1006\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Connections\SavedLegacySettings 4/15/2006 11:35 AM 87 bytes Data
mismatch between Windows API and raw hive data.
C:\Documents and Settings\Brandon\Local Settings\Temporary Internet
Files\Content.IE5\0NNBM09L\clients[1].js 4/6/2006 10:14 PM 4.24 KB Visible in
Windows API, but not in MFT or directory index.
C:\Documents and Settings\Brandon\Local Settings\Temporary Internet
Files\Content.IE5\0NNBM09L\form[1].php 4/15/2006 11:46 AM 0 bytes Hidden from
Windows API.
C:\Documents and Settings\Brandon\Local Settings\Temporary Internet
Files\Content.IE5\OLIF8TA7\index[2].htm 4/6/2006 8:28 PM 98.13 KB Visible in
Windows API, but not in MFT or directory index.
C:\Documents and Settings\Brandon\Local Settings\Temporary Internet
Files\Content.IE5\OLIF8TA7\nwrmenu_var[1].js 4/6/2006 10:14 PM 25.71
KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Brandon\Local Settings\Temporary Internet
Files\Content.IE5\OLIF8TA7\nwrmenu_var[2].js 4/15/2006 11:51 AM 25.60
KB Hidden from Windows API.
C:\Documents and Settings\Brandon\Local Settings\Temporary Internet
Files\Content.IE5\OLIF8TA7\shows[1].js 4/15/2006 11:51 AM 5.75 KB Hidden from
Windows API.
C:\Documents and Settings\Brandon\Local Settings\Temporary Internet
Files\Content.IE5\T8CJTPKL\form[1].php 4/15/2006 11:34 AM 0 bytes Visible in
Windows API, but not in MFT or directory index.
C:\Documents and Settings\Brandon\Local Settings\Temporary Internet
Files\Content.IE5\T8CJTPKL\index[8].htm 4/15/2006 11:46 AM 0 bytes Hidden
from Windows API.
C:\Documents and Settings\Brandon\Local Settings\Temporary Internet
Files\Content.IE5\WHKH2FWD\clients[1].js 4/15/2006 11:51 AM 4.05 KB Hidden
from Windows API.
C:\Documents and Settings\Brandon\Local Settings\Temporary Internet
Files\Content.IE5\WHKH2FWD\shows[1].js 4/6/2006 10:14 PM 5.85 KB Visible in
Windows API, but not in MFT or directory index.
C:\Documents and Settings\Brandon\Local Settings\Temporary Internet
Files\Content.IE5\Y9VC5CBA\index[4].htm 4/15/2006 11:51 AM 98.13 KB Hidden
from Windows API.
C:\Documents and Settings\Brandon\Local Settings\Temporary Internet
Files\Content.IE5\Y9VC5CBA\index[5].htm 4/15/2006 11:51 AM 98.13 KB Hidden
from Windows API.
C:\Program Files\Common Files\Symantec
Shared\VirusDefs\20060412.005\vscanmsx.dat 4/15/2006 11:44 AM 2.02 KB Hidden
from Windows API.
C:\RECYCLER\NPROTECT\00094365 4/15/2006 11:38 AM 3.15 MB Hidden from Windows
API.

Some of these seem to be innocent, they are just not properly registered
where they should be, how RootkitRevealer would like. Any advice would be
appriciated.
 
Some of these seem to be innocent, they are just not properly registered
where they should be, how RootkitRevealer would like. Any advice would be
appriciated.
Click to expand...

Clear out your Temp internet folder and run F-secure backlight.

This is a very user friendly rootkit finder.

Other rootkit removers can preventors can be found at
www.antirootkit.com
 
I tried F-secure Backlight, but it found nothing. I also tried some of the
other links on the www.antirootkit.com forums. Sofar, if it is a rootkit, it
is not hurting my computer, but it is annoying, since it rerouts my homepage
to http://nothing/
Any more ideas?
 
Back
Top