bizarre DNS (I think) problem


Cory C. Albrecht

Hello all,

I had a weird problem with WinXP Home today.

I was installing Norton AntiVirus for somebody and it couldn't connect
to the liveupdate site (liveupdate.symantecliveupdate.com, according to
the virus definition updater) to download the latest virus definitions.
I couldn't surf to www.symantec.com but I could get to www.norton.com. I
could get to google, my own website and everything else I tried. Rather
odd that www.norton.com would be accessible, but not www.symantec.com.
:-P

When I tried to ping www.symantec.com it gets an IP address of 127.0.0.1
and says can't reach it, same with liveupdate.symantecliveupdate.com.
But if I used nslookup to get the IP number for either hostname it
aliases/CNAMEs back to a568.x.akamai.net which has 3 different IPs
(64.7.128.72, 64.7.128.70, 64.7.128.71). All 3 of those IP addresses are
pingable and traceroutable to. I'm guessing that Internet Explorer and
Symantec LiveUpdate are getting the 127.0.0.1 address, just like ping
is, and that's why they can't connect.

I fiddled about with the network connections (Alcatel USB DSL modem via
PPPoE to sympatico.ca), trying both obtaining the DNS server
automatically via DHCP and trying a handful of specific DNS servers.
Nothing made a difference, however.

Any ideas what is causing the problem and how to fix it?
 
Cory,

I'd bet it's a dns hijack.

To get around the problem temporarily, look up addresses manually, using one of
these websites:
http://www.all-nettools.com/toolbox
http://www.dnsstuff.com/
http://home.planet.nl/~houwe135/wbnt1/#ping-tracert

Search your entire system drive, including hidden and system folders, for file
"hosts". There is one legit copy, in C:\WINDOWS\system32\drivers\etc\. The
others are possibly bogus, and part (but just part) of the problem. Examine the
contents of each copy found, using Notepad. (HINT: Scroll to the end of each
Hosts file, by hitting Ctrl-End, then back up to the top, page by page, before
deciding that the file is empty. Look out for blank lines at the beginning and
end of the file, after localhost, placed there by an exploit!)

How current is your virus protection? Try these free online virus scans:
<http://www.bitdefender.com/scan/license.php>
<http://www.pandasoftware.com/activescan/com/activescan_principal.htm>
<http://www.ravantivirus.com/scan/>
<http://security.symantec.com/ssc/home.asp>
<http://housecall.trendmicro.com/housecall/start_corp.asp>

Now check for, and learn to defend against, additional carriers of infection.
Have you downloaded these programs before? Download them again, as many are
revised frequently, to keep up with the current level of malware being attempted
constantly - get the absolutely most current version of each product listed.
They're all free - and most pretty small, so they download quickly enough.

First, download LSP-Fix and WinsockXPFix from <http://www.cexx.org/lspfix.htm>,
and CWShredder from <http://www.majorgeeks.com/download4086.html>. All are
free.

Next, close all Internet Explorer and Outlook windows, then run CWShredder.
Have it fix all variants.

Now check for, and remove, spyware. Get HijackThis
<http://www.majorgeeks.com/download.php?det=3155> and Spybot S&D
<http://www.safer-networking.org/index.php?page=download>. Both free.
1) Install and run Spybot. First update it ("Search for updates"), then run a
scan ("Check for problems"). Trust Spybot, and make all recommended deletions.
2) Install and run HijackThis. Do NOT make any changes immediately. Save the
HJT Log.
3) Have your HJT log interpreted by experts at one or more of the following
forums (and post it, or a link to your forum post, here):
<http://forums.net-integration.net/>
<http://forums.spywareinfo.com/>
<http://forums.tomcoyote.org/>
<http://www.wilderssecurity.com/>

If removal of any spyware affects your ability to access the internet (some
spyware builds itself into the network software, and its removal may damage your
network), run LSP-Fix and / or WinsockXPFix.

And Cory, please don't contribute to the spread and success of email address
mining viruses. Learn to munge your email address properly, to keep yourself a
bit safer when posting to open forums. Protect yourself and the rest of the
internet - never post your address unmunged.
http://www.mailmsg.com/SPAM_munging.htm

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
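
Added example, not part of any post in this thread: a Python sketch of the hosts-file check described above, flagging names pinned to a local address (the 127.0.0.1 symptom) even when the entries sit below a long run of blank lines. The function name, the benign-name list and the sample file are assumptions constructed for illustration; the optional DNS comparison goes slightly beyond the loopback case in the thread.

```python
import ipaddress

# Names that normally map to loopback in an untouched hosts file (assumed list).
BENIGN = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

def hosts_overrides(text, dns_answers=None):
    """Return (line_no, name, address, reason) for suspicious hosts entries.

    dns_answers is an optional {hostname: set of IP strings} taken from
    nslookup, used to spot entries that disagree with real DNS.
    """
    dns_answers = dns_answers or {}
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # strip comments and padding
        if len(fields) < 2:
            continue                            # blank or incomplete line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an address
        for name in (f.lower() for f in fields[1:]):
            if name in BENIGN:
                continue
            if addr.is_loopback or addr.is_unspecified:
                findings.append((line_no, name, str(addr),
                                 "sinkholed to local address"))
            elif name in dns_answers and str(addr) not in dns_answers[name]:
                findings.append((line_no, name, str(addr),
                                 "differs from DNS answer"))
    return findings

# Constructed sample: a normal localhost line, 40 blank lines of padding,
# then entries that blackhole the hostnames mentioned in the thread.
SAMPLE_HOSTS = (
    "# constructed sample hosts file\n"
    "127.0.0.1       localhost\n"
    + "\n" * 40 +
    "127.0.0.1\twww.symantec.com\n"
    "127.0.0.1   liveupdate.symantecliveupdate.com\n"
)

if __name__ == "__main__":
    for line_no, name, addr, reason in hosts_overrides(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr} ({reason})")
```

Run it against the text of every copy of "hosts" found on the drive; the reported line numbers show how far down the padding pushed the added entries.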
 
127.0.0.1 is your local computer, you're locked in a closed
loop, probably by a virus.


--
The people think the Constitution protects their rights;
But government sees it as an obstacle to be overcome.


| On Mon, 24 May 2004 20:10:07 GMT, *email_address_deleted* (Cory C. Albrecht) wrote:
 
