Sebfori said:
Since being infected by Sasser (now removed), I haven't been able
to access any antivirus website. I looked in the HOSTS file, nothing there
(just 127.0.0.1). I renamed it nonetheless to no avail.
Haven't been able to update NAV either.
When pinging symantec or mcafee, IP address displayed is 127.0.0.1,
which seems wrong.
If your OS is NTx try using nslookup on those names instead.
Assuming that your DNS is not resolving those names to 127.0.0.1
use telnet to test port 80 at the IP addresses nslookup returns. E.g.
telnet www.symantec.com 80
The screen will clear if there is an open port there.
Press Ctrl-[ and enter c and then q to close the connection
and the application.
If the domain names are still resolving to 127.0.0.1 you probably
haven't found the right HOSTS file or (less likely) your dnscache
is retaining that invalid lookup and causing the override. To check
on the latter case and repair it you could try the following two commands:
ipconfig /displaydns | find /i "127.0.0.1"
ipconfig /flushdns
BTW if another /displaydns gives you the same results *after* the
/flushdns it is another strong indication that a HOSTS file override
is still in effect.
There is a known Trojan called QHOSTS which might be responsible
for changing the location of the active HOSTS file. See Symantec's
article about it for more information:
<http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.html>
HTH
Robert Aldwinckle
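
The HOSTS check discussed in this thread can be scripted; the following is an added example, not part of the original posts. It assumes Windows takes the HOSTS directory from the `DataBasePath` value under `Tcpip\Parameters`, and the function names and sample file contents are constructed for illustration.

```python
import ipaddress
import os
import sys

# Names a stock HOSTS file legitimately maps to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

def active_hosts_path():
    """Return the HOSTS file Windows is configured to use, or None off Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    key = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
        value, _ = winreg.QueryValueEx(k, "DataBasePath")  # REG_EXPAND_SZ
    return os.path.join(os.path.expandvars(value), "hosts")

def loopback_overrides(hosts_text):
    """List (line_no, address, name) for non-local names pinned to loopback or 0.0.0.0."""
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        if addr.is_loopback or addr.is_unspecified:
            hits += [(line_no, fields[0], n.lower())
                     for n in fields[1:] if n.lower() not in LOCAL_NAMES]
    return hits

# Constructed sample of a tampered HOSTS file (not taken from a real machine).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
127.0.0.1       www.symantec.com   # added by malware
0.0.0.0         www.mcafee.com
192.0.2.10      intranet.example
"""

if __name__ == "__main__":
    path = active_hosts_path()
    text = SAMPLE_HOSTS
    if path and os.path.exists(path):
        with open(path, encoding="ascii", errors="replace") as fh:
            text = fh.read()
    print("HOSTS file in use:", path or "(constructed sample)")
    for line_no, addr, name in loopback_overrides(text):
        print(f"line {line_no}: {name} -> {addr}")
```

If the printed path is not the usual `%SystemRoot%\System32\drivers\etc\hosts`, the file you inspected or renamed earlier was not the one in effect.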
---