Can't Access AV sites - renaming HOSTS doesn't work

Guest

Since being infected by Sasser (now removed), I haven't been able to access any antivirus website. I looked in the HOSTS file, nothing there (just 127.0.0.1). I renamed it nonetheless to no avail. Haven't been able to update NAV either.
When pinging symantec or mcafee, IP address displayed is 127.0.0.1, which seems wrong. Can't find anything related to any AV website in the registry. Can you help?
Thanks,
SF
 
Guest

I think you have some information wrong. Why would you remove 127.0.0.1?
Go here; it explains HOSTS files and you can download an updated file.
http://mvps.org/winhelp2002/hosts.htm
See if after that you can access AV sites. You may need to reboot.


Sebfori said:
Since being infected by Sasser (now removed), I haven't been able to
access any antivirus website. I looked in the HOSTS file, nothing there
(just 127.0.0.1). I renamed it nonetheless to no avail. Haven't been able to
update NAV either.
When pinging symantec or mcafee, IP address displayed is 127.0.0.1, which
seems wrong. Can't find anything related to any AV website in the registry.
Can you help?
 
H Leboeuf

Your Winsock may be damaged, download the correct program and run it.
http://www.cexx.org/lspfix.htm (Win 98, ME)

http://www.spychecker.com/program/winsockxpfix.html (for Win2k, XP)

--

Henri Leboeuf
Web page: http://www.colba.net/~hlebo49/index.htm
===
Sebfori said:
Since being infected by Sasser (now removed), I haven't been able to
access any antivirus website. I looked in the HOSTS file, nothing there
(just 127.0.0.1). I renamed it nonetheless to no avail. Haven't been able to
update NAV either.
When pinging symantec or mcafee, IP address displayed is 127.0.0.1, which
seems wrong. Can't find anything related to any AV website in the registry.
Can you help?
 
Robert Aldwinckle

Sebfori said:
Since being infected by Sasser (now removed), I haven't been able
to access any antivirus website. I looked in the HOSTS file, nothing there
(just 127.0.0.1). I renamed it nonetheless to no avail.
Haven't been able to update NAV either.
When pinging symantec or mcafee, IP address displayed is 127.0.0.1,
which seems wrong.

If your OS is NTx try using nslookup on those names instead.

Assuming that your DNS is not resolving those names to 127.0.0.1
use telnet to test port 80 at the IP addresses nslookup returns. E.g.
telnet www.symantec.com 80
The screen will clear if there is an open port there.
Press Ctrl-[ and enter c and then q to close the connection
and the application.

If the domain names are still resolving to 127.0.0.1 you probably
haven't found the right HOSTS file or (less likely) your dnscache
is retaining that invalid lookup and causing the override. To check
on the latter case and repair it you could try the following two commands:

ipconfig /displaydns | find /i "127.0.0.1"
ipconfig /flushdns

BTW if another /displaydns gives you the same results *after* the
/flushdns it is another strong indication that a HOSTS file override
is still in effect.

There is a known Trojan called QHOSTS which might be responsible
for changing the location of the active HOSTS file. See Symantec's
article about it for more information:

< http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.html >


HTH

Robert Aldwinckle
---
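Added example, not part of the thread or any poster's code: a Python sketch of the two checks the reply above points toward, namely whether the HOSTS directory has been relocated and whether the active file maps antivirus names to loopback. It assumes the directory comes from the `DataBasePath` value under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`, which you read yourself and pass in. The function names, watch list and sample inputs are constructed for illustration.

```python
import ntpath
import re

# Default DataBasePath value (assumed registry location:
# HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters)
DEFAULT_DB_PATH = r"%SystemRoot%\System32\drivers\etc"

def expand(path, env):
    """Expand %VAR% references from env; Windows variable names ignore case."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)

def hosts_dir_relocated(database_path, env):
    """True when DataBasePath resolves to something other than the default."""
    norm = lambda p: ntpath.normcase(ntpath.normpath(expand(p, env)))
    return norm(database_path) != norm(DEFAULT_DB_PATH)

def loopback_overrides(hosts_text, watch=("symantec", "mcafee")):
    """Return (line_no, ip, name) for watched names mapped to loopback."""
    hits = []
    for no, line in enumerate(hosts_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        if not (ip.startswith("127.") or ip == "::1"):
            continue
        for name in names:
            if any(w in name.lower() for w in watch):
                hits.append((no, ip, name))
    return hits

# Constructed sample inputs (hypothetical, not taken from the thread)
SAMPLE_ENV = {"SystemRoot": r"C:\WINDOWS"}
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
127.0.0.1   www.symantec.com liveupdate.symantecliveupdate.com  # injected
127.0.0.1\tdownload.mcafee.com
10.0.0.5    fileserver
"""

if __name__ == "__main__":
    print("relocated:", hosts_dir_relocated(r"C:\Temp\example", SAMPLE_ENV))
    for hit in loopback_overrides(SAMPLE_HOSTS):
        print(hit)
```

If the directory check reports a relocation, run the second check against the HOSTS file in the directory the registry value names, not the one in the default location.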
 
