Baruch
I upgraded from Win 98 to XP Home today. The upgrade didn't like my
AV or firewall software (AntiVir and Sygate Personal), so I was
unprotected for a while. I also waited too long to install the
various Microsoft patches, thinking that since this was a fresh
install, it would be OK to wait a while. Silly me...
When I tried to install the software (AV and firewall), they wouldn't
work correctly. I went to their respective Websites, did a fresh
download, uninstalled everything, reinstalled, and still no good. The
programs start up and die. Once, it ran long enough to tell me that
it had found a "nachi.b.1 worm". Apparently another name for this is
"welchia".
Then I tried to access McAfee and Symantec, but could not get through
to them - "Cannot Find Server". In fact, almost *any* antivirus
software site was inaccessible.
Any software I had that might give me insight (msconfig, for example)
died right after it started.
Other programs, however, worked fine. I could get to most Websites,
run other programs, whatever. Just security-related stuff.
I tried to ping Symantec and McAfee from the command line, and this is
where it got interesting. Their IP address showed up as 127.0.0.1.
At least now I know why I couldn't access their sites.
I looked at the "hosts" file (on XP Home it's at:
C:\Windows\System32\drivers\etc). It had many entries, which I
produce here:
127.0.0.1 localhost
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
As you can see, many AV companies are redirected to localhost. The
other files in the folder were uncorrupted, and once I fixed hosts I
was able to get to the AV companies without problems.
My questions are:
1. Has anyone encountered a similar situation?
2. Aside from using AV to clean up, and a firewall to keep from
getting reinfected, is there anything else I need to do?
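The symptom described in the post (security-vendor domains resolving to 127.0.0.1 because the hosts file was rewritten) is easy to check for mechanically. The following is an added example, not part of the original post: a small Python auditor that parses a hosts file, reports every hostname mapped to a loopback address other than the handful of names that legitimately belong there, and rebuilds the file with the hijacking entries removed. The sample hosts text and the Windows path default are constructed for the example; the set of "legitimate loopback names" is an assumption you may need to extend for your own environment.

```python
import ipaddress

# Constructed sample in the shape of the hijacked hosts file from the post:
# comment lines, a blank line, the normal localhost entry and several vendor
# names pointed at loopback (one with a trailing comment, one sharing a line
# with localhost).
SAMPLE_HOSTS = """\
# constructed comment line, as a real hosts file would carry

127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 liveupdate.symantec.com   # trailing comment
127.0.0.1 www.mcafee.com
127.0.0.1 localhost www.trendmicro.com
"""

# Assumption: these are the only names that should ever map to loopback.
LEGITIMATE_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Default location on Windows (the path the post mentions); assumption for Linux/macOS: /etc/hosts.
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text):
    """Return a list of (ip_address, hostname) pairs from hosts-file text.

    Comments (anything after '#'), blank lines, malformed lines and lines whose
    first field is not an IP address are skipped. A single line may carry
    several hostnames, so one line can yield several pairs.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def find_loopback_hijacks(entries):
    """Return the sorted hostnames mapped to a loopback address (127.0.0.0/8 or ::1)
    that are not in LEGITIMATE_LOOPBACK_NAMES. Any hit is a sign of tampering."""
    return sorted({name for ip, name in entries
                   if ip.is_loopback and name not in LEGITIMATE_LOOPBACK_NAMES})


def audit_hosts_text(text):
    """Parse and audit hosts-file text in one step."""
    return find_loopback_hijacks(parse_hosts(text))


def audit_hosts_file(path=WINDOWS_HOSTS_PATH):
    """Audit a hosts file on disk; returns the list of suspicious hostnames."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts_text(fh.read())


def clean_hosts_text(text):
    """Return hosts text with hijacking names removed.

    Comments, blank lines and untouched entries are kept verbatim. A line that
    mixes a legitimate name with hijacked ones (e.g. '127.0.0.1 localhost evil')
    is rewritten to keep only the legitimate names; a line with nothing
    legitimate left is dropped.
    """
    kept = []
    for raw in text.splitlines():
        entries = parse_hosts(raw)
        hijacked = set(find_loopback_hijacks(entries))
        if not hijacked:
            kept.append(raw)
            continue
        survivors = [name for _, name in entries if name not in hijacked]
        if survivors:
            kept.append(f"{entries[0][0]} {' '.join(survivors)}")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Run against the constructed sample; on a real machine call audit_hosts_file().
    for name in audit_hosts_text(SAMPLE_HOSTS):
        print(f"loopback hijack: {name}")
    print("--- cleaned ---")
    print(clean_hosts_text(SAMPLE_HOSTS), end="")
```

The audit deliberately keys on the destination address rather than on a list of vendor names: the post shows the worm's list reaching across Symantec, McAfee, Sophos, Kaspersky, CA, F-Secure and Trend Micro, and any future variant can add domains, but a public hostname mapped to loopback is anomalous regardless of who owns it. Note that `clean_hosts_text` only reverses the hosts-file symptom; the worm process and its restart mechanism still need to be removed, as the post's own plan (AV cleanup plus patches and a firewall) reflects.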