Ping avg.com local host


8 replies to this topic

#1 Lenny--

  • Members
  • 5 posts

Posted 11 January 2009 - 09:47 PM

First time asking for help. I am at my wits' end.

Every time I ping avg.com I get the local host 127.0.0.1.

There are no entries in the hosts file. I clear the DNS resolver cache and still get local host. When I add avg.com to the hosts file the reverse DNS pointer is correct in the resolver cache but the A record shows up as local host.

I have disabled NetBIOS and there is no lmhosts file.

I realize ping is a Winsock app and I have double-checked Winsock and any bogus LSP. I searched for ADS and rootkits and found none.

I have rebuilt the TCP/IP stack by removing the NIC, deleting the NIC enumerations and reinstalling.

I did a packet capture and no ICMP packet is even created. Of course nslookup works, as it queries the DNS directly. My thinking is that there may be a hostname alias, because with the way MS does name resolution for pings it would stop there and not create an ICMP packet. I can't seem to find any but am not quite sure where to look.

Any ideas?


#2 Lenny--

  • Topic Starter
  • Members
  • 5 posts

Posted 13 January 2009 - 10:27 PM

I am not sure how to move this; it may be for the networking gurus.

I totally rebuilt TCP/IP and Winsock from the instructions in that forum. Also did some experimentation. That reinforces my idea that it has to do with an alias.

I disabled dnscache and still ping avg.com to local host 127.0.0.1. I fooled around with the DNS cache provider order, same results. Added the PrioritizeRecordData=1 DWORD, which is supposed to force the DNS query beyond the local subnet in case of round-robin applications. Same results: ping avg.com and it returns 127.0.0.1 (remember I do not have any hosts entry but a dummy one for avg.com to resolve to 10.53.10.10, and there is no lmhosts file). I even disabled dnscache and it still resolves to 127.0.0.1.

Given all that, and knowing the first thing ping does when resolving is check to see if it is a localhost name and stops (remember I did a packet capture and there was no ICMP packet created). Second, after turning the DNS cache back on the resolver caches an A record for avg.com and the record name is "localhost", see output below.

avg.com
----------------------------------------
Record Name . . . . . : localhost
Record Type . . . . . : 1
Time To Live . . . . : 602447
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 127.0.0.1

must be an alias for "localhost", but where....... please help. Thanks
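A defender-side check built from the two signals in this post, added here as an example that is not from the thread: it parses the text layout of `ipconfig /displaydns` (a constructed sample is embedded) and flags cached names whose Record Name was swapped for a different name or whose A record is a loopback address. The field labels and sample values are assumed from the output quoted above.

```python
import ipaddress
# Constructed sample in the layout of `ipconfig /displaydns`; the avg.com block mirrors
# the cache state shown in the post, lenny.com is a clean entry for comparison.
SAMPLE_DISPLAYDNS = """
    avg.com
    ----------------------------------------
    Record Name . . . . . : localhost
    A (Host) Record . . . : 127.0.0.1

    lenny.com
    ----------------------------------------
    Record Name . . . . . : lenny.com
    A (Host) Record . . . : 10.53.10.10
"""

def parse_displaydns(text):
    """Return [(queried_name, {field: value})]; a block is a name line, a dash line,
    then "Field . . . : value" lines up to the next blank line (first record only)."""
    entries, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        if i and line.strip() and set(line.strip()) == {"-"}:
            fields = {}
            for field_line in lines[i + 1:]:
                if not field_line.strip():
                    break
                if ":" in field_line:  # split on the first colon; drop the dotted leader
                    key, _, value = field_line.partition(":")
                    fields[key.rstrip(" .").strip()] = value.strip()
            entries.append((lines[i - 1].strip(), fields))
    return entries

def suspicious_entries(entries):
    """Flag cached answers that send a public name to the local machine, using the two
    signals from the post: Record Name differs from the queried name, A record is loopback."""
    hits = []
    for name, fields in entries:
        queried = name.rstrip(".").lower()
        record = fields.get("Record Name", "").rstrip(".").lower()
        addr = fields.get("A (Host) Record", "")
        reasons = []
        if record and record != queried:
            reasons.append(f"record name '{record}' differs from queried name")
        try:
            if queried != "localhost" and ipaddress.ip_address(addr).is_loopback:
                reasons.append(f"A record {addr} is a loopback address")
        except ValueError:  # block has no parsable A record
            pass
        if reasons:
            hits.append((queried, reasons))
    return hits
```

On a real Windows box, feed it the output of `ipconfig /displaydns` instead of the sample; a hosts-file entry for a test name should parse as a clean entry while a hijacked name shows both reasons.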

#3 Lenny--

  • Topic Starter
  • Members
  • 5 posts

Posted 15 January 2009 - 09:41 AM

Just came across another computer with the same thing. Ping avg.com replies with 127.0.0.1. This is the third computer I have come across with this and I have spent hours and days trying to figure this thing out. I know it would be easier to just rebuild but I just need to know how it is doing this. It can't be a fluke. I added entries like lenny.com to the hosts file and they resolve as expected. I added avg.com in hosts and it still resolves to 127.0.0.1 no matter what. I turn off the DNS cache, I change the DNS server priority, I even try adding to lmhosts and it always pings to 127.0.0.1 no matter what.

I have checked internet zones, my computer zone, hostname aliases and find nothing. HJT log looks clean; tcpip.sys and dnsrslvr.dll all seem legit, even copied from a known good computer. I have used netdiag, ipseccmd /debug and nothing.

I would love any suggestions. I really would love to track this down before a system rebuild.

The only thing I can figure is some type of IIS server with root aliases. All three computers have the same similarities: a bunch of open TCP 1516 ports, local computer to local host, and the Google results links are being hijacked by some active script (not Java) to go to random search pages.

Turn off active scripting and Google results work fine (would like to find which script is causing it but not sure how to do that). I added an IPSEC filter to block TCP 1516 both inbound and outbound and it still pings to 127.0.0.1.

I am going to do a command-level virus scan using Panda and sfc /scannow and see what it finds. AVG, Spybot found nothing.

#4 Lenny--

  • Topic Starter
  • Members
  • 5 posts

Posted 15 January 2009 - 06:37 PM

Found it. It was a rootkit after all. TDSS DNS changer. Funny thing is I think this is a new variant and Panda and GMER didn't find it. Supposedly, from what I have read online, this one avoids its detection. I was able to find it using, of all things, Spybot RootAlyzer (perhaps low/old tech under the radar?). Low/old tech is a good strategy for avoiding and detecting hacks sometimes.

Anyway, was able to clean up quickly using a Bart's PE disk. Searched the hard drive and removed all TDSS files and searched and deleted all TDSS in the remote registry (C drive registry for the Bart's PE plugin). Deleted page file and DLL cache and temp directories just in case.
Also for good measure disconnected from the network and powered off to clear memory.
I guess I could remove the IPSEC filter for 1056 but I don't think it is used for anything anyway.

Re-booted and DNS is back to normal, netstat looks good and the Google results hijack has been removed so I can re-enable active scripting.

Just running my regimen of scans, AVG, Spybot, Ad-Aware and HJT under each user's ID to be sure the system is clean. I have never tried it but I'll try Malwarebytes this time too. Bleeping Computer seems to recommend this so it should be pretty good.

I am sorry no one could help me with this particular problem but I think this website is great. I have picked up a lot of good ideas from it. And the people that help out users are great; they must have a lot of patience and knowledge. Keep up the good work.

#5 Lenny--

  • Topic Starter
  • Members
  • 5 posts

Posted 15 January 2009 - 09:11 PM

One last thing. I found a rather neat way to detect if you have this.

Just create a TDSS.txt file and see if it disappears. If you're infected it will go to 0 bytes and disappear.

#6 RknRusty

  • Members
  • 396 posts
  • Gender:Male
  • Location:South Carolina

Posted 15 January 2009 - 09:40 PM

Well dang, Lenny, you're a one man support team. :>

#7 lowtek_otc

  • Members
  • 280 posts

Posted 16 January 2009 - 02:16 AM

> One last thing. I found a rather neat way to detect if you have this.
>
> Just create a TDSS.txt file and see if it disappears. If you're infected it will go to 0 bytes and disappear.

Yeah, I seem to have to use Avenger for TDSSserv and other TDSS kits and infections. Nasty.

#8 mawelsh

  • Members
  • 51 posts

Posted 24 January 2009 - 10:41 AM

> Anyway, was able to clean up quickly using a Bart's PE disk. Searched the hard drive and removed all TDSS files and searched and deleted all TDSS in the remote registry (C drive registry for the Bart's PE plugin). Deleted page file and DLL cache and temp directories just in case.

Thanks Lenny! I had a computer with the exact same condition and followed your instructions to get TDSS off so I could regain control of the system. It has multiple infections so I'm working on the rest, but this was KEY!!!

#9 hamluis

  • Moderator
  • 56,261 posts
  • Gender:Male
  • Location:Killeen, TX

Posted 24 January 2009 - 11:27 AM

Very good example of self-help, well done :thumbsup:.

Louis