
Certain Sites, Such As Google.com Are Blocked


11 replies to this topic

#1 octavius
Posted 10 May 2007 - 12:08 AM

Hi,
Today I started having a problem, and it seems to be getting worse. The problem is that I can't get to www.google.com via my browsers, both IE and Firefox. I can get to other web sites. From the command prompt, I could PING www.google.com, and got back 216.239.37.104.

Seems weird. I looked everywhere I could think of, but I'm not really sure where this kind of thing is controlled. I ran Spybot, Windows Defender, and Adaware all today after this started. Spybot and Windows Defender reported everything was fine. However, while I was poking around, I opened the Windows Firewall program and was looking at it; while I was doing that, Windows Defender popped up and reported something was doing something it wasn't supposed to be doing: BrowserModifier:Win32/Matcash, and WD offered to remove it. I clicked OK.

Then I noticed that a program named chuck.exe in a temporary directory had an exclusion in the firewall, so I removed the exclusion. I looked in the directory where the firewall said the program lived, nothing was there.

Then I downloaded, installed, and ran Adaware. It found all kinds of things and removed them all, one of which it could not remove until I rebooted. I think it was named virtualdns.dll, but I failed to write the name down.

Anyway, Adaware reports everything is ok now, but still I can't get to www.google.com, and also now not my gmail account (it appears my login has expired and gmail is trying to get to google.com to verify my information).

Now, PING also fails to reach www.google.com.

I'm tempted to download and run HijackThis, but thought I'd stop, take a breath, and ask for advice. Is there any non-malware issue that could have caused this? Is there a suggested way to isolate the cause? The main clues, to me, are that I can get to most web sites; the only ones I can't get to, as far as I know, are www.google.com and www.gmail.com. Would malware be that specific?

Help?

Kind Regards,
Octavius

#2 oldf@rt
Posted 10 May 2007 - 12:24 AM

Hello, octavius, welcome to Bleeping Computer. The return that you are getting on your ping does not resolve to www.google.com. It should be 72.14.253.147. Please download LSP Fix, here: http://www.bleepingcomputer.com/files/lspfix.php

Run the program, and please post the files listed in the left-hand pane. If you can, I would also like to look at a copy of your hosts file. It can be found on your computer here: C:\windows\system32\etc\hosts . It should be hidden.
The name says it all -- 59 and holding permanently

**WARNING** Links I provide might cause brain damage

#3 octavius
Posted 10 May 2007 - 01:03 AM

Hi, thanks for the response. The files listed from lspfix are:
mswsock.dll
winrnr.dll
rsvpsp.dll

My hosts file, found at c:\windows\system32\drivers\etc\hosts contains:
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

#4 oldf@rt
Posted 10 May 2007 - 01:16 AM

Try this: Start, Run, cmd, Enter. Type ipconfig /flushdns, Enter.
Then type ipconfig /release, Enter.
ipconfig /renew

ping 72.14.253.147 (Google)

ping 64.233.167.49 (Gmail)

Then go to the Services console: compmgmt.msc, Services and Applications, click the plus, click Services, and check that the DNS Client in the Standard tab is set to Automatic.

#5 octavius
Posted 10 May 2007 - 10:04 AM

Ok, I did the ipconfig commands (flush, release, renew)

I'm able to ping the 2 IP addresses you give, and I get responses from both.

However, when I do ping www.google.com, it still attempts to ping 216.239.37.104, not the address you give. Could google have more than one IP and could they be different by region?

Also, my DNS client is set to start automatically.

I tried the google IP address in my browser, it goes to a page that looks like google, though a bit different. I tried the one you gave for gmail, it took a while, then redirected me to this url : http://www.sedoparking.com/49.com

Still, if I put www.google.com in my browser, it just times out...

---------- edited ----------

I did some searching (using the direct google IP you gave) and found that GOOGLE does in fact have many IP addresses, see this site to see a list: http://64.233.161.99/search?q=cache:vnX3GY...t=clnk&cd=6

So, for some reason my computer thinks it should be 216.239.37.104, which IS on that list, but which I can't ping. Could this be an issue with my ISP?

Even if I do a Google search at 64.233.161.99, when I click on one of the results, it tries to take me to an address that starts www.google.com... which then times out.

This is so weird. Any thoughts?

Edited by octavius, 10 May 2007 - 10:26 AM.


#6 oldf@rt
Posted 10 May 2007 - 01:47 PM

Yes. To me all the networking looks OK. You are increasingly describing a malware problem. Have you checked the preparation guide for posting a HijackThis log?

Another question, are you running an antivirus along with windows defender?

Try to download rogue remover, here http://www.malwarebytes.org/rogueremover.php

install the program, update the database and run a scan. have it remove everything that it finds.

post here and let us know the results.

Edited by oldf@rt, 10 May 2007 - 01:48 PM.


#7 octavius
Posted 10 May 2007 - 11:36 PM

Somebody suggested I edit the hosts file to put in known good IP values for google, and that has fixed the short term issue. Still not sure why I get a bad IP address for GOOGLE, but others have verified they can't ping it either. NSLOOKUP google.com and PING google.com were returning different values for me. I think it might be an issue between my ISP (Comcast) and Google.

Can anybody else get a result from pinging the IP I gave? Because it is a valid Google IP, and it seems to be bad...

#8 oldf@rt
Posted 11 May 2007 - 12:04 AM

I just ran a tracert to the IP you gave (tracert 216.239.37.104) and it timed out. See if you can run the same, and where it times out. Here are my results; you can see the problem is outside the ISP for me.

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

Tracing route to va-in-f104.google.com [216.239.37.104]
over a maximum of 30 hops:

1 8 ms 8 ms 9 ms 10.148.64.1
2 10 ms 14 ms 6 ms 68.2.8.65
3 8 ms 19 ms 16 ms 68.2.12.74
4 8 ms 20 ms 8 ms 68.2.12.1
5 12 ms 8 ms 7 ms chnddsrj02-ae1.0.rd.ph.cox.net [68.2.14.13]
6 50 ms 40 ms 39 ms paltbbrj02-so200.0.r2.pt.cox.net [68.1.0.30]
7 36 ms 42 ms 39 ms 68.105.31.62
8 40 ms 39 ms 39 ms 209.85.130.8
9 70 ms 75 ms 73 ms 216.239.46.45
10 84 ms 89 ms 89 ms 216.239.46.225
11 83 ms 92 ms 90 ms 72.14.238.233
12 86 ms 87 ms 89 ms 66.249.95.126
13 90 ms 91 ms 89 ms 72.14.232.106
14 92 ms * * 216.239.48.110
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.

Trace complete.

As you can see, that particular address does not respond.

Your problem is that even when you flush the DNS cache, you keep going back to the same place.

"I think it was named virtualdns.dll, but I failed to write the name down."

This is what is worrying me. If you can, do a search of your hard drive for vir*.*, and make sure you search all hidden and system files.

The files related to that name come up with this:

http://www.ca.com/us/securityadvisor/virus...s.aspx?id=61569

Please download HijackThis from the link here on Bleeping Computer and post a HijackThis log in the correct forum. If you have any other questions, please ask. Please make no further changes to your computer; any changes can delay or ruin fixes from the HijackThis team member.

#9 octavius
Posted 11 May 2007 - 11:01 AM

OK, I've run tracert on the original IP, and the *fixed* one. This is the original:
C:\>tracert 216.239.37.104

Tracing route to www.google.com [216.239.37.104]
over a maximum of 30 hops:

1 * * * Request timed out.
2 9 ms * 10 ms GE-1-5-ur01.seattle.wa.seattle.comcast.net [68.86.99.49]
3 9 ms 6 ms * te-9-3-ur02.seattle.wa.seattle.comcast.net [68.86.96.98]
4 * 9 ms * te-9-1-ar01.seattle.wa.seattle.comcast.net [68.86.96.102]
5 9 ms 15 ms 9 ms 68.86.96.174
6 14 ms 10 ms 9 ms 68.86.90.217
7 11 ms 10 ms 9 ms te-3-3.car1.Seattle1.Level3.net [4.79.104.109]
8 9 ms 8 ms 9 ms GOOGLE-INC.car1.Seattle1.Level3.net [4.79.104.74]
9 57 ms 9 ms 59 ms 216.239.43.81
10 75 ms 73 ms 74 ms 209.85.248.220
11 86 ms 79 ms 77 ms 66.249.94.232
12 77 ms 74 ms 76 ms 72.14.232.108
13 76 ms * 91 ms 66.249.95.126
14 * * 79 ms 216.239.48.94
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.


This is the *fixed*

C:\>tracert www.google.com

Tracing route to www.google.com [72.14.253.103]
over a maximum of 30 hops:

1 * * * Request timed out.
2 8 ms * 8 ms GE-1-5-ur01.seattle.wa.seattle.comcast.net [68.86.99.49]
3 10 ms 8 ms 19 ms te-9-3-ur02.seattle.wa.seattle.comcast.net [68.86.96.98]
4 9 ms * 10 ms te-9-1-ar01.seattle.wa.seattle.comcast.net [68.86.96.102]
5 10 ms 8 ms 9 ms 68.86.96.174
6 9 ms 9 ms 8 ms 68.86.90.217
7 11 ms 9 ms 11 ms te-3-3.car1.Seattle1.Level3.net [4.79.104.109]
8 9 ms 8 ms 9 ms GOOGLE-INC.car1.Seattle1.Level3.net [4.79.104.74]
9 14 ms 13 ms 13 ms 66.249.95.208
10 14 ms 13 ms 13 ms 72.14.239.12
11 16 ms 25 ms 14 ms 216.239.46.203
12 16 ms 24 ms 18 ms 72.14.233.29
13 16 ms 15 ms 17 ms 72.14.233.29
14 21 ms 28 ms 18 ms google.com [72.14.253.103]


They both seem to time out at the 1st hop, though I'm able to use Google now with the fixed value in my HOSTS file.

My question is, before running yet another program on my system (I've already run Spybot, Adaware, and Windows Defender), is there a way to determine where/how the bad Google IP gets returned to me? Based on my limited understanding of IP addresses and DNS servers, isn't it my ISP that takes my request to get to WWW.GOOGLE.COM and returns the IP, and in my case a bad one? My ISP is Comcast, and I've read they have had problems with Google in the past.

I guess I'd like to know if the problem could be with my ISP, before doing yet more to my laptop, and I'm curious if there is a way to make that determination?

BTW, I did the check for vir*.*, hidden files too, I think adaware cleaned it off already.

#10 oldf@rt
Posted 11 May 2007 - 02:23 PM

That is why I would like for you to post a HijackThis log. There still may be something there that your anti-spyware programs are missing. Do you have an antivirus program? Timing out on the first hop is also a sign that there is possibly some malware still left on the machine.

#11 octavius
Posted 13 May 2007 - 11:41 AM

OK, I re-ran AdAware, Spybot S&D, disk cleaner, and a virus package, all as preparation for running HijackThis. In the meantime Comcast called me back and we ran some tests using PING & NSLOOKUP, which the rep said verified that the issue was not Comcast's. The weird thing is that NSLOOKUP and PING return different values for WWW.GOOGLE.COM, but not for GOOGLE.COM.

This morning, on a lark, I looked again in C:\windows\system32\drivers\etc and noticed there was a hosts.ics file that I had not looked at yet, I had only been looking at the HOSTS file with no extension.

Anyway, I opened hosts.ics, and sure enough, it contained a single entry: 216.239.37.104 www.google.com

I commented out that entry, removed the temporary lines from the regular HOSTS file

72.14.253.103 google.com
72.14.253.103 www.google.com

and everything is working now.

So, I think the problem was this. I had 216.239.37.104 www.google.com in the HOSTS.ICS file, but didn't know about it. I don't recall how it got there; probably put there by one of the tech guys at the place I used to work. That was, until a couple of days ago, a valid and working IP for Google, but that stopped being the case, hence it broke my machine.

I've done some brief reading about HOSTS.ICS, sounds like a windows XP specific file but I don't really understand why there is a HOSTS file and also a HOSTS.ICS file.

#12 oldf@rt
Posted 13 May 2007 - 06:04 PM

The hosts.ics file is added when Internet Connection Sharing is turned on. It will only show up on the computer with the shared connection. I have also seen it added when internet connections are hijacked by malware. Anyhow, great that your connection is back.
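A way to answer the question in #9 (where the wrong www.google.com address comes from) and to catch the cause found in #11 in a single pass, as an added example that is not part of the thread: the script below parses both hosts and hosts.ics with the rules the Windows resolver applies to these files (IP address in the first column, one or more names after it, '#' starts a comment) and flags any name pinned to a non-loopback address, or any name on a watchlist regardless of address. The reason PING and NSLOOKUP disagreed is that ping and browsers go through the system resolver, which consults these files before asking DNS, while nslookup queries the DNS server directly and never reads them. The file location, the BENIGN_NAMES set and the sample contents are assumptions made for this example; the sample entries mirror the ones posted in the thread.

```python
"""Audit Windows hosts and hosts.ics for entries that override DNS."""
import ipaddress
from pathlib import Path

# Assumed default location of the resolver files on Windows.
HOSTS_DIR = Path(r"C:\Windows\System32\drivers\etc")
HOSTS_FILES = ("hosts", "hosts.ics")

# Names a stock machine legitimately pins to itself (assumed list).
BENIGN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Parse hosts-file syntax into (ip, name, line_no) tuples.

    Handles '#' comments, blank lines and several aliases on one line, and
    skips lines whose first field is not a valid IPv4/IPv6 address.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an IP address: not an entry
        for name in fields[1:]:
            entries.append((str(ip), name.lower().rstrip("."), line_no))
    return entries


def find_overrides(entries, watchlist=()):
    """Return the entries that redirect a real name somewhere.

    Flagged: a non-benign name mapped to a non-loopback, non-unspecified
    address (a pin like the hosts.ics line in the thread), or any name on the
    watchlist (exact or as a subdomain) whatever the address, so that a
    127.0.0.1 block of a watched domain is reported as well.
    """
    watch = tuple(w.lower() for w in watchlist)
    flagged = []
    for ip, name, line_no in entries:
        addr = ipaddress.ip_address(ip)
        watched = any(name == w or name.endswith("." + w) for w in watch)
        benign = name in BENIGN_NAMES or addr.is_loopback or addr.is_unspecified
        if watched or not benign:
            flagged.append((ip, name, line_no))
    return flagged


def audit(files, watchlist=()):
    """Audit {filename: contents}; returns [(file, ip, name, line_no), ...]."""
    findings = []
    for fname, text in files.items():
        for ip, name, line_no in find_overrides(parse_hosts(text), watchlist):
            findings.append((fname, ip, name, line_no))
    return findings


# Constructed sample mirroring the thread: a clean hosts file and a hosts.ics
# that pins www.google.com to one address.
SAMPLE_FILES = {
    "hosts": "# Copyright (c) 1993-1999 Microsoft Corp.\n\n127.0.0.1 localhost\n",
    "hosts.ics": "216.239.37.104 www.google.com\n",
}


def main():
    files = {}
    for fname in HOSTS_FILES:
        path = HOSTS_DIR / fname
        if path.is_file():
            files[fname] = path.read_text(errors="replace")
    if not files:  # not on Windows, or no access: run against the sample
        files = SAMPLE_FILES
    for fname, ip, name, line_no in audit(files, watchlist=("google.com",)):
        print(f"{fname}:{line_no}: {name} pinned to {ip}")


if __name__ == "__main__":
    main()
```

Run it as Administrator so hosts.ics is readable even when it is hidden; on a machine with the thread's configuration the output names hosts.ics rather than hosts, which is the file the earlier posts never looked at. A hit for a name you did not pin yourself is a resolver hijack regardless of whether the address still works, since whoever wrote the entry, not DNS, now decides where that name goes.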
