
Websites not loading ... virus ??

  • 15-04-2012 1:01pm
    #1
    Registered Users Posts: 296 ✭✭


    I cannot load SANS, Microsoft, AVG etc ... websites associated with security. I cannot load updates for virus checking because of this.

    I have another partition with Windows 7, I can load all websites on this partition.

    I loaded AVG on Windows 7 Partition, and ran it on the primary partition (Windows XP), it caught some malware. Also used Malwarebytes on it.

    The problem still persists ....

    Have checked HOST file, and nothing out of the ordinary ...



    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\*******>ping www.sans.org
    Ping request could not find host www.sans.org. Please check the name and try again.

    C:\Documents and Settings\*******>ping www.microsoft.com
    Ping request could not find host www.microsoft.com. Please check the name and try again.

    C:\Documents and Settings\*******>ping www.rte.ie

    Pinging www.rte.ie.nsatc.net [89.207.56.140] with 32 bytes of data:

    Reply from 89.207.56.140: bytes=32 time=13ms TTL=60
    Reply from 89.207.56.140: bytes=32 time=12ms TTL=60
    Reply from 89.207.56.140: bytes=32 time=12ms TTL=60
    Reply from 89.207.56.140: bytes=32 time=11ms TTL=60

    Ping statistics for 89.207.56.140:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 11ms, Maximum = 13ms, Average = 12ms

    C:\Documents and Settings\*******>tracert www.sans.org
    Unable to resolve target system name www.sans.org.

    C:\Documents and Settings\*******>tracert www.rte.ie

    Tracing route to www.rte.ie.nsatc.net [89.207.56.140]
    over a maximum of 30 hops:

    1 13 ms 13 ms 9 ms 176.61.82.1
    2 22 ms 13 ms 10 ms 109.255.250.222
    3 14 ms 12 ms 14 ms 84.116.238.62
    4 14 ms 13 ms 14 ms mat-r-10ge-0-0-3.rte.ie [193.242.111.42]
    5 20 ms 16 ms 14 ms www.rte.ie [89.207.56.140]

    Trace complete.

    C:\Documents and Settings\*******>






    Any ideas ?


Comments

  • Closed Accounts Posts: 465 ✭✭pacquiao


    Try pinging the ip address of microsoft, sans etc. Maybe something has hooked a function required to make a dns request?
    Also try surfing the sites using the ip address.
    Post up your "netstat -f" output while you're trying to surf those particular sites.

    If none of the above works try "net stop dnscache" and try the above again.

    just thought of another thing too.

    have a look at the output from this command "ipconfig /displaydns"


  • Registered Users Posts: 296 ✭✭CFC1969


    PacMan

    Thanks for your reply, used your IPCONFIG command, found some strange websites, connected to one using HTTP and this is the page I get.

    Will get back with more stuff

    http://www.elvoa.cn/

    Conficker Sinkhole By CNCERT/CC!

    This domain is possibly used by Conficker Computer Worm.If you have any related problems,please contact CNCERT/CC.


    Email:cncert@cert.org.cn

    If the website you visited is a normal site , please click here



  • Closed Accounts Posts: 465 ✭✭pacquiao


    Good stuff glad you found the problem.
    I just had a read about the worm and it hooks functions involved in dns lookups.


    The complete list of strings blocked in DNS requests is below:
    
     
    cert.
    sans.
    bit9.
    vet.
    avg.
    avp.
    nai.
    windowsupdate
    wilderssecurity
    threatexpert
    castlecops
    spamhaus
    cpsecure
    arcabit
    emsisoft
    sunbelt
    securecomputing
    rising
    prevx
    pctools
    norman
    k7computing
    ikarus
    hauri
    hacksoft
    gdata
    fortinet
    ewido
    clamav
    comodo
    quickheal
    avira
    avast
    esafe
    ahnlab
    centralcommand
    drweb
    grisoft
    eset
    nod32
    f-prot
    jotti
    kaspersky
    f-secure
    computerassociates
    networkassociates
    etrust
    panda
    sophos
    trendmicro
    mcafee
    norton
    symantec
    microsoft
    defender
    rootkit
    malware
    spyware
    virus
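
The symptom in this thread (security-related names fail to resolve while other sites work) can be checked systematically. The following is an added example, not part of the original posts: it probes a mix of names and reports whether failures line up with the blocked substrings. The function names, the subset of strings chosen and the sample resolver data are assumptions made for illustration.

```python
import socket

# Subset of the blocked substrings quoted in the post above.
BLOCKED_SUBSTRINGS = ("cert.", "sans.", "avg.", "windowsupdate", "f-secure",
                      "kaspersky", "sophos", "symantec", "microsoft", "malware")


def matches_blocklist(hostname):
    """Return the first blocked substring found in hostname, else None."""
    name = hostname.lower()
    return next((s for s in BLOCKED_SUBSTRINGS if s in name), None)


def system_resolver(hostname):
    """Resolve through the operating system's resolver; None on failure."""
    try:
        return socket.gethostbyname(hostname)
    except OSError:
        return None


def triage(hostnames, resolve=system_resolver):
    """Classify DNS failures as selective blocking, general outage, or healthy."""
    rows = [(h, matches_blocklist(h), resolve(h)) for h in hostnames]
    listed = [r for r in rows if r[1]]
    controls = [r for r in rows if not r[1]]
    if not listed or not controls:
        verdict = "inconclusive: need both listed and control names"
    elif all(ip is None for _, _, ip in rows):
        verdict = "general DNS failure"
    elif all(ip is None for _, _, ip in listed) and all(ip for _, _, ip in controls):
        verdict = "selective blocking of security-related names"
    elif all(ip for _, _, ip in rows):
        verdict = "no blocking observed"
    else:
        verdict = "mixed results: investigate individually"
    return verdict, rows


# Constructed sample mirroring the ping results in the first post.
SAMPLE_ANSWERS = {"www.rte.ie": "89.207.56.140"}

if __name__ == "__main__":
    names = ["www.sans.org", "www.microsoft.com", "www.rte.ie"]
    verdict, rows = triage(names, resolve=SAMPLE_ANSWERS.get)
    for host, hit, ip in rows:
        print(f"{host:20} blocked-substring={hit!s:10} resolved={ip}")
    print(verdict)
```

Calling `triage(names)` without the `resolve` argument uses the machine's own resolver, so it needs to run on the affected system to be meaningful.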
    


  • Registered Users Posts: 296 ✭✭CFC1969


    Pacman,


    Owe ya one, the F-Secure tool was downloadable from the alternate link, and used the --disinfect with the tool, automatically rebooted, and can now access sites.


    Thanks again


  • Closed Accounts Posts: 465 ✭✭pacquiao


    CFC1969 wrote: »
    Pacman,


    Owe ya one, the F-Secure tool was downloadable from the alternate link, and used the --disinfect with the tool, automatically rebooted, and can now access sites.


    Thanks again
    That's the job. You're welcome.


  • Registered Users Posts: 367 ✭✭900913


    What's That http://www.elvoa.cn/ found with ipconfig /displaydns

    I found the same thing.

    ipconfig /displaydns > dns.txt

    www.elvoa.cn
    Record Name . . . . . : www.elvoa.cn
    Record Type . . . . . : 1
    Time To Live . . . . : 21425
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 221.8.69.25

    * A while back my Avast had trouble updating but it's been fine updating now for months.


  • Registered Users Posts: 296 ✭✭CFC1969


    Read this

    http://www.secureworks.com/research/threats/downadup-removal/


    Use the F-Secure alternative link, and run the tool with

    --disinfect

    You have Conficker on your laptop


  • Registered Users Posts: 367 ✭✭900913


    I downloaded ftp://193.110.109.53/anti-virus/tools/beta/f-downadup.zip
    But 5 mins into the scan I got blue screen of death (BSOD).
    So now I'm using my dual boot ubuntu. I should be able to scan my win7 partition from within ubuntu, maybe using Wine.

    I will search google for a linux app that will find and clean Conficker.

    Thanks for the info CFC1969


  • Registered Users Posts: 1,691 ✭✭✭JimmyCrackCorn


    Use f-prot linux edition

    It can scan the mounted win7 partition if you use ntfs-3g to read write to drive.

    I boot off a CD and do the above any time a relation infects their PC and it works very well.

