127.0.0.1

Status
Not open for further replies.

mccarron

IS-IT--Management
Jul 10, 2008
5
Yesterday while browsing, McAfee alerted me to a trojan and then my system locked up. When I got it back up and running I ran a full scan, but when I tried to update from McAfee the connection was refused. I tried to do a Windows Update and it told me my firewall was probably blocking the site. I turned off the firewall and tried again. As the day wore on I started getting the same error message from almost every tech support site or virus download site. All other websites seem to work as usual. I did an NSLOOKUP on these sites and got addresses. If I ping or put those addresses in my browser, I can get to the site (only for that one page; a link gets the connection refused), but if I do a Tracert with the URL it says there is only one hop to that address, 127.0.0.1. I checked and I do not have a hosts file.

Any ideas how my system would send a selective list of websites to a loopback address without a hosts file? Can the system be used to use anything other than the hosts file? If someone was using a proxy on me would all the websites go to 127.0.0.1?

If you have any ideas please let me know. If you don't have any ideas, could you look on the McAfee website and get a telephone number for support? I can't access their website to get it.
 
Replacing the hosts file with a clean one is what I would do first. But you may end up needing to do an OFFLINE scan. Look into getting yourself a Bart PE CD and enabling the McAfee command line scanner on it. This way, you boot from the CD and scan your C: drive for viruses and they can be removed very effectively because Windows (and any virus files) are not loaded. And we all know that removing files that are active/loaded is not always possible.

Here is what your hosts should look like. Edit and paste or create a new one on the desktop and replace the whole file. Make it READ ONLY when done.


# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
 
Reboot after replacing hosts file content for it to take effect and check it again to see that it didn't get modified.

c:\windows\system32\drivers\etc is the path.

The hosts file has NO extension, so if you create it with notepad (which would be the recommended program), make sure to remove the .txt after saving.

Here's a link to the Bart PE page. You can't live without
this program and CD and it's freeeeeeee.


Here's the McAfee SDAT download you need to get your McAfee plugin enabled and up to date.


Put the SDAT.exe in the proper folder
C:\PathToBartPEFolder\pebuilder3110a\plugin\mcafee\files

and then from command line run SDAT.exe /e to extract the files in the folder. It will take up to a minute to finish, but you won't see any activity.
 
You may want to check the registry key
\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath

to make sure the file location is still c:\windows\system32\drivers\etc (especially as you do not have the file in there already, there should be a hosts file even if it's empty?)

You may also want to run . . .

ipconfig /flushdns

in case there is a DNS issue there somewhere



Adrian Paris

Paris Engineering Ltd

Google search of just tech forums & articles
(very useful, honest!)
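
An added example, not part of any post in this thread: a small Python audit of the two things the replies above suggest checking, the hosts file contents and the `DataBasePath` registry value. The sample hosts text, the `.example` host names and the `C:\Temp\example` path are constructed for illustration; the default `DataBasePath` value of `%SystemRoot%\System32\drivers\etc` is assumed.

```python
import ipaddress

# Assumed Windows default for Tcpip\Parameters\DataBasePath.
DEFAULT_DB_PATH = r"%SystemRoot%\System32\drivers\etc"
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample: a hosts file with two entries the clean file lacks.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1 localhost
127.0.0.1 update.av-vendor.example   # not in the clean file
0.0.0.0   support.av-vendor.example
102.54.94.97 rhino.acme.com
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 2:
            continue                            # blank or comment-only line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first column is not an address
        for name in fields[1:]:                 # one line may carry aliases
            yield line_no, ip, name.lower()

def sinkholed_names(text):
    """Names other than localhost mapped to a loopback or 0.0.0.0 address."""
    return [(n, str(ip), name) for n, ip, name in parse_hosts(text)
            if (ip.is_loopback or ip.is_unspecified) and name not in LOCAL_NAMES]

def database_path_is_default(value, system_root=r"C:\Windows"):
    """True if a DataBasePath value still points at the default directory."""
    def norm(path):
        path = path.lower().replace("%systemroot%", system_root.lower())
        return path.rstrip("\\")
    return norm(value) == norm(DEFAULT_DB_PATH)

if __name__ == "__main__":
    for line_no, ip, name in sinkholed_names(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
    print("DataBasePath default:", database_path_is_default(r"C:\Temp\example"))
```

On a live system, pass the text of the file found in the directory that `DataBasePath` names, since that is the file the resolver reads.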
 
Recreated the hosts file and rebooted. The new hosts file was not modified and I am still having the problem. I'd get the SDAT from McAfee, but I can't access the McAfee website. I checked the environment path in regedit and it looked fine. I also flushed DNS. Still can't get anywhere. It seems that someone has gone out of their way to selectively deny me help websites. I'm not sure why they missed this one. Could someone give me a phone number or email address for McAfee tech support?
 
You might check your Restore Points and try to Restore to a time prior to your problem, then scan everything OFFLINE and disconnected from the internet.
 
If you are being blocked from particular sites you could try going through a web proxy to get to where you need to for downloading updates etc. Would recommend one but I can't get to any at the moment because I'm behind the corporate firewall.

Also make sure you have a look at the IE add-ons to see if there is anything suspicious like mywebsearch in there (disable it if there is).


Adrian Paris

Paris Engineering Ltd

Google search of just tech forums & articles
(very useful, honest!)
 
Some other things to try:
1) You might want to boot into safe mode first. Do you know the name of the trojan? If so, try searching the system registry for any entries by that name. Delete anything by the trojan name (You might want to back up the system registry first).

2) Check the event logs. They may have a clue as to what is going on as far as what trojan is still there, etc.

3) Open Task Manager. Under the Processes tab, check to see if there are any strange/unrecognised services running. Google those that you are unsure of and look for fixes.

4) Download and install another virus scanner and double check for viruses/trojan/etc.
 