Riverview said:
> Robert, thanks for your reply. I'm using XP with SP2 and the latest updates
> applied.
Thanks. That's the same as I have so I may be able to help a bit more.
> There were only two hosts files on the system and I renamed them.
> Neither contained anything unusual, just a 127.0.0.1 with a name of
> localhost. Could you explain to me what you think is happening so I can
> better describe the problem in another newsgroup?
Well, first of all I don't know if that 127.0.0.1:81 occurs in the HTML source.
Then I don't know if it occurs in the source that the host server sent.
(The difference would be that something, somewhere would be
intercepting the source as sent and replacing a valid URL with this
unusable one.)
My first guess was that the source wasn't the problem but that an
override to the DNS lookup of the server name in a URL in the source
was. The common trick people use to block advertising images is to
notice that they all originate on one server and then substitute the
TCP-IP loopback address (127.0.0.1) for such server names via
entries in their HOST file. Some malware could also take advantage
of this by actually serving that address and then fetching their own
images. (That might even account for that port number which was
reported. You might get some clues about that possibility from netstat.
netstat -anop tcp
Do you actually have something listening on that port 81?
If so the o switch will show you the PID of the listening process.)
When users started discovering how the HOSTS file worked
the bad guys figured out a way to use a different HOSTS file
(the QHosts exploit). To check that the HOSTS file is where
you think it is try this command:
netsh diag show adapter /v | find /i "DataBasePath"
Now it appears the bad guys have figured out ways to insert filters
into the TCP-IP stack to do what they want. This seems to show up
most in NT5 systems.
Here is an excerpt about my current understanding about that:
<excerpt>
FYI for XPsp2 there is a new repair command for the latter possibility:
netsh winsock reset
Otherwise there is
netsh interface ip reset
You might try checking for abnormalities beforehand by
netsh winsock show catalog type=LSP
ipseccmd show filters
(ipseccmd is on the XP Pro Support Tools)
BTW you may get better suggestions in a newsgroup
which specializes in networking for your OS.
Good luck
Robert Aldwinckle
---
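The reply above describes checking the HOSTS file for loopback (127.0.0.1) entries that redirect server names, the trick used for ad blocking and abusable by malware. The following script is an added example, not code from Robert or Riverview: it parses a Windows-style hosts file and reports every mapping that is not the default `localhost` entry, so a reviewer can see at a glance which names have been pointed at the loopback address or hard-wired past DNS. The sample hosts content embedded below is constructed; in practice you would point `find_overrides` at the file under the `DataBasePath` the reply tells you to look up (by default `%SystemRoot%\system32\drivers\etc\hosts`).

```python
"""Parse a Windows-style hosts file and flag name->address overrides.

Added example for the thread above; SAMPLE_HOSTS is constructed test data,
not taken from any real system.
"""
import ipaddress
from typing import List, Tuple

# Names that legitimately map to the loopback address.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample: the stock Microsoft header line, the default
# localhost entry, an ad-block style loopback redirect, and a static mapping.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.net      # constructed: ad-block style entry
10.0.0.5        intranet.example     # constructed: static mapping
"""


def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (address, hostname, line_number) tuples.

    Comments (everything after '#') and blank lines are ignored; a line may
    list several hostnames for one address, and each becomes its own tuple.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # address with no hostname: nothing to resolve
        addr = parts[0]
        for name in parts[1:]:
            entries.append((addr, name.lower(), lineno))
    return entries


def find_overrides(text: str) -> List[Tuple[int, str, str, str]]:
    """Flag entries that change how a name resolves.

    Two classes are reported:
      'loopback redirect' - a non-localhost name sent to 127.0.0.1/::1
                            (the ad-blocking trick the reply describes,
                            and what malware serving its own content on
                            the loopback address would rely on)
      'DNS override'      - any other hard-coded mapping, which bypasses
                            the DNS lookup for that name entirely
    Returns (line_number, hostname, address, reason) tuples.
    """
    findings = []
    for addr, name, lineno in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, name, addr, "unparseable address"))
            continue
        if ip.is_loopback:
            if name not in LOOPBACK_NAMES:
                findings.append((lineno, name, addr, "loopback redirect"))
        else:
            findings.append((lineno, name, addr, "DNS override"))
    return findings


def audit_file(path: str) -> List[Tuple[int, str, str, str]]:
    """Convenience wrapper: audit the hosts file at `path`."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_overrides(fh.read())


if __name__ == "__main__":
    # Run against the constructed sample; replace with audit_file(<DataBasePath>\hosts)
    # to check a real system.
    for lineno, name, addr, reason in find_overrides(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr} ({reason})")
```

A clean XP hosts file yields no findings at all, so any output is worth a look: loopback redirects of advertising hosts are usually the user's own doing, but a loopback redirect of a name the user never configured, especially combined with something listening locally in `netstat -anop tcp`, matches the scenario the reply describes.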