2 Intern

12K Posts

October 26th, 2006 04:00

First of all, those sites are not secure.  At least the main pages are not secure.  Secure sites are designated by "https".
 
Two things to try.  First clear out all of your Temporary Internet Files and then if still no luck, try adding Https://www.ebay.com and the others to your trusted sites list.

10 Posts

October 26th, 2006 11:00

No luck with clearing temporary internet files, cookies, spyware, virus scan, etc etc etc. 
 
Another strange twist - when I type www.ebay.com into my browser, I get bounced to the results of a Google search on the word eBay.  I made sure I am typing the address in the true explorer address field (not the Google toolbar search field) and I still get the Google results.
 
Same with amazon.   With eBay, I am able to click on one of the search results and backdoor into eBay.  I get the "Page not found" screen when trying the same strategy with amazon, paypal, or other similar sites....

2 Intern

887 Posts

October 28th, 2006 02:00

I suggest you begin by trying to update all your a/v software and then scan your system online using trendmicro housecall, and see what it finds.

10 Posts

October 29th, 2006 14:00

I can get to Trendmicro House Call homepage, but get the "Page cannot be displayed" when clicking the link to scan my computer...

This is the link that is giving me problems:

http://www.trendmicro.com/hc_intro/default.asp

It seems to be the same problem I am having with the other sites.

Thanks again for any help you may be able to offer.

2 Intern

12K Posts

October 29th, 2006 14:00

Please post the results of an ipconfig /all

10 Posts

October 29th, 2006 14:00

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings>ipconfig/all

Windows IP Configuration

Host Name . . . . . . . . . . . . :
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : hsd1.pa.comcast.net.

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : hsd1.pa.comcast.net.
Description . . . . . . . . . . . : CNet PRO200WL PCI Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-08-A1-16-CB-D8
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 67.163.218.114
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 67.163.218.1
DHCP Server . . . . . . . . . . . : 68.87.75.10
DNS Servers . . . . . . . . . . . : 68.87.75.194
68.87.64.146
Lease Obtained. . . . . . . . . . : Saturday, October 28, 2006 10:54:56 PM
Lease Expires . . . . . . . . . . : Tuesday, October 31, 2006 9:58:38 PM

Message Edited by caper911 on 10-30-2006 05:01 AM

2 Intern

12K Posts

October 29th, 2006 14:00

To comply with Forum Rules, take out the name of your Service Tag.  Everything looks fine as it shows you are not behind a router.  I got to think some more on this one.  Can you ping these sites with good results?

10 Posts

October 29th, 2006 16:00

When I ping the sites listed above (eBay, amazon, cdnow, paypal) it lists the same ip address each time: 127.0.0.1

When I ping other sites (cbs, cnn, google, etc) I get the actual ip address of the sites (i.e. different ip addresses with each ping).

Thanks again.

Message Edited by caper911 on 10-30-2006 05:02 AM

2 Intern

887 Posts

October 30th, 2006 00:00

and you may want to repost in the virus/spyware forum...

2 Intern

887 Posts

October 30th, 2006 00:00

W32/Mytob-BI modifies the HOSTS file, changing the URL-to-IP mappings for selected websites, therefore preventing normal access to these sites. The new HOSTS file will typically contain the following:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com

and so on....read here (if you are able):

http://www.sophos.com/security/analyses/w32mytobbi.html

I suspect you have this or something similar.

you need to replace your hosts file then do some serious clean up imo.

 

 

10 Posts

October 30th, 2006 08:00

That sounds like the culprit...I (of course) was unable to view the link that you posted describing the virus. Are there steps I can take to remove?

How do I move this thread to the Virus/Spyware forum?

Thanks again for your help.

2 Intern

12K Posts

October 30th, 2006 09:00

If you go to the site of your AV product and search for that file name, they will usually provide a solution to remove it.  This has been an interesting thread.

3 Apprentice

8.8K Posts

October 30th, 2006 14:00

Please post a log on the HijackThis Forum where someone can review it and help you.
HJT Forum

Click HERE to download a self-extractable version of HijackThis.
  • Double click on hijackthis.exe to extract hijackthis to folder c:\hijackthis.
  • It will extract it to that folder and open the folder for you.
  • It will also create a shortcut on your desktop to HijackThis.

  • It will scan and the log should open in notepad. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

thanks,
ZB1

2 Intern

2.5K Posts

October 31st, 2006 02:00

No reason not to.

2 Intern

2.5K Posts

October 31st, 2006 02:00

For what it's worth this is a windows default hosts file, everything in red.
 
 
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
127.0.0.1       localhost
 
127.0.0.1 is sometimes called the loop back address, it is your own PC.  When you see an entry in your hosts file similar to 127.0.0.1   xxx.com any attempt to connect to xxx.com will be looped back to your PC.  There are at least two ways to get around the problem, 1 - fix the host file; 2 - use the actual IP address not the symbolic name.  As an example to reach http://www.mcafee.com use http://216.49.88.12/ which is their IP address.
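
An added example, not part of any post in this thread: a short Python check that parses hosts-file text and lists every entry that sends a non-local name to the loopback address, the pattern described above. The sample file is constructed from lines quoted in the thread; `LOCAL_NAMES` and the function names are this example's own, and treating 0.0.0.0 the same as 127.0.0.1 goes beyond what the thread covers.

```python
import ipaddress

# Names a stock hosts file may legitimately point at the local machine.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample: default-file lines plus entries quoted in the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
127.0.0.1 www.trendmicro.com
127.0.0.1 www.ebay.com ebay.com   # two names on one line
0.0.0.0   www.paypal.com
::1       localhost
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) < 2:
            continue  # blank line, comment-only line, or address with no name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not a valid IP address
        for name in fields[1:]:
            yield line_no, ip, name.lower()


def find_loopback_redirects(text):
    """Return (line_no, ip, hostname) for non-local names sent to loopback."""
    return [
        (line_no, str(ip), name)
        for line_no, ip, name in parse_hosts(text)
        if (ip.is_loopback or ip.is_unspecified) and name not in LOCAL_NAMES
    ]


if __name__ == "__main__":
    # On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts;
    # read it and pass its text here instead of the sample.
    for line_no, ip, name in find_loopback_redirects(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

A hit is a lead to investigate, not proof of infection: hosts files used for ad blocking map names to loopback in the same form.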