Am I infected with DNS changer?

Discussion in 'Windows 7' started by Capum130, May 11, 2015.

  1. Capum130

    Capum130 MDL Member

    Jan 25, 2011
    228
    4
    10
    #1 Capum130, May 11, 2015
    Last edited by a moderator: Apr 20, 2017
    In the command prompt, I ping any random string like "horuspocus"; here is the output:
    Code:
    C:\Users\username_nº>ping horuspocus
    
    Disparando horuspocus.ibox.pace.net [64.99.80.30] com 32 bytes de dados:
    Resposta de 64.99.80.30: bytes=32 tempo=175ms TTL=244
    Resposta de 64.99.80.30: bytes=32 tempo=184ms TTL=244
    Resposta de 64.99.80.30: bytes=32 tempo=176ms TTL=244
    Resposta de 64.99.80.30: bytes=32 tempo=162ms TTL=244
    
    Estatísticas do Ping para 64.99.80.30:
        Pacotes: Sent = 4, Received = 4, Lost = 0 (0% de
                 perda),
    Aproximar um número redondo de vezes em milissegundos:
        Minimal = 162ms, Maximum = 184ms, Average = 174ms
    
    But the thing is I get this IP, XYZ.ibox.pace.net [64.99.80.30], for every random name and for every computer name actually on the internal network.
    What might be occurring?
     
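The behaviour in the post above (any random label resolving, and always to the same address) can be tested deliberately. The following PowerShell check is an added example and not code from the thread: it resolves freshly generated random labels, once as bare names (so Windows appends the DNS suffix search list, which is how "horuspocus" became horuspocus.ibox.pace.net) and once under the reserved `.invalid` TLD, which an honest resolver can never answer. The function name, the `nx...` label format and the sample count are the example's own choices; it uses only the .NET `System.Net.Dns` class, so it runs on Windows 7 / PowerShell 2.0.

```powershell
# Added example (not from the thread): probe the resolver with names that cannot
# legitimately exist. An honest resolver answers NXDOMAIN for them; a resolver,
# or a wildcard zone reached through the DNS suffix search list, that answers
# every such name with one fixed address produces the symptom shown in post #1.
function Test-NxDomainHijack {
    param(
        [int]$Samples = 3,
        # '' = bare label, so the Windows resolver appends the suffix search list;
        # 'invalid' is the RFC 2606 reserved TLD, which must always be NXDOMAIN.
        [string[]]$Suffixes = @('', 'invalid')
    )
    $report = @()
    foreach ($suffix in $Suffixes) {
        $answers = @()
        foreach ($i in 1..$Samples) {
            # Constructed random label; no real host carries this name.
            $label = 'nx' + [guid]::NewGuid().ToString('N').Substring(0, 16)
            if ($suffix) { $name = "$label.$suffix" } else { $name = $label }
            try {
                $addrs = [System.Net.Dns]::GetHostAddresses($name) |
                    ForEach-Object { $_.IPAddressToString }
                $answers += ($addrs -join ',')
            } catch {
                # "No such host is known" (NXDOMAIN) is the expected, healthy outcome.
            }
        }
        $distinct = @($answers | Sort-Object -Unique)
        if ($answers.Count -eq 0) {
            $verdict = 'OK: random names do not resolve'
        } elseif ($distinct.Count -eq 1) {
            $verdict = "SUSPICIOUS: $($answers.Count)/$Samples random names resolve to $($distinct[0])"
        } else {
            $verdict = "SUSPICIOUS: random names resolve to $($distinct -join ' / ')"
        }
        if ($suffix) { $shown = $suffix } else { $shown = '(search list)' }
        $report += New-Object PSObject -Property @{ Suffix = $shown; Verdict = $verdict }
    }
    $report
}

Test-NxDomainHijack | Format-Table Suffix, Verdict -AutoSize
```

Reading the two rows together separates the cases: a SUSPICIOUS result only for the search-list row points at a wildcard record in whatever suffix the DHCP server hands out, while a SUSPICIOUS result under `.invalid` means the configured DNS server itself is answering for names it cannot know, which is the DNS-changer pattern the thread title asks about.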
  2. MrMagic

    MrMagic MDL Guru

    Feb 13, 2012
    6,011
    4,153
    210
    Check the hosts file for suspicious entries.
     
  3. Capum130

    Capum130 MDL Member

    Jan 25, 2011
    228
    4
    10
    #3 Capum130, May 12, 2015
    Last edited: May 12, 2015
    (OP)
    Looked at all computers on the network; none have such suspicious line entries. Actually, apart from the normal usage guide at the beginning, all are empty. One has '127.0.0.1 localhost' (without the single quotes).
     
  4. MrMagic

    MrMagic MDL Guru

    Feb 13, 2012
    6,011
    4,153
    210
    #4 MrMagic, May 12, 2015
    Last edited by a moderator: Apr 20, 2017
    Run some malware scans: Malwarebytes, Spybot, HijackThis, etc.

    All hosts files should have entries; 127.0.0.1 localhost is normal.

    A completely empty hosts file is not right.

    --
    Should look like this:

    Code:
    # Copyright (c) 1993-2009 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    #      102.54.94.97     rhino.acme.com          # source server
    #       38.25.63.10     x.acme.com              # x client host
    
    # localhost name resolution is handled within DNS itself.
    #    127.0.0.1       localhost
    #    ::1             localhost
    
    
     
  5. Capum130

    Capum130 MDL Member

    Jan 25, 2011
    228
    4
    10
    #5 Capum130, May 12, 2015
    Last edited: May 12, 2015
    (OP)
    Yes, that is what it looks like on my machines.
    Will do the malware scan. Thanks. The pain is that we have 10 computers...
     
  6. Capum130

    Capum130 MDL Member

    Jan 25, 2011
    228
    4
    10
    #6 Capum130, May 18, 2015
    Last edited: May 29, 2015
    (OP)
    MrMagic, is there a possibility this is no malware at all? I read that the DNS suffix can be changed if one notebook changes the domain name. Could we find, supposedly, a master browser and determine who made the change?
    But actually we are not on any domain; this network is a workgroup.
    So I guess, from the end of the last sentence, it is malware after all =\
    1) Now there is a new DNS suffix .home instead of .ibox.pace.net. Ping to local computers works now.
    2) There is one computer not being seen on the LAN.
     
  7. LatinMcG

    LatinMcG Bios Borker

    Feb 27, 2011
    5,700
    1,600
    180
  8. Capum130

    Capum130 MDL Member

    Jan 25, 2011
    228
    4
    10
    Router infections came up too in our daily meeting. We didn't use the standard password even before we got this issue, circa 1 month ago. The router isn't Linksys, if that would matter.
    We changed routers and, at first, ping was resolving an IPv6 address. Then it changed to the .home DNS suffix, resolving IPv4.
    Somehow ping and Remote Desktop are working. TeamViewer (LAN mode) doesn't.

    What should I do to, say, automate these scans?
    Does hard resetting the routers clean them? If not, how?
     
  9. Yen

    Yen Admin (retired)
    Staff Member

    May 6, 2007
    13,127
    14,207
    340
    A router 'infection'? You mean a messed-up setup? One would need to crack the PW and mess with the settings... to flash a modified FW on it is even more unlikely.
    Well, you can reset it to factory default, but then you need to set it up completely again.
    I'd rather check for suspicious settings...
     
  10. Capum130

    Capum130 MDL Member

    Jan 25, 2011
    228
    4
    10
    #10 Capum130, May 19, 2015
    Last edited: May 19, 2015
    (OP)
    This router does not have many configurable settings; they are all locked. You can't do much, such as disable remote management, use HTTPS and so on. *It's an ISP router.
    But if you read PC World news, they talk about 'The Moon' malware on Linksys routers. Isn't this kind of infection possible?
     
  11. Yen

    Yen Admin (retired)
    Staff Member

    May 6, 2007
    13,127
    14,207
    340
    Before I'd think about a router infection I'd check the network.
    Can you post more details of the infrastructure of your network?
    You have an ISP router. Is it a router only, or does it have direct internet access via its own modem (ADSL/broadband cable)? Could you connect directly to the modem to check if it is a router issue?
    What are the DNS server IP address(es)? Do they come from the ISP? Are they 'legit'?
    What devices are connected to the router, and how? ...or is there a server that serves the other clients?
    Could you access the Internet through another ISP to test a client? For instance via tethering through mobile 3G/LTE..?
     
  12. Capum130

    Capum130 MDL Member

    Jan 25, 2011
    228
    4
    10
    #12 Capum130, May 19, 2015
    Last edited: May 29, 2015
    (OP)
    It's actually an ADSL modem/router/TV decoder bundle, all in one device.
    This modem doesn't even have a place to set DNS. The ISP is a major nation-wide company. They might be legit.
    There are 3 wired desktops and 4 notebooks (via Wi-Fi). They are connected to the router through a non-manageable switch.
    No, I can't access the internet via another ISP.
    Anything else?
     
  13. Yen

    Yen Admin (retired)
    Staff Member

    May 6, 2007
    13,127
    14,207
    340
    Well, I have no other info so far.... but I'd suggest, to figure out if it is a router issue or a PC issue, you'd need to connect one device to the router which you are sure pings OK on another network... maybe from a friend.. or one with a clean install...? Either it's the router or ALL devices in your network...

    Oh.... Btw, with checking your network for messed-up settings I meant: you have run ipconfig /all from a CMD to check for a DNS suffix and there is none, right?
    Tried ipconfig /flushdns?

    And have you checked the DNS clients on the PCs?
    Run gpedit.msc as admin... Computer Configuration --> Administrative Templates --> Network --> DNS Client

    Anything strange? Windows can add suffixes even depending on the connection... (connection specific)

    It could also be something in the registry like: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\

    But first try to connect a clean installed PC to your network and have a look... :)
     
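The checks Yen lists above (suffix search list, connection-specific suffix, DNS servers, the DNSClient policy key) and MrMagic's hosts-file check earlier in the thread can be collected in one script and run on each of the ten machines so the outputs can be compared side by side. The following is an added example, not code posted in the thread: it reads the same data that `ipconfig /all` prints, via WMI and the registry only, so it works on Windows 7 / PowerShell 2.0. The function name, the `-ExpectedDnsServers` parameter (fill it with the ISP's published resolvers if you know them) and the wording of the findings are the example's own; the registry paths are the ones named in the thread plus the standard Tcpip\Parameters key that holds the static suffix settings.

```powershell
# Added example (not from the thread): one-shot DNS client audit for a workgroup
# machine, producing objects that can be compared across computers.
function Get-DnsClientAudit {
    param([string[]]$ExpectedDnsServers = @())   # assumption: the ISP's real resolvers, if known

    # Static suffix settings and the policy key Yen mentions; both are normally absent/empty.
    $tcpip  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -ErrorAction SilentlyContinue
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -ErrorAction SilentlyContinue

    # Suffixes this machine has seen before (the NLA network cache; post #15 finds
    # 'home' and 'ibox.pace.net' as subkeys here).
    $nla = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet'
    $seenSuffixes = @()
    if (Test-Path $nla) { $seenSuffixes = @(Get-ChildItem $nla | ForEach-Object { $_.PSChildName }) }

    # Per-adapter view: the same fields ipconfig /all prints, but as objects.
    $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            New-Object PSObject -Property @{
                Adapter    = $_.Description
                Suffix     = $_.DNSDomain                              # "Connection specific DNS suffix"
                SearchList = ($_.DNSDomainSuffixSearchOrder -join ',')
                DnsServers = ($_.DNSServerSearchOrder -join ',')
                DhcpServer = $_.DHCPServer
            }
        }

    # hosts file: every line that is not blank or a comment is an active mapping.
    $hostsPath    = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $hostsEntries = @(Get-Content $hostsPath | Where-Object { $_ -match '^\s*[^#\s]' } |
                      ForEach-Object { ($_ -replace '\s+', ' ').Trim() })

    $findings = @()
    if ($tcpip.Domain)     { $findings += "Primary DNS suffix is set: $($tcpip.Domain) (expected blank in a workgroup)" }
    if ($tcpip.SearchList) { $findings += "Static suffix search list: $($tcpip.SearchList)" }
    if ($policy -ne $null) {
        $names = $policy.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { $_.Name }
        $findings += "DNSClient policy key exists with values: $($names -join ',')"
    }
    foreach ($a in $adapters) {
        if ($ExpectedDnsServers.Count -gt 0) {
            foreach ($s in ($a.DnsServers -split ',')) {
                if ($s -and ($ExpectedDnsServers -notcontains $s)) { $findings += "$($a.Adapter): unexpected DNS server $s" }
            }
        }
    }
    foreach ($h in $hostsEntries) {
        # 127.0.0.1 / ::1 localhost are normal; anything else deserves a look.
        if ($h -notmatch '^(127\.0\.0\.1|::1) localhost$') { $findings += "hosts: $h" }
    }

    New-Object PSObject -Property @{
        PrimarySuffix = $tcpip.Domain
        SeenSuffixes  = ($seenSuffixes -join ',')
        Adapters      = $adapters
        HostsEntries  = $hostsEntries
        Findings      = $findings
    }
}

$audit = Get-DnsClientAudit
$audit.Adapters | Format-Table Adapter, Suffix, SearchList, DnsServers, DhcpServer -AutoSize
"Suffixes seen on this machine: $($audit.SeenSuffixes)"
if ($audit.Findings.Count -eq 0) { 'No findings' } else { $audit.Findings }
```

On an ISP-router network like the one described, `DnsServers` will show only the gateway (192.168.25.1 in the thread), because the router proxies DNS; the upstream resolvers it forwards to are then visible only in the router's own status page, which is why Yen's later suggestion to compare against the ISP's published addresses has to be done there rather than on the PCs.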
  14. Yen

    Yen Admin (retired)
    Staff Member

    May 6, 2007
    13,127
    14,207
    340
    He said he cannot even change the DNS addresses himself in the router setup... he can check the current DNS addresses using the ipconfig command and verify them against the ISP's own.....
     
  15. Capum130

    Capum130 MDL Member

    Jan 25, 2011
    228
    4
    10
    #16 Capum130, May 28, 2015
    Last edited by a moderator: Apr 20, 2017
    (OP)
    DNS suffix

    Sorry for the delay.
    ipconfig from an outside notebook on a wired connection to the network (different WORKGROUP though):
    Code:
    C:\Users\UserOut>ipconfig /all
    
    Windows IP Configuration
    
       Hostname. . . . . . . . . . . . . . . . . . : CN-Itau
       Primary DNS Suffix  . . . . . . . . . . . . :
       Tipo de nó. . . . . . . . . . . . . . . . . : híbrido
       Roteamento de IP ativado. . . . . . . . . . : não
       Proxy WINS ativado. . . . . . . . . . . . . : não
       DNS suffix search list. . . . . . . . . . . : home  (should be blank?)
    
    Wireless Network Adapter Conexão de Rede sem Fio:
    
       Estado da mídia. . . . . . . . . . . . . .  : mídia desconectada
       Connection specific DNS suffix. . . . . . . : home  (??)
       Descrição . . . . . . . . . . . . . . . . . : brand
       Endereço Físico . . . . . . . . . . . . . . : MAC address
       DHCP Habilitado . . . . . . . . . . . . . . : Sim
       Configuração Automática Habilitada. . . . . : Sim
    
    Ethernet Adapter Conexão local:
    
       Connection specific DNS suffix. . . . . . . : home (??)
       Descrição . . . . . . . . . . . . . . . . . : brand
       Endereço Físico . . . . . . . . . . . . . . : MAC address
       DHCP Habilitado . . . . . . . . . . . . . . : Sim
       Configuração Automática Habilitada. . . . . : Sim
       Endereço IPv6 de link local . . . . . . . . : CN-Itau_IPv6 (Preferencial)
       Endereço IPv4. . . . . . . .  . . . . . . . : CN-Itau_IPv4 (Preferencial)
       Máscara de Sub-rede . . . . . . . . . . . . : mask
       Concessão Obtida. . . . . . . . . . . . . . : quinta-feira, 28 de maio de 2015 09:19:01
       Concessão Expira. . . . . . . . . . . . . . : sexta-feira, 29 de maio de 2015 09:19:35
       Gateway Padrão. . . . . . . . . . . . . . . : 192.168.25.1
       Servidor DHCP . . . . . . . . . . . . . . . : 192.168.25.1
       IAID de DHCPv6. . . . . . . . . . . . . . . : random numbers
       DUID de Cliente DHCPv6. . . . . . . . . . . : random dashed numbers
       Servidores DNS. . . . . . . . . . . . . . . : 192.168.25.1
       NetBIOS em Tcpip. . . . . . . . . . . . . . : Habilitado
    
    Tunnel Adapter isatap.home:
    
       Estado da mídia. . . . . . . . . . . . . .  : mídia desconectada
       Connection specific DNS suffix. . . . . . . : home (??)
       Descrição . . . . . . . . . . . . . . . . . : Adaptador do Microsoft ISATAP
       Endereço Físico . . . . . . . . . . . . . . : random dashed numbers, most zeros
       DHCP Habilitado . . . . . . . . . . . . . . : Não
       Configuração Automática Habilitada. . . . . : Sim
    
    Tunnel Adapter Conexão Local* 2:
    
       Estado da mídia. . . . . . . . . . . . . .  : mídia desconectada
       Connection specific DNS suffix. . . . . . . : (OK!?)
       Descrição . . . . . . . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Endereço Físico . . . . . . . . . . . . . . : random dashed numbers, most zeros
       DHCP Habilitado . . . . . . . . . . . . . . : Não
       Configuração Automática Habilitada. . . . . : Sim
    
    As we see, the outside notebook first got this home DNS suffix at its first connection attempt by wireless. Then I connected wired and it was created in the respective adapter. I really don't recall this home DNS suffix on either adapter in ipconfig before.

    Using a networked computer:
    27/05, yesterday, the ping to a second networked computer was "Pinging computerA.ibox.pace.net [64.99.80.30] with 32 bytes of data". All replies sent and received OK to this external IP.
    28/05, today, the ping to the same second networked computer, after the outside notebook test, was "Pinging computerA.home [192.168.25.2] with 32 bytes of data". All replies sent and received OK to the local IP.
    All these DNS suffix names and changes were seen even before the test with the outside notebook; they are repeating in some manner.
    Did a ping from the outside notebook to a networked computer and the output is the same as on 28/05 from the network computer ping to the second network computer.

    Note (1) when ibox.pace.net becomes, say, active, all home entries are changed to ibox.pace.net in the respective lines.
    (2) I don't have any VM or VPN running. (3) Is this double tunnel adapter connection odd?
    (4) Real DNS addresses aren't shown in ipconfig; the gateway local IP appears instead.

    Yen, DNS suffix is not blank. Yes, I tried ipconfig /flushdns.
    gpedit DNS client settings are all not-configured [attachment: gpedit cliente dns.png]
    Couldn't find the DNSClient registry subkey where you mention. So I did a search and found subkeys home and ibox.pace.net in: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\
     
  16. Yen

    Yen Admin (retired)
    Staff Member

    May 6, 2007
    13,127
    14,207
    340
    Sorry also for the late reply, I almost forgot your thread.
    To me there is nothing suspicious in what you have posted.

    The DNS suffix search list is not empty here as well. It is the name of the router address here, meaning when I call it my router login page appears. It also appears at all Connection specific DNS suffix instances; it is not empty.
    Important is that Primary DNS Suffix is empty.

    The tunnel adapter here is also type.Connection specific DNS suffix:
    type=isatap.... Connection specific DNS suffix=home means isatap.home, same 'syntax' here.

    I also have 2 tunnel adapters, descriptions: Microsoft-ISATAP-Adapter #2 and the other Teredo Tunneling Pseudo-Interface.

    gpedit DNS client settings are all not-configured as well...

    I am not a big expert, but to me there is nothing suspicious in your info.
    How do you call your router's login page? Just by typing the DNS suffix search list entry into a browser's address bar!?

    Have you called your ISP for assistance?
    64.99.80.30 belongs to Tucows.com Co., Toronto.

    Maybe a stupid question... could it be that it is 'normal' routing behavior? Was the ping behavior different before? I don't know how your ISP is routing; you could ask about this IP address and what its purpose is, or could you check with a friend who has the same ISP?

    Sorry that I am not of much help. I'd be glad if you keep me updated; I'd like to know how it goes on.... it is interesting :)
     
  17. Capum130

    Capum130 MDL Member

    Jan 25, 2011
    228
    4
    10
    #19 Capum130, Jun 11, 2015
    Last edited by a moderator: Apr 20, 2017
    (OP)
    @LatinMcG you gave me NIGHTMARES with these articles!

    I went away with the outside notebook back to its original place, where there is a different ISP, and I will post later another ipconfig, which is different, of course, based on the configuration from this unrelated ISP.

    Back on a network computer, I see the Search List DNS Suffix and Connection Specific DNS Suffix entries became domain.name. I checked the other computers in this network and they all have domain.name as Search List and Connection Specific DNS Suffix now. That coincides with my changing the ADSL modem/router AiO device. Except there is one computer which is blank for those entries.

    Here is the common output of 'ipconfig /all' for the network computers:
    Code:
    C:\Users\UA-compC>ipconfig /all
    
    Configuração de IP do Windows
    
       Nome do host. . . . . . . . . . . . . . . . : compC
       Sufixo DNS primário . . . . . . . . . . . . :
       Tipo de nó. . . . . . . . . . . . . . . . . : híbrido
       Roteamento de IP ativado. . . . . . . . . . : sim
       Proxy WINS ativado. . . . . . . . . . . . . : não
       Lista de pesquisa de sufixo DNS . . . . . . : domain.name
    
    Adaptador Ethernet Conexão local:
    
       Sufixo DNS específico de conexão. . . . . . : domain.name
       Descrição . . . . . . . . . . . . . . . . . : brand
       Endereço Físico . . . . . . . . . . . . . . : mac
       DHCP Habilitado . . . . . . . . . . . . . . : Sim
       Configuração Automática Habilitada. . . . . : Sim
       Endereço IPv6 . . . . . . . . . . . . . . . : IPv6(Preferencial)
       Concessão Obtida. . . . . . . . . . . . . . : quarta-feira, 10 de junho de 2015 16:41:51
       Concessão Expira. . . . . . . . . . . . . . : quinta-feira, 11 de junho de 2015 22:41:51
       Endereço IPv6 de link local . . . . . . . . : IPv6(Preferencial)
       Endereço IPv4. . . . . . . .  . . . . . . . : IPv4(Preferencial)
       Máscara de Sub-rede . . . . . . . . . . . . : mask
       Concessão Obtida. . . . . . . . . . . . . . : segunda-feira, 1 de junho de 2015 08:42:02
       Concessão Expira. . . . . . . . . . . . . . : domingo, 18 de julho de 2151 19:14:12
       Gateway Padrão. . . . . . . . . . . . . . . : router IPv6
                                                     router IPv4
       Servidor DHCP . . . . . . . . . . . . . . . : router IPv4
       IAID de DHCPv6. . . . . . . . . . . . . . . : random number
       DUID de Cliente DHCPv6. . . . . . . . . . . : random dashed number
       Servidores DNS. . . . . . . . . . . . . . . : 192.168.25.1
       NetBIOS em Tcpip. . . . . . . . . . . . . . : Habilitado
    
    Adaptador de túnel isatap.{6E06F030-7526-11D2-BAF4-00600815A4BD}:
    
       Estado da mídia. . . . . . . . . . . . . .  : mídia desconectada
       Sufixo DNS específico de conexão. . . . . . :
       Descrição . . . . . . . . . . . . . . . . . : Adaptador do Microsoft ISATAP
       Endereço Físico . . . . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Habilitado . . . . . . . . . . . . . . : Não
       Configuração Automática Habilitada. . . . . : Sim
    
    Adaptador de túnel Teredo Tunneling Pseudo-Interface:
    
       Estado da mídia. . . . . . . . . . . . . .  : mídia desconectada
       Sufixo DNS específico de conexão. . . . . . :
       Descrição . . . . . . . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Endereço Físico . . . . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Habilitado . . . . . . . . . . . . . . : Não
       Configuração Automática Habilitada. . . . . : Sim
    
    Adaptador de túnel isatap.domain.name:
    
       Estado da mídia. . . . . . . . . . . . . .  : mídia desconectada
       Sufixo DNS específico de conexão. . . . . . : domain.name
       Descrição . . . . . . . . . . . . . . . . . : Adaptador do Microsoft ISATAP #2
       Endereço Físico . . . . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Habilitado . . . . . . . . . . . . . . : Não
       Configuração Automática Habilitada. . . . . : Sim
    I call the router login page with its IP address. Not possible with home nor domain.name.

    When pinging from computer A to computer B by NAME in this network, it resolves IPv6. Isn't the original and default IPv4?

    This ibox.pace.net external IP doesn't appear anymore. My ISP doesn't help with issues other than internet connectivity issues. If it's internal, it's my problem; they don't care.

    Yes, it was different before. It was resolving IPv4 for computer name pings, which means I could use Remote Desktop with names. That included connectivity issues on both LAN and WAN. Explorer didn't resolve names, that kind of stuff.
    I will check other people with the same ISP and let you know.

    Thanks in advance.
     
  18. LatinMcG

    LatinMcG Bios Borker

    Feb 27, 2011
    5,700
    1,600
    180
    Sounds like IPv6 is resolving locally to the router and on the inet IPv4.

    There is a way, if I remember right, to disable IPv6 but not totally. (Windows file sharing needs IPv6 for the local router or it wouldn't work.)