Lost internet (via IE) / localhost access / ftp ability

Status
Not open for further replies.

john97

I recently lost complete access to the internet, localhost via my browsers and the ability to connect out via ftp. I've been able to "fix" the internet access with firefox, but not IE. I can ping 127.0.0.1, but not local host. In firefox and IE, when I attempt to access localhost page (I'm using IIS) I receive:
HTTP Error 503. The service is unavailable.
When I attempt to use ftp, I receive:
Status: Connection attempt failed with "EAI_FAIL - Nonrecoverable failure in name resolution".
Error: Could not connect to server
I've used netsh, but seems to no avail as I can not even locate the log file any place on my pc.
I've updated IE (7 to 8), my ftp client, but still no fix.
I'm not very familiar with this, your help would really be appreciated.
............................
I just spent several days working on this with Kimsland in the malware section (topic139072), recommended I move here now.
 
is this IIS/7 ? I don't need a complete list of the hardware/software, but what environment
are you attempting to run?
{ IIS + FTP service on a server machine?} if so, which version of IIS and the Server?

Most importantly, has this setup run correctly in the past, or is this a newly configured system?

There seems to be a rash of HTTP 503 errors.
Googling "http error 503. the service is unavailable. iis 7.0" shows many hits.

This one looks promising http://www.west-wind.com/WebLog/posts/9436.aspx on application pools

Here's one on ISAPI Filters

I can ping 127.0.0.1, but not local host
the name localhost occurs in the hosts file located \windows\system32\drivers\etc.
it should be the first line without a #comment as 127.0.0.1 localhost (open with notepad)
If it's not there, add it at the top of any other addresses and then use an admin cmd prompt to issue these as written:
ipconfig /flushdns
net stop "dns client"
net start "dns client"
ping localhost should now be working
ability to connect out via ftp
hmm from where to whom?
* on the server as a client to the server's ftp service
* ftp out to some public ftp service
what's the infrastructure like; is there a staff controlling the network and the gateway router and/or the firewall(s)?
 
Hi jobeard,
IIS 7.0.6000.16386

operating on vista business sp2
ftp is the FileZilla client 3.3.0.1

this setup ran "perfectly", until mid afternoon approx 8 days ago

I've just visited the link on application pools ... when I checked my IIS Manager, the DefaultAppPool was indeed off, I restarted and set to start automatically, and rebooted, checked the DefaultAppPool and it was on, opened IE - no access localhost or internet, opened FF - access internet, but not localhost ... looked at IIS Manager again and the DefaultAppPool was off ...grrr

the host file is as you suggested, indeed we loaded a new host file during the malware process with Kimsland on this forum to be sure it was clean

followed your ipconfig, net stop and net start

the ping of localhost failed with a message of "ping could not find host localhost". (I just noticed that I can not ping any site by name, but can by ip address)

I'm using ftp client to place files in a web hosting server - external to me ... this has worked for a long time, but like the IE, local host, etc. ... all began failing last week

there is no staff controlling any part, other than the local ISP ... I've moved to use four different connections - 2 public and 2 private, the private routers / modems have been reset ...
 
this setup ran "perfectly", until mid afternoon approx 8 days ago
Good :)
I've just visited the link on application pools ... when I checked my IIS Manager, the DefaultAppPool was indeed off, I restarted and set to start automatically, and rebooted, checked the DefaultAppPool and it was on, opened IE - no access localhost or internet, opened FF - access internet, but not localhost ... looked at IIS Manager again and the DefaultAppPool was off ...grrr
OK; needs a solution
the ping of localhost failed with a message of "ping could not find host localhost". (I just noticed that I can not ping any site by name, but can by ip address)
MAJOR Connectivity issue (for all external access :( ) This is a DNS issue
there is no staff controlling any part, other than the local ISP ... I've moved to use four different connections - 2 public and 2 private, the private routers / modems have been reset ...
We need to solve the connectivity for your Browser and Email before we can expect very much from IIS or any other application

A) what is the make/model of your router please
B) log into your router conf page; I need the gateway address, mask, and DNS addresses provided by your ISP.
C) then get the configuration seen by windows using ipconfig /all >mytcp.txt
and attach mytcp.txt to your followup; it will be located at %userprofile%\mytcp.txt
 
modem/router

a) modem from my ISP is a SpeedStream 4200, I also have a D-Link DIR-655 router
(another pc also running vista is working fine on this config)
 
b) router = Subnet Mask : 255.255.255.0, Default Gateway : 192.168.2.1, Primary DNS Server : 192.168.2.1, Secondary DNS Server : 192.168.2.1
 
b) router = Subnet Mask : 255.255.255.0, Default Gateway : 192.168.2.1, Primary DNS Server : 192.168.2.1, Secondary DNS Server : 192.168.2.1
no, those are the Windows Settings, not the Router settings.
Notice Gateway = Primary = Secondary =all= 192.168.2.1, the address of the router as seen from your Lan systems.

You also have IPv6 running
Link-local IPv6 Address . . . . . : fe80::c1d9:d571:3d15:3223%14(Preferred)
which I would disable --
ipv6 uninstall
-- but let's continue

The true DNS is therefore only seen in the Router Config

modem from my ISP is a SpeedStream 4200, I also have a D-Link DIR-655 router
(another pc also running vista is working fine on this config)
Ok, let's address the SpeedStream 4200 first.
Connect your system directly to the SpeedStream 4200 and use your browser ...
I believe the SpeedStream 4200 config is found by
http://192.168.254.254/
The default username is admin and default password is admin
If you can login, be sure to change that password! or someone on the Internet will take over :(

now find the WAN side information and report
The gateway, mask, primary and secondary DNS addresses
 
Please excuse.

when I use ipv6 uninstall as an administrator at the command prompt, I receive " 'ipv6' is not recognized as an internal or external command, operable program or batch file. "

I'm now wire connected directly to the speedstream ... http://192.168.254.254 gives me: "The connection to the server was reset while the page was loading."
 
thanks Kimsland,
192.168.2.1 works fine
the addresses are:
Subnet Mask: 255.255.255.255
DNS Server Address #1: 207.164.234.129
DNS Server Address #2: 207.164.234.193
Modem IP Address: 192.168.2.1
I don't see any reference to the gateway though in any of the options
 
the addresses are:
Subnet Mask: 255.255.255.255
DNS Server Address #1: 207.164.234.129
DNS Server Address #2: 207.164.234.193
I must rush off, but please call your ISP (Internet Service Provider) and confirm those DNS entries are correct to your connection with them
 
IPv4 Address. . . . . . . . . . . : 192.168.2.11(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : December-08-09 4:30:53 PM
Lease Expires . . . . . . . . . . : December-11-09 4:30:52 PM
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.2.1
Well the DNS entries are not matching up with your network properties (right click on your network connection > properties > tcp/ip settings)

Have you got another computer on the Network working, just to check these settings are exactly the same? (except IP address of course)
I just use Automatic settings as a standalone computer
 
I removed this pc and plugged another pc running vista into the speedstream ... the ipconfig file list the ipv4 address as 192.168.2.10, subnetmask as 255.255.255.0, default gateway as 192.168.2.1 ... ff, ie and ftp are all working on that pc
 
And these are the same as well:
DHCP Server . . . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.2.1

Also do this:
Manual steps to repair or to reset Winsock for Windows Vista users
  1. Click Start, type cmd in the Start Search box, right-click cmd.exe, click "Run as administrator", and then press Continue.
  2. Type netsh winsock reset at the command prompt, and then press ENTER.
  3. Type netsh int ip reset at the command prompt, and then press ENTER.
  4. Type netsh interface ip delete arpcache at the command prompt, and then press ENTER.
  5. Type Exit, and then press ENTER.
Restart
 
Kimsland
You are the god! Once I used all your netsh commands and opened IIS Manager to start the DefaultAppPool - everything is now working again. I am truly amazed. Your patience with me during the past several days with malware and now with this thread has been awesome. I wanted to just throw this pc - but you persisted. I'll never be able to do enough to thank you - but please accept my humble "thanks". I'll never stop talking about this one!
John
 
Wow, Thanks john97 :grinthumb

Actually due to jobeard's advice above, I just got to thinking about it more
So many minds together does actually work :)
And I had a little luck that you had another (working) available computer handy too ;)

Thanks for the update.
 
wonderful :wave: Yea the Ipv6 uninstall was for Win/xp and I forgot you're on Win/7

$ nslookup 207.164.234.129
Server: resolver1.opendns.com
Address: 208.67.222.222

Name: mtrlpq02dnsvp1.srvr.bell.ca
Address: 207.164.234.129

so if your ISP is bell.ca then this is correct

I would still like to see the WAN side conf for the speedstream.
The gateway *must* be an address related to bell.ca and the mask must allow
access to the dns addresses


Personally, I have forced my router to use
DNS Servers . . . . . . . . . . . : 208.67.222.222
......................... 208.67.222.220
which belong to the OpenDNS project.

This should provide immunity from DNS Hijacking
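
An added example (not code from any poster in this thread) that automates two checks discussed above: the hosts-file check for an uncommented `127.0.0.1 localhost` entry, and comparing the DNS servers Windows reports against the router and ISP addresses posted in the thread. The sample hosts and `ipconfig /all` text, including 203.0.113.7 and 198.51.100.53, are constructed.

```python
import ipaddress
import re

# Resolvers named in the thread: the router plus the two ISP servers.
EXPECTED_DNS = {"192.168.2.1", "207.164.234.129", "207.164.234.193"}

# Constructed sample inputs (illustrative, not the poster's real files).
SAMPLE_HOSTS = """\
# 127.0.0.1      localhost
203.0.113.7      www.shop.example    # constructed redirect entry
::1              localhost
"""
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.2.11(Preferred)
   DNS Servers . . . . . . . . . . . : 192.168.2.1
                                       198.51.100.53
"""

def parse_ip(token):
    """Return an ip_address, or None if token is not an address."""
    try:
        return ipaddress.ip_address(token.split("%")[0])
    except ValueError:
        return None

def audit_hosts(text):
    """Return (has 127.0.0.1 localhost entry, non-loopback name mappings)."""
    has_localhost, redirects = False, []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        addr = parse_ip(fields[0]) if len(fields) > 1 else None
        if addr is None:
            continue
        for name in fields[1:]:
            if name.lower() == "localhost":
                has_localhost = has_localhost or str(addr) == "127.0.0.1"
            elif not (addr.is_loopback or addr.is_unspecified):
                redirects.append((name, str(addr)))
    return has_localhost, redirects

def unexpected_dns(ipconfig_text, expected=EXPECTED_DNS):
    """List DNS servers from `ipconfig /all` output that are not expected."""
    found, in_dns = [], False
    for line in ipconfig_text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        # Additional servers appear on continuation lines holding only an address.
        ip = parse_ip(m.group(1) if m else line.strip() if in_dns else "")
        in_dns = ip is not None
        if ip is not None:
            found.append(str(ip))
    return [s for s in found if s not in expected]

if __name__ == "__main__":
    print(audit_hosts(SAMPLE_HOSTS), unexpected_dns(SAMPLE_IPCONFIG))
```

On a real machine, feed it the contents of \windows\system32\drivers\etc\hosts and the mytcp.txt file produced by `ipconfig /all >mytcp.txt`.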
 