q: How does ping hijacking work?

I'm cleaning out an infected computer, and I've realised that it doesn't
just have 'browser' hijacking, it has 'ping' hijacking as well: most sites
(or many sites) are identified as 127.0.0.1. This is not DNS hijacking: NS
lookup still works. It is not DNS client cache corruption: I've turned off
the cache. I don't know what it is. I'm curious: What can you do to Windows
to break networking at this level?

(david)

On Dec 12, 10:19 am, "david" <da...@nospam.au> wrote:
> I'm cleaning out an infected computer, and I've realised that it doesn't
> just have 'browser' hijacking, it has 'ping' hijacking as well: most sites
> (or many sites) are identified as 127.0.0.1. This is not DNS hijacking: NS
> lookup still works. It is not DNS client cache corruption: I've turned off
> the cache. I don't know what it is. I'm curious: What can you do to Windows
> to break networking at this level?
>
> (david)

Could be hosts file entries for common sites.

Alister

Nope, the hosts file is clean, unless it has been re-directed. hmmmm...
what's the reg entry to re-direct the hosts file?

(david)

"Alister" <(E-Mail Removed)> wrote in message
news:7c4f7707-cc9a-48a8-a249-(E-Mail Removed)...
> On Dec 12, 10:19 am, "david" <da...@nospam.au> wrote:
>> I'm cleaning out an infected computer, and I've realised that it doesn't
>> just have 'browser' hijacking, it has 'ping' hijacking as well: most
>> sites
>> (or many sites) are identified as 127.0.0.1. This is not DNS hijacking:
>> NS
>> lookup still works. It is not DNS client cache corruption: I've turned
>> off
>> the cache. I don't know what it is. I'm curious: What can you do to
>> Windows
>> to break networking at this level?
>>
>> (david)
>
> Could be hosts file entries for common sites.
>
> Alister

On Dec 14, 10:41 pm, "david" <da...@nospam.au> wrote:
> Nope, the hosts file is clean, unless it has been re-directed. hmmmm...
> what's the reg entry to re-direct the hosts file?
>
> (david)
>
> "Alister" <alister....@hotmail.co.uk> wrote in message
>
> news:7c4f7707-cc9a-48a8-a249-(E-Mail Removed)...
>
> > On Dec 12, 10:19 am, "david" <da...@nospam.au> wrote:
> >> I'm cleaning out an infected computer, and I've realised that it doesn't
> >> just have 'browser' hijacking, it has 'ping' hijacking as well: most
> >> sites
> >> (or many sites) are identified as 127.0.0.1. This is not DNS hijacking:
> >> NS
> >> lookup still works. It is not DNS client cache corruption: I've turned
> >> off
> >> the cache. I don't know what it is. I'm curious: What can you do to
> >> Windows
> >> to break networking at this level?
>
> >> (david)
>
> > Could be hosts file entries for common sites.
>
> > Alister

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\T cpip\Parameters
\DataBasePath

Alister

Nope, not that either.

It doesn't create a new connector either. When there is no network
the redirection is not in effect.

Oh well.

(david)

"Alister" <(E-Mail Removed)> wrote in message
news:f939e46d-e57b-4b9e-8ea7-(E-Mail Removed)...
> On Dec 14, 10:41 pm, "david" <da...@nospam.au> wrote:
>> Nope, the hosts file is clean, unless it has been re-directed. hmmmm...
>> what's the reg entry to re-direct the hosts file?
>>
>> (david)
>>
>> "Alister" <alister....@hotmail.co.uk> wrote in message
>>
>> news:7c4f7707-cc9a-48a8-a249-(E-Mail Removed)...
>>
>> > On Dec 12, 10:19 am, "david" <da...@nospam.au> wrote:
>> >> I'm cleaning out an infected computer, and I've realised that it
>> >> doesn't
>> >> just have 'browser' hijacking, it has 'ping' hijacking as well: most
>> >> sites
>> >> (or many sites) are identified as 127.0.0.1. This is not DNS
>> >> hijacking:
>> >> NS
>> >> lookup still works. It is not DNS client cache corruption: I've
>> >> turned
>> >> off
>> >> the cache. I don't know what it is. I'm curious: What can you do to
>> >> Windows
>> >> to break networking at this level?
>>
>> >> (david)
>>
>> > Could be hosts file entries for common sites.
>>
>> > Alister
>
> HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\T cpip\Parameters
> \DataBasePath
>
> Alister