Guest Alex Posted June 27, 2008

Hi,

I experience huge issues with my laptop since I was infected by Virtumonde earlier this week.

I managed to clean Virtumonde by using Spybot, but even though the virus seems to have disappeared, I still experience huge problems with Internet browsing.

I can access some websites like Lenovo, FreeCall, Free, my router, my bank, but I cannot access other websites such as http://www.lemonde.fr, linkedin, facebook, oanda, smartmoney...

That's weird, it seems that a pipe is blocked or something is filtering the DNS, only allowing some sites... but ping and resolving is OK!

I tried flushing DNS to no avail, I have cleared all my caches and temp files to no avail, I have tried deactivating the fw to no avail... I don't know what to do...

I could not find anything on the Internet...

Here is the symptom: when I start http://www.facebook.com (or another website), Firefox displays "Waiting for http://www.facebook.com..." in the status bar and nothing else happens....

The problem is also similar with IE7 and I cannot access Windows Update.

I tried upgrading to Firefox 3, but the problem remains. I am on Windows XP OEM SP2... I am hesitant to install SP3, I don't think that would solve the problem.

I checked my router and it seems OK, since other PCs on the same router have no problem accessing any website.

I think the mess was created when I tried to eradicate the virus... also my MS Office seems corrupted: when I try to launch Excel, it asks for the CD. Winword and Outlook are fine though.

I have been using Windows PCs for 15 years and I am an IT professional, but that's the first time I see something like that. I am going crazy...

Any help would be very much appreciated; do you think I should reinstall Windows, or is there anything else I could try? Any kind of test to identify the problem?

Cheers,

Alex

--
Alex

Guest Alex Posted June 27, 2008
RE: Cannot access some websites after virus cleaning

Update: I think I still have the virus. After a few minutes, I got a crash in Firefox and the following message: WOWEXEC caused an access violation in ntvdm.exe

Also Spybot informed me that a weird DLL wanted to register itself, I denied it...

I don't know how to cure the problem for good... I tried many tools to fix Virtumonde to no avail...

Please help me to find the best option...

Alex

--
Alex

Guest Erwin Moller Posted June 27, 2008
Re: Cannot access some websites after virus cleaning

Hi Alex,

I don't know what screwed up Office, but if you cannot reach some websites, try this:

1) In C:\WINDOWS\system32\drivers\etc you will find a file named hosts. (It has no extension.) Open this in Notepad.

It should only contain a bunch of comments that start with # and:
127.0.0.1 localhost
unless you added more by hand.

Do you see more?
I am no virus expert, so I don't know the one you described, but some malware likes to change your hosts file in such a way that it can fool you. E.g., you type:
http://www.mybank.com
but you end up on a completely different site that tries to get your login credentials.

Could that be your problem?
(If you are in doubt and see more entries than 127.0.0.1 localhost, just delete them all.)

Regards,
Erwin Moller

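Added example (not part of Erwin Moller's post or of the thread): a Python version of the hosts-file check described above, listing every entry other than the default localhost mapping so each one can be reviewed. The sample file contents, the hostnames in it and the function names `parse_hosts` and `audit_hosts` are constructed for illustration.

```python
import ipaddress

# Constructed sample of a tampered hosts file (not taken from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       update.example-av.test    # security site pointed at loopback
203.0.113.7     www.mybank.example mybank.example
0.0.0.0         windowsupdate.example.test
not-an-ip       broken.example
"""

# The only mappings a stock hosts file is expected to carry.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Yield (line_no, address, hostnames) for each non-comment, non-blank line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        yield line_no, fields[0], [h.lower().rstrip(".") for h in fields[1:]]


def audit_hosts(text):
    """Return (line_no, kind, address, hostname) for every non-default entry."""
    findings = []
    for line_no, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((line_no, "malformed", addr, " ".join(names)))
            continue
        for name in names:
            if (str(ip), name) in DEFAULT_ENTRIES:
                continue
            # Loopback/0.0.0.0 makes the name unreachable (blocklist tools add
            # such lines too, so review them); any other address pins the name
            # to a server chosen by whoever wrote the line.
            kind = "blocked" if ip.is_loopback or ip.is_unspecified else "redirected"
            findings.append((line_no, kind, str(ip), name))
    return findings


if __name__ == "__main__":
    # To audit a real machine, read C:\WINDOWS\system32\drivers\etc\hosts instead.
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %-10s %-15s %s" % finding)
```

An empty result means the file holds nothing beyond comments and the localhost line, which is the state the post describes as expected.
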
Guest Malke Posted June 27, 2008
RE: Cannot access some websites after virus cleaning

Alex wrote:

> Update: I think I still have the virus. After a few minutes, I got a crash
> in Firefox and the following message : WOWEXEC caused an access violation
> in ntvdm.exe
>
> Also Spybot informed me that a weird DLL wanted to register itself, I
> denied it...
>
> I don't know how to cure the problem for good... I tried many tools to fix
> virtumonde to no avail...

At this point you should get guided help from one of the specialty forums listed below (in no particular order). Choose one, register, read its posting FAQ, and post as directed. PLEASE DO NOT POST LOGS OF THIS SORT IN THE MS NEWSGROUPS.

The alternative is to back up your data and return the computer to factory condition using whatever method was provided by the laptop mftr. OR take the machine to a local computer professional (who may do the same thing).

http://aumha.net/ - Click on the HijackThis forum. Read the announcement and the stickies *first*.
http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://spywarewarrior.com/viewforum.php?f=5
http://forums.techguy.org/54-security/
http://forums.tomcoyote.org/

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
FAQ - http://www.elephantboycomputers.com/#FAQ

Guest Alex Posted June 27, 2008
Re: Cannot access some websites after virus cleaning

Hi,

Sorry, forgot to mention about host file:

- was using DNSAccelerator so my host file was full of websites (and perhaps some crap too)
- deactivated my dnsaccelerator and deleted everything in the hosts file yesterday
- now my hosts file is clean, only localhost as you mentioned

But it seems that the virus is still present and causing trouble to IE and Firefox....
Tried many fix tools to no avail

Do not see what to do... lost!

Alex

--
Alex

Guest Alex Posted June 27, 2008
RE: Cannot access some websites after virus cleaning

Hi Malke.

I registered and posted on Atribune.

Seems that my computer is still infected....

Consider this thread closed. Thanks.

--
Alex

Guest Erwin Moller Posted June 27, 2008
Re: Cannot access some websites after virus cleaning

Alex wrote:

> Hi,
>
> Sorry, forgot to mention about host file:
>
> -was using DNSAccelerator so my host file was full of websites (and perhaps
> some crap too)
> -deactivated my dnsaccelerator and deleted everything in the hosts file
> yesterday
> -now my hosts file is clean only localhost as you mentioned
>
> But it seems that the virus is still present and causing trouble to IE and
> Firefox....
> Tried many fix tools to no avail
>
> Do not see what to do... lost!
>
> Alex

Yeah, malware can be a real pain.
I never had a virus/keylogger/whatever that actually made it so far that it infected my PC, ever, in the 25 years I have been using computers now. :-)
/me knocks on wood.

For what it is worth, the only tools I use lately are:
1) McAfee VirusScan (set to scan every file written to disk, which IS a performance pain on low-end systems, but until now it kept my system clean.)
2) adaware.

I suggest you do something similar when your PC is up and running again.

I saw you went for advice to the virus help forums now.
If they cannot help you, my advice would be:
1) Back up your whole PC (not a system backup, but simply the files you need)
2) Reinstall Windows
3) Install GOOD anti-virus software
4) Get the latest service packs in and all other Windows Update stuff
5) Never use IE, use FF instead.

Then have a look at your backed-up files, and place them on your new system. If some of them are infected, your virus scanner will recognize them.

Hope that helps.
Good luck.

Regards,
Erwin Moller

Guest PA Bear [MS MVP] Posted June 27, 2008
Re: Cannot access some websites after virus cleaning

You'll most likely find that Vundo is still present, along with ZLOB and an SDBot-variant, all protected by a rootkit. And chances are that Windows Update and your anti-virus application aren't working.