Cannot access some websites after virus cleaning

Alex

Hi,

I experience huge issues with my laptop since I was infected by Virtumonde
earlier this week.

I managed to clean Virtumonde by using spybot, but even though the virus
seems to have disappeared, I still experience huge problems with Internet
browsing.

I can access some websites like Lenovo, FreeCall, Free, my router, my bank,

but I cannot access other websites such as www.lemonde.fr, linkedin,
facebook, oanda, smartmoney...

That's weird; it seems that a pipe is blocked or something is filtering the
DNS, only allowing some sites... but ping and resolving are OK!

I tried flushing DNS to no avail, I have cleared all my caches and temp
files to no avail, I have tried with deactivating the fw to no avail... I
don't know what to do...

I could not find anything on the Internet...

Here is the symptom: when I start www.facebook.com (or another website),
firefox displays Waiting for www.facebook.com... in the status bar and
nothing else happens....

The problem is also similar with IE7 and I cannot access Windows Update.

I tried upgrading to Firefox 3, but the problem remains. I am on Windows XP
OEM SP2... I am hesitating installing SP3, I don't think that would solve the
problem.

I checked my router and it seems OK, since other PC on the same router have
no problem accessing any website.

I think the mess was created when I tried to eradicate the virus... also my
MS Office seems corrupted; when I try to launch Excel, it asks for the CD.
Winword and Outlook are fine though.

I have been using Windows PCs for 15 years and I am an IT professional, but
that's the first time I see something like that. I am getting crazy...

Any help would be very much appreciated; do you think I should reinstall
Windows, or is there anything else I could try? Any kind of test to identify
the problem?

Cheers,

Alex
 
Alex

Update: I think I still have the virus. After a few minutes, I got a crash in
Firefox and the following message : WOWEXEC caused an access violation in
ntvdm.exe

Also Spybot informed me that a weird DLL wanted to register itself, I denied
it...

I don't know how to cure the problem for good... I tried many tools to fix
virtumonde to no avail...

Please help me to find the best option...

Alex
 
Erwin Moller

Alex wrote:
Hi,

I experience huge issues with my laptop since I was infected by Virtumonde
earlier this week.

I managed to clean Virtumonde by using spybot, but even though the virus
seems to have disappeared, I still experience huge problems with Internet
browsing.

I can access some websites like Lenovo, FreeCall, Free, my router, my bank,

but I cannot access other websites such as www.lemonde.fr, linkedin,
facebook, oanda, smartmoney...

That's weird; it seems that a pipe is blocked or something is filtering the
DNS, only allowing some sites... but ping and resolving are OK!

I tried flushing DNS to no avail, I have cleared all my caches and temp
files to no avail, I have tried with deactivating the fw to no avail... I
don't know what to do...

I could not find anything on the Internet...

Here is the symptom: when I start www.facebook.com (or another website),
firefox displays Waiting for www.facebook.com... in the status bar and
nothing else happens....

The problem is also similar with IE7 and I cannot access Windows Update.

I tried upgrading to Firefox 3, but the problem remains. I am on Windows XP
OEM SP2... I am hesitating installing SP3, I don't think that would solve the
problem.

I checked my router and it seems OK, since other PC on the same router have
no problem accessing any website.

I think the mess was created when I tried to eradicate the virus... also my
MS Office seems corrupted; when I try to launch Excel, it asks for the CD.
Winword and Outlook are fine though.

I have been using Windows PCs for 15 years and I am an IT professional, but
that's the first time I see something like that. I am getting crazy...

Any help would be very much appreciated; do you think I should reinstall
Windows, or is there anything else I could try? Any kind of test to identify
the problem?

Cheers,

Alex

Hi Alex,

I don't know what screwed up Office, but if you cannot reach some
websites, try this:
1) In C:\WINDOWS\system32\drivers\etc you will find a file named hosts.
(It has no extension.)
Open this in Notepad.

It should only contain a bunch of comments that start with # and:
127.0.0.1 localhost
unless you added more by hand.

Do you see more?
I am no virus expert, so I don't know the one you described, but some
malware likes to change your hosts file in such a way that it can fool you.
E.g., you type:
www.mybank.com

but you end up on a completely different site that tries to get your
login credentials.

Could that be your problem?
(If you are in doubt and see more entries than 127.0.0.1 localhost, just
delete them all.)

Regards,
Erwin Moller
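
Erwin's hosts-file check above, as an added example that is not part of the original thread: a small Python audit that lists every mapping other than the stock loopback `localhost` entry. The `audit_hosts` name and the sample file contents are constructed for illustration.

```python
import ipaddress

# Names that a stock hosts file may legitimately map to a loopback address.
EXPECTED_LOOPBACK_NAMES = {"localhost"}

def audit_hosts(text):
    """Return (line_no, address, hostname, verdict) for every mapping that is
    not the stock loopback -> localhost entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not entry:
            continue
        fields = entry.split()
        address, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, " ".join(names), "malformed"))
            continue
        for name in names:
            name = name.lower()
            if ip.is_loopback and name in EXPECTED_LOOPBACK_NAMES:
                continue                        # the one entry a clean file has
            # A loopback or unspecified target makes the name unreachable;
            # any other address sends the browser to a server the entry chose.
            blocked = ip.is_loopback or ip.is_unspecified
            findings.append((line_no, str(ip), name,
                             "blocked" if blocked else "redirected"))
    return findings

# Constructed sample, not taken from the thread: a stock file plus two added lines.
SAMPLE_HOSTS = """\
# stock comment lines
127.0.0.1       localhost
127.0.0.1       update.example.test   # name now resolves to this PC
203.0.113.10    www.mybank.com www.example.test
"""

if __name__ == "__main__":
    # On the PC itself, read C:\WINDOWS\system32\drivers\etc\hosts instead.
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

An empty result means the file holds only comments and the `localhost` mapping, which is the state Erwin describes as normal.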
 
Malke

Alex said:
Update: I think I still have the virus. After a few minutes, I got a crash
in Firefox and the following message : WOWEXEC caused an access violation
in ntvdm.exe

Also Spybot informed me that a weird DLL wanted to register itself, I
denied it...

I don't know how to cure the problem for good... I tried many tools to fix
virtumonde to no avail...

At this point you should get guided help from one of the specialty forums
listed below (in no particular order). Choose one, register, read its
posting FAQ, and post as directed. PLEASE DO NOT POST LOGS OF THIS SORT IN
THE MS NEWSGROUPS.

The alternative is to back up your data and return the computer to factory
condition using whatever method was provided by the laptop mftr. OR take
the machine to a local computer professional (who may do the same thing).

http://aumha.net/ - Click on the HijackThis forum. Read the announcement and
the stickies *first*.
http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://spywarewarrior.com/viewforum.php?f=5
http://forums.techguy.org/54-security/
http://forums.tomcoyote.org/

Malke
 
Alex

Hi,

Sorry, forgot to mention about host file:

-was using DNSAccelerator so my host file was full of websites (and perhaps
some crap too)
-deactivated my dnsaccelerator and deleted everything in the hosts file
yesterday
-now my hosts file is clean only localhost as you mentioned

But it seems that the virus is still present and causing trouble to IE and
Firefox....
Tried many fix tools to no avail

Do not see what to do... lost!

Alex
 
Alex

Hi Malke.

I registered and posted on Atribune.

Seems that my computer is still infected....

Consider this thread closed. Thanks.
 
Erwin Moller

Alex wrote:
Hi,

Sorry, forgot to mention about host file:

-was using DNSAccelerator so my host file was full of websites (and perhaps
some crap too)
-deactivated my dnsaccelerator and deleted everything in the hosts file
yesterday
-now my hosts file is clean only localhost as you mentioned

But it seems that the virus is still present and causing trouble to IE and
Firefox....
Tried many fix tools to no avail

Do not see what to do... lost!

Alex

Yeah, malware can be a real pain.
I never had a virus/keylogger/whatever that actually made it that far it
infected my PC ever in the 25 years I use computers now. :)
/me knocks on wood.

For what it is worth: the only tools I use lately are:
1) McAfee VirusScan (set to scan every file written to disk, which IS a
performance pain on low-end systems, but until now it kept my system clean.)
2) adaware.

I suggest you do something similar when your PC is up and running again.

I saw you went for advice to the virus help forums now.
If they cannot help you, my advice would be:
1) Back up your whole PC (not a system backup, but simply the files you need)
2) reinstall windows
3) install GOOD anti-virus software
4) Get the latest service packs in and all other Windows Update stuff
5) Never use IE, use FF instead.

Then have a look at your backed-up files, and place them on your new system.
If some of them are infected, your virus scanner will recognize them.

Hope that helps.

Good luck.
Regards,
Erwin Moller
 
PA Bear [MS MVP]

You'll most likely find that Vundo is still present, along with ZLOB and an
SDBot-variant, all protected by a rootkit. And chances are that Windows
Update and your anti-virus application aren't working.
 