Can't figure this virus out

JN

I don't know if the computer I am trying to fix just had AntiVirusXP2008 or
something more. I have found the manual removal instructions for AVXP and
that seemed to work except the computer cannot access a whole host of sites.

Mcafee.com
Symantec.com
windowsupdate.microsoft.com
PandaSecurity.com
And so on.

I can ping the sites fine and tracert fine but when I try to go to them in
IE7 a couple of strange things happen. First, when I try Mcafee.com it
brings me to a google search result page as if I did a google search for
mcafee.com. Then if I click on Mcafee.com link in those results IE7 will
give me the error page as if I were not connected to the Internet.

If I try Symantec, Windows Update, Panda Security, or a few other sites I
just get the standard not connected to the Internet page from IE7. Other
sites like going to IBM, Google, MSN, etc appear to be working fine.

I have checked the Hosts file to see if this was altered, but it is OK and I
also checked to make sure my DNS server settings were not hijacked and they
were OK showing my ISP's DNS servers. I wanted to be sure it was not the
site so instead of going to PandaSecurity.com and getting blocked I went to
the IP address and was able to browse the site fine. I also ran LSPFix.exe
and there were not any additional protocols installed and HijackThis did not
show any BHOs or anything

I have tried to reinstall Panda AV, however it will not restart on reboot.
It is obvious that something is blocking it. This is obviously specifically
blocking Anti-virus programs and sites.

Yes, I could just format this computer, but what fun is that.
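
The hosts-file check mentioned in the post above can be scripted. This is an added example, not part of the original thread: it scans hosts-file text for entries that pin the blocked domains (or their subdomains) to any address. The function name and the sample file contents are constructed for illustration; on Windows the real file is `%SystemRoot%\System32\drivers\etc\hosts`.

```python
import ipaddress

# Domains the post reports as blocked (taken from the thread).
WATCHED = ("mcafee.com", "symantec.com", "windowsupdate.microsoft.com",
           "pandasecurity.com")

def audit_hosts(text, watched=WATCHED):
    """Return (line_no, address, hostname) for every hosts entry that
    pins a watched domain, or one of its subdomains, to an address."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(entry) < 2:
            continue                           # blank or address-only line
        address, names = entry[0], entry[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue                           # not an address, skip the line
        for name in names:
            host = name.lower().rstrip(".")    # case-insensitive, drop root dot
            if any(host == d or host.endswith("." + d) for d in watched):
                findings.append((line_no, address, host))
    return findings

# Constructed sample, not taken from the poster's machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.McAfee.com  liveupdate.symantec.com   # constructed
192.0.2.10      windowsupdate.microsoft.com.
10.0.0.5        fileserver      # mcafee.com in a comment is ignored
"""

if __name__ == "__main__":
    for line_no, address, host in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {address}")
```

An empty result, as the poster reports for this machine, rules out only the hosts file; the interference then has to be somewhere else on the system.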
 
Re: Can't figure this virus out

JN wrote:

> I don't know if the computer I am trying to fix just had AntiVirusXP2008
> or
> something more. I have found the manual removal instructions for AVXP and
> that seemed to work except the computer cannot access a whole host of
> sites.
>
> Mcafee.com
> Symantec.com
> windowsupdate.microsoft.com
> PandaSecurity.com
> And so on.
>
> I can ping the sites fine and tracert fine but when I try to go to them in
> IE7 a couple of strange things happen. First, when I try Mcafee.com it
> brings me to a google search result page as if I did a google search for
> mcafee.com. Then if I click on Mcafee.com link in those results IE7 will
> give me the error page as if I were not connected to the Internet.
>
> If I try Symantec, Windows Update, Panda Security, or a few other sites I
> just get the standard not connected to the Internet page from IE7. Other
> sites like going to IBM, Google, MSN, etc appear to be working fine.
>
> I have checked the Hosts file to see if this was altered, but it is OK and
> I also checked to make sure my DNS server settings were not hijacked and
> they
> were OK showing my ISP's DNS servers. I wanted to be sure it was not the
> site so instead of going to PandaSecurity.com and getting blocked I went
> to
> the IP address and was able to browse the site fine. I also ran
> LSPFix.exe and there were not any additional protocols installed and
> HijackThis did not show any BHOs or anything
>
> I have tried to reinstall Panda AV, however it will not restart on reboot.
> It is obvious that something is blocking it. This is obviously
> specifically blocking Anti-virus programs and sites.


Sounds like your computer isn't clean. Unfortunately, some XP Antivirus
infections also include Vundo and/or SDBot trojans, all protected by a
rootkit. Since you didn't specify what manual removal steps you did, here
are my usual instructions about these sorts of infections. My guess is that
you should go for the guided help at this point.

Here are removal steps:

http://www.bleepingcomputer.com/malware-removal/uninstall-antivirus-2009
http://www.bleepingcomputer.com/forums/topic154529.html (earlier versions)

Bleeping Computer removal how-to's -
http://www.bleepingcomputer.com/forums/forum55.html

These may work for you and all may be well. However, in many cases the
computer will also be infected with Zlob and/or Vundo trojans and protected
by a rootkit. These machines are extremely difficult to clean.

If your machine is one of these cases, either get guided help at one of the
specialty forums below OR back up your data and do a clean install of
Windows. It is your choice. If you are unsure how to back up your data or
how to do a clean install, you can take your machine to a local computer
professional. I don't recommend using BigComputerStore/GeekSquad types of
places.

PLEASE DO NOT POST LOGS IN THE MS NEWSGROUPS.

http://aumha.org/downloads/hijackthis.zip
http://aumha.net/ - Click on the HijackThis forum. Read the announcement and
the stickies *first*.
http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://www.malwarebytes.org/forums/index.php?showforum=7
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://spywarewarrior.com/viewforum.php?f=5
http://forums.techguy.org/54-security/
http://forums.tomcoyote.org/
http://www.thespykiller.co.uk/index.php?board=3.0
http://forums.subratam.org/index.php?showforum=7

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
FAQ - http://www.elephantboycomputers.com/#FAQ
 
Re: Can't figure this virus out

From: "JN" <me@here.com>

| I don't know if the computer I am trying to fix just had AntiVirusXP2008 or
| something more. I have found the manual removal instructions for AVXP and
| that seemed to work except the computer cannot access a whole host of sites.

| Mcafee.com
| Symantec.com
| windowsupdate.microsoft.com
| PandaSecurity.com
| And so on.

| I can ping the sites fine and tracert fine but when I try to go to them in
| IE7 a couple of strange things happen. First, when I try Mcafee.com it
| brings me to a google search result page as if I did a google search for
| mcafee.com. Then if I click on Mcafee.com link in those results IE7 will
| give me the error page as if I were not connected to the Internet.

| If I try Symantec, Windows Update, Panda Security, or a few other sites I
| just get the standard not connected to the Internet page from IE7. Other
| sites like going to IBM, Google, MSN, etc appear to be working fine.

| I have checked the Hosts file to see if this was altered, but it is OK and I
| also checked to make sure my DNS server settings were not hijacked and they
| were OK showing my ISP's DNS servers. I wanted to be sure it was not the
| site so instead of going to PandaSecurity.com and getting blocked I went to
| the IP address and was able to browse the site fine. I also ran LSPFix.exe
| and there were not any additional protocols installed and HijackThis did not
| show any BHOs or anything

| I have tried to reinstall Panda AV, however it will not restart on reboot.
| It is obvious that something is blocking it. This is obviously specifically
| blocking Anti-virus programs and sites.

| Yes, I could just format this computer, but what fun is that.



You probably are still infected with the RootKit payload that often accompanies this.



Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

Then post the contents of the HJT log in your post in one of the below expert forums...

{ Please - Do NOT post the HJT Log here ! }

Forums where you can get expert advice for HiJack This! (HJT) Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
Re: Can't figure this virus out

Have you tried Malwarebytes? www.malwarebytes.com

If not, give it a try!

HTH

Dave

--
"JN" <me@here.com> wrote in message news:%237hx93aHJHA.1432@TK2MSFTNGP04.phx.gbl...
>I don't know if the computer I am trying to fix just had AntiVirusXP2008 or something more. I have
>found the manual removal instructions for AVXP and that seemed to work except the computer cannot
>access a whole host of sites.
>
> Mcafee.com
> Symantec.com
> windowsupdate.microsoft.com
> PandaSecurity.com
> And so on.
>
> I can ping the sites fine and tracert fine but when I try to go to them in IE7 a couple of strange
> things happen. First, when I try Mcafee.com it brings me to a google search result page as if I
> did a google search for mcafee.com. Then if I click on Mcafee.com link in those results IE7 will
> give me the error page as if I were not connected to the Internet.
>
> If I try Symantec, Windows Update, Panda Security, or a few other sites I just get the standard
> not connected to the Internet page from IE7. Other sites like going to IBM, Google, MSN, etc
> appear to be working fine.
>
> I have checked the Hosts file to see if this was altered, but it is OK and I also checked to make
> sure my DNS server settings were not hijacked and they were OK showing my ISP's DNS servers. I
> wanted to be sure it was not the site so instead of going to PandaSecurity.com and getting blocked
> I went to the IP address and was able to browse the site fine. I also ran LSPFix.exe and there
> were not any additional protocols installed and HijackThis did not show any BHOs or anything
>
> I have tried to reinstall Panda AV, however it will not restart on reboot. It is obvious that
> something is blocking it. This is obviously specifically blocking Anti-virus programs and sites.
>
> Yes, I could just format this computer, but what fun is that.
>
>
>
 