Okay, I'm stumped and my tech friend is stumped. Maybe you won't be?
December 30, 2010 1:56 PM

Why does my computer believe that all sites aside from Google Mail and Google Talk do not exist?

Dell running Windows Vista, virus-protected and up-to-date. Firefox 3.6.13 displays GMail and GChat but loads only a blank white page for all other sites; IE gives me "this page cannot be displayed" for every site I checked, including GMail. The admin account (my primary account) is the only account affected; I can log into a guest account and see the entire internet.

Other info:
  • Prior to leaving for Christmas, my internet was working fine. I took my computer apart, put it in the closet to deter thieves, and went away for a week. When I returned and set it back up exactly as it had been before, Firefox would only view Google Mail; Google Talk works within browser and as a separate program. Appropriate care was taken in the moving of said computer and I have no reason to believe I damaged anything.
  • No other programs can access the internet from my admin account. Curse is borked, Pidgin is borked, Windows updates are borked, etc. Google Talk works fine.
  • Despite GMail and GChat working, www.google.com, maps.google.com, and calendar.google.com are blank-white as the rest of the internet.
  • My netbook can access all sites on the internet using both the ethernet connection and the wireless network.
  • The problem does not affect the guest account on my Dell, which is how I'm able to post this.
  • I'm able to ping sites from the admin account and get responses. These sites do not load in either Firefox or IE when I try.
  • Comcast cable modem. But I don't think the connection itself is the issue, as evidenced by the netbook and guest account being fine.
Ideas? Anything? I spent several hours working on IPv4 and IPv6 configurations and the Windows diagnostics, then spent an hour on the phone with a more tech-savvy friend who was frankly baffled by this behavior. I will be extremely happy to provide more information as requested.
posted by athenasbanquet to Technology (10 answers total) 2 users marked this as a favorite
 
Did you install PeerBlock recently? This exact thing happened to me when I installed PeerBlock and misconfigured it.
posted by griphus at 1:59 PM on December 30, 2010 [1 favorite]


There are other things to try, but you've proved that DNS and internet connectivity are working on the network, and that they are also working on other accounts on the same PC. The only thing that's left is the specific user account profile.

The first thing to do would be to run MSCONFIG and check the startup tab for anything that isn't Microsoft or well-known to you. Post it here, or have the tech savvy friend take a look. (Although if they haven't done this step already I might try having a more savvy friend take a look.)
posted by anti social order at 2:23 PM on December 30, 2010


Response by poster: No PeerBlock.

MSCONFIG lists (Manufacturer in parentheses):
  • Adobe Updater Startup Utility (Adobe Systems Incorp.)
  • Adobe Acrobat (Adobe)
  • SBSV 2010/02/19-11:02:07 (Adobe)
  • Adobe CS5 Service Manager (Adobe)
  • Catalyst (R) Control Center (Advanced Micro Devices, Inc.)
  • QuickTime (Apple Inc.)
  • iTunes (Apple Inc.)
  • Google Talk (Google)
  • GoogleToolbarNotifier (Google)
  • hpwuSchd Application (Hewlett-Packard)
  • HpqSRmon Application (Hewlett-Packard)
  • hp digital imaging - hp all-in-one series (Hewlett-Packard)
  • IDT PC Audio (IDT, Inc.)
  • RAID Event Monitor (Intel)
  • InstallShield (Macrovision)
  • McAfee SecurityCenter (McAfee)
  • Windows Defender (Microsoft)
  • Microsoft Windows Operating System (Microsoft)
  • Skype (Skype)
  • CommonSDK (Sonic Solutions)
  • Sony Ericsson PC Suite (Sony Ericsson)
  • Dell Dock (Stardock Corporation)
  • Java(TM) Platform SE 6 U13 (Sun Microsystems)
These following are all from an unknown manufacturer.
  • confhost (2 entries, both with command "C:\Users\$Username\AppData\Roaming\Microsoft\conhost.exe" and location "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run". I tried unchecking these and restarting; one stayed unchecked and the other was re-checked on startup.)
  • DataSafeOnline (2 entries)
  • CurseClientStartup
  • mefkrkxh (Command "C:\Users\$Username\AppData\Local\pstpmfntl\nwkpugwtssd.exe" and location "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run". Turned this off and restarted; internet problem persists.)
  • WNDA3100v2 Application
The other anomalous thing that I've seen since taking it back out of the closet is that on startup I get a pair of pop-up windows, both reading "Security Alert: Revocation Information for the security certificate for this site is not available. Do you want to proceed? Yes/No/View Certificate". Certificate is issued to smetrics.skype.com. I'm not sure if this is a symptom or a cause of the underlying issue - I suspect the former.

Thanks for the help--I can't tell you how much I appreciate it.
posted by athenasbanquet at 4:05 PM on December 30, 2010


Best answer: An acquaintance had a similar problem with XP. The underlying diagnostic was that Proxy was set. Specifically it forwarded http but not https connections to a localhost port. This, despite an up-to-date antivirus, was the work of a virus. In Firefox, try Tools > Options... > Network > Settings. One should also check however Vista sets system-wide and IE proxy.

If a manual proxy is set inappropriately, and then when cleared returns after a reboot, that's a virus. If you see something inappropriate for Proxy, google for that info or check back here.

The case I saw would have silently snooped http traffic, but the virus did not set up the proxy properly and so in effect just blocked http. This involved the Backdoor:Win32/Cycbot.B.
posted by gregoreo at 4:11 PM on December 30, 2010
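
The proxy check described in the answer above, combined with a look at the per-user Run key the poster listed, as an added example that is not part of the original thread. It is read-only and covers only the system-wide/IE (WinINET) proxy, not Firefox's own setting; both locations it reads are under HKCU, which is consistent with the guest account being unaffected. The function name and the sample proxy string at the end are constructed for illustration.

```powershell
# Added example: read-only audit of the CURRENT USER's proxy and autorun settings.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$run  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

function Get-LoopbackProxyEntry {
    param([string]$ProxyServer)
    # ProxyServer is "host:port" (all protocols) or a per-protocol list
    # such as "http=127.0.0.1:8080;https=proxy.example:3128".
    foreach ($part in ($ProxyServer -split ';')) {
        $part = $part.Trim()
        if (-not $part) { continue }
        $scheme = 'all'; $target = $part
        if ($part -match '^([^=]+)=(.+)$') { $scheme = $Matches[1]; $target = $Matches[2] }
        $target = $target -replace '^[a-z]+://', ''
        # Emit only entries that send traffic back to this machine.
        if ($target -match '^(127(\.\d{1,3}){3}|localhost|\[::1\])(:\d+)?$') {
            [pscustomobject]@{ Scheme = $scheme; Target = $target }
        }
    }
}

# 1. WinINET proxy (used by IE and by programs that follow the system setting).
$s = Get-ItemProperty -Path $inet
'ProxyEnable={0} ProxyServer={1} AutoConfigURL={2}' -f $s.ProxyEnable, $s.ProxyServer, $s.AutoConfigURL
if ($s.ProxyEnable -eq 1 -and $s.ProxyServer) {
    Get-LoopbackProxyEntry $s.ProxyServer | ForEach-Object {
        Write-Warning "Proxy for '$($_.Scheme)' points at this machine: $($_.Target)"
    }
}

# 2. Per-user autoruns whose command lives under the user's AppData folders.
#    Legitimate software also starts from there, so these are entries to review.
$key = Get-Item -Path $run -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        $cmd = [string]$key.GetValue($name)
        foreach ($root in @($env:APPDATA, $env:LOCALAPPDATA)) {
            if ($root -and $cmd.IndexOf($root, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
                Write-Warning "Review autorun '$name': $cmd"
                break
            }
        }
    }
}

# Constructed sample showing what a flagged value looks like (the port is made up).
Get-LoopbackProxyEntry 'http=127.0.0.1:8080;https=proxy.example:3128'
```

Run it from the affected account, clear any unexpected proxy, reboot, and run it again: a value that comes back is the reinstatement behaviour the answer describes.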


Response by poster: NUTS! gregoreo has it; I just did a scan with Windows Defender and it picked up Backdoor:Win32/Cycbot.B. I feel so dirty. (Also confused; McAfee is up to date and the firewall on. I don't download random programs or open attachments and suchlike.)

I've updated the definitions for Windows Defender and told it to remove the nastiness. What else do I need to do? Threat Expert tells me there's a list of files created and registry keys changed; do I need to do this manually or has Windows Defender taken care of it?
posted by athenasbanquet at 4:43 PM on December 30, 2010


Best answer: I feel so dirty. (Also confused; McAfee is up to date and the firewall on. I don't download random programs or open attachments and suchlike.)

In my experience, both McAfee and Windows Defender are useless chunks of shit. Turning Defender off on a Vista box causes more nagging than it's worth, so leave that on. Uninstall McAfee, clean up your box using the instructions from deezil's profile, then install Panda Cloud Antivirus.
posted by flabdablet at 5:41 PM on December 30, 2010


No antivirus is 100%, and all of them need continuous updates to keep up with new and mutated viruses and malware.
posted by ZeusHumms at 5:07 AM on December 31, 2010


I've heard that the new Microsoft Security Essentials 2 is very good. In typical MS fashion, it takes them 5 years, but they eventually get it right.
posted by COD at 6:07 AM on December 31, 2010


Best answer: Condolences. I've seen much worse infections, but this one was no fun.

MS Security Essentials also worked in the case I investigated, both in ID'ing the malware (not precisely a virus) and in removing it. But given classic virus behavior--proxy security settings reset without user action--I was prepared to keep trying at least free AV products until I got a hit, and to continue isolation of the infected computer by means of a very tight external firewall inserted to detect and block suspicious traffic. There were indications the infection was present about a week before it was noticed, but the online info suggests a web link would have done it.

There are several files and registry settings to remove in a certain order, so one component doesn't reinstate the others. This assumes you received the same delivery agent and payload as I observed and want to check manually in addition to cleaning from MS SE or another AV tool. This MS page is as good as several with details. The usual advice applies: make a backup; strongly consider a bare metal rebuild; for at least a couple of weeks run under a harsh firewall and review "call out" attempts; review web history for likely sources of this problem (start by checking dates on the shell.exe, svchost.exe, and stor.cfg files); report results to AV authorities, typically by means provided in the AV tool.
posted by gregoreo at 6:51 AM on December 31, 2010


I would like to suggest that when you downloaded a WoW addon with CurseClient that was the source of your infection. Or that at least has been my experience.
posted by ptm at 3:30 PM on January 1, 2011

