• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 973
  • Last Modified:

I can only surf the internet in Safe Mode with Networking

Ok, this has me STUMPED... the details...

I have a severe problem that began yesterday morning... days before that, I was alerted that I had Backdoor.Graybird (a low risk trojan) on my computer...

the details:

-I have 100% connectivity, does not say limited, it claims to be fully connected. Yet, I open a browser or use the connection, and nothing... If i boot into safe mode with networking, I get all the internet I want!

-I am not connected through a router, just directly to a cable modem... also, I have tried nearby wireless connections on different ISPs (making sure only ONE connection is running at a time) and the exact same problem happens.

-I have run my Symantec anti-virus, ad-aware, spybot all normally, and in safe mode... here are the results...
      Symantec: says Backdoor.Graybird is found but cannot quarantine or delete (in safe mode or not)
      Ad-aware 2008 (updated fully) blue screens with 0x0000008E not long into the scan
      Spybot has similar results as semantic

-after searching extensively I have done these tips and here are the results
     -check the TCP/IP check box under connection properties, it is checked
     -"ipconfig -release/-renew" works fine in the command prompt
     -"ipconfig /flushdns" works, and successfully flushes
     -the "ping" command does not work! either times out or cannot locate
     -I have clicked "repair" on my network icon, and it says unable to refresh the IP address
     -I have run the program "SmitfraudFix" which comes bundled with the winsock fix

about Backdoor.Graybird:

-I have followed the instructions on the Symantec site for removing this particular virus, as well as on the "http://www.uninstall-spyware.com/uninstallBackdoorGrayBird.html" site... and non of the .dlls or processes were running, nor did any of the registry entries exist...

UPDATE: I called the ISP again, and they said that they think the reason is because whenever they see me logged on my uploads are insanely high (forgot the numbers, but high enough for me to get no connection)... Now I do NOT use any peer2peer as this is a work computer, and the connection is strictly the modem to my computer, no router involved... and the same thing happens on other connections too.... think im under attack?
3 Solutions
Andres PeralesCommented:
I would have you machine reimaged if it were a work computer and I was running that IT department....anyways are there any other machines in your home network that could possibly be infected as well?
gekko3558Author Commented:
Not to my knowledge, I part of the IT department and this is actually for an outside member's computer... We are trying to avoid him having to ship it all the way back to us and loosing days of work... last resort is that I am going to remotely access it and try to kill processes and try to isolate the problem
What does a HijackThis log say when he runs it?
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

WakeupSpecialist 1Commented:
HJT is a great option post a log up...lets see what you got.  

Norton is not a real good AV anymore these days.  
Not to mention it's more of just a virus scanner and not Spyware as well.  It will catch some but not enuff.

You can try also running Superantispyware.
You may also try running Combofix.exe too and post the log from that as well.  
Just be careful running combofix.exe, I suggest running this as a last resort.  That can cause issues and not easily recovered.  But usually works well in most cases.
gekko3558Author Commented:
before I run HJT, I have noticed a "myRAT.rmvb" and it will not let me deleted no matter what... :-/
gekko3558Author Commented:
here are 2 different HJT logs... one with the network connections disabled, and the other with the LAN connection enabled and "connected" to the internet... hope this helps
These entries/files below are similar to a variant of SDBot, try running SDFix.exe.
Are all those URLs in the Trusted Zone added in purpose? I would fix them if not.

These smss.exe and services.exe are running from a non-default location check them out and delete them.
C:\WINDOWS\system32\shared <-- check what other files are in this folder.
O23 - Service: Active Directory Helper (ADHelper) - Unknown owner - C:\WINDOWS\system32\shared\smss.exe
O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINDOWS\system\dllhost.exe (file missing)

Download SDFix and save it to your desktop.(either one below)

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer that normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and attach the contents of the results file "Report.txt" back
gekko3558Author Commented:
how would i change the trusted zone sites?
also, when booting into safe mode, can I use safe-mode with networking?
>>>how would i change the trusted zone sites?<<<

Sometimes when we install an application, it adds that programs site in the trusted zone, sometimes a user add sites in the Trusted zone purposely IF there's a problem in accessing that particular site.
Personally I don't add any sites in my Trusted Zone as these will give those sites more permission to do things than they would usually have.
To remove those sites from your Trusted Zone, you just need to run Hijackthis and checkmark those entries and click "Fix checked':

>>>when booting into safe mode, can I use safe-mode with networking?<<<

I'm not keen on safe mode with networking, safe mode is for troubleshooting, and it's not a good idea to connect online as your security programs won't be protecting you.
gekko3558Author Commented:
update and problem solved!

we searched the windows folder and sorted by date modified and found 30+ configs inis dlls and others created the exact day that he found the virus... after manually removing those we then went through the services and found around 7 out of place names that we disabled

lastly, and thanks to rpggamergirl, I managed to find that "shared" folder, and noticed the only 2 .exes inside were created at the moment he originally lost his internet!!

Thanks a ton for the help and suggestions!
Glad to know it's been resolved.

Good job in finding and deleting those bad files.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now