I can only surf the internet in Safe Mode with Networking

Posted on 2008-06-18
Medium Priority
Last Modified: 2011-10-19
Ok, this has me STUMPED... the details...

I have a severe problem that began yesterday morning... days before that, I was alerted that I had Backdoor.Graybird (a low risk trojan) on my computer...

the details:

-I have 100% connectivity, does not say limited, it claims to be fully connected. Yet, I open a browser or use the connection, and nothing... If I boot into safe mode with networking, I get all the internet I want!

-I am not connected through a router, just directly to a cable modem... also, I have tried nearby wireless connections on different ISPs (making sure only ONE connection is running at a time) and the exact same problem happens.

-I have run my Symantec anti-virus, ad-aware, spybot all normally, and in safe mode... here are the results...
      Symantec: says Backdoor.Graybird is found but cannot quarantine or delete (in safe mode or not)
      Ad-aware 2008 (updated fully) blue screens with 0x0000008E not long into the scan
      Spybot has similar results as Symantec

-after searching extensively I have done these tips and here are the results
     -check the TCP/IP check box under connection properties, it is checked
     -"ipconfig -release/-renew" works fine in the command prompt
     -"ipconfig /flushdns" works, and successfully flushes
     -the "ping" command does not work! it either times out or cannot locate
     -I have clicked "repair" on my network icon, and it says unable to refresh the IP address
     -I have run the program "SmitfraudFix" which comes bundled with the winsock fix

about Backdoor.Graybird:

-I have followed the instructions on the Symantec site for removing this particular virus, as well as on the "http://www.uninstall-spyware.com/uninstallBackdoorGrayBird.html" site... and none of the .dlls or processes were running, nor did any of the registry entries exist...

UPDATE: I called the ISP again, and they said that they think the reason is because whenever they see me logged on my uploads are insanely high (forgot the numbers, but high enough for me to get no connection)... Now I do NOT use any peer2peer as this is a work computer, and the connection is strictly the modem to my computer, no router involved... and the same thing happens on other connections too.... think I'm under attack?
Question by:gekko3558
LVL 17

Expert Comment

by:Andres Perales
ID: 21816182
I would have your machine reimaged if it were a work computer and I was running that IT department....anyways are there any other machines in your home network that could possibly be infected as well?

Author Comment

ID: 21816270
Not to my knowledge, I'm part of the IT department and this is actually for an outside member's computer... We are trying to avoid him having to ship it all the way back to us and losing days of work... last resort is that I am going to remotely access it and try to kill processes and try to isolate the problem

Expert Comment

ID: 21816755
What does a HijackThis log say when he runs it?

LVL 18

Assisted Solution

Wakeup earned 80 total points
ID: 21816907
HJT is a great option, post a log up... let's see what you got.

Norton is not a real good AV anymore these days.  
Not to mention it's more of just a virus scanner and not Spyware as well.  It will catch some but not enough.

You can try also running Superantispyware.
You may also try running Combofix.exe too and post the log from that as well.  
Just be careful running combofix.exe, I suggest running this as a last resort.  That can cause issues and not easily recovered.  But usually works well in most cases.

Author Comment

ID: 21817396
before I run HJT, I have noticed a "myRAT.rmvb" and it will not let me delete it no matter what... :-/

Author Comment

ID: 21817613
here are 2 different HJT logs... one with the network connections disabled, and the other with the LAN connection enabled and "connected" to the internet... hope this helps
LVL 47

Assisted Solution

rpggamergirl earned 400 total points
ID: 21818489
These entries/files below are similar to a variant of SDBot, try running SDFix.exe.
Are all those URLs in the Trusted Zone added on purpose? I would fix them if not.

These smss.exe and services.exe are running from a non-default location, check them out and delete them.
C:\WINDOWS\system32\shared <-- check what other files are in this folder.
O23 - Service: Active Directory Helper (ADHelper) - Unknown owner - C:\WINDOWS\system32\shared\smss.exe
O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINDOWS\system\dllhost.exe (file missing)

Download SDFix and save it to your desktop.(either one below)

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* Open the extracted folder and double click "RunThis.bat" to start the script.
* Type "Y" to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and attach the contents of the results file "Report.txt" back.
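The O23 check rpggamergirl describes above (a core Windows binary name such as smss.exe running from a non-default folder, or a service whose file is missing), written up as an added example that is not part of the thread: a small Python triage script that parses HijackThis O23 service lines and lists the ones worth checking by hand. The expected-directory table and the two benign sample lines are assumptions constructed for the example; the two flagged lines are the ones quoted in the answer.

```python
import re
# Core Windows binary names malware often copies, each mapped to the directory it
# legitimately runs from on Windows XP (assumed for this example).
EXPECTED_DIR = {n: r"c:\windows\system32"
                for n in ("smss.exe", "services.exe", "dllhost.exe", "svchost.exe")}

# HijackThis O23 layout: O23 - Service: <display> (<short name>) - <owner> - <path>
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Constructed sample log: the two lines quoted in the thread plus two benign
# entries made up for the example ("Unknown owner" on a real svchost is common).
SAMPLE_LOG = [
    r"O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\WINDOWS\system32\svchost.exe",
    r"O23 - Service: Symantec AntiVirus (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe",
    r"O23 - Service: Active Directory Helper (ADHelper) - Unknown owner - C:\WINDOWS\system32\shared\smss.exe",
    r"O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINDOWS\system\dllhost.exe (file missing)",
]

def parse_o23(line):
    # Fields of one O23 line as a dict, or None for any other HijackThis line.
    m = O23_RE.match(line.strip())
    return m.groupdict() if m else None

def assess(entry):
    """Reasons to review a service by hand; 'unknown owner' alone is not one."""
    path = entry["path"].strip().lower()
    directory, _, basename = path.rpartition("\\")
    reasons = []
    if basename in EXPECTED_DIR and directory != EXPECTED_DIR[basename]:
        reasons.append(f"{basename} outside {EXPECTED_DIR[basename]}")
    if entry["missing"]:
        reasons.append("binary missing")
    if reasons and entry["owner"].strip().lower() == "unknown owner":
        reasons.append("unknown owner")  # supporting detail only
    return reasons

def triage(log_lines):
    """Return (short name, path, reasons) for each O23 service worth checking."""
    findings = []
    for line in log_lines:
        entry = parse_o23(line)
        if entry and (reasons := assess(entry)):
            findings.append((entry["name"], entry["path"], tuple(reasons)))
    return findings

if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_LOG):
        print(f"{name}: {path} -> {', '.join(reasons)}")
```

The script only lists candidates; as the answer says, the folder and the other files in it still need to be looked at before anything is deleted.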

Author Comment

ID: 21821882
how would I change the trusted zone sites?
also, when booting into safe mode, can I use safe-mode with networking?
LVL 47

Expert Comment

ID: 21822301
>>>how would i change the trusted zone sites?<<<

Sometimes when we install an application, it adds that program's site in the trusted zone, sometimes a user adds sites in the Trusted zone purposely IF there's a problem in accessing that particular site.
Personally I don't add any sites in my Trusted Zone as these will give those sites more permission to do things than they would usually have.
To remove those sites from your Trusted Zone, you just need to run Hijackthis and checkmark those entries and click "Fix checked".

>>>when booting into safe mode, can I use safe-mode with networking?<<<

I'm not keen on safe mode with networking, safe mode is for troubleshooting, and it's not a good idea to connect online as your security programs won't be protecting you.

Accepted Solution

gekko3558 earned 0 total points
ID: 21822427
update and problem solved!

we searched the windows folder and sorted by date modified and found 30+ configs, inis, dlls and others created the exact day that he found the virus... after manually removing those we then went through the services and found around 7 out of place names that we disabled

lastly, and thanks to rpggamergirl, I managed to find that "shared" folder, and noticed the only 2 .exes inside were created at the moment he originally lost his internet!!

Thanks a ton for the help and suggestions!
LVL 47

Expert Comment

ID: 21890035
Glad to know it's been resolved.

Good job in finding and deleting those bad files.

