Solved

I can only surf the internet in Safe Mode with Networking

Posted on 2008-06-18
11
950 Views
Last Modified: 2011-10-19
Ok, this has me STUMPED... the details...

I have a severe problem that began yesterday morning... days before that, I was alerted that I had Backdoor.Graybird (a low risk trojan) on my computer...

the details:

-I have 100% connectivity, does not say limited, it claims to be fully connected. Yet, I open a browser or use the connection, and nothing... If I boot into safe mode with networking, I get all the internet I want!

-I am not connected through a router, just directly to a cable modem... also, I have tried nearby wireless connections on different ISPs (making sure only ONE connection is running at a time) and the exact same problem happens.

-I have run my Symantec anti-virus, ad-aware, spybot all normally, and in safe mode... here are the results...
      Symantec: says Backdoor.Graybird is found but cannot quarantine or delete (in safe mode or not)
      Ad-aware 2008 (updated fully) blue screens with 0x0000008E not long into the scan
      Spybot has similar results as Symantec

-after searching extensively I have done these tips and here are the results
     -check the TCP/IP check box under connection properties, it is checked
     -"ipconfig -release/-renew" works fine in the command prompt
     -"ipconfig /flushdns" works, and successfully flushes
     -the "ping" command does not work! either times out or cannot locate
     -I have clicked "repair" on my network icon, and it says unable to refresh the IP address
     -I have run the program "SmitfraudFix" which comes bundled with the winsock fix

about Backdoor.Graybird:

-I have followed the instructions on the Symantec site for removing this particular virus, as well as on the "http://www.uninstall-spyware.com/uninstallBackdoorGrayBird.html" site... and none of the .dlls or processes were running, nor did any of the registry entries exist...

UPDATE: I called the ISP again, and they said that they think the reason is because whenever they see me logged on my uploads are insanely high (forgot the numbers, but high enough for me to get no connection)... Now I do NOT use any peer2peer as this is a work computer, and the connection is strictly the modem to my computer, no router involved... and the same thing happens on other connections too.... think I'm under attack?
0
Question by:gekko3558
11 Comments
 
LVL 17

Expert Comment

by:Andres Perales
ID: 21816182
I would have your machine reimaged if it were a work computer and I was running that IT department....anyways are there any other machines in your home network that could possibly be infected as well?
0
 

Author Comment

by:gekko3558
ID: 21816270
Not to my knowledge, I'm part of the IT department and this is actually for an outside member's computer... We are trying to avoid him having to ship it all the way back to us and losing days of work... last resort is that I am going to remotely access it and try to kill processes and try to isolate the problem
0
 
LVL 7

Expert Comment

by:namol
ID: 21816755
What does a HijackThis log say when he runs it?
0
 
LVL 17

Assisted Solution

by:Wakeup
Wakeup earned 20 total points
ID: 21816907
HJT is a great option, post a log up... let's see what you got.  

Norton is not a real good AV anymore these days.  
Not to mention it's more of just a virus scanner and not Spyware as well.  It will catch some but not enough.

You can try also running Superantispyware.
You may also try running Combofix.exe too and post the log from that as well.  
Just be careful running combofix.exe, I suggest running this as a last resort.  That can cause issues that are not easily recovered.  But usually works well in most cases.
http://superantispyware.com/superantispywarefreevspro.html
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
0
 

Author Comment

by:gekko3558
ID: 21817396
before I run HJT, I have noticed a "myRAT.rmvb" and it will not let me delete it no matter what... :-/
0
 

Author Comment

by:gekko3558
ID: 21817613
here are 2 different HJT logs... one with the network connections disabled, and the other with the LAN connection enabled and "connected" to the internet... hope this helps
no-connection-hijackthis.log
with-connection-hijackthis.log
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 100 total points
ID: 21818489
These entries/files below are similar to a variant of SDBot, try running SDFix.exe.
Are all those URLs in the Trusted Zone added on purpose? I would fix them if not.

These smss.exe and services.exe are running from a non-default location; check them out and delete them.
C:\WINDOWS\system32\shared\smss.exe
C:\WINDOWS\system32\shared\services.exe
C:\WINDOWS\system32\shared <-- check what other files are in this folder.
 
O23 - Service: Active Directory Helper (ADHelper) - Unknown owner - C:\WINDOWS\system32\shared\smss.exe
O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINDOWS\system\dllhost.exe (file missing)


Download SDFix and save it to your desktop.(either one below)
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and attach the contents of the results file "Report.txt" back
0
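The check rpggamergirl describes (core Windows binaries such as smss.exe and services.exe running from somewhere other than System32, and services whose image file is missing) can be scripted instead of read out of a HijackThis log. The following is an added example written for this thread, not code from rpggamergirl or from SDFix/HijackThis. It assumes a Windows host with PowerShell 3.0 or later (Get-CimInstance), an elevated prompt so process paths are readable, and a constructed list of core binary names; the expected directories are derived from %SystemRoot%.

```powershell
# Added example (not from the thread): flag services and processes whose
# binary lives outside the directories the real Windows core binaries use.
# A name like smss.exe is legitimate only under %SystemRoot%\System32
# (or SysWOW64 on 64-bit); a copy in a subfolder such as System32\shared
# is exactly the pattern called out above.

$systemRoot   = $env:SystemRoot
$expectedDirs = @(
    (Join-Path $systemRoot 'System32'),
    (Join-Path $systemRoot 'SysWOW64')
)

# Constructed list of core binaries that should never run from elsewhere.
$coreNames = @('smss.exe', 'services.exe', 'csrss.exe', 'lsass.exe',
               'winlogon.exe', 'svchost.exe', 'dllhost.exe')

function Get-ImagePath {
    # Extract the executable from a Win32_Service PathName, which may be
    # quoted ("C:\path\x.exe" -arg) or unquoted (C:\path\x.exe -arg).
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) { return $PathName.Split('"')[1] }
    $m = [regex]::Match($PathName, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $PathName.Split(' ')[0]
}

function Test-InExpectedDir {
    # True only when the file's parent directory is System32 or SysWOW64
    # itself; a subfolder of System32 does not count.
    param([string]$ImagePath)
    $dir = Split-Path -Path $ImagePath -Parent
    foreach ($d in $expectedDirs) { if ($dir -ieq $d) { return $true } }
    return $false
}

# 1. Services: core names outside System32, and images that do not exist
#    (the "(file missing)" case in the O23 line above).
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $img = Get-ImagePath $_.PathName
    if (-not $img) { return }
    $leaf  = Split-Path -Path $img -Leaf
    $flags = @()
    if (($coreNames -contains $leaf) -and -not (Test-InExpectedDir $img)) {
        $flags += 'core-name-outside-system32'
    }
    if (-not (Test-Path -LiteralPath $img)) { $flags += 'file-missing' }
    if ($flags.Count -gt 0) {
        [pscustomobject]@{
            Service   = $_.Name
            Display   = $_.DisplayName
            StartMode = $_.StartMode
            State     = $_.State
            Image     = $img
            Flags     = ($flags -join ',')
        }
    }
} | Format-Table -AutoSize

# 2. Running processes carrying a core name from a non-default path.
#    Path is $null for processes the caller cannot open, hence the filter.
Get-Process | Where-Object { $_.Path } | ForEach-Object {
    $leaf = [System.IO.Path]::GetFileName($_.Path)
    if (($coreNames -contains $leaf) -and -not (Test-InExpectedDir $_.Path)) {
        [pscustomobject]@{ PID = $_.Id; Name = $_.ProcessName; Path = $_.Path }
    }
} | Format-Table -AutoSize
```

Two caveats a responder would keep in mind: a service with "Unknown owner" in HijackThis terms is simply one whose image has no recognised publisher, so the flags here are leads to inspect, not verdicts; and on a host with an active backdoor the output of any tool run on that host can be tampered with, which is why the first reply in the thread (reimage) remains the safest end state.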
 

Author Comment

by:gekko3558
ID: 21821882
How would I change the trusted zone sites?
Also, when booting into safe mode, can I use safe-mode with networking?
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 21822301
>>>how would i change the trusted zone sites?<<<

Sometimes when we install an application, it adds that program's site in the trusted zone, sometimes a user adds sites in the Trusted zone purposely IF there's a problem in accessing that particular site.
Personally I don't add any sites in my Trusted Zone as these will give those sites more permission to do things than they would usually have.
To remove those sites from your Trusted Zone, you just need to run Hijackthis and checkmark those entries and click "Fix checked":


>>>when booting into safe mode, can I use safe-mode with networking?<<<

I'm not keen on safe mode with networking, safe mode is for troubleshooting, and it's not a good idea to connect online as your security programs won't be protecting you.
0
 

Accepted Solution

by:
gekko3558 earned 0 total points
ID: 21822427
update and problem solved!

we searched the windows folder and sorted by date modified and found 30+ configs, inis, dlls and others created the exact day that he found the virus... after manually removing those we then went through the services and found around 7 out of place names that we disabled

lastly, and thanks to rpggamergirl, I managed to find that "shared" folder, and noticed the only 2 .exes inside were created at the moment he originally lost his internet!!

Thanks a ton for the help and suggestions!
0
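The triage that finally worked here, sorting the Windows folder by date and looking for a cluster of files created at the moment the symptom began, can be done in one pass rather than folder by folder in Explorer. The script below is an added example, not the poster's own procedure; it assumes PowerShell 3.0 or later for the `-File` switch of Get-ChildItem, a placeholder incident time that you replace with the real one, and a constructed list of extensions matching what the poster found (configs, inis, dlls, executables).

```powershell
# Added example (not from the thread): list every file under %SystemRoot%
# whose creation or last-write time falls in a window around the incident,
# then group the hits by directory so a dropper folder (like the
# system32\shared folder found above) shows up as a cluster.

function Find-RecentSystemFiles {
    param(
        [Parameter(Mandatory)][datetime]$IncidentTime,
        [int]$HoursBefore = 2,
        [int]$HoursAfter  = 24,
        [string]$Root = $env:SystemRoot,
        # Constructed extension list; widen it if the hits look incomplete.
        [string[]]$Extensions = @('.exe', '.dll', '.ini', '.cfg', '.sys', '.bat', '.vbs')
    )
    $start = $IncidentTime.AddHours(-$HoursBefore)
    $end   = $IncidentTime.AddHours($HoursAfter)

    Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            ($Extensions -contains $_.Extension) -and
            (($_.CreationTime  -ge $start -and $_.CreationTime  -le $end) -or
             ($_.LastWriteTime -ge $start -and $_.LastWriteTime -le $end))
        } |
        Sort-Object CreationTime |
        Select-Object @{ n = 'Created';  e = { $_.CreationTime } },
                      @{ n = 'Modified'; e = { $_.LastWriteTime } },
                      @{ n = 'Size';     e = { $_.Length } },
                      @{ n = 'Dir';      e = { $_.DirectoryName } },
                      Name
}

# Placeholder incident time: replace with the moment connectivity was lost.
$hits = Find-RecentSystemFiles -IncidentTime (Get-Date '2008-06-17 09:00')

# Full list, oldest first, so the first dropped file is at the top.
$hits | Format-Table -AutoSize

# Directories ranked by hit count: a folder with many files sharing one
# creation minute is the one to inspect first.
$hits | Group-Object Dir | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Creation and modification timestamps are trivially forged, so treat an empty window as inconclusive rather than clean; hashing the hits with Get-FileHash and comparing against a known-good copy of the same Windows build is the next step when the cluster is not as obvious as the one in this thread.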
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 21890035
Glad to know it's been resolved.

Good job in finding and deleting those bad files.

Thanks!
0
