TechSpot

PC rarely connects to network in normal, but always in Safe Mode

By Alderman
Jul 9, 2010
  1. Hey guys, I'm definitely having a problem with my computer. For a while now, I've had problems getting online. It so happens that only every 4-6 restarts will my computer actually connect to the internet; all the other times it says that it's "acquiring network address" or the network icon doesn't show up at all. When I try to go through Control Panel to take a look at the Network Connections things grind to a halt.

    After browsing through various forums I decided to try running it in Safe Mode to see if viruses/malware could be the problem. The internet works without a problem in safe mode, which leads me to believe that it is in fact a problem with malware or viruses. I have disabled all services and processes other than those required by Microsoft on startup and I still have the problem. I've tried running anti-virus, spyware, and malware programs such as AVG, Spybot Search & Destroy, Ad-Aware, and Malwarebytes--they've found several problems but no serious threats that I can remember and all have been removed and I still have the same problem. I downloaded HijackThis to see if it could help, but I can't identify the origin of any of the codes within and I'm afraid to tamper with them.

    In addition to the internet problem, the computer loads a lot slower than usual. There is also a problem with the theme--it has reverted back to Windows Classic rather than Windows XP and will not stay. I have to go through services to enable the Windows XP theme, but on the next start-up it's always back to the Windows Classic. And on random start-ups explorer.exe takes longer than usual to load, so the user profile takes additional time to load, and brings up nothing but the background and takes even longer to bring up the icons and the start menu.

    In case the information is needed:

    Windows XP Home Edition
    Service Pack 3
    AMD Athlon 64X2 Dual
    Core Processor 5200+
    2.70 GHz, 1.75 GB of RAM

    Any help with this problem would be greatly appreciated. Since the internet works periodically in normal mode I certainly believe it's a problem with spyware/malware/viruses but I have no idea where to turn to rid myself of the problem. Thanks for your time and help.
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, what you are describing sounds more like system problems rather than malware. And here is some diagnostic information about using Safe Mode to troubleshoot:

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    If a symptom does not reappear when you start in safe mode, you can eliminate the default settings and minimum device drivers as possible causes. If a newly added device or a changed driver is causing problems, you can use safe mode to remove the device or reverse the change.

    Using Safe Mode to determine a basic source of a problem. The choices:
    • Safe Mode: Loads the minimum set of device drivers (serial or PS/2 mouse devices, standard keyboards, hard disks, CD-ROM drives, and standard VGA devices) and system services required to start Windows XP/2000/2003 (Event Log, Plug and Play, remote procedure calls (RPCs), and Logical Disk Manager). User-specific startup programs do not run. This is helpful in determining whether problems are due to specific programs.
    • Safe Mode with Networking: Includes the services and drivers needed for network connectivity. Safe mode with networking enables logging on to the network, logon scripts, security, and Group Policy settings. Nonessential services and startup programs not related to networking do not run. Helpful if needed but should be used with caution as the security programs don't load in this mode.
    • Safe Mode with Command Prompt: Starts the computer in safe mode, but displays the command prompt rather than the Windows GUI interface.
    • Last Known Good Configuration, which starts your computer using the registry information that was saved at the last shutdown.

    So by using the different options of Safe Mode, you can sometimes determine what the area of problem is- and isn't.

    Give this a try- see if you can identify what is putting the system into Safe Mode. Let me know and we'll go from there.
    If necessary, I'll have you check the Event Viewer for corresponding errors.
     
  3. Alderman

    Alderman TS Rookie Topic Starter

    Ok, here are the symptoms that I know:

    In Safe Mode with Command Prompt: I was kind of clueless as to what I could do to check for usability, so I just ran an ipconfig /renew and came up with "Internal Error Occurred: The request is not supported." I don't know whether that is because the option doesn't support network connectivity or not.

    In Last Known Good Configuration: The user profile loaded slow, no icons or taskbar loaded on startup, and when I ran ipconfig renew it gave me "An error occurred while renewing interface Local Area Connection: The RPC server is unavailable."

    In Safe Mode: The user profile loaded normally and the only other thing I knew to do was to check the ipconfig /renew and it came up with the same error as it did in "Last Known Good Configuration."

    In Normal Mode: The same problems happened as those in "Last Known Good Configuration" only the network icon showed "Limited or No Connectivity" instead of "Acquiring Network Address."

    Just to be clear on one part of your response, "Give this a try- see if you can identify what is putting the system into Safe Mode." From this it sounds like you believe the system is going into Safe Mode automatically. I just wanted to make sure we understood each other on this part.

    As far as I know, only Microsoft Services were running during all this time since I disabled all the rest in msconfig. I don't really know how to get more in depth than I have.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I had hoped that by the process of elimination using the various Safe Mode choices, that you would be able to rule out some areas. It appears that isn't working.

    I think you are making the distinction that the system doesn't automatically boot into Safe Mode, but when you start in Normal Mode, you cannot connect to the internet. Is this correct?

    But if you boot into Safe Mode- (I assume with networking)-you can access the internet without problem. Is this correct?

    What this means:
    Since Safe Mode loads a minimum of drivers, it is reasonable to think that the problem may be a driver.

    On the other hand, Safe Mode with networking loads the processes and drivers that are needed to connect to the internet.

    Try this please:
    Boot into Safe Mode with Networking and download the programs below; do not run them yet:
    Follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    After the downloads have been saved to the desktop, boot into Normal Mode and run the scans.
    When you have finished, leave the logs for review in your next reply.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    I still don't know how much is malware vs system.
     
  5. Alderman

    Alderman TS Rookie Topic Starter

    It's sort of correct. When I start the system in Normal Mode it usually won't allow me to connect to the internet, but every so often--usually about 4 to 5 restarts--I will actually be able to connect to the internet while in Normal Mode. But it so happens that whenever I boot up the system in Safe Mode with Networking that it connects to the internet without any problems.

    And just to be clear on the next step--you want me to download all the software to be used in the 8-step process, boot into normal mode, run them all, and then post all the logs associated with them. Correct?
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    That is correct. When you use Safe Mode with Networking, your security programs don't run. So download all in Normal Mode, save to the desktop and you should even be able to go offline to run.
     
  7. Alderman

    Alderman TS Rookie Topic Starter

    Here are the logs:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4302

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    7/11/2010 1:57:45 PM
    mbam-log-2010-07-11 (13-57-45).txt

    Scan type: Quick scan
    Objects scanned: 142642
    Time elapsed: 6 minute(s), 0 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-07-11 16:10:18
    Windows 5.1.2600 Service Pack 3
    Running: gy5r3rrk.exe; Driver: C:\DOCUME~1\Sheila\LOCALS~1\Temp\pxtdapow.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA6908CD2]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA6908B8E]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xA6909142]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xA690906C]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA6908764]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA6908C68]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA69086A4]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA6908708]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA6908D88]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xA6909210]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA6908D48]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA6908EC8]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB757B000, 0x187662, 0xE8000020]
    .rsrc C:\WINDOWS\system32\DRIVERS\serial.sys entry point in ".rsrc" section [0xB79EA094]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\svchost.exe[476] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
    .text C:\WINDOWS\System32\svchost.exe[476] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
    .text C:\WINDOWS\System32\svchost.exe[476] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C
    .text C:\WINDOWS\System32\svchost.exe[476] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 009F000A
    .text C:\WINDOWS\Explorer.EXE[1848] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
    .text C:\WINDOWS\Explorer.EXE[1848] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
    .text C:\WINDOWS\Explorer.EXE[1848] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\system32\services.exe[808] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003B0002
    IAT C:\WINDOWS\system32\services.exe[808] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003B0000

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
    AttachedDevice \FileSystem\Ntfs \Ntfs InCDRec.sys (InCD File System Recognizer/Nero AG)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

    Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)

    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
    Device Fs_Rec.SYS (File System Recognizer Driver/Microsoft Corporation)
    Device InCDFs.sys (InCD File System Driver/Nero AG)
    Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
    Device -> \Driver\atapi \Device\Harddisk0\DR0 8A442EE4

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\DRIVERS\serial.sys suspicious modification
    File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----



    I hope this format works for you. I think that the instructions said to paste most of the logs into the reply. If this doesn't work for you, it's no trouble to attach them all.
     

    Attached Files:
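
The GMER log above is what the next reply reads as rootkit evidence. The following triage script is added here as an illustration (it is not part of the thread and not GMER's own output format documentation): it separates the SSDT hooks and Tcpip filters that installed security software accounts for from the entries nothing installed explains, namely the "suspicious modification" lines for serial.sys and atapi.sys and the serial.sys entry point sitting in its .rsrc section, and it notes when more than one antivirus vendor is filtering Tcpip, which matches the two-antivirus problem raised later in the thread. SAMPLE_LOG is a constructed excerpt with the same line shapes as the log posted above.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the GMER log posted above (same line shapes,
# fewer lines); the real log lists many more SSDT and AttachedDevice entries.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA6908CD2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA69086A4]
---- Kernel code sections - GMER 1.0.15 ----
.rsrc C:\WINDOWS\system32\DRIVERS\serial.sys entry point in ".rsrc" section [0xB79EA094]
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 8A442EE4
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\DRIVERS\serial.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
SSDT_RE = re.compile(r"^SSDT (\S+) \((.+)\) (\w+) \[0x[0-9A-Fa-f]+\]$")
RSRC_RE = re.compile(r'^\.rsrc (\S+) entry point in "\.rsrc" section')
TCPIP_RE = re.compile(r"^AttachedDevice \\Driver\\Tcpip (\S+) (\S+) \((.+)\)$")
SUSP_RE = re.compile(r"^File (\S+) suspicious modification$")


def split_sections(log):
    """Group non-empty lines under their '---- <name> - GMER ... ----' header."""
    sections, current = defaultdict(list), None
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif current and line:
            sections[current].append(line)
    return sections


def triage(log):
    s = split_sections(log)
    out = {"ssdt_by_vendor": defaultdict(int), "tcpip_filters": defaultdict(set),
           "suspicious_files": [], "rsrc_entry": [], "findings": []}
    # GMER writes "(product/vendor)"; the vendor is the text after the last "/".
    for line in s["System"]:
        m = SSDT_RE.match(line)
        if m:
            out["ssdt_by_vendor"][m.group(2).rsplit("/", 1)[-1]] += 1
    for line in s["Kernel code sections"]:
        m = RSRC_RE.match(line)
        if m:
            out["rsrc_entry"].append(m.group(1))
    for line in s["Devices"]:
        m = TCPIP_RE.match(line)
        if m:
            out["tcpip_filters"][m.group(3).rsplit("/", 1)[-1]].add(m.group(2))
    for line in s["Files"]:
        m = SUSP_RE.match(line)
        if m:
            out["suspicious_files"].append(m.group(1))
    # Hooks and filters that name a security vendor are expected; kernel drivers
    # reported as modified on disk, or with an entry point in .rsrc, are not.
    for path in out["suspicious_files"]:
        out["findings"].append(f"modified kernel driver on disk: {path}")
    for path in out["rsrc_entry"]:
        out["findings"].append(f"entry point in .rsrc section: {path}")
    # Two different AV vendors both filtering Tcpip is a conflict worth noting
    # (the Microsoft Family Safety filter is not an antivirus and is excluded).
    av = [v for v in out["tcpip_filters"] if v != "Microsoft Corporation"]
    if len(av) > 1:
        out["findings"].append("multiple vendors filtering Tcpip: " + ", ".join(sorted(av)))
    return out
```

Running `triage(open("gmer.log").read())` on a saved GMER log prints nothing by itself; inspect `["findings"]` for the items that need an explanation and `["ssdt_by_vendor"]` for the hooks that already have one.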

  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Looks like a Rootkit.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
       serial.*
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
    =============================
    Please download ComboFix from Here and save to your Desktop.

    [1]. Do NOT rename Combofix unless instructed.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double click combofix.exe & follow the prompts to run.
    NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If Combofix asks you to install Recovery Console, please allow it.
    [6]. If Combofix asks you to update the program, always allow.
    Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
    Re-enable your Antivirus software.
     
  9. Alderman

    Alderman TS Rookie Topic Starter

    Log from SystemLook:

    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 22:52 on 13/07/2010 by Sheila (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for " serial.*"
    No files found.

    -=End Of File=-

    I have to post the other log in a new post because I exceeded the limit of characters with it on here.
     
  10. Alderman

    Alderman TS Rookie Topic Starter

    Combo Fix

    My apologies, it's still too long. I have to send it in an attachment.
     

    Attached Files:

  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You are running multiple antivirus programs: Avast and AVG 8. This can cause more vulnerability to the system. It can also slow the system down. Please remove one of them: Here are tools to help: Download only the tool for the antivirus program you don't want to keep:
    AVG Removal: Note: You may have to reinstall AVG to uninstall it fully
    Avast Removal
    Please reboot the computer when finished.
    =====================================
    I'd like to ask about a timeline I see for System Restore: I note these 3:
    RP492: 7/5/2010 3:56:39 PM - June 5th
    RP493: 7/5/2010 4:02:47 PM - Restore Operation
    RP494: 7/5/2010 4:39:13 PM - Restore Operation


    You installed a program named Cherple on this same date. Did you set a restore point before the download and install of this program? (smart thing to do) Did the connection problem begin after installing this so that you tried 2 System restores to try and fix it?

    I wasn't familiar with the program so had to look it up. It's described as "Cherple: PC to Cell Two Way Chat". Surely this required you to set up, add, remove or otherwise change some settings on the computer. Is it possible that in setting this program up you changed a setting related to your internet connecting? You did have malware, so it is also a consideration, but I thought I'd ask about Cherple.
    =================================
    After the AV program has been handled, please run this:
    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\program files\nero\nero 7\incd\nbhregincdsrv.exe
    Folder::
    C:\found.000
    
    DDS::
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - No File
    BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No File
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
    
    Registry::
    
    Driver::
    NeroRegInCDSrv
    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
     
  12. Alderman

    Alderman TS Rookie Topic Starter

    I removed Avast but I couldn't get AVG to stop running while Combofix was.

    As for the system restores, my boyfriend did that and he said he kept getting a message saying that the restoration failed.
    It was acting up a while before June 5 and even before I downloaded Cherple.
     

    Attached Files:

  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    It was worth a check. Are you still having the same problem you had at the beginning? If so, which ones?

    Choose v2.0.4:
    Download the HijackThis Installer HERE and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    Follow with Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
     
  14. Alderman

    Alderman TS Rookie Topic Starter

    My computer is working much better now and it connects to the internet fast. Thank you so much for all of your help.
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome. It appears that you don't plan to run HJT or the online AV scan. Although they should be done, if you choose not to, you can remove the cleaning tools:

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup.
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    Let me know if I can be of anymore help.
     
Topic Status:
Not open for further replies.
