Can't Connect to Internet in Safe Mode.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by JD76, Jul 23, 2007.

  1. JD76

    JD76 Private E-2

    Trying to the online Bitdefender scan in safe mode...but my computer won't connect to the internet in safe mode. It connects to the network, but not the internet. I'm using Vista Ultimate and I started safe mode with network enabled.

    Other thing is, Panda won't let me do an online scan because it doesn't support my OS...which is Vista Ultimate.

    Any suggestions?
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat---> You will need to turn off UAC in vista and reboot*
      • newfiles.txt - the log from ShowNew.bat ---> You will need to turn off UAC in vista and reboot*
      • HijackThis ---right click and run as Administrator to get proper results!
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
    *
    turn off UAC, to do this goto Control Panel\User Accounts and Family Safety\User Accounts and then choose your account if multiples ( best to be admin account ) and then bottom option is Turn User Accont Control On or Off then you will need to reboot.

    then Shownew and getrunkeys work ok
     
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Additionally:
    Spybot S&D ~ Works Fine.

    Counterspy ~ Works fine.

    Panda Quick Remover ~ Does not work.

    Bitdefender Online Scan ~ No work, fails on updates

    Panda online Scan ~ No Work, Operating System not supported!!!

    Do what you can and attach the logs.
     
  4. JD76

    JD76 Private E-2

    Uh, didn't follow direction on the Bitdefender scan and accidentally saved as html. Bitdefender did find one: Trojan.Downloader.Zlob.AADO It wasn't able to disinfect, so it deleted it. It was found here:C:\Program Files\CCleaner\uninst.exe

    Pandascan didn't work for me because my OS was not supported.

    Counterspy found a trojan.downloader also and it's quarantined.

    Man, it took me all day to do this...anyway...let me get the HiJackThis Log...
     

    Attached Files:

  5. JD76

    JD76 Private E-2

    Here's the HiJackThis log...
     

    Attached Files:

  6. JD76

    JD76 Private E-2

    Should I have ran HiJackThis with my external hard drive connected?
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What do you use the external drive for? If just data storage ...yes when you ran the scans incase there is something in you data files.

    Do you know what these are:
    C:\PR20070624124810001.xml
    C:\PR20070624124811001.xml
    C:\PR20070624124815001.xml

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix, exit HJT.

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now attach new logs for:

    * GetRunKey
    * ShowNew
    * HJT
     
  8. JD76

    JD76 Private E-2

    I don't recognize:
    C:\PR20070624124810001.xml
    C:\PR20070624124811001.xml
    C:\PR20070624124815001.xml

    Deleted: R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    But when I did the SCAN ONLY I got 2 messages:

    For some reason your system denied write access to the Hosts file. If any hijacked domains are in this file, HijackThis may NOT be able to fix this.

    If that happens, you need to edit the file yourself. To do this, click Start, Run and type: notepad "C:\Windows\System32\drivers\etc\hosts"
    and press Enter. Find the line(s) HijackThis reports and delete them. Save the file as "hosts." (with quotes), and reboot.

    And:

    An unexpected error has occurred at procedure: modMain_CheckOther1Item()
    Error #75 - Path/File access error

    Please email me at merijn@spywareinfo.com, reporting the following:
    * What you were trying to fix when the error occurred, if applicable
    * How you can reproduce the error
    * A complete HijackThis scan log, if possible

    Windows version: Windows NT 6.00.1904
    MSIE version: 7.0.6000.16473
    HijackThis version: 1.99.1

    This message has been copied to your clipboard.
    Click OK to continue the rest of the scan.

    Not sure if it was supposed to do that or not. Not sure If I'm supposed to do what it's asking.
    And just wondering if that Reg Edit was to enable the viewing of hidden files, etc. They were enable before doing the scans and then I just turned them back off.

    The HijackThis log this time is with my external hard drive plugged in...and the drive was plugged in when I did the SCANs.

    Wanna thank you in advance for taking the time to help me out with this!
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You can delete those files.

    Remember:
    Hijackthis ~ will run but it does not have access to the Hosts file if run normally, UAC will block its scan, to scan, you need to right click the Hijackthis/Analyze exe and Choose "Run as Administrator" (and have turned off UAC then rebooted).
     
  10. JD76

    JD76 Private E-2

    ooops...forgot to press the upload button...
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's see if this will work ...remember to right click and run as administrator ...and turn off all your security programs.
    Download HOSTER and then follow the below steps.

    * Unzip Hoster to a convenient folder such as C:\Hoster
    * Run Hoster.exe, click Restore Original Hosts and then click OK.
    * Click the X to exit the program
     
  12. JD76

    JD76 Private E-2

    Did the HOST thing. Here's a new HijackThis log...
    I still couldn't connect to the internet in Safe mode with network support...confused
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please uninstall HJT ...and download and run this HJT.

    Then try to fix the:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    line.

    Post a new HJT log ....remember to run as administrator , rename to analyse and with all security off until you are done.
     
  14. JD76

    JD76 Private E-2

    Uninstalled the OLD HJT and installed the NEW HJT. Removed

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    again. It's weird...I had removed that line before on your original request...it just came back...
     

    Attached Files:

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Gone now......are you still having problems?
     
  16. JD76

    JD76 Private E-2

    Thanks...The computer is much snappier...especially when loading webpages.

    Only thing is that it still won't connect to the internet in Safe Mode...Not that it's a big deal...but maybe it's my Vista. Anyway, as long as my system is clean...I shouldn't need to go into safe mode anyway. I'm not going to worry about that unless you think it's something that I need to be looking into. The connection just says that it's connected to the network with limited or no connectivity...I don't remember if I was ever able to connect since I first got my computer...

    Thanks again for the help TimW.
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sounds like a vista problem ...which we all have limited exp. with. But it also sounds like the drivers are not loading for your ethernet card ....check under computer properties ...device manager when in safe mode.
     
  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    One last thing...run HJT and have it fix these three lines.
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O13 - Gopher Prefix:
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

    Your system should be running normally ...let me know.
     
  19. JD76

    JD76 Private E-2

    the R0 line and 013 lines are gone...but,

    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

    is not being deleted...it keeps coming back. I ran HJT as admin...even rebooted...and there it comes back. I don't even have symantec anymore. Uninstalled that when I got my computer.

    Oh, I was thinking that maybe Vista doesn't let the computer connect to Unsecure networks in safe mode?
     

    Attached Files:

  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sorry ....my mistake ...

    * Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    * On the page that opens, scroll down to Symantec Lic NetConnect
    * then right click the entry, select Properties and press Stop Service.
    * When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    * Click OK until you get back to Windows.

    * Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    * At the lower right, click on the Config button
    * Then click the Misc tools button
    * Select Delete an NT Service
    * Copy/paste CLTNetCnService into the box that opens, and press OK
    * If you receive any error messages just ignore them and continue.
    * Now exit HJT.

    We are just removing some left overs from NOrton.
    You may wish to post the problem of connections in safe mode in the software section.
     
  21. JD76

    JD76 Private E-2

    Thanks TimW...I'll do that when I get back. Thanks for all your help and time!:)
     
  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No problem ....:)
     

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds