
Internet Access When In Safe Mode Only



#1 TheVillagesFrank

  • Members
  • 2 posts

Posted 21 May 2008 - 04:06 PM

Recovering from a worm.win32.netbooster infection.

After deleting numerous registry keys and unregistering dll files per removal instructions, everything seems to be normal.

The only problem remaining is I can't access the net unless I am logged in as administrator or the other user account (which has admin rights), after booting in the safe mode (F8).
IE and Firefox both work.

If I login after a regular restart, there is no internet access using IE or Firefox.

Seems simple to fix but I don't see anything wrong.

Please help!!



#2 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 21 May 2008 - 04:18 PM

Hi,
You should not delete any Registry Keys, because any mistake can cause your computer to act abnormally. Can you tell me what were the registry keys you removed and why?

Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 TheVillagesFrank

  • Topic Starter
  • Members
  • 2 posts

Posted 21 May 2008 - 04:39 PM

The computer was infected with worm.win32.netbooster. There were constant popups and dire warnings.
IE was hijacked. Couldn't make any changes to the home page or anything else.
There was no internet access.
Automatic updates for the Comcast cable provided McAfee suite were disabled.

The warnings and popups on the screen are all fake; they are designed to get people to panic and buy special removal software at a steep price.
There are numerous removal procedures on the net which consist of unregistering certain DLLs and deleting certain registry keys.

Spyhunter (part of the response when searching for the worm string) finds a lot of registry keys that they claim have to be removed.
This only works if you purchase their full version!

Spybot Search and Destroy found a lot of files (mostly DLL) which it removed. It could not delete some of the keys it found.

I removed the following keys as identified in Spybot as the worm:
hklm\software\classes\mvsps.msvpsapp
hklm\software\classes\clsid\e71878d1-e549-489a-92ba-c16f9048c249
hklm\software\microsoft\windows\currentversion\explorer\\browserhelpobjects\e71878d1-e549-489a-92ba-c16f9048c249

After doing all the above, all the worm symptoms are gone and everything seems to be OK (except IE access).

Maybe Spybot deleted something it shouldn't have.

#4 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 21 May 2008 - 04:59 PM

This seems to be a malware problem. A moderator might move your log somewhere else; please don't post this thread somewhere else. Since this is a malware-related problem, I am not allowed to help you. Don't worry though, many other people will help you resolve this issue.

With Regards,
Extremeboy

#5 Budapest

  • Bleepin' Cynic
  • Moderator
  • 23,579 posts

Posted 21 May 2008 - 06:07 PM

Log on as an administrator, go Start > Run and type: "cmd". In the window that appears type: "netsh winsock reset". When the program is finished, you will receive the message: "Successfully reset the Winsock Catalog. You must restart the machine in order to complete the reset." Close the command box and reboot your computer.

Go Start > Run > type: "cmd". In the window that appears type: "ipconfig /flushdns". Close the command box.

Go Start > Control Panel > Network Connections. Right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and choose Properties. Double-click on the Internet Protocol (TCP/IP) item. Select the radio button that says "Obtain DNS servers automatically". Reboot. Warning: Some Internet Service Providers need specific DNS settings. You need to make sure that you know if such DNS settings are required before you make this change.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
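
The three steps in the post above, combined into one batch file as an added example (not part of the original post). It first saves the current IP, DNS and Winsock catalog settings, so that any static DNS servers an ISP requires can be re-entered afterwards. The connection name `CONN` and the folder `BACKUP` are assumptions; adjust both.

```batch
@echo off
rem Added example, not from the original thread.
rem Run from a command prompt while logged on as an administrator.
setlocal
rem Assumption: name of the default connection as shown in Network Connections.
set "CONN=Local Area Connection"
rem Assumption: folder in which the pre-change settings are saved.
set "BACKUP=%USERPROFILE%\net-before-reset"

if not exist "%BACKUP%" mkdir "%BACKUP%"

rem Record what is about to change: adapter settings, DNS servers
rem (static or DHCP) and the Winsock catalog as it stands before the reset.
ipconfig /all > "%BACKUP%\ipconfig-all.txt"
netsh interface ip show dns > "%BACKUP%\dns.txt"
netsh winsock show catalog > "%BACKUP%\winsock-catalog.txt"

rem Step 1: reset the Winsock catalog (takes effect after a reboot).
netsh winsock reset
if errorlevel 1 (
    echo Winsock reset reported an error. Check that this is an administrator account.
    exit /b 1
)

rem Step 2: clear the DNS resolver cache.
ipconfig /flushdns

rem Step 3: same effect as selecting "Obtain DNS servers automatically".
netsh interface ip set dns name="%CONN%" source=dhcp
if errorlevel 1 (
    echo Could not change DNS on "%CONN%". Check the connection name.
    exit /b 1
)

echo Previous settings saved in "%BACKUP%".
echo Reboot to complete the Winsock reset.
endlocal
```

If the ISP turns out to need specific DNS servers, the addresses that were in use before the change are in `dns.txt` and `ipconfig-all.txt`.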



