
Can't access internet, except in safe mode


reflecx

Technical User
Oct 31, 2003
10
SE
I posted earlier;


regarding a virus that trendmicro identified as BKDR Beast.a. Since then I'm unable to log on to internet unless I'm in safe mode. On-line virus scans (in safe mode) from Panda got stuck half way through, and Microtrend's found nothing. I've disabled system restore and downloaded free AVs - as I shamefully have none. Protector Plus 2000 found nothing, both in safe and normal mode, and Grisoft AVG6.0, which only worked in normal mode, also found nada.
Similarly, the file that Carrr suggested as a possible culprit, msafje.com, was not found.

I'm grateful for any assistance,
Jamie
 
Howdy:

The file you searched for before may NOT be the one this trojan loaded.. As per Sophos..

The Trojan may copy itself to the Windows system, Windows command folder (under Windows 9x) or Windows msagent folder (under systems based on Windows NT) with a filename of the form MS????.COM where question marks denote random characters.

Ergo, you are looking for anything that starts with ms.. has 4 random letters and ends with the extension .com

Murray



 
I've found only these two files that match the specs:
MSPSNY.COM-2CD89F3D.pf and MSSYBL.COM-042ABB49.pf, both in C:\WINDOWS\Prefetch. What should I do now? I'm currently in safe mode.

Jamie
 
Delete them.. XP doesn't need the Prefetch folder to run and one of the first tweaks for XP is disabling it !!

Murray
 
Wotcha Murray,

Got rid of the bogeys and deactivated prefetch. I've still got a malady; can't connect to internet, except in safe mode. Any help is appreciated.

Cheers
Jamie
 
Two places to look for definitive proof of the filename:
Open the registry (Start-Run-Regedit):
HKEY_CLASSES_ROOT\exefile\shell\open\command
The default value should be "%1" %*, if not, the file before it will show the path/filename of the infecting file.

Otherwise, if you can, post everything in the name column from
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

If you do not know about the registry or editing the registry, my advice is to have someone who does do the work for you.

Also, once a backdoor has infected your system, every piece of personal information you have on that computer is considered compromised. Installing a firewall is nice, but too late to protect you from the possibility of identity theft. The only way to be 100% certain that the "hacker" cannot reaccess your system is to format the hard drive, reinstall Windows, and install a firewall before going back online.
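The three checks this thread works through (the MS????.COM filename pattern from the Sophos description Murray quoted, the exefile handler default value and the Run key listing from the reply above) can be scripted so they are repeatable. The PowerShell below is an added example written for this page, not code from either poster or from Tek-Tips; it assumes a Windows host with PowerShell 3 or later (the original thread is about XP, which did not ship with PowerShell) and an elevated prompt. The expected handler value and the folder list are taken from the thread. Prefetch is included because files there such as MSPSNY.COM-2CD89F3D.pf are Windows' own execution-trace records: they show that a program by that name was run, but they are not the program itself, so a hit there tells you what name to look for in the other folders and in the autostart entries.

```powershell
# Added example: defender-side triage of the indicators discussed in this thread.
# Not code from the thread's posters. Assumes PowerShell 3+ on Windows, run elevated.

$ErrorActionPreference = 'SilentlyContinue'

# 1. EXE handler check: the default value must be exactly  "%1" %*
#    Anything else (typically a path in front of "%1" %*) names a file that is
#    launched every time any .exe is started.
$expected   = '"%1" %*'
$handlerKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$handler    = (Get-ItemProperty -Path $handlerKey).'(default)'
if ($handler -eq $expected) {
    Write-Output "exefile handler OK: $handler"
} else {
    Write-Warning "exefile handler modified: $handler"
}

# 2. Autostart entries: list every value under the per-machine and per-user Run
#    keys so each path can be matched against software you know is installed.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    Write-Output "`n[$key]"
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $label = if ($name -eq '') { '(default)' } else { $name }
        Write-Output ("  {0,-28} {1}" -f $label, $regKey.GetValue($name))
    }
}

# 3. Filename pattern from the quoted Sophos description: MS????.COM in the folders
#    it names, plus Prefetch, where MS????.COM-<hash>.pf records show the file ran.
#    -Force includes hidden/system files, an attribute malware commonly sets.
$dirs = @(
    "$env:windir\system32",
    "$env:windir\command",   # Windows 9x location named in the description
    "$env:windir\msagent",   # NT-based location named in the description
    "$env:windir\Prefetch"
)
Write-Output "`nFiles matching MS????.COM*:"
foreach ($dir in $dirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Force |
        Where-Object { -not $_.PSIsContainer -and $_.Name -like 'MS????.COM*' } |
        ForEach-Object {
            Write-Output ("  {0,-50} {1,8} bytes  {2}" -f $_.FullName, $_.Length, $_.LastWriteTime)
        }
}
```

On an XP machine without PowerShell the same two registry reads can be done from a command prompt with the built-in reg tool: `reg query HKCR\exefile\shell\open\command /ve` shows the handler's default value, and `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` lists the autostart entries. Treat any Run entry whose path you cannot tie to installed software, and any handler value other than "%1" %*, as something to investigate before deleting, since the file it points to is what should be preserved for a scan or hash lookup.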
 
Hello NihilisticDream and Noellees1,

Thanks for taking the trouble.
This is in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

(Standard) (no value)
AVG_CC C:\Program\Grisoft\AVG6\avgcc32.exe\STARTUP
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCp.dll, Nv Startup
PP2000 InstaUpdate C:\Program\PROTEC~1\PPInupdt.exe
PP2000 Taskbar Control C:\Program\PROTEC~1\PPTbc.EXE
QuickTime Task "C:\Program\QuickTime\qttask.exe"-atboottime
TkBellExe C:\Program\Vanliga filer\Real\Update_OB\realsched.exe-osboot

The other place was as it should be. The suggestion to use a fix applies, I imagine, after I've located and eradicated the intruder.

Don't give up on me, baby(ies)!

Cheers Jamie
 