Internet access crippled

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by TOCoons, Dec 30, 2014.

  1. TOCoons

    TOCoons Private E-2

    I have a brand new Dell Inspiron 3847 running Windows 8.1 and Internet Explorer 11, I believe, and McAfee antivirus. I had successfully downloaded a couple of games from the Microsoft Store, and the Microsoft SDK, since I wanted to do some programming.

    My problems began when I attempted to download the Turbo C++ 3 compiler. Instead of the download of a compiler which I could then extract, the self-extracting Zip file changed my browser home page to Yahoo.com and installed four items purporting to be a 7-Zip file manager, Norton Antivirus, a Browser bar, and something else. I also seemed to notice that a version of uninstall was included. After this, I lost most of my access to the internet: every attempt to load a web page from the Start page yielded a "The proxy server isn't responding". I did manage to change the home page back to the Dell home page by restoring IE defaults, but the misbehavior persisted.
    I attempted to change it manually using the Control panel -> Network and internet -> Internet options -> LAN settings, and uncheck the box to disable the proxy server. The problem persisted and the box was checked again every time I came back to the page.
    By running IE from the desktop instead of the Start menu, I could get to the Dell home page and the Bing search engine, but I could no longer follow links and got the proxy server message instead. I did learn enough to suspect that the problem was fixable. I had uninstalled the Norton Antivirus, but when I was about to go after something else, I noticed that the Microsoft uninstall utility had apparently been replaced by one from an unknown source. If this is malware, I dare not run it again.

    I had transferred a copy of MalwareBytes from an older computer, and I successfully installed and ran it. It successfully updated the database and quarantined some 44 items, none of them specifically viruses, but various nuisances, and I did save a copy of the log. I was then referred to the MajorGeeks web site.

    I have followed the instructions on the instruction thread, downloaded the four other programs, transferred them to the desktop, and run them. I could not get either version of HitmanPro to run, even though I did get two 64-bit versions on a 64-bit machine. The problem persists and I am using alternate access. I am enclosing the Roguekiller, MalwareBytes, TDSSkiller, and MGTools logs.

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670} -> Found
    • [Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3462137538-3840859020-1489188342-1001\Software\Microsoft\Windows\CurrentVersion\Run | WebBar : C:\Users\Thad\AppData\Local\WebBar\2.0.5343.21616\wb.exe -> Found
    • [Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-3462137538-3840859020-1489188342-1001\Software\Microsoft\Windows\CurrentVersion\Run | WebBar : C:\Users\Thad\AppData\Local\WebBar\2.0.5343.21616\wb.exe -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-3462137538-3840859020-1489188342-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-3462137538-3840859020-1489188342-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-3462137538-3840859020-1489188342-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:49227;https=127.0.0.1:49227 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-3462137538-3840859020-1489188342-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:49227;https=127.0.0.1:49227 -> Found
    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.

    ...and the same for these entries on the tasks tab please...

    • [Suspicious.Path] \\Check Updates -- C:\Users\Thad\AppData\Local\GeniusBox\tasks.exe -> Found
    • [Suspicious.Path] \\GeniusBox -- cmd.exe (/C start "" "C:\Users\Thad\AppData\Local\GeniusBox\client.exe") -> Found
    • [Suspicious.Path] \\Validate Installation -- C:\Users\Thad\AppData\Local\GeniusBox\uninstall.exe (/ValidateInstall=true) -> Found

    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.


    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.




    Please download AdwCleaner by Xplode and save to your Desktop.

    • Double click on AdwCleaner.exe to run the tool.
    • Vista/Windows 7/8 users right-click and select Run As Administrator
    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
    • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
    • Attach the logfile to your next reply.
    • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.


    Re run RogueKiller (just a scan) and attach log.

    Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running!
     
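    Added example (not from this thread or from any of the tools named in it): a read-only PowerShell audit that checks the same three places the RogueKiller detections above point at, the per-user WinINET proxy, the Run keys and the scheduled tasks, and flags a proxy on loopback or an autostart that runs from AppData\Local. It assumes Windows PowerShell on Windows 8 or later, where Get-ScheduledTask is available.

```powershell
# Added example, not part of the thread: audit the proxy and autostart locations
# that the RogueKiller log flagged. Read-only; nothing is changed or deleted.
$findings = @()

# 1. Per-user WinINET proxy, which is what IE 11 and the "LAN settings" dialog use.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($p -and $p.ProxyEnable -eq 1) {
    $server = [string]$p.ProxyServer
    # A proxy on 127.0.0.1 puts a local process in the path of every page load;
    # once that process is removed, every page fails with "The proxy server
    # isn't responding", which is the symptom described at the top of the thread.
    if ($server -match '(^|=)(127\.0\.0\.1|localhost):\d+') {
        $findings += "ProxyEnable=1 pointing at loopback: $server"
    } elseif ($server) {
        $findings += "ProxyEnable=1 with ProxyServer=$server (confirm this is expected)"
    }
}

# 2. Run keys whose target lives under the user's AppData\Local (like WebBar\wb.exe).
foreach ($hive in 'HKCU:', 'HKLM:') {
    $run = Get-ItemProperty -Path "$hive\Software\Microsoft\Windows\CurrentVersion\Run" `
        -ErrorAction SilentlyContinue
    if (-not $run) { continue }
    $names = ($run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name
    foreach ($name in $names) {
        $cmd = [string]$run.$name
        if ($cmd -match '\\AppData\\Local\\') { $findings += "Run entry '$name' -> $cmd" }
    }
}

# 3. Scheduled tasks whose action runs something from AppData\Local
#    (like GeniusBox\tasks.exe, or cmd.exe launching GeniusBox\client.exe).
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($a in $_.Actions) {
        $line = "$($a.Execute) $($a.Arguments)"
        if ($line -match '\\AppData\\Local\\') {
            $findings += "Task '$($_.TaskName)' -> $line"
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No loopback proxy or AppData\Local autostart found.' }
```

    A clean result here after the cleanup, plus the ProxyEnable value staying at 0 across reboots, is the check that the box in LAN settings is no longer being re-ticked by a surviving task or Run entry.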
  3. TOCoons

    TOCoons Private E-2

    I checked the first seven items as instructed. The last two had a different number for the Proxy server address. The three items on the task bar were already marked deleted. I did not find the RKReport log.
    The JRT completed in spite of encountering an exception in the first module, checking registry backup, and I am including the log.
    The ADWCleaner also completed, and I am including the log. I do not want the only entry I saw.
    I reran RogueCleaner. Again, it did not generate a log file. I explicitly checked the "report" button, saw a report, and attempted to save it but afterwards could not find it.
    The MGTools ran successfully and I have included the log file.

    My internet access is partly restored, but IE still won't run from the Start menu. First, it reported a Proxy server problem with a different number; now, it claims that File Explorer is running with administrator privileges.

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re try with RogueKiller please. Then attach log.
     
  5. TOCoons

    TOCoons Private E-2

    I did mean RogueKiller; that was a typo. Anyway, I ran it again, requested a report, and found where it was hiding them. Here are the last few.

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    So I think the proxy entries are not showing in RogueKiller any more. Re run ONE more time and attach that latest log please.
     
  7. TOCoons

    TOCoons Private E-2

    IE appears to be behaving normally now. Thank you.

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    GeniusBox 2.0 <<< Uninstall this.

    Do you know what this is?
    C:\ProgramData\hvomxDKSs
     
  9. TOCoons

    TOCoons Private E-2
    Done.

    I have no idea. *I* didn't install it, not intentionally.
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Delete it, and then let me know if you're ready for the final steps. :)
     
  11. TOCoons

    TOCoons Private E-2

    Done, and I'm ready.
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Excellent. :)


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win 7, or Win 8, right click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

    7. After doing the above, you should work thru the below link:
     
  13. TOCoons

    TOCoons Private E-2

    Maybe not quite. Now the home page gets reset to about:blank.
    I've learned that's another malware problem, but what's the recommended fix?
     
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  15. TOCoons

    TOCoons Private E-2

    I did a reset of IE, and a restart of the computer, and it didn't make a difference. The home page still came up about:blank.
     
  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Ask about it in the software forum. ;) Best of luck!
     
  17. TOCoons

    TOCoons Private E-2

    All clear now. Thanks for all your help.
     
  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're welcome. :)
     