Infected And No Internet

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by TabbyG, Mar 21, 2018.

  1. TabbyG

    TabbyG Private E-2

    A friend's pc has no internet access. He called a number on a popup which is listed as a tech support scam by Microsoft.
    The scammers installed GoToAssist and Advanced Password Manager, got control of his pc, appeared to collect passwords from Chrome, told him his ip was hacked with unidentified connections and said the pc would be unusable without their help before I took the phone and hung up. My friend changed all the possibly stolen passwords, I deleted them from Chrome, turned off its password storage, and plan to install LastPass after pc is malware free.

    I uninstalled the scammer's programs with Control Panel but cannot turn on Windows Firewall or access the internet. I manually installed MalwareBytes and its database update, but couldn't run MB until turning on Windows Management Instrumentation service. I went through the malware removal guide (incl spyware,virus,trojan,hijacker) using AdwCleaner, MB, RogueKiller, HitmanPro, and MGTools, and have attached the logs below. Thanks in advance!
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Remove everything found in ADWCleaner as well as Hitman.

    Reboot and rescan with both and attach the new logs.
     
  3. TabbyG

    TabbyG Private E-2

    Hi Tim,

    Thank you for your help!
    I removed everything found in ADWCleaner, rebooted, ran HitmanPro and attached its log. The Hitman options include Replace, Ignore, Tool > VirusTotal, etc, but not Remove. Do I need to activate the free trial and then remove all?
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Crap...I apologize....I meant RogueKiller. Ignore the Hitman results. After cleaning with RogueKiller, reboot and run both ADWCleaner and RogueKiller and attach both logs.
     
  5. TabbyG

    TabbyG Private E-2

    Okay... I cleaned with RogueKiller, re-ran ADWcleaner and cleaned a second time with RogueKiller, but RK still can't delete some PUPs from Best Buy pc app.
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Ok..let's have one more scan:
    Please download Zemana Malware Removal to your desktop and run it please.

    It auto updates, and you click scan. After it's finished, click on the icon that looks like cell phone strength bars. Highlight the report (by date log was produced) and click on the "Open Report" icon (looks like a folder). That notepad.txt can then be copied/pasted into another .txt doc and saved. Upload that, please.
     
  7. TabbyG

    TabbyG Private E-2

    Thank you... I disconnected the infected pc from the modem since I can't turn on Windows Defender Firewall, and Zemana won't run without internet access (it does run on my own pc without a problem).
    I read on the MalwareBytes forum that Junkware Removal Tool removed the Best Buy pc app folder. It's still available on bleeping computer. Is that worth a try? Anyway I'm not sure it's a problem... the pc is from Best Buy and it came installed with it in 2011. Lots of Best Buy customers complained about it tho I can't post a working link for some reason.
     
  8. TabbyG

    TabbyG Private E-2

    The pc lost internet access after the infection while still connected to the modem. I haven't tried re-connecting without a firewall.
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, you can try doing that. It is no longer supported, but give it a try.

    Your logs are showing that: Dynamic Host Control Protocol (DHCP) is NOT running

    To try to rectify this, do the following:
    1. Go to Start ==> Run (or Windows key+R)
      • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
        (note that there is space after notepad)
      • The above file will open in the notepad.
      • Under TCP/IP Primary Install section find the following: Characteristics = 0xA0
      • Edit 0xA0 and replace it with 0x80 (replace A with 8)
      • Under File menu click Save and close the notepad.
    2. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
      • On the General tab, click Install a popup window opens.
      • Select Protocol from the list and then click Add.
      • A new window opens, click Have Disk....
      • In the browse... box type c:\windows\inf
      • Click OK.
      • Select Internet Protocol (TCP/IP), and then click OK.
      • On the Local Area Connection Properties screen select Internet Protocol (TCP/IP) and click Uninstall, and then click Yes.
      • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
    3. Go to Start ==> Run (or Windows key+R)
      • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
        (note that there is space after notepad)
      • A file opens in the notepad. Under TCP/IP Primary Install section find the following: Characteristics = 0x80
      • Edit 0x80 and replace it with 0xA0 (replace 8 with A)
      • Under File menu click Save and close the notepad.
    4. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
      • On the General tab, click Install
      • A popup window opens. Select Protocol.
      • A new popup window opens. Select Internet Protocol (TCP/IP), and then click OK.
      • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
    5. Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    6. Then attach the below logs:
      • C:\MGlogs.zip
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Go ahead and try reconnecting.
     
  11. TabbyG

    TabbyG Private E-2

    Thank you.
    1) I made the change to nettcpip.inf. I edited it on my desktop and copied to the INF directory after deleting the original, since I had a popup "You do not have permission to open this file" when editing in place.
    2) The pc is running Windows 10. I went to Settings > Network & Internet > Change adapter options, and the Network Connections folder is empty (no Local Area Connection).

    Under Network & Internet > View network properties, it shows

    Name: Ethernet
    Description: Realtek PCIe GBE Family Controller
    Physical address (MAC), IPv4 address, IPv6 address: [I removed]
    Status: Not operational
    Maximum transmission unit: 1500
    DNS servers: fec0:0:0:ffff::1%1, fec0:0:0:ffff::2%1, fec0:0:0:ffff::3%1
    Connectivity (IPv4/IPv6): Disconnected
     
  12. TabbyG

    TabbyG Private E-2

    Just saw your post ... tried re-connecting with original and changed nettcpip.inf - could not.
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Ok..so that is for your ethernet. No Wifi is showing? Try connecting thru ethernet cable. Is there an icon in your tray for internet?
     
  14. TabbyG

    TabbyG Private E-2

    It's a desktop machine without wireless.

    There was no tray icon for internet and the taskbar setting option for it was greyed out. I followed steps here to repair the registry file and turned on the 4 required network services listed here which were disabled. (NOTE: To make sure that this icon works properly you should also have the Network Connections, Network List Service, Network Location Awareness, and Network Store Interface Service services set to Started and Automatic.) Some were blocked from starting (Error 1068) so I had to look at their dependencies and turn them on first, including DHCP Client. I also turned on some other disabled services like Windows Defender Firewall and Windows Update, and got audio back on thru its troubleshooter.

    I now have internet and Windows firewall is on. Here are results of running MGTools (with antivirus off).

    I don't know what other Windows services were affected. I guess I can look at my own machine's services, or look online for default settings?

    Thanks very much!
     

    Attached Files:
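One way to audit the services this thread found disabled in a single pass, as an added example that is not part of the thread or of any MajorGeeks tool: a PowerShell script that lists status and start type for each of the services named above and reports any stopped dependency, which is what produces the Error 1068 mentioned in the previous post. The short service names are assumed to be the standard Windows 10 ones.

```powershell
# Added example, not from the thread. Short service names are assumed to be
# the standard Windows 10 ones for the display names the thread mentions.
$expected = @{
    'Dhcp'     = 'DHCP Client'
    'Netman'   = 'Network Connections'
    'netprofm' = 'Network List Service'
    'NlaSvc'   = 'Network Location Awareness'
    'nsi'      = 'Network Store Interface Service'
    'mpssvc'   = 'Windows Defender Firewall'
    'wuauserv' = 'Windows Update'
    'wscsvc'   = 'Security Center'
    'Winmgmt'  = 'Windows Management Instrumentation'
}

$findings = foreach ($name in $expected.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        [pscustomobject]@{ Service = $name; Display = $expected[$name]
                           Status = 'MISSING'; StartType = 'n/a'; StoppedDeps = '' }
        continue
    }
    # Dependencies that are not running block this service from starting (Error 1068).
    $stoppedDeps = ($svc.ServicesDependedOn |
        Where-Object { $_.Status -ne 'Running' } |
        Select-Object -ExpandProperty Name) -join ','
    [pscustomobject]@{
        Service     = $svc.Name
        Display     = $expected[$name]
        Status      = $svc.Status
        StartType   = $svc.StartType
        StoppedDeps = $stoppedDeps
    }
}

$findings | Format-Table -AutoSize

# Flag anything Disabled, not Running, or blocked by a stopped dependency.
# Some services (e.g. Windows Update) are Manual/trigger-started by default,
# so compare against a known-good machine before changing a start type.
$suspect = $findings | Where-Object {
    $_.StartType -eq 'Disabled' -or $_.Status -ne 'Running' -or $_.StoppedDeps
}
if ($suspect) {
    "`nServices to review:"
    $suspect | ForEach-Object {
        "  {0} ({1}): {2}, start type {3}, stopped deps: {4}" -f `
            $_.Service, $_.Display, $_.Status, $_.StartType, $_.StoppedDeps
    }
}
```

Run it from an elevated PowerShell prompt so every service's start type is readable; the output is a review list, it changes nothing on the machine.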

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That is great news!! Now just to be sure there are no other pieces of malware, run Zemana and attach the log.
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It looks like everything is running fine as to networking. I might suggest a WiFi dongle to connect without an ethernet cable.
     
  17. TabbyG

    TabbyG Private E-2

    Ok, here's the Zemana log. I didn't repair/quarantine with it, but I did start the disabled Windows Security Center service it reported.
     

    Attached Files:

  18. TabbyG

    TabbyG Private E-2

    Thanks for the WiFi dongle suggestion :) - maybe for the future.
     
    Last edited: Mar 23, 2018
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good. Are you having any other malware issues?
     
  20. TabbyG

    TabbyG Private E-2

    No other issues. Thank you very much!
     
  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8 or 10, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 or 10 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. After doing the above, you should work thru the below link:
     
