
Unable to connect to the internet


15 replies to this topic

#1 pctechjbay


Posted 15 July 2014 - 08:34 AM

Hi, I am a computer tech. but I am stumped by this one. I recognise the scam involved, it is very common here in South Africa but this one doesn't quite fit the usual pattern. Normally they call you, take your money and leave you alone, or if you don't pay they lock you out of your pc. I've never known them to take your money and wait 4 months to lock you out.

My customer was contacted by a firm in March 2014 claiming to be called Global IT acting on behalf of Microsoft and that his copy of Windows was illegal. His copy of Windows 8 was, to the best of my knowledge, a legal, activated copy of Windows 8 which came pre-installed on the notebook. He allowed this person remote access to his notebook and was shown log files of all the errors. For a fee this person would fix all the errors and issue a new product key which would make Windows 8 legal. Payment was duly made (I really don't believe people still fall for this) and the notebook was "fixed". Until yesterday everything ran smoothly.

 

Yesterday he was unable to connect to any wireless network. Plugging in a cable did not resolve the issue. The router was tested and found to be working just fine and other computers can connect to the internet through it. So the problem is on the notebook. I was called this morning after two other technicians had failed to resolve the issue over a period of 6 or 7 hours. Initial examination reveals a folder on the desktop called "GLOBAL IT" which is not accessible from any account on the notebook. Trying to change permissions results in the message "You don't currently  have permission to access this folder". There is an offer to "Click here to permanently get access to this folder" and a "Continue" button. Clicking on "Continue" brings the message "You have been denied permission to access this folder".

 

I installed Revo Uninstaller and it only lists 40 installed programs, apparently there should be a lot more including Microsoft Office. Also missing are AVG 2014 (he has a valid license) and Malwarebytes Anti-Malware (also licenced).

Is it worth trying to fix this or would I be better off formatting? If it is worth trying to fix where do I start?

 

Any and all help is appreciated, thank you!


Edited by pctechjbay, 15 July 2014 - 08:34 AM.



#2 JohnC_21


Posted 15 July 2014 - 09:02 AM

Hello,

Open a command prompt CMD > Right click > Run as administrator

 

At the prompt type:

net user administrator /active:yes

Log off and then log on. You should see the now enabled Administrator account. If not, reboot.

 

This will enable the super user account. Hopefully this will let you access the GlobalIT folder and see what it is doing.

 

I would also download and run Autoruns in the administrator account and look for any suspicious startup programs.  Good Luck



#3 pctechjbay


Posted 15 July 2014 - 09:10 AM

Thanks mate :) Much obliged.



#4 JohnC_21


Posted 15 July 2014 - 09:21 AM

You're welcome,

If the enabled Administrator account does not give you access to the GlobalIT folder, download Puppy Linux. Burn the ISO and boot. The computer's hard drive will be labeled sda1 in the lower left of the Puppy desktop. Clicking once will mount it and open the File Manager. Browse to the desktop folder and access the GlobalIT folder.

 

Edit: Because it is Windows 8 you will need to disable Secure Boot and Fastboot in BIOS.


Edited by JohnC_21, 15 July 2014 - 09:22 AM.


#5 pctechjbay


Posted 15 July 2014 - 09:23 AM

System error 5 has occurred. Access denied.

 

Autoruns is downloading. My ISP appears to be having issues 20 minutes to d/l 500kb? Sigh. I'll get back to you on that one, I didn't notice anything obvious in task manager.


Edited by pctechjbay, 15 July 2014 - 09:25 AM.


#6 JohnC_21


Posted 15 July 2014 - 09:31 AM

You can enable the Administrator account offline using this guide to bypass any restrictions. Download the latest version here, not the one in the guide.



#7 pctechjbay


Posted 15 July 2014 - 11:48 AM

I am unable to boot from either the CD drive or a USB drive. I tested the CD and it works just fine in another pc and boots to the utility - I suspect that they have disabled something to prevent booting from an external source. I can access the CMOS and change the boot order, but when I save and exit the unit automatically attempts to boot from the HDD. If I press F9 (HP's change boot device key) as I switch it on the only option to boot from is OS Boot Manager.

 

I finally managed to force the unit to boot from the CD but get a "failed to mount" Operation not permitted error. Damn!


Edited by pctechjbay, 15 July 2014 - 12:18 PM.


#8 JohnC_21


Posted 15 July 2014 - 12:29 PM

Sorry, I don't know what else to do about this. Maybe somebody on the Forum can give some ideas. You could not boot the Linux CD either, I take it. For the USB drive, I am pretty sure Fastboot has to be disabled in BIOS and it would help to disable Secure Boot also. Is there a legacy boot option? It's possible the disk will not boot because of the UEFI BIOS.

 

For the USB boot, use Rufus. In the dropdown box, one of the partition schemes is GPT and UEFI.

 

Edit: one last option, but I don't know if it will work, is Kaspersky Rescue Disk if you can get it to boot and do a scan. I would use the WindowsUnlocker option in Terminal.


Edited by JohnC_21, 15 July 2014 - 12:37 PM.


#9 pctechjbay


Posted 15 July 2014 - 01:02 PM

Thanks John. I failed to get it to boot from USB and so burned a bootable CD. I managed to get the CD to boot eventually after jumping through many hoops. However the Failed to Mount Operation not permitted defeated me. I will happily try the Kaspersky Rescue Disk - at this point I am thinking perhaps a format might be the least painful way forward for both the customer and me. :) I'll keep you posted. I'm very grateful for your assistance.



#10 JohnC_21


Posted 15 July 2014 - 01:11 PM

You're welcome,

Sometimes it's best just to cut your losses and move on. Hopefully Kaspersky will do something.


Edited by JohnC_21, 15 July 2014 - 01:11 PM.


#11 pctechjbay


Posted 16 July 2014 - 06:35 AM

I finally managed to get the notebook to boot from the Kaspersky Rescue disk. The scan found assorted malware but more importantly the file manager allowed me to see inside the locked Global IT folder. The following files are listed: ccsetup406.exe; desktop.ini; DisableUACforAdmin.reg; Evntvwr Cleanr.bat; favicon.ico; Malwarebytes licene Key.txt and mbam-setup-1.75.0.1300.exe. Nothing in that lot is ringing alarm bells. However, to be on the safe side I am backing up the data and doing a factory restore. Something is not right and I cannot find it so I think the best option is to start from scratch. Thanks for your help John, I learned a lot this past 24 hours! :)



#12 JohnC_21


Posted 16 July 2014 - 07:01 AM

Sounds like a plan. I can't believe the amount of people that let their computer be controlled remotely because it is supposedly Microsoft on the other end of the line. To me this is a perfect example for current backups and system images but people rarely do it.

#13 pctechjbay


Posted 16 July 2014 - 07:06 AM

Yes, John, I can't believe people fall for this. I confess that this is the first time I've seen this particular version of the scam. The last one I dealt with about 2 months ago was also initiated with a call purporting to be from Microsoft. They gained access then locked the pc by using a CMOS password and a registry hive password. That one was a straightforward decision - can't bypass the registry hive password therefore a format was required. This one the customer is reluctant to let me format and I am struggling to lift the data as neither of my workshop computers (XP and Windows 7) will see the data. The drive is visible in disk management but not from explorer. I have now resorted to Linux to recover the data :) Man this has been a learning curve of note!


Edited by pctechjbay, 16 July 2014 - 07:06 AM.


#14 JohnC_21


Posted 16 July 2014 - 09:10 AM

Sometimes the registry hive password can be fixed by deleting the registry hives and then copying them from the RegBack folder in Windows 7 using the Linux disk. The issue is if the computer has been rebooted and Windows automatically backed up the password protected hive to RegBack.
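
The RegBack caveat from post #14, as an added example that is not part of the original thread: a shell sketch for the Linux live disk that restores the RegBack hives only if every copy predates the lockout, and moves the live hives aside instead of deleting them. The function names, the mount path argument and the cutoff date are assumptions, as is treating each file's modification time as the time the backup was written.

```shell
#!/bin/sh
# Added example: vet RegBack hive copies before restoring them from a Linux live disk.
# Assumptions: WINROOT is the mounted Windows 7 volume (writable, case-sensitive
# paths as shown); CUTOFF is the date the machine was locked. A backup written on
# or after that date may already contain the password-protected hive.

HIVES="DEFAULT SAM SECURITY SOFTWARE SYSTEM"

# regback_usable WINROOT CUTOFF
# Returns 0 only if every RegBack hive exists, is non-empty and predates CUTOFF.
regback_usable() {
    winroot=$1
    cutoff=$(date -d "$2" +%s) || return 2
    regback="$winroot/Windows/System32/config/RegBack"
    for hive in $HIVES; do
        f="$regback/$hive"
        if [ ! -s "$f" ]; then
            echo "missing or empty: $f" >&2
            return 1
        fi
        mtime=$(stat -c %Y "$f")
        if [ "$mtime" -ge "$cutoff" ]; then
            echo "backed up on or after cutoff: $f" >&2
            return 1
        fi
    done
    return 0
}

# restore_regback WINROOT CUTOFF
# Moves the live hives into a dated folder, copies the RegBack hives into place
# and prints the folder holding the originals so the change can be undone.
restore_regback() {
    winroot=$1
    regback_usable "$winroot" "$2" || return 1
    config="$winroot/Windows/System32/config"
    saved="$config/hives.locked.$(date +%Y%m%d%H%M%S)"
    mkdir "$saved" || return 1
    for hive in $HIVES; do
        if [ -e "$config/$hive" ]; then
            mv "$config/$hive" "$saved/" || return 1
        fi
        cp -p "$config/RegBack/$hive" "$config/$hive" || return 1
    done
    echo "$saved"
}
```
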



#15 pctechjbay


Posted 16 July 2014 - 09:15 AM

That's worth making a note of, thanks. This was Windows XP and I just figured since it was not a business machine but one used for Skype and email that it would be more cost effective to format. :)





