
Cannot access the internet


  • This topic is locked
17 replies to this topic

#1 cbm550

cbm550

  • Members
  • 87 posts
  • OFFLINE
  • Local time:09:30 AM

Posted 25 November 2015 - 10:11 PM

My connection is showing that there is internet access, but I cannot access any web pages.  I tried to run Malware Bytes, but there is an error in running it.  When I tried to re-install Malware Bytes, it runs into an error installing it.



#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,528 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:30 AM

Posted 27 November 2015 - 11:14 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please start your computer in Safe mode and use that mode with the Internet Connection option.

If that is not possible, download this tool to a CD or Flash drive using a good computer and copy the file to the Desktop of the compromised computer. Run it and post the logs for my review.

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.

Click the Add reply button.
===

#3 cbm550

cbm550
  • Topic Starter


Posted 28 November 2015 - 12:01 PM

Thanks for your help.  Here are the logs.

Attached Files



#4 nasdaq


Posted 28 November 2015 - 03:17 PM



MSCONFIG\startupreg: Browser Infrastructure Helper => C:\Users\Chris\AppData\Local\Smartbar\Application\QuickShare.exe startup

Remove the programs in bold via the Control Panel > Programs and Features applet.
Itibiti RTC (x32 Version: 0.0.1 - Itibiti Inc) Hidden
KNCTR (HKLM-x32\...\Itibiti_is1) (Version: - Itibiti Inc.)


Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset
CMD: ipconfig /release
CMD: ipconfig /renew

HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-800963117-80668312-3331147414-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM-x32 -> DefaultScope value is missing
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32.dll [No File]
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw.dll [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
S3 ALSysIO; \??\C:\Users\Chris\AppData\Local\Temp\ALSysIO64.sys [X]
S3 dgderdrv; System32\drivers\dgderdrv.sys [X]
S3 easytether; system32\DRIVERS\easytthr.sys [X]
S3 motandroidusb; System32\Drivers\motoandroid.sys [X]
S3 MotDev; system32\DRIVERS\motodrv.sys [X]
S3 motmodem; system32\DRIVERS\motmodem.sys [X]
S3 motport; system32\DRIVERS\motport.sys [X]
S3 PCTINDIS5X64; \??\C:\Windows\system32\PCTINDIS5X64.SYS [X]
S3 RimUsb; System32\Drivers\RimUsb_AMD64.sys [X]
Task: {083AAC14-09CF-46EE-9EB1-822DD59A9622} - \ConsumerInputUpdateTaskMachineUA -> No File <==== ATTENTION
Task: {3402C506-28D9-4C20-8580-212971F0D048} - System32\Tasks\Gredomre => C:\ProgramData\Gredomre\1.0.6.1\usleaski.exe
Task: {6A5AF333-5388-415F-B654-1ECEE512B340} - \CIMT_S-1-5-21-800963117-80668312-3331147414-1000 -> No File <==== ATTENTION
Task: {8B8B54FC-1658-47A3-9398-1F1564A5670F} - \ConsumerInputUpdateTaskMachineCore -> No File <==== ATTENTION
Task: {A76A6E89-3E9E-46E9-BD3D-015D09270014} - System32\Tasks\Ubimlezu => C:\PROGRA~1\SHOPPE~1\Samkhyr.bat
Task: {C1BC5D70-A1C5-46B8-B104-A5296F88B664} - \GKLBJKEV1 -> No File <==== ATTENTION
Task: {CB49514C-D8CD-4F08-A23F-D7B6DBDC4A02} - \CIMT_daily_S-1-5-21-800963117-80668312-3331147414-1000 -> No File <==== ATTENTION
Task: {ECC8CAAE-04A8-4662-B5E9-588EC72253E4} - \PC SpeedUp Service Deactivator -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:029E021F
AlternateDataStreams: C:\ProgramData\TEMP:054203E4
AlternateDataStreams: C:\ProgramData\TEMP:08E5EE32
AlternateDataStreams: C:\ProgramData\TEMP:1392F09D
AlternateDataStreams: C:\ProgramData\TEMP:20E32CC7
AlternateDataStreams: C:\ProgramData\TEMP:24C072FF
AlternateDataStreams: C:\ProgramData\TEMP:25C7F50C
AlternateDataStreams: C:\ProgramData\TEMP:2AE74FF9
AlternateDataStreams: C:\ProgramData\TEMP:2F141B68
AlternateDataStreams: C:\ProgramData\TEMP:33DB8278
AlternateDataStreams: C:\ProgramData\TEMP:386B39C3
AlternateDataStreams: C:\ProgramData\TEMP:3FD69132
AlternateDataStreams: C:\ProgramData\TEMP:4DDE401B
AlternateDataStreams: C:\ProgramData\TEMP:4F8B72C9
AlternateDataStreams: C:\ProgramData\TEMP:6247E766
AlternateDataStreams: C:\ProgramData\TEMP:689E7F7D
AlternateDataStreams: C:\ProgramData\TEMP:700B9342
AlternateDataStreams: C:\ProgramData\TEMP:70B3C619
AlternateDataStreams: C:\ProgramData\TEMP:834DD57E
AlternateDataStreams: C:\ProgramData\TEMP:8E5EA40F
AlternateDataStreams: C:\ProgramData\TEMP:94B46CA2
AlternateDataStreams: C:\ProgramData\TEMP:9720EBEF
AlternateDataStreams: C:\ProgramData\TEMP:9B285B76
AlternateDataStreams: C:\ProgramData\TEMP:A02025CE
AlternateDataStreams: C:\ProgramData\TEMP:A4CDE823
AlternateDataStreams: C:\ProgramData\TEMP:A6D89509
AlternateDataStreams: C:\ProgramData\TEMP:A819A132
AlternateDataStreams: C:\ProgramData\TEMP:B54E4B5A
AlternateDataStreams: C:\ProgramData\TEMP:C72A744C
AlternateDataStreams: C:\ProgramData\TEMP:C76CFF82
AlternateDataStreams: C:\ProgramData\TEMP:CCB49694
AlternateDataStreams: C:\ProgramData\TEMP:D055FC10
AlternateDataStreams: C:\ProgramData\TEMP:E91ADC66
AlternateDataStreams: C:\ProgramData\TEMP:F12B7623
AlternateDataStreams: C:\ProgramData\TEMP:F41F8101
AlternateDataStreams: C:\ProgramData\TEMP:FC70A22A
AlternateDataStreams: C:\ProgramData\TEMP:FEF0DEE7
MSCONFIG\startupreg: Browser Infrastructure Helper => C:\Users\Chris\AppData\Local\Smartbar\Application\QuickShare.exe startup
FirewallRules: [{AE9291A7-CDEA-4363-BE41-AB4817E70605}] => (Allow) C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe
FirewallRules: [{C5FAF283-4FD4-4695-BF50-51DDC917EF54}] => (Allow) C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Let me know of any remaining issues?
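
The fixlist above mixes entries whose target file is already gone (`No File`, `[X]`) with entries that still point at a file on disk. An added example, not part of the original post and not FRST's own code: a short Python triage that separates the two so the live persistence points stand out. Reading `[X]` and `No File` as "file absent" is an assumption about FRST's markers; `triage` and the sample selection are constructed here.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the fixlist in the post above.
SAMPLE = r"""CMD: netsh winsock reset
S3 dgderdrv; System32\drivers\dgderdrv.sys [X]
Task: {083AAC14-09CF-46EE-9EB1-822DD59A9622} - \ConsumerInputUpdateTaskMachineUA -> No File <==== ATTENTION
Task: {3402C506-28D9-4C20-8580-212971F0D048} - System32\Tasks\Gredomre => C:\ProgramData\Gredomre\1.0.6.1\usleaski.exe
Task: {A76A6E89-3E9E-46E9-BD3D-015D09270014} - System32\Tasks\Ubimlezu => C:\PROGRA~1\SHOPPE~1\Samkhyr.bat
AlternateDataStreams: C:\ProgramData\TEMP:029E021F
AlternateDataStreams: C:\ProgramData\TEMP:054203E4
FirewallRules: [{AE9291A7-CDEA-4363-BE41-AB4817E70605}] => (Allow) C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe
"""

# Service/driver lines start with a state code, e.g. "S3 name; path".
SERVICE_RE = re.compile(r"^[RSU]\d \S+;")
# "=> C:\path" or "=> (Allow) C:\path": capture the file the entry points at.
TARGET_RE = re.compile(r"=>\s*(?:\(\w+\)\s*)?([A-Za-z]:\\.+?)\s*$")

def triage(fixlist):
    """Group fixlist lines by entry type; split live targets from orphans."""
    report = defaultdict(lambda: {"live": [], "orphan": [], "other": []})
    for line in filter(None, map(str.strip, fixlist.splitlines())):
        kind = "Service/Driver" if SERVICE_RE.match(line) else line.split(":", 1)[0]
        target = TARGET_RE.search(line)
        if "No File" in line or line.endswith("[X]"):
            # Assumption: these markers mean the referenced file is absent.
            report[kind]["orphan"].append(line)
        elif target:
            report[kind]["live"].append(target.group(1))
        else:
            report[kind]["other"].append(line)
    return dict(report)

if __name__ == "__main__":
    for kind, groups in triage(SAMPLE).items():
        print(kind, {name: len(items) for name, items in groups.items()})
```

Paths under `live` are the ones worth hashing or submitting for analysis before the fix deletes them.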

#5 cbm550


Posted 28 November 2015 - 04:01 PM

The program, Itibiti RTC (x32 Version: 0.0.1 - Itibiti Inc) Hidden, was not on the list to uninstall.  I checked to see hidden files and it did not show up.  Here is the log.

Attached Files



#6 nasdaq


Posted 29 November 2015 - 08:26 AM

The program, Itibiti RTC (x32 Version: 0.0.1 - Itibiti Inc) Hidden, was not on the list to uninstall.


Let's look in the Registry.

Please run the Farbar Recovery Scan Tool. Enter Itibiti in the Search Box.
Click the Search Registry button, post the content of the Search.txt file in your next reply.
===

Are you able to start the computer in normal mode?

What issues persist?

#7 cbm550


Posted 29 November 2015 - 11:01 AM

It will start in normal mode.  When I go to the internet, all pages say that they cannot be displayed despite having no connection problems.

Attached Files



#8 nasdaq


Posted 30 November 2015 - 08:44 AM

Copy the text IN THE CODE BOX below to notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files". Once you have saved it, right-click the .reg file and allow it to merge with the registry.
 
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\4E30E037E0535E84D9E3349209D354D4]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4E30E037E0535E84D9E3349209D354D4\InstallProperties]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{730E03E4-350E-48E5-9D3E-4329903D454D}]
[-HKEY_USERS\S-1-5-21-800963117-80668312-3331147414-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\56859212_0]
Restart the computer when completed.

You can delete the fixme.reg file when done.

===

Not knowing which browser you are using, reset the browsers that you have installed.
They may be compromised.

Reset Chrome...
Open Google Chrome, click on the menu icon, which is located at the top right of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en
Select "From the beginning of time"

Restart Chrome.

====

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.wisc.edu/page.php?id=15141
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.


Clean the Internet Explorer Cache.
https://kb.wisc.edu/page.php?id=15141

For IE 10, 11 follow the following instructions.
http://refreshyourcache.com/en/internet-explorer-11/
===

How to clear cache and browsing history with Microsoft Edge
http://www.techulator.com/resources/14556-How-to-clear-cache-and-browsing-history-with-Microsoft-Edge.aspx

How to use Microsoft Edge, Windows 10
http://www.pcworld.com/article/2952392/browsers/how-to-use-microsoft-edge-windows-10s-new-browser.html
<<<>>>

Let me know if the problem persists and which browser is not working in Normal mode.

#9 cbm550


Posted 02 December 2015 - 01:41 PM

Sorry, I have been working the past 2 days and could not perform the tasks until now.  I have both Chrome and IE.  Both say, "Page not available."  But there is internet access.



#10 nasdaq


Posted 02 December 2015 - 02:45 PM

Try this fix.

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
autoclean;
chrdefaults;
emptyalltemp;
emptyCHRcache;
emptyIEcache;
emptyjava;
iedefaults;
reset chrome;
resetieproxy;
resethosts;
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply. It's probably too long to post.

How to:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.

Click the Add reply button.

#11 cbm550


Posted 02 December 2015 - 11:02 PM

Here is the Zoek scan

Attached Files



#12 nasdaq


Posted 03 December 2015 - 08:50 AM

Any improvement?

#13 cbm550


Posted 03 December 2015 - 06:18 PM

None.  This is driving me CRAZY!!!! 



#14 nasdaq


Posted 04 December 2015 - 09:27 AM

This is my last hope.
Hope it works.

Launch Notepad, and copy/paste all the blue instructions below to it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]


Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Optional if the following programs are in your computer.
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.

Restart the computer normally.

Let me know if the problem persists.
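
The two fixme.reg files in this thread rely on the `[-KEY]` (delete key) and `[KEY]` (create key) forms of the .reg format. An added example, not part of the original posts: a small Python reviewer that reports what a .reg file would do to each key before it is merged, and flags lines that are not registry syntax, such as prose copied along with the code box. The name `audit_reg` and the stray sentence in the sample are constructed for illustration.

```python
import re

HEADER = "Windows Registry Editor Version 5.00"
KEY_RE = re.compile(r"^\[(-?)(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.+)$')

# Constructed sample: lines from the two .reg files above plus a stray sentence.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\4E30E037E0535E84D9E3349209D354D4]
Restart when completed.
"""

def audit_reg(text):
    """Return (effects, errors): the per-key outcome of merging the file."""
    text = re.sub(r"\\\r?\n\s*", "", text.lstrip("\ufeff"))  # join hex continuations
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith(";")]
    errors, effects, current = [], {}, None
    if lines and lines[0] == HEADER:
        lines = lines[1:]
    else:
        errors.append("missing version header")
    for ln in lines:
        key, val = KEY_RE.match(ln), VALUE_RE.match(ln)
        if key:
            # Registry paths are case-insensitive, so index them upper-cased.
            entry = effects.setdefault(key.group(2).upper(), {
                "key": key.group(2), "effect": None, "set": [], "unset": []})
            if key.group(1):                  # [-KEY]: delete key and subtree
                entry.update(effect="removed", set=[], unset=[])
                current = None
            else:                             # [KEY]: create key if absent
                if entry["effect"] == "removed":
                    entry["effect"] = "emptied"
                elif entry["effect"] is None:
                    entry["effect"] = "created-or-kept"
                current = entry
        elif val and current is not None:
            bucket = "unset" if val.group(2) == "-" else "set"  # "name"=- deletes
            current[bucket].append(val.group(1).strip('"'))
        else:
            errors.append("unparsed line: " + ln)
    return effects, errors
```

On the sample, the ZoneMap\Domains key comes out as `emptied` (deleted, then recreated with no values), which is why the post says site-blocking lists stored there must be re-applied afterwards.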

#15 cbm550


Posted 05 December 2015 - 06:15 PM

No change.





