
Can't access any sites, Windows virus protection access is blocked


13 replies to this topic

#1 Milsaps
  • Members
  • 10 posts

Posted 06 August 2018 - 07:36 PM

I have internet access but cannot access any sites; sometimes I reach a page that says google.ca is down or blocked. The Windows virus protection is "managed by your organization", so I'm assuming access to all sites is being blocked by the malware.

Ran Malwarebytes multiple times; it came up with 400 threats the first time. Ran it and restarted a few more times; now the number is usually under 10, but the main issue still persists.

Windows 10 64-bit

The FRST logs were too long, so I've attached the files. Thank you for the help!

Attached Files





#2 nasdaq
  • Malware Response Team
  • 40,245 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 07 August 2018 - 06:47 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

ATTENTION: System Restore is disabled
Turn System Restore On for Drives in Windows 10 - Immediately.
http://www.tenforums.com/tutorials/4533-system-protection-turn-off-drives-windows-10-a.html
===

Remove these programs in bold via the Control Panel > Programs > Programs and Features.
AnonymizerGadget (HKU\S-1-5-21-2885170103-1010608853-939429740-1001\...\AnonymizerGadget) (Version: 1 - Jetico lim) <==== ATTENTION
KMSpico (HKLM\...\{8B29D47F-92E2-4C20-9EE0-F710991F5D7C}_is1) (Version: - )
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
CloseProcesses:

(Jetico ltd) C:\Users\Admin\AppData\Roaming\AGData\bin\AnonymizerLauncher.exe
() C:\Users\Admin\AppData\Roaming\AGData\bin\proxycheck.exe
() C:\Users\Admin\AppData\Roaming\AGData\bin\proxycheck.exe
() C:\Users\Admin\AppData\Roaming\AGData\bin\proxycheck.exe
CHR Extension: (Zoom for Google Chrome) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lajondecmobodlejlcjllhojikagldgd [2018-06-08]
R2 PaceLicenseDServices; "C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe" -u https://activation.paceap.com/InitiateActivation [X] <==== ATTENTION

Task: {356699ED-A9B7-4B41-990D-A47433E37151} - System32\Tasks\AGProxyCheck => C:\Program [Argument = Files (x86)\AnonymizerGadget\AGService.exe /recove]
Task: {DBD1DFC2-8B7F-49B3-857A-27C39CC8328C} - System32\Tasks\AutoPico Daily Restart => C:\Program Files\KMSpico\AutoPico.exe
2018-08-06 19:22 - 2018-08-06 19:22 - 001917576 _____ () C:\Users\Admin\AppData\Roaming\AGData\bin\proxycheck.exe
2018-08-06 19:22 - 2018-08-06 19:22 - 009656456 _____ () C:\Users\Admin\AppData\Roaming\AGData\bin\AnonymizerGadget.dll
AlternateDataStreams: C:\Users\Admin\AppData\Local\Gt9cl6JZ88:etUPA0M3Gldd7bp7mbw4GYt [2442]
AlternateDataStreams: C:\ProgramData\TEMP:4FC01C57 [134]
AlternateDataStreams: C:\Users\Public\AppData:CSM [221]

C:\Users\Admin\AppData\Roaming\AGData
C:\Users\Admin\AppData\Roaming\AGData\bin\proxycheck.exe
C:\Program [Argument = Files (x86)\AnonymizerGadget\AGService.exe
C:\Program Files\KMSpico

VirusTotal: C:\Program Files\Phillips\Phillips.exe
VirusTotal: C:\Users\Admin\AppData\Local\Temp\tJnEXC0vCmf4kLewgcvK9Vw0V.exe

RemoveProxy:

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.

Please let me know what problem persists with this computer.

#3 Milsaps

Posted 07 August 2018 - 07:46 AM

Thank you for the help, I've done all the steps listed.

Google Chrome still does not connect to any websites, saying that the site cannot be reached, google.ca refused to connect, etc. (before this thread I had also tried installing Firefox to be sure it wasn't a browser issue).

Windows Defender virus & threat protection still says "Your virus & threat protection is managed by your organization".

Malwarebytes now comes up with zero threats after a scan.

Attached Files



#4 nasdaq

Posted 07 August 2018 - 12:24 PM

Hi,

Your copy of Chrome may have been compromised.

:step1: Remove Chrome from your Computer and reinstall a fresh copy later.

:step2: Before you remove Chrome, export your bookmarks.
Chrome will export your bookmarks as an HTML file, which you can then import into another browser.

How To: http://ccm.net/faq/31791-how-to-backup-your-google-chrome-bookmarks

:step3: If you sync your account you must remove it before you save your bookmarks etc...
Delete your Google Chrome browser sync data if you sync with other devices. <- Important ...
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/


:step4: Clear your Chrome cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

:step5: Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

:step6: Re-install Chrome and the Bookmarks.
====

How is it now?

#5 Milsaps

Posted 07 August 2018 - 06:32 PM

I did all the steps and the same issues remain: all websites are unable to connect, and virus & threat protection is still "managed by your organization".

I scanned with Malwarebytes before uninstalling and reinstalling Chrome and it found new threats (I haven't been using the computer other than for doing the steps in this thread), so something is still causing issues, unfortunately.

I've scanned with FRST again and attached the logs below.

Thanks again!

Attached Files



#6 nasdaq

Posted 08 August 2018 - 07:03 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
CloseProcesses:

C:\WINDOWS\system32\default_error_stack*.txt

Reboot:


End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please go to:
https://www.virustotal.com/#/home/upload

Upload these two files and post the links for my review.
I need to know what we are dealing with.

C:\Program Files\fik Phillips Updater\Phillips.exe
C:\Users\Admin\AppData\Local\Temp\tJnEXC0vCmf4kLewgcvK9Vw0V.exe


#7 Milsaps

Posted 08 August 2018 - 09:51 AM

 

Attached Files



#8 nasdaq

Posted 08 August 2018 - 12:38 PM

Hi

Run this fix to clean it.

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
CloseProcesses:

() C:\Program Files\fik Phillips Updater\Phillips.exe
() C:\Program Files\Phillips\Phillips.exe
(PatientLink Enterprises Lake ) C:\Users\Admin\AppData\Local\Temp\tJnEXC0vCmf4kLewgcvK9Vw0V.exe
(PatientLink Enterprises Lake ) C:\Users\Admin\AppData\Local\Temp\tJnEXC0vCmf4kLewgcvK9Vw0V.exe
Task: C:\WINDOWS\Tasks\Phillips.job => C:\Program Files\Phillips\Phillips.exe

C:\Program Files\fik Phillips Updater
C:\Program Files\Phillips
C:\Users\Admin\AppData\Local\Temp\tJnEXC0vCmf4kLewgcvK9Vw0V.exe
C:\WINDOWS\Tasks\Phillips.job

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

How is the computer running now?

Edited by nasdaq, 08 August 2018 - 12:39 PM.


#9 Milsaps

Posted 08 August 2018 - 01:41 PM

The internet issue has been resolved! No threats are detected via Malwarebytes either; however, the Windows virus & threat protection issue still remains. I've linked a screenshot below so you can see what I'm talking about; this message only appeared after the malware.

 

https://imgur.com/xuRNH2i

Attached Files


Edited by Milsaps, 08 August 2018 - 01:41 PM.


#10 nasdaq

Posted 09 August 2018 - 07:01 AM

Hi,

Are you talking about the image that follows the post at Imgur?

--RogueKiller--
  • Download & SAVE to your Desktop: Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator".
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click Open the Report.
  • Click the Export TXT button.
  • Save the file as ReportRogue.txt.
  • Click the Remove button to delete the items in RED.
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

#11 Milsaps

Posted 09 August 2018 - 09:58 AM

Followed all the steps. I deleted only the red ones; there were threats labelled in orange that I didn't remove. The issue in the screenshot I posted has not gone after a restart as well.

Attached Files



#12 nasdaq

Posted 09 August 2018 - 10:28 AM

Hi,

Your copy of Chrome has been compromised.

:step1: Remove Chrome from your Computer and reinstall a fresh copy later.

:step2: Before you remove Chrome, export your bookmarks.
Chrome will export your bookmarks as an HTML file, which you can then import into another browser.

How To: http://ccm.net/faq/31791-how-to-backup-your-google-chrome-bookmarks

:step3: If you sync your account you must remove it before you save your bookmarks etc...
Delete your Google Chrome browser sync data if you sync with other devices. <- Important ...
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

:step4: Clear your Chrome cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

:step5: Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

:step6: Re-install Chrome and the Bookmarks.
====

#13 Milsaps

Posted 09 August 2018 - 12:21 PM

Done, here are the new logs in case you need them.

Attached Files



#14 nasdaq

Posted 10 August 2018 - 06:34 AM

Hi,

If not already done please delete all the items found by the RogueKiller program.
Restart the computer normally when completed.
===

These default_error.....txt files are still being created.
C:\WINDOWS\system32\default_error_stack-000000-000000.txt

A good number of them were removed with my first fix.

Please open the .txt file in bold and post the contents in your next reply.
Or you can attach the file for my review.
I would like to find out which application is creating these files.
===

Any issues with this computer?
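The following read-only triage script is an added example, not something posted in this thread and not part of FRST or RogueKiller. It gathers, in one place, the evidence behind the symptoms discussed in posts #2 and #9: the per-user and WinHTTP proxy settings that FRST's RemoveProxy: directive resets, the policy registry keys that put Chrome and Windows Defender into the "managed by your organization" state, scheduled tasks whose action runs from outside C:\Windows (like the AGProxyCheck, AutoPico and Phillips tasks above), named alternate data streams in the folders FRST flagged, and the default_error_stack files nasdaq asked about. It assumes Windows 10 and an elevated PowerShell; the helper name Get-PolicyValues is my own.

```powershell
# Added read-only triage script (not from the thread, not part of FRST).
# Run in an elevated PowerShell on Windows 10. Nothing here deletes anything.
$ErrorActionPreference = 'SilentlyContinue'

# Every value under a policy key, including the key itself (Get-ChildItem alone skips it).
function Get-PolicyValues([string]$Path) {
    if (-not (Test-Path $Path)) { return }
    foreach ($k in @(Get-Item $Path) + @(Get-ChildItem $Path -Recurse)) {
        foreach ($name in $k.GetValueNames()) {
            [pscustomobject]@{ Key = $k.Name; Value = $name; Data = $k.GetValue($name) }
        }
    }
}

'--- 1. Proxy settings (what the RemoveProxy: directive in the fixlist resets) ---'
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' |
    Select-Object ProxyEnable, ProxyServer, AutoConfigURL
netsh winhttp show proxy

'--- 2. Policy keys behind "managed by your organization" (a home PC should have none) ---'
Get-PolicyValues 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
Get-PolicyValues 'HKLM:\SOFTWARE\Policies\Google\Chrome'
Get-PolicyValues 'HKCU:\SOFTWARE\Policies\Google\Chrome'

'--- 3. Scheduled tasks whose action runs from outside C:\Windows ---'
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $task.Actions |
        Where-Object { $_.Execute -and $_.Execute -notmatch '^"?(C:\\Windows|%SystemRoot%|%windir%)' } |
        ForEach-Object {
            [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName; Run = $_.Execute; Args = $_.Arguments }
        }
} | Format-Table -AutoSize

'--- 4. Named alternate data streams in the folders FRST flagged ---'
# Zone.Identifier is the normal mark-of-the-web on downloads, so it is filtered out.
foreach ($dir in "$env:LOCALAPPDATA", 'C:\ProgramData', 'C:\Users\Public') {
    Get-ChildItem $dir -Force | Get-Item -Stream * |
        Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}

'--- 5. The default_error_stack files still being created in System32 ---'
Get-ChildItem 'C:\Windows\System32\default_error_stack*.txt' |
    Sort-Object LastWriteTime | Select-Object Name, LastWriteTime, Length
```

Findings in sections 2 to 4 are what a home machine should not have; the timestamps in section 5 narrow down when the file-writing process runs, which is the lead nasdaq was chasing.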



