
Microsoft Edge/Store/Feedback can't access internet after malware removal


mwachal

Hello,

I used Malwarebytes to scan my computer and remove some apparent adware yesterday. Since then I've had a problem where a subset of programs are not able to access the internet, but others are. For example, Chrome and Internet Explorer connect just fine, but Edge, Microsoft Mail, Windows Feedback Hub all fail when trying to get on the internet.

I've been through dozens of "fix the internet after Malwarebytes..." posts and sites and applied multiple fixes to no benefit.

  • DNSClient is running.
  • I've both enabled and disabled Automatic proxy settings.
  • My network is set to Private. (But I've also tried Public.)
  • I've tried both automatic DNS lookup as well as using the Google DNS servers that everyone seems to like.
  • I've reset Edge more than once.
  • I've run multiple adware scanners, none of them are finding anything.

Clearly there is something specific about how the Microsoft products are using the internet that is not shared by any other tools, but I've not been able to figure out what it is. Any help is appreciated.

I've attached the scan results from the run of Malwarebytes that apparently generated the problem for your enjoyment. Two things were identified:

  • Adware.DNSUnlocker.ACMB2 - multiple registry keys and a task were removed.
  • PUP.Optional.PCBackUp360 - a registry key was removed.

Does either of these point in the right direction?

 

Mike

MalwareScan.txt


  • Root Admin

Hello @mwachal and welcome.

The fastest fix would be to do a System Restore back to before you ran the scan and removal. Unfortunately Microsoft turns off System Restore by default on Windows 10 (don't ask me why, lots of discussions and complaints of it on the Internet). If you have it enabled, please try a System Restore and let me know.

In any case, best we scan again and get new logs if the System Restore option is not available to you.

It's quite late for me so I'm headed off to get some sleep but will check back on you again sometime tomorrow.

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes 3 installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks

Ron

 


Hi Ron,

Thanks for taking the time to reply. I've followed the steps and attached the requested files. Note that I've included two files from AdwCleaner, both the scan and clean results. I'm reviewing the FRST logs but would definitely appreciate your guidance about what to do with this list.

Mike

AdwCleanerClean1227.txt

FRST1227.txt

MalwareScan1227.txt

AdwCleanerScan1227.txt


  • Root Admin

Please uninstall the following outdated and possibly compromised version of Java. If at all possible I'd recommend you try to run the computer without using Java. If you do need to use it then make sure you keep it up to date and uninstall older versions. https://java.com

Java 8 Update 141

Can you confirm or verify this file is there on the computer and what it's for? The Azure Client is valid and Microsoft has an update but your entry is dated earlier and that name is rather strange and not found on a Google search. If it is there I'd recommend uploading to https://virustotal.com and having them scan the file too just to make sure.

Task: {0EF53697-F519-4956-8226-9E23BB39729F} - System32\Tasks\AzIPClientDogfoodTask_update => C:\Program Files (x86)\Azure Information Protection Updater\MSIP.Tools.DogfoodClient.exe [2017-11-08] (Microsoft Corporation)

Microsoft Azure Information Protection (unable to find a name like yours above here)
https://www.microsoft.com/en-us/download/details.aspx?id=53018

 

Did you set up or install this VPN entry under Scheduled Tasks? This does not look very legit either. Only 130 searches found for it on Google.

Task: {39D1EB4B-DD08-47D8-8298-71424505C63A} - C:\Windows\System32\Tasks\Microsoft IT VPN\Disconnect => Command(1): netsh.exe -> exec clean_firewall.netsh
Task: {39D1EB4B-DD08-47D8-8298-71424505C63A} - C:\Windows\System32\Tasks\Microsoft IT VPN\Disconnect => Command(2): %ALLUSERSPROFILE%\Microsoft\Network\Connections\Cm\MSITVPN\MSITVPN.exe -> /q:a /c:"cmstp.exe /ns /s /au msitvpn.inf"

 

Is your computer a work computer?
Is your computer joined to an Azure enabled Domain?

This is used for automatically enrolling a device to an Azure enabled domain

Task: {3FDFD1C3-94FC-4693-81F5-295A46FDFFAE} - System32\Tasks\Microsoft\Windows\Dmclient\PushRenewal => C:\WINDOWS\system32\deviceenroller.exe [2017-09-29] (Microsoft Corporation)

 

If this is a Standalone home computer then there are a few other items in the Scheduled Tasks I'd remove. Let me know about this stuff and I'll write a fix based on your replies.

Thanks

Ron

 

 


Hi Ron,

I have removed Java since I'm not aware of any specific programs I'm using that need it. If it turns out something requires it I'll reinstall the most current version as you suggest.

The tasks you identified are all legitimate. This is a home computer, but I use it for work as well. All those items are related to various aspects of ensuring my home computer complies with the requirements for connecting to our corporate network. For the record, I've also tried working with my corporate help desk to resolve this issue but they ran out of ideas and gave up. Even the dogfood AzIPClient is fine - I've confirmed it is signed with a valid certificate from my company.

Thanks for your continued effort to help resolve this problem.

Mike

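The signature check discussed in the two posts above can be run across every scheduled task at once. The following PowerShell is an added example, not part of the original thread; the function name `Get-TaskBinarySignature` and its `-PathFilter` parameter are hypothetical, and it assumes the built-in ScheduledTasks module (Windows 8 or later) and an elevated session.

```powershell
# Added example: report the Authenticode status, signer and SHA-256 of the
# executable behind each scheduled task, so that unsigned or missing
# binaries stand out for manual review.
function Get-TaskBinarySignature {
    [CmdletBinding()]
    param(
        # Hypothetical parameter: wildcard matched against the task folder,
        # e.g. '\Microsoft IT VPN\*'. The default covers every folder.
        [string]$PathFilter = '*'
    )
    $tasks = Get-ScheduledTask | Where-Object { $_.TaskPath -like $PathFilter }
    foreach ($task in $tasks) {
        foreach ($action in $task.Actions) {
            # Only "exec" actions have an Execute path; COM handler actions do not.
            $prop = $action.PSObject.Properties['Execute']
            if (-not $prop -or -not $prop.Value) { continue }

            # Expand %ALLUSERSPROFILE% and similar, and drop surrounding quotes.
            $exe = [Environment]::ExpandEnvironmentVariables($prop.Value).Trim('"')

            # Bare names such as netsh.exe are resolved through PATH.
            if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
                $cmd = Get-Command -Name $exe -CommandType Application `
                           -ErrorAction SilentlyContinue | Select-Object -First 1
                if ($cmd) { $exe = $cmd.Path }
            }

            $status = 'FileNotFound'; $signer = $null; $hash = $null
            if (Test-Path -LiteralPath $exe -PathType Leaf) {
                $sig    = Get-AuthenticodeSignature -LiteralPath $exe
                $status = [string]$sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                $hash   = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            }

            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                Binary    = $exe
                Arguments = $action.Arguments
                Status    = $status
                Signer    = $signer
                SHA256    = $hash
            }
        }
    }
}

# Show only the tasks whose binary is not validly signed or is missing.
Get-TaskBinarySignature | Where-Object Status -ne 'Valid' | Format-List
```

The SHA256 column can be searched on VirusTotal without uploading the file itself.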

Hi Ron,

All the same problems...none of the Microsoft products that require internet are able to connect: Edge, Windows Feedback Hub, Microsoft Mail and not even the VPN. It was fine until I removed a piece of Malware with Malwarebytes, then nothing worked anymore. It's not the internet connection itself (Chrome works for example), but rather just how those specific pieces of software use the internet.

I can't see anything from the logs that suggest why removing the malware would cause this, but there you go.

Mike


Hi Ron,

I wanted to close the loop on this and share the outcome.

I reviewed the information on DISM and honestly it did not feel like the right answer here - a little too aggressive. I wanted to pursue one more path I have available, which was to contact the Microsoft Edge team directly and see if they could figure it out. (Not everyone can do this, but I had the option, so I took it.) They were able to identify the problem, which is documented in https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/13779603/ (I think everyone should be able to see this, if not I'm sorry about that.)

In short, the ACLs for the TCP service on my computer were corrupted. I don't fully understand the causes of this problem; it may have been related to malware, but it could also be caused by a problem with roaming profiles and a change that was made to Edge that is exposed when you move between multiple computers running different versions of Windows.

Assuming you can see the link above, there is information about the fix and some information about the symptoms that may help you if people report this problem in the future. I was also told that Microsoft is working on a fix for the problem that will be released in an upcoming patch. Thank you for all your help and the effort you put into fixing this issue.

Mike


  • Root Admin

Great, thank you for taking the time to report the fix Mike. @mwachal

Yes, I have access to the link even not logged into Microsoft, so I assume it's a fully public link. In theory DISM would have fixed it too, but not certain as it does not fix everything.

Make sure you make some good solid Backups of your data. Backup Software

The complexity of finding, preventing, and cleanup from malware

 

Thank you again, glad you were able to get it resolved. Happy New Year.

Take care Mike

Ron

 

