Post12

Can't connect/disables internet


Hello!

Whenever I turn on Malwarebytes Privacy, it'll say "rerouting" for about 3 minutes total. Halfway through, my internet will turn off and I am asked to set a new network location for "mbvpn", which has a number at the end increasing by one for each attempt. Please help, thanks.


To fully clarify, after the internet turns off and I am asked to set the network location of "mbvpn x", the program fails and tells me it can't connect and to check my internet connection.


Hello @Post12

You have a few minor issues going on with the computer. I've moved your topic to the Malware Removal section where I can assist you in doing some general computer clean up that will hopefully correct your issues.

Did you set up these Persistent Routes? If not, then I will write a script to remove them.

HKLM\System\...\Parameters\PersistentRoutes: [255.255.255.255,255.255.255.255,0.0.0.0,1]
HKLM\System\...\Parameters\PersistentRoutes: [224.0.0.0,240.0.0.0,0.0.0.0,1]

 

I would like to ask you to consider uninstalling Bonjour

What exactly is mDNSResponder.exe?

https://www.groovypost.com/howto/howto/what-is-mdnsresponder-exe-and-why-is-it-running/

MDNSResponder, also known as Bonjour, is Apple’s native zero-configuration networking process for Mac that was ported over to Windows and associated with MDNSNSP.DLL.  On a Mac or iOS device, this program is used for networking nearly everything.  On Windows, this process is only necessary for sharing libraries via iTunes and other Mac applications like the Apple TV that were ported to Windows.  Bonjour allows different computers running iTunes to communicate with each other regardless of network configuration, this is because it enables automatic network discovery.

What Is mDNSResponder.exe / Bonjour and How Can I Uninstall or Remove It?
https://www.howtogeek.com/howto/6456/what-is-mdnsresponder.exe-bonjour-and-how-can-i-uninstall-or-remove-it/

 

You also have a very old and compromised version of Java. Please go into Control Panel, Programs, Uninstall and uninstall Java as well.

 

 

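An added example, not part of the thread and not FRST's own logic: a small parser for `PersistentRoutes` lines in the format quoted in the post above (destination, netmask, gateway, metric) that lists reasons an entry deserves a manual look. The review heuristics are this example's assumptions, and the third sample line is constructed for contrast.

```python
import ipaddress
import re

# First two lines are the entries quoted in the post (registry path elided there);
# the third is a constructed ordinary route for contrast.
SAMPLE_LOG = r"""
HKLM\System\...\Parameters\PersistentRoutes: [255.255.255.255,255.255.255.255,0.0.0.0,1]
HKLM\System\...\Parameters\PersistentRoutes: [224.0.0.0,240.0.0.0,0.0.0.0,1]
HKLM\System\...\Parameters\PersistentRoutes: [10.20.0.0,255.255.0.0,192.168.1.1,5]
"""

ROUTE_RE = re.compile(r"PersistentRoutes:\s*\[([^\]]+)\]")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def parse_routes(text):
    """Yield (network, gateway, metric) for each PersistentRoutes entry."""
    for match in ROUTE_RE.finditer(text):
        # Exactly four comma-separated fields are expected; anything else raises.
        dest, mask, gateway, metric = (f.strip() for f in match.group(1).split(","))
        yield (ipaddress.ip_network(f"{dest}/{mask}"),
               ipaddress.ip_address(gateway), int(metric))


def review_reasons(network, gateway):
    """Return the reasons a route deserves a manual look (empty list = none)."""
    reasons = []
    if gateway.is_unspecified:
        reasons.append("gateway is 0.0.0.0")
    if network.prefixlen == 0:
        reasons.append("overrides the default route")
    if network.network_address == LIMITED_BROADCAST:
        reasons.append("covers limited broadcast")
    if network.is_multicast:
        reasons.append("covers the multicast range")
    return reasons


def triage(text):
    """Map each route (as CIDR text) to its list of review reasons."""
    return {str(net): review_reasons(net, gw) for net, gw, _ in parse_routes(text)}


if __name__ == "__main__":
    for cidr, reasons in triage(SAMPLE_LOG).items():
        print(f"{cidr:<20} {'; '.join(reasons) or 'no flags'}")
```

A flagged entry is a prompt to ask who created the route, as the helper does above, not proof of compromise.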

Oh, no! I did not set up any of those. Please and thank you for helping remove them. I have uninstalled Java and Bonjour.


Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.


fixlist.txt

Thanks

 


Great, the log looks good.

Please go ahead and go to Control Panel, Programs, Uninstall and uninstall the following.

Wintun-Windows
Malwarebytes Privacy

 

Then restart the computer. Then after the restart check for Windows Updates and let me know if any updates are found.

 


I may have gone ahead and installed them, but there were 3: 2020-01 Preview of Monthly Quality Rollup for Windows 7 (KB4539601), Update for Windows 7 (KB3102429), Microsoft Edge Update for Windows 7 (KB4567409).


Okay, please run the MBST tool again and post back new fresh logs and we'll review. I'm off work now but will check back on you and reply on Monday or sooner if I can.

Thanks

 


Hello @Post12

Please run the following

Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here.
  • Save Autoruns.exe to your desktop and double-click it to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and select Verify Code Signatures and Check VirusTotal.com and Submit Unknown Images
  • Once that's done press the F5 key on your keyboard, this will start the scan again, this time let it finish.
  • When it's finished, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.
  • Right-click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the Autoruns.zip folder you just created to your next reply

 


 

 

Thanks

 

 


So, is PowerShell running all the time, or only once in a while? Autoruns is not showing it running.

Please download Process Explorer and then extract the program to a new folder. Then run the program with Admin rights and look for the PowerShell instance.

Then click on Properties and look at the different tabs. Probably the one we want to look at the most is Image tab that lists the command line. Post back what you find out about PowerShell from there and let me know.

 


I am not sure what PowerShell is, but if something in that initial list of processes is supposed to have "powershell" in its name somewhere, then I couldn't find it.

Thank you!


I used the "Find" at the top of the "Process Explorer" program and looked for "powershell" and found one "file" type with the name under the "svchost.exe" process. Its command line is "C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted"


I started up the PowerShell software, then was able to find it in Process Explorer. Its command line was "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe". Also, is it normal for a "thread" to be labeled "RemoteBreakin"?


Running it manually will not give us what we're looking for.

RemoteBreakin - I wouldn't think it's normal but I've not seen that. Do you have a log for it?

Please restart the computer. Then check and see if PowerShell is in the list of running processes or not. If it is or if it starts to run after doing some things then do the following.

Please open an elevated admin command prompt and run the following for me. Press the Enter key at the end. Then

perfmon /report

 


Let it run for the 60 seconds and it will generate a report. Then after it completes click on the File, Save-As and save the file as an .html file. Then zip up the file and attach it to a new Personal Message to me and I will review it tomorrow.

Thank you again

 
