laptop infected, can't get to internet


30 replies to this topic

#1 CRodgers

Posted 01 August 2016 - 07:57 AM

My daughter's surface pro (win 10) would not go to the internet.  My wife saw that MBAM was not running automatically (ended trial period), so she ran it manually and it found and removed a bunch of things.  After that, when she tried to go to the internet with Chrome, we got a popup that says that the shortcut no longer exists or has moved.  The name of the file ended in .bat, so whatever infected her laptop changed the win 10 app to run a bat file, which I presume was deleted by MBAM. 

 

How do I make sure all the malware is gone?

 

How do I fix or create a new shortcut to chrome?  To get chrome to work, I have to search for chrome and the only option is to run chrome as a command - then that brings up the browser.

 

Thanks for your help,

Chris





#2 CRodgers (Topic Starter)

Posted 08 August 2016 - 08:12 PM

It has been over a week... did I post this in the wrong place or is my issue not clear?



#3 pagunio

Posted 09 August 2016 - 11:21 AM

  • Download SecurityCheck from http://www.bleepingcomputer.com/download/securitycheck/


  • Run SecurityCheck.
  • Press any key to start scan.
  • When scan is finished a window should pop up with report, please post it here with your reply.


  • Mod Edit: FRST is not run here in Am I Infected

  • Download MiniToolBox from http://www.bleepingcomputer.com/download/minitoolbox/


  • Run MiniToolBox.
  • A window will pop up click Yes.
  • Check the following:
    Report IE Proxy Settings
    Report FF Proxy Settings
    List content of Hosts
    List IP configuration
    List Winsock Entries
    List last 10 Event Viewer log
    List Installed Programs
    List Devices
    List Users, Partitions and Memory size
    List Restore Points

  • Click on Go, When its finished a window should pop up with report, please post it here with your reply.

Edited by boopme, 15 August 2016 - 04:50 PM.


#4 boopme (Global Moderator)

Posted 10 August 2016 - 09:42 AM

Hello and welcome..
For the connection try these...

Please click Start > Run, type inetcpl.cpl in the runbox and press enter.
Click the Connections tab and click the LAN settings option.
Verify if "Use a proxy..." is checked, if so, UNcheck it and click OK/OK to exit.
Now check if the internet is working again.

OR

Go to Start ... Run and type in cmd
A dos Window will appear.
Type in the dos window: netsh winsock reset
Click on the enter key.

Reboot your system to complete the process.

WIN7.. Please Download this file, Click Me
Right-click on winsockfix.bat and click on Run as Administrator.
NOTE you may need to click on IGNORE in a security warning.


If all's good run Minitoolbox.. DO NOT run FRST

Edited by boopme, 10 August 2016 - 09:43 AM.

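The checks that post #3 (pagunio's MiniToolBox list: proxy settings, hosts content, Winsock entries, IP configuration) and post #4 (boopme's inetcpl.cpl proxy check and netsh winsock reset) walk through by hand, collected into one script. This is an added example for this thread, not a tool from the posts or from BleepingComputer. It assumes Windows 8.1 or 10 with PowerShell 5, and an elevated prompt when -Reset is used; everything before the -Reset branch is read-only, so run it without the switch first and look at what it reports.

```powershell
# Added example for this thread (not from the posts or from BleepingComputer).
# Read-only triage of the things pagunio's MiniToolBox list and boopme's
# inetcpl.cpl / netsh steps check by hand; the reset commands run only with -Reset.
# Assumes Windows 8.1/10, PowerShell 5, and an elevated prompt for -Reset.
param([switch]$Reset)

$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# 1. WinINet proxy: what "Use a proxy server" in LAN settings reads from.
#    An AutoConfigURL (PAC script) redirects traffic just as well as a proxy does.
$inet = Get-ItemProperty -Path $inetKey
[pscustomobject]@{
    ProxyEnable   = $inet.ProxyEnable
    ProxyServer   = $inet.ProxyServer
    AutoConfigURL = $inet.AutoConfigURL
} | Format-List

# 2. hosts file: report every active entry that does not map to loopback.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hostsPath |
    Where-Object { $_ -match '^\s*[^#\s]' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s' } |
    ForEach-Object { "SUSPECT hosts entry: $_" }

# 3. Winsock catalog: flag provider DLLs loaded from outside the Windows
#    system directories (a third-party LSP/NSP such as Bonjour's mdnsNSP.dll
#    shows up here; decide per product whether it belongs on the machine).
netsh winsock show catalog |
    Select-String -Pattern 'Provider Path' |
    Where-Object { $_.Line -notmatch '\\(System32|SysWOW64)\\' } |
    ForEach-Object { "REVIEW Winsock provider: $($_.Line.Trim())" }

# 4. Resolvers in use per adapter, to compare with what the DHCP server hands out.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# 5. The repair steps from the post, applied only on request.
if ($Reset) {
    Set-ItemProperty -Path $inetKey -Name ProxyEnable -Value 0
    Remove-ItemProperty -Path $inetKey -Name AutoConfigURL -ErrorAction SilentlyContinue
    netsh winsock reset
    ipconfig /flushdns
    Write-Host 'Reboot to complete the Winsock reset.'
}
```

The hosts and Winsock checks print only entries worth a second look rather than the whole file or catalog, which is what you want when comparing a suspect machine against a clean one; a resolver that differs from the router's DHCP-assigned one is not by itself a finding, but it should match what whoever manages the machine set.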

#5 CRodgers (Topic Starter)

Posted 15 August 2016 - 12:25 AM

 Results of screen317's Security Check version 1.014 --- 12/23/15 
   x64 (UAC is enabled) 
Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled! 
Windows Defender  
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Google Chrome (52.0.2743.116)
Google Chrome (52.0.2743.82)
Google Chrome (SetupMetrics...)
````````Process Check: objlist.exe by Laurent```````` 
Windows Defender MSMpEng.exe
Windows Defender MpCmdRun.exe  
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````



#6 CRodgers (Topic Starter)

Posted 15 August 2016 - 12:31 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14-08-2016
Ran by Emily (administrator) on FANTASMIC (15-08-2016 01:26:56)
Running from C:\Users\Emily\Downloads
Loaded Profiles: Emily (Available Profiles: Emily)
Platform: Windows 10 Pro Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal

Mod Edit FRST is not used in the Am I Infected forum


Edited by boopme, 15 August 2016 - 04:51 PM.


#7 CRodgers (Topic Starter)

Posted 15 August 2016 - 12:37 AM

MiniToolBox by Farbar  Version: 17-06-2016
Ran by Emily (administrator) on 15-08-2016 at 01:33:20
Running from "C:\Users\Emily\Downloads"
Microsoft Windows 10 Pro  (X64)
Model: Surface Pro 3 Manufacturer: Microsoft Corporation
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= Hosts content: =================================

========================= IP Configuration: ================================

Marvell AVASTAR Wireless-AC Network Controller = Wi-Fi (Connected)
Bluetooth Device (Personal Area Network) = Bluetooth Network Connection (Media disconnected)

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled taskoffload=disabled
set interface interface="Local Area Connection* 3" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection* 1" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection* 2" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Bluetooth Network Connection" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Wi-Fi" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled

popd
# End of IPv4 configuration

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Fantasmic
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : home

Wireless LAN adapter Local Area Connection* 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : 32-59-B7-0A-72-59
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : home
   Description . . . . . . . . . . . : Marvell AVASTAR Wireless-AC Network Controller
   Physical Address. . . . . . . . . : 30-59-B7-0A-73-58
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::32:a719:11dd:b179%6(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.9(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, August 15, 2016 1:03:57 AM
   Lease Expires . . . . . . . . . . : Tuesday, August 16, 2016 1:03:57 AM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 53500343
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-61-E2-94-30-59-B7-0A-73-58
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       8.8.4.4
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physical Address. . . . . . . . . : 60-02-92-09-E6-4F
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Name:    google.com
Addresses:  2607:f8b0:4008:804::200e
   216.58.219.142

Pinging google.com [216.58.219.78] with 32 bytes of data:
Reply from 216.58.219.78: bytes=32 time=10ms TTL=56
Reply from 216.58.219.78: bytes=32 time=19ms TTL=56

Ping statistics for 216.58.219.78:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 10ms, Maximum = 19ms, Average = 14ms

Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Name:    yahoo.com
Addresses:  2001:4998:58:c02::a9
   2001:4998:c:a06::2:4008
   2001:4998:44:204::a7
   98.139.183.24
   98.138.253.109
   206.190.36.45

Pinging yahoo.com [98.139.183.24] with 32 bytes of data:
Reply from 98.139.183.24: bytes=32 time=143ms TTL=50
Reply from 98.139.183.24: bytes=32 time=161ms TTL=50

Ping statistics for 98.139.183.24:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 143ms, Maximum = 161ms, Average = 152ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
  7...32 59 b7 0a 72 59 ......Microsoft Wi-Fi Direct Virtual Adapter
  6...30 59 b7 0a 73 58 ......Marvell AVASTAR Wireless-AC Network Controller
  5...60 02 92 09 e6 4f ......Bluetooth Device (Personal Area Network)
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.9     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link       192.168.1.9    281
      192.168.1.9  255.255.255.255         On-link       192.168.1.9    281
    192.168.1.255  255.255.255.255         On-link       192.168.1.9    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.1.9    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.1.9    281
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  6    281 fe80::/64                On-link
  6    281 fe80::32:a719:11dd:b179/128
                                    On-link
  1    306 ff00::/8                 On-link
  6    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

========================= Winsock entries =====================================

Catalog5 01 C:\WINDOWS\SysWOW64\napinsp.dll [55808] (Microsoft Corporation)
Catalog5 02 C:\WINDOWS\SysWOW64\pnrpnsp.dll [70656] (Microsoft Corporation)
Catalog5 03 C:\WINDOWS\SysWOW64\pnrpnsp.dll [70656] (Microsoft Corporation)
Catalog5 04 C:\WINDOWS\SysWOW64\NLAapi.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog5 06 C:\WINDOWS\SysWOW64\winrnr.dll [23552] (Microsoft Corporation)
Catalog5 07 C:\WINDOWS\SysWOW64\wshbth.dll [51712] (Microsoft Corporation)
Catalog5 08 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [122128] (Apple Inc.)
Catalog9 01 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 02 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 03 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 04 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 05 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 06 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 07 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 08 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 09 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 10 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 11 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 12 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\pnrpnsp.dll [87040] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [87040] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\NLAapi.dll [80896] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [31744] (Microsoft Corporation)
x64-Catalog5 07 C:\Windows\System32\wshbth.dll [63488] (Microsoft Corporation)
x64-Catalog5 08 C:\Program Files\Bonjour\mdnsNSP.dll [133392] (Apple Inc.)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 12 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (08/15/2016 01:03:24 AM) (Source: Microsoft-Windows-Immersive-Shell) (User: FANTASMIC)
Description: Activation of app Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy!App failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (08/12/2016 11:31:55 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 1687

Error: (08/12/2016 11:31:55 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 1687

Error: (08/12/2016 11:31:55 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (08/11/2016 09:04:47 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 1735

Error: (08/11/2016 09:04:47 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 1735

Error: (08/11/2016 09:04:47 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (08/11/2016 03:16:54 AM) (Source: Microsoft-Windows-Immersive-Shell) (User: FANTASMIC)
Description: Activation of app Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy!App failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (08/10/2016 10:21:34 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 2265

Error: (08/10/2016 10:21:34 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 2265

System errors:
=============
Error: (08/15/2016 01:07:00 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: {784E29F4-5EBE-4279-9948-1E8FE941646D}

Error: (08/15/2016 01:03:29 AM) (Source: DCOM) (User: FANTASMIC)
Description: {83FEFA40-6F67-4244-AA04-1E590C1CB1D9}

Error: (08/15/2016 01:03:24 AM) (Source: DCOM) (User: FANTASMIC)
Description: Windows.Security.Authentication.Web.Core.BackgroundGetTokenTask.ClassId.WebAccountProvider

Error: (08/15/2016 01:03:23 AM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Sync Host_32435 service to connect.

Error: (08/15/2016 01:03:23 AM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the User Data Storage_32435 service to connect.

Error: (08/15/2016 01:03:23 AM) (Source: Service Control Manager) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the User Data Storage_32435 service, but this action failed with the following error:
%%1056 = An instance of the service is already running.

Error: (08/15/2016 01:03:13 AM) (Source: Service Control Manager) (User: )
Description: The User Data Access_32435 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (08/15/2016 01:03:13 AM) (Source: Service Control Manager) (User: )
Description: The User Data Storage_32435 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (08/15/2016 01:03:13 AM) (Source: Service Control Manager) (User: )
Description: The Contact Data_32435 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (08/15/2016 01:03:13 AM) (Source: Service Control Manager) (User: )
Description: The Sync Host_32435 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.

Microsoft Office Sessions:
=========================
Error: (08/15/2016 01:03:24 AM) (Source: Microsoft-Windows-Immersive-Shell)(User: FANTASMIC)
Description: Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy!App-2144927141

Error: (08/12/2016 11:31:55 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 1687

Error: (08/12/2016 11:31:55 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 1687

Error: (08/12/2016 11:31:55 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (08/11/2016 09:04:47 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 1735

Error: (08/11/2016 09:04:47 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 1735

Error: (08/11/2016 09:04:47 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (08/11/2016 03:16:54 AM) (Source: Microsoft-Windows-Immersive-Shell)(User: FANTASMIC)
Description: Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy!App-2144927141

Error: (08/10/2016 10:21:34 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 2265

Error: (08/10/2016 10:21:34 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 2265

CodeIntegrity Errors:
===================================
  Date: 2016-08-14 21:39:57.508
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-08-11 16:45:09.967
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-07-20 16:57:52.191
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-07-17 17:09:02.996
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-07-14 10:57:36.375
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-07-14 10:28:43.958
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-07-11 12:16:27.824
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\MicRotateAPO.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-07-11 12:16:27.775
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\MicRotateAPO.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-07-10 13:31:46.645
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\MicRotateAPO.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-07-10 13:31:46.602
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\MicRotateAPO.dll because the set of per-page image hashes could not be found on the system.

=========================== Installed Programs ============================

Apple Application Support (32-bit) (HKLM-x32\...\{649A1FD9-5892-46AD-8DF0-C4A43FF61CB7}) (Version: 4.1 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{0DE0A178-AC7B-4650-806C-CF226DE03766}) (Version: 4.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{3540181E-340A-4E7A-B409-31663472B2F7}) (Version: 9.1.0.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{FFD1F7F1-1AC9-4BC4-A908-0686D635ABAF}) (Version: 2.1.4.131 - Apple Inc.)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version:  - )
Fitbit Connect (HKLM-x32\...\{E54705FB-98A6-4C03-B2DC-D8C3B5486DCD}) (Version: 2.0.0.6512 - Fitbit Inc.)
Game Downloader (HKLM-x32\...\Game Downloader) (Version: 4.0 - Dev-Fire)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 52.0.2743.116 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.31.5 - Google Inc.) Hidden
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 20.19.15.4331 - Intel Corporation)
Itibiti RTC (HKLM-x32\...\{730E03E4-350E-48E5-9D3E-4329903D454D}) (Version: 0.0.1 - Itibiti Inc) Hidden
iTunes (HKLM\...\{E690A491-702F-4DEC-9977-C015D1DBB57C}) (Version: 12.3.1.23 - Apple Inc.)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft Office 365 - en-us (HKLM\...\O365HomePremRetail - en-us) (Version: 15.0.4841.1002 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Office 15 Click-to-Run Extensibility Component (HKLM-x32\...\{90150000-008C-0000-0000-0000000FF1CE}) (Version: 15.0.4841.1002 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (HKLM\...\{90150000-008F-0000-1000-0000000FF1CE}) (Version: 15.0.4841.1002 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (HKLM-x32\...\{90150000-008C-0409-0000-0000000FF1CE}) (Version: 15.0.4841.1002 - Microsoft Corporation) Hidden

========================= Devices: ================================

========================= Memory info: ===================================
Percentage of memory in use: 48%
Total physical RAM: 4001.05 MB
Available physical RAM: 2047.13 MB
Total Virtual: 6433.05 MB
Available Virtual: 4396.59 MB

========================= Partitions: =====================================
1 Drive c: (Windows) (Fixed) (Total:111.89 GB) (Free:83.08 GB) NTFS

========================= Users: ========================================
User accounts for \\FANTASMIC
Administrator            DefaultAccount           Emily                   
Guest                   

========================= Restore Points ==================================

**** End of log ****



#8 CRodgers (Topic Starter)

Posted 15 August 2016 - 12:42 AM

FYI, when running inetcpl.cpl I noticed that the home page was set to a .ru site.  I changed that to www.google.com.  Ran Malwarebytes Anti-Malware and it found more registry entries of PUPs, as well as pointing out that etc/hosts had 5 redirects of home in it.  I let MBAM clean that up, then proceeded with the rest of boopme's commands (no proxy was set, rebooted).

 

Then I ran the 3 tools pagunio listed and pasted results here.



#9 DefaultGateway

Posted 15 August 2016 - 02:59 AM

Quote: My daughter's surface pro (win 10) would not go to the internet.

 

Do you mean that you can't go to the Internet because your Chrome Shortcut isn't working?

Or do you mean that you can't connect to the Internet itself?



#10 CRodgers (Topic Starter)

Posted 15 August 2016 - 05:26 AM

Initially it could not go to the internet; MBAM fixed many things.  I was left with bad shortcuts.  The computer now goes to the internet.  The question is how to ensure that I am malware- and virus-free, as well as how to recreate the shortcut.



#11 DefaultGateway

Posted 15 August 2016 - 06:20 AM

I don't have Google Chrome installed now.

But you can find it at C:\Program Files OR C:\Program Files (x86)

 

If you can't find Google Chrome in one of them, then maybe, there is a Folder called "Google" in one of them.

Try looking in that Folder and see if Google Chrome is in there.

 

Then Right-Click on the .EXE File of Google Chrome and select the option to Copy, and then Paste on the Desktop.

Or just select Copy To and then Desktop (Shortcut)
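A script for the two shortcut questions in this thread: post #1 describes a browser shortcut whose target had been swapped for a .bat file that the scanner then removed, and post #11 above suggests making a new shortcut by hand. The audit half looks for the hijack patterns adware uses on .lnk files (a non-exe target, a URL or script appended to the arguments, a target that no longer exists); the -Rebuild half writes a fresh Desktop shortcut that points at the installed chrome.exe after checking its Authenticode signature. This is an added example, not code from the posts or from BleepingComputer; the Chrome install paths and the Quick Launch pin folder are the usual defaults and are assumed.

```powershell
# Added example for this thread (not from the posts or from BleepingComputer).
# Audits the .lnk files a user clicks to reach a browser for the hijack patterns
# adware uses (target swapped for a script, URL appended to the arguments,
# target missing after a cleanup), then with -Rebuild writes a fresh Chrome
# shortcut to the Desktop that points at the installed, signed chrome.exe.
# Install paths and the Quick Launch pin folder are the usual defaults (assumed).
param([switch]$Rebuild)

$wsh = New-Object -ComObject WScript.Shell
$folders = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"   # taskbar pins live below here
)

Get-ChildItem -Path $folders -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk       = $wsh.CreateShortcut($_.FullName)
    $target    = $lnk.TargetPath
    $arguments = $lnk.Arguments
    $findings  = @()

    if (-not $target) {
        $findings += 'no file target (shell object or advertised shortcut); review manually'
    } elseif (-not (Test-Path -LiteralPath $target)) {
        $findings += 'target missing (removed by a scanner?)'
    } elseif ($target -notmatch '\.exe$') {
        $findings += "non-exe target: $target"           # the .bat case from the first post
    } elseif ((Get-AuthenticodeSignature -FilePath $target).Status -ne 'Valid') {
        $findings += 'target not validly signed; confirm it is the real program'
    }
    if ($arguments -match 'https?://|\.(bat|cmd|vbs|js|hta)\b') {
        $findings += "suspicious arguments: $arguments"   # a URL here forces a start page on every launch
    }

    if ($findings) {
        [pscustomobject]@{ Shortcut = $_.FullName; Target = $target; Finding = ($findings -join '; ') }
    }
}

if ($Rebuild) {
    $chrome = @(
        "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"
    ) | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $chrome) { throw 'chrome.exe not found in the expected locations' }

    $sig = Get-AuthenticodeSignature -FilePath $chrome
    if ($sig.Status -ne 'Valid') { throw "refusing to link to chrome.exe: signature status $($sig.Status)" }

    $new = $wsh.CreateShortcut((Join-Path ([Environment]::GetFolderPath('Desktop')) 'Google Chrome.lnk'))
    $new.TargetPath       = $chrome
    $new.Arguments        = ''                    # no injected start page, no extra switches
    $new.WorkingDirectory = Split-Path -Path $chrome
    $new.IconLocation     = "$chrome,0"
    $new.Save()
    "Created $($new.FullName) -> $chrome (signer: $($sig.SignerCertificate.Subject))"
}
```

Running the audit before the rebuild matters: if a shortcut still carries a URL in its arguments, or points at a script, that is evidence of what the infection changed, and it is worth checking the same locations for the other browsers on the machine, since adware typically rewrites every browser shortcut it finds, not just Chrome's.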



#12 boopme (Global Moderator)

Posted 15 August 2016 - 06:15 PM

Run the ESET online scanner again

#13 CRodgers (Topic Starter)

Posted 15 August 2016 - 09:49 PM

Sorry - I did not see the FRST edits until now.

 

Not sure what the ESET online scanner is... scrolled up, not sure what that is...

 

Wait, I see it in the list of installed programs.  not sure what it is from, sounds familiar... maybe an old version from working on this laptop a while ago...  I will give it a whirl...


Edited by CRodgers, 15 August 2016 - 10:53 PM.


#14 boopme (Global Moderator)

Posted 16 August 2016 - 07:11 PM

Yes
I saw it there..

ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.

Edited by boopme, 16 August 2016 - 07:12 PM.


#15 CRodgers (Topic Starter)

Posted 16 August 2016 - 09:54 PM

C:\Users\Emily\AppData\Local\Temp\vk_ok_adblock.exe a variant of Win32/Adware.Neoreklami.A application cleaned by deleting
C:\Users\Emily\Downloads\adobe_flash_player.exe.iso a variant of Win32/IStartSurf.BE potentially unwanted application deleted
C:\Users\Emily\Downloads\The_Glass_Castle_Audiobook (1).iso a variant of Win32/Kryptik.FCGF trojan deleted
C:\Users\Emily\Downloads\The_Glass_Castle_Audiobook.iso a variant of Win32/Kryptik.FCGF trojan deleted





