Windows 10: Malware Trouble; Random Command Prompt, Pop-Ups in Chrome. Solved

  1.    2 Weeks Ago #11

    Hi.
    I've only read the MBAM scan log - I see you didn't enable ROOTKIT scanning...might want to do that (custom scan).

    I'm seeing a lot of adware and one may be syncing via a Chrome extension.
    Here are instructions to remove DNSUnlocker
    DNSUnlocker Ads Removal Guide

    You'll want to turn off browser syncing, clear all cache and cookies in all browsers and reset them all to default - even the browsers that you don't use. If they are on the system, they need to be reset.

    Cottonball is the FRST expert, so I will defer evaluating that log.

    EDIT:
    How to Reset Your Web Browser To Its Default Settings

    Microsoft Edge - Reset to Default in Windows 10

    Last edited by simrick; 2 Weeks Ago at 14:23. Reason: added reset links

  2.    2 Weeks Ago #12

    @simrick,

    Expert!! No way!! LOL!!


    AustFisch,

    Malwarebytes has identified a bundle of undesirable entries. Some of them are in Quarantine waiting to be deleted, and some of them will be Deleted on Reboot, or Replaced on Reboot.

    The FRST reports have a few items on them, and Installed Programs is showing µTorrent.
    This does not mean uTorrent itself is infected, but, although Peer-to-Peer (P2P) programs, of themselves, are not malicious, the chance of downloading a malicious file is like playing Russian roulette. For all we know, this is how adware, and whatever else, gained access to your system!

    It is your choice to keep or remove the program, but, be aware it has consequences.



    At this point, IMO, taking action with Malwarebytes is the best route to go. As simrick suggested, re-run MBAM, and select the enable RootKit scanning option under Custom Scan.

    If the new scan does not identify any RootKits, delete the entries identified, restart your computer to complete the malware-removal process, and attach the new report.

    If a RootKit is identified, then, do not delete anything, and just attach the results for our review.

    I do not think a RootKit is in play here, but, might as well be safe rather than sorry.

    Although we are giving priority to the already used MBAM, after doing so, following up with the DNSUnlocker Ads Removal Guide provided in Post 11, and the additional suggestions provided by simrick, is an excellent course of action.

  3.    2 Weeks Ago #13

    cottonball said:
    @simrick,

    Expert!! No way!! LOL!!


    AustFisch,

    Malwarebytes has identified a bundle of undesirable entries. Some of them are in Quarantine waiting to be deleted, and some of them will be Deleted on Reboot, or Replaced on Reboot.

    The FRST reports have a few items on them, and Installed Programs is showing µTorrent.
    This does not mean uTorrent itself is infected, but, although Peer-to-Peer (P2P) programs, of themselves, are not malicious, the chance of downloading a malicious file is like playing Russian roulette. For all we know, this is how adware, and whatever else, gained access to your system!

    It is your choice to keep or remove the program, but, be aware it has consequences.



    At this point, IMO, taking action with Malwarebytes is the best route to go. As simrick suggested, re-run MBAM, and select the enable RootKit scanning option under Custom Scan.

    If the new scan does not identify any RootKits, delete the entries identified, restart your computer to complete the malware-removal process, and attach the new report.

    If a RootKit is identified, then, do not delete anything, and just attach the results for our review.

    I do not think a RootKit is in play here, but, might as well be safe rather than sorry.

    Although we are giving priority to the already used MBAM, after doing so, following up with the DNSUnlocker Ads Removal Guide provided in Post 11, and the additional suggestions provided by simrick, is an excellent course of action.
    Hey guys,

    I've finally gotten malware to finish scanning. Here's what it found (no rootkits):
    malware2.txt

    I've removed and restarted what it found; what's the next step?

  4.    2 Weeks Ago #14

    Ahh! I am confused now :P

  5.    2 Weeks Ago #15

    AustFisch,

    Would proceed by removing the 2 files in Quarantine in MBAM, and then following the instructions provided by simrick on Post 11.

  6.    2 Weeks Ago #16

    cottonball said:
    AustFisch,

    Would proceed by removing the 2 files in Quarantine in MBAM, and then following the instructions provided by simrick on Post 11.
    Hey guys,

    So I've finally followed the instructions (DNSUnlocker Ads Removal Guide) of you and simrick by removing what was found in MBAM, and continuing on. I've attached the result logs.

    In the post, however, step 24 was a bit confusing as I was unsure what were necessary certificate authorities.

    I also have not run the Secunia PSI scan yet.

    So far so good though, no pop ups or command prompt runs in a while!

    malware3.txt --> Malware results log
    hitman_results.log --> Hitman results log
    Rkill.txt --> Rkill results

    EDIT: and just to clarify, I did not find what step 24 was asking for (www.cloudguard.me) in my certificate authorities.

  7.    2 Weeks Ago #17

    AustFisch,

    Great job!!

    Not finding the www.cloudguard.me certificate installed by DNSUnlocker is a good sign.

    The results of RKill show some missing services, etc., and it has been reported as an RKill bug. No worries there also.

    Malwarebytes is fine, and HitmanPro deleted some files and identified a bundle of cookies.

    Please press on with simrick's advice on Post 11, to turn off browser syncing and clear all cache and cookies in all browsers and reset them to default.

    When done, give us a final update on whether you are having Malware problems, getting any random Command Prompt, or getting any more Pop-Ups.

  8.    2 Weeks Ago #18

    AustFisch said:
    Hey guys,

    So I've finally followed the instructions (DNSUnlocker Ads Removal Guide) of you and simrick by removing what was found in MBAM, and continuing on. I've attached the result logs.

    In the post, however, step 24 was a bit confusing as I was unsure what were necessary certificate authorities.

    I also have not run the Secunia PSI scan yet.

    So far so good though, no pop ups or command prompt runs in a while!

    malware3.txt --> Malware results log
    hitman_results.log --> Hitman results log
    Rkill.txt --> Rkill results

    EDIT: and just to clarify, I did not find what step 24 was asking for (www.cloudguard.me) in my certificate authorities.
    Just a mention here - the 2 hits in MBAM were quarantined by ADWCleaner already.
    MBAM logs look good; HMP log looks good; RKILL log makes me think we might want to run a system file check to fix some bad images in your OS.
    Please open an admin command prompt and enter
    Code:
    sfc /scannow
    Notice the space preceding the forward slash.

    We're looking for the result "No integrity violations found". If it's anything other than that, please reboot, run it again, rinse and repeat. If you still have no luck with the scan results, please grab a log so we can have a look at the problem(s) in detail:

    Open an admin command prompt and type:
    Code:
    findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log >"%userprofile%\Desktop\sfcdetails.txt"
    This will place a text file on your desktop called sfcdetails.txt. (Note: If you have relocated your user files, you may have to manually find this file.) Please upload the file and PM me when that is completed, as I am not around at present.

    For the step 24 (certificates):
    Sounds to me like that cert will be found on your system since that's the infection we identified. I'd like you to please verify that cert is not found:

    Type certmgr in the search box and click on Manage Computer Certificates.

    [screenshot: image.png]


    Expand Trusted Root Certification to show the sub-folder Certificates.
    In the right pane, scroll all the way down - www.cloudguard... should be at the very bottom (it's alphabetical).

    Note: If you are not sure how to reset ALL browsers on the system, or how to turn off browser syncing, please ask and we'll be happy to provide instructions.

    Please be sure to flush your DNS after clearing cache, resetting, etc.: at an admin command prompt:
    Code:
    ipconfig /flushdns
    Open your NICs' properties one at a time, and make sure your DNS is set to dynamic, or use OpenDNS DNS servers:
    Control Panel>Network and Sharing Center>Change Adapter Settings
    right-click on each NIC (Network Adapter), select Properties, highlight IPv4, select Properties to verify/change:

    [screenshot: image.png]

    It's my understanding that DNSUnlocker may have modified these settings.


    Also, please be careful as to what extensions you add to your browsers, as it appeared one of them was a problem.

    Cheers!
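    Added example, not written by anyone in the thread: a read-only PowerShell script that performs the three checks simrick asks for above (rogue root certificate, per-adapter DNS servers, and the [SR] lines from CBS.log) from one elevated prompt. The name cloudguard.me comes from the thread; the function names, the output file name and the noise-line filter are assumptions.

```powershell
# Added example, not part of the thread: read-only PowerShell equivalents of the
# manual checks in the post above. Run from an elevated PowerShell prompt on Windows 10.
$suspectName = 'cloudguard.me'          # rogue root CA name taken from the thread
$cbsLog      = "$env:windir\Logs\CBS\CBS.log"

# 1. Search both Trusted Root stores (machine and current user) for the rogue CA.
function Find-SuspectRootCert {
    param([string]$Name)
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store | Where-Object {
            $_.Subject -match [regex]::Escape($Name) -or
            ($_.DnsNameList | Where-Object { $_.Unicode -match [regex]::Escape($Name) })
        } | Select-Object @{n='Store';e={$store}}, Subject, Thumbprint, NotAfter
    }
}

# 2. List each connected IPv4 adapter's DNS servers and whether its address is DHCP-assigned,
#    so an unexpected resolver (the DNSUnlocker symptom) stands out.
function Get-AdapterDnsSummary {
    Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | ForEach-Object {
        $dns = (Get-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex `
                    -AddressFamily IPv4).ServerAddresses
        [pscustomobject]@{
            Adapter     = $_.InterfaceAlias
            AddressDhcp = ($_.Dhcp -eq 'Enabled')
            DnsServers  = ($dns -join ', ')
        }
    }
}

# 3. Same idea as the findstr command in the post, but drop the routine progress lines
#    (assumed patterns) so only repair-related [SR] entries remain.
function Get-SfcProblemLines {
    param([string]$Path)
    Select-String -Path $Path -Pattern '\[SR\]' |
        Where-Object { $_.Line -notmatch 'Verifying \d+ components|Verify complete|Beginning Verify' } |
        ForEach-Object { $_.Line }
}

$certs = Find-SuspectRootCert -Name $suspectName
if ($certs) { $certs | Format-List } else { "No Trusted Root certificate matching '$suspectName'." }
Get-AdapterDnsSummary | Format-Table -AutoSize
Get-SfcProblemLines -Path $cbsLog | Set-Content "$env:USERPROFILE\Desktop\sfcdetails.txt"
```

    The script only reads the certificate stores, adapter settings and CBS.log; removing a certificate or changing DNS servers is still done by hand as described in the post.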

  9.    2 Weeks Ago #19

    simrick said:
    Just a mention here - the 2 hits in MBAM were quarantined by ADWCleaner already.
    MBAM logs look good; HMP log looks good; RKILL log makes me think we might want to run a system file check to fix some bad images in your OS.
    Please open an admin command prompt and enter
    Code:
    sfc /scannow
    Notice the space preceding the forward slash.

    We're looking for the result "No integrity violations found". If it's anything other than that, please reboot, run it again, rinse and repeat. If you still have no luck with the scan results, please grab a log so we can have a look at the problem(s) in detail:

    Open an admin command prompt and type:
    Code:
    findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log >"%userprofile%\Desktop\sfcdetails.txt"
    This will place a text file on your desktop called sfcdetails.txt. (Note: If you have relocated your user files, you may have to manually find this file.) Please upload the file and PM me when that is completed, as I am not around at present.

    For the step 24 (certificates):
    Sounds to me like that cert will be found on your system since that's the infection we identified. I'd like you to please verify that cert is not found:

    Type certmgr in the search box and click on Manage Computer Certificates.

    [screenshot: image.png]


    Expand Trusted Root Certification to show the sub-folder Certificates.
    In the right pane, scroll all the way down - www.cloudguard... should be at the very bottom (it's alphabetical).

    Note: If you are not sure how to reset ALL browsers on the system, or how to turn off browser syncing, please ask and we'll be happy to provide instructions.

    Please be sure to flush your DNS after clearing cache, resetting, etc.: at an admin command prompt:
    Code:
    ipconfig /flushdns
    Open your NICs' properties one at a time, and make sure your DNS is set to dynamic, or use OpenDNS DNS servers:
    Control Panel>Network and Sharing Center>Change Adapter Settings
    right-click on each NIC (Network Adapter), select Properties, highlight IPv4, select Properties to verify/change:

    [screenshot: image.png]

    It's my understanding that DNSUnlocker may have modified these settings.


    Also, please be careful as to what extensions you add to your browsers, as it appeared one of them was a problem.

    Cheers!
    Simrick, I've done the command prompts; nothing found on one and the other still showed no cloudguard.

    I've already reset my browsers and network settings as suggested.

    Seems everything is running smoothly over here, thank you and cottonball for all of the help!!!!

  10.    2 Weeks Ago #20

    AustFisch,

    Glad you got rid of your problems!

    Please mark the thread as solved.

    Good luck, and happy browsing!!

