Malware Trouble; Random Command Prompt, Pop-Ups in Chrome.


  1. Posts : 16,325
    W10Prox64
       #11

    Hi.
    I've only read the MBAM scan log - I see you didn't enable ROOTKIT scanning...might want to do that (custom scan).

    I'm seeing a lot of adware and one may be syncing via a Chrome extension.
    Here are instructions to remove DNSUnlocker
    DNSUnlocker Ads Removal Guide

    You'll want to turn off browser syncing, clear all cache and cookies in all browsers and reset them all to default - even the browsers that you don't use. If they are on the system, they need to be reset.

    Cottonball is the FRST expert, so I will defer evaluating that log.

    EDIT:
    How to Reset Your Web Browser To Its Default Settings

    Microsoft Edge - Reset to Default in Windows 10

    Last edited by simrick; 05 Feb 2017 at 14:23. Reason: added reset links


  2. Posts : 579
    Windows 10 Home
       #12

    @simrick,

    Expert!! No way!! LOL!!


    AustFisch,

    Malwarebytes has identified a bundle of undesirable entries. Some of them are in Quarantine waiting to be deleted, and some of them will be Deleted on Reboot, or Replaced on Reboot.

    The FRST reports have a few items on them, and Installed Programs is showing µTorrent.
    This does not mean uTorrent itself is infected, but, although Peer-to-Peer (P2P) programs, of themselves, are not malicious, the chance of downloading a malicious file is like playing Russian roulette. For all we know, this is how adware, and whatever other stuff, gained access to your system!

    It is your choice to keep or remove the program, but, be aware it has consequences.



    At this point, IMO, taking action with Malwarebytes is the best route to go. As simrick suggested, re-run MBAM, and select the enable RootKit scanning option under Custom Scan.

    If the new scan does not identify any RootKits, delete the entries identified, restart your computer to complete the malware-removal process, and attach the new report.

    If a RootKit is identified, then, do not delete anything, and just attach the results for our review.

    I do not think a RootKit is in play here, but, might as well be safe rather than sorry.

    Although we are giving priority to the already used MBAM, after doing so, following up with the DNSUnlocker Ads Removal Guide provided in Post 11, and the additional suggestions provided by simrick, is an excellent course of action.


  3. Posts : 9
    Windows
    Thread Starter
       #13

    Hey guys,

    I've finally gotten malware to finish scanning. Here's what it found (no rootkits):
    malware2.txt

    I've removed and restarted what it found; what's the next step?


  4. Posts : 579
    Windows 10 Home
       #14

    AustFisch,

    Would proceed by removing the 2 files in Quarantine in MBAM, and then following the instructions provided by simrick on Post 11.


  5. Posts : 9
    Windows
    Thread Starter
       #15

    Hey guys,

    So I've finally followed the instructions (DNSUnlocker Ads Removal Guide) of you and simrick by removing what was found in MBAM, and continuing on. I've attached the result logs.

    In the post, however, step 24 was a bit confusing as I was unsure what were necessary certificate authorities.

    I also have not run the Secunia PSI scan yet.

    So far so good though, no pop ups or command prompt runs in a while!

    malware3.txt --> Malware results log
    Attachment 120452 --> Hitman results log
    Rkill.txt --> Rkill results

    EDIT: and just to clarify, I did not find what step 24 was asking for (www.cloudguard.me) in my certificate authorities.


  6. Posts : 579
    Windows 10 Home
       #16

    AustFisch,

    Great job!!

    Not finding the www.cloudguard.me certificate installed by DNSUnlocker is a good sign.

    The results of RKill show some missing services, etc., and it has been reported as an RKill bug. No worries there also.

    Malwarebytes is fine, and HitmanPro deleted some files and identified a bundle of cookies.

    Please press on with simrick's advice on Post 11, to turn off browser syncing and clear all cache and cookies in all browsers and reset them to default.

    When done, give us a final update on whether you are having Malware problems, getting any random Command Prompt, or getting any more Pop-Ups.


  7. Posts : 16,325
    W10Prox64
       #17

    Just a mention here - the 2 hits in MBAM were quarantined by ADWCleaner already.
    MBAM logs look good; HMP log looks good; RKill log makes me think we might want to run a system file check to fix some bad images in your OS.
    Please open an admin command prompt and enter
    Code:
    sfc /scannow
    Notice the space preceding the forward slash.

    We're looking for the result "No integrity violations found". If it's anything other than that, please reboot, run it again, rinse and repeat. If you still have no luck with the scan results, please grab a log so we can have a look at the problem(s) in detail:

    Open an admin command prompt and type:
    Code:
    findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log >"%userprofile%\Desktop\sfcdetails.txt"
    This will place a text file on your desktop called sfcdetails.txt. (Note: If you have relocated your user files, you may have to manually find this file.) Please upload the file and PM me when that is completed, as I am not around at present.

    For the step 24 (certificates):
    Sounds to me like that cert will be found on your system since that's the infection we identified. I'd like you to please verify that cert is not found:

    Type certmgr in the search box and click on Manage Computer Certificates.

    [screenshot: Manage Computer Certificates search result]


    Expand Trusted Root Certification to show the sub-folder Certificates.
    In the right pane, scroll all the way down - www.cloudguard... should be at the very bottom (it's alphabetical).

    Note: If you are not sure how to reset ALL browsers on the system, or how to turn off browser syncing, please ask and we'll be happy to provide instructions.

    Please be sure to flush your DNS after clearing cache, resetting, etc.: at an admin command prompt:
    Code:
    ipconfig /flushdns
    Open your NICs' properties one at a time, and make sure your DNS is set to dynamic, or use OpenDNS DNS servers:
    Control Panel>Network and Sharing Center>Change Adapter Settings
    right-click on each NIC (Network Adapter), select Properties, highlight IPv4, select Properties to verify/change:

    [screenshot: IPv4 Properties dialog showing DNS server settings]

    It's my understanding that DNSUnlocker may have modified these settings.


    Also, please be careful as to what extensions you add to your browsers, as it appeared one of them was a problem.

    Cheers!
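    Added example, not from the thread or its participants: a PowerShell script that performs the three checks simrick asks for above in one pass (the www.cloudguard.me root certificate, the DNS servers on each adapter, and the [SR] lines in CBS.log). It assumes an elevated PowerShell prompt on Windows 10; the cmdlets are standard Windows ones, while the output file name and the "Cannot repair" filter are my own choices.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.

# 1. Look for the DNSUnlocker root certificate (www.cloudguard.me) in the
#    machine-wide Trusted Root store. An empty result is the "good sign"
#    cottonball mentions; a hit means the cleanup is not finished.
$suspect = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -match 'cloudguard' -or $_.Issuer -match 'cloudguard' }
if ($suspect) {
    Write-Output 'Suspect root certificate(s) still installed:'
    $suspect | Format-List Subject, Issuer, Thumbprint, NotAfter
} else {
    Write-Output 'No cloudguard certificate found in LocalMachine\Root.'
}

# 2. List the IPv4 DNS servers on every interface. Expect an empty list
#    (DHCP-assigned) or resolvers you chose yourself, e.g. OpenDNS; anything
#    else deserves a look, since the thread notes DNSUnlocker rewrites this.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses |
    Format-Table -AutoSize

# 3. Same data as the findstr command above, narrowed to the [SR] lines that
#    report a file SFC could not fix. Desktop is resolved via the shell
#    folder API so relocated user profiles are handled (assumption: the
#    "Cannot repair" / "Could not reproject" wording matches your CBS.log).
$cbs = Join-Path $env:windir 'Logs\CBS\CBS.log'
$out = Join-Path ([Environment]::GetFolderPath('Desktop')) 'sfc_unrepaired.txt'
Select-String -Path $cbs -Pattern '\[SR\]' |
    Where-Object { $_.Line -match 'Cannot repair|Could not reproject' } |
    ForEach-Object { $_.Line } |
    Set-Content -Path $out
Write-Output "Unrepaired-file lines written to $out"
```

    An empty sfc_unrepaired.txt alongside "No integrity violations found" from sfc /scannow means there is nothing left for the CBS log to explain.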


  8. Posts : 9
    Windows
    Thread Starter
       #18

    Simrick, I've done the command prompts; nothing found on one and the other still showed no cloudguard.

    I've already reset my browsers and network settings as suggested.

    Seems everything is running smoothly over here, thank you and cottonball for all of the help!!!!


  9. Posts : 579
    Windows 10 Home
       #19

    AustFisch,

    Glad you got rid of your problems!

    Please mark the thread as solved.

    Good luck, and happy browsing!!


  10. Posts : 9
    Windows
    Thread Starter
       #20

    Thanks again guys, great work

