BLTurntable

Everything posted by BLTurntable

  1. Hello, I recently had a problem where some kind of malware would bring up the command line randomly and bring me to the desktop for a second. I downloaded Malwarebytes and ran a scan. This is the scan report. I had Malwarebytes quarantine all of the things that it found, but I was wondering if there are any other steps that I need to take to secure my computer. Also, how serious were these threats? Thank you
  2. I haven't had any notifications from Malwarebytes about it blocking something or anything like that. So if those logs I linked in my last reply show that it's clean then I think it's back to normal. Thank you for your help sir. You the real MVP.
  3. I ran the fix, restarted, and then ran a new scan just to be sure. Here are all of the logs. Are we good haha? Fixlog_02-03-2016_15-21-02.txt FRST_02-03-2016_15-26-54.txt Addition_02-03-2016_15-26-54.txt
  4. Here are both, thanks again. Addition_02-03-2016_11-50-55.txt FRST_02-03-2016_11-50-55.txt
  5. Also when Malwarebytes ran a scan when I booted today it found 2 things so I'm pretty sure it's still here. As I browse more, Malwarebytes notifies me that it blocks that same outbound with the domain mentioned above. I saved the FixList to C:\FRST. Is that the wrong place? Should it be in C:\FRST\logs?
  6. Chrome works fine. I ran another FRST scan because now every time I open Chrome, Malwarebytes notifies me that it blocked this outbound domain m77.dnsqa.me. Do I still have it? FRST_01-03-2016_18-34-15.txt
  7. The chrome not opening isn't really a concern for me. I'll just reinstall it but I can take a picture of the properties when I get home. My main concern is still if that fix log shows DNS Unlocker completely gone from my system?
  8. Maybe that is the wrong term. It won't open from the shortcut or the .exe in directory.
  9. Maybe that is the wrong term. It won't open from the shortcut or the .exe in directory.
  10. Again thank you for the help sir. It seems that after running the fix my google chrome.exe is broken. Here is the fixlog. Fixlog_29-02-2016_12-10-52.txt
  11. Hello there, TwinHeadedEagle. When I booted up my computer today I've noticed that nothing has come up as blocked by MalwareBytes so maybe I was just paranoid. Basically my question is if DNS Unlocker is actually out of my system or not. Here are the logs you requested. Thank you for your help. FRST_28-02-2016_16-58-54.txt FRST_28-02-2016_16-58-54.txt Addition_28-02-2016_16-58-54.txt
  12. Malware consistently blocks a malicious website from chrome - type: outbound - domain: m77dnsqa.me. The dns in that domain makes me think it is involved with DNS Unlocker.
  13. I've been struggling with DNS Unlocker all day. I didn't even download anything the last couple days so I was very confused when this thing showed up on my system because I'm really not sure how it even got there. I just booted up today and there were ads all over my Google Chrome and I was being redirected every click. Naturally I went through task manager and found it running. I went through all of the classic steps: I ended the task in manager, I uninstalled it in control panel, I looked through the registry and program files/data and deleted some stuff that I found, deleted all extensions on my Chrome browser, and I even learned that it can mess with actual DNS so I went in to the settings and everything was normal, but nothing worked. I downloaded Malwarebytes and ran it. It found a bunch more files and registries that I then deleted and I thought I was all good. I restarted my system and upon start-up Malwarebytes blocked an outbound from svchost.eve which was sort of alarming. So I ran Malwarebytes again and nothing showed up. Now when I'm browsing it will frequently notify me that it blocked something and some of the addresses I recognize from when I first got this virus. Do I still have DNS Unlocker? Is this just some lingering file from it? I'm just super paranoid because I just put this rig together like a month ago and I'm pretty worried about it. Thanks