
Hi, :welcome:
My name is Maurice. I will be helping and guiding you going forward on this case.
Let me know what first name you prefer to go by.

The Malwarebytes real-time web protection is keeping your PC safe from potential harm. The attempt to reach that site was stopped.

Please let me know what website your browser had been to when this last block event happened. I am curious as to where this was triggered.
 

Link to post

As to actions to take, please do these.

For Chrome, while Chrome is running:
Press & hold the SHIFT+CTRL+Del keys on the keyboard to get the menu for clearing browsing data:

Check mark the line "Browsing history"

Check mark the line "Download history"

Check mark the line "Cached images and files"
and press the Clear Data button (in blue).

[ 2 ]

I suggest you install the Malwarebytes Browser Guard for Chrome.

To get & install the Malwarebytes Browser Guard extension for Chrome, open this link in your Chrome browser:

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

Then proceed with the setup.

Let me know how things go after this.

Cheers.

Link to post

I have Malwarebytes Browser Guard installed already on all my browsers and I deleted all my history before I attempted to post here. As for which websites the popup occurs on, it is not really specific, because even google.com triggers the popup. Check the photo, please.

[Attached image: dakotram.thumb.jpg]

Link to post

Hi.

Just prior to the Chrome browser being on the Google page, what website had it been on?

And perhaps, had you been reading online email?

That is what I am still curious about.

The theory is that a site visited (right at the moment of the block) had an embedded link to "dakotaram".

In any event, the Malwarebytes Browser Guard does block "dakotaram".

Just to check out your system, I suggest this scan with the Malwarebytes AdwCleaner to check for adware.

Save, and then run Malwarebytes AdwCleaner.
Please close Chrome and all other open web browsers after you have saved AdwCleaner and before you start the AdwCleaner scan.
AdwCleaner detects factory preinstalled applications too!

Please download Malwarebytes AdwCleaner: https://downloads.malwarebytes.com/file/adwcleaner

Be sure to save the file first, to your system. Saving to the Downloads folder should be the default on your system.

Go to the folder where you saved AdwCleaner. Double-click AdwCleaner to start it.
At the prompt for the license agreement, review and then click on I agree.

You will then see a main screen for AdwCleaner. (If you do not see it right away, minimize the other open windows so you can see AdwCleaner.)
Then click on the Dashboard button.
Click the blue button "Scan Now".

Allow it a few minutes to finish the scan. Let it remove what it finds.
NOTE: When it comes to the section "Pre-installed applications", you can skip that.
Please find and send the AdwCleaner "C" clean report.
In AdwCleaner, click the "Reports" button. Look at the list of reports for the latest date & type "Clean".
Double-click that line & it will open in Notepad. Save the file to your system and then attach that with your reply.

That C clean report will be the one with the most recent date and time in the folder C:\AdwCleaner\Logs
Thanks. Keep me advised.
 

Link to post

Thanks for the report. I will ask you to run the FRST report tool to get me a 3-part report. And at your next reply also, let me know exactly from which "spot" or "link" it is that you start the Chrome browser? (Taskbar link? Desktop link? Other shortcut link?)

It sounds to me (possibly) like the PC has a compromised link with "extra" oomph that is referring to "dakotaram".

And I notice from the AdwCleaner log that the PC has installed "MapsGalaxy".

In this here, it is important that you save FRST64 to the Downloads folder.

I would like to have you run a report tool known as FRST. This has no personal information. It is well-known & widely used & safe.
FRST will help provide me with a list of installed programs and other information about your computer that will help me see if there are any other problems that are not being detected. Please follow the steps below to run FRST64.

1: Please download FRST64 from the link below and save it to your desktop:

"Download link for 64-Bit Version Windows"

Please wait and look toward the top or bottom of your browser for the option to Run or Save.
Click Save to save the file.

Run report with FRST64

Right-click on the FRST icon and select Run as Administrator to start the tool, and reply YES to allow it to proceed and run.

Windows 8 or 10 users will be prompted about Windows SmartScreen protection - click the line More info on that screen and click the button Run anyway on the next screen.
Click YES when prompted by the Windows UAC prompt to allow it to run.
Note: If you are prompted by Windows SmartScreen, click More info & follow up & choose Run anyway.

Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes.

Click Yes when the disclaimer appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Make sure that Addition options is checked - also check the box for Shortcut listed under Optional scan on the FRST screen
and click the box "90 day files".
Press the Scan button and wait.

The tool will produce three logfiles on your desktop: FRST.txt, Addition.txt, Shortcut.txt
Click the OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 3 files to your next reply. (Alternatively you could put all 3 in a ZIP file & then attach the ZIP.)

 

Edited by Maurice Naggar
Link to post

Thank you for the information and for the FRST reports. You said you start Chrome from the Windows Taskbar.

I need for you to visually look on the Taskbar, at the Chrome icon, and go methodically through what follows. Go slow / take your time.

Click the Windows-key on the keyboard to view the Taskbar. On the Chrome icon, use the mouse pointer and do 1 right-click, then

look at the line that says "Google Chrome" & then do a RIGHT-click on that & then click on Properties.

You should then see a small window like this:

[Attached image: CHR-task_prop.jpg]

Then look closely at the content of the TARGET line (all of it, especially at the end of the line).

It should not contain any characters after chrome.exe"

We are looking for the possibility of extra bits at the end that say dakotaram.com

You may click the box for Target & move to the far right side to look fully at the last bits.

If there are any extra entries following the chrome.exe"

then delete those.

The content of the line Target should only be

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"

So, if you make corrections, then you will need to click on the Apply button at the bottom & then on the OK button.

Please keep me advised.

Link to post
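
A read-only way to run the same Target check across every browser shortcut at once, as an added example that is not part of the original post or of any Malwarebytes tool. The folder list, the browser list and the URL pattern are assumptions.

```powershell
# Added example (not from the thread): read-only audit of browser shortcuts.
# Reports any .lnk whose target is a browser and whose Arguments field is not empty.

# Assumed default Windows locations for taskbar, Start Menu and desktop shortcuts.
$folders = @(
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    [Environment]::GetFolderPath('Desktop'),
    "$env:PUBLIC\Desktop"
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Assumed list of browser executables; extend it for other browsers.
$browsers = 'chrome.exe', 'msedge.exe', 'firefox.exe', 'iexplore.exe', 'opera.exe', 'brave.exe'

# Heuristic for a web address hidden in the arguments (assumption, not exhaustive).
$urlPattern = '(?i)(https?://|www\.|\.(com|net|org|info|biz|ru|xyz|top)\b)'

$shell = New-Object -ComObject WScript.Shell
$links = @()
if ($folders) {
    $links = Get-ChildItem -LiteralPath $folders -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue
}

$findings = foreach ($lnk in $links) {
    $sc  = $shell.CreateShortcut($lnk.FullName)             # opens the existing .lnk for reading
    $exe = [System.IO.Path]::GetFileName($sc.TargetPath)    # empty string when there is no target path
    if ($browsers -notcontains $exe) { continue }            # not a browser shortcut
    if ([string]::IsNullOrWhiteSpace($sc.Arguments)) { continue }   # nothing after the executable

    [pscustomobject]@{
        Shortcut  = $lnk.FullName
        Target    = $sc.TargetPath
        Arguments = $sc.Arguments
        Verdict   = if ($sc.Arguments -match $urlPattern) { 'URL appended - review' } else { 'Other arguments - check' }
    }
}

if ($findings) {
    # URL findings sort first; nothing is modified or deleted.
    $findings | Sort-Object Verdict -Descending | Format-List
} else {
    'No browser shortcut carries anything after the executable path.'
}
```

Not every argument is hostile: Chrome's own profile shortcuts carry `--profile-directory`, which is why the script separates URL findings from other arguments instead of treating both alike.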

OK. We just want to be sure that at the end of the lines, there is no mention of any sort of dakotaram.

Additionally, there is a way to start Chrome in "Incognito" mode that ought to bypass any potential "redirect bits".

Press & hold the Windows-key & tap the R key.

In the Run text box enter

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -incognito

 

Link to post

OK. The only issue that I have with Chrome is when Malwarebytes Browser Guard isn't running because either it was disabled by accident or the extension crashed and did not work again. So if any of these happen again then the popup will occur again and I will be aware of the issue. So at least I have this issue taken care of and if I want to use incognito mode I can. So for the logs I posted earlier, did you find anything suspicious?

Link to post

Hello. I did not see anything odd on the FRST reports, though we should do a search & some additional scans.

[ 1 ]

I would like you to do a special search.

There is the FRST64 tool in the Important scanners folder. We will use that to do a search.

Find & then start FRST64.
Type the following (better yet, use COPY then Paste) into the search box exactly as shown, then press the Search Files button:

SearchAll: dakotaram

Please wait while the program searches for all entries relating to this program. When done, a search.txt log will be saved to the desktop. Please attach this log to your next reply.

Thanks for your patience.

[ 2 ]

Do one new scan with Malwarebytes for Windows. Let me know the result of that run.

[ 3 ]

Please disconnect any USB or external drives from the computer before you run this scan!

Please download RogueKiller (x64) using the link below.
→ http://download.adlice.com/api?action=download&app=roguekiller&type=x64

 

  • Save the file first.
  • Close any running programs that you started on your own (if any).

Double-click RogueKillerx64.exe to run the program.

Follow the prompts. If a browser window opens, close the window.

In the HOME tab, click the Scan button.

Next, on the Quick scan pane, click on the Start button to proceed.

Upon completion, a browser window may open. Close this window.

Important: Please do not have RogueKiller remove any detected items.

Click the HISTORY tab followed by Scan Reports.

Double-click the scan log. Click Export TXT, enter a filename and save the file to your Desktop.

Please attach the file in your next reply.

Sincerely.

Link to post

One important thing I forgot to mention to you about the Malwarebytes scan. If you look at the scan results, every time I have the program scan my computer it finds and detects the same threats, no matter if I quarantine and delete the detection. Can you help me figure out how to get rid of the results? Here are the logs you requested.

malwarebytes.txt roguekiller.txt Search.txt

Link to post

Thanks for the reports. As to the Malwarebytes for Windows report finding the PUP related to Chrome Sync ... you first need to turn off the Sync option on Google.

[ 1 ]
Use the Chrome browser to go to https://www.google.com/settings/chrome/sync
and sign into your account.
Scroll down until you see the "reset sync" button and click on the button.
At the prompt click on "Ok".
[ 2 ]
Close Chrome.

Do one other new scan with Malwarebytes for Windows. Let me know the result of that run.

[ 3 ]

The FRST search found no results that mention 'dakotaram' on the machine system. Nothing in the Windows registry / no files that mention 'dakotaram'.

That tends to point again to the likelihood of bad adware while Chrome is connected online. Meaning a suspicion of a bad link from some online source while surfing or connected.

The RogueKiller tool reports no oddities of any sort.

I would suggest a free scan with the ESET Online Scanner
Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan

Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display.

You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".

Click the blue "Save scan log" to save the log.
If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at bottom).
Press Continue when all done. You should click to turn off the offer for "periodic scanning".
 
 

Link to post

I'd suggest you look anew at the web browser & ensure that the Browser Guard is on. It should stay on.

One other thing, let's get a report from Autoruns, so I can review the autostarts on this system.

Let's please try to get and run a special report tool from Microsoft.
It does not make changes. It will be just a report.

Please download Sysinternals Autoruns from here and save it to your desktop.

Note: you also need to do the following:

Right-click on Autoruns.exe and select Properties.
Click on the Compatibility tab.
Under Privilege Level check the box next to Run this program as an administrator.
Click on Apply then click OK.

Double-click Autoruns.exe to run it.
Once it starts, please press the Esc key on your keyboard.
Now that scanning is stopped, click on the Options button at the top of the program and select Filter Options...
In the Autoruns Filter Options dialogue, verify that the following are unchecked; if they are checked, uncheck them:

  • Include empty locations
  • Hide Microsoft entries
  • Hide Windows entries

Verify that the following are checked; if they are unchecked, check them:

  • Verify code signatures
  • Check VirusTotal.com

Once that's done press the F5 key on your keyboard. This will start the scan again; this time let it finish.
When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.

Right-click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder.
Attach the Autoruns.zip folder you just created to your next reply.

Thank you.
 

Link to post

Thanks for the Autoruns report.  I do not see anything there that needs action.

Let's do a special search.
We need to search for a few things with SystemLook. That is a search tool that we will use to look for any mentions of 'dakotaram'.
Please download SystemLook (64-bit) by jpshortstuff and save it to your desktop.

Right-click SystemLook_x64.exe and select Run as Administrator to start the tool.
If prompted by Windows UAC, please allow it to run.
If you receive an "Open file - security warning"... asking "Do you want to run this file?", press the Run button.
COPY & paste the entire text into the main text box of SystemLook:
  
 

:regfind

dakotaram

:filefind

dakotaram

:folderfind

dakotaram

Click the Look button to start the scan 
When finished, a notepad window will open with the results of the scan. 
A file will be created (in the same folder where you saved SystemLook) with the results of the scan, named SystemLook.txt
Please attach  this log in your next reply. 

 

I do not expect that it will find some thing but it is worth it to check.

Sincerely.

Link to post

Thank you for the log report. The only mentions are on the Firewall block rules to block IP 172.64.139.10

That's a very good thing to know. At this point, I would run this custom script just to ensure that the Windows Winsock is set to fresh normal settings. It will not take a lot of time.

The system will be rebooted after the script has run.

This custom script is for Alyoob only / for this machine only.

 
Close and save any open work files before starting this procedure. 

I am sending a custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE link AS and save it directly (as is) to the important scanners folder.

The tool named FRST64.exe is already in the important scanners sub-folder.
Start the Windows Explorer and then go to the important scanners folder.

RIGHT-click on FRST64 and select RUN as Administrator to run the tool, and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click the line More info on that screen
and click the button Run anyway on the next screen.

On the FRST window:
Click the Fix button just once, and wait.

[Attached image: frst-fix.jpg]

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

 

Fixlist.txt

Link to post

This topic is now closed to further replies.