Kush2692 Posted September 17, 2020 ID:1408218 Share Posted September 17, 2020 Hello guys, I am very well aware that this issue (Attached) has been addressed here few times. However I have never seen the Original thread starter to reply saying the issue was resolved so I am creating this topic because I will reply if it gets fixed. I keep on getting Malwarebytes pop up when I open new tab or new chrome window that domain "dakotaram" is blocked. I don't know what is happening and instead of just blocking the domain or putting it in the exclusion shouldn't be the only way of fixing it. I am looking for the team's assistance in a permanent fix. Link to post Share on other sites More sharing options...
kevinf80 Posted September 17, 2020 ID:1408233 Share Posted September 17, 2020 Hello Kush2692 and welcome to Malwarebytes, Use the following instructions and see if the issue is cleared.... https://forums.malwarebytes.com/topic/258886-chrome-secure-preferences-detection-always-returns/ Thank you, Kevin... Link to post Share on other sites More sharing options...
Kush2692 Posted September 18, 2020 Author ID:1408286 Share Posted September 18, 2020 Hey Kevin, I have tried that few times but the issue still persists. Link to post Share on other sites More sharing options...
kevinf80 Posted September 18, 2020 ID:1408342 Share Posted September 18, 2020 Hello Kush2692, Try running Chrome "incognito" that is all addons and extensions disabled, does the issue clear in that mode..? If the problem persists in that mode put Chrome back to normal mode, then do the following: Please download Zemana AntiMalware and save it to your Desktop. Install the program and once the installation is complete it will start automatically. Without changing any options, press Scan to begin. After the short scan is finished, if threats are detected press Next to remove them. Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually. Open Zemana again then do the following to get the latest report Open Reports > select the report in question to highlight > select "Ctrl - A" keys together to highlight full report message > then "Ctrl - C" keys to copy to clipboard > then open notepad and select paste to copy the report there, then attach to reply.... Next, Download Farbar Recovery Scan Tool and save it to your desktop. Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.htmlNote: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way... Be aware FRST must be run from an account with Administrator status... Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.) Make sure Addition.txt is checkmarked under "Optional scans" Press Scan button to run the tool.... It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The tool will also make a log named (Addition.txt) Please attach that log to your reply. Let me see those logs inyour reply.. Thank you, Kevin.. Link to post Share on other sites More sharing options...
kevinf80 Posted September 21, 2020 ID:1408829 Share Posted September 21, 2020 Any progress...? Link to post Share on other sites More sharing options...
Kush2692 Posted September 21, 2020 Author ID:1408833 Share Posted September 21, 2020 Sorry for late reply. I will run this right now and let you know soon. Thanks, I appreciate it. Link to post Share on other sites More sharing options...
Kush2692 Posted September 22, 2020 Author ID:1408878 Share Posted September 22, 2020 Here are the reports as requested. I also scanned with Malwarebytes (Full scan) and nothing was found. Addition.txtZemana report.txt FRST.txt Link to post Share on other sites More sharing options...
kevinf80 Posted September 22, 2020 ID:1408900 Share Posted September 22, 2020 Hiya Kush2692, Thanks for those logs, continue: Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from. NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone. Run FRST or FRST64 and press the Fix button just once and wait. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply. Note: If the tool warned you about an outdated version please download and run the updated version. NOTE-1: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The following directories are emptied: Windows Temp Users Temp folders Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History Recently opened files cache Flash Player cache Java cache Steam HTML cache Explorer thumbnail and icon cache BITS transfer queue (qmgr*.dat files) Recycle Bin Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix. The system will be rebooted after the fix has run. Next, Open Malwarebytes, select > "settings" > "protection tab" Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on.... Go back to "DashBoard" select the Blue "Scan Now" tab...... When the scan completes quarantine any found entries... To get the log from Malwarebytes do the following: Click on the Detection History tab > from main interface. Then click on "History" that will open to a historical list Double click on the Scan log which shows the Date and time of the scan just performed. Click Export > From export you have two options: > From export you have two options: Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply… Next, Download AdwCleaner by Malwarebytes onto your Desktop. Or from this Mirror Right-click on AdwCleaner.exe and select http://i.imgur.com/Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)Accept the EULA (I accept), then click on ScanLet the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processesOnce the cleaning process is complete, AdwCleaner will ask to restart your computer, do itAfter the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply Next, Download "Microsoft's Safety Scanner" and save direct to the desktop Ensure to get the correct version for your system.... https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download Right click on the Tool, select Run as Administrator the tool will expand to the options Window In the "Scan Type" window, select Quick Scan Perform a scan and Click Finish when the scan is done. Retrieve the MSRT log as follows, and post it in your next reply: 1) Select the Windows key and R key together to open the "Run" function 2) Type or Copy/Paste the following command to the "Run Line" and Press Enter: notepad c:\windows\debug\msert.log The log will include log details for each time MSRT has run, we only need the most recent log by date and time.... Let me see those logs in your reply... Thank you, Kevin.... fixlist.txt Link to post Share on other sites More sharing options...
Kush2692 Posted September 23, 2020 Author ID:1409072 Share Posted September 23, 2020 Hi, so far i got the FRT done and malwarebytes Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 9/22/20 Scan Time: 11:36 AM Log File: 7027cd2c-fce9-11ea-834d-28c671a75a98.json -Software Information- Version: 4.2.1.89 Components Version: 1.0.1045 Update Package Version: 1.0.30252 License: Premium -System Information- OS: Windows 10 (Build 19041.508) CPU: x64 File System: NTFS User: TRADEGOD\Kushal Patel -Scan Summary- Scan Type: Custom Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 926276 Threats Detected: 4 Threats Quarantined: 4 Time Elapsed: 3 hr, 21 min, 45 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 3 RiskWare.Cscript.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\{AA376AAD-40CD-42EE-8DD3-EDCE2DBCEC5D}, Quarantined, 15230, 857305, , , , , , RiskWare.Cscript.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{3A43BF45-4481-4A75-9849-51D472CF9E5C}, Quarantined, 15230, 857305, , , , , , RiskWare.Cscript.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{3A43BF45-4481-4A75-9849-51D472CF9E5C}, Quarantined, 15230, 857305, , , , , , Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 1 RiskWare.Cscript.Generic, C:\WINDOWS\SYSTEM32\TASKS\{AA376AAD-40CD-42EE-8DD3-EDCE2DBCEC5D}, Quarantined, 15230, 857305, 1.0.30252, , ame, , 24DC88454D0A51AC8DE17022925B0648, B8216F2B83E78BA97CCE9EE408086B681A4A4733CCD4E281330BD659D436C178 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) ===================== I also received one popup, idk how of some website getting blocked, I wasn't on any website, I was in work VM. Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 9/22/20 Protection Event Time: 12:00 PM Log File: b027b45c-fcec-11ea-990c-28c671a75a98.json -Software Information- Version: 4.2.1.89 Components Version: 1.0.1045 Update Package Version: 1.0.30252 License: Premium -System Information- OS: Windows 10 (Build 19041.508) CPU: x64 File System: NTFS User: System -Blocked Website Details- Malicious Website: 1 , C:\Windows\System32\cscript.exe, Blocked, -1, -1, 0.0.0, , -Website Data- Category: Trojan Domain: backup.justthebooks.com IP Address: 192.254.234.95 Port: 80 Type: Outbound File: C:\Windows\System32\cscript.exe (end) Fixlog.txt Link to post Share on other sites More sharing options...
Kush2692 Posted September 23, 2020 Author ID:1409074 Share Posted September 23, 2020 content of ADWCleaner Log # ------------------------------- # Malwarebytes AdwCleaner 8.0.7.0 # ------------------------------- # Build: 07-22-2020 # Database: 2020-07-20.1 (Local) # Support: https://www.malwarebytes.com/support # # ------------------------------- # Mode: Clean # ------------------------------- # Start: 09-23-2020 # Duration: 00:00:01 # OS: Windows 10 Home # Cleaned: 22 # Failed: 4 ***** [ Services ] ***** No malicious services cleaned. ***** [ Folders ] ***** Deleted C:\ProgramData\Application Data\Lavasoft\Web Companion Deleted C:\ProgramData\Microsoft\Windows\Start Menu\Programs\???? Deleted C:\Users\cloud\Downloads\Inbox Deleted C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent ***** [ Files ] ***** No malicious files cleaned. ***** [ DLL ] ***** No malicious DLLs cleaned. ***** [ WMI ] ***** No malicious WMI cleaned. ***** [ Shortcuts ] ***** No malicious shortcuts cleaned. ***** [ Tasks ] ***** No malicious tasks cleaned. ***** [ Registry ] ***** Deleted HKCU\Software\Lavasoft\Web Companion Deleted HKLM\Software\Classes\METNSD Deleted HKLM\Software\Wow6432Node\Lavasoft\Web Companion ***** [ Chromium (and derivatives) ] ***** No malicious Chromium entries cleaned. ***** [ Chromium URLs ] ***** No malicious Chromium URLs cleaned. ***** [ Firefox (and derivatives) ] ***** No malicious Firefox entries cleaned. ***** [ Firefox URLs ] ***** No malicious Firefox URLs cleaned. ***** [ Hosts File Entries ] ***** No malicious hosts file entries cleaned. ***** [ Preinstalled Software ] ***** Deleted Preinstalled.DellCommand|PowerManager Folder C:\Program Files\DELL\COMMANDPOWERMANAGER Deleted Preinstalled.DellCommand|PowerManager Folder C:\ProgramData\DELL\COMMANDPOWERMANAGER Deleted Preinstalled.DellCommand|PowerManager Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{18469ED8-8C36-4CF7-BD43-0FC9B1931AF8} Deleted Preinstalled.DellSupportAssistAgent Folder C:\Program Files\DELL\SAREMEDIATION\AGENT Deleted Preinstalled.DellSupportAssistAgent Folder C:\Program Files\DELL\SAREMEDIATION\AUDIT Deleted Preinstalled.DellSupportAssistAgent Folder C:\ProgramData\DELL\SAREMEDIATION\AGENT Deleted Preinstalled.DellSupportAssistAgent Folder C:\ProgramData\DELL\SAREMEDIATION\PLUGIN Deleted Preinstalled.DellSupportAssistAgent Folder C:\ProgramData\SUPPORTASSIST\CLIENT\TECHNICIANTOOLKIT Deleted Preinstalled.DellSupportAssistAgent Registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4942ADE4-212C-46CB-AC05-AFD3994B2131} Deleted Preinstalled.DellSupportAssistAgent Registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4942ADE4-212C-46CB-AC05-AFD3994B2131} Deleted Preinstalled.DellSupportAssistAgent Registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Dell SupportAssistAgent AutoUpdate Deleted Preinstalled.DellSupportAssistAgent Task C:\Windows\System32\Tasks\DELL SUPPORTASSISTAGENT AUTOUPDATE Deleted Preinstalled.DellUpdateforWindows10 Folder C:\Program Files (x86)\DELL\UPDATE Deleted Preinstalled.DellUpdateforWindows10 Folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DELL\UPDATE Deleted Preinstalled.DellUpdateforWindows10 Registry HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{5EBBC1DA-975F-44A0-B438-F325BCD45577} Not Deleted Preinstalled.DellSupportAssistAgent Folder C:\Program Files\DELL\SAREMEDIATION\PLUGIN Not Deleted Preinstalled.DellSupportAssistAgent Folder C:\Program Files\DELL\SUPPORTASSISTAGENT Not Deleted Preinstalled.DellUpdateforWindows10 Folder C:\Program Files (x86)\DELL\UPDATESERVICE Not Deleted Preinstalled.DellUpdateforWindows10 Folder C:\ProgramData\DELL\UPDATESERVICE ************************* [+] Delete Tracing Keys [+] Reset Winsock ************************* AdwCleaner[S00].txt - [3973 octets] - [23/09/2020 01:46:51] ########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ########## Link to post Share on other sites More sharing options...
Kush2692 Posted September 23, 2020 Author ID:1409076 Share Posted September 23, 2020 msert.log Link to post Share on other sites More sharing options...
kevinf80 Posted September 23, 2020 ID:1409103 Share Posted September 23, 2020 (edited) Thanks for those logs, are the blocks still happening..? Quote -Website Data- Category: Trojan Domain: backup.justthebooks.com IP Address: 192.254.234.95 Port: 80 Type: Outbound File: C:\Windows\System32\cscript.exe Cscript.exe is not really the offender, it is part of Windows OS and is part Windows Script Host module. This seems to be causing a browser re-direct. The domain is definitely a malicious server being contacted by a hijacker on your system.. Run the following please: Scan with Autoruns Please download Sysinternals Autoruns from the following link: https://live.sysinternals.com/autoruns.exe save it to your desktop. Note: If using Windows Vista, Windows 7, Windows 8/8.1 or Windows 10 then you also need to do the following: Right-click on Autoruns.exe and select Properties Click on the Compatibility tab Under Privilege Level check the box next to Run this program as an administrator Click on Apply then click OK Double-click Autoruns.exe to run it. Once it starts, please press the Esc key on your keyboard. Now that scanning is stopped, click on the Options button at the top of the program and verify that the following are checked, if they are unchecked, check them:Hide empty locationsHide Windows entries Click on the Options button at the top of the program and select Scan Options... then in the Autoruns Scan Options dialog enable/check the following two options:Verify code signaturesCheck VirusTotal.com Once that's done click the Rescan button at the bottom of the Autoruns Scan Options dialog and this will start the scan again, this time let it finish. When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the file to your desktop and close Autoruns. Right click on the file on your desktop that you just saved and hover your mouse over Send To and select Compressed (zipped) Folder Attach the ZIP folder you just created to your next reply. Thank you, Kevin... Edited September 23, 2020 by kevinf80 typing error Link to post Share on other sites More sharing options...
Kush2692 Posted September 23, 2020 Author ID:1409112 Share Posted September 23, 2020 AutoRuns.zip Link to post Share on other sites More sharing options...
Kush2692 Posted September 23, 2020 Author ID:1409113 Share Posted September 23, 2020 so the popup has stopped but that one popup of cscript happened and that was it. Popup wasn't happening everytime. it would either happen today that i opened chrome anytime throughout the day and it will appear but tomorrow it will be totally fine. Link to post Share on other sites More sharing options...
kevinf80 Posted September 23, 2020 ID:1409126 Share Posted September 23, 2020 Hiya Kush2692, I do not expect the popup to happen again, the root cause was identified and removed with FRST. Let me know when you are happy with the out come... Quote "HKU\S-1-5-21-639866947-1707975470-2643752595-1001\Software\Microsoft\Windows\CurrentVersion\Run\\dyyijwyrc" => removed successfully C:\Users\cloud\AppData\Roaming\Microsoft\Yuithpoe => moved successfully Thank you, Kevin. Link to post Share on other sites More sharing options...
Kush2692 Posted September 23, 2020 Author ID:1409142 Share Posted September 23, 2020 Thank you so much Kevin. I will keep this thread open for a week to see if any sort of other popups appear. If not, then I can request it to be closed with success resolution. I really appreciate your help! Link to post Share on other sites More sharing options...
Solution kevinf80 Posted September 23, 2020 Solution ID:1409165 Share Posted September 23, 2020 Thanks for the update, yes please let me know the outcome... Link to post Share on other sites More sharing options...
kevinf80 Posted October 2, 2020 ID:1411555 Share Posted October 2, 2020 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Please review the following for Tips to help protect from infection Thank you Link to post Share on other sites More sharing options...
Recommended Posts