
DNS Unlocker Infection? FRST & MWAV Logs Attached


This topic is locked
24 replies to this topic

#1 BBdude
  • Members

Posted 01 November 2015 - 02:14 PM

Hi All,

Hope you're doing well. Laptop appears to be infected with DNS Unlocker. It's an AMD-based ASUS laptop running Windows 7 Home Premium. Perhaps prematurely, I executed the instructions for DNS Unlocker removal shown in this thread. I went through all the steps through MWAV, but this is where I stopped after encountering some strange issues. However, I've also attached the MWAV logs for your reference.

Prior to the above, I was receiving several pop-ups and my search results (independent of Bing, Google, IE, Chrome, etc.) were showing up as sponsored by DNS Unlocker. After running MWAV it found ~20 items and renamed them. However, after doing this I've lost internet and now MS Windows is saying the OS is not genuine (note I've never re-installed / replaced the OS). I also cannot access the LAN settings to see if the DNS has been changed.

Thoughts and advice welcome! Thank you in advance for your help!



#2 nasdaq
  • Malware Response Team
  • Location: Montreal, QC. Canada

Posted 03 November 2015 - 04:37 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove this program in bold using the Add/Remove Programs applet.

Defender Pro (HKLM-x32\...\Defender Pro) (Version: - Defender Pro)


Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Defender Pro] => C:\Program Files (x86)\Defender Pro\DefenderPro.exe [1595392 2015-08-28] ()
ShellIconOverlayIdentifiers-x32: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
GroupPolicy: Restriction - Chrome <======= ATTENTION
BHO: TTwistGGriipS -> {58E0E494-7047-47E1-8E0D-375E85F20F65} -> C:\Program Files (x86)\TTwistGGriipS\1oo1lt5c7TBDoh.x64.dll => No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR DefaultSearchURL: Default -> hxxp://www-searching.com/search.aspx?site=shdefault&chext=v2&s=&q={searchTerms}
CHR DefaultSearchKeyword: Default -> Search Module Plus
FirewallRules: [{FB13235F-1BAB-4425-ABDC-C364CBE7386C}] => (Allow) C:\Program Files (x86)\Defender Pro\DefenderPro.exe
FirewallRules: [{10B80239-C302-4187-B9FB-DE5626296567}] => (Allow) C:\Program Files (x86)\Defender Pro\DefenderPro.exe
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
C:\Program Files (x86)\Defender Pro

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.

===

How is the computer running now?

#3 BBdude
  • Topic Starter
  • Members

Posted 06 November 2015 - 09:05 AM

Thank you for the response. While running Zoek using the script provided, part of the way through an error was raised stating "The program can't start because DNSAPI.dll is missing from your computer. Try reinstalling the program to fix the problem". I clicked OK and it continued to run and it prompted me to reboot upon completion.

I've otherwise attached the Fixlog.txt and the zoek-results.log.

The computer still says I'm not using a genuine version of Windows and I still can't access the internet.



#4 nasdaq
  • Malware Response Team
  • Location: Montreal, QC. Canada

Posted 06 November 2015 - 11:02 AM

DNSAPI.dll is missing from your computer.


Let's find out if you have a good copy on the hard disk.

Please run the Farbar Recovery Scan Tool. Enter DNSAPI.dll in the Search Box and hit the File Search button.
Post the content of the Search.txt in your next reply.

#5 BBdude
  • Topic Starter
  • Members

Posted 06 November 2015 - 11:28 AM

DNSAPI.dll is missing from your computer.

Let's find out if you have a good copy on the hard disk.

Please run the Farbar Recovery Scan Tool. Enter DNSAPI.dll in the Search Box and hit the File Search button.
Post the content of the Search.txt in your next reply.

Thank you - see attached.



#6 nasdaq
  • Malware Response Team
  • Location: Montreal, QC. Canada

Posted 06 November 2015 - 02:15 PM

The file has been located correctly.

There could be some restrictions that we have to fix.

Please Download Tweaking.com - Windows Repair from Here

  • Install and then run the program
  • Execute the instructions on Step 1 Important
  • Click Next on Step 2 Optional, do the Pre Scan, skip Step 3 and 4 Optional for now.
  • On Step 5 Backup System Restore do a Registry backup. When you have completed this click Next
  • Click on Repairs
  • Click Repairs - Open Repairs in the bottom right corner
  • Click the Unselect All button then select just the item(s) listed below:
    • 01 - Repair Registry Permissions
    • 03 - Reset Service permissions
    • 04 - Register System Files
    • 05 - Repair WMI
    • 10 - Remove Policies Set By Infections
    • 13 - Repair Network (previously Repair Winsock & DNS Cache)
    • 15 - Repair Proxy Settings
    • 26 - Restore Important Windows Services
    • 27 - Set Windows Service to Default Startup
  • Click the Start button and let the process run to completion. Copy any error messages into Notepad, save it on your Desktop. (Reboot if asked to do so)
  • Please copy and paste the contents of this file on your next reply.

===

Restart the computer normally.

How is the computer running now?


#7 BBdude
  • Topic Starter
  • Members

Posted 06 November 2015 - 03:30 PM

I followed the steps above, but during the repair process I received several errors around running the ipconfig.exe program. I've attached the log for your reference.

The computer is still unable to connect to the internet and states the Windows copy is not genuine.



#8 BBdude
  • Topic Starter
  • Members

Posted 07 November 2015 - 07:16 AM

I issued the "sfc /scanfile=C:\Windows\system32\dnsapi.dll" command as admin via the command prompt and I no longer have the genuine Windows issue. Also, while I have internet (e.g., can ping google.com via command prompt) ... I cannot access any webpages via IE or Chrome.



#9 nasdaq
  • Malware Response Team
  • Location: Montreal, QC. Canada

Posted 07 November 2015 - 09:34 AM

Download Farbar's Service Scanner utility
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/
and Save to your Desktop.
If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other services


Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Copy & Paste contents of FSS.txt into your reply.

#10 BBdude
  • Topic Starter
  • Members

Posted 07 November 2015 - 10:39 AM

Hi,

Thank you. See attached.

Attached Files
  • FSS.txt


#11 nasdaq
  • Malware Response Team
  • Location: Montreal, QC. Canada

Posted 07 November 2015 - 04:02 PM

Using a good computer download each one of these reg files to a CD or Flash drive.
Copy the files to your desktop, then double click on each one and allow it to merge into the registry:

http://download.bleepingcomputer.com/win-services/7/Dhcp.reg
http://download.bleepingcomputer.com/win-services/7/Tcpip.reg
http://download.bleepingcomputer.com/win-services/7/BFE.reg
http://download.bleepingcomputer.com/win-services/7/wuauserv.reg

Reboot and run another FSS scan

How is the computer running now?

#12 BBdude
  • Topic Starter
  • Members

Posted 09 November 2015 - 07:28 PM

Hi,

Thank you for the information. All registry values were accepted. However, I'm still unable to access the internet via IE, but able to ping web addresses. Log attached.

Attached Files
  • FSS.txt


#13 nasdaq
  • Malware Response Team
  • Location: Montreal, QC. Canada

Posted 10 November 2015 - 10:12 AM

Please download MiniToolBox to Desktop and run it.

Check mark the following boxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List last 10 Event Viewer log
  • List content of Hosts
  • List IP Configuration
  • List Winsock Entries
  • List Installed Programs
  • List Users, Partitions and Memory size
  • List Devices (problems only)
  • List Minidump Files
  • List Restore Points

Click Go and copy/paste the log (Result.txt) into your next post.
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
================

Picture of the tool.
http://i.imgur.com/wNeKMCX.png
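As an added example (not code from the thread, nor from MiniToolBox, FRST or any tool named above), the PowerShell audit below reads the same settings that the .reg merges in post #11 and the MiniToolBox report in post #13 cover, so the state can be confirmed after cleanup. It assumes Windows 7 or later with PowerShell 2.0+ and an elevated prompt, and it changes nothing.

```powershell
# Added example (not from the thread): read-only audit of the settings a DNS hijacker
# typically changes and that the thread's tools repair. Assumes Windows 7+ / PowerShell 2.0+.

# 1. DNS servers per IP-enabled adapter. A static resolver on a DHCP laptop deserves a look.
"== DNS servers per adapter =="
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" | ForEach-Object {
    $dns = if ($_.DNSServerSearchOrder) { $_.DNSServerSearchOrder -join ', ' } else { '(none)' }
    "{0}: DHCP={1} DNS={2}" -f $_.Description, $_.DHCPEnabled, $dns
}

# 2. WinINET proxy, used by IE and Chrome. 'Ping works but no web pages' often means a
#    proxy that points at a server which no longer answers.
"== Proxy settings (HKCU Internet Settings) =="
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
"ProxyEnable={0} ProxyServer={1} AutoConfigURL={2}" -f $inet.ProxyEnable, $inet.ProxyServer, $inet.AutoConfigURL

# 3. Hosts file: every active (non-comment, non-blank) mapping.
"== Active hosts entries =="
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" | Where-Object { $_ -match '^\s*[^#\s]' }

# 4. The services restored by the thread's .reg files. Tcpip is a kernel driver, so it lives
#    in Win32_SystemDriver rather than Win32_Service.
"== Core network services =="
foreach ($name in 'Dhcp', 'Tcpip', 'BFE', 'wuauserv') {
    $svc = Get-WmiObject Win32_Service -Filter "Name = '$name'"
    if (-not $svc) { $svc = Get-WmiObject Win32_SystemDriver -Filter "Name = '$name'" }
    if ($svc) { "{0}: State={1} StartMode={2}" -f $name, $svc.State, $svc.StartMode }
    else      { "{0}: no service or driver entry found" -f $name }
}

# 5. dnsapi.dll in both system directories of a 64-bit install: presence and signature status.
#    Catalog-signed system files can report NotSigned on older PowerShell; sfc /scanfile, as
#    used in post #8, remains the authoritative integrity check.
"== dnsapi.dll =="
foreach ($dir in 'System32', 'SysWOW64') {
    $path = Join-Path $env:SystemRoot "$dir\dnsapi.dll"
    if (Test-Path $path) {
        $sig = Get-AuthenticodeSignature $path
        "{0}: {1} ({2})" -f $path, $sig.Status, $sig.SignerCertificate.Subject
    } else { "{0}: MISSING" -f $path }
}
```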

#14 BBdude
  • Topic Starter
  • Members

Posted 10 November 2015 - 07:26 PM

Thank you. When running the program I received the same error four times, which is that the ipconfig.exe application was unable to start correctly. The program otherwise completed and I posted the results in the attached.

It's beginning to look like I'll need to reinstall Windows, isn't it?

Attached Files
  • MTB.txt


#15 nasdaq
  • Malware Response Team
  • Location: Montreal, QC. Canada

Posted 11 November 2015 - 08:47 AM

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.

start

CreateRestorePoint:
CloseProcesses:

Move: C:\Windows\System32\dnsapi.dll c:\WINDOWS\system32\drivers\dnsapi.dll.old
Replace: C:\$Windows.~BT\Sources\SafeOS\SafeOS.Mount\Windows\System32\dnsapi.dll C:\Windows\System32\dnsapi.dll
Move: C:\Windows\SysWOW64\dnsapi(27).dll C:\Windows\SysWOW64\dnsapi(27).dll.old
Move: C:\Windows\SysWOW64\DNSAPI.dll C:\Windows\SysWOW64\DNSAPI.dll.old
Replace: C:\$Windows.~BT\Sources\SafeOS\SafeOS.Mount\Windows\WinSxS\amd64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.10240.16384_none_9d8c256ebdd2e48a\dnsapi.dll C:\Windows\SysWOW64\DNSAPI.dll

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

How is the computer running now?

p.s.
If something goes wrong with this fix you can restore the computer to the previous restore point created by the tool.

Keep me posted.

