
DNS Hijack


  • This topic is locked
52 replies to this topic

#1 compbuff

  • Members
  • 144 posts
  • Gender:Male

Posted 26 July 2018 - 03:11 AM

Hi,

 

I ran my Avast Wifi Inspector which noted I have a DNS hijack to my router; 2 hijacked domains, onclickads.net and popcash.net. It suggested updating the firmware on my Brightbox 2 router but this apparently cannot be done by the user but is applied periodically by EE it seems. It notes that port 53 is vulnerable and gave a vulnerability ID of CVE-2017-14491. I also have Zemana AntiLogger which after scanning found 5 Chrome shortcuts with suspicious browser settings, which it could not remove, as well as the DNS hijack. It can't repair/remove the Chrome shortcuts after clicking Next, and consequently after repairing the DNS the same DNS hijack remains on rescanning. Also, even after resetting my Chrome browser settings, it still scans and finds the Chrome shortcuts with suspicious browser settings. I also have Heimdal Agent which picks up and blocks any potential drive-by exploits from the 2 above-mentioned hijacked domains. The last time I had a DNS hijack was a long time ago on my previous PC, and I would not use other tools such as RogueKiller, Junkware Removal Tool etc. without guidance. Any help would be greatly appreciated so that I could remove both the hijacked domains, and any further info/advice.

 

Kind regards
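The alert compbuff describes ("DNS hijack to my router") is, at bottom, a comparison: the router's resolver answers differently from a resolver you trust. The following is an added example, not code from this thread or from Avast, Zemana or Heimdal, showing that check from the wire up: it builds a raw DNS A query, parses the reply (including RFC 1035 name compression), and reports any resolver whose answers disagree with the trusted one. Everything in it is constructed: the router address 192.168.1.1, the trusted resolver 1.1.1.1, the probe name example.com, and the two replies, which demo() fabricates with build_response() so the example runs offline. query_resolver() performs the same lookup against a live server.

```python
"""Added example (not code from this thread or from Avast/Zemana/Heimdal):
query a domain through two resolvers, parse the A records out of the raw DNS
replies, and report any resolver whose answers differ from a trusted one.
That is the check behind a "router DNS hijack" alert: a hijacking resolver
returns attacker-chosen addresses for the domains it wants to intercept.

Assumptions (constructed, not from the thread): the router is 192.168.1.1,
the trusted public resolver is 1.1.1.1, the probe name is example.com, and
the answer addresses come from the RFC 5737 documentation ranges.
"""
import random
import socket
import struct


def build_query(name: str, txid: int) -> bytes:
    """DNS header (RD set, one question) + QNAME labels + QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _read_name(data: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], off, False
    while True:
        length = data[off]
        if (length & 0xC0) == 0xC0:                     # RFC 1035 compression pointer
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                           # the pointer is the last thing consumed
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_a_records(reply: bytes, expected_txid: int) -> list:
    """Return the IPv4 addresses in the answer section, validating ID and RCODE."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: stale or spoofed reply")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qdcount):                            # skip the echoed question(s)
        _, off = _read_name(reply, off)
        off += 4
    addrs = []
    for _ in range(ancount):
        _, off = _read_name(reply, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addrs.append(socket.inet_ntoa(reply[off:off + 4]))
        off += rdlen
    return addrs


def build_response(query: bytes, addrs: list, ttl: int = 60) -> bytes:
    """Fabricate a reply to `query` (test data only; a real resolver sends this)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(a)
                   for a in addrs)
    return header + query[12:] + rrs                    # question section echoed verbatim


def query_resolver(resolver_ip: str, name: str, timeout: float = 2.0) -> list:
    """Live lookup over UDP/53 (not used by demo(), so the example runs offline)."""
    txid = random.getrandbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver_ip, 53))
        data, _ = s.recvfrom(512)
    return parse_a_records(data, txid)


def suspicious_resolvers(answers: dict, trusted: str) -> list:
    """Resolvers whose A-record set for the probe name differs from the trusted one."""
    reference = set(answers[trusted])
    return [r for r, a in answers.items() if r != trusted and set(a) != reference]


def demo() -> list:
    """Offline walk-through with two fabricated replies: the router lies, 1.1.1.1 does not."""
    txid = 0x1234
    q = build_query("example.com", txid)
    honest = build_response(q, ["203.0.113.10"])       # constructed 'true' address
    hijacked = build_response(q, ["198.51.100.7"])     # constructed attacker address
    answers = {
        "1.1.1.1": parse_a_records(honest, txid),
        "192.168.1.1": parse_a_records(hijacked, txid),
    }
    return suspicious_resolvers(answers, trusted="1.1.1.1")


if __name__ == "__main__":
    print("resolvers disagreeing with 1.1.1.1:", demo())
```

Two caveats when running this against a real router. A differing answer is evidence, not proof: CDN-fronted names legitimately resolve differently from different vantage points, so probe a name with a single stable address. And the check only sees the resolver it asks; a DNS proxy listening on a loopback address of the PC itself (the kind of entry RogueKiller later reports in this thread) sits in front of the router and has to be inspected separately.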





#2 satchfan

  • Malware Response Team
  • 2,723 posts
  • Gender:Female
  • Location:Devon, UK

Posted 26 July 2018 - 06:52 PM

Hello compbuff and welcome to the WTT forum.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

Note: Please run these in the order given in the instructions.

===================================================

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.

  • run AdwCleaner by clicking on Scan
  • when it has finished, leave everything that was found checked, (ticked), then click on Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Run Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • press Scan button
  • it will produce a log called Frst.txt in the same directory the tool is run from
  • please copy and paste log back here.
  • the first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the Frst.txt into your reply.

Logs to include with next post:

AdwCleaner log
Frst.txt
Addition.txt


Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#3 compbuff
  • Topic Starter
  • Members
  • 144 posts
  • Gender:Male

Posted 26 July 2018 - 10:29 PM

Hi Satchfan,

 

Thank you for your reply. Logs requested are attached as follows:

 

Attached files:
  • AdwCleanerC01.txt (1.57KB)
  • AdwCleanerS01.txt (1.43KB)
  • Addition.txt (117.48KB)
  • FRST.txt (106.71KB)

 

 

 

 



#4 satchfan

  • Malware Response Team
  • 2,723 posts
  • Gender:Female
  • Location:Devon, UK

Posted 27 July 2018 - 07:22 AM

I haven't completed looking at your logs, but can you tell me if this is a company computer with company restrictions on it, as there are some unusual policy settings?


Edited by satchfan, 27 July 2018 - 07:28 AM.



#5 compbuff
  • Topic Starter
  • Members
  • 144 posts
  • Gender:Male

Posted 27 July 2018 - 05:10 PM

No, this is my own computer. I have hardened my computer for security purposes over time, which may be the unusual policy settings you are referring to. And besides, the logs will show you my ID footprint. I do use a computer for work but only at work.


Edited by compbuff, 27 July 2018 - 05:12 PM.


#6 satchfan

  • Malware Response Team
  • 2,723 posts
  • Gender:Female
  • Location:Devon, UK

Posted 27 July 2018 - 05:29 PM

Please enable Windows Defender.

================================================

You need to move Farbar Recovery Scan Tool to your desktop otherwise fixes will not work.

  • go to C:\Users\Marcus 2\Dropbox\Works-downloads in Shadow mode\Downloads\Programs
    folder and locate FRST64
  • right click and select Cut
  • go to an empty spot on your desktop, right click and select Paste

Farbar Recovery Scan Tool should now be on your desktop.

================================================

Run Farbar Recovery Scan Tool

I HAVE LEFT THE ‘Policies’ as you have chosen to set them.

  • right-click FRST/FRST64 and select ‘Run as administrator’
  • highlight the contents of the code box below, then press Ctrl+C:
Start::
CloseProcesses:
HKLM-x32\...\RunOnceEx\000: [zoek-delete] => zoek-delete.exe
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\MountPoints2: {3ef859ae-d0a5-11e4-825d-0c54a5c7d546} - "F:\AutoRun.exe"
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\MountPoints2: {3ef85aa5-d0a5-11e4-825d-0c54a5c7d546} - "F:\AutoRun.exe"
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\MountPoints2: {76f83056-ca53-11e4-825b-0c54a5c7d546} - "L:\WD Drive Unlock.exe" autoplay=true
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\MountPoints2: {76f83140-ca53-11e4-825b-0c54a5c7d546} - "L:\SecureDataUSBDrive.exe"
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\.DEFAULT -> DefaultScope {921825F4-418D-4C0E-B7B7-E05CB3E6D1EE} URL =
SearchScopes: HKU\.DEFAULT -> {921825F4-418D-4C0E-B7B7-E05CB3E6D1EE} URL =
SearchScopes: HKU\S-1-5-21-1438436151-582650635-3674040208-1002 -> DefaultScope {012E1000-F331-11DB-8314-0800200C9A66} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1438436151-582650635-3674040208-1002 -> {012E1000-F331-11DB-8314-0800200C9A66} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1438436151-582650635-3674040208-1002 -> {921825F4-418D-4C0E-B7B7-E05CB3E6D1EE} URL =
SearchScopes: HKU\S-1-5-21-1438436151-582650635-3674040208-1003 -> DefaultScope {921825F4-418D-4C0E-B7B7-E05CB3E6D1EE} URL =
SearchScopes: HKU\S-1-5-21-1438436151-582650635-3674040208-1003 -> {71DCAE06-13FC-4C7F-9CF0-1A2736CF0B92} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKU\S-1-5-21-1438436151-582650635-3674040208-1003 -> {921825F4-418D-4C0E-B7B7-E05CB3E6D1EE} URL =
BHO: No Name -> {F1352992-FB5B-4AAF-904C-020F6221CC73}' -> No File
BHO-x32: No Name -> {F1352992-FB5B-4AAF-904C-020F6221CC73}' -> No File
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.2.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.2.5.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.2.6 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [No File]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [219272 2013-08-07] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [182752 2013-08-07] (McAfee, Inc.)
S2 GamesAppIntegrationService; "C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe" [X]
S3 GamesAppService; "C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe" [X]
S3 mfeapfk; C:\WINDOWS\System32\drivers\mfeapfk.sys [179664 2013-08-07] (McAfee, Inc.)
R3 mfeavfk; C:\WINDOWS\System32\drivers\mfeavfk.sys [310224 2013-08-07] (McAfee, Inc.)
S0 mfeelamk; C:\WINDOWS\System32\drivers\mfeelamk.sys [69264 2013-08-07] (McAfee, Inc.)
R3 mfefirek; C:\WINDOWS\System32\drivers\mfefirek.sys [519064 2013-08-07] (McAfee, Inc.)
R0 mfehidk; C:\WINDOWS\System32\drivers\mfehidk.sys [776168 2013-08-07] (McAfee, Inc.)
R3 mfesapsn; C:\Program Files (x86)\McAfee\SiteAdvisor\x64\mfesapsn.sys [111608 2017-02-14] (McAfee, Inc.)
R0 mfewfpk; C:\WINDOWS\System32\drivers\mfewfpk.sys [343568 2013-08-07] (McAfee, Inc.)
S3 dbx; system32\DRIVERS\dbx.sys [X]
S3 DIRECTIO; \??\E:\Programs\PerformanceTest\DirectIo64.sys [X]
S2 VBoxAswDrv; \??\C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [X]
S1 ZAM_Guard; \??\C:\WINDOWS\System32\drivers\zamguard64.sys [X]
2018-06-28 13:42 - 2018-06-28 13:43 - 011943856 _____ C:\Users\Marcus 2\Downloads\vdh-738180390.tmp.part
2018-06-28 13:42 - 2018-06-28 13:43 - 004624774 _____ C:\Users\Marcus 2\Downloads\vdh-238131093.tmp
2018-06-28 13:42 - 2018-06-28 13:42 - 000000000 _____ C:\Users\Marcus 2\Downloads\vdh-738180390.tmp
2018-06-28 13:31 - 2018-06-28 13:33 - 015996730 _____ C:\Users\Marcus 2\Downloads\vdh-482075808.tmp
2018-06-28 13:31 - 2018-06-28 13:32 - 004128950 _____ C:\Users\Marcus 2\Downloads\vdh-214238043.tmp
2018-06-28 13:30 - 2018-06-28 13:30 - 000000000 ____D C:\Program Files\net.downloadhelper.coapp
2018-06-27 05:07 - 2018-04-21 13:21 - 000000000 ____D C:\Users\Marcus 2\AppData\Local\F627D6D6-CFC8-4A93-8469-814BAABFB138.aplzod
2016-08-02 23:50 - 2016-08-02 23:50 - 000007598 _____ () C:\Users\Marcus 1\AppData\Local\Resmon.ResmonCfg
2018-04-17 18:48 - 2018-04-17 18:48 - 000000700 ___SH () C:\Users\Marcus 1\AppData\Local\systemFL7.dat
AlternateDataStreams: C:\ProgramData\Temp:AC64BB05 [196]
FirewallRules: [{04AE8F91-8972-4C82-A137-512317A00D12}] => (Allow) C:\Users\Marcus 1\AppData\Local\Temp\7zS4ADA\HPDiagnosticCoreUI.exe
FirewallRules: [{11B9B8F5-E1FF-4B3A-9CED-0E2B69CA657E}] => (Allow) C:\Users\Marcus 1\AppData\Local\Temp\7zS4ADA\HPDiagnosticCoreUI.exe
FirewallRules: [{54A033F0-35E6-422F-9028-0E0CFFDCB2C7}] => (Allow) C:\Users\Marcus 3\AppData\Local\Temp\7zS4843\HPDiagnosticCoreUI.exe
FirewallRules: [{962005E7-60DC-4C21-934F-B73AD27059A5}] => (Allow) C:\Users\Marcus 3\AppData\Local\Temp\7zS4843\HPDiagnosticCoreUI.exe
FirewallRules: [{53253D2F-E1BA-4056-8333-573F73B2D79E}] => (Allow) C:\Users\Marcus 1\AppData\Local\Temp\7zS5D75\HPDiagnosticCoreUI.exe
FirewallRules: [{D56A9805-BA66-4CF9-A114-76027C04337A}] => (Allow) C:\Users\Marcus 1\AppData\Local\Temp\7zS5D75\HPDiagnosticCoreUI.exe
FirewallRules: [{311C805E-37A0-408E-AC4A-B6D3AE2A46A1}] => (Allow) C:\Users\Marcus 1\AppData\Local\Temp\7zS5F9D\HPDiagnosticCoreUI.exe
FirewallRules: [{00AFCBD0-8E10-472E-97BB-06F330A96870}] => (Allow) C:\Users\Marcus 1\AppData\Local\Temp\7zS5F9D\HPDiagnosticCoreUI.exe
FirewallRules: [{F38031F0-09F0-44A5-BDAF-35113B1BCF0C}] => (Allow) C:\Users\Marcus 1\AppData\Local\Temp\7zS6012\HPDiagnosticCoreUI.exe
FirewallRules: [{592E6FBE-D06E-4247-B557-990BE90497AE}] => (Allow) C:\Users\Marcus 1\AppData\Local\Temp\7zS6012\HPDiagnosticCoreUI.exe
FirewallRules: [{404F8050-FEF2-4832-B4C5-7FDB1678E15D}] => (Allow) C:\Users\Marcus 1\AppData\Local\Temp\7zS15C9\HPDiagnosticCoreUI.exe
FirewallRules: [{736A5357-D562-44E7-B222-D31FA4BE611C}] => (Allow) C:\Users\Marcus 1\AppData\Local\Temp\7zS15C9\HPDiagnosticCoreUI.exe
FirewallRules: [{1F298F98-F8F4-412E-99ED-73626A06B39F}] => (Allow) C:\Users\Marcus 1\AppData\Local\Temp\7zS74DF\HPDiagnosticCoreUI.exe
FirewallRules: [{E49AD0E5-E3B2-4BAA-A7DF-B99688A8FED5}] => (Allow) C:\Users\Marcus 1\AppData\Local\Temp\7zS74DF\HPDiagnosticCoreUI.exe
FirewallRules: [{01EBA830-599C-4E0B-8594-AEAF78AC1352}] => (Allow) C:\Users\Marcus 1\AppData\Local\Temp\7zS3355\HPDiagnosticCoreUI.exe
FirewallRules: [{57F7E4A5-2E27-4D5E-BBC9-35FD1A9F0DF1}] => (Allow) C:\Users\Marcus 1\AppData\Local\Temp\7zS3355\HPDiagnosticCoreUI.exe
FirewallRules: [{A85E7798-547B-4BE0-9B4E-6723F56F1002}] => (Allow) C:\Users\Marcus 1\AppData\Local\Temp\7zS339D\HPDiagnosticCoreUI.exe
FirewallRules: [{BC26488C-9488-40B4-AFFD-BCE25CC8B83B}] => (Allow) C:\Users\Marcus 1\AppData\Local\Temp\7zS339D\HPDiagnosticCoreUI.exe
FirewallRules: [{FD7C6906-46CE-4A03-AD13-B322199F9A57}] => (Allow) C:\Users\Marcus 2\AppData\Local\Temp\7zS3E71\HPDiagnosticCoreUI.exe
FirewallRules: [{0E97A44A-3027-4621-9C88-5F100E7EA1D8}] => (Allow) C:\Users\Marcus 2\AppData\Local\Temp\7zS3E71\HPDiagnosticCoreUI.exe
C:\Program Files\Common Files\McAfee
C:\Windows\system32\mfevtps.exe
C:\WINDOWS\System32\drivers\mfeapfk.sys
C:\WINDOWS\System32\drivers\mfeavfk.sys
C:\WINDOWS\System32\drivers\mfeelamk.sys
C:\WINDOWS\System32\drivers\mfefirek.sys
C:\WINDOWS\System32\drivers\mfehidk.sys
C:\WINDOWS\System32\drivers\mfewfpk.sys
C:\Users\Marcus 1\AppData\Local\Temp\7zS4ADA
CMD: ipconfig /flushdns
CMD: ipconfig /release
CMD: ipconfig /renew
Hosts:
EmptyTemp:
End::

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • in the FRST window, press the ‘Fix’ button once and wait
  • please reboot the computer if requested
  • it will create a log on your desktop, (Fixlog.txt); please post it to your reply.

===================================================

Run RogueKiller

IMPORTANT: Please remove any usb or external drives from the computer before you run this scan!

Close all running programs.


Download RogueKiller to your desktop

  • close all running programs
  • for Windows Vista/7/8/10, right click -> run as administrator, for XP simply double-click on RogueKiller.exe
  • when the pre-scan is finished, click on Scan
  • click on ‘Report’ and copy/paste the content in your next post
  • NOTE: DO NOT attempt to remove anything that the scan detects; not everything that is reported is necessarily bad

If the program is blocked, continue to try it several times. If it still doesn’t work, (it could happen), rename it to winlogon.exe.

Please post the contents of the RKreport.txt in your next reply with the Fixlog.txt log.

Satchfan

 




#7 compbuff
  • Topic Starter
  • Members
  • 144 posts
  • Gender:Male

Posted 27 July 2018 - 07:11 PM

Hi Satchfan,

 

Thank you for your reply. It's a bit late, having seen your reply just now, but I shall carry out the requested instructions and post the required logs at some point tomorrow. Just one question though; you have suggested re-enabling Windows Defender? The reason why I do not use it is because I use Avast Premier, which is why Windows Defender is outdated. Is there a reason why you suggest doing so, since it's always best to run one anti-virus and not two?

 

Much appreciated.

 

Compbuff


Edited by compbuff, 27 July 2018 - 07:25 PM.


#8 compbuff
  • Topic Starter
  • Members
  • 144 posts
  • Gender:Male

Posted 28 July 2018 - 03:19 AM

Logs requested attached as follows:

Attached files:
  • Fixlog.txt (22.2KB)
  • rk_415.tmp.txt (30.54KB)


Edited by compbuff, 28 July 2018 - 03:20 AM.


#9 satchfan

  • Malware Response Team
  • 2,723 posts
  • Gender:Female
  • Location:Devon, UK

Posted 28 July 2018 - 04:39 AM

Thanks

 

Am busy for a few hours but will reply later.




#10 satchfan

  • Malware Response Team
  • 2,723 posts
  • Gender:Female
  • Location:Devon, UK

Posted 28 July 2018 - 09:57 AM

Run RogueKiller

IMPORTANT: Do not reboot your computer if at all possible otherwise the malware will reactivate and you will have to run RogueKiller again

  • close all programs
  • double-click RogueKiller.exe (Windows 7/8/10: right-click the program and select 'Run as Administrator')
  • after it has completed its pre-scan, click on Scan
  • when the scan is finished, uncheck these:

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0CDB1D0A-CC5F-48EB-9BCE-BD7010829DC0} | NameServer : 127.7.7.3 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{14E516F3-1BBC-47FD-A016-E56E40524F45} | NameServer : 217.171.132.0 ([United Kingdom])  -> Found
[Suspicious.Path] (X64)

  • then press Remove Selected and post the log it produces.

Please then run it again and send the new log.

Satchfan

 


Edited by satchfan, 28 July 2018 - 10:38 AM.



#11 compbuff
  • Topic Starter
  • Members
  • 144 posts
  • Gender:Male

Posted 28 July 2018 - 02:38 PM

Hi Satchfan,

 

Just to clarify, after running the Rogue Killer scan, I unclick the two above mentioned items, but I'm not clear about what is done before pressing remove selected; do I click every other item bar those two mentioned before pressing remove selected? Or only leave those that 'are' selected to be removed (except for the 2 mentioned items to uncheck) but not selecting others for removal that were not selected? It just seems a little unclear.

 

Thank you



#12 satchfan

  • Malware Response Team
  • 2,723 posts
  • Gender:Female
  • Location:Devon, UK

Posted 28 July 2018 - 04:41 PM

Everything that was found should be selected. Usually they are selected by default but I haven't run it for a few weeks so can't be sure.

 

Those entries should be dealt with, but the reason I asked you to de-select the two PUM.Dns entries is because I think that that is where your initial worries came from. You have Heimdal installed and that affects the IPv4 settings and uses your DNS to resolve the addresses.

 

Your DNS alerts are probably due to this.


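Satchfan's point is that the two PUM.Dns hits are per-interface static NameServer values, and that a loopback address there is what a locally installed DNS filter such as Heimdal leaves behind rather than a hijack. The following is an added example, not code from this thread or from RogueKiller or Heimdal, that audits those values directly. On Windows the setting lives under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}; a non-empty NameServer is a static override and takes precedence over DhcpNameServer (what the router handed out), which is why both a security product and a hijacker end up writing there. The input is constructed sample text in the layout `reg query ... /s /v NameServer` prints: the first two entries mirror the addresses quoted above, the other two GUIDs and the allowlist are made up for illustration, and the script does not know which product owns 127.7.7.3; it only tells you a loopback proxy is in the path so you can match it against what is installed.

```python
"""Added example (not from this thread, RogueKiller or Heimdal): audit the
per-interface DNS settings RogueKiller reports as PUM.Dns. Windows keeps them
under HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{GUID};
a non-empty NameServer value is a static override and wins over DhcpNameServer
(what the router handed out), so that is where a malicious resolver, or a
security product's local proxy, shows up.

Input is constructed sample text in the layout printed by
  reg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces /s /v NameServer
The first two entries mirror the values quoted in this thread; the other two
GUIDs and the allowlist are made up for illustration.
"""
import ipaddress
import re

SAMPLE_REG_QUERY = """
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{0CDB1D0A-CC5F-48EB-9BCE-BD7010829DC0}
    NameServer    REG_SZ    127.7.7.3

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{14E516F3-1BBC-47FD-A016-E56E40524F45}
    NameServer    REG_SZ    217.171.132.0

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{AAAAAAAA-0000-0000-0000-000000000001}
    NameServer    REG_SZ

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{AAAAAAAA-0000-0000-0000-000000000002}
    NameServer    REG_SZ    192.168.1.1,1.1.1.1
"""

# Assumption: the public resolvers you deliberately use. Anything public and not listed is flagged.
TRUSTED_PUBLIC = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}


def parse_reg_query(text: str) -> dict:
    """Map each interface GUID to its list of static NameServer addresses ([] if empty)."""
    entries, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.rstrip().rsplit("\\", 1)[-1]
            continue
        m = re.match(r"\s+NameServer\s+REG_SZ\s*(.*)$", line)
        if m and key is not None:
            # Windows accepts comma- or space-separated lists in this value.
            entries[key] = [s for s in re.split(r"[ ,]+", m.group(1).strip()) if s]
    return entries


def classify(server: str) -> str:
    """Verdict for one configured DNS server address (raises ValueError if not an IP)."""
    ip = ipaddress.ip_address(server)
    if ip.is_loopback:
        return "loopback: a DNS proxy/filter on this PC (confirm which installed product owns it)"
    if ip.is_private:
        return "LAN address: normally the router's own resolver"
    if server in TRUSTED_PUBLIC:
        return "trusted public resolver"
    return "VERIFY: public resolver outside the allowlist; identify the owner before trusting it"


def audit(entries: dict) -> list:
    """(guid, server, verdict) per configured server; an empty value means DHCP DNS is in effect."""
    findings = []
    for guid, servers in entries.items():
        if not servers:
            findings.append((guid, "", "no static NameServer: DHCP-assigned DNS is in effect"))
            continue
        for server in servers:
            try:
                verdict = classify(server)
            except ValueError:
                verdict = "VERIFY: value is not an IP address"
            findings.append((guid, server, verdict))
    return findings


def flagged(findings: list) -> list:
    """Only the entries a person should look at before trusting the machine's DNS."""
    return [f for f in findings if f[2].startswith("VERIFY")]


if __name__ == "__main__":
    for guid, server, verdict in audit(parse_reg_query(SAMPLE_REG_QUERY)):
        print(guid, server or "(empty)", verdict)
```

On a live machine, pipe the real `reg query` output into parse_reg_query() (for example via subprocess). Note that the `ipconfig /flushdns`, `/release` and `/renew` lines in the FRST script above only clear the resolver cache and refresh the DHCP lease; a static NameServer value survives them, which is consistent with the same entries still being reported afterwards.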


#13 compbuff
  • Topic Starter
  • Members
  • 144 posts
  • Gender:Male

Posted 28 July 2018 - 06:14 PM

Thank you for your reply Satchfan. Sorry for the delay as I was pre-occupied. 

 

The reason why I asked was that when I ran it the first time you asked me to run it to provide a log, I remembered the list it provided did not select everything automatically, which explains the slight confusion. I will run RogueKiller tomorrow and on completion of the scan, will select everything except the two PUM.Dns entries, then press Remove Selected without rebooting the computer as instructed. And then run the program again and provide a new log.

 

Compbuff



#14 satchfan

  • Malware Response Team
  • 2,723 posts
  • Gender:Female
  • Location:Devon, UK

Posted 28 July 2018 - 06:18 PM

:thumbup2:




#15 compbuff
  • Topic Starter
  • Members
  • 144 posts
  • Gender:Male

Posted 29 July 2018 - 08:24 AM

 

Run RogueKiller

IMPORTANT: Do not reboot your computer if at all possible otherwise the malware will reactivate and you will have to run RogueKiller again

  • close all programs
  • double-click RogueKiller.exe (Windows 7/8/10: right-click the program and select 'Run as Administrator')
  • after it has completed its pre-scan, click on Scan
  • when the scan is finished, uncheck these:

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0CDB1D0A-CC5F-48EB-9BCE-BD7010829DC0} | NameServer : 127.7.7.3 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{14E516F3-1BBC-47FD-A016-E56E40524F45} | NameServer : 217.171.132.0 ([United Kingdom])  -> Found
[Suspicious.Path] (X64)

  • then press Remove Selected and post the log it produces.

Please then run it again and send the new log.

Hi Satchfan, 

 

Carried out the requested tasks and attached new log:

Attached file: rk_6EAE.tmp.txt (4.67KB)


Edited by compbuff, 29 July 2018 - 08:25 AM.




