hall140

Honorary Members
  • Posts: 21
  • Reputation: 0 Neutral
  • Recent profile visitors: 747 profile views
  1. Can I delete both PUM.startmenu?

     RogueKiller V12.10.7.0 (x64) [May 1 2017] (Free) by Adlice Software
     mail : http://www.adlice.com/contact/
     Feedback : https://forum.adlice.com
     Website : http://www.adlice.com/download/roguekiller/
     Blog : http://www.adlice.com

     Operating System : Windows 10 (10.0.14393) 64 bits version
     Started in : Normal mode
     User : Bryan [Administrator]
     Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
     Mode : Delete -- Date : 05/01/2017 12:19:07 (Duration : 00:19:09)

     ¤¤¤ Processes : 0 ¤¤¤

     ¤¤¤ Registry : 4 ¤¤¤
     [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 172.18.11.1 ([]) -> Replaced ()
     [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{be9b44c8-be9e-48c9-93ca-6ff935b40049} | DhcpNameServer : 172.18.11.1 ([]) -> Replaced ()
     [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1332302035-2113573720-2638189068-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Not selected
     [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1332302035-2113573720-2638189068-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Not selected

     ¤¤¤ Tasks : 0 ¤¤¤

     ¤¤¤ Files : 0 ¤¤¤

     ¤¤¤ WMI : 0 ¤¤¤

     ¤¤¤ Hosts File : 0 ¤¤¤

     ¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

     ¤¤¤ Web browsers : 0 ¤¤¤

     ¤¤¤ MBR Check : ¤¤¤
     +++++ PhysicalDrive0: SK hynix SH920 mSATA 128GB +++++
     --- User ---
     [MBR] b224d69bf1a5eb7129ae4076bb1d9402
     [BSP] b13aa31d14056dfac65d48caf3d6b181 : Empty|VT.Unknown MBR Code
     Partition table:
     0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 450 MB
     1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 923648 | Size: 100 MB
     2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1128448 | Size: 16 MB
     3 - Basic data partition | Offset (sectors): 1161216 | Size: 121537 MB
     User = LL1 ... OK
     User = LL2 ... OK
  2. The laptop behaves fine. This morning Windows Ink Workspace was randomly enabled, which I had never seen. Then I noticed the reinfection. There are 2 more entries from RogueKiller on this laptop; should I delete them?
  3. Alright, I disconnected the Ethernet cable from the infected PC (if it matters); then the router was reset. I ran DNSjumper and rebooted. FRST logs attached. Addition.txt FRST.txt
  4. This is the log from the laptop; it's since been disconnected from wireless. I deleted the 2 PUM.dns entries I had previously deleted. See the post above for the logs you requested from the PC. rk_4FA5.tmp.txt
  5. This is the RogueKiller log from the other PC. It seems my laptop that we have been working on above was reinfected. I ran RogueKiller and the same IPs showed back up, and a couple of other entries. I'll transfer the log via USB and post it below so you can look at it. rk_1DC8.tmp.txt
  6. While that is scanning, should I check the other PC on this network? I found that IP in the same place within the registry of the other PC as well.
  7. Hey Kevin, so there were two detections. RK.txt
  8. C:\Windows\System32\Drivers\etc\hosts => moved successfully
     Hosts restored successfully.

     =========== EmptyTemp: ==========

     BITS transfer queue => 0 B
     DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 11671766 B
     Java, Flash, Steam htmlcache => 543 B
     Windows/system/drivers => 2937016 B
     Edge => 211 B
     Chrome => 360107860 B
     Firefox => 106535559 B
     Opera => 0 B

     Temp, IE cache, history, cookies, recent:
     Default => 0 B
     Users => 0 B
     ProgramData => 0 B
     Public => 0 B
     systemprofile => 0 B
     systemprofile32 => 0 B
     LocalService => 21322 B
     NetworkService => 0 B
     defaultuser0 => 128 B
     Bryan => 57737431 B

     RecycleBin => 305669778 B
     EmptyTemp: => 805.6 MB temporary data Removed.

     ================================

     The system needed a reboot.

     ==== End of Fixlog 18:15:04 ====

     FRST.txt Fixlog.txt
  9. Thank you Kevin, I appreciate your time and help. I didn't find anything.
  10. Malwarebytes scan log:

      Malwarebytes
      www.malwarebytes.com

      -Log Details-
      Scan Date: 4/29/17
      Scan Time: 6:24 PM
      Logfile: log11.txt
      Administrator: Yes

      -Software Information-
      Version: 3.0.6.1469
      Components Version: 1.0.103
      Update Package Version: 1.0.1837
      License: Premium

      -System Information-
      OS: Windows 10
      CPU: x64
      File System: NTFS
      User: DESKTOP-DESVS04\Bryan

      -Scan Summary-
      Scan Type: Threat Scan
      Result: Completed
      Objects Scanned: 370346
      Time Elapsed: 3 min, 3 sec

      -Scan Options-
      Memory: Enabled
      Startup: Enabled
      Filesystem: Enabled
      Archives: Enabled
      Rootkits: Enabled
      Heuristics: Enabled
      PUP: Enabled
      PUM: Enabled

      -Scan Details-
      Process: 0 (No malicious items detected)
      Module: 0 (No malicious items detected)
      Registry Key: 0 (No malicious items detected)
      Registry Value: 0 (No malicious items detected)
      Registry Data: 0 (No malicious items detected)
      Data Stream: 0 (No malicious items detected)
      Folder: 0 (No malicious items detected)
      File: 0 (No malicious items detected)
      Physical Sector: 0 (No malicious items detected)

      (end)

      AdwCleaner log:

      # AdwCleaner v6.046 - Logfile created 29/04/2017 at 18:37:04
      # Updated on 24/04/2017 by Malwarebytes
      # Database : 2017-04-29.1 [Server]
      # Operating System : Windows 10 Home (X64)
      # Username : Bryan - DESKTOP-DESVS04
      # Running from : C:\Users\Bryan\Downloads\adwcleaner_6.046.exe
      # Mode: Scan
      # Support : https://www.malwarebytes.com/support

      ***** [ Services ] *****
      No malicious services found.

      ***** [ Folders ] *****
      No malicious folders found.

      ***** [ Files ] *****
      No malicious files found.

      ***** [ DLL ] *****
      No malicious DLLs found.

      ***** [ WMI ] *****
      No malicious keys found.

      ***** [ Shortcuts ] *****
      No infected shortcut found.

      ***** [ Scheduled Tasks ] *****
      No malicious task found.

      ***** [ Registry ] *****
      No malicious registry entries found.

      ***** [ Web browsers ] *****
      No malicious Firefox based browser items found.
      No malicious Chromium based browser items found.

      *************************

      C:\AdwCleaner\AdwCleaner[S0].txt - [999 Bytes] - [29/04/2017 18:37:04]

      ########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1071 Bytes] ##########

      MSRT log:

      ---------------------------------------------------------------------------------------
      Microsoft Windows Malicious Software Removal Tool v5.47, April 2017 (build 5.47.13703.0)
      Started On Sat Apr 29 18:40:43 2017

      Engine: 1.1.13601.0
      Signatures: 1.239.313.0
      Run Mode: Interactive Graphical Mode

      Results Summary:
      ----------------
      No infection found.
      Successfully Submitted Heartbeat Report
      Microsoft Windows Malicious Software Removal Tool Finished On Sat Apr 29 18:49:32 2017

      Return code: 0 (0x0)
  11. I've had a couple of accounts compromised; both used an identical password. I'm unsure how the password was stolen, but I want to rule out possible backdoors / trojans. I did a fresh reformat a few months ago but have since had another account compromised (I forgot to change the password, and little harm was done). I'm unsure how my data was being stolen. I suspect a man-in-the-middle attack, but I'd like to ensure I don't have any backdoors. I started a thread a few days ago but no one responded. FRST.txt Addition.txt
  12. Sorry, I forgot to upload the other file. Addition.txt
  13. I've had a couple of accounts compromised; both used an identical password. I'm unsure how the password was stolen, but I want to rule out possible backdoors / trojans. I did a fresh reformat a few months ago but have since had another account compromised (I forgot to change the password, and little harm was done). I'm unsure how my data was being stolen. Perhaps packet sniffers? I don't know, not my area of expertise.... FRST.txt