Jump to content

Recommended Posts

Hello and thank you for your support. I am an advanced windows 7 user who has been trying to remove infections from my computer for too long.  Recently a program called RogueKiller [paid MalwareBytes finds nothing]   has found continuing infections with the ever present PUM.DNS causing increasing sluggish behavior on PC. My paid MalwareBytes finds nothing.

 

Logs attached

FRST.txt

Addition.txt

Link to post
Share on other sites

Hello and welcome to Malwarebytes.org

 

The FRST logs you have posted are from non Administrator account, that is no good. You must run tools we list from an account with Administrator privileges.....

 

P2P/Piracy Warning:

 

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Next,

 

Change the download folder setting in the default Browser so all tools we may use are saved to the Desktop:

 

Chrome.JPGGoogle Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Settings.JPG

Choose Settings. at the bottom of the screen click the

"Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

 

Firefox.JPGMozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Settings.JPG Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and the click the "Select Folder" button. Click OK to get out of the Options menu.

 

IE.jpgInternet Explorer - Click the Tools menu in the upper right-corner of the browser. Tools.JPG Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.

NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

 

Next,

 

Follow the instructions in the following link to show hidden files:

 

http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

 

Next,

 

Please open Malwarebytes Anti-Malware.

 


On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
A Threat Scan will begin.
With some infections, you may see this message box.
 
        'Could not load DDA driver'
 
Click 'Yes' to this message, to allow the driver to load after a restart.
Allow the computer to restart. Continue with the rest of these instructions.
When the scan is complete, click Apply Actions.
Wait for the prompt to restart the computer to appear, then click on Yes.
After the restart once you are back at your desktop, open MBAM once more.

 

To get the log from Malwarebytes do the following:

 


Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click Export > From export you have three options:
 
  Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
  Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
  XML file (*.xml)      - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
 
Recommend you use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…

 

 

If Malwarebytes is not installed follow these instructions first:

 

Download Malwarebytes Anti-Malware to your desktop.


Double-click mbam-setup and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to the following:
Launch Malwarebytes Anti-Malware
A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
Click Finish. Follow the instructions above....

 

Next,

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

 


Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

 

Let me see those logs in your reply....

 

Thank you,

 

Kevin...

 

Link to post
Share on other sites

Darn....I'm so sorry. I had it and forgot. Sorry. \\Malwarebytes Anti-Malware

www.malwarebytes.org
 
Scan Date: 5/16/2015
Scan Time: 12:02:27 PM
Logfile: malwarebutes scan incl. rootkits.txt
Administrator: Yes
 
Version: 2.01.6.1022
Malware Database: v2015.05.16.04
Rootkit Database: v2015.05.14.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Feb28
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 379537
Time Elapsed: 11 min, 26 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
Link to post
Share on other sites

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

 

Next,

 

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

 


Quit all running programs.
For Windows XP, double-click to start.
For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
Read and accept the EULA (End User Licene Agreement)
Click Scan to scan the system.
When the scan completes select "Report", log will open. Close the program > Don't Fix anything!
Post back the report which should also be located here:

 

Thanks,

 

Kevin..

 

Fixlist.txt

Link to post
Share on other sites

Good Morning, and Gracias!

 

Fixlist:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 16-05-2015 02

Ran by Feb28 at 2015-05-17 05:35:12 Run:1
Running from C:\Users\Feb28\Desktop
Loaded Profiles: Feb28 & Justus (Available profiles: Feb28 & Justus)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
Start
HKLM\...\RunOnce: [] => [X]
HKLM\...\Policies\Explorer: [MemCheckBoxInRunDlg] 1
ShortcutTarget: Dropbox.lnk -> C:\Users\Feb28\AppData\Roaming\Dropbox\bin\Dropbox.exe (No File)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2467985793-1340154617-3576591315-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
S3 AppObserver; \??\C:\Program Files (x86)\NetRatingsNetSight\NetSight\meter1\appobserver64.sys [X]
C:\Users\Feb28\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Justus\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp7wshyw.dll
Emptytemp:
End
*****************
 
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\\ => value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\MemCheckBoxInRunDlg => value deleted successfully.
C:\Users\Feb28\AppData\Roaming\Dropbox\bin\Dropbox.exe not found.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-2467985793-1340154617-3576591315-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
AppObserver => Service deleted successfully.
C:\Users\Feb28\AppData\Local\Temp\dllnt_dump.dll => Moved successfully.
C:\Users\Justus\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp7wshyw.dll => Moved successfully.
EmptyTemp: => Removed 55.4 MB temporary data.
 
 
The system needed a reboot. 
 
==== End of Fixlog 05:35:30 ====

 

 

RogueKiller:

 

RogueKiller V10.6.3.0 [May 11 2015] by Adlice Software

 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Feb28 [Administrator]
Started from : C:\Users\Feb28\Desktop\RogueKiller.exe
Mode : Scan -- Date : 05/17/2015  06:11:02
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 9 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 192.168.0.1 205.171.3.65 192.168.1.1 [-][uNITED STATES (US)][-]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.0.1 205.171.3.65 192.168.1.1 [-][uNITED STATES (US)][-]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 192.168.0.1 205.171.3.65 192.168.1.1 [-][uNITED STATES (US)][-]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7BAE1ED5-3213-4E89-98A1-2C92911546DC} | DhcpNameServer : 192.168.0.1 205.171.3.65 192.168.1.1 [-][uNITED STATES (US)][-]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ED1C8129-E7DE-4081-9E47-A139674FD959} | DhcpNameServer : 192.168.0.1 205.171.3.65 192.168.1.1 [-][uNITED STATES (US)][-]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7BAE1ED5-3213-4E89-98A1-2C92911546DC} | DhcpNameServer : 192.168.0.1 205.171.3.65 192.168.1.1 [-][uNITED STATES (US)][-]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{ED1C8129-E7DE-4081-9E47-A139674FD959} | DhcpNameServer : 192.168.0.1 205.171.3.65 192.168.1.1 [-][uNITED STATES (US)][-]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7BAE1ED5-3213-4E89-98A1-2C92911546DC} | DhcpNameServer : 192.168.0.1 205.171.3.65 192.168.1.1 [-][uNITED STATES (US)][-]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{ED1C8129-E7DE-4081-9E47-A139674FD959} | DhcpNameServer : 192.168.0.1 205.171.3.65 192.168.1.1 [-][uNITED STATES (US)][-]  -> Found
 
¤¤¤ Tasks : 1 ¤¤¤
[suspicious.Path] \NCH Software\PrismSevenDays -- C:\Users\Justus\AppData\Roaming\NCH Software\Program Files\Prism\Prism.exe (-sevendays) -> Found
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost
 
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10 01FAES-60Z2A0 SATA Disk Device +++++
--- User ---
[MBR] d056d727486952dd7e9ee2a1d667add2
[bSP] 47f27b763a8c381bd02383bff523862e : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 953767 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive1: Seagate BUP Slim BK USB Device +++++
--- User ---
[MBR] fad7dd6e7038590c7bd3af798d19c678
[bSP] 7afb6a2d7abb0cd0a2403fa481b12045 : Empty MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 953867 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )
 
+++++ PhysicalDrive2: Generic- Compact Flash USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
 
+++++ PhysicalDrive3: Generic- SM/xD-Picture USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
 
+++++ PhysicalDrive4: Generic- SD/MMC USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
 
+++++ PhysicalDrive5: Generic- MS/MS-Pro USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
 
 
============================================
RKreport_SCN_03162015_082859.log - RKreport_DEL_03162015_083204.log - RKreport_DEL_03162015_083215.log - RKreport_DEL_03162015_083231.log
RKreport_SCN_03192015_074337.log - RKreport_DEL_03192015_074439.log - RKreport_SCN_04132015_084112.log - RKreport_DEL_04132015_084219.log
RKreport_DEL_04132015_084302.log - RKreport_SCN_04132015_084614.log - RKreport_DEL_04132015_084645.log - RKreport_SCN_04262015_163900.log
RKreport_DEL_04262015_163944.log - RKreport_SCN_05082015_121622.log - RKreport_SCN_05082015_124421.log - RKreport_DEL_05082015_124535.log
RKreport_SCN_05082015_124642.log - RKreport_DEL_05082015_124650.log - RKreport_DEL_05082015_124712.log - RKreport_DEL_05082015_124731.log
RKreport_SCN_05082015_145452.log - RKreport_DEL_05082015_145547.log - RKreport_SCN_05082015_150026.log - RKreport_SCN_05082015_150255.log
RKreport_SCN_05122015_145232.log - RKreport_SCN_05122015_145432.log - RKreport_SCN_05122015_150201.log - RKreport_DEL_05122015_150336.log
RKreport_SCN_05122015_150826.log - RKreport_SCN_05172015_055421.log - RKreport_SCN_05172015_060611.log
Link to post
Share on other sites

Dearest Kevin, I just realized that I forgot to include the fact that I have a second external hard drive which I rarely, but occasionally turn on.

 

Terribly sorry....is this a problem or will future anti-virus programs scan it successfully?

 

Thanks!

Link to post
Share on other sites

Leave 2nd drive for now, continue:

 

Upload a File to Virustotal

Go to http://www.virustotal.com/
 

  • Click the Choose file button
  • Navigate to the file C:\Users\Justus\AppData\Roaming\NCH Software\Program Files\Prism\Prism.exe
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the results back here please.

Next,

 

Please check to see if malware has modified your DNS settings using the DNSCHECK tool from F-Secure:

 

https://www.ismydnshijacked.com/

 

Press: Start test

 

What is the Verdict?

 

Any DNS hijacking detected?

 

Thanks,

 

Kevin......

Link to post
Share on other sites




Hi Kevin, hope this is right:

DNSCHECK tool from F-Secure: ALL IS WELL, NO ISSUES

FROM VIRUS TOTAL







SHA256:

642e6161ae9c4597131161cacc7851b482dc12004dd27e78c3f27b74d18d3441

File name:

prism.exe

Detection ratio:

1 / 57

Analysis date:

2015-05-17 15:08:25 UTC ( 0 minutes ago )


 



0

 



0

 












Antivirus

Result

Update

ESET-NOD32

a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe

20150517

ALYac

 

20150517

AVG

 

20150517

AVware

 

20150517

Ad-Aware

 

20150517

AegisLab

 

20150517

Agnitum

 

20150516

AhnLab-V3

 

20150517

Alibaba

 

20150517

Antiy-AVL

 

20150517

Avast

 

20150517

Avira

 

20150517

Baidu-International

 

20150517

BitDefender

 

20150517

Bkav

 

20150516

ByteHero

 

20150517

CAT-QuickHeal

 

20150516

CMC

 

20150513

ClamAV

 

20150517

Comodo

 

20150517

Cyren

 

20150517

DrWeb

 

20150517

Emsisoft

 

20150517

F-Prot

 

20150517

F-Secure

 

20150517

Fortinet

 

20150517

GData

 

20150517

Ikarus

 

20150517

Jiangmin

 

20150516

K7AntiVirus

 

20150517

K7GW

 

20150517

Kaspersky

 

20150517

Kingsoft

 

20150517

Malwarebytes

 

20150517

McAfee

 

20150517

McAfee-GW-Edition

 

20150517

MicroWorld-eScan

 

20150517

Microsoft

 

20150517

NANO-Antivirus

 

20150517

Norman

 

20150517

Panda

 

20150517

Qihoo-360

 

20150517

Rising

 

20150517

SUPERAntiSpyware

 

20150516

Sophos

 

20150517

Symantec

 

20150517

Tencent

 

20150517

TheHacker

 

20150515

TotalDefense

 

20150517

TrendMicro

 

20150517

TrendMicro-HouseCall

 

20150517

VBA32

 

20150515

VIPRE

 

20150517

ViRobot

 

20150517

Zillya

 

20150515

Zoner

 

20150515

nProtect

 

20150515





 

Link to post
Share on other sites

I kept getting a message that an extension I was using was not permitted. this was the only thing it found

Antivirus Result Update ESET-NOD32 a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe 20150517
Link to post
Share on other sites

RogueKiller entries are not malicious, do not try to remove

 

It is possible the software cause issues, is better to remove than keep... When the uninstall is complete re-boot your PC, when complete run the following:

 

51a612a8b27e2-Zoek.pngScan with ZOEK

 

Please download ZOEK by Smeenk from here: http://hijackthis.nl/smeenk/ and save it to your desktop (preferred version is the *.exe one)

Temporary disable your AntiVirus and AntiSpyware protection - instructions here.

 


Right-click on 51a612a8b27e2-Zoek.png icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
Wait patiently until the main console will appear, it may take a minute or two.
In the main box please paste in the following script:

 

services_list;standardsearch;autoclean;emptyclsid;emptyfolderscheck;deleteiedefaults;firefoxlook;chromelook;FFdefaults;CHRdefaults;

 

 


Make sure that Scan All Users option is checked.
Push Run Script and wait patiently. The scan may take a couple of minutes.
When the scan completes, a zoek-results logfile should open in notepad.
If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

 

Please include its content in your next reply. Don't forget to re-enable security software!

=====================================================

 

Download Zoek.zip from here http://www.hijackthis.nl/smeenk/220813/zoek.zip and save the zip file to your Desktop.

Double click zip file and extract to your  Desktop:

 

 

Zoekd.jpg

 

 

you will now have 3 versions of the tool on the Desktop:

 

 

%7Boption%7Dhttp://i121.photobucket.com/albums/o239/kevinf80/Zoek%20Scanner/Capture.png[/img]

 

Before running Zoek make sure all Browsers are closed and Security is turned OFF. Check at the following link: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

 

Double click on each in turn until one version of Zoek will run (accept UAC) The following window will open:

 

 

Zoekb.jpg

 

 

Copy and paste the following script from the code box and paste into the field.

 

 

standardsearch;autoruns;autoclean;FFdefaults;CHRdefaults;emptyalltemp;installedprogs;emptyfolderscheck;delete

 

 

Select the "Run Script" tab. The following window will open:

 

 

 

Zoekc.jpg

 

 

 

Please be patient and do not use the PC when the scan is in progress.

 

When complete you maybe asked to re-boot your PC, if so please do

 

Zoekf.jpg

 

Post the produced log in your next reply…..

 

Reboot when Zoek is finished, post log also let me know if there has been any improvement......

 

Thanks,

 

Kevin...

Link to post
Share on other sites

  I did everything per your instructions, but the  Zoek scans [2] continue to generate   script error boxes indicating scripting error at line 68 'file not found. "file:///C:/Users/Feb28/AppData/Local/Temp/zoekrun.hta"    Zoek then stalls.   Please advise.    Thanks

Link to post
Share on other sites

You are welcome and your help is invaluable.    The only thing that concerns me, and honestly I don't have a reference point for this, is that the cursor on a tab rotates counterclockwise sometimes for two revolutions.   I know this is difficult, but how does measure optimal performance on one's personal PC?   Is there a guide or standard for performance? I know I can do a speed teat, but that is only the modem's speed.  And I know this sounds funny but I get suspicious of the effectiveness of my Avast when it never finds anything.,    

 

Otherwise seems to be running smoothly. Good job!   And finally, may I contact you in the future for the inevitable performance issues on this machine?

 

Thanks so much, Kevin.

 

yours, Rosie

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.