DNS Unlocker

[TT280]

Hi, I seem to be in the same position as Manbaby (Posted 25 August 2015 - 11:37 AM). Have been through all the steps I can find to remove 'DNSUnlocker', run Kaspersky, Malwarebytes, tried removing 'addons', but couldn't find any.

 

Finally I have followed the instructions in this topic up to the point where you advise using Rogue Killer but 'not fixing anything'. I didn't fix anything. You then advise sending some of the log files and waiting for ypour response. Please see attached below.

 

DNSUnlocker appears on all my browsers (Explorer, Chrome and Firefox).

 

<2015-08-31A Malwarebytes Scan Result.xml> is result before removal of files.

 

<2015-08-31B Malwarebytes Scan Result.xml> is a scan after removal of files

 

Thanks,

 

TT280

 

2015-08-31A Malwarebytes Scan Result.xml2015-08-31B Malwarebytes Scan Result.xml

Addition.txt

FRST.txt

Roguekiller Export TXT Log 2015-08-31A.txt

[kevinf80]

Hello and welcome,

P2P/Piracy Warning:
 

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

 

Next,

 

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

 

Please open Malwarebytes Anti-Malware.

• On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
• Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
• Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
• A Threat Scan will begin.
• With some infections, you may or may not see this message box.
  
          'Could not load DDA driver'
• Click 'Yes' to this message, to allow the driver to load after a restart.
• Allow the computer to restart. Continue with the rest of these instructions.
• When the scan is complete, click Apply Actions.
• Wait for the prompt to restart the computer to appear, then click on Yes.
• After the restart once you are back at your desktop, open MBAM once more.
  

To get the log from Malwarebytes do the following:

• Click on the History tab > Application Logs.
• Double click on the scan log which shows the Date and time of the scan just performed.
• Click Export > From export you have three options:
  
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
    XML file (*.xml)      - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
• Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…
  

 

Please do not use or attach as XML file...
 

Next,

 

Download AdwCleaner by Xplode onto your Desktop.

• Double click on Adwcleaner.exe to run the tool.
• Click on the Scan in the Actions box
• Please wait fot the scan to finish..
• When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
• Click on the Cleaning box.
• Next click OK on the "Closing Programs" pop up box.
• Click OK on the Information box & again OK to allow the necessary reboot
• After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...
  

 
Next,
 
Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts. (re-enable when done)
• Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next message.
  

 

Next,

 

Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

32 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and  Click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log
 

 

Let me see those logs, also give an update on any remaining issues or concerns...

 

Thank you,

 

Kevin.

 

 

 

 

 

 

Fixlist.txt

[TT280]

Hi Kevin, Thanks for the help. Please find logs pasted below and note pad versions attached.

 

After a quick test the browsers look clear now, fingers crossed?

 

Thanks.

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 06/09/2015
Scan Time: 12:18
Logfile:
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.09.06.03
Rootkit Database: v2015.08.16.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: User

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 438712
Time Elapsed: 6 min, 20 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

 

# AdwCleaner v5.005 - Logfile created 06/09/2015 at 13:42:22
# Updated 31/08/2015 by Xplode
# Database : 2015-09-04.4 [server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : User - HFIELD-YOYO-01
# Running from : C:\Users\User\Desktop\AdwCleaner.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\Program Files (x86)\globalUpdate
[-] Folder Deleted : C:\ProgramData\ec9c076800005c0d
[-] Folder Deleted : C:\ProgramData\{75d7e487-1bf3-6eea-75d7-7e4871bf921c}
[-] Folder Deleted : C:\Users\User\AppData\Local\globalUpdate
[-] Folder Deleted : C:\Users\User\AppData\Roaming\Store
[-] Folder Deleted : C:\Users\User\AppData\Roaming\WTools

***** [ Files ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\836e2399-690b-e108-8b60-102ea7cccd8c
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{062D6B05-B83A-46DE-81AD-1750FB7C8DE5}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{92B0265C-B929-4D42-BA54-75AA39C99198}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{062D6B05-B83A-46DE-81AD-1750FB7C8DE5}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{92B0265C-B929-4D42-BA54-75AA39C99198}
[-] Key Deleted : HKCU\Software\GlobalUpdate
[-] Key Deleted : HKCU\Software\Store
[-] Key Deleted : HKCU\Software\WTools
[-] Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
[-] Key Deleted : HKLM\SOFTWARE\GlobalUpdate
[!] Key Not Deleted : [x64] HKCU\Software\GlobalUpdate
[!] Key Not Deleted : [x64] HKCU\Software\Store
[!] Key Not Deleted : [x64] HKCU\Software\WTools

***** [ Web browsers ] *****

[-] [C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Web Data] [search Provider] Deleted : uk.ask.com

*************************

:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1998 bytes] ##########

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.6.0 (08.31.2015:1)
OS: Windows 7 Professional x64
Ran by User on 06/09/2015 at 13:56:24.98
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Tasks



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ FireFox

Successfully deleted: [File] C:\Users\User\AppData\Roaming\mozilla\firefox\profiles\5pjxz78z.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi
Emptied folder: C:\Users\User\AppData\Roaming\mozilla\firefox\profiles\5pjxz78z.default\minidumps [1 files]



~~~ Chrome


[C:\Users\User\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - default search provider reset

[C:\Users\User\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:

[C:\Users\User\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset

[C:\Users\User\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[]





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 06/09/2015 at 13:58:28.87
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.19, December 2014 (build 5.19.10902.0)
Started On Fri Dec 26 09:58:24 2014

Engine: 1.1.11202.0
Signatures: 1.189.872.0

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Fri Dec 26 09:59:10 2014


Return code: 0 (0x0)

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.20, January 2015 (build 5.20.11000.0)
Started On Wed Jan 14 03:00:20 2015

Engine: 1.1.11302.0
Signatures: 1.191.1276.0

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Jan 14 03:01:22 2015


Return code: 0 (0x0)

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.21, February 2015 (build 5.21.11102.0)
Started On Wed Feb 11 03:00:49 2015

Engine: 1.1.11302.0
Signatures: 1.191.3593.0

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Feb 11 03:02:05 2015


Return code: 0 (0x0)

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.22, March 2015 (build 5.22.11202.0)
Started On Sat Mar 21 10:28:11 2015

Engine: 1.1.11400.0
Signatures: 1.193.1181.0

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Sat Mar 21 10:29:47 2015


Return code: 0 (0x0)

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.23, April 2015 (build 5.23.11300.0)
Started On Sat Apr 18 21:38:34 2015

Engine: 1.1.11502.0
Signatures: 1.195.1215.0

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Sat Apr 18 21:40:18 2015


Return code: 0 (0x0)

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.24, May 2015 (build 5.24.11401.0)
Started On Thu May 14 07:06:42 2015

Engine: 1.1.11602.0
Signatures: 1.197.1100.0

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Thu May 14 07:08:02 2015


Return code: 0 (0x0)

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.25, June 2015 (build 5.25.11502.0)
Started On Wed Jun 24 02:29:03 2015

Engine: 1.1.11701.0
Signatures: 1.199.892.0

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Jun 24 02:31:29 2015


Return code: 0 (0x0)

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.26, July 2015 (build 5.26.11604.0)
Started On Thu Jul 23 02:53:13 2015

Engine: 1.1.11804.0
Signatures: 1.201.883.0

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Thu Jul 23 02:55:15 2015


Return code: 0 (0x0)

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.27, August 2015 (build 5.27.11700.0)
Started On Wed Aug 12 01:22:42 2015

Engine: 1.1.11903.0
Signatures: 1.203.693.0

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Aug 12 01:24:54 2015


Return code: 0 (0x0)

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.27, August 2015 (build 5.27.11700.0)
Started On Sun Sep 06 14:04:43 2015

Engine: 1.1.11903.0
Signatures: 1.203.693.0

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Sun Sep 06 14:16:51 2015


Return code: 0 (0x0)

mrt 2015-09-06 14-10ish.log

JRT 2015-09-06 13-56.txt

AdwCleaner 2015-09-06 13-42.txt

Malwarebytes Scan 2015-09-06 12-18.txt

[kevinf80]

Run your sytem as normal for a couple of hours, see how it responds. Post back if all is ok, or not. If ok we can clean up....

 

Cheers,

 

Kevin..

[TT280]

Hi Kevin, Been through everything I can think of that I might have used in the period I contracted the malware and everything appears to be working as it should. Next question I guess is what I should do now, assuming it has been removed, to prevent reinfection. Kaspersky seems to have failed in this case so I should inform them. What info should I send them?

 

Thanks for your help in this.

[kevinf80]

The only issue I could see was Browser Hijacker, regardless of whatever security you have these hijackers have many ways to infect your system. It could have been a simple link in an email or a poisoned website, or even exploits via Java, Adobe etc etc...

 

I personally use and Kaspersky IS combined with Malwarebytes Premium, never had any issues up to now...

 

Lets clean up...

 

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:

• 
     
• Remove disinfection tools
     
• Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
     
• Reset system settings
  

Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…
 

Next,

 

Read the following link to fully understand PC security and best practices, you may find it useful....

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629
 

Let me know if we are ok to close out....

 

Thank you,

 

Kevin...

[TT280]

That seemed to run OK however Kaspersky wasn't too happy about it! It thought a trojan was running and wants to disinfect? Please see attached jpeg.

[kevinf80]

Just ignore that entry from Kaspersky, is ok. I guess malware tools can get security programs on alert as they make similar actions to malware/infections...

 

Take care and surf safe,

 

Kevin..

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!