Jump to content
Due to inclement weather in Southwest Florida, our Clearwater support team is offline. Our other offices are available to assist you, however their responses may be delayed. We appreciate your patience and understanding during this time. ×

ATTN: kevinf80 - Help Removing m69.dnsqa.me


bilzz
 Share

Recommended Posts

I seem to have picked up some malware that I could no clean using the usual tools, I stumbled across this forum and Kevinf80's tailored steps helped another user fix the same issue.

 

I tried a system restore to an earlier time but the following notice seems to appear every now and again (not every time I run chrome, or open a new tab) in chrome.

 

post-200039-0-36390200-1456177530_thumb.

 

Attached are the logs for the run FRST before (22/02) and after (23/02) the restore

 

Ps. I have since uninstalled uTorrent and removed it from my firewall exceptions.

 

Regards,

Bilal

 

Addition_22-02-2016_14-48-44.txt

Addition_23-02-2016_08-50-19.txt

FRST_22-02-2016_14-48-44.txt

FRST_23-02-2016_08-50-19.txt

Link to post
Share on other sites

Hello and welcome to Malwarebytes,

Please be aware the following P2P/Piracy Warning is a standard opening reply made here at Malwarebytes, we make no accusations but do make you aware of Forum Protocol....

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.


Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...
 

Next,

 

Reset your router, instructons available at the following link:

http://setuprouter.com/networking/how-to-reset-your-router/

Follow those instructions very carefully.

Next,

Download and unzip DNSJumper to your Desktop, the tool is portable no installation necessary.

Tool can be downloaded here: http://www.sordum.org/downloads/?dns-jumper

Right click on Dnsjumper.exe and select "Run as Administrator" to start the tool, For XP just double click to run.
From the left hand pane select "Flush DNS"
From the main interface select the dropdown under "Choose a DNS Server"
From the list select either "Google Public DNS" or "Open DNS"
From the left hand pane select "Apply DNS"
When done re-boot your system....

 

Next,

 

Please open Malwarebytes Anti-Malware.

  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete Apply Actions to any found entries.
  • Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.


To get the log from Malwarebytes do the following:

  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:

      Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
      Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
      XML file (*.xml)      - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…



Next,

 

thisisujrt.gif Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts. (re-enable when done)
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 
Next,
 
Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista,Windows 7/8/8.1/10, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
  • Read and accept the EULA (End User Licene Agreement)
  • Click Scan to scan the system.
  • When the scan completes select "Report",in the next window select "Export txt" the log will open as a text file post that log... Also save to your Desktop for reference. log will open.
  • Close the program > Don't Fix anything!

 

Next,

 

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs....
 

Let me see the produced logs....

 

Thank you,

 

Kevin..

 

Link to post
Share on other sites

Thanks for the quick reply Kevin. Please find the logs requested.

 

 

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 23/02/2016
Scan Time: 11:38 AM
Logfile: 
Administrator: Yes
 
Version: 2.2.0.1024
Malware Database: v2016.02.22.06
Rootkit Database: v2016.02.17.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 8.1
CPU: x64
File System: NTFS
User: Bilal
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 437902
Time Elapsed: 11 min, 19 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.3 (02.09.2016)
Operating System: Windows 8.1 x64 
Ran by Bilal (Administrator) on Tue 23/02/2016 at 11:56:25.46
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 12 
 
Successfully deleted: C:\ProgramData\iobit\driver booster (Folder) 
Successfully deleted: C:\ProgramData\productdata (Folder) 
Successfully deleted: C:\Users\Bilal\AppData\Roaming\iobit\driver booster (Folder) 
Successfully deleted: C:\Users\Bilal\AppData\Roaming\productdata (Folder) 
Successfully deleted: C:\WINDOWS\system32\Tasks\Driver Booster Scheduler (Task)
Successfully deleted: C:\WINDOWS\system32\Tasks\Driver Booster SkipUAC (Bilal) (Task)
Successfully deleted: C:\WINDOWS\system32\Tasks\SmartDefrag4_Startup (Task)
Successfully deleted: C:\WINDOWS\system32\Tasks\Uninstaller_SkipUac_Bilal (Task)
Successfully deleted: C:\WINDOWS\Tasks\Uninstaller_SkipUac_Bilal.job (Task) 
Successfully deleted: C:\Program Files (x86)\iobit\driver booster (Folder) 
Successfully deleted: C:\WINDOWS\SysWOW64\REN13B8.tmp (File) 
Successfully deleted: C:\WINDOWS\SysWOW64\RENFDFC.tmp (File) 
 
 
 
Registry: 2 
 
Successfully deleted: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} (Registry Key)
Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} (Registry Key)
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 23/02/2016 at 11:57:59.41
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
RogueKiller V11.0.13.0 [Feb 22 2016] (Free) by Adlice Software
 
Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : Bilal [Administrator]
Started from : C:\temp\RogueKiller.exe
Mode : Scan -- Date : 02/23/2016 12:15:00
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 14 ¤¤¤
[PUP] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10921475-03CE-4E04-90CE-E2E7EF20C814} (C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer.dll) -> Found
[PUP|VT.W32.Adware.Iobit!c] (X64) HKEY_USERS\S-1-5-21-2461960175-3164439494-1075639025-1002\Software\Microsoft\Windows\CurrentVersion\Run | Advanced SystemCare 9 : "C:\Program Files (x86)\IObit\Advanced SystemCare\ASCTray.exe" /Auto [7][x] -> Found
[PUP|VT.W32.Adware.Iobit!c] (X86) HKEY_USERS\S-1-5-21-2461960175-3164439494-1075639025-1002\Software\Microsoft\Windows\CurrentVersion\Run | Advanced SystemCare 9 : "C:\Program Files (x86)\IObit\Advanced SystemCare\ASCTray.exe" /Auto [7][x] -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2461960175-3164439494-1075639025-1002\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2461960175-3164439494-1075639025-1002\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 61.88.88.88 8.8.8.8 10.0.0.110 10.0.0.65 ([-][-][AU][AU])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 61.88.88.88 8.8.8.8 10.0.0.110 10.0.0.65 ([-][-][AU][AU])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{300A0167-4F0C-4E66-BD7D-C3D57AE856F3} | DhcpNameServer : 61.88.88.88 8.8.8.8 10.0.0.110 10.0.0.65 ([-][-][AU][AU])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8C8CC76D-C585-432D-B66D-C8B9DD69258D} | NameServer : 8.8.8.8,8.8.4.4,10.0.0.254 ([-][-][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8C8CC76D-C585-432D-B66D-C8B9DD69258D} | DhcpNameServer : 61.88.88.88 8.8.8.8 10.0.0.110 10.0.0.65 ([-][-][AU][AU])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{300A0167-4F0C-4E66-BD7D-C3D57AE856F3} | DhcpNameServer : 61.88.88.88 8.8.8.8 10.0.0.110 10.0.0.65 ([-][-][AU][AU])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{8C8CC76D-C585-432D-B66D-C8B9DD69258D} | NameServer : 8.8.8.8,8.8.4.4,10.0.0.254 ([-][-][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{8C8CC76D-C585-432D-B66D-C8B9DD69258D} | DhcpNameServer : 61.88.88.88 8.8.8.8 10.0.0.110 10.0.0.65 ([-][-][AU][AU])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{8C8CC76D-C585-432D-B66D-C8B9DD69258D} | NameServer : 8.8.8.8,8.8.4.4,10.0.0.254 ([-][-][X])  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 8 ¤¤¤
[PUP][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced SystemCare\Advanced SystemCare 9.lnk [LNK@] C:\PROGRA~2\IObit\Advanced SystemCare\ASC.exe /manual -> Found
[PUP][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced SystemCare\Protect.lnk [LNK@] C:\PROGRA~2\IObit\Advanced SystemCare\ASC.exe /Protect -> Found
[PUP][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced SystemCare\Speed Up.lnk [LNK@] C:\PROGRA~2\IObit\Advanced SystemCare\ASC.exe /turboboost -> Found
[PUP][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced SystemCare\Toolbox.lnk [LNK@] C:\PROGRA~2\IObit\Advanced SystemCare\ASC.exe /toolbox -> Found
[PUP][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced SystemCare\Uninstall Advanced SystemCare.lnk [LNK@] C:\PROGRA~2\IObit\Advanced SystemCare\unins000.exe -> Found
[PUP][Folder] C:\ProgramData\{BAF091CA-86C4-4627-ADA1-897E2621C1B0} -> Found
[PUP][Folder] C:\ProgramData\{FD6F83C0-EC70-4581-8361-C70CD1AA4B98} -> Found
[PUP][Folder] C:\Program Files (x86)\IObit\Advanced SystemCare -> Found
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SAMSUNG MZHPU128HCGM-00000 +++++
--- User ---
[MBR] b2eac867ccab171d8379cd8c4e6b096d
[bSP] d27da016aca6b06b981e0caa41543347 : Empty|VT.Unknown MBR Code
Partition table:
0 - [sYSTEM][MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 260 MB
1 - [sYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 534528 | Size: 1474 MB
2 - [MAN-MOUNT] EFI system partition | Offset (sectors): 3553280 | Size: 260 MB
3 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 4085760 | Size: 128 MB
4 - Basic data partition | Offset (sectors): 4347904 | Size: 105018 MB
5 - [sYSTEM][MAN-MOUNT]  | Offset (sectors): 219424768 | Size: 450 MB
6 - [sYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 220346368 | Size: 14513 MB
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive1: SD Card +++++
--- User ---
[MBR] 960cd2a7af464ceb2d2d67ceb9d6faca
[bSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 32768 | Size: 119520 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )
 

 

 

Link to post
Share on other sites

Thanks for the logs, do you know of and trust the following IP address?

 

IP Information for 61.88.88.88
Quick Stats
IP Location     Australia Australia Macquarie Park Singtel Optus Pty Ltd
ASN     Australia AS7474 OPTUSCOM-AS01-AU SingTel Optus Pty Ltd (registered Feb 03, 1997)
Resolve Host     ns.optus.net.au
Whois Server     whois.apnic.net
IP Address     61.88.88.88

 

Also give me an update on any remaining issues or concerns....

 

Thanks,

 

Kevin

Link to post
Share on other sites

The logs do look normal, I see no listed dns server IP`s that match your original blocked alert from Malwarebytes.... Lets wait another 24 hours, see if the block alert shows again... Probably worth running an online AV scan, that scan may take several hours, use the scan mabe overnight when the PC is idle..

 

ESETOnline.png Scan with ESET Online Scanner

This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.
Please visit ESET Online Scanner website.

Click there Run ESET Online Scanner.

If using Internet Explorer:

  • Accept the Terms of Use and click Start.
  • Allow the running of add-on.

If using Mozilla Firefox or Google Chrome:
  • Download esetsmartinstaller_enu.exe that you'll be given link to.
  • Double click esetsmartinstaller_enu.exe.
  • Allow the Terms of Use and click Start.


To perform the scan:

  • Make sure that Remove found threats is unchecked.
  • Scan archives is checked.
  • In Advanced Settings: Scan for potentially unwanted applications, Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked.
  • Under “Enable Stealth Technology select “Change” select any extra drives in that window.
  • Click Start
  • The program will begin to download it's virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please, be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When the scan is done, click Finish.
  • A logfile will be created at C:\Program Files (x86)\ESET\ESET Online Scanner. Open it using Notepad.



Please include this logfile in your next reply.

Don't forget to re-enable protection software!
 

Cheers,

 

Kevin...

Link to post
Share on other sites

ESETSmartInstaller@High as downloader log:

all ok

# product=EOS

# version=8

# OnlineScannerApp.exe=1.0.0.1

# EOSSerial=414b9596a5691e4888a41067192cc647

# end=init

# utc_time=2016-02-23 12:35:14

# local_time=2016-02-23 11:35:14 (+1000, AUS Eastern Daylight Time)

# country="Australia"

# osver=6.2.9200 NT 

Update Init

Update Download

Update Finalize

Updated modules version: 28263

# product=EOS

# version=8

# OnlineScannerApp.exe=1.0.0.1

# EOSSerial=414b9596a5691e4888a41067192cc647

# end=updated

# utc_time=2016-02-23 12:41:30

# local_time=2016-02-23 11:41:30 (+1000, AUS Eastern Daylight Time)

# country="Australia"

# osver=6.2.9200 NT 

# product=EOS

# version=8

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.7777

# api_version=3.1.1

# EOSSerial=414b9596a5691e4888a41067192cc647

# engine=28263

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2016-02-23 02:38:09

# local_time=2016-02-24 01:38:09 (+1000, AUS Eastern Daylight Time)

# country="Australia"

# lang=1033

# osver=6.2.9200 NT 

# compatibility_mode_1=''

# compatibility_mode=5893 16776573 100 94 53262 20031459 0 0

# scanned=291726

# found=4

# cleaned=0

# scan_time=6998

sh=55344CC446A2FB45DDD05BB3E307FC6CC80C572C ft=0 fh=0000000000000000 vn="Win32/PSWTool.ProductKey potentially unsafe application" ac=I fn="C:\Users\Bilal\SharePoint\ICT IT - Documents\Apps\produkey.zip"

sh=D2DED3E308494EDACD0B3BD851E5BF3ECCB0AB8E ft=0 fh=0000000000000000 vn="a variant of Win32/PSWTool.PstPassword.A potentially unsafe application" ac=I fn="C:\Users\Bilal\SharePoint\ICT IT - Documents\Apps\pstpassword.zip"

sh=7457A2146E4FFAA326FC32B1EB4473C3BFECBBAB ft=0 fh=0000000000000000 vn="a variant of Win32/Sniffer.SniffPass.A potentially unsafe application" ac=I fn="C:\Users\Bilal\SharePoint\ICT IT - Documents\Apps\sniffpass.zip"

sh=9E495D2C7FE33544BDCAA199BF4CC6DC61B1FC13 ft=0 fh=0000000000000000 vn="a variant of Win32/PSWTool.MailPassView.E potentially unsafe application" ac=I fn="D:\Users\Bilal\Downloads\mailpv.zip"

 

 

The unsafe applications that it has picked up are known false positives.

Link to post
Share on other sites

Yes nothing to worry about in those results, unless you have any other issues lets clean up....

 

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix either, accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:



  •    
  • Remove disinfection tools
       
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
       
  • Reset system settings



Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…
 

Next,

 

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...  busy.gif
 

Link to post
Share on other sites

  • 2 weeks later...
  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.