Malwarebytes blocking outbound malicious websites - DNS unblocker


fearqq

Hi there,


I have had some issues in the last couple of days with DNS unblocker.

After reading some guides on how to remove it, I have been unsuccessful. Though it does not show up in my program list or as a Firefox addon.

 

I have however managed to get Malwarebytes Premium installed and now it prevents those annoying links, but does come up with a warning in the bottom right, every minute or two saying:

 

Blocked outgoing Malicious Website

Domain: m55.dnsqa.me

IP: 82.163.143.92

Port: 65504

Type: Outbound

Process: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

 

I have found that typically the same alert comes up each time, with a different port number. (e.g. 59515 & 58170)


I downloaded and ran the Farbar Recovery Scan Tool and my logs are attached.

 

Any help in resolving this issue would be greatly appreciated!


Kind Regards,

Fearqq

Addition.txt

FRST.txt

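As an added example (not part of the original post or of Malwarebytes' own tooling), a small Python script that parses alerts in the format quoted above and groups them by domain, IP, direction and process, so the port that changes on every alert does not make repeated blocks of the same connection look like distinct events. The sample alert text is constructed from the values reported in the post.

```python
import re
from collections import defaultdict

# Constructed sample: the alert fields quoted in the post, repeated once per
# port the poster reported (65504, 59515, 58170). Only the port varies.
ALERT_TEMPLATE = (
    "Blocked outgoing Malicious Website\n"
    "Domain: m55.dnsqa.me\n"
    "IP: 82.163.143.92\n"
    "Port: {port}\n"
    "Type: Outbound\n"
    "Process: C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe\n"
)
SAMPLE_ALERTS = "\n".join(ALERT_TEMPLATE.format(port=p) for p in (65504, 59515, 58170))

FIELD_RE = re.compile(r"^(Domain|IP|Port|Type|Process):\s*(.+?)\s*$")

def parse_alerts(text):
    """Split pasted alert text into one dict per 'Blocked ...' block."""
    alerts, current = [], None
    for line in text.splitlines():
        if line.startswith("Blocked "):
            current = {"Title": line.strip()}
            alerts.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return alerts

def summarize(alerts):
    """Group alerts by (domain, ip, type, process); the per-connection port is
    collected as a detail rather than used as part of the key."""
    groups = defaultdict(lambda: {"count": 0, "ports": set()})
    for a in alerts:
        key = (a.get("Domain"), a.get("IP"), a.get("Type"), a.get("Process"))
        g = groups[key]
        g["count"] += 1
        g["ports"].add(int(a["Port"]))
    return {k: {"count": v["count"], "ports": sorted(v["ports"])} for k, v in groups.items()}

if __name__ == "__main__":
    for (domain, ip, direction, proc), g in summarize(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{g['count']}x {direction} {proc} -> {domain} ({ip}); ports {g['ports']}")
```

Run on a longer pasted history, the summary shows at a glance how many distinct destinations and processes are actually involved, which is what a helper needs when deciding which file to look at.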

  • Staff

Hello fearqq and welcome to Malwarebytes forum.

 

You have a newer variant of this infection.

 

Would you please upload a file to VirusTotal so we can get a look at it, thanks.

 

There will be more, but could we please start with this one while I'm analyzing the logs.

 

Please do the following:

 

Submit a file to VirusTotal for analysis:

  • Use the Browse button on that page to navigate to the location of the file to be scanned.
  • In the right-hand panel, click on the file C:\ProgramData\bdeda84c\98a3ef6e.dll, then click the Open button.
  • The file will now be displayed in the submit box.
  • Scroll down a bit and click "Send file", then wait for the results.
  • If you get a message saying "File has already been analyzed", click "Reanalyze file now".
  • Once scanned, copy and paste the link to the results page in your next reply.

  • Staff

This fix is not going to fix the issue immediately; it is to collect data, if that is OK with you.

Our researchers would appreciate the assistance.

We will fix it as soon as we have collected the data, thank you.


Download attached fixlist.txt file and save it to the E:\Downloads folder where FRST64.exe is saved.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

 

Fixlist.txt

 

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Hi Catbyte,


Thank you for your prompt reply!

 

I did as you instructed and uploaded to VirusTotal, and did have to click Reanalyze after it said the file had already been analyzed.

 

Here is the link to the results page:

https://www.virustotal.com/en/file/7a803482c9fc63d9f5a95044c4606f72bdee15f9510b70b2c44e7a00c73c61d2/analysis/1456362210/


Cheers,

Fearqq


  • Staff

Hello, could you export a couple of registry keys as well?

 

(Are you comfortable going into the registry with regedit.exe, or I can give you a script?)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C7000BFB-40E1-47FD-8AD1-E1444FE0F3E0}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{23B989CB-E170-4EF7-9BDE-6E843491BE89}

Please save the exports as .txt files and attach them.


  • Staff

There are just a couple of leftovers to remove.

Do you know what this file is?

C:\Windows\AutoKMS

NEXT

Please do the following:

Download attached fixlist.txt file and save it to the E:\Downloads folder
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

 

Fixlist.txt

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

NEXT

 

Please advise how the computer is running now and if there are any outstanding issues.


  • Staff

Looks good.

 

Go ahead and right click and delete this folder: C:\Windows\AutoKMS

 

Let's run the following adware removal tool to make sure there's no leftover adware now that we've cleaned the nasty stuff:


Download AdwCleaner from here and save it to your desktop.

Run AdwCleaner.

Click the "Options" menu heading on the menu bar and uncheck "Reset Winsock Settings".

Now select Scan.

If items are found, please select the Cleaning button.

Once done it will ask to reboot; allow the reboot.

On reboot a log will be produced; please attach the content of the log to your next reply.


  • Staff

As long as there are no outstanding issues then you should be fine.

You can delete the FRST logs and program from your desktop.

NEXT

Double click on adwcleaner.exe to run the tool.
Click on the Uninstall button.
Confirm with Yes.

If there are any logs/tools remaining on your desktop, right click and delete them.

Thank you for your patience, and for performing all of the procedures requested.
If there are no other questions or concerns then we can go ahead and close this thread.


Okay, so I hadn't had any issues until just now.

 

It seems that my Malwarebytes Anti-Malware ran an automatic scan and detected 2 threats that are along the lines of "DNSUnblocker".

 

I clicked remove on the 2 files and have attached the log.


Does this mean it is still lurking on my computer somewhere else creating these files?

results 1 march.txt


  • Staff

Those entries represent the registry entry for your installed programs list:

"HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL"

When DNS Unblocker installs itself it can sometimes show up in the installed programs list.

It doesn't mean the program is still installed; it's just the list entry only.


Does this key exist or was Malwarebytes able to remove it?

[HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{BDEDA84C}]

(We've been updating the database on a regular basis to remove all traces of this variant, which is why it may have found it now, but not before.)
