m55.dnsqa.me website blocked


Hi

 

My friend's computer picked up some malware that was redirecting them to various (presumably fake) "cleanup tool" sites.  I cleaned this using Malwarebytes (thanks!) but now whenever Google is fired up I see:

Malicious website blocked
domain m55.dnsqa.me
IP 82.163.143.92
Port 59710
Type Outbound
Process chrome.exe
 
Have tried a few other cleaners with no success.  FRST logs are attached.  Many thanks for any help in advance!
 
Steve

Addition.txt

FRST.txt


Hello stevew88, welcome to Malwarebytes' Malware Removal forum!
 
My name is Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name I would prefer that. :)
 
General P2P/Piracy Notice: 
 

If you are using Peer to Peer (P2P) filesharing software such as uTorrent, BitTorrent or similar you must either fully uninstall or completely disable the programme(s) from running whilst receiving assistance at this forum. 
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked/keygen or similar software on the computer, please remove/uninstall the software now and read the policy on Piracy. Failure to do so will also result in your topic being closed.

 
======================================================
 
Please read through the points below to ensure this process moves as quickly and efficiently as possible.

  • Ensure you read through my instructions thoroughly, and carry out each step in the order specified.
  • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in providing the best set of instructions for you.
  • Please backup important files before proceeding with my instructions. Malware removal can be unpredictable at times.   
  • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before proceeding.
  • I will notify you when I believe your computer is free of malware. Please bear in mind, absence of symptoms does not necessarily correlate to absence of malware, so please wait until the "All Clean". 

======================================================

 

Please carry out the instructions below:
 
STEP 1
Malwarebytes Anti-Malware (MBAM)

  • Open Malwarebytes Anti-Malware and click Update Now.
  • Once updated, click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
  • Click the Scan tab, ensure Threat Scan is selected and click Start Scan.
  • Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards. 
  • If threats are detected, click Remove Selected. If you are prompted to reboot, click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • Click Copy to Clipboard and paste the log in your next reply. 
     

STEP 2
Farbar Recovery Scan Tool (FRST) Script

  • Press the Windows Key + R on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    start
    CreateRestorePoint:
    ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
    Tcpip\..\Interfaces\{1cde122d-ee0c-42bd-aef8-4f0679340206}: [DhcpNameServer] 82.163.143.171
    Tcpip\..\Interfaces\{37ddf4ee-caa2-4fe8-85be-11c81949b402}: [DhcpNameServer] 82.163.143.171
    Tcpip\..\Interfaces\{d56193f4-1d00-46f7-a021-0a49204a536c}: [DhcpNameServer] 82.163.143.171
    BHO-x32: No Name -> {92EF2EAD-A7CE-4424-B0DB-499CF856608E} -> No File
    2016-02-10 19:19 - 2016-02-10 19:19 - 00000000 ____D C:\Users\Public\Documents\Baidu
    Task: {C0B372B6-2632-4956-9845-E79C303EEA75} - System32\Tasks\{2A37BE58-94D2-477A-B423-D9B363733B0E} => pcalua.exe -a C:\Users\User\AppData\Local\{26441018-02EC-7CA0-6F74-59484B1CA5D0}\uninstall.exe -c /Uninstall /s /noun /DelSelfDir
    Task: {C728B1CA-CEFF-443D-AB06-472EB0F9605F} - \{BFAE3D3C-A172-E54E-54A2-6536F48531DA} -> No File <==== ATTENTION
    CMD: ipconfig /flushdns
    EmptyTemp:
    end
  • Click File > Save As and type fixlist.txt as the File Name
  • Important: The file must be saved in the same location as FRST64.exe. 

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

  • Right-click FRST64.exe and select Run as administrator to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
     

======================================================

STEP 3
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • MBAM log
  • Fixlog.txt

Many thanks for your help Adam!  By all means call me Steve  :)

 

Step 1 MBAM log contents:

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 09/03/2016
Scan Time: 15:47
Logfile: 
Administrator: Yes
 
Version: 2.2.0.1024
Malware Database: v2016.03.09.04
Rootkit Database: v2016.02.27.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 10
CPU: x64
File System: NTFS
User: User
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 411627
Time Elapsed: 12 min, 7 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
Step 2 FRST, fixlog.txt contents:
Fix result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by User (2016-03-09 16:06:46) Run:1
Running from C:\Users\User\Downloads
Loaded Profiles: User & hbsha (Available Profiles: User & hbsha)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
CreateRestorePoint:
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
Tcpip\..\Interfaces\{1cde122d-ee0c-42bd-aef8-4f0679340206}: [DhcpNameServer] 82.163.143.171
Tcpip\..\Interfaces\{37ddf4ee-caa2-4fe8-85be-11c81949b402}: [DhcpNameServer] 82.163.143.171
Tcpip\..\Interfaces\{d56193f4-1d00-46f7-a021-0a49204a536c}: [DhcpNameServer] 82.163.143.171
BHO-x32: No Name -> {92EF2EAD-A7CE-4424-B0DB-499CF856608E} -> No File
2016-02-10 19:19 - 2016-02-10 19:19 - 00000000 ____D C:\Users\Public\Documents\Baidu
Task: {C0B372B6-2632-4956-9845-E79C303EEA75} - System32\Tasks\{2A37BE58-94D2-477A-B423-D9B363733B0E} => pcalua.exe -a C:\Users\User\AppData\Local\{26441018-02EC-7CA0-6F74-59484B1CA5D0}\uninstall.exe -c /Uninstall /s /noun /DelSelfDir
Task: {C728B1CA-CEFF-443D-AB06-472EB0F9605F} - \{BFAE3D3C-A172-E54E-54A2-6536F48531DA} -> No File <==== ATTENTION
CMD: ipconfig /flushdns
EmptyTemp:
end
*****************
 
Restore point was successfully created.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast" => key removed successfully
HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found. 
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1cde122d-ee0c-42bd-aef8-4f0679340206}\\DhcpNameServer => value removed successfully
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{37ddf4ee-caa2-4fe8-85be-11c81949b402}\\DhcpNameServer => value removed successfully
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d56193f4-1d00-46f7-a021-0a49204a536c}\\DhcpNameServer => value removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}" => key removed successfully
HKCR\Wow6432Node\CLSID\{92EF2EAD-A7CE-4424-B0DB-499CF856608E} => key not found. 
C:\Users\Public\Documents\Baidu => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C0B372B6-2632-4956-9845-E79C303EEA75}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C0B372B6-2632-4956-9845-E79C303EEA75}" => key removed successfully
C:\WINDOWS\System32\Tasks\{2A37BE58-94D2-477A-B423-D9B363733B0E} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{2A37BE58-94D2-477A-B423-D9B363733B0E}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C728B1CA-CEFF-443D-AB06-472EB0F9605F}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C728B1CA-CEFF-443D-AB06-472EB0F9605F}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{BFAE3D3C-A172-E54E-54A2-6536F48531DA}" => key removed successfully
 
=========  ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
EmptyTemp: => 1.2 GB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 16:07:13 ====
 
 
Thanks again
Steve

Hi Steve, 
 
Please run the following scan, and let me know if you are still experiencing outbound website blocks from Malwarebytes Anti-Malware. 
 
ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

  • Please download ESET Online Scan and save the file to your Desktop.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Double-click esetsmartinstaller_enu.exe to run the programme. 
  • Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
  • Agree to the Terms of Use once more and click Start. Allow components to download.
  • Place a checkmark next to Enable detection of potentially unwanted applications.
  • Click Advanced settings. Place a checkmark next to:
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Ensure Remove found threats is unchecked.
  • Click Start.
  • Wait for the scan to finish. Please be patient as this can take some time.
  • Upon completion, click the List threats button. If no threats were found, skip the next two bullet points. 
  • Click the Export button and save the file to your Desktop, naming it something such as "ESET Scan".
  • Push the Back button.
  • Place a checkmark next to the option shown in the original screenshot and click the button shown (screenshots not preserved).
  • Re-enable your anti-virus software.
  • Copy the contents of the log and paste in your next reply.

Thanks Adam, I noticed that today the pop-up regarding the malicious website did not appear.  I disabled the AV and ran the ESET scan, and it detected no faults.  I'm still a bit confused as to what removed the malicious software but do you think this is now clear?

 

Thanks

Steve


Hello Steve, 
 
DhcpNameServer values on your computer pointed to an IP address hosting potentially malicious content, and were responsible for the outbound calls to the blocked domain. This was set by DNS Unlocker 1.4. The FRST script I had you execute in Post #2 rectified this issue. 
 
All Clean!
Congratulations, your computer appears clean! :)
I see no signs of malware on your computer, and feel satisfied our work here is done. The steps below will remove the tools we have used, and reset any settings changed. I have also provided a list of resources you may find useful. 
 
DelFix

  • Please download DelFix and save the file to your Desktop.
  • Double-click DelFix.exe to run the programme.
  • Place a checkmark next to the following items:
    • Remove disinfection tools
    • Create registry backup
    • Purge system restore (creates a Restore Point/removes all but the most recent)
    • Reset system settings
  • Click the Run button.

-- DelFix will remove the specialised tools we used to clean your computer. Any leftover logs, files, folders or tools remaining on your computer which were not removed can be deleted manually (right-click the file + delete).
 
======================================================
 
I have compiled below a list of resources you may find useful. The articles document information on computer security, common attack vectors and how you can stay safe on the Internet.

======================================================
 
Please confirm you have no outstanding issues, and feel happy with the state of your computer. Once I have confirmation, we can wrap things up and I will close this topic. 
 
Thank you for using Malwarebytes.
 
Safe Surfing. :)
Adam

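The root cause Adam describes, per-interface DhcpNameServer values rewritten to point at an attacker-controlled resolver, is easy to check for in an FRST report before writing a fixlist. The script below is an added example written for this thread; it is not part of FRST, Malwarebytes or the helper's own tooling. It parses the "Tcpip\..\Interfaces\{GUID}: [DhcpNameServer|NameServer] ip ..." lines FRST emits, treats RFC1918/loopback/link-local addresses and an operator-supplied allowlist as expected, flags everything else, and then reports any flagged resolver that has been set on more than one interface, which is the pattern in this thread (the same public address on three interfaces). The sample lines are constructed: the first two are copied from the fixlist above, the others are invented to show a private resolver, a public allowlisted one and an unrelated line that must be ignored.

```python
"""Audit per-interface DNS resolver settings reported by FRST (added example, not FRST code)."""
import ipaddress
import re
from collections import defaultdict

# Matches the per-interface DNS lines FRST prints, e.g.
#   Tcpip\..\Interfaces\{GUID}: [DhcpNameServer] 82.163.143.171
# Both the DHCP-assigned value and a statically configured NameServer are covered.
FRST_DNS_LINE = re.compile(
    r"^Tcpip\\\.\.\\Interfaces\\\{(?P<guid>[0-9A-Fa-f-]+)\}:\s*"
    r"\[(?P<value>DhcpNameServer|NameServer)\]\s*(?P<servers>\S.*)$"
)

# Constructed sample input: lines 1-2 are from the fixlist in this thread, the rest are invented.
SAMPLE_FRST_LINES = [
    r"Tcpip\..\Interfaces\{1cde122d-ee0c-42bd-aef8-4f0679340206}: [DhcpNameServer] 82.163.143.171",
    r"Tcpip\..\Interfaces\{37ddf4ee-caa2-4fe8-85be-11c81949b402}: [DhcpNameServer] 82.163.143.171",
    r"Tcpip\..\Interfaces\{11111111-2222-3333-4444-555555555555}: [DhcpNameServer] 192.168.1.1",
    r"Tcpip\..\Interfaces\{66666666-7777-8888-9999-000000000000}: [NameServer] 8.8.8.8 8.8.4.4",
    r"HKLM\...\Run: [SomeProgram] => C:\Program Files\Example\example.exe",
]


def parse_dns_entries(lines):
    """Yield (interface_guid, value_name, [server, ...]) for each DNS line; other lines are skipped."""
    for line in lines:
        match = FRST_DNS_LINE.match(line.strip())
        if match is None:
            continue
        yield match.group("guid").lower(), match.group("value"), match.group("servers").split()


def classify_server(server, allowlist):
    """Classify one resolver: allowlisted, local (RFC1918/loopback/link-local), suspicious or unparseable."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return "unparseable"
    if ip in allowlist:
        return "allowlisted"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "local"
    return "suspicious"


def audit_dns_servers(lines, allowlist=()):
    """Return findings for every resolver that is neither local nor on the allowlist."""
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    findings = []
    for guid, value_name, servers in parse_dns_entries(lines):
        for server in servers:
            verdict = classify_server(server, allowed)
            if verdict in ("suspicious", "unparseable"):
                findings.append(
                    {"interface": guid, "value": value_name, "server": server, "verdict": verdict}
                )
    return findings


def shared_unexpected_resolvers(findings):
    """Map each flagged resolver to the interfaces using it, keeping only those seen on more than one.

    A resolver hijack normally rewrites every interface to the same address, so one public
    resolver repeated across interfaces is a stronger signal than a single odd entry.
    """
    by_server = defaultdict(set)
    for finding in findings:
        by_server[finding["server"]].add(finding["interface"])
    return {server: sorted(guids) for server, guids in by_server.items() if len(guids) > 1}


if __name__ == "__main__":
    found = audit_dns_servers(SAMPLE_FRST_LINES, allowlist=("8.8.8.8", "8.8.4.4"))
    for finding in found:
        print(f"{finding['verdict']:<11} {finding['interface']} {finding['value']} -> {finding['server']}")
    for server, guids in shared_unexpected_resolvers(found).items():
        print(f"{server} is configured on {len(guids)} interfaces: {', '.join(guids)}")
```

Feed it the Tcpip lines from a real FRST.txt (for example `audit_dns_servers(open("FRST.txt", encoding="utf-8", errors="replace"))`) and put the resolvers your network or ISP legitimately hands out in the allowlist; any remaining public address, and especially one repeated on every interface, is what to investigate and, as in this thread, what to remove with a fixlist before flushing the resolver cache.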

You're welcome. :)
 
Take care, 
Adam


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
