
Recurring DNS changer among others



So I have a DNS trojan that keeps coming back before I quarantine and remove them again. What can I do? Thx.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 3/12/2017
Scan Time: 8:34 PM
Logfile: 
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2017.03.12.08
Rootkit Database: v2017.03.11.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: Matthew

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 403117
Time Elapsed: 11 min, 8 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 1
Adware.Agent.Generic, C:\ProgramData\{8996A20F-3E3D-15A4-7753-5E77D64D8D0C}\C5348AEC-729F-3D47-890E-43103692C699.exe, 11968, , [50d84089466283b3bb1093d5ae52d12f]

Modules: 0
(No malicious items detected)

Registry Keys: 3
PUP.Optional.DNSUnlocker.ACMB2, HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\26D9E607FFF0C58C7844B47FF8B6E079E5A2220E, , [64c43e8bffa9d0660c4aedf1966d29d7], 
PUP.Optional.DNSUnlocker.ACMB2, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\26D9E607FFF0C58C7844B47FF8B6E079E5A2220E, , [9593d1f8aefad26491c521bd6a99e719], 
PUP.Optional.DNSUnlocker.ACMB2, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{82958181}, , [86a2a6230c9c7eb8b6a2e1fd0300bb45], 

Registry Values: 4
PUP.Optional.DNSUnlocker.ACMB2, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{82958181}|1, 1489363697, , [86a2a6230c9c7eb8b6a2e1fd0300bb45]
Trojan.DNSChanger.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES\{0b3fda46-98a1-4a12-b173-31952fbcb724}|NameServer, 82.163.143.176 82.163.142.178, , [b8709f2a46621f17a2a924ba0bf8ca36]
Trojan.DNSChanger.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES\{1d618a3d-4b0e-45af-8d98-4030b890fa18}|NameServer, 82.163.143.176 82.163.142.178, , [9791f2d7f2b63006bc8f2ab4cb388c74]
Trojan.DNSChanger.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES\{3f936b53-ab15-4cd4-85be-f849788de36b}|NameServer, 82.163.143.176 82.163.142.178, , [5ace04c5486055e10e3d26b8af54e11f]

Registry Data: 1
Trojan.DNSChanger.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS|NameServer, 82.163.143.176 82.163.142.178, Good: (8.8.8.8), Bad: (82.163.143.176 82.163.142.178),,[bc6c29a0e1c7aa8c0523250b45bf1ce4]

Folders: 5
Adware.Agent.Generic, C:\ProgramData\{8996A20F-3E3D-15A4-7753-5E77D64D8D0C}, , [50d84089466283b3bb1093d5ae52d12f], 
Rogue.Agent.D.Generic, C:\ProgramData\82958181, , [a97f16b34d5b57dfd5c5766e05fbc739], 
PUP.Optional.DNSUnlocker.ACMB2, C:\ProgramData\6fc278e9-4575-1, , [161204c5a9ffc1759256c2281de56799], 
PUP.Optional.DNSUnlocker.ACMB2, C:\ProgramData\6fc278e9-5051-0, , [a2869d2cf9af62d434b419d1b84ab54b], 
PUP.Optional.DNSUnlocker.ACMB2, C:\ProgramData\6fc278e9-7e91-0, , [bf690cbd66428ea82abeb931eb1739c7], 

Files: 2
Adware.Elex, C:\ProgramData\82958181\8ee79d0b.dll, , [bd6bcdfcf8b00c2a9e922bd9d13018e8], 
Adware.Agent.Generic, C:\ProgramData\{8996A20F-3E3D-15A4-7753-5E77D64D8D0C}\C5348AEC-729F-3D47-890E-43103692C699.exe, , [50d84089466283b3bb1093d5ae52d12f], 

Physical Sectors: 0
(No malicious items detected)


(end)


I posted the wrong one.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 3/12/2017
Scan Time: 8:34 PM
Logfile: 
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2017.03.12.08
Rootkit Database: v2017.03.11.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: Matthew

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 403117
Time Elapsed: 11 min, 8 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 1
Adware.Agent.Generic, C:\ProgramData\{8996A20F-3E3D-15A4-7753-5E77D64D8D0C}\C5348AEC-729F-3D47-890E-43103692C699.exe, 11968, Delete-on-Reboot, [50d84089466283b3bb1093d5ae52d12f]

Modules: 0
(No malicious items detected)

Registry Keys: 3
PUP.Optional.DNSUnlocker.ACMB2, HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\26D9E607FFF0C58C7844B47FF8B6E079E5A2220E, Quarantined, [64c43e8bffa9d0660c4aedf1966d29d7], 
PUP.Optional.DNSUnlocker.ACMB2, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\26D9E607FFF0C58C7844B47FF8B6E079E5A2220E, Quarantined, [9593d1f8aefad26491c521bd6a99e719], 
PUP.Optional.DNSUnlocker.ACMB2, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{82958181}, Quarantined, [86a2a6230c9c7eb8b6a2e1fd0300bb45], 

Registry Values: 4
PUP.Optional.DNSUnlocker.ACMB2, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{82958181}|1, 1489363697, Quarantined, [86a2a6230c9c7eb8b6a2e1fd0300bb45]
Trojan.DNSChanger.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES\{0b3fda46-98a1-4a12-b173-31952fbcb724}|NameServer, 82.163.143.176 82.163.142.178, Quarantined, [b8709f2a46621f17a2a924ba0bf8ca36]
Trojan.DNSChanger.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES\{1d618a3d-4b0e-45af-8d98-4030b890fa18}|NameServer, 82.163.143.176 82.163.142.178, Quarantined, [9791f2d7f2b63006bc8f2ab4cb388c74]
Trojan.DNSChanger.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES\{3f936b53-ab15-4cd4-85be-f849788de36b}|NameServer, 82.163.143.176 82.163.142.178, Quarantined, [5ace04c5486055e10e3d26b8af54e11f]

Registry Data: 1
Trojan.DNSChanger.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS|NameServer, 82.163.143.176 82.163.142.178, Good: (8.8.8.8), Bad: (82.163.143.176 82.163.142.178),Replaced,[bc6c29a0e1c7aa8c0523250b45bf1ce4]

Folders: 5
Adware.Agent.Generic, C:\ProgramData\{8996A20F-3E3D-15A4-7753-5E77D64D8D0C}, Delete-on-Reboot, [50d84089466283b3bb1093d5ae52d12f], 
Rogue.Agent.D.Generic, C:\ProgramData\82958181, Quarantined, [a97f16b34d5b57dfd5c5766e05fbc739], 
PUP.Optional.DNSUnlocker.ACMB2, C:\ProgramData\6fc278e9-4575-1, Quarantined, [161204c5a9ffc1759256c2281de56799], 
PUP.Optional.DNSUnlocker.ACMB2, C:\ProgramData\6fc278e9-5051-0, Quarantined, [a2869d2cf9af62d434b419d1b84ab54b], 
PUP.Optional.DNSUnlocker.ACMB2, C:\ProgramData\6fc278e9-7e91-0, Quarantined, [bf690cbd66428ea82abeb931eb1739c7], 

Files: 2
Adware.Elex, C:\ProgramData\82958181\8ee79d0b.dll, Quarantined, [bd6bcdfcf8b00c2a9e922bd9d13018e8], 
Adware.Agent.Generic, C:\ProgramData\{8996A20F-3E3D-15A4-7753-5E77D64D8D0C}\C5348AEC-729F-3D47-890E-43103692C699.exe, Delete-on-Reboot, [50d84089466283b3bb1093d5ae52d12f], 

Physical Sectors: 0
(No malicious items detected)


(end)


Hello and welcome!

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.

  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.

  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


Hi @TwinHeadedEagle, I'm having the exact same issue as thatguy. Windows 10, 64-bit, reporting the same malware and PUPs through Malwarebytes.

Adware.Elex
Adware.Agent.Generic
and the exact same DNS Unlocker/changer PUPs

I'm currently out of ideas on how to rid myself of it as I've been fighting against it for over a month now only to have it continuously worm its way back into my system. I'm on a separate PC at the moment but when I get to the one with the issue should I post my Malwarebytes log here too? Should I also run the Farbar tool? Let me know if I should make a separate thread or if you could potentially help me here simultaneously as the issue seems nearly identical.

Thanks for your help!
