Rough.TechSupportScam registry key?


sp123
Solved by kevinf80


  • Root Admin

Yes, something modified it. You can try a couple things.

Open Windows Explorer file manager to that folder

C:\WINDOWS\system32\drivers\etc

Then check properties, Previous Versions and if found restore from there.

If not, then you could do a System Restore which will put back the hosts file for you as well

You could also use Shadow Explorer to possibly grab a copy of the file from a Restore Point

https://www.shadowexplorer.com/

 

 


  • Root Admin

Highly recommend you change username or any other personal information that might be named on Windows. Using pseudonyms for all account information is highly recommended.

 

 

Are you using Microsoft Teams?

Are you using Microsoft OneDrive?

Are you using Microsoft OneNote?

 

Are you actually using HP print drivers from 2012 for a printer?

HKLM\...\Print\Monitors\HP 5912 Status Monitor: C:\WINDOWS\system32\hpinksts5912LM.dll [331664 2012-06-18] (Hewlett Packard -> Hewlett-Packard Co.)
HKLM\...\Print\Monitors\HP Discovery Port Monitor (HP Officejet Pro 8600): C:\WINDOWS\system32\HPDiscoPM5912.dll [741480 2012-10-17] (Hewlett Packard -> Hewlett-Packard Co.)

 

Are you programming, or testing wampstackApache?

 

What is this file? Was this computer attacked by some type of ransomware encryption attack before?

C:\Users\xxx\Downloads\9f9c7002f4ce0dec2f3c8d485d84c03b501b0ebda89a6f14f0727eeda3e0aac3.unknown.decrypted.txt
C:\Users\xxx\Downloads\9f9c7002f4ce0dec2f3c8d485d84c03b501b0ebda89a6f14f0727eeda3e0aac3.unknown.txt

 

 

 

Your DNS Servers: 209.18.47.62 - 209.18.47.61

Please consider changing your default DNS server settings. Please choose one provider only

DNS is what lets users connect to websites using domain names instead of IP addresses

  • Google Public DNS: IPv4 8.8.8.8 and 8.8.4.4; IPv6 2001:4860:4860::8888 and 2001:4860:4860::8844
  • Cloudflare: IPv4 1.1.1.1 and 1.0.0.1; IPv6 2606:4700:4700::1111 and 2606:4700:4700::1001
  • OpenDNS: IPv4 208.67.222.222 and 208.67.220.220; IPv6 2620:119:35::35 and 2620:119:53::53
  • DNSWATCH: IPv4 84.200.69.80 and 84.200.70.40; IPv6 2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b

The Ultimate Guide to Changing Your DNS Server
https://www.howtogeek.com/167533/the-ultimate-guide-to-changing-your-dns-server/

Here is a YouTube video on Changing DNS settings if needed
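
As an added example (written for this page, not part of the thread and not a Malwarebytes or Farbar tool): a PowerShell audit that covers both the hosts-file restore advice in the first reply and the DNS-server check above. It assumes Windows 8 / Server 2012 or later (DnsClient module and CIM cmdlets) and an elevated session; the resolver list is the one the post gives. It flags hosts entries beyond localhost, marks adapters whose DNS servers are not one of those providers, and lists the shadow copies the Explorer "Previous Versions" tab and Shadow Explorer restore from. The Set-ResolverOnAdapter helper is a hypothetical name of my own and is never called unless you invoke it yourself.

```powershell
# Added example (not from the forum post or from Malwarebytes): audit the two places
# where name resolution is redirected on a Windows host, the hosts file and the
# per-adapter DNS servers, and list the shadow copies that the Explorer "Previous
# Versions" tab and Shadow Explorer restore from.
# Assumptions: Windows 8 / Server 2012 or later (DnsClient module, CIM cmdlets),
# run from an elevated PowerShell session so Win32_ShadowCopy can be queried.

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Public resolvers named in the post above. Any other server (typically the ISP or
# DHCP-assigned one) is reported as "CHECK" so the owner can decide if it is expected.
$KnownPublicResolvers = @(
    '8.8.8.8', '8.8.4.4', '2001:4860:4860::8888', '2001:4860:4860::8844',       # Google
    '1.1.1.1', '1.0.0.1', '2606:4700:4700::1111', '2606:4700:4700::1001',       # Cloudflare
    '208.67.222.222', '208.67.220.220', '2620:119:35::35', '2620:119:53::53',   # OpenDNS
    '84.200.69.80', '84.200.70.40', '2001:1608:10:25::1c04:b12f', '2001:1608:10:25::9249:d69b' # DNSWATCH
)

function Get-HostsFileEntries {
    # Strip comments, skip blank lines, split "address name [alias ...]".
    Get-Content -Path $HostsPath -ErrorAction Stop |
        ForEach-Object { $_.Split('#')[0].Trim() } |
        Where-Object { $_ -ne '' } |
        ForEach-Object {
            $parts = $_ -split '\s+'
            [pscustomobject]@{ Address = $parts[0]; Names = @($parts | Select-Object -Skip 1) }
        }
}

function Test-HostsEntrySuspicious {
    param([pscustomobject]$Entry)
    # A stock Windows hosts file has no active entries at all; the only benign ones
    # commonly seen are loopback mappings for localhost. Everything else was added by
    # a person or a program and deserves a look: tech-support-scam and other malware
    # redirect vendor, update and search domains here so the victim cannot get help.
    $loopback = $Entry.Address -in @('127.0.0.1', '::1')
    return -not ($loopback -and ($Entry.Names -contains 'localhost'))
}

function Get-HostsFileReport {
    $entries = @(Get-HostsFileEntries)
    [pscustomobject]@{
        Path          = $HostsPath
        LastWriteTime = (Get-Item -Path $HostsPath).LastWriteTime   # compare with the incident date
        EntryCount    = $entries.Count
        Flagged       = @($entries | Where-Object { Test-HostsEntrySuspicious -Entry $_ })
    }
}

function Get-DnsServerReport {
    # One row per adapter that has at least one resolver configured (IPv4 or IPv6).
    Get-DnsClientServerAddress |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            [pscustomobject]@{
                Interface = $_.InterfaceAlias
                Servers   = $_.ServerAddresses
                Unlisted  = @($_.ServerAddresses | Where-Object { $_ -notin $KnownPublicResolvers })
            }
        }
}

function Set-ResolverOnAdapter {
    # Hypothetical helper, never run automatically: point one adapter at a single
    # provider, e.g. Set-ResolverOnAdapter -InterfaceAlias 'Ethernet' -Servers '1.1.1.1','1.0.0.1'
    param([string]$InterfaceAlias, [string[]]$Servers)
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $Servers
    Clear-DnsClientCache
}

function Get-ShadowCopyList {
    # Snapshots behind "Previous Versions"; empty if System Protection is off or not elevated.
    Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
        Sort-Object -Property InstallDate -Descending |
        Select-Object -Property InstallDate, VolumeName, DeviceObject
}

$hosts = Get-HostsFileReport
"hosts file: $($hosts.Path)  last written $($hosts.LastWriteTime)  active entries: $($hosts.EntryCount)"
if ($hosts.Flagged.Count -eq 0) { "  no entries beyond localhost" }
foreach ($e in $hosts.Flagged) { "  FLAG  $($e.Address) -> $($e.Names -join ', ')" }

"`nDNS servers per adapter:"
foreach ($d in Get-DnsServerReport) {
    $mark = if ($d.Unlisted.Count -gt 0) { 'CHECK' } else { 'ok   ' }
    "  $mark $($d.Interface): $($d.Servers -join ', ')"
}

"`nShadow copies available for a Previous Versions restore:"
$shadows = @(Get-ShadowCopyList)
if ($shadows.Count -eq 0) { "  none found" } else { $shadows | Format-Table -AutoSize | Out-String }
```

A hosts file whose LastWriteTime matches the day the scam page appeared, combined with FLAG lines pointing vendor or search domains at loopback or a foreign address, is the signature this thread is about; the shadow-copy list tells you whether the Previous Versions route the first reply suggests is still available, or whether System Restore / Shadow Explorer is the fallback.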

 

 

 


9 minutes ago, AdvancedSetup said:

Are you using Microsoft Teams?

Yes - I have used it. Why?

9 minutes ago, AdvancedSetup said:

Are you using Microsoft OneDrive?

I was until it ran out of room :(

9 minutes ago, AdvancedSetup said:

Are you using Microsoft OneNote?

Not often. Why?

12 minutes ago, AdvancedSetup said:

Are you actually using HP print drivers from 2012 for a printer?

It's an old printer. I don't own the printer so it isn't my choice to get a new one

13 minutes ago, AdvancedSetup said:

Are you programming, or testing wampstackApache?

I have a local Bitnami server on localhost

 

14 minutes ago, AdvancedSetup said:

Your DNS Servers: 209.18.47.62 - 209.18.47.61

That seems like an error. It should be using this one - https://github.com/DandelionSprout/adfilt/tree/master/Dandelion Sprout's Official DNS Server

15 minutes ago, AdvancedSetup said:

What is this file? Was this computer attacked by some type of ransomware encryption attack before?

C:\Users\xxx\Downloads\9f9c7002f4ce0dec2f3c8d485d84c03b501b0ebda89a6f14f0727eeda3e0aac3.unknown.decrypted.txt
C:\Users\xxx\Downloads\9f9c7002f4ce0dec2f3c8d485d84c03b501b0ebda89a6f14f0727eeda3e0aac3.unknown.txt

Nope. I am a (not professional) malware analyst and that is a malware sample I was analyzing. The .decrypted version is the version I decrypted and deobfuscated.

 

17 minutes ago, AdvancedSetup said:

Highly recommend you change username or any other personal information that might be named on Windows. Using pseudonyms for all account information is highly recommended.

Sadly not sure how. I will look into this later


  • Root Admin

Okay, no problem about all the software. Just wanted to verify because the majority of people asked don't seem to use these Microsoft applications but they start up every time and consume resources even if you don't use them.

Please run the following FIX below

 

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 


  • Root Admin

SystemRestore: On => completed
Restore point was successfully created.

Secure Boot Status: True

You can now delete those zip files with the Date and Time as part of the name on your desktop. I no longer need them.
https://www.virustotal.com/gui/file/48c18955d0bb46aaf2f95b31cd5f34478db9e3a25b7600bc3f1ddc43241c0a5e

 

 

Can you please do the following?

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, place a checkmark on all of the Repair System entries.
  • Then click on the Repair System button and allow it to run and restart the system.
     




After the restart please do the following

  • Run the MBST Support Tool again.
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click the CLEAN button and follow the onscreen instructions to reinstall Malwarebytes
  • NOTE: Please have patience as it can take a while to remove and reinstall. The computer will restart to complete



 

After the restart please do the following

  • If you're using the paid version of Malwarebytes please activate and check for updates
  • Run the MBST Support Tool one more time.
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the All Users' desktop, please upload that file on your next reply


Thank you

 

 


  • Root Admin

Please make sure all real-time antivirus protection from Windows Defender and Malwarebytes are both disabled when running the tool.

We should have backups from Farbar, but no. If it gives an error and won't backup then don't proceed.

Thank you

 


  • Root Admin

Okay, let's not run the Repair. Not sure why your system is having issues with it but we don't want to cause any issues either.

Go ahead though please and do the Clean Removal and reinstall so that you have a good, clean install of the latest version of Malwarebytes

Then reboot, activate, check for updates and do a new Threat scan and post back that log.

Then also run a new Farbar scan and post those logs back and let me know what issues if any you're still having.

Thanks

 


  • Root Admin

One of the Devs asked me to ask you if you had turned off Tamper Protection

Please disable Tamper Protection and then exit out of Malwarebytes tray application

Then disable Windows Defender real-time protection temporarily and see if you still get the same error from the MBST tool when trying to do the Repair

Thanks @sp123

 


I am still working on the reinstall.

This popped up:

[screenshot]

I never bought or had installed Malwarebytes Privacy - and the VPN I already have is paid by someone else so it's free-to-me. Should I install it or can I ignore?

Just an irrelevant question: Why doesn't Malwarebytes have an online URL scanner or integrate with VirusTotal? As BG is already free, I don't think this would allow people to steal it. It would just be helpful when checking if a website is detected without visiting it.


22 minutes ago, AdvancedSetup said:

One of the Dev's asked me to ask you if you had turned off Tamper Protection

WD or MB? I can't find MB's tamper protection, and Windows Defender was disabled by Malwarebytes when it installed itself.
