TechSpot

PUM.Dns an issue?

By Kdyno24
Jun 29, 2014
  1. Hi,

    I've run MalwareBytes and it's said I have no issue on my machine, but I then ran Roguekiller and it found 4 PUM.Dns in the registry. I ran in safe mode and RK then didn't find anything. When I rebooted and ran RK again it found 4 PUM.Dns entries, again in the registry. Can anyone shed any light on what's happening. Here's a copy of the report...

    RogueKiller V9.1.0.0 [Jun 23 2014] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : kerry [Admin rights]
    Mode : Scan -- Date : 06/29/2014 17:54:45

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 6 ¤¤¤
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 194.168.4.100 194.168.8.100 -> FOUND
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 194.168.4.100 194.168.8.100 -> FOUND
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 194.168.4.100 194.168.8.100 -> FOUND
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{61DCCB1C-8BF9-4A52-B1D8-32F9BB785155} | DhcpNameServer : 194.168.4.100 194.168.8.100 -> FOUND
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{61DCCB1C-8BF9-4A52-B1D8-32F9BB785155} | DhcpNameServer : 194.168.4.100 194.168.8.100 -> FOUND
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{61DCCB1C-8BF9-4A52-B1D8-32F9BB785155} | DhcpNameServer : 194.168.4.100 194.168.8.100 -> FOUND

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ HOSTS File : 1 ¤¤¤
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost

    ¤¤¤ Antirootkit : 0 ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: ST500DM002-1BD142 ATA Device +++++
    --- User ---
    [MBR] 81154b717bd4745562c4228e7bdb92cf
    [BSP] a6d790c618a1507ae45e3e9fa2fe2aa3 : HP MBR Code
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
    1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 15168 MB
    2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 31145984 | Size: 461728 MB
    User = LL1 ... OK
    User = LL2 ... OK

    +++++ PhysicalDrive1: Generic- Multi-Card USB Device +++++
    Error reading User MBR! ([15] The device is not ready. )
    Error reading LL1 MBR! NOT VALID!
    Error reading LL2 MBR! ([32] The request is not supported. )


    ============================================
    RKreport_DEL_06292014_132348.log - RKreport_DEL_06292014_144438.log - RKreport_DEL_06292014_144915.log - RKreport_SCN_06292014_132213.log
    RKreport_SCN_06292014_143859.log - RKreport_SCN_06292014_144902.log - RKreport_SCN_06292014_145606.log - RKreport_SCN_06292014_170340.log
     
  2. Superdave1941

    Superdave1941 Malware Helper Posts: 152

    Hello and welcome to TechSpot.com My name is Dave. I will be helping you out with your particular problem on your computer.
    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.
    If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
    *************************************************************************
    Please download AdwCleaner by Xplode onto your Desktop.
    Before starting AdwCleaner, close all open programs and internet browsers, then double-click on the AdwCleaner icon.
    [​IMG]
    If Windows prompts you as to whether or not you wish to run AdwCleaner, please allow it to run.
    When the AdwCleaner program will open, click on the Scan button as shown below.
    [​IMG]
    AdwCleaner will now start to search for malicious files that may be installed on your computer.
    To remove the files that were detected in the previous step, please click on the Clean button.
    [​IMG]
    AdwCleaner will now prompt you to save any open files or data as the program will need to reboot the computer. Please do so and then click on the OK button. AdwCleaner will now delete all detected adware from your computer. When it is done it will display an alert that explains what PUPs (Potentially Unwanted Programs) and Adware are. Please read through this information and then press the OK button. You will now be presented with an alert that states AdwCleaner needs to reboot your computer.
    Please click on the OK button to allow AdwCleaner reboot your computer.A log will be produced. Please copy and paste this log in your next reply.
    *********************************************
    Please download Junkware Removal Tool to your desktop.
    Warning! Once the scan is complete JRT will shut down your browser with NO warning.
    Shut down your protection software now to avoid potential conflicts.
    •Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
    •Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator
    •The tool will open and start scanning your system.
    •Please be patient as this can take a while to complete depending on your system's specifications.
    •On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    •Copy and Paste the JRT.txt log into your next message.
    ***************************************************
    Download Security Check by screen317 from one of the following links and save it to your desktop.
    Link 1
    Link 2
    * Double-click Security Check.bat
    * Follow the on-screen instructions inside of the black box.
    * A Notepad document should open automatically called checkup.txt
    * Post the contents of that document in your next reply.
    Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
    **************************************************
    Malwarebytes' Anti-Rootkit
    Please download Malwarebytes' Anti-Rootkit and save it to your desktop.
    • Be sure to print out and follow the instructions provided on that same page for performing a scan.
    • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
    • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
    • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
    • Copy and paste the contents of these two log files in your next reply.
     
  3. Kdyno24

    Kdyno24 TS Rookie Topic Starter

    Hi,

    A mixed bag of results - ADW created a file but I can't find it - sorry I know that's not massively helpful...I can redo if required now .....


    Junkware removal tool report file is:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Thisisu
    Version: 6.1.4 (04.06.2014:1)
    OS: Windows 7 Home Premium x64
    Ran by kerry on 29/06/2014 at 21:43:35.03
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    ~~~ Services



    ~~~ Registry Values

    Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL



    ~~~ Registry Keys



    ~~~ Files

    Successfully deleted: [File] C:\Windows\syswow64\sho1224.tmp
    Successfully deleted: [File] C:\Windows\syswow64\sho1AB5.tmp
    Successfully deleted: [File] C:\Windows\syswow64\sho3C41.tmp
    Successfully deleted: [File] C:\Windows\syswow64\sho4A67.tmp
    Successfully deleted: [File] C:\Windows\syswow64\sho4D79.tmp
    Successfully deleted: [File] C:\Windows\syswow64\sho4F5.tmp
    Successfully deleted: [File] C:\Windows\syswow64\sho50C9.tmp
    Successfully deleted: [File] C:\Windows\syswow64\sho5B4A.tmp
    Successfully deleted: [File] C:\Windows\syswow64\sho5EE.tmp
    Successfully deleted: [File] C:\Windows\syswow64\sho6E0F.tmp
    Successfully deleted: [File] C:\Windows\syswow64\sho7ACF.tmp
    Successfully deleted: [File] C:\Windows\syswow64\sho7D9F.tmp
    Successfully deleted: [File] C:\Windows\syswow64\sho8142.tmp
    Successfully deleted: [File] C:\Windows\syswow64\sho87B5.tmp
    Successfully deleted: [File] C:\Windows\syswow64\shoD5DC.tmp



    ~~~ Folders

    Successfully deleted: [Empty Folder] C:\Users\kerry\appdata\local\{7D48CB81-E06D-43C5-8B75-1801EFE77ACD}
    Successfully deleted: [Empty Folder] C:\Users\kerry\appdata\local\{8A6648B7-2A5A-4033-81C4-2956E980025D}
    Successfully deleted: [Empty Folder] C:\Users\kerry\appdata\local\{D8E3AEE0-A9C7-4028-8CE5-B23098712F99}



    ~~~ FireFox

    Successfully deleted the following from C:\Users\kerry\AppData\Roaming\mozilla\firefox\profiles\loehyn5a.default\prefs.js

    user_pref("browser.search.selectedEngine", "SecureSearch");
    Emptied folder: C:\Users\kerry\AppData\Roaming\mozilla\firefox\profiles\loehyn5a.default\minidumps [142 files]



    ~~~ Event Viewer Logs were cleared





    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on 29/06/2014 at 21:49:47.85
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Screen317 didn't work - I downloaded from both links and it just created a file page that read " UNSUPPORTED OPERATING SYSTEM! ABORTED!"

    Then mbar said:
    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.07.0.1012

    (c) Malwarebytes Corporation 2011-2012

    OS version: 6.1.7601 Windows 7 Service Pack 1 x64

    Account is Administrative

    Internet Explorer version: 11.0.9600.17126

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
    CPU speed: 3.292000 GHz
    Memory total: 4203352064, free: 1913040896

    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.07.0.1012

    (c) Malwarebytes Corporation 2011-2012

    OS version: 6.1.7601 Windows 7 Service Pack 1 x64

    Account is Administrative

    Internet Explorer version: 11.0.9600.17126

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
    CPU speed: 3.292000 GHz
    Memory total: 4203352064, free: 1913491456

    Downloaded database version: v2014.06.29.09
    Downloaded database version: v2014.06.23.02
    =======================================
    Initializing...
    ------------ Kernel report ------------
    06/29/2014 21:56:59
    ------------ Loaded modules -----------
    \SystemRoot\system32\ntoskrnl.exe
    \SystemRoot\system32\hal.dll
    \SystemRoot\system32\kdcom.dll
    \SystemRoot\system32\mcupdate_GenuineIntel.dll
    \SystemRoot\system32\PSHED.dll
    \SystemRoot\system32\CLFS.SYS
    \SystemRoot\system32\CI.dll
    \SystemRoot\system32\drivers\Wdf01000.sys
    \SystemRoot\system32\drivers\WDFLDR.SYS
    \SystemRoot\system32\drivers\ACPI.sys
    \SystemRoot\system32\drivers\WMILIB.SYS
    \SystemRoot\system32\drivers\msisadrv.sys
    \SystemRoot\system32\drivers\pci.sys
    \SystemRoot\system32\drivers\vdrvroot.sys
    \SystemRoot\system32\drivers\gfibto.sys
    \SystemRoot\System32\drivers\partmgr.sys
    \SystemRoot\system32\drivers\volmgr.sys
    \SystemRoot\System32\drivers\volmgrx.sys
    \SystemRoot\system32\drivers\intelide.sys
    \SystemRoot\system32\drivers\PCIIDEX.SYS
    \SystemRoot\System32\drivers\mountmgr.sys
    \SystemRoot\system32\drivers\atapi.sys
    \SystemRoot\system32\drivers\ataport.SYS
    \SystemRoot\system32\drivers\amdxata.sys
    \SystemRoot\system32\drivers\fltmgr.sys
    \SystemRoot\system32\drivers\fileinfo.sys
    \SystemRoot\System32\Drivers\PxHlpa64.sys
    \SystemRoot\System32\Drivers\Ntfs.sys
    \SystemRoot\System32\Drivers\msrpc.sys
    \SystemRoot\System32\Drivers\ksecdd.sys
    \SystemRoot\System32\Drivers\cng.sys
    \SystemRoot\System32\drivers\pcw.sys
    \SystemRoot\System32\Drivers\Fs_Rec.sys
    \SystemRoot\system32\drivers\ndis.sys
    \SystemRoot\system32\drivers\NETIO.SYS
    \SystemRoot\System32\Drivers\ksecpkg.sys
    \SystemRoot\System32\drivers\tcpip.sys
    \SystemRoot\System32\drivers\fwpkclnt.sys
    \SystemRoot\system32\drivers\volsnap.sys
    \SystemRoot\System32\Drivers\spldr.sys
    \SystemRoot\System32\drivers\rdyboost.sys
    \SystemRoot\System32\Drivers\mup.sys
    \SystemRoot\System32\drivers\hwpolicy.sys
    \SystemRoot\System32\DRIVERS\fvevol.sys
    \SystemRoot\system32\drivers\disk.sys
    \SystemRoot\system32\drivers\CLASSPNP.SYS
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\system32\DRIVERS\BdSpy.sys
    \SystemRoot\system32\DRIVERS\NSKernel.sys
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\drivers\VIDEOPRT.SYS
    \SystemRoot\System32\drivers\watchdog.sys
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\system32\drivers\rdpencdd.sys
    \SystemRoot\system32\drivers\rdprefmp.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\tdx.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\DRIVERS\NSNetmon.sys
    \SystemRoot\System32\DRIVERS\netbt.sys
    \SystemRoot\system32\drivers\afd.sys
    \SystemRoot\system32\DRIVERS\wfplwf.sys
    \SystemRoot\system32\DRIVERS\pacer.sys
    \SystemRoot\system32\DRIVERS\vwififlt.sys
    \SystemRoot\system32\DRIVERS\afw.sys
    \SystemRoot\system32\DRIVERS\afwcore.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\DRIVERS\termdd.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\drivers\nsiproxy.sys
    \SystemRoot\system32\DRIVERS\mssmbios.sys
    \SystemRoot\System32\drivers\discache.sys
    \SystemRoot\System32\Drivers\dfsc.sys
    \SystemRoot\system32\DRIVERS\blbdrive.sys
    \SystemRoot\system32\DRIVERS\tunnel.sys
    \SystemRoot\system32\DRIVERS\igdkmd64.sys
    \SystemRoot\System32\drivers\dxgkrnl.sys
    \SystemRoot\System32\drivers\dxgmms1.sys
    \SystemRoot\system32\DRIVERS\HECIx64.sys
    \SystemRoot\system32\drivers\usbehci.sys
    \SystemRoot\system32\drivers\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\Rt64win7.sys
    \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\CompositeBus.sys
    \SystemRoot\system32\DRIVERS\AgileVpn.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\rassstp.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\swenum.sys
    \SystemRoot\system32\DRIVERS\ks.sys
    \SystemRoot\system32\DRIVERS\umbus.sys
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\drivers\CHDRT64.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\drivers\ksthunk.sys
    \SystemRoot\system32\DRIVERS\IntcDAud.sys
    \SystemRoot\system32\DRIVERS\cdfs.sys
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\system32\DRIVERS\monitor.sys
    \SystemRoot\System32\TSDDD.dll
    \SystemRoot\system32\DRIVERS\usbccgp.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\DRIVERS\V0510Vid.sys
    \SystemRoot\system32\DRIVERS\V0510Vfx.sys
    \SystemRoot\system32\drivers\usbaudio.sys
    \SystemRoot\System32\cdd.dll
    \SystemRoot\system32\drivers\hidusb.sys
    \SystemRoot\system32\drivers\HIDCLASS.SYS
    \SystemRoot\system32\drivers\HIDPARSE.SYS
    \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \SystemRoot\System32\ATMFD.DLL
    \SystemRoot\system32\drivers\usbscan.sys
    \SystemRoot\system32\drivers\luafv.sys
    \SystemRoot\system32\DRIVERS\usbprint.sys
    \SystemRoot\system32\DRIVERS\Sftvollh.sys
    \SystemRoot\system32\DRIVERS\kbdhid.sys
    \SystemRoot\System32\Drivers\crashdmp.sys
    \SystemRoot\System32\Drivers\dump_dumpata.sys
    \SystemRoot\System32\Drivers\dump_atapi.sys
    \SystemRoot\System32\Drivers\dump_dumpfve.sys
    \SystemRoot\system32\DRIVERS\lltdio.sys
    \SystemRoot\system32\DRIVERS\nwifi.sys
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\rspndr.sys
    \SystemRoot\system32\drivers\HTTP.sys
    \SystemRoot\system32\DRIVERS\bowser.sys
    \SystemRoot\System32\drivers\mpsdrv.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    \SystemRoot\system32\DRIVERS\Trufos.sys
    \SystemRoot\system32\drivers\peauth.sys
    \SystemRoot\System32\Drivers\secdrv.SYS
    \SystemRoot\system32\DRIVERS\Sftfslh.sys
    \SystemRoot\system32\DRIVERS\Sftplaylh.sys
    \SystemRoot\system32\DRIVERS\ssadbus.sys
    \SystemRoot\system32\DRIVERS\ssadwh.sys
    \SystemRoot\System32\DRIVERS\srvnet.sys
    \SystemRoot\System32\drivers\tcpipreg.sys
    \SystemRoot\System32\DRIVERS\srv2.sys
    \SystemRoot\system32\DRIVERS\Sftredirlh.sys
    \SystemRoot\System32\DRIVERS\srv.sys
    \SystemRoot\system32\drivers\BdNet.sys
    \SystemRoot\system32\drivers\WudfPf.sys
    \SystemRoot\system32\DRIVERS\WUDFRd.sys
    \SystemRoot\System32\Drivers\fastfat.SYS
    \??\C:\Windows\system32\drivers\mbamchameleon.sys
    \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
    \Windows\System32\ntdll.dll
    \Windows\System32\smss.exe
    \Windows\System32\apisetschema.dll
    \Windows\System32\autochk.exe
    \Windows\System32\comdlg32.dll
    \Windows\System32\imagehlp.dll
    \Windows\System32\ws2_32.dll
    \Windows\System32\ole32.dll
    \Windows\System32\clbcatq.dll
    \Windows\System32\sechost.dll
    \Windows\System32\msctf.dll
    \Windows\System32\shell32.dll
    \Windows\System32\Wldap32.dll
    \Windows\System32\urlmon.dll
    \Windows\System32\gdi32.dll
    \Windows\System32\nsi.dll
    \Windows\System32\lpk.dll
    \Windows\System32\imm32.dll
    \Windows\System32\advapi32.dll
    \Windows\System32\psapi.dll
    \Windows\System32\user32.dll
    \Windows\System32\oleaut32.dll
    \Windows\System32\usp10.dll
    \Windows\System32\difxapi.dll
    \Windows\System32\wininet.dll
    \Windows\System32\shlwapi.dll
    \Windows\System32\msvcrt.dll
    \Windows\System32\iertutil.dll
    \Windows\System32\setupapi.dll
    \Windows\System32\rpcrt4.dll
    \Windows\System32\normaliz.dll
    \Windows\System32\kernel32.dll
    \Windows\System32\wintrust.dll
    \Windows\System32\devobj.dll
    \Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
    \Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    \Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
    \Windows\System32\crypt32.dll
    \Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
    \Windows\System32\comctl32.dll
    \Windows\System32\cfgmgr32.dll
    \Windows\System32\KernelBase.dll
    \Windows\System32\userenv.dll
    \Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
    \Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
    \Windows\System32\msasn1.dll
    \Windows\System32\profapi.dll
    ----------- End -----------
    Done!
    <<<1>>>
    Upper Device Name: \Device\Harddisk1\DR1
    Upper Device Object: 0xfffffa8008141790
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\0000007b\
    Lower Device Object: 0xfffffa8008189b60
    Lower Device Driver Name: \Driver\USBSTOR\
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xfffffa8004d54060
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
    Lower Device Object: 0xfffffa800476f060
    Lower Device Driver Name: \Driver\atapi\
    <<<2>>>
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xfffffa8004d54060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa8004d54b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa8004d54060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa8003c68d80, DeviceName: Unknown, DriverName: \Driver\ACPI\
    DevicePointer: 0xfffffa800476f060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
    ------------ End ----------
    Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    Upper DeviceData: 0x0, 0x0, 0x0
    Lower DeviceData: 0x0, 0x0, 0x0
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    <<<2>>>
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
    Done!
    Drive 0
    This is a System drive
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 62726259

    Partition information:

    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63 Numsec = 80262

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 81920 Numsec = 31064064
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 31145984 Numsec = 945618944

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 500107862016 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-62-976753168-976773168)...
    Done!
    Physical Sector Size: 0
    Drive: 1, DevicePointer: 0xfffffa8008141790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa8008140040, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa8008141790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa8008189b60, DeviceName: \Device\0000007b\, DriverName: \Driver\USBSTOR\
    ------------ End ----------
    Scan finished
    =======================================


    Removal queue found; removal started
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-I.mbam...
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-1-81920-I.mbam...
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
    Removal finished

    So if that good news, I'm now clean?
     
  4. Kdyno24

    Kdyno24 TS Rookie Topic Starter

    Hi,

    I found the first ADW report and it read:
    # AdwCleaner v3.210 - Report created 22/05/2014 at 16:58:47
    # Updated 19/05/2014 by Xplode
    # Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
    # Username : kerry - KERRY-PC
    # Running from : C:\Users\kerry\AppData\Local\Temp\dlm672C.tmp\adwcleaner_3.210.exe
    # Option : Scan
    ***** [ Services ] *****

    ***** [ Files / Folders ] *****
    File Found : C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\adawaretb.xml
    File Found : C:\Users\kerry\AppData\Roaming\Mozilla\Firefox\Profiles\loehyn5a.default\user.js
    File Found : C:\Users\Public\Desktop\eBay.lnk
    ***** [ Shortcuts ] *****

    ***** [ Registry ] *****
    Key Found : HKCU\Software\Conduit
    Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
    Key Found : [x64] HKCU\Software\Conduit
    Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{065C1A21-97F8-45FB-A9F0-861B60FACEC8}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{3204358F-5904-46A6-841F-D6B5BE3EF4E3}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{3AE67737-0E3E-44AA-AA5E-46A68BF017FF}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{3EE5B726-044A-48D2-AA7B-049BD9A0F62A}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{60FBBE03-57FF-49D8-B38E-053D3F489825}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{6A5182F1-C0B8-42B8-96CC-7F329CD46913}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{6C153418-8E4D-4FAF-AF27-5201E38463A7}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{A26A2F05-AC4D-4A1E-9531-9125F7309B78}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{CC5D6240-7DF0-435D-9B9B-F8586A99DE86}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{F343045E-E20A-46E1-82D8-9962C43EFC9E}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{FBB360DC-CB6C-4D6A-808A-2C773151BFFF}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{FFD7DDAC-EC28-42A5-8D39-917B9078604B}
    Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
    Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
    Key Found : HKLM\Software\Conduit
    Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\oejkcgajlodefenbbjdnaiahmbnnoole
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\BingBar_RASMANCS
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASAPI32
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASMANCS
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\YontooDesktop_RASAPI32
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\YontooDesktop_RASMANCS
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Toolbar Cleaner
    Key Found : [x64] HKLM\SOFTWARE\Tarma Installer
    ***** [ Browsers ] *****
    -\\ Internet Explorer v11.0.9600.17041

    -\\ Mozilla Firefox v29.0.1 (en-US)
    [ File : C:\Users\kerry\AppData\Roaming\Mozilla\Firefox\Profiles\loehyn5a.default\prefs.js ]
    Line Found : user_pref("browser.search.order.1", "Ask.com");
    Line Found : user_pref("extensions.skipscreen.hostMatchStr", "hxxp://www.4shared.com/(get|audio|file|doc...iles.com/(([a-z]{2})/files/|auth-).*|hxxp://(www.)*digg.com/(.{5}|.{6})$|hxxp:[...]
    -\\ Google Chrome v34.0.1847.137
    [ File : C:\Users\kerry\AppData\Local\Google\Chrome\User Data\Default\preferences ]

    *************************
    AdwCleaner[R0].txt - [3261 octets] - [22/05/2014 16:58:47]
    ########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [3321 octets] ##########

    After I had finished with malwarebytes anti rootkit I ran it again and the latest report said:

    # AdwCleaner v3.213 - Report created 29/06/2014 at 22:31:11
    # Updated 23/06/2014 by Xplode
    # Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
    # Username : kerry - KERRY-PC
    # Running from : C:\Users\kerry\Downloads\adwcleaner_3.213.exe
    # Option : Clean
    ***** [ Services ] *****

    ***** [ Files / Folders ] *****

    ***** [ Shortcuts ] *****

    ***** [ Registry ] *****

    ***** [ Browsers ] *****
    -\\ Internet Explorer v11.0.9600.17126

    -\\ Mozilla Firefox v30.0 (en-US)
    [ File : C:\Users\kerry\AppData\Roaming\Mozilla\Firefox\Profiles\loehyn5a.default\prefs.js ]

    -\\ Google Chrome v35.0.1916.153
    [ File : C:\Users\kerry\AppData\Local\Google\Chrome\User Data\Default\preferences ]

    *************************
    AdwCleaner[R0].txt - [3413 octets] - [22/05/2014 16:58:47]
    AdwCleaner[R1].txt - [1774 octets] - [29/06/2014 21:37:19]
    AdwCleaner[R2].txt - [1145 octets] - [29/06/2014 22:30:24]
    AdwCleaner[S0].txt - [3380 octets] - [22/05/2014 17:00:17]
    AdwCleaner[S1].txt - [1853 octets] - [29/06/2014 21:39:04]
    AdwCleaner[S2].txt - [1067 octets] - [29/06/2014 22:31:11]
    ########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [1127 octets] ##########
     
  5. Superdave1941

    Superdave1941 Malware Helper Posts: 152

    I'd like to scan your machine with ESET OnlineScan
    •Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
    •Click the [​IMG] button.
    •For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [​IMG] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [​IMG] icon on your desktop.
    •Check [​IMG]
    •Click the [​IMG] button.
    •Accept any security warnings from your browser.
    • Leave the check mark next to Remove found threats.
    •Check [​IMG]
    •Push the Start button.
    •ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    •When the scan completes, push [​IMG]
    •Push [​IMG], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    •Push the [​IMG] button.
    •Push [​IMG]
    A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
     
  6. Kdyno24

    Kdyno24 TS Rookie Topic Starter

    Here's the log file
    ESETSmartInstaller@High as downloader log:
    all ok
    # version=8
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.7587
    # api_version=3.0.2
    # EOSSerial=4be369f95e5cdb468bf2aa4e8b8371cd
    # engine=18953
    # end=stopped
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2014-06-30 05:03:10
    # local_time=2014-06-30 06:03:10 (+0000, GMT Daylight Time)
    # country="United Kingdom"
    # lang=1033
    # osver=6.1.7601 NT Service Pack 1
    # compatibility_mode_1='BullGuard Antivirus'
    # compatibility_mode=4611 16777215 85 100 1645 72955280 0 0
    # compatibility_mode_1=''
    # compatibility_mode=5893 16776573 100 94 97022 156612840 0 0
    # scanned=76097
    # found=10
    # cleaned=0
    # scan_time=1437
    sh=19876B0C21073CE7AC4725124851FC36B7EA7301 ft=1 fh=31b372839de59c7b vn="a variant of Win32/CNETInstaller.B potentially unwanted application" ac=I fn="C:\$Recycle.Bin\S-1-5-21-431576526-45876521-1566683477-1001\$R4FOEI0.exe"
    sh=A9D4042214171932C01BA92C20DB68B1F059BF85 ft=1 fh=68e2755456a8c578 vn="a variant of Win32/Injected.F trojan" ac=I fn="C:\$Recycle.Bin\S-1-5-21-431576526-45876521-1566683477-1001\$RW6NI3M.exe"
    sh=E15957395DB1A787B09EE7068085EAA1C5D62405 ft=1 fh=517def6085a7aa94 vn="a variant of Win32/Toolbar.Conduit.H potentially unwanted application" ac=I fn="C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe"
    sh=A461ED3268BF82653A16F6F5F7C227A278C7E4EF ft=1 fh=3596815d4c17317b vn="a variant of Win32/Toolbar.Conduit.H potentially unwanted application" ac=I fn="C:\Program Files (x86)\NCH Software\ExpressZip\expresszipsetup_v2.13.exe"
    sh=347BB66C7BE3982B2602FE946E6BCF3C7C7224B5 ft=1 fh=9946b6b2c2e14984 vn="a variant of Win32/Toolbar.Conduit.J potentially unwanted application" ac=I fn="C:\Program Files (x86)\NCH Software\VideoPad\uninst.exe"
    sh=20E2D74783E28D768F2F4C9D856EAB1742ECBAB4 ft=1 fh=6378f278c2e14984 vn="a variant of Win32/Toolbar.Conduit.J potentially unwanted application" ac=I fn="C:\Program Files (x86)\NCH Software\VideoPad\videopad.exe"
    sh=6D8A3CAC283AC47CE01261DAAC15B09AF37D87CD ft=1 fh=811f7b6ed12c913d vn="a variant of Win32/Toolbar.Conduit.J potentially unwanted application" ac=I fn="C:\Program Files (x86)\NCH Software\VideoPad\vpsetup_v2.41.exe"
    sh=53A703CEEACAE9CF85088CB25734FA649D1F7412 ft=1 fh=a224ecd1fc044448 vn="a variant of Win32/Toolbar.Conduit.H potentially unwanted application" ac=I fn="C:\Program Files (x86)\NCH Software\WavePad\uninst.exe"
    sh=6A1A6B8E397E74B17B29EE92E69E684E8745F1FE ft=1 fh=581aa81bfc044448 vn="a variant of Win32/Toolbar.Conduit.H potentially unwanted application" ac=I fn="C:\Program Files (x86)\NCH Software\WavePad\wavepad.exe"
    sh=E010C9E6333BFDE93E2F2382C394434769B5E106 ft=1 fh=232a17c99b28fa3f vn="a variant of Win32/Toolbar.Conduit.H potentially unwanted application" ac=I fn="C:\Program Files (x86)\NCH Software\WavePad\wpsetup_v5.13.exe"
    ESETSmartInstaller@High as downloader log:
    all ok
    # version=8
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.7587
    # api_version=3.0.2
    # EOSSerial=4be369f95e5cdb468bf2aa4e8b8371cd
    # engine=18953
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2014-06-30 05:58:40
    # local_time=2014-06-30 06:58:40 (+0000, GMT Daylight Time)
    # country="United Kingdom"
    # lang=1033
    # osver=6.1.7601 NT Service Pack 1
    # compatibility_mode_1='BullGuard Antivirus'
    # compatibility_mode=4611 16777215 85 100 4975 72958610 0 0
    # compatibility_mode_1=''
    # compatibility_mode=5893 16776573 100 94 100352 156616170 0 0
    # scanned=210387
    # found=10
    # cleaned=10
    # scan_time=3187
    sh=19876B0C21073CE7AC4725124851FC36B7EA7301 ft=1 fh=31b372839de59c7b vn="a variant of Win32/CNETInstaller.B potentially unwanted application (deleted - quarantined)" ac=C fn="C:\$Recycle.Bin\S-1-5-21-431576526-45876521-1566683477-1001\$R4FOEI0.exe"
    sh=A9D4042214171932C01BA92C20DB68B1F059BF85 ft=1 fh=68e2755456a8c578 vn="a variant of Win32/Injected.F trojan (cleaned by deleting - quarantined)" ac=C fn="C:\$Recycle.Bin\S-1-5-21-431576526-45876521-1566683477-1001\$RW6NI3M.exe"
    sh=E15957395DB1A787B09EE7068085EAA1C5D62405 ft=1 fh=517def6085a7aa94 vn="a variant of Win32/Toolbar.Conduit.H potentially unwanted application (deleted - quarantined)" ac=C fn="C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe"
    sh=A461ED3268BF82653A16F6F5F7C227A278C7E4EF ft=1 fh=3596815d4c17317b vn="a variant of Win32/Toolbar.Conduit.H potentially unwanted application (deleted - quarantined)" ac=C fn="C:\Program Files (x86)\NCH Software\ExpressZip\expresszipsetup_v2.13.exe"
    sh=347BB66C7BE3982B2602FE946E6BCF3C7C7224B5 ft=1 fh=9946b6b2c2e14984 vn="a variant of Win32/Toolbar.Conduit.J potentially unwanted application (deleted - quarantined)" ac=C fn="C:\Program Files (x86)\NCH Software\VideoPad\uninst.exe"
    sh=20E2D74783E28D768F2F4C9D856EAB1742ECBAB4 ft=1 fh=6378f278c2e14984 vn="a variant of Win32/Toolbar.Conduit.J potentially unwanted application (deleted - quarantined)" ac=C fn="C:\Program Files (x86)\NCH Software\VideoPad\videopad.exe"
    sh=6D8A3CAC283AC47CE01261DAAC15B09AF37D87CD ft=1 fh=811f7b6ed12c913d vn="a variant of Win32/Toolbar.Conduit.J potentially unwanted application (deleted - quarantined)" ac=C fn="C:\Program Files (x86)\NCH Software\VideoPad\vpsetup_v2.41.exe"
    sh=53A703CEEACAE9CF85088CB25734FA649D1F7412 ft=1 fh=a224ecd1fc044448 vn="a variant of Win32/Toolbar.Conduit.H potentially unwanted application (deleted - quarantined)" ac=C fn="C:\Program Files (x86)\NCH Software\WavePad\uninst.exe"
    sh=6A1A6B8E397E74B17B29EE92E69E684E8745F1FE ft=1 fh=581aa81bfc044448 vn="a variant of Win32/Toolbar.Conduit.H potentially unwanted application (deleted - quarantined)" ac=C fn="C:\Program Files (x86)\NCH Software\WavePad\wavepad.exe"
    sh=E010C9E6333BFDE93E2F2382C394434769B5E106 ft=1 fh=232a17c99b28fa3f vn="a variant of Win32/Toolbar.Conduit.H potentially unwanted application (deleted - quarantined)" ac=C fn="C:\Program Files (x86)\NCH Software\WavePad\wpsetup_v5.13.exe"

    C:\$Recycle.Bin\S-1-5-21-431576526-45876521-1566683477-1001\$R4FOEI0.exe a variant of Win32/CNETInstaller.B potentially unwanted application deleted - quarantined
    C:\$Recycle.Bin\S-1-5-21-431576526-45876521-1566683477-1001\$RW6NI3M.exe a variant of Win32/Injected.F trojan cleaned by deleting - quarantined
    C:\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application deleted - quarantined
    C:\Program Files (x86)\NCH Software\ExpressZip\expresszipsetup_v2.13.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application deleted - quarantined
    C:\Program Files (x86)\NCH Software\VideoPad\uninst.exe a variant of Win32/Toolbar.Conduit.J potentially unwanted application deleted - quarantined
    C:\Program Files (x86)\NCH Software\VideoPad\videopad.exe a variant of Win32/Toolbar.Conduit.J potentially unwanted application deleted - quarantined
    C:\Program Files (x86)\NCH Software\VideoPad\vpsetup_v2.41.exe a variant of Win32/Toolbar.Conduit.J potentially unwanted application deleted - quarantined
    C:\Program Files (x86)\NCH Software\WavePad\uninst.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application deleted - quarantined
    C:\Program Files (x86)\NCH Software\WavePad\wavepad.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application deleted - quarantined
    C:\Program Files (x86)\NCH Software\WavePad\wpsetup_v5.13.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application deleted - quarantined
     
  7. Kdyno24

    Kdyno24 TS Rookie Topic Starter

    Oh and I just ran RK again and it returned this log

    RogueKiller V9.1.0.0 [Jun 23 2014] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : kerry [Admin rights]
    Mode : Scan -- Date : 06/30/2014 19:09:20

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 6 ¤¤¤
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 194.168.4.100 194.168.8.100 -> FOUND
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 194.168.4.100 194.168.8.100 -> FOUND
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 194.168.4.100 194.168.8.100 -> FOUND
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{61DCCB1C-8BF9-4A52-B1D8-32F9BB785155} | DhcpNameServer : 194.168.4.100 194.168.8.100 -> FOUND
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{61DCCB1C-8BF9-4A52-B1D8-32F9BB785155} | DhcpNameServer : 194.168.4.100 194.168.8.100 -> FOUND
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{61DCCB1C-8BF9-4A52-B1D8-32F9BB785155} | DhcpNameServer : 194.168.4.100 194.168.8.100 -> FOUND

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ HOSTS File : 1 ¤¤¤
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost

    ¤¤¤ Antirootkit : 0 ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: ST500DM002-1BD142 ATA Device +++++
    --- User ---
    [MBR] 81154b717bd4745562c4228e7bdb92cf
    [BSP] a6d790c618a1507ae45e3e9fa2fe2aa3 : HP MBR Code
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
    1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 15168 MB
    2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 31145984 | Size: 461728 MB
    User = LL1 ... OK
    User = LL2 ... OK

    +++++ PhysicalDrive1: Generic- Multi-Card USB Device +++++
    Error reading User MBR! ([15] The device is not ready. )
    Error reading LL1 MBR! NOT VALID!
    Error reading LL2 MBR! ([32] The request is not supported. )


    ============================================
    RKreport_DEL_06292014_132348.log - RKreport_DEL_06292014_144438.log - RKreport_DEL_06292014_144915.log - RKreport_SCN_06292014_132213.log
    RKreport_SCN_06292014_143859.log - RKreport_SCN_06292014_144902.log - RKreport_SCN_06292014_145606.log - RKreport_SCN_06292014_170340.log
    RKreport_SCN_06292014_175445.log
     
  8. Superdave1941

    Superdave1941 Malware Helper Posts: 152

    Please download aswMBR.exe ( 511KB ) to your desktop.
    Double click the aswMBR.exe to run it
    [​IMG]
    Click the "Scan" button to start scan
    Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives
    [​IMG]
    On completion of the scan click save log, save it to your desktop and post in your next reply
     
  9. Kdyno24

    Kdyno24 TS Rookie Topic Starter

    Here's teh log

    aswMBR version 1.0.1.2041 Copyright(c) 2014 AVAST Software
    Run date: 2014-06-30 21:14:08
    -----------------------------
    21:14:08.285 OS Version: Windows x64 6.1.7601 Service Pack 1
    21:14:08.285 Number of processors: 4 586 0x2A07
    21:14:08.286 ComputerName: KERRY-PC UserName: kerry
    21:14:14.972 Initialize success
    21:14:15.038 VM: initialized successfully
    21:14:15.058 VM: Intel CPU supported
    21:14:21.415 VM: supported disk I/O ataport.SYS
    21:14:31.540 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    21:14:31.543 Disk 0 Vendor: ST500DM002-1BD142 KC45 Size: 476940MB BusType: 3
    21:14:31.656 VM: Disk 0 MBR read successfully
    21:14:31.660 Disk 0 MBR scan
    21:14:31.664 Disk 0 Windows VISTA default MBR code
    21:14:31.668 Disk 0 Partition 1 00 DE Dell Utility DELL 4.1 39 MB offset 63
    21:14:31.675 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 15168 MB offset 81920
    21:14:31.683 Disk 0 Boot: NTFS code=1
    21:14:31.700 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 461728 MB offset 31145984
    21:14:31.720 Disk 0 scanning C:\Windows\system32\drivers
    21:14:38.529 Service scanning
    21:14:52.547 Modules scanning
    21:14:52.559 Disk 0 trace - called modules:
    21:14:52.578 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS intelide.sys PCIIDEX.SYS hal.dll atapi.sys
    21:14:52.584 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004d37060]
    21:14:52.589 3 CLASSPNP.SYS[fffff880018ea43f] -> nt!IofCallDriver -> [0xfffffa8004751520]
    21:14:52.593 5 ACPI.sys[fffff88000f5e7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004753060]
    21:14:52.596 Scan finished successfully
    21:15:05.313 Disk 0 MBR has been saved successfully to "C:\Users\kerry\Desktop\MBR.dat"
    21:15:05.335 The log file has been saved successfully to "C:\Users\kerry\Desktop\aswMBR.txt"
     
  10. Superdave1941

    Superdave1941 Malware Helper Posts: 152

    Could you please run ESET again and see if anything else pops up?
     
  11. Kdyno24

    Kdyno24 TS Rookie Topic Starter

    Just finished and it said no threats found....
     
  12. Kdyno24

    Kdyno24 TS Rookie Topic Starter

    Ran RK again and it found nothing this time

    RogueKiller V8.8.15 [Mar 27 2014] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : kerry [Admin rights]
    Mode : Scan -- Date : 07/01/2014 19:51:27
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 0 ¤¤¤

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Startup Entries : 0 ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Browser Addons : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

    ¤¤¤ External Hives: ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts


    127.0.0.1 localhost
     
  13. Superdave1941

    Superdave1941 Malware Helper Posts: 152

    Ok, how's your computer running now? Any other issues?
     
  14. Kdyno24

    Kdyno24 TS Rookie Topic Starter

    Seems fine - teatime.exe is a bit of a pain when I start up as it eats up processing cpacity but it settles down after a few minutes - all seems good. Thanks very much for your help.

    K
     
  15. Superdave1941

    Superdave1941 Malware Helper Posts: 152

    Spybot is old and out-of-date. You would be better off uninstalling it.
    Let's clean up.

    This step will remove all cleaning tools we used, it'll reset restore points (so you won't get reinfected by accidentally using some older restore point) and it'll make some other minor adjustments...
    This is a very crucial step so make sure you don't skip it.
    Download DelFix by Xplode to your desktop. Delfix will delete all the used tools and logfiles.
    Double-click Delfix.exe to start the tool.
    Make sure the following items are checked:
    • Activate UAC (optional; some users prefer to keep it off)
    • Remove disinfection tools
    • Create Registry backup
    • Purge System Restore Points
    • Re-set system settings
    Now click "Run" and wait patiently.
    Once finished a logfile will be created. You don't have to attach it to your next reply.
    ***********************************************
    Click Start> Computer> right click the C Drive and choose Properties> enter
    Click Disk Cleanup from there.
    [​IMG]
    Click OK on the Disk Cleanup Screen.
    Click Yes on the Confirmation screen.
    [​IMG]
    This runs the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive)
    **********************************************
    Go to Microsoft Windows Update and get all critical updates.
    I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
    Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.
    Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
    Safe Surfing!
     
  16. Kdyno24

    Kdyno24 TS Rookie Topic Starter

    Hi Dave,

    All seemed good but I decided to run RK again and it came back with this report which looks worrying to my untrained eye with its mention of disable registry tools and disable taskmgr.... No I did re-run some of the other tools we used before and they came up with nothing found... should I be worried?

    RogueKiller V9.1.0.0 [Jun 23 2014] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : kerry [Admin rights]
    Mode : Scan -- Date : 07/06/2014 17:56:45

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 10 ¤¤¤
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 194.168.4.100 194.168.8.100 -> FOUND
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 194.168.4.100 194.168.8.100 -> FOUND
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 194.168.4.100 194.168.8.100 -> FOUND
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{61DCCB1C-8BF9-4A52-B1D8-32F9BB785155} | DhcpNameServer : 194.168.4.100 194.168.8.100 -> FOUND
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{61DCCB1C-8BF9-4A52-B1D8-32F9BB785155} | DhcpNameServer : 194.168.4.100 194.168.8.100 -> FOUND
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{61DCCB1C-8BF9-4A52-B1D8-32F9BB785155} | DhcpNameServer : 194.168.4.100 194.168.8.100 -> FOUND
    [PUM.Policies] (X64) HKEY_USERS\S-1-5-21-431576526-45876521-1566683477-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
    [PUM.Policies] (X64) HKEY_USERS\S-1-5-21-431576526-45876521-1566683477-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
    [PUM.Policies] (X86) HKEY_USERS\S-1-5-21-431576526-45876521-1566683477-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
    [PUM.Policies] (X86) HKEY_USERS\S-1-5-21-431576526-45876521-1566683477-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤
     
  17. Superdave1941

    Superdave1941 Malware Helper Posts: 152

    Nothing to worry about.
     

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...