Author Topic: Help with Scan  (Read 7290 times)


October 14, 2014, 09:06:36 PM

asmaio

  • Guest
Help with Scan
« on: October 14, 2014, 09:06:36 PM »
I downloaded what appears to be a browser redirect virus from ABC.com. I've been going through the steps found here (http://malwaretips.com/blogs/remove-browser-redirect-virus/) to get it off, and am at the RogueKiller step. I did the scan last night, but don't know enough to know whether I should delete any of these, or if they were flagged because they were changes I made. Any help?

RogueKiller V10.0.1.0 (x64) [Oct 10 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : The Newmans [Administrator]
Mode : Scan -- Date : 10/13/2014  22:45:41

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 9 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{26BED2C3-26F5-461B-ADA0-1E93BB1BFE39} | NameServer : 1.135.12.56,199.203.35.78  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{26BED2C3-26F5-461B-ADA0-1E93BB1BFE39} | NameServer : 1.135.12.56,199.203.35.78  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{26BED2C3-26F5-461B-ADA0-1E93BB1BFE39} | NameServer : 1.135.12.56,199.203.35.78  -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] lhn5af9n.default-1393357595627 : user_pref("browser.startup.homepage", "http://www.nbcnews.com/"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK3275GSX ATA Device +++++
--- User ---
[MBR] 427879a3e25cc50aeb5aa9418c7873d5
[BSP] bc0ba247a136d3b44aa08b5a42108d8e : Windows Vista/7/8 MBR Code
Partition table:
1 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 291176 MB
3 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 599402496 | Size: 12568 MB
User = LL1 ... OK
User = LL2 ... OK


Reply #1October 15, 2014, 07:26:34 AM

Tigzy

  • Administrator, Owner, Adlice Software
Re: Help with Scan
« Reply #1 on: October 15, 2014, 07:26:34 AM »
Hello
Sounds like an adware, can you try AdwCleaner?

Reply #2October 15, 2014, 08:15:10 AM

asmaio

  • Guest
Re: Help with Scan
« Reply #2 on: October 15, 2014, 08:15:10 AM »
I've tried all of the steps listed here:

http://malwaretips.com/blogs/remove-browser-redirect-virus/

I skipped deleting anything turned up after RogueKiller ran its scan because I don't know if any of it is essential. I went through the steps following the RogueKiller check and it's still there. So either I need to delete something turned up in the Rogue scan or these steps aren't working.

Reply #3October 15, 2014, 09:03:06 AM

Tigzy
Re: Help with Scan
« Reply #3 on: October 15, 2014, 09:03:06 AM »
It's only PUMs, that probably won't help against that.
Did AdwCleaner come clean?

Reply #4October 15, 2014, 10:39:50 AM

redwolfe_98

  • Guest
Re: Help with Scan
« Reply #4 on: October 15, 2014, 10:39:50 AM »
the DNS settings look suspicious.. you could check your DNS settings, or allow "roguekiller" to remove the "PUM.DNS" items that it flagged, which I assume would restore Windows default settings for DNS..

if you are using custom settings for DNS and you know that they are what they are supposed to be, then you don't need to worry about that..

to check the DNS settings (in "Windows"), go to "control panel" / "network connections" and check the "properties" for the "connectoid" that you use for connecting to the internet..

here is a screenshot of the DNS settings for the "connectoid" that i use for connecting to the internet:



the DEFAULT setting for "DNS" is "obtain DNS server address automatically".. I am using custom settings for my DNS servers..

it could be that the DNS servers that are used by your computer are determined by settings in a "router" that you use.. you could check the router's settings and see if there is a problem there..

also, check your browser's settings to see if they have been modified by malware, to where they are using a "proxy"..


Reply #5October 15, 2014, 11:01:14 AM

Tigzy
Re: Help with Scan
« Reply #5 on: October 15, 2014, 11:01:14 AM »
I think the DNS are legit, they point to Australia...

EDIT: You're right, I only checked the first IP :/
The second one points to Israel, very suspicious to have DNS in different countries...
You may want to clean them with RogueKiller.
« Last Edit: October 15, 2014, 11:02:56 AM by Tigzy »

Reply #6October 15, 2014, 11:18:02 AM

redwolfe_98

  • Guest
Re: Help with Scan
« Reply #6 on: October 15, 2014, 11:18:02 AM »
Quote
NameServer : 1.135.12.56,199.203.35.78  -> Found
the first IP address, for the DNS server, is in Australia.. the second one is in Israel.. something is wrong, there..
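The check the two replies above describe, done against the scan log instead of by hand: parse the [PUM.Dns] lines, group the static NameServer values per interface, and flag any resolver the owner did not set deliberately. This is an added example, not code from the thread or from Adlice; the log lines are constructed from the values quoted in the thread, the second interface GUID and the 192.168.1.1 router address are made up for contrast, the allowlist is an assumption, and the country lookup the replies used is left out because it needs an external service.

```python
import re
from ipaddress import ip_address

# Constructed sample in the shape of RogueKiller's [PUM.Dns] lines (the two
# resolver addresses and the first GUID are the ones quoted in the thread; the
# second interface and its router address are made up for contrast).
SAMPLE_LOG = r"""
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{26BED2C3-26F5-461B-ADA0-1E93BB1BFE39} | NameServer : 1.135.12.56,199.203.35.78  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{26BED2C3-26F5-461B-ADA0-1E93BB1BFE39} | NameServer : 1.135.12.56,199.203.35.78  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AAAA0000-0000-0000-0000-000000000001} | NameServer : 192.168.1.1  -> Found
"""

PUM_DNS_RE = re.compile(
    r"\[PUM\.Dns\]\s+\((?P<arch>X64|X86)\)\s+(?P<key>HKEY_\S+)\s*\|\s*"
    r"NameServer\s*:\s*(?P<servers>\S+)\s*->\s*(?P<status>\w+)"
)


def parse_pum_dns(log_text):
    # One entry per interface GUID. CurrentControlSet is normally a link to one
    # of the numbered ControlSets, so the same interface is listed several
    # times; keep every distinct resolver list seen for it.
    per_iface = {}
    for m in PUM_DNS_RE.finditer(log_text):
        guid = m.group("key").rsplit("\\", 1)[-1]
        servers = tuple(s for s in m.group("servers").split(",") if s)
        per_iface.setdefault(guid, set()).add(servers)
    return per_iface


def triage(per_iface, expected_static=frozenset()):
    # Windows' default ("obtain DNS server address automatically") leaves
    # NameServer empty, so anything RogueKiller lists here is a static override.
    # It is only acceptable when every address is one the owner set on purpose
    # (expected_static, an assumed allowlist); anything else gets flagged.
    verdicts = {}
    for guid, lists in per_iface.items():
        problems = set()
        for servers in lists:
            for s in servers:
                try:
                    ip_address(s)
                except ValueError:
                    problems.add(f"malformed resolver {s!r}")
                    continue
                if s not in expected_static:
                    problems.add(f"unexpected static resolver {s}")
        verdicts[guid] = "ok" if not problems else "; ".join(sorted(problems))
    return verdicts
```

Run `triage(parse_pum_dns(SAMPLE_LOG), {"192.168.1.1"})` to see the thread's interface flagged for both resolvers while the made-up router-only interface comes back "ok"; with an empty allowlist every static entry is flagged, which is the right reading when the machine is supposed to use DHCP-assigned DNS.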

Reply #7October 15, 2014, 05:54:45 PM

Tigzy
Re: Help with Scan
« Reply #7 on: October 15, 2014, 05:54:45 PM »
Yes, that's what I said in my edit :)
Let's fix this.