Author Topic: Need Help on Malware: PUM.DNS detected  (Read 4928 times)

0 Members and 1 Guest are viewing this topic.

December 11, 2014, 09:22:17 pm

Deepblue

  • Newbie

  • Offline
  • *

  • 3
  • Reputation:
    0
    • View Profile
Need Help on Malware: PUM.DNS detected
« on: December 11, 2014, 09:22:17 pm »
Hi,

I need help to understand if the detection is a a threat or not and if yes, what to do about it?

My laptop has been having performance issues for for a month
- all the browsers crash on starting. Only Firefox runs, but that too in safe mode.
- Speed is slow
- I live in a university in France and need to input my login credentials in the browser before I can access internet. But, of late I have observed that the laptop gets network internet access without me inputing my credentials
- I scanned with Webroot, Windows Defender, Malwarebytes but none of them found anything.

 Registry: A couple of days ago, when I updated and ran RK, it found some instances of PUM.DNS in the registry. I checked the IP address but it is a private IP. I also analyzed it in the Adlice log analyzer but it is reporting every entry as unknown.
Rootkit: I understand that n the Rootkit report, the Wrus is the Webroot Secure that is installed so that part is not a cause of worry. But I also see multiple instances of IRP:Addr detected in .....\SystemRoot\system32\drivers\mountmgr.sys

The log is reproduced below. Thanks for your help
-------------------------
RogueKiller V10.1.0.0 (x64) [Dec 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : D [Administrator]
Mode : Scan -- Date : 12/11/2014  20:54:57

Processes : 0

Registry : 9
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 172.29.188.201 172.29.188.202 [(Private Address) (XX)][(Private Address) (XX)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 172.29.188.201 172.29.188.202 [(Private Address) (XX)][(Private Address) (XX)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 172.29.188.201 172.29.188.202 [(Private Address) (XX)][(Private Address) (XX)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1D80A5EC-D6B9-4BBD-9359-6D500A298F38} | DhcpNameServer : 172.29.188.201 172.29.188.202 [(Private Address) (XX)][(Private Address) (XX)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8F179A79-A521-4D13-91D4-FF3150844B67} | DhcpNameServer : 172.29.188.201 172.29.188.202 [(Private Address) (XX)][(Private Address) (XX)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1D80A5EC-D6B9-4BBD-9359-6D500A298F38} | DhcpNameServer : 172.29.188.201 172.29.188.202 [(Private Address) (XX)][(Private Address) (XX)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{8F179A79-A521-4D13-91D4-FF3150844B67} | DhcpNameServer : 172.29.188.201 172.29.188.202 [(Private Address) (XX)][(Private Address) (XX)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{1D80A5EC-D6B9-4BBD-9359-6D500A298F38} | DhcpNameServer : 172.29.188.201 172.29.188.202 [(Private Address) (XX)][(Private Address) (XX)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{8F179A79-A521-4D13-91D4-FF3150844B67} | DhcpNameServer : 172.29.188.201 172.29.188.202 [(Private Address) (XX)][(Private Address) (XX)]  -> Found

Tasks : 0

Files : 0

Hosts File : 0

Antirootkit : 21 (Driver: Loaded)
[IAT:Inl] (firefox.exe) KERNEL32.dll - LoadLibraryExW : C:\Windows\SysWOW64\WRusr.dll @ 0x74a23840 (jmp 0xfffffffffdf0ef1b)
[IAT:Inl] (firefox.exe) USER32.dll - PostThreadMessageW : C:\Windows\SysWOW64\WRusr.dll @ 0x74a27d30 (jmp 0xffffffffff10f131)
[IAT:Inl] (firefox.exe) USER32.dll - PostThreadMessageA : C:\Windows\SysWOW64\WRusr.dll @ 0x74a27ce0 (jmp 0xffffffffff10407f)
[IAT:Inl] (firefox.exe) USER32.dll - PostMessageW : C:\Windows\SysWOW64\WRusr.dll @ 0x74a27dd0 (jmp 0xffffffffff106b2b)
[IAT:Inl] (firefox.exe) USER32.dll - PostMessageA : C:\Windows\SysWOW64\WRusr.dll @ 0x74a27d80 (jmp 0xffffffffff1041d6)
[IAT:Inl] (firefox.exe) USER32.dll - SendMessageCallbackW : C:\Windows\SysWOW64\WRusr.dll @ 0x74a27c90 (jmp 0xffffffffff1005b0)
[IAT:Inl] (firefox.exe) USER32.dll - SendMessageCallbackA : C:\Windows\SysWOW64\WRusr.dll @ 0x74a27c40 (jmp 0xffffffffff0b0f44)
[IAT:Inl] (firefox.exe) USER32.dll - SendMessageTimeoutW : C:\Windows\SysWOW64\WRusr.dll @ 0x74a27bf0 (jmp 0xffffffffff10e41e)
[IAT:Inl] (firefox.exe) USER32.dll - SendMessageTimeoutA : C:\Windows\SysWOW64\WRusr.dll @ 0x74a27ba0 (jmp 0xffffffffff100381)
[IAT:Inl] (firefox.exe) USER32.dll - SendNotifyMessageW : C:\Windows\SysWOW64\WRusr.dll @ 0x74a27b50 (jmp 0xffffffffff1004e8)
[IAT:Inl] (firefox.exe) USER32.dll - SendNotifyMessageA : C:\Windows\SysWOW64\WRusr.dll @ 0x74a27b10 (jmp 0xffffffffff0b0db3)
[IAT:Inl] (firefox.exe) USER32.dll - SendMessageW : C:\Windows\SysWOW64\WRusr.dll @ 0x74a27ad0 (jmp 0xffffffffff10e457)
[IAT:Inl] (firefox.exe) USER32.dll - SendMessageA : C:\Windows\SysWOW64\WRusr.dll @ 0x74a27a90 (jmp 0xffffffffff101962)
[IAT:Inl] (firefox.exe) USER32.dll - CreateWindowExW : C:\Windows\SysWOW64\WRusr.dll @ 0x74a1e540 (jmp 0xffffffffff105b17)
[IAT:Inl] (firefox.exe) USER32.dll - CreateWindowExA : C:\Windows\SysWOW64\WRusr.dll @ 0x74a1e4e0 (jmp 0xffffffffff1012b2)
[IAT:Inl] (firefox.exe) USER32.dll - SetWindowTextA : C:\Windows\SysWOW64\WRusr.dll @ 0x74a1e460 (jmp 0xffffffffff0f6972)
[IAT:Inl] (firefox.exe) USER32.dll - SetWindowTextW : C:\Windows\SysWOW64\WRusr.dll @ 0x74a1e420 (jmp 0xffffffffff0fc334)
[IAT:Inl] (firefox.exe) USER32.dll - DrawTextExW : C:\Windows\SysWOW64\WRusr.dll @ 0x74a1e3d0 (jmp 0xffffffffff0fcf32)
[IAT:Inl] (firefox.exe) USER32.dll - SetClipboardData : C:\Windows\SysWOW64\WRusr.dll @ 0x74a27710 (jmp 0xffffffffff0ce8b9)
[IAT:Inl] (firefox.exe) GDI32.dll - TextOutW : C:\Windows\SysWOW64\WRusr.dll @ 0x74a236d0 (jmp 0xffffffffff1a62b4)
[IAT:Inl] (firefox.exe) GDI32.dll - BitBlt : C:\Windows\SysWOW64\WRusr.dll @ 0x74a27620 (jmp 0xffffffffff1b177a)

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0: ST9500325AS ATA Device +++++
--- User ---
[MBR] c647fb4bb00e3813214eceb3e6f8fa49
[BSP] e0b58afe2c40307721c98a9fb902a5fa : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 59900 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 122882048 | Size: 200000 MB
3 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 532482048 | Size: 216938 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_11182014_172028.log - RKreport_SCN_11182014_171854.log - RKreport_SCN_12092014_222525.log - RKreport_SCN_12112014_035807.log
RKreport_SCN_12112014_185045.log


Reply #1December 12, 2014, 08:27:21 am

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 896
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: Need Help on Malware: PUM.DNS detected
« Reply #1 on: December 12, 2014, 08:27:21 am »
Hello
Not much to tell about it...

I'd suggest to give a try to AdwCleaner, because browser crash can be because of an extension.
Webroot hook DLL will be whitelisted in next release.


Reply #2December 12, 2014, 08:47:49 pm

Deepblue

  • Newbie

  • Offline
  • *

  • 3
  • Reputation:
    0
    • View Profile
Re: Need Help on Malware: PUM.DNS detected
« Reply #2 on: December 12, 2014, 08:47:49 pm »
Hi Tigzy,

Thanks for your response.
What should I do about the PUM.DNS? Should I just delete it using the RK?

Also enclosed below is the report from Adwcleaner. It did not find anything in the browsers, but found a few registry entries. Should I remove these

# AdwCleaner v4.105 - Report created 12/12/2014 at 20:43:25
# Updated 08/12/2014 by Xplode
# Database : 2014-12-12.1 [Live]
# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)
# Username : DD-PC
# Running from : C:\Users\DD\Desktop\adwcleaner_4.105.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17496


-\\ Mozilla Firefox v34.0.5 (x86 en-US)


-\\ Google Chrome v39.0.2171.71


*************************

AdwCleaner[R0].txt - [325 octets] - [18/11/2014 16:44:38]
AdwCleaner[R1].txt - [3331 octets] - [18/11/2014 18:02:26]
AdwCleaner[R2].txt - [980 octets] - [18/11/2014 18:22:16]
AdwCleaner[R3].txt - [1209 octets] - [28/11/2014 23:57:34]
AdwCleaner[R4].txt - [1933 octets] - [11/12/2014 19:09:09]
AdwCleaner[R5].txt - [1471 octets] - [12/12/2014 20:43:25]
AdwCleaner[S0].txt - [3373 octets] - [18/11/2014 18:05:56]
AdwCleaner[S1].txt - [1040 octets] - [18/11/2014 18:26:45]
AdwCleaner[S2].txt - [1273 octets] - [29/11/2014 00:07:59]
AdwCleaner[S3].txt - [2030 octets] - [11/12/2014 19:19:57]

########## EOF - C:\AdwCleaner\AdwCleaner[R5].txt - [1771 octets] ##########

Reply #3December 13, 2014, 07:32:40 am

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 896
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: Need Help on Malware: PUM.DNS detected
« Reply #3 on: December 13, 2014, 07:32:40 am »
Yes.
And if that continues, I'd reinstall the browser from scratch (uninstall, install)

Reply #4December 15, 2014, 11:45:29 pm

Deepblue

  • Newbie

  • Offline
  • *

  • 3
  • Reputation:
    0
    • View Profile
Re: Need Help on Malware: PUM.DNS detected
« Reply #4 on: December 15, 2014, 11:45:29 pm »
Thanks Tigzy