Topic: Found PUM.Dns and Hidden.ADS, among a few others, need help analyzing logs


Posted by terpy, August 10, 2018, 06:26:42 AM
Hello, this is my first time posting here so I hope I hit all of the points. Lately my computer has been running slower than usual (especially my internet: I'm on AT&T 100 Mbps fiber and usually getting 10-50 down/up; strangely my upload is usually higher than download, which I haven't seen in my past internet plans) and for some reason my search function is acting strangely (it seems to be only searching for files/folders but not applications, might not be related), so over the past few days I've been running some scans and attempting to fix it myself but am unsure about these threats that RogueKiller recently picked up (PUM.Dns and Hidden.ADS). I'll attach my FRST, Addition and RogueKiller logs here. I've also included a Malwarebytes log that I ran a few days ago; in hindsight I should have asked about the threat it picked up before removing it, but what's done is done, I suppose.
 
I usually run several virus scans each week using Bitdefender, ESET, and Iolo's Malware Killer. For system optimization tools I generally run Avira and Iolo System Mechanic every couple of days. I've also tried using UnhackMe, Emsisoft Anti-Malware, HitmanPro, HouseCall, and AdwCleaner, among a few others I'm probably forgetting. I was doing a lot of googling the past week or so and wanted to see what the different programs would pick up. I ran an ESET scan earlier today that came back clean. UnhackMe found a few unwanted services/files, but I can't seem to find any logs for it. Again, in hindsight I should have saved those, because I know it makes your job more difficult not knowing what they may have found.

[edit] It's also worth noting, a few weeks ago a fraudulent charge was made on a credit card that I had thought was deactivated (Got a new one in the mail to replace my chip, called customer service to have the old one deactivated but apparently there must have been a glitch in the system or something, because it remained active). This is what initially sparked my flux of anti-virus scans. It's hard to pinpoint the problem to my PC though, it could easily be my phone, an RFID reader or a number of things. Strangely, all the thief bought was two tickets to Universal Studios. Weird.

Some notes regarding my FRST logs:
  • Upon reviewing them myself, the last two entries in the installed programs section in the additions.txt seem pretty suspect, with them being in other characters.
  • Any idea why Avast is still showing up in my security center, even though I uninstalled it quite a while ago? It's not listed in the installed programs section and Revo Uninstaller can't find it either, so I'm not sure what data is still on my PC from them.
  • My bitdefender firewall is normally turned on, I just turned it off temporarily for the scan to run.
  • I'm unsure of what the first account listed under "accounts" on the additions.txt file is or when it was even created.
  • In the FRST.txt drivers section, I'm not entirely sure how the CYREN Inc. drivers got there. I googled the company and it seems they work in cloud security, but I don't remember installing that. Could it have come bundled with something?
  • Same as above but with the GrdKey (Aktiv Co.) and netfilter2 entries


If there's anything else you need, just let me know. Again, sorry for running all these scans before coming here first. I hope that doesn't mess things up too badly.

Here is the RogueKiller log, I'll attach the rest to save space:

RogueKiller V12.12.30.0 (x64) [Aug  6 2018] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.17134) 64 bits version
Started in : Normal mode
User : Shane [Administrator]
Started from : C:\Users\Shane\Downloads\RogueKiller_portable64.exe
Mode : Scan -- Date : 08/08/2018 00:44:44 (Duration : 09:19:27)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 2 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f9447a42-403d-498e-8f23-f462e8222b89} | DhcpNameServer : 10.204.0.1 ([])  -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {DBC82562-F866-4112-961F-B0EAF59A5F61} : v2.28|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|App=C:\Users\Shane\AppData\Local\Temp\HouseCall\tmase\nmap\nmap.exe|Name=nmap4trend|Desc=nmap4trend|EmbedCtxt=nmap4trend|Edge=TRUE|Defer=App| [-] -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 2 ¤¤¤
[Hidden.ADS][Stream] C:\ProgramData:482EE99B1E21CE8C -> Found
[Hidden.ADS][Stream] C:\ProgramData:F92137B1307D3B14 -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA DT01ACA200 +++++
--- User ---
[MBR] 4c75434087abc4d8e5c9dd16c7bc894f
[BSP] cd51738a01e463ec516757a7f9380826 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 350 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 718848 | Size: 1906927 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 3906105344 | Size: 450 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Generic- SD/MMC USB Device +++++
--- User ---
[MBR] 9316104665a782f81734208e2c0e3e52
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 8192 | Size: 30432 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

Reply #1, Curson (Global Moderator), August 10, 2018, 08:51:50 PM
Hi terpy,

Welcome to Adlice.com Forum.
Let's begin by answering your questions.
Quote: "Upon reviewing them myself, the last two entries in the installed programs section in the additions.txt seem pretty suspect, with them being in other characters."
These are Russian and Chinese Language Packs for Visual Studio. If you don't need them, you can uninstall them.

Quote: "Any idea why Avast is still showing up in my security center, even though I uninstalled it quite a while ago? It's not listed in the installed programs section and Revo Uninstaller can't find it either, so I'm not sure what data is still on my PC from them."
It seems the Avast uninstaller did not remove all of the Avast items. We will manually remove them with the fixlist below.

Quote: "I'm unsure of what the first account listed under "accounts" on the additions.txt file is or when it was even created."
It seems it was generated randomly. It will also be taken care of with the fixlist.

Quote: "In the FRST.txt drivers section, I'm not entirely sure how the CYREN Inc. drivers got there."
They are part of Iolo System Mechanic.

Quote: "Same as above but with the GrdKey (Aktiv Co.) and netfilter2 entries"
The first one is a USB dongle device driver; the second one is a leftover and will be removed.

Please uninstall Spybot - Search & Destroy 2.
It's not effective anymore and can conflict with BitDefender and/or ZAM.

Download the attached fixlist.txt file and save it to the Desktop.
NOTE: it's important that both files, FRST and fixlist.txt, are in the same location, or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!

Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Regards.
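Before a removal script runs, a practitioner wants to know what each of the three RogueKiller finding classes actually is, and that is something the user can check without deleting anything. The PowerShell below is an added example: it is not part of the thread and is not code from Adlice, RogueKiller or FRST. It assumes Windows 10 with Windows PowerShell 5.1 run as Administrator, and it uses only the registry keys, paths and names that appear in the RogueKiller log above. It reads exactly what RogueKiller reported and changes nothing.

```powershell
# Added triage script: not from the thread, RogueKiller or Adlice. Assumes Windows 10 with
# Windows PowerShell 5.1 run as Administrator, and uses only the keys, paths and names that
# RogueKiller reported in the log above. Everything here is read-only.

# --- 1. PUM.Dns -------------------------------------------------------------------------
# RogueKiller flags a DHCP-assigned DNS server it does not recognise. Map the interface GUID
# to an adapter and check whether the DNS server is just the DHCP default gateway (the normal
# home-router case) or a resolver that arrived some other way.
$ifaceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
$adapters = Get-NetAdapter -IncludeHidden
Get-ChildItem -Path $ifaceKey | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    if ($p.DhcpNameServer -or $p.NameServer) {
        $guid    = $_.PSChildName                  # e.g. {f9447a42-403d-498e-8f23-f462e8222b89}
        $adapter = $adapters | Where-Object { $_.InterfaceGuid -eq $guid }
        $name    = if ($adapter) { $adapter.Name } else { "(unbound) $guid" }
        $dns     = @($p.DhcpNameServer -split '\s+' | Where-Object { $_ })
        [pscustomobject]@{
            Adapter        = $name
            DhcpNameServer = $p.DhcpNameServer
            StaticDns      = $p.NameServer         # non-empty means DNS was overridden by hand or by software
            DhcpGateway    = ($p.DhcpDefaultGateway -join ',')
            # True when every DHCP DNS server is also a DHCP default gateway on this interface
            DnsIsGateway   = ($dns.Count -gt 0) -and -not ($dns | Where-Object { $p.DhcpDefaultGateway -notcontains $_ })
        }
    }
} | Format-Table -AutoSize

# --- 2. Suspicious.Path -----------------------------------------------------------------
# Decode the pipe-separated rule strings in the same registry store RogueKiller read and list
# inbound Allow rules whose program lives under a user's Temp folder, as the nmap4trend rule does.
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
(Get-ItemProperty -Path $fwKey).PSObject.Properties |
    Where-Object { $_.Value -is [string] -and $_.Value -like 'v2.*' } |
    ForEach-Object {
        $rule = @{ Profile = @() }
        foreach ($tok in $_.Value.Split('|')) {
            $kv = $tok.Split('=', 2)
            if ($kv.Count -ne 2) { continue }
            if ($kv[0] -eq 'Profile') { $rule.Profile += $kv[1] }            # Profile= repeats per profile
            elseif (-not $rule.ContainsKey($kv[0])) { $rule[$kv[0]] = $kv[1] }
        }
        if ($rule['Action'] -eq 'Allow' -and $rule['Dir'] -eq 'In' -and
            $rule['App'] -match '\\Users\\[^\\]+\\AppData\\Local\\Temp\\') {
            [pscustomobject]@{
                RuleId    = $_.Name
                Name      = $rule['Name']
                App       = $rule['App']
                Active    = $rule['Active']
                Profiles  = ($rule.Profile -join ',')
                AppExists = Test-Path -LiteralPath $rule['App']      # False = rule for a file that is already gone
            }
        }
    } | Format-List

# --- 3. Hidden.ADS ----------------------------------------------------------------------
# Enumerate the alternate data streams on C:\ProgramData and preview their contents and hashes
# before deleting, so each stream can be judged (plain text? a marker? binary?) and looked up later.
Get-Item -LiteralPath 'C:\ProgramData' -Stream * -ErrorAction SilentlyContinue | ForEach-Object {
    # Windows PowerShell 5.1 syntax; on PowerShell 7 replace '-Encoding Byte' with '-AsByteStream'
    $bytes = [byte[]](Get-Content -LiteralPath 'C:\ProgramData' -Stream $_.Stream -Encoding Byte -ReadCount 0)
    if ($null -eq $bytes) { $bytes = [byte[]]::new(0) }
    $ascii = -join ($bytes | ForEach-Object { if ($_ -ge 0x20 -and $_ -le 0x7e) { [char]$_ } else { '.' } })
    [pscustomobject]@{
        Stream  = $_.Stream
        Bytes   = $bytes.Length
        Sha256  = (Get-FileHash -InputStream ([System.IO.MemoryStream]::new($bytes)) -Algorithm SHA256).Hash
        Preview = $ascii.Substring(0, [Math]::Min(80, $ascii.Length))
    }
} | Format-List
```

PUM stands for potentially unwanted modification, not malware: for PUM.Dns RogueKiller is reporting a DHCP-assigned DNS server it does not recognise, so the question is whether 10.204.0.1 is the user's own router or VPN gateway (DnsIsGateway comes back True) or a resolver that was never chosen. A DhcpNameServer value is rewritten at every DHCP lease anyway, so deleting it in the registry fixes nothing; if it is not the gateway, look at the network side. The Suspicious.Path entry is a firewall rule whose name (nmap4trend) and path (a HouseCall folder under Temp) say it was created by the Trend Micro HouseCall scan the user ran; once the Temp folder is gone AppExists is False and the rule is only dead weight, removable from Windows Defender Firewall with Advanced Security. For the two streams on C:\ProgramData the preview and hash are what to keep before the fixlist removes them.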

Reply #2, terpy, August 12, 2018, 09:30:08 PM
Hi Curson, thank you for the thorough response! Sorry it took me a while to get back, I had to leave unexpectedly for a day. I've run the fix command, which produced the following log:

Fix result of Farbar Recovery Scan Tool (x64) Version: 02.08.2018
Ran by Shane (12-08-2018 11:33:20) Run:1
Running from C:\Users\Shane\Desktop\Security  Tools
Loaded Profiles: Shane (Available Profiles: Shane & Administrator)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
S1 netfilter2; system32\drivers\netfilter2.sys [X]
AV: Avast Antivirus (Disabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Spybot - Search and Destroy (Disabled - Out of date) {A16C3F68-9280-E053-1818-342707FECF4D}
AS: Avast Antivirus (Disabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
FW: avast! Antivirus (Disabled) {2F96FC65-F07D-9D1E-5A6E-3DA5C487EAF0}
AlternateDataStreams: C:\ProgramData:482EE99B1E21CE8C [217]
AlternateDataStreams: C:\ProgramData:F92137B1307D3B14 [217]
AlternateDataStreams: C:\WINDOWS\SwUSB.exe:AGC

AlternateDataStreams: C:\Users\All Users:482EE99B1E21CE8C [217]
AlternateDataStreams: C:\Users\All Users:F92137B1307D3B14 [217]
AlternateDataStreams: C:\ProgramData\Application Data:482EE99B1E21CE8C [217]
AlternateDataStreams: C:\ProgramData\Application Data:F92137B1307D3B14 [217]
AlternateDataStreams: C:\ProgramData\TEMP:CB0AACC9 [286]
[-HKLM\SYSTEM\CurrentControlSet\Services\45837EB55DEAE840]
C:\WINDOWS\system32\drivers\45837EB55DEAE840.sys
CMD: net user 12FA1BE483FC47BA9482 /delete
EmptyTemp:
*****************

Processes closed successfully.
"HKLM\System\CurrentControlSet\Services\netfilter2" => removed successfully
netfilter2 => service removed successfully
"AV: Avast Antivirus (Disabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}" => removed successfully
"AS: Spybot - Search and Destroy (Disabled - Out of date) {A16C3F68-9280-E053-1818-342707FECF4D}" => removed successfully
"AS: Avast Antivirus (Disabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}" => removed successfully
"FW: avast! Antivirus (Disabled) {2F96FC65-F07D-9D1E-5A6E-3DA5C487EAF0}" => removed successfully
C:\ProgramData => ":482EE99B1E21CE8C" ADS removed successfully
C:\ProgramData => ":F92137B1307D3B14" ADS removed successfully
C:\WINDOWS\SwUSB.exe => ":AGC" ADS removed successfully
"C:\Users\All Users" => ":482EE99B1E21CE8C" ADS not found.
"C:\Users\All Users" => ":F92137B1307D3B14" ADS not found.
"C:\ProgramData\Application Data" => ":482EE99B1E21CE8C" ADS not found.
"C:\ProgramData\Application Data" => ":F92137B1307D3B14" ADS not found.
C:\ProgramData\TEMP => ":CB0AACC9" ADS removed successfully
HKLM\SYSTEM\CurrentControlSet\Services\45837EB55DEAE840 => not found
"C:\WINDOWS\system32\drivers\45837EB55DEAE840.sys" => not found

========= net user 12FA1BE483FC47BA9482 /delete =========

The command completed successfully.


========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 6053888 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 24446948 B
Java, Flash, Steam htmlcache => 156997395 B
Windows/system/drivers => 15769326 B
Edge => 1482240 B
Chrome => 415121840 B
Firefox => 8768464 B
Opera => 9691872 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 5438 B
LocalService => 0 B
NetworkService => 0 B
NetworkService => 0 B
Shane => 1133756826 B
Administrator => 140029 B

RecycleBin => 4684409710 B
EmptyTemp: => 6 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 11:59:13 ====
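The Fixlog records what FRST did at the moment it ran; what a practitioner wants after the reboot is confirmation that none of it came back at boot, plus an answer to the "which account is that and when was it created" question as far as Windows can give one. The PowerShell below is an added example, not part of the thread and not FRST output. It assumes an elevated Windows PowerShell 5.1 session on the same machine after the reboot, and it names only the items the fixlist above targeted. It reports; it does not remove anything.

```powershell
# Added post-fix check: not from the thread and not FRST output. Assumes an elevated Windows
# PowerShell 5.1 session on the same machine after the reboot, and uses only the names the
# fixlist above targeted. Read-only; it reports, it does not remove.

function Test-FixTarget {
    param([string]$Item, [bool]$Clean)
    [pscustomobject]@{ Item = $Item; Clean = $Clean }
}

function Get-AdsNames([string]$Path) {
    # named streams only; ':$DATA' is the file's ordinary content, not an ADS
    @(Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } | ForEach-Object Stream)
}

$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$drv = "$env:SystemRoot\System32\drivers"

$report = @(
    Test-FixTarget 'service key netfilter2'          (-not (Test-Path "$svc\netfilter2"))
    Test-FixTarget 'driver netfilter2.sys'           (-not (Test-Path "$drv\netfilter2.sys"))
    Test-FixTarget 'service key 45837EB55DEAE840'    (-not (Test-Path "$svc\45837EB55DEAE840"))
    Test-FixTarget 'driver 45837EB55DEAE840.sys'     (-not (Test-Path "$drv\45837EB55DEAE840.sys"))
    Test-FixTarget 'local user 12FA1BE483FC47BA9482' (-not (Get-LocalUser -Name '12FA1BE483FC47BA9482' -ErrorAction SilentlyContinue))
    Test-FixTarget 'ADS on C:\ProgramData'           ((Get-AdsNames 'C:\ProgramData').Count -eq 0)
    Test-FixTarget 'ADS on C:\ProgramData\TEMP'      ((Get-AdsNames 'C:\ProgramData\TEMP').Count -eq 0)
    Test-FixTarget 'ADS on SwUSB.exe'                ((Get-AdsNames "$env:SystemRoot\SwUSB.exe").Count -eq 0)
)
$report | Format-Table -AutoSize

# The FRST "AV:/AS:/FW:" lines come from these WMI classes; an Avast entry still listed here
# is the stale Security Center registration the fixlist set out to clear.
'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct' | ForEach-Object {
    $class = $_
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName $class -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Class'; e = { $class } }, displayName, instanceGuid, productState
} | Format-Table -AutoSize

# The account question: LocalAccounts exposes no creation date, so PasswordLastSet and the RID
# (last number of the SID; RIDs from 1000 up are handed out sequentially, so a higher RID is a
# later-created account) are the closest proxies Windows offers.
Get-LocalUser | Select-Object Name, Enabled, PasswordLastSet, LastLogon,
    @{ n = 'RID'; e = { [int]($_.SID.Value -split '-')[-1] } } |
    Sort-Object RID | Format-Table -AutoSize
```

Every row of the first table should read Clean = True. The two "not found" pairs in the Fixlog (C:\Users\All Users and C:\ProgramData\Application Data) are expected: both are junctions onto C:\ProgramData, so the streams were already gone once the first two lines removed them from the real directory.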

Reply #3, Curson (Global Moderator), August 13, 2018, 01:02:11 AM
Hi terpy,

Don't worry about it.
How is your system running now ?

Regards.

Reply #4, terpy, August 13, 2018, 02:42:57 AM
Well, it seems my internet speeds are still pretty slow (19 Mbps down, 29 Mbps up on wireless, whereas my phone gets 119 down and 64 up), which might be an issue with my ISP; the last time I called them they didn't have any answers for me, though. Also, for some reason my search feature still doesn't work (it doesn't search for applications, just folders and random files), but the computer itself seems to be running alright. It was never really that slow; I was just worried because my credit card had been compromised, so I wanted to be sure my PC was clean.

Do you have any idea what could be causing my internet speeds to be so low on only my PC?

Thanks again for all the help.

Reply #5, Curson (Global Moderator), August 13, 2018, 03:58:16 PM
Hi terpy,

We are going to check your system for rootkits.
  • Please download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check Loaded Modules and Detect TDLFS file system.
  • If you are asked to reboot because an "Extended Monitoring Driver is required", please click Reboot now.
  • Click Start Scan and allow the scan process to run.
    If threats are detected, select Skip for all of them unless I instruct you otherwise.
  • Click Continue.
  • Click Reboot computer.
Please attach the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt, found in your root directory (typically C:\), in your next reply.

Regards.