120 replies to this topic

[Tomk]

I'm not sure what you learned about DNS servers but I explain it like this:

 

The internet doesn't understand words.  It only knows numbers.  Every webpage has an "address" that is a series of numbers that points to where a webpage is located.  When you type words in your browser (like www.whatthetech.com) your browser sends those words to a DNS server that then tells your computer what the numbers are that will give you that website.  It kind of like a phone book.  You look up a name and it gives you a number to reach the party you are looking for.  The nice thing about this system is that websites get moved all of the time.  However, the DNS server get repopulated with the new location so you, as a user, never have to know that.  The DNS server will report back the correct number within an hour or two of the change being made.  Most people setup the DNS server of their ISP as the default (in your case Time Warner), but often the public DNS servers like Google or OpenDNS are faster.

 

I don't know of any adverse effects that changing DNS servers should cause you.

 

To back track a little, purple is not a network.  It is the name of your computer.  You can see it in several of the logs you provided.  For example, an excerpt from FRST:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-06-2014 02
Ran by l (administrator) on PURPLE on 30-06-2014 08:23:49
Running from C:\Users\l\Desktop
Platform: Windows 8 (X64) OS Language: English (United States)
Internet Explorer Version 10
Boot Mode: Normal

the rest of the "weird" line - wi.rr.com is the time warner network (also known as RoadRunner).  The whole line is just saying that the computer named purple is connected to the Time Warner network - which is correct as your computer is named purple and you gain access to the internet through your internet service provider... Time Warner.

 

I'm not convinced that this will resolve everything... I just want to try it.  If issues still continue, we will reset your MBR.  TDSSKiller didn't find a rootkit... but there could still be something there that is messing you up.

[wilma1313]

Ok I can do all that. I want to backtrack to my roguekiiller question though. I didn't do any deleting because the tabs were different thAN as described. I had a lot of items under antirootkit, registry, browser tabs and one item under hosts. Did I need to delete any of that?

[Tomk]

Please bear with me as I'm a little confused.  Based upon the roguekiller log that you posted...

 

In the registry section there were 8 entries dealing with your DNS server - fix them.

There were no bad processes - nothing to fix

There were no bad tasks - nothing to fix

There were no bad files - nothing to fix

There was one entry in your hosts file, but it is the default entry so - nothing to fix

There were no entries in Rootkit - nothing to fix

there were no entries in Browser tabs - nothing to fix.

 

Please let me know if you are seeing something different.

[wilma1313]

I had different tabs than you indicated. I had tons of entries under the tabs I indicated in my post. I have no clue what any of that meant or what the report means.

[Tomk]

Can you please mark the 8 items listed in Registry in the log you provided?

[wilma1313]

I have to run it again. I kept it open when I asked about the delete step in your directions but a thunderstorm knocked out the power.

No improvement in the computer. I am posting from my iPad because I am being blocked from posting on the computer again.

[Tomk]

To be clear... you've already ran it again?

[wilma1313]

Just ran it again. Mlooking back at the report totally do not understand how nothing under root kit. May have screwed up when I copied and pasted using my iPad. I am again copying and pasting today's report because I can't post from my computer.

RogueKiller V9.2.3.0 (x64) [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.co...es/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8 (6.2.9200 ) 64 bits version
Started in : Normal mode
User : l [Admin rights]
Mode : Scan -- Date : 07/17/2014 11:23:24

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters |
DhcpNameServer : 209.18.47.61 209.18.47.62 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters |
DhcpNameServer : 209.18.47.61 209.18.47.62 -> FOUND
[PUM.Dns] (X64)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{63F6AE22
-B6DD-4476-A864-3652DE675725} | DhcpNameServer : 209.18.47.61 209.18.47.62 -> FOUND
[PUM.Dns] (X64)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D9443B57
-4010-4CB8-8171-44BCB8CF3513} | DhcpNameServer : 209.18.47.61 209.18.47.62 -> FOUND
[PUM.Dns] (X64)
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{63F6AE22-B6D
D-4476-A864-3652DE675725} | DhcpNameServer : 209.18.47.61 209.18.47.62 -> FOUND
[PUM.Dns] (X64)
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{D9443B57-401
0-4CB8-8171-44BCB8CF3513} | DhcpNameServer : 209.18.47.61 209.18.47.62 -> FOUND
[PUM.DesktopIcons] (X86)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\New
StartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X86)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\New
StartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\windows\System32\drivers\etc\hosts] 127.0.0.1 localhost

¤¤¤ Antirootkit : 10 (Driver: LOADED) ¤¤¤
[EAT:Addr] (iexplore.exe) msls31.dll - DirectInput8Create :
C:\windows\SysWOW64\DINPUT8.dll @ 0x6ba3c671
[EAT:Addr] (iexplore.exe) msls31.dll - DllCanUnloadNow : C:\windows\SysWOW64\DINPUT8.dll
@ 0x6ba3c33d
[EAT:Addr] (iexplore.exe) msls31.dll - DllGetClassObject :
C:\windows\SysWOW64\DINPUT8.dll @ 0x6ba3c2ac
[EAT:Addr] (iexplore.exe) msls31.dll - DllRegisterServer :
C:\windows\SysWOW64\DINPUT8.dll @ 0x6ba49bec
[EAT:Addr] (iexplore.exe) msls31.dll - DllUnregisterServer :
C:\windows\SysWOW64\DINPUT8.dll @ 0x6ba49c0c
[EAT:Addr] (iexplore.exe) msls31.dll - DirectInput8Create :
C:\windows\SysWOW64\DINPUT8.dll @ 0x6ba3c671
[EAT:Addr] (iexplore.exe) msls31.dll - DllCanUnloadNow : C:\windows\SysWOW64\DINPUT8.dll
@ 0x6ba3c33d
[EAT:Addr] (iexplore.exe) msls31.dll - DllGetClassObject :
C:\windows\SysWOW64\DINPUT8.dll @ 0x6ba3c2ac
[EAT:Addr] (iexplore.exe) msls31.dll - DllRegisterServer :
C:\windows\SysWOW64\DINPUT8.dll @ 0x6ba49bec
[EAT:Addr] (iexplore.exe) msls31.dll - DllUnregisterServer :
C:\windows\SysWOW64\DINPUT8.dll @ 0x6ba49c0c

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST2000DM001-1CH164 +++++
--- User ---
[MBR] fb2c3fc65261573874936bf2118697dc
[BSP] dcfc9110a497e768fae04a96b60f49a8 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097152 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Generic- Compact Flash USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive2: Generic- SD/MMC USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: Generic- MS/MS-PRO USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: Generic- xD-Picture USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )


============================================
RKreport_SCN_07112014_194657.log

[Tomk]

OK... I see the problem.  The report you posted only shows "bad" or "suspicious" items.  What you see under the tabs includes everything found... good and bad.  Under the rootkit tab - the items listed are shown colored green  - Correct?  These are not "bad" entries.  These are just entries that were found... but they are necessary to your system.  Also, I don't believe that they will have a checkbox to the left of them so you cannot check to remove them anyway.

 

So  don't remove any green entries... and attempt to remove the rest by checking the box next to all the entries... and then clicking on the delete button.

[wilma1313]

I just want to double check that it is ok to remove the entries under registry that have checkboxes and are not green.

[Tomk]

Yes. I believe you will find there are 8 of them.

[wilma1313]

Hi. That is done. What next?

[Tomk]

Is there any difference in the systems operation?

 

if not... then please run this tool:

 

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan


On completion of the scan click save log, save it to your desktop and post in your next reply


 

[wilma1313]

aswMBR version 1.0.1.2041 Copyright© 2014 AVAST Software
Run date: 2014-07-21 15:25:10
-----------------------------
15:25:10.394 OS Version: Windows x64 6.2.9200
15:25:10.394 Number of processors: 4 586 0x3C03
15:25:10.394 ComputerName: PURPLE UserName: l
15:25:11.488 Initialize success
15:25:11.488 VM: initialized successfully
15:25:11.519 VM: Intel CPU supported virtualizedSuspended
15:25:12.904 VM: disk I/O iaStorA.sys
15:25:16.373 AVAST engine defs: 14072100
15:25:18.342 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000036
15:25:18.342 Disk 0 Vendor: ST2000DM001-1CH164 HP33 Size: 1907729MB BusType: 11
15:25:18.482 Disk 0 MBR read successfully
15:25:18.498 Disk 0 MBR scan
15:25:18.498 Disk 0 unknown MBR code
15:25:18.498 Disk 0 Partition 1 00 EE GPT 2097151 MB offset 1
15:25:18.576 Disk 0 scanning C:\windows\system32\drivers
15:25:27.935 Service scanning
15:25:40.420 Modules scanning
15:25:40.420 Disk 0 trace - called modules:
15:25:40.936 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll iaStorA.sys
15:25:40.951 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800bd14060]
15:25:40.951 3 CLASSPNP.SYS[fffff88000a29e0a] -> nt!IofCallDriver -> [0xfffffa800976a700]
15:25:40.967 5 ACPI.sys[fffff8800117aa91] -> nt!IofCallDriver -> [0xfffffa800acdbe40]
15:25:40.967 7 ACPI.sys[fffff8800117aa91] -> nt!IofCallDriver -> \Device\00000036[0xfffffa8009723210]
15:25:41.920 AVAST engine scan C:\windows
15:25:44.092 AVAST engine scan C:\windows\system32
15:27:19.483 AVAST engine scan C:\windows\system32\drivers
15:27:31.061 AVAST engine scan C:\Users\l
15:33:25.709 AVAST engine scan C:\ProgramData
15:33:52.860 Scan finished successfully
16:26:16.231 Disk 0 MBR has been saved successfully to "C:\Users\l\Desktop\MBR.dat"
16:26:16.231 The log file has been saved successfully to "C:\Users\l\Desktop\aswMBR1.txt"

[Tomk]

Could you please find this file: C:\Users\l\Desktop\MBR.dat and attach it to your next reply?