Windows 7: PUM.Dns re-director found with RogueKiller

19 May 2015   #1
NicabarP

Cross Platform
 
 
PUM.Dns re-director found with RogueKiller

I have been finding this on several machines lately using RogueKiller. (Third one today)

Registry : 4
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.1 [(Private Address) (XX)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.1 [(Private Address) (XX)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B5D00FF2-C635-4597-A707-DEE7ED712F33} | DhcpNameServer : 10.0.0.1 [(Private Address) (XX)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{B5D00FF2-C635-4597-A707-DEE7ED712F33} | DhcpNameServer : 10.0.0.1 [(Private Address) (XX)] -> Found

The Private address is sometimes different but is always a class A private address.

After rebooting the entries return. Webpages are timing out on multiple browsers and ping returns >50% packet loss.

Suggestions online are to run the standard arsenal: Malwarebytes, AV cleaners, Combofix (Win 7), ESET, etc. None of these are finding the infection.

I have tried all of these and I am still receiving same findings from RogueKiller. It is persistent even when booting to safe mode.

The only solution I have found thus far has been to Refresh the OS.

I am hoping someone finds a less intrusive solution. Any help would be appreciated.


21 May 2015   #2
NicabarP

Cross Platform
 
 

Update: Windows 7 Home 64 refresh via inserting Win 7 Install Disk > Upgrade option.

Entry in original post still shows up in RogueKiller. Ping no longer shows packet loss. I will do some more testing to see if internet browsers are showing any problems.

I am wondering if this is caused by a feature in Windows or supporting software. If it is a remnant of an infection, I am hoping to find out what keeps rewriting this entry to the registry.

The entry did not show up after a Refresh on a Windows 8.1 machine.
21 May 2015   #3
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 
Monitor Registry Changes

Well, I'm not an expert at monitoring which process created registry changes, but since there are no other replies here are some ideas.

You can run MJRegWatcher to monitor registry changes but it won't tell you what process was responsible for the change. It will give you the option to allow or block each registry change. I run this application on boot and never shut it down. Running it on boot is tricky - for me it involves creating an Elevated Shortcut and launching the application delayed once other security software has loaded. This might not be the best approach for you so you could try running it on demand only.
[Screenshot: mjregwatcher.jpg]
It monitors a preset list of important registry locations including your problem area. You'll get a prompt to block or allow the change if anything tries to modify that registry key. If you can spot any pattern and work out roughly when these changes will occur you can use Process Monitor to log the changes and filter the events log to display only events where Operation is RegSetValue.
[Screenshot: process-monitor-filter.jpg]
If you think the problem happens on boot you can configure Process Monitor to create a boot log.

If you need to create a boot log here's a guide:

Enable System Boot Time Logging using Process Monitor

You can filter the boot log in the same way as before.

Edit:

Also that registry location appears to be mapped to network cards here HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards as well as relating to both physical and software driven network adapters.

Based on that I'd say that you need a Networking expert - that's not something I'm good at!

Note: Not sure that it's an infection. RogueKiller might just be notifying on registry keys that could potentially have been modified by malware, or on non-standard entries, but that doesn't mean that the machine is infected.



21 May 2015   #4
NicabarP

Cross Platform
 
 

Thank you for your response, Callender. I also thank you for the new tool. I will definitely add MJRegWatcher to my toolkit.

Unfortunately I was unable to match up the process that was making the entry with those in Process Monitor's dump files.

I was able to tell that the entry was being written during the boot process. For the sake of efficiency, though, I am going to reload the OS on this particular machine this time. If I run into the problem again I will try to do some more research.

Thank you for your time.
22 May 2015   #5
UsernameIssues

W7 Pro SP1 64bit
 
 

The next time you see the issue, consider taking these steps:

Disable each network adapter.
(Network & Sharing Center > Change adapter settings > Select/Disable each adapter)

Open regedit and look for one of the undesired entries.
Close regedit without collapsing anything in the left pane.

Allow RogueKiller to remove the undesired entries.

Restart the computer.

Open regedit. (It should open to the last location.)

If the undesired entries are there, then you can give up on these steps.

If the undesired entries are not there, then:

Start Process monitor.
Filter on: Operation > Contains > RegSet > Include
(That should display RegSetValue, RegSetInfoKey, RegSetKeyValue, RegSetValueEx...)
Also filter on: Path > Contains > Tcpip\Parameters > Include

Enable one network adapter.

See if Process Monitor shows the offending app.
14 Jul 2015   #6
thenewguyau

Win7x64
 
 

Not sure if this might be useful for you, however I have the exact same issue. But I think it's related to my ISP and using a cable modem. I'm not quite an expert at networking. But individually checking these registry keys seems to match up with my Optus IP addresses (I have three listed, not just 10.0.0.1). Doesn't seem too suspicious. Could this be a false positive from RogueKiller?
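Added example, not posted by anyone in this thread: a PowerShell triage script for the question raised in posts #5 and #6, i.e. whether a flagged DhcpNameServer value is simply the DNS server handed out by the current DHCP lease (expected) or a value no live adapter accounts for (worth chasing with Process Monitor). It assumes Windows 7 with WMI available and uses only the registry paths already quoted in the thread; the function and variable names are my own.

```powershell
# Correlate DhcpNameServer entries under Tcpip\Parameters\Interfaces with the adapters
# that actually hold a DHCP lease. The {GUID} key name equals the adapter's WMI SettingID.
# Windows 7 / PowerShell 2.0 compatible (WMI only, no NetTCPIP module required).

function Test-PrivateIPv4 {
    param([string]$Address)
    # RFC 1918 ranges: 10/8, 172.16/12, 192.168/16 (the "class A private address" in post #1 is 10/8)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

$ifaceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
$adapters  = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.SettingID }

foreach ($key in Get-ChildItem $ifaceRoot) {
    $guid   = $key.PSChildName
    $props  = Get-ItemProperty -Path $key.PSPath
    $dhcpNS = $props.DhcpNameServer   # written by the DHCP client from the lease
    $static = $props.NameServer       # manually configured DNS; normally empty on DHCP hosts
    if (-not $dhcpNS -and -not $static) { continue }

    $adapter = $adapters | Where-Object { $_.SettingID -eq $guid }
    $liveDNS = if ($adapter) { @($adapter.DNSServerSearchOrder) } else { @() }
    $name    = if ($adapter) { $adapter.Description } else { 'no adapter bound to this GUID' }

    # DhcpNameServer is a space- or comma-separated list when the lease carries several servers
    foreach ($server in ($dhcpNS -split '[ ,]+' | Where-Object { $_ })) {
        $verdict = if ($adapter -and $adapter.DHCPEnabled -and ($liveDNS -contains $server)) {
            'matches the live DHCP lease (expected, not a redirector)'
        } elseif (Test-PrivateIPv4 $server) {
            'private address with no matching live lease: confirm it is your router/DHCP server'
        } else {
            'public address written as DHCP DNS: confirm it belongs to your ISP'
        }
        "{0}`n  interface {1}`n  DhcpNameServer={2}  static NameServer='{3}'`n  -> {4}" -f `
            $name, $guid, $server, $static, $verdict
    }
}
```

A static NameServer value on an adapter you never configured by hand is the one field here that DHCP does not write, so a non-empty value there deserves more attention than the DhcpNameServer entries RogueKiller lists.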