
Windows 7: PUM.Dns re-director found with RogueKiller

19 May 2015   #1

Cross Platform
PUM.Dns re-director found with RogueKiller

I have been finding this on several machines lately using RogueKiller. (Third one today)

Registry : 4
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : [(Private Address) (XX)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : [(Private Address) (XX)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B5D00FF2-C635-4597-A707-DEE7ED712F33} | DhcpNameServer : [(Private Address) (XX)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{B5D00FF2-C635-4597-A707-DEE7ED712F33} | DhcpNameServer : [(Private Address) (XX)] -> Found

The Private address is sometimes different but is always a class A private address.

After rebooting the entries return. Webpages are timing out on multiple browsers and ping returns >50% packet loss.

Suggestions online are to run the standard arsenal: Malwarebytes, AV cleaners, Combofix (Win 7), ESET, etc. None of these are finding the infection.

I have tried all of these and I am still receiving the same findings from RogueKiller. It is persistent even when booting to safe mode.

The only solution I have found thus far has been to Refresh the OS.

I am hoping someone finds a less intrusive solution. Any help would be appreciated.

21 May 2015   #2

Cross Platform

Update: Windows 7 Home 64 refresh via inserting Win 7 Install Disk > Upgrade option.

Entry in original post still shows up in RogueKiller. Ping no longer shows packet loss. I will do some more testing to see if internet browsers are showing any problems.

I am wondering if this is caused by a feature in Windows or supporting software. If it is a remnant of an infection, I am hoping to find out what keeps rewriting this entry to the registry.

The entry did not show up after a Refresh on a Windows 8.1 machine.
21 May 2015   #3

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
Monitor Registry Changes

Well, I'm not an expert at monitoring what process created registry changes, but since there are no other replies, here are some ideas.

You can run MJRegWatcher to monitor registry changes but it won't tell you what process was responsible for the change. It will give you the option to allow or block each registry change. I run this application on boot and never shut it down. Running it on boot is tricky - for me it involves creating an Elevated Shortcut and launching the application delayed once other security software has loaded. This might not be the best approach for you so you could try running it on demand only.
It monitors a preset list of important registry locations including your problem area. You'll get a prompt to block or allow the change if anything tries to modify that registry key. If you can spot any pattern and work out roughly when these changes will occur you can use Process Monitor to log the changes and filter the events log to display only events where Operation is RegSetValue.
If you think the problem happens on boot you can configure Process Monitor to create a boot log.

If you need to create a boot log here's a guide:

Enable System Boot Time Logging using Process Monitor

You can filter the boot log in the same way as before.


Also that registry location appears to be mapped to network cards here HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards as well as relating to both physical and software driven network adapters.

Based on that I'd say that you need a Networking expert - that's not something I'm good at!

Note: Not sure that it's an infection. RogueKiller might just be notifying on registry keys that could potentially have been modified by malware or non standard entries but that doesn't mean that the machine is infected.


21 May 2015   #4

Cross Platform

Thank you for your response, Callender. I also thank you for the new tool. I will definitely add MJRegWatcher to my toolkit.

Unfortunately I was unable to match up the process that was making the entry with those in Process Monitor's dump files.

I was able to tell that the entry was being written during the boot process. For the sake of efficiency, though, I am going to reload the OS on this particular machine this time. If I run into the problem again I will try to do some more research.

Thank you for your time.
22 May 2015   #5

W7 Pro SP1 64bit

The next time you see the issue, consider taking these steps:

Disable each network adapter.
(Network & Sharing Center > Change adapter settings > Select/Disable each adapter)

Open regedit and look for one of the undesired entries.
Close regedit without collapsing anything in the left pane.

Allow RogueKiller to remove the undesired entries.

Restart the computer.

Open regedit. (It should open to the last location.)

If the undesired entries are there, then you can give up on these steps.

If the undesired entries are not there, then:

Start Process monitor.
Filter on: Operation > Contains > RegSet > Include
(That should display RegSetValue, RegSetInfoKey, RegSetKeyValue, RegSetValueEx...)
Also filter on: Path > Contains > Tcpip\Parameters > Include

Enable one network adapter.

See if Process Monitor shows the offending app.
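The Process Monitor filtering described in posts #3 and #5, applied offline to a CSV export, as an added example that is not part of the original thread: it lists which process wrote each `DhcpNameServer`/`NameServer` value under `Tcpip\Parameters` and whether the written addresses are RFC 1918 private. The sample rows, process names, interface GUID and the `dns_writers`/`classify` helpers are constructed for illustration, and Process Monitor's default export columns are assumed.

```python
import csv, io, ipaddress, re
from collections import defaultdict

# Constructed sample in Process Monitor's default CSV export columns.
# Process names, PIDs, the interface GUID and addresses are made up.
IF_KEY = r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000001}"
SAMPLE_CSV = f'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"8:01:02 AM","svchost.exe","812","RegQueryValue","{IF_KEY}\\EnableDHCP","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"8:01:03 AM","svchost.exe","812","RegSetValue","{IF_KEY}\\DhcpNameServer","SUCCESS","Type: REG_SZ, Length: 36, Data: 10.0.0.1 10.0.0.2"
"8:01:03 AM","svchost.exe","812","RegSetValue","{IF_KEY}\\DhcpIPAddress","SUCCESS","Type: REG_SZ, Length: 20, Data: 10.0.0.57"
"8:01:09 AM","example-helper.exe","2440","RegSetValue","{IF_KEY}\\NameServer","SUCCESS","Type: REG_SZ, Length: 24, Data: 203.0.113.5"
'''
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def dns_writers(csv_text):
    """Map (process name, PID) -> set of DNS server strings it wrote."""
    writers = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"].lower()
        # Same filter as the thread: Operation contains RegSet ...
        if not row["Operation"].startswith("RegSet"):
            continue
        # ... and Path contains Tcpip\Parameters, narrowed to *NameServer values.
        if r"\tcpip\parameters" not in path or not path.endswith("nameserver"):
            continue
        data = row["Detail"].partition("Data: ")[2].strip()
        writers[(row["Process Name"], int(row["PID"]))].add(data)
    return dict(writers)

def classify(value):
    """Label each address in a space- or comma-separated DNS server list."""
    labels = {}
    for token in filter(None, re.split(r"[\s,]+", value)):
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            labels[token] = "not-an-ip"
            continue
        net = next((n for n in RFC1918 if ip in n), None)
        labels[token] = f"private {net}" if net else "non-private"
    return labels

if __name__ == "__main__":
    for (proc, pid), values in dns_writers(SAMPLE_CSV).items():
        for value in sorted(values):
            print(f"{proc} (PID {pid}) wrote {value!r}: {classify(value)}")
```

When reading a real export from disk, open it with `encoding="utf-8-sig"` so a leading byte-order mark does not end up in the first column name.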
14 Jul 2015   #6


Not sure if this might be useful for you, however I have the exact same issue. But I think it's related to my ISP and using cable modem. I'm not quite an expert at networking. But individually checking these registry keys seems to match up with my Optus IP addresses (I have three listed, not just Doesn't seem too suspicious. Could this be a false positive from RogueKiller?