WARNING! The page does not support your version of Browser

29 replies to this topic

#1 wenFD (Members, 28 posts)

Posted 05 July 2011 - 04:44 PM

Hello

I'm not sure if you guys are familiar with this virus or whatever it is, but it's pretty new and extremely hard to get rid of. I'll just tell you the background story. About a month ago my netbook first got this browser page saying "WARNING! This page does not support your version of browser", and it shows a cop holding a sign with a red and black background. My sister's friend first scanned it and did find something about a hijack, but the program supposedly got rid of it, and it appeared on and off again. At the time we weren't aware that it has to do with your router and the DNS server, but now I've been reading up and found that something keeps changing the DNS server. But I don't know how to recognize what's a bad DNS server or DHCP, since I know very little about computers.

We have five computers all connected to our Linksys router: 2 desktops and 3 laptops. At first this issue only affected our netbook, but then maybe a couple of weeks ago it happened to my sister's laptop. I just did a System Restore and it went away, and to this day her laptop is unaffected. But today this issue happened to my laptop, which is devastating because it's a new laptop!! I tried System Restore on it but it didn't work. It hasn't affected my brother's desktop nor my family friend's desktop. But then again, I don't know if it has happened to my family friend's desktop, since I can't just go on and open it, since it's not my computer.

I hear that one of the computers is the one that is giving out the bad DNS server, but I don't know which one! And even so, I wouldn't know what to do, since I'm not educated with PCs! I read that the DNS server 188.229.88.7 is a bad one, and that I know of because I checked and my laptop was under that DNS server, and I checked my sister's and her DNS server is different, since hers is working fine. I don't think scanning my PCs will do anything, because it has to do with the internet connection. So basically I have no idea what to do!!!! Please help! :(


#2 Broni, The Coolest BC Computer (BC Advisor, 42,681 posts, Daly City, CA)

Posted 08 July 2011 - 11:42 AM

Welcome aboard

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.


#3 wenFD, Topic Starter (Members, 28 posts)

Posted 08 July 2011 - 08:29 PM

Hi, thanks for replying back. Wait, before I do this, I just wanted to let you know that I temporarily fixed it by manually putting in the DNS servers that I prefer to connect to in the network options, so it's not on automatic. Also, I don't know which computer to do all that stuff on, since I don't know which computer is the one that is hosting this virus that is changing all the DNS servers on my network, as well as which computer is acting as its own DHCP server. I read in a previous post before that you have to find the computer that is hosting it and disconnect it from your network, from here: http://www.bleepingcomputer.com/forums/topic402144.html
But I don't know how to do all that, since I don't know how to find the computer that is hosting it.
Thank you for the help

Edit: I have 2 desktops and 3 laptops, so I think it would make sense to do it on my hardwired desktop? But this problem hasn't happened on my desktop yet.

Sorry, but I won't be back till either Sunday or Monday to reply or do anything you request of me. So please don't close the thread!! I'll surely be back! Thank you!!

Edited by wenFD, 09 July 2011 - 06:56 AM.
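The question in the post above is how to tell which of the five machines is handing out the bad DNS server. One way a practitioner answers it is to capture the DHCP traffic on any one PC (for example with Wireshark, display filter `bootp` or `dhcp` depending on the version) and inspect every OFFER/ACK: option 54 is the IP of the server that made the offer, option 6 lists the DNS servers it pushes, and the Ethernet source MAC of the frame identifies the physical host to match against the router's client list or `arp -a`. The script below is an added example, not part of this thread or of any tool mentioned in it: it parses DHCP messages per RFC 2131/2132 and flags offers that come from a server other than the router or push DNS servers outside a trusted set. The sample frames, MAC addresses and the 192.168.1.x addresses are constructed; 188.229.88.7 is the address named in the thread, and the OpenDNS resolvers are the ones suggested later in it.

```python
"""Find the rogue DHCP server on a LAN from the offers it sends.

A DNS-changing infection on one PC can run its own DHCP server and hand every
other machine on the network a bad DNS address. Each DHCP OFFER/ACK carries
the sending server's IP (option 54) and the DNS servers it pushes (option 6);
the Ethernet source MAC of the frame tells you which physical host to unplug.
Message layout per RFC 2131 (fixed header) and RFC 2132 (options).
"""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 6, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}


def _packed(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def _ip_list(raw: bytes) -> list:
    """Decode an option body made of consecutive 4-byte IPv4 addresses."""
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw) // 4 * 4, 4)]


def parse_dhcp(payload: bytes) -> dict:
    """Parse the UDP payload of a DHCP message into the fields we need."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    hlen = payload[2]
    msg = {
        "xid": struct.unpack_from("!I", payload, 4)[0],
        "yiaddr": str(ipaddress.IPv4Address(payload[16:20])),  # address offered to the client
        "chaddr": payload[28:28 + hlen].hex(":"),              # client MAC
        "type": None, "server_id": None, "router": [], "dns": [],
    }
    i = 240
    while i + 1 < len(payload):                                # walk the TLV option list
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        body = payload[i + 2:i + 2 + length]
        if code == OPT_MSG_TYPE and length == 1:
            msg["type"] = MSG_TYPES.get(body[0], f"type{body[0]}")
        elif code == OPT_SERVER_ID and length == 4:
            msg["server_id"] = str(ipaddress.IPv4Address(body))
        elif code == OPT_ROUTER:
            msg["router"] = _ip_list(body)
        elif code == OPT_DNS:
            msg["dns"] = _ip_list(body)
        i += 2 + length
    return msg


def audit_offers(frames, trusted_servers, trusted_dns):
    """frames: iterable of (ethernet_src_mac, dhcp_payload). One finding per rogue offer."""
    findings = []
    for src_mac, payload in frames:
        msg = parse_dhcp(payload)
        if msg["type"] not in ("OFFER", "ACK"):
            continue
        reasons = []
        if msg["server_id"] not in trusted_servers:
            reasons.append(f"lease offered by unknown DHCP server {msg['server_id']}")
        bad_dns = [d for d in msg["dns"] if d not in trusted_dns]
        if bad_dns:
            reasons.append("pushes untrusted DNS " + ", ".join(bad_dns))
        if reasons:
            findings.append({"src_mac": src_mac, "server_id": msg["server_id"],
                             "dns": msg["dns"], "reasons": reasons})
    return findings


def build_offer(xid, client_mac, yiaddr, server_id, dns, router="192.168.1.1"):
    """Build a minimal DHCP OFFER payload; used only to construct the sample frames below."""
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\0")
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, _packed(yiaddr), _packed(server_id), b"\0" * 4,
                         chaddr, b"\0" * 64, b"\0" * 128)
    dns_raw = b"".join(_packed(d) for d in dns)
    opts = (bytes([OPT_MSG_TYPE, 1, 2]) + bytes([OPT_SERVER_ID, 4]) + _packed(server_id)
            + bytes([OPT_ROUTER, 4]) + _packed(router)
            + bytes([OPT_DNS, len(dns_raw)]) + dns_raw + bytes([OPT_END]))
    return header + DHCP_MAGIC + opts


# Constructed sample (not real captures): the router answers a DISCOVER, and so does an
# infected PC at 192.168.1.108 that pushes the bad 188.229.88.7 resolver named in the thread.
ROUTER_IP = "192.168.1.1"
TRUSTED_DNS = {ROUTER_IP, "208.67.222.222", "208.67.220.220"}   # the router, or OpenDNS
SAMPLE_FRAMES = [
    ("00:1a:70:aa:bb:cc", build_offer(0x2A3B4C5D, "00:26:c7:11:22:33", "192.168.1.104",
                                      ROUTER_IP, [ROUTER_IP])),
    ("00:1e:ec:dd:ee:ff", build_offer(0x2A3B4C5D, "00:26:c7:11:22:33", "192.168.1.104",
                                      "192.168.1.108", ["188.229.88.7", ROUTER_IP])),
]

if __name__ == "__main__":
    for f in audit_offers(SAMPLE_FRAMES, {ROUTER_IP}, TRUSTED_DNS):
        print(f"rogue DHCP from MAC {f['src_mac']} (server id {f['server_id']}): "
              + "; ".join(f["reasons"]))
```

With a real capture you would feed `audit_offers` the (source MAC, UDP payload) pairs of the DHCP frames; the MAC of the flagged offer is the machine to disconnect and clean, regardless of which PC happened to show the warning page.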


#4 wenFD, Topic Starter (Members, 28 posts)

Posted 13 July 2011 - 12:14 PM

Hi, I just wanted to say that I'm back, so I'm just waiting on your answer on which computer to do that on. But I'll probably be busy again soon because of work, so just keep this thread open, please.

#5 Broni, The Coolest BC Computer (BC Advisor, 42,681 posts, Daly City, CA)

Posted 13 July 2011 - 06:51 PM

It doesn't matter which computer goes first.
We'll start with one of your choice.


#6 wenFD, Topic Starter (Members, 28 posts)

Posted 16 July 2011 - 12:36 PM

Okay, I'll be sure to do that as soon as I find time. Also, should I turn back my internet settings to automatically find DNS servers, or does that not really matter? I'm just not sure if the programs will find the bad DNS servers since I changed it to preferred DNS server settings. And okay, thanks, I guess I'll do everything on the first computer that it happened on, which was my netbook. Thanks!

#7 tos226, BleepIN--BleepOUT (Members, 1,568 posts, LocalHost)

Posted 16 July 2011 - 12:58 PM

wenFD, Before or after you get rid of the malware:

Find out from your ISP what their DNS server addresses really are. Or look it up in your router settings (likely not destroyed yet).
On all the computers enter the same DNS numbers, or the router's IP, in the TCP/IP properties.

Better solution: tell the router to use OpenDNS, just enter these IPs:
208.67.222.222
208.67.220.220
Then enter the router's IP in the TCP/IP properties on every computer, or enter the OpenDNS IPs there.
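Whether the DNS settings above actually took on every machine can be checked from what each PC itself reports: on Windows XP, `ipconfig /all` lists per adapter whether DHCP is enabled, which host handed out the lease ("DHCP Server") and the DNS servers in use. The script below is an added example, not from this thread or any tool it mentions: it parses that output and flags any adapter that uses a DNS server outside a trusted set, or that got its lease from a host other than the router (that host is the one serving rogue DHCP). The sample output is constructed in XP's `ipconfig /all` layout; the hostname, adapter names and MACs are made up, the 192.168.1.x addresses are assumed for a Linksys default subnet, and 188.229.88.7 and the OpenDNS addresses are the ones named in the thread.

```python
"""Triage `ipconfig /all` output from each PC: which DNS servers is it really using,
and which host handed it the lease?

If an adapter shows an unrecognised DNS server while "Dhcp Enabled" is Yes, the
"DHCP Server" field names the host that pushed it; when that is not the router,
that host is the infected one. Sample text below is constructed, not from the thread.
"""
import re

# "    Dhcp Enabled. . . . . . . . . . . : Yes"  ->  ("Dhcp Enabled", "Yes")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 \-]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text: str) -> dict:
    """Return {adapter name: {lower-case field: [values...]}}. Multi-valued fields such as
    DNS Servers collect their indented continuation lines (XP prints one address per line)."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]           # e.g. "Ethernet adapter Wireless Network Connection"
            adapters[current] = {}
            last_key = None
            continue
        if current is None:
            continue                               # skip the "Windows IP Configuration" preamble
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group(1).strip().lower()
            value = m.group(2).strip()
            adapters[current][last_key] = [value] if value else []
        elif last_key is not None:                 # continuation line: another value for the last field
            adapters[current][last_key].append(line.strip())
    return adapters


def audit_adapters(adapters: dict, trusted_dns: set, trusted_dhcp: set) -> list:
    """One finding per adapter whose DNS servers or DHCP server are not on the trusted lists."""
    findings = []
    for name, fields in adapters.items():
        dns = fields.get("dns servers", [])
        dhcp_on = (fields.get("dhcp enabled") or ["No"])[0].lower() == "yes"
        dhcp_server = (fields.get("dhcp server") or [None])[0]
        reasons = [f"DNS server {d} is not trusted" for d in dns if d not in trusted_dns]
        if dhcp_on and dhcp_server and dhcp_server not in trusted_dhcp:
            reasons.append(f"lease came from {dhcp_server}, not the router: that host serves rogue DHCP")
        if reasons:
            findings.append({"adapter": name, "dhcp_server": dhcp_server, "dns": dns, "reasons": reasons})
    return findings


ROUTER_IP = "192.168.1.1"
TRUSTED_DNS = {ROUTER_IP, "208.67.222.222", "208.67.220.220"}   # the router, or OpenDNS

# Constructed sample in Windows XP `ipconfig /all` layout: the wireless adapter took a lease
# from another PC and got the bad resolver; the wired one has static OpenDNS settings.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : NETBOOK
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Constructed Wireless Adapter
        Physical Address. . . . . . . . . : 00-26-C7-11-22-33
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.104
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.108
        DNS Servers . . . . . . . . . . . : 188.229.88.7
                                            192.168.1.1
        Lease Obtained. . . . . . . . . . : Wednesday, July 20, 2011 10:15:02 AM

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Constructed Wired Adapter
        Physical Address. . . . . . . . . : 00-1A-70-AA-BB-CC
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 208.67.222.222
                                            208.67.220.220
"""

if __name__ == "__main__":
    for f in audit_adapters(parse_ipconfig(SAMPLE_IPCONFIG), TRUSTED_DNS, {ROUTER_IP}):
        print(f"{f['adapter']}: " + "; ".join(f["reasons"]))
```

On each PC, `ipconfig /all > ipconfig.txt` and feed the file to `parse_ipconfig`; a machine that is itself running the rogue DHCP service will not show up as a victim here, so the "DHCP Server" address in the findings is what points at it.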

#8 Broni, The Coolest BC Computer (BC Advisor, 42,681 posts, Daly City, CA)

Posted 16 July 2011 - 01:18 PM

> Should I turn back my internet settings to automatically find DNS servers, or does that not really matter?

It doesn't matter.


#9 wenFD, Topic Starter (Members, 28 posts)

Posted 17 July 2011 - 07:52 PM

> wenFD, Before or after you get rid of the malware:
>
> Find out from your ISP what their DNS server addresses really are. Or look it up in your router settings (likely not destroyed yet).
> On all the computers enter the same DNS numbers, or the router's IP, in the TCP/IP properties.
>
> Better solution: tell the router to use OpenDNS, just enter these IPs:
> 208.67.222.222
> 208.67.220.220
> Then enter the router's IP in the TCP/IP properties on every computer, or enter the OpenDNS IPs there.


Thanks for the suggestion, but I don't know what an ISP is or how to do any of that stuff, as a matter of fact. LOL, sorry, but wouldn't that only cover up the problem instead of getting rid of it? Because I don't know what it is that is giving out fake DNS servers to my laptops.

#10 wenFD, Topic Starter (Members, 28 posts)

Posted 17 July 2011 - 07:55 PM

> > Should I turn back my internet settings to automatically find DNS servers, or does that not really matter?
>
> It doesn't matter.


Okay, sorry for wasting your time!! I haven't been able to get to it this weekend, but surely one of these days in this upcoming week I will have it done!

#11 Broni, The Coolest BC Computer (BC Advisor, 42,681 posts, Daly City, CA)

Posted 17 July 2011 - 08:05 PM

We'll be around :)


#12 wenFD, Topic Starter (Members, 28 posts)

Posted 20 July 2011 - 11:40 AM

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Rising Antivirus
```````````````````````````````
Anti-malware/Other Utilities Check:

Adobe Flash Player
Adobe Reader 9
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````



MiniToolBox by Farbar
Ran by Lindsey Dong (administrator) on 20-07-2011 at 10:28:25
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================


127.0.0.1 localhost

EDIT: Part of the log removed at OP's request ~Budapest


========================= Event log errors: ===============================

Application errors:
==================
Error: (07/19/2011 11:15:04 PM) (Source: Application Hang) (User: )
Description: Hanging application QQ.exe, version 1.50.1720.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (07/19/2011 11:14:54 PM) (Source: Application Hang) (User: )
Description: Hanging application QQ.exe, version 1.50.1720.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (07/12/2011 08:24:46 AM) (Source: Application Error) (User: )
Description: Faulting application custom.exe, version 7.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00ed5c27.
Processing media-specific event for [custom.exe!ws!]

Error: (07/07/2011 02:27:23 PM) (Source: Application Error) (User: )
Description: Faulting application rstray.exe, version 23.0.0.11, faulting module ravscrch.dll, version 23.0.0.11, fault address 0x0000bc3a.
Processing media-specific event for [rstray.exe!ws!]

Error: (06/28/2011 00:22:12 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [explorer.exe!ws!]

Error: (06/12/2011 01:38:55 AM) (Source: ESENT) (User: )
Description: wuauclt (1700) Database C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb was partially detached. Error -1032 encountered updating database headers.

Error: (06/12/2011 01:38:55 AM) (Source: ESENT) (User: )
Description: wuauclt (1700) Unable to write a shadowed header for file C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb. Error -1032.

Error: (06/12/2011 01:38:52 AM) (Source: ESENT) (User: )
Description: wuauclt (1700) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).

Error: (06/10/2011 04:49:56 PM) (Source: Application Error) (User: )
Description: Faulting application pphidpad.exe, version 0.0.0.0, faulting module pphidpad.exe, version 0.0.0.0, fault address 0x00005792.
Processing media-specific event for [pphidpad.exe!ws!]

Error: (06/04/2011 11:06:46 PM) (Source: Application Hang) (User: )
Description: Hanging application QQ.exe, version 1.50.1720.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.


System errors:
=============
Error: (07/19/2011 09:36:06 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (07/19/2011 09:36:06 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (07/19/2011 09:36:06 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (07/19/2011 09:36:05 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (07/19/2011 09:36:05 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (07/19/2011 09:36:05 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (07/19/2011 09:36:05 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (07/19/2011 09:36:05 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (07/19/2011 09:36:05 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126

Error: (07/19/2011 09:36:05 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126


Microsoft Office Sessions:
=========================

========================= Memory info: ===================================

Percentage of memory in use: 49%
Total physical RAM: 1014.36 MB
Available physical RAM: 511.96 MB
Total Pagefile: 2441.68 MB
Available Pagefile: 1888.34 MB
Total Virtual: 2047.88 MB
Available Virtual: 1991.89 MB

========================= Partitions: =====================================

1 Drive c: (OS) (Fixed) (Total:139.24 GB) (Free:113.36 GB) NTFS

========================= Users: ========================================

User accounts for \\LINDSEY

Administrator Guest HelpAssistant
Lindsey Dong SUPPORT_388945a0


== End of log ==




Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7210

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/20/2011 10:45:44 AM
mbam-log-2011-07-20 (10-45-36).txt

Scan type: Quick scan
Objects scanned: 164235
Time elapsed: 9 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{53AC8551-0DE0-4606-8A1E-A51AF20ADD60} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53AC8551-0DE0-4606-8A1E-A51AF20ADD60} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{53AC8551-0DE0-4606-8A1E-A51AF20ADD60} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{53AC8551-0DE0-4606-8A1E-A51AF20ADD60} (Trojan.BHO) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\lindsey dong\local settings\Temp\wl0729184.exe (Trojan.Dropper) -> No action taken.


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-07-20 12:26:25
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HTS545016B9A300 rev.PBBOC63G
Running: t5wxe3zd.exe; Driver: C:\DOCUME~1\LINDSE~1\LOCALS~1\Temp\fwldapob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwAssignProcessToJobObject [0xF78998B1]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwCreateKey [0xF7899A5E]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwCreateMutant [0xF7899935]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwCreateProcess [0xF7899A1C]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwCreateProcessEx [0xF78999FB]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwCreateSection [0xF7899D97]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwCreateSymbolicLinkObject [0xF7899A3D]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwCreateThread [0xF78996E3]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwDebugActiveProcess [0xF789982D]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwDeleteKey [0xF7899AA0]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwDeleteValueKey [0xF7899A7F]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwDeviceIoControlFile [0xF78998D2]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwDuplicateObject [0xF78999DA]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwLoadDriver [0xF78996A1]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwLockVirtualMemory [0xF78997EB]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwOpenKey [0xF7899B24]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwOpenProcess [0xF7899977]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwOpenSection [0xF7899704]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwProtectVirtualMemory [0xF78997CA]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwQueryDirectoryFile [0xF7899914]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwQuerySystemInformation [0xF78999B9]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwQueryValueKey [0xF7899890]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwQueueApcThread [0xF78997A9]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwRenameKey [0xF7899AC1]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwRequestWaitReplyPort [0xF789986F]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwRestoreKey [0xF7899B03]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwSetContextThread [0xF7899767]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwSetInformationProcess [0xF7899998]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwSetSecurityObject [0xF7899AE2]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwSetSystemInformation [0xF789980C]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwSetSystemTime [0xF78998F3]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwSuspendProcess [0xF7899788]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwSuspendThread [0xF7899746]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwSystemDebugControl [0xF789984E]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwTerminateProcess [0xF7899680]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwTerminateThread [0xF7899725]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwUnmapViewOfSection [0xF7899956]
SSDT \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwWriteVirtualMemory [0xF78996C2]

Code \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ZwSetValueKey [0xF789B022]
Code \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.) ObReferenceObjectByHandle

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FD8 80504874 12 Bytes [88, 97, 89, F7, 46, 97, 89, ...] {MOV [EDI-0x68b90877], DL; MOV EDI, ESI; DEC ESI; CWDE ; MOV EDI, ESI}
PAGE ntkrnlpa.exe!ObReferenceObjectByHandle 805BB4D6 5 Bytes JMP F789AFF8 \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80622662 5 Bytes JMP F789B026 \??\C:\WINDOWS\system32\drivers\HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)
? nvfw.sys The system cannot find the file specified. !
init C:\WINDOWS\system32\Drivers\OA012Afx.sys entry point in "init" section [0xAA254D50]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[1288] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\PPStream\ppsap.exe[3256] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 0105867E C:\Program Files\PPStream\Vodres.dll (PPS dynamic link library/PPStream Inc.)
.text C:\Program Files\PPStream\ppsap.exe[3256] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 010585B2 C:\Program Files\PPStream\Vodres.dll (PPS dynamic link library/PPStream Inc.)
.text C:\Program Files\PPStream\ppsap.exe[3256] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 0105893B C:\Program Files\PPStream\Vodres.dll (PPS dynamic link library/PPStream Inc.)
.text C:\Program Files\PPStream\ppsap.exe[3256] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01058618 C:\Program Files\PPStream\Vodres.dll (PPS dynamic link library/PPStream Inc.)
.text C:\Program Files\PPStream\ppsap.exe[3256] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 010589C3 C:\Program Files\PPStream\Vodres.dll (PPS dynamic link library/PPStream Inc.)
.text C:\Program Files\PPStream\ppsap.exe[3256] kernel32.dll!GetFileSize 7C810B17 5 Bytes JMP 0105897C C:\Program Files\PPStream\Vodres.dll (PPS dynamic link library/PPStream Inc.)
.text C:\Program Files\PPStream\ppsap.exe[3256] kernel32.dll!SetFilePointer 7C810C2E 5 Bytes JMP 01058830 C:\Program Files\PPStream\Vodres.dll (PPS dynamic link library/PPStream Inc.)
.text C:\Program Files\PPStream\ppsap.exe[3256] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 01058730 C:\Program Files\PPStream\Vodres.dll (PPS dynamic link library/PPStream Inc.)
.text C:\Program Files\PPStream\ppsap.exe[3256] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 0105888A C:\Program Files\PPStream\Vodres.dll (PPS dynamic link library/PPStream Inc.)
.text C:\Program Files\PPStream\ppsap.exe[3256] kernel32.dll!OpenFile 7C821982 5 Bytes JMP 010587E2 C:\Program Files\PPStream\Vodres.dll (PPS dynamic link library/PPStream Inc.)
.text C:\Program Files\PPStream\ppsap.exe[3256] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 010586D7 C:\Program Files\PPStream\Vodres.dll (PPS dynamic link library/PPStream Inc.)
.text C:\Program Files\PPStream\ppsap.exe[3256] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 01058A0A C:\Program Files\PPStream\Vodres.dll (PPS dynamic link library/PPStream Inc.)
.text C:\Program Files\PPStream\ppsap.exe[3256] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 01058789 C:\Program Files\PPStream\Vodres.dll (PPS dynamic link library/PPStream Inc.)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)

AttachedDevice \Driver\Tcpip \Device\Ip HookTdi.sys (hooktdi.sys/Beijing Rising Information Technology Co., Ltd.)

Device \FileSystem\RAW \Device\RawTape HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)

AttachedDevice \Driver\Tcpip \Device\Tcp HookTdi.sys (hooktdi.sys/Beijing Rising Information Technology Co., Ltd.)

Device \FileSystem\Rdbss \Device\FsWrap HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)

AttachedDevice \Driver\Tcpip \Device\Udp HookTdi.sys (hooktdi.sys/Beijing Rising Information Technology Co., Ltd.)
AttachedDevice \Driver\Tcpip \Device\RawIp HookTdi.sys (hooktdi.sys/Beijing Rising Information Technology Co., Ltd.)

Device \FileSystem\RAW \Device\RawDisk HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)
Device \FileSystem\MRxSmb \Device\LanmanRedirector HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)
Device \FileSystem\RAW \Device\RawCdRom HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)
Device \FileSystem\Fastfat \Fat HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)
Device \FileSystem\Fastfat \Fat A85DB60A
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer HOOKHELP.sys (HookHelp.sys/Beijing Rising Information Technology Co., Ltd.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@FriendlyName Indeo? video 5.10 Compression Filter
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@CLSID {1F73E9B1-8C3A-11D0-A3BE-00A0C9244436}
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@FilterData 0x02 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@EncoderType 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mem\OpenWithProgids@QVOD

---- EOF - GMER 1.0.15 ----



I'm not sure if GMER stopped scanning or not, since there wasn't a notification and it didn't do anything for a while, so I assumed it stopped? Like usually at the bottom left corner it'll say what it's scanning, but nothing was shown there at one point, so I assumed it stopped. I'll scan again and just leave it there longer to see if it did finish or not, but as of currently that's what I've got! Thanks so much! And also, right now it doesn't seem to be showing the bad DNS server, since it's an on and off thing. All the DNS servers listed on the scan are the correct ones.

Edited by Budapest, 21 July 2011 - 11:14 PM.


#13 wenFD, Topic Starter (Members, 28 posts)

Posted 20 July 2011 - 11:49 AM

Sorry, but I have another question. Isn't it dangerous to display my IP address and info like that? I heard that you can be hacked like that? Sorry, I just wanna be safe!

#14 Broni, The Coolest BC Computer (BC Advisor, 42,681 posts, Daly City, CA)

Posted 20 July 2011 - 06:36 PM

> Isn't it dangerous to display my IP address and info like that? I heard that you can be hacked like that?

Absolutely not.

Your MBAM log says "No action taken".

Please, re-run it, FIX all issues and post new log.

What are the current issues?


#15 wenFD, Topic Starter (Members, 28 posts)

Posted 20 July 2011 - 07:15 PM

Ooh, I did fix the issues after I posted that log, so it did get rid of the trojan. I just wanted to post it before I restarted it, and I'm not exactly sure myself, because it's an on and off thing. Currently, at the moment, everything is running fine because I set all my laptops to a preferred DNS server, so I haven't been hit with the bad DNS server, which is 188.229.88.7, since it's not automatically looking for DNS servers. I don't know if the trojan I just got rid of on my netbook was the cause of it. It's really hard to tell if it's really fixed, since this issue always goes away and comes back. I wanted to get rid of the issue for good instead of temporarily fixing it, but it looks like you're not exactly sure either XD

When I wrote that everything is running fine, I meant that I haven't been getting the page saying "WARNING! This page does not support your version of browser", but that's only because, as I said before, my laptops are set to preferred DNS.

Edited by wenFD, 20 July 2011 - 07:17 PM.




