Hijacked home page

Page 1 of 2 1, 2  Next

View previous topic View next topic Go down

Re: Hijacked home page

Post by Dr Jay on 20th December 2009, 10:06 am

Go Start and then to Run,
Type in: sfc /scannow
Click OK.
Have Windows CD/DVD handy.
If System File Checker (sfc) finds any errors, it may ask you for the CD/DVD.
If sfc does not find any errors in Windows XP, it will simply quit, without any message.

If you don't have Windows CD....

Go Start and then Run
type in regedit and click OK


Navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup

On the right hand side, find: SourcePath

It probably has an entry pointing to your CD-ROM drive, usually D and that is why it is asking for the XP CD.
All we need to do is change it to: C:
Now, double click the SourcePath setting and a new box will pop up.
Change the drive letter from your CD drive to your root drive, usually C:
Close Registry Editor.

Now restart your computer and try sfc /scannow again!

After the first run, reboot your computer. Do a second run. Now the scan and fix is finished.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14310
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302971
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Hijacked home page

Post by bryanc on 20th December 2009, 9:38 pm

You guys are very clever!! Almost there...

Still get one error message on startup

Cant find component.
ChangeTPMAuth.exe ......can't find Tspl.dll


also can't connect to the web when at work. I can get the compony homepage and navigate through it, but can't go anywhere else, including here.

see ya

bryanc
Intermediate
Intermediate

Posts Posts : 132
Joined Joined : 2009-05-24
OS OS : XP
Points Points : 29620
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Hijacked home page

Post by Dr Jay on 21st December 2009, 9:10 am

Please download the latest version of Kaspersky GetSystemInfo (GSI) from [You must be registered and logged in to see this link.] and save it to your Desktop.
Please close all other applications running on your system.

Please double click GetSystemInfo.exe to open it.

Click the Settings button.



Set it to Maximum



IMPORTANT! Then please click Customize - choose Driver / Ports tab and uncheck Scan Ports.


Click Create Report to run it.

It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop. Please upload the folder to [You must be registered and logged in to see this link.] and click the Submit button.

Please copy and paste the url of the GSI Parser report (not the log) in your next reply.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14310
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302971
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Hijacked home page

Post by bryanc on 21st December 2009, 10:48 am

here you go Kaspersky log adress

[You must be registered and logged in to see this link.]

see ya

bryanc
Intermediate
Intermediate

Posts Posts : 132
Joined Joined : 2009-05-24
OS OS : XP
Points Points : 29620
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Hijacked home page

Post by Dr Jay on 22nd December 2009, 3:41 am

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14310
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302971
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Hijacked home page

Post by bryanc on 22nd December 2009, 5:53 am

Explorer was working for a bit today, then I had a homepage change attempt and it stopped again. I'm on new computer.

When I try to update Malwarebytes I get an error message.
Än error has occurred. Please report the following error code to the MWB support team Error code 732 (12029,0)

I didn't run the scan.

bryanc
Intermediate
Intermediate

Posts Posts : 132
Joined Joined : 2009-05-24
OS OS : XP
Points Points : 29620
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Hijacked home page

Post by Dr Jay on 22nd December 2009, 6:47 am

Please navigate to this webpage: [You must be registered and logged in to see this link.] and see the section "Fix it for me" and click the Microsoft Fix-It button. This will download a fix utility to repair the security settings on your computer, due to damages of malware or other harmful system changes. Install the file after download.

==

Open a run line by clicking start -> run

Copy and paste the following bolded text into the Open: box and click OK

cmd /k cd\ && dir c:\atapi.sys /a /s > atapi.txt && notepad atapi.txt

Paste back the contents of the atapi.txt


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14310
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302971
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Hijacked home page

Post by bryanc on 22nd December 2009, 12:12 pm

here ya go:

Volume in drive C is OS
Volume Serial Number is 2AFE-9375

Directory of c:\WINDOWS\ERDNT\cache

14/04/2008 11:10 PM 96,512 atapi.sys
1 File(s) 96,512 bytes

Directory of c:\WINDOWS\system32\dllcache

14/04/2008 11:10 PM 96,512 atapi.sys
1 File(s) 96,512 bytes

Directory of c:\WINDOWS\system32\drivers

14/04/2008 11:10 PM 96,512 atapi.sys
1 File(s) 96,512 bytes

Total Files Listed:
3 File(s) 289,536 bytes
0 Dir(s) 16,415,948,800 bytes free

bryanc
Intermediate
Intermediate

Posts Posts : 132
Joined Joined : 2009-05-24
OS OS : XP
Points Points : 29620
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Hijacked home page

Post by bryanc on 22nd December 2009, 1:06 pm

All done. I updated Malwarebytes and ran it.

This is what I had:
Malwarebytes' Anti-Malware 1.42
Database version: 3407
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

22/12/2009 11:57:58 PM
mbam-log-2009-12-22 (23-57-53).txt

Scan type: Quick Scan
Objects scanned: 146288
Time elapsed: 6 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\oleacc.dll.tmp (Rootkit.Agent) -> No action taken.


and this is the log after fixing the issues with malwarebytes:

Malwarebytes' Anti-Malware 1.42
Database version: 3407
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

22/12/2009 11:57:58 PM
mbam-log-2009-12-22 (23-57-53).txt

Scan type: Quick Scan
Objects scanned: 146288
Time elapsed: 6 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\oleacc.dll.tmp (Rootkit.Agent) -> No action taken.


see ya

bryanc
Intermediate
Intermediate

Posts Posts : 132
Joined Joined : 2009-05-24
OS OS : XP
Points Points : 29620
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Hijacked home page

Post by Dr Jay on 22nd December 2009, 7:19 pm

Please download [You must be registered and logged in to see this link.] and Save it to your desktop

  1. Double click it to start the tool.
  2. Click Scan.
  3. Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14310
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302971
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Hijacked home page

Post by bryanc on 22nd December 2009, 8:20 pm

here ya go:

Rooter log

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP . (5.1.2600) Service Pack 3
[32_bits] - x86 Family 6 Model 23 Stepping 10, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Enabled
.
Internet Explorer 8.0.6001.18702
.
C:\ [Fixed-NTFS] .. ( Total:232 Go - Free:15 Go )
D:\ [CD_Rom]
E:\ [Removable]
F:\ [Removable]
I:\ [Network] .. ( Total:0 Go - Free:0 Go )
J:\ [Network] .. ( Total:0 Go - Free:0 Go )
S:\ [Network] .. ( Total:0 Go - Free:0 Go )
.
Scan : 07:18.51
Path : C:\Documents and Settings\bryanc\Desktop\Rooter.exe
User : BryanC ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (828)
______ \??\C:\WINDOWS\system32\csrss.exe (884)
______ \??\C:\WINDOWS\system32\winlogon.exe (912)
______ C:\WINDOWS\system32\services.exe (956)
______ C:\WINDOWS\system32\lsass.exe (968)
______ C:\WINDOWS\system32\svchost.exe (1148)
______ C:\WINDOWS\system32\svchost.exe (1216)
______ C:\WINDOWS\System32\svchost.exe (1256)
______ C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe (1344)
______ C:\Program Files\Intel\WiFi\bin\S24EvMon.exe (1396)
______ C:\WINDOWS\system32\svchost.exe (1432)
______ C:\WINDOWS\system32\svchost.exe (1508)
______ C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (1776)
______ C:\WINDOWS\system32\spoolsv.exe (1908)
______ c:\drivers\audio\r213367\stacsv.exe (1996)
______ C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe (312)
______ C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe (332)
______ C:\WINDOWS\System32\SCardSvr.exe (356)
______ C:\WINDOWS\system32\svchost.exe (212)
______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (328)
______ C:\Program Files\Intel\ASF Agent\ASFAgent.exe (500)
______ C:\Program Files\Bonjour\mDNSResponder.exe (508)
______ C:\Program Files\Intel\WiFi\bin\EvtEng.exe (584)
______ C:\WINDOWS\system32\nvsvc32.exe (1336)
______ C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (1332)
______ C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (1784)
______ C:\WINDOWS\system32\svchost.exe (444)
______ C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (2060)
______ C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe (2264)
______ C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe (2460)
______ C:\WINDOWS\system32\wbem\wmiprvse.exe (2632)
______ C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe (2816)
______ C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe (2932)
______ C:\WINDOWS\system32\SearchIndexer.exe (2996)
______ C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (3316)
______ C:\WINDOWS\System32\alg.exe (3716)
______ C:\WINDOWS\Explorer.EXE (3872)
______ C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe (3988)
______ C:\Program Files\DellTPad\Apoint.exe (1696)
______ C:\Program Files\DellTPad\ApMsgFwd.exe (1724)
______ C:\Program Files\DellTPad\HidFind.exe (2144)
______ C:\Program Files\IDT\WDM\sttray.exe (2376)
______ C:\Program Files\DellTPad\Apntex.exe (2260)
______ C:\WINDOWS\system32\AESTFltr.exe (3328)
______ C:\WINDOWS\system32\rundll32.exe (1016)
______ C:\WINDOWS\system32\RUNDLL32.EXE (1356)
______ C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe (1304)
______ C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe (548)
______ C:\Program Files\Wave Systems Corp\SecureUpgrade.exe (1188)
______ C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (1640)
______ C:\Program Files\Common Files\Symantec Shared\ccApp.exe (1680)
______ C:\Program Files\Ext2Fsd\Ext2Mgr.exe (2396)
______ C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe (3264)
______ C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe (3612)
______ C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (2452)
______ C:\Program Files\iTunes\iTunesHelper.exe (3148)
______ C:\Program Files\Microsoft ActiveSync\wcescomm.exe (1648)
______ C:\Program Files\SRS Labs\SRS Premium Sound\SRSPremiumSoundBig_Small.exe (2308)
______ C:\Program Files\uTorrent\uTorrent.exe (3960)
______ C:\PROGRA~1\MI3AA1~1\rapimgr.exe (1888)
______ C:\Program Files\Skype\Phone\Skype.exe (2684)
______ C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (820)
______ C:\WINDOWS\system32\ctfmon.exe (4504)
______ C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (4900)
______ C:\Program Files\iPod\bin\iPodService.exe (5396)
______ C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe (1564)
______ C:\Program Files\Digital Line Detect\DLG.exe (4160)
______ C:\Program Files\Telstra\Telstra Turbo Modem Manager\Service\MdmMgr.exe (4204)
______ C:\Program Files\Windows Desktop Search\WindowsSearch.exe (4260)
______ C:\Program Files\Skype\Plugin Manager\skypePM.exe (5136)
______ C:\WINDOWS\System32\svchost.exe (5360)
______ C:\WINDOWS\system32\wuauclt.exe (4324)
______ C:\Program Files\Internet Explorer\iexplore.exe (2068)
______ C:\Program Files\Internet Explorer\iexplore.exe (5764)
______ C:\Program Files\Windows Live\Toolbar\wltuser.exe (2192)
______ C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe (1252)
______ C:\WINDOWS\system32\SearchProtocolHost.exe (4176)
______ C:\WINDOWS\system32\SearchFilterHost.exe (5228)
______ C:\Program Files\Internet Explorer\iexplore.exe (5868)
______ C:\WINDOWS\system32\SearchProtocolHost.exe (2648)
______ C:\Documents and Settings\bryanc\Desktop\Rooter.exe (5408)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:222050304)
\Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:222082560 | Length:249834654720)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
C:\WINDOWS\Tasks\SA.DAT
C:\WINDOWS\Tasks\User_Feed_Synchronization-{FD13B3EA-061B-4977-B7E0-44EEA53537C9}.job
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 07:19.32
.
C:\Rooter$\Rooter_1.txt - (23/12/2009 | 07:19.32)

bryanc
Intermediate
Intermediate

Posts Posts : 132
Joined Joined : 2009-05-24
OS OS : XP
Points Points : 29620
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Hijacked home page

Post by Dr Jay on 23rd December 2009, 3:42 am

Please download the [You must be registered and logged in to see this link.]. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14310
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302971
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Hijacked home page

Post by bryanc on 23rd December 2009, 4:47 am

got a blue screen error message half way through the scan:

Culpritt seemed to be kgrorpog.sys.

I'll try again

bryanc
Intermediate
Intermediate

Posts Posts : 132
Joined Joined : 2009-05-24
OS OS : XP
Points Points : 29620
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Hijacked home page

Post by Dr Jay on 23rd December 2009, 5:39 am

Copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.

Code:
@echo off
Copy /y gmer.exe ark.exe
Start ark.exe

Save it into the gmer folder as File name: ark.cmd
Save as type: All Files

Once done, double click ark.cmd to run it.

This should start GMER, follow the steps I have outlined earlier to save a log file, then post me the contents in your next reply.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14310
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302971
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Hijacked home page

Post by bryanc on 23rd December 2009, 8:39 am

Gmer log. I just ran it again and it worked.

GMER 1.0.15.15281 - [You must be registered and logged in to see this link.]
Rootkit scan 2009-12-23 19:21:08
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\bryanc\LOCALS~1\Temp\kgrorpog.sys


---- System - GMER 1.0.15 ----

SSDT 8B128A70 ZwAlertResumeThread
SSDT 8A451438 ZwAlertThread
SSDT 8A483CD8 ZwAllocateVirtualMemory
SSDT 8A35E108 ZwConnectPort
SSDT 8A547BB8 ZwCreateMutant
SSDT 8A4B9FB0 ZwCreateThread
SSDT 8A46BDF0 ZwFreeVirtualMemory
SSDT 8A63F918 ZwImpersonateAnonymousToken
SSDT 8AAC19E0 ZwImpersonateThread
SSDT 8A4CF340 ZwMapViewOfSection
SSDT 8B0112C8 ZwOpenEvent
SSDT 8A479EA8 ZwOpenProcessToken
SSDT 8A63D888 ZwOpenThreadToken
SSDT 8A374108 ZwResumeThread
SSDT 8A453C08 ZwSetContextThread
SSDT 8B00B348 ZwSetInformationProcess
SSDT 8A64E258 ZwSetInformationThread
SSDT 8A446C28 ZwSuspendProcess
SSDT 8A450A20 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAD18A0B0]
SSDT 8A44A838 ZwTerminateThread
SSDT 8A6224B8 ZwUnmapViewOfSection
SSDT 8A46AAE0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB903A380, 0x381B8D, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[2780] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Ext2Fsd.SYS (Ext2 File System Driver for Windows/www.ext2fsd.com)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

bryanc
Intermediate
Intermediate

Posts Posts : 132
Joined Joined : 2009-05-24
OS OS : XP
Points Points : 29620
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Hijacked home page

Post by Dr Jay on 23rd December 2009, 9:30 am

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Full Scan, and press Scan. Remove selected, and post the log in your next reply.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14310
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302971
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Hijacked home page

Post by bryanc on 23rd December 2009, 12:33 pm

mbytes log

Malwarebytes' Anti-Malware 1.42
Database version: 3414
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

23/12/2009 11:25:47 PM
mbam-log-2009-12-23 (23-25-47).txt

Scan type: Full Scan (C:\|)
Objects scanned: 289351
Time elapsed: 2 hour(s), 24 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP140\A0048107.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP145\A0055151.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP146\A0055360.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP146\A0055445.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP147\A0055756.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP147\A0055757.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP147\A0055759.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP120\A0041601.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP122\A0042886.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP124\A0044198.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP125\A0045090.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP126\A0045928.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP126\A0046020.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

bryanc
Intermediate
Intermediate

Posts Posts : 132
Joined Joined : 2009-05-24
OS OS : XP
Points Points : 29620
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Hijacked home page

Post by Dr Jay on 23rd December 2009, 12:44 pm

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14310
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302971
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Hijacked home page

Post by bryanc on 23rd December 2009, 7:44 pm

Looks good?

Malwarebytes' Anti-Malware 1.42
Database version: 3418
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

24/12/2009 6:42:23 AM
mbam-log-2009-12-24 (06-42-23).txt

Scan type: Quick Scan
Objects scanned: 146226
Time elapsed: 4 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

bryanc
Intermediate
Intermediate

Posts Posts : 132
Joined Joined : 2009-05-24
OS OS : XP
Points Points : 29620
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Hijacked home page

Post by Dr Jay on 23rd December 2009, 8:47 pm

Yes.

Right On!


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14310
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302971
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Hijacked home page

Post by bryanc on 23rd December 2009, 8:55 pm

Thanks mate I appreciate all your time. I'll be heading off to the "donate" page shortly :-)

I have symantec endpoint protection as part of my work stuff. I now have superantispyware, spyware blaster running. Just the free versions. Is there a benefit in getting the paid version of either of these? Real time protection?

Also how about that vbs.runauto thingy on my thumb drives. Is it bad?

see ya and Merry Christmas

bryanc
Intermediate
Intermediate

Posts Posts : 132
Joined Joined : 2009-05-24
OS OS : XP
Points Points : 29620
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Hijacked home page

Post by Dr Jay on 23rd December 2009, 8:58 pm

You can remove those. That is Symantec's reaction to autorun.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14310
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302971
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Hijacked home page

Post by bryanc on 23rd December 2009, 10:25 pm

do you know what the tsp1.dll error on start up is related to. It says reinstalling the program may help. Which program? I repaired Active sync that didn't help

see ya

bryanc
Intermediate
Intermediate

Posts Posts : 132
Joined Joined : 2009-05-24
OS OS : XP
Points Points : 29620
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Hijacked home page

Post by Dr Jay on 24th December 2009, 12:20 am

See if you can find the following file:

c:\windows\system32\Tsp1.dll

Then let me know if you see it.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14310
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302971
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Hijacked home page

Post by bryanc on 24th December 2009, 2:29 am

Nope, it's not there.

bryanc
Intermediate
Intermediate

Posts Posts : 132
Joined Joined : 2009-05-24
OS OS : XP
Points Points : 29620
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Hijacked home page

Post by Dr Jay on 24th December 2009, 6:33 am

You need that file. Not sure how you would get it. But, since that file is not there, you will get that error continually.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14310
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302971
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Hijacked home page

Post by bryanc on 31st December 2009, 12:56 am

Thanks for all your help. I have been away for a while. Just got back.

An attempt to change the home page just occurred. I ran Malwarebytes (full version now) and it found nothing.

My web access is still OK. I tried to download combifix from BleepingComputer.com and I noticed it is blocked by the list in my new hosts file.

Any clues?

see ya

bryanc
Intermediate
Intermediate

Posts Posts : 132
Joined Joined : 2009-05-24
OS OS : XP
Points Points : 29620
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Hijacked home page

Post by Dr Jay on 31st December 2009, 3:14 am

Go to C:\windows\system32\drivers\etc

You will see something that says HOSTS

Double-click on it, and open it with Notepad.

Please post the contents of that in your next reply.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14310
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302971
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Hijacked home page

Post by bryanc on 31st December 2009, 6:56 am

It's over 2mbs and keeps freezing things when I cut to paste.
Should I send it in bits?

bryanc
Intermediate
Intermediate

Posts Posts : 132
Joined Joined : 2009-05-24
OS OS : XP
Points Points : 29620
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Hijacked home page

Post by Dr Jay on 31st December 2009, 7:06 am

Take a different route here:

Please download the latest version of Kaspersky GetSystemInfo (GSI) from [You must be registered and logged in to see this link.] and save it to your Desktop.
Please close all other applications running on your system.

Please double click GetSystemInfo.exe to open it.

Click the Settings button.



Set it to Maximum



IMPORTANT! Then please click Customize - choose Driver / Ports tab and uncheck Scan Ports.


Click Create Report to run it.

It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop. Please upload the folder to [You must be registered and logged in to see this link.] and click the Submit button.

Please copy and paste the url of the GSI Parser report (not the log) in your next reply.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14310
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302971
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Hijacked home page

Post by bryanc on 31st December 2009, 7:27 am

here ya go.....

[You must be registered and logged in to see this link.]

see ya

bryanc
Intermediate
Intermediate

Posts Posts : 132
Joined Joined : 2009-05-24
OS OS : XP
Points Points : 29620
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Hijacked home page

Post by bryanc on 31st December 2009, 8:52 pm

Malwarebytes ran a scheduled scan last night and picked up and removed Disabled.SecurityCenter

bryanc
Intermediate
Intermediate

Posts Posts : 132
Joined Joined : 2009-05-24
OS OS : XP
Points Points : 29620
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Hijacked home page

Post by bryanc on 31st December 2009, 9:15 pm

After reboot Superantispyware has just identified an attempt to change home page again. I'll run Superantispyware now.

see ya

bryanc
Intermediate
Intermediate

Posts Posts : 132
Joined Joined : 2009-05-24
OS OS : XP
Points Points : 29620
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Hijacked home page

Post by Dr Jay on 31st December 2009, 9:29 pm

Seems to be ok.

Let's do another close check for rootkits:

Please download the [You must be registered and logged in to see this link.]. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14310
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302971
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Hijacked home page

Post by bryanc on 1st January 2010, 2:48 am

Interesting... while I was away form the computer and internet explorer was off I got a message from MWB saying that it had blocked access to a malicious ip adress. Here is the log:

07:43:31 BryanC MESSAGE Protection started successfully
07:43:41 BryanC MESSAGE IP Protection started successfully
12:16:37 BryanC MESSAGE Protection started successfully
12:16:45 BryanC MESSAGE IP Protection started successfully
12:47:31 BryanC IP-BLOCK 222.64.96.48
12:47:39 BryanC IP-BLOCK 94.96.12.63
13:33:56 BryanC IP-BLOCK 89.28.26.125

bryanc
Intermediate
Intermediate

Posts Posts : 132
Joined Joined : 2009-05-24
OS OS : XP
Points Points : 29620
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Hijacked home page

Post by bryanc on 1st January 2010, 2:50 am

Here is the teh gmer log:

GMER 1.0.15.15281 - [You must be registered and logged in to see this link.]
Rootkit scan 2010-01-01 12:06:37
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\bryanc\LOCALS~1\Temp\kgrorpog.sys


---- System - GMER 1.0.15 ----

SSDT 8A45C818 ZwAlertResumeThread
SSDT 8A43F888 ZwAlertThread
SSDT 8A3FA3D8 ZwAllocateVirtualMemory
SSDT 8A56F008 ZwConnectPort
SSDT 8A35B8A0 ZwCreateMutant
SSDT 8A641550 ZwCreateThread
SSDT 89F97D90 ZwFreeVirtualMemory
SSDT 8A465450 ZwImpersonateAnonymousToken
SSDT 8A465488 ZwImpersonateThread
SSDT 8A608E60 ZwMapViewOfSection
SSDT 8A45BCD0 ZwOpenEvent
SSDT 8A366A70 ZwOpenProcessToken
SSDT 8A369218 ZwOpenThreadToken
SSDT 8A4AE518 ZwResumeThread
SSDT 8A464DD8 ZwSetContextThread
SSDT 8A37CD30 ZwSetInformationProcess
SSDT 8A38F008 ZwSetInformationThread
SSDT 8A4570B8 ZwSuspendProcess
SSDT 8A473908 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA96E00B0]
SSDT 8A45B878 ZwTerminateThread
SSDT 8A4746E8 ZwUnmapViewOfSection
SSDT 8A35F988 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FF0 8050488C 4 Bytes CALL C4DA8FD7
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB86BD380, 0x381B8D, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[2940] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Ext2Fsd.SYS (Ext2 File System Driver for Windows/www.ext2fsd.com)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

bryanc
Intermediate
Intermediate

Posts Posts : 132
Joined Joined : 2009-05-24
OS OS : XP
Points Points : 29620
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Hijacked home page

Post by bryanc on 1st January 2010, 2:52 am

And another attempt to access an IP adress. this time with explorer running:

07:43:31 BryanC MESSAGE Protection started successfully
07:43:41 BryanC MESSAGE IP Protection started successfully
12:16:37 BryanC MESSAGE Protection started successfully
12:16:45 BryanC MESSAGE IP Protection started successfully
12:47:31 BryanC IP-BLOCK 222.64.96.48
12:47:39 BryanC IP-BLOCK 94.96.12.63
13:33:56 BryanC IP-BLOCK 89.28.26.125
13:50:25 BryanC IP-BLOCK 218.8.103.222

bryanc
Intermediate
Intermediate

Posts Posts : 132
Joined Joined : 2009-05-24
OS OS : XP
Points Points : 29620
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Hijacked home page

Post by Dr Jay on 1st January 2010, 3:21 am


  1. Download Win32kDiag from any of the following locations and save it to your Desktop.

  • Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  • When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  • Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.


  • Dr. Jay (DJ)


    [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

    Dr Jay
    Head Administrator
    Head Administrator

    Posts Posts : 14310
    Joined Joined : 2009-09-06
    Gender Gender : Male
    OS OS : Windows 10 Home & Pro
    Arch. Arch. : x64 (64-bit)
    Protection Protection : Bitdefender Total Security
    Points Points : 302971
    # Likes # Likes : 10

    View user profile

    Back to top Go down

    Re: Hijacked home page

    Post by bryanc on 1st January 2010, 5:37 am

    the number of malicious sites being blocked by MWBs is growing. It happens when internet explorer is not up and running as well as when it is.

    here is the win32kdiag log. It is very short.

    Running from: C:\Documents and Settings\bryanc\Desktop\Win32kDiag.exe

    Log file at : C:\Documents and Settings\bryanc\Desktop\Win32kDiag.txt

    WARNING: Could not get backup privileges!

    Searching 'C:\WINDOWS'...





    Finished!

    bryanc
    Intermediate
    Intermediate

    Posts Posts : 132
    Joined Joined : 2009-05-24
    OS OS : XP
    Points Points : 29620
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: Hijacked home page

    Post by Dr Jay on 1st January 2010, 6:23 am

    It has got to be somewhere.

    Please download the [You must be registered and logged in to see this link.] and save it to your desktop.

    You will need to enter your name, e-mail address and location in order to access the download page.

    • Once you have downloaded the file, double click the sarsfx icon
    • Review the licence agreement and click on the Accept button
    • The scanner will prompt you to extract the files to C:\SOPHTEMP - DO NOT change this location, simply click the Install button

    • Once the files have been extracted; using Windows Explorer, navigate to C:\SOPHTEMP and double click on the blue shield icon called sargui
    • Ensure that there are checkmarks next to Running processes, Windows registry and Local hard drives, then click Start scan
    • Allow the program to scan your computer - please be patient as it may take some time
    • Once the scan has completed a window will pop-up with the results of the scan - click OK to this
    • In the main window, you will see each of the entries found by the scan (if any)

      • If the scanner generated any warning messages, please click on each warning and copy and paste the text of it into this thread for me to review
      • Once you have posted any warning messages here, you can close the scanner and wait for me to get back to you

    • If you have not had any warnings, any entries which can be cleaned up by the scanner will have a box with a green checkmark in it next to the entry
    • To clean up these entries click on the Clean up checked items button
    • If you accidentally check a file NOT recommended for clean up, you will get a warning message and if necessary can re-select the entries you want to clean up
    • Once you have cleaned the selected files, you will be prompted to re-boot your computer - please do so
    • When you have re-booted, please post a fresh HijackThis log into this thread and tell me how your computer is running now


    Dr. Jay (DJ)


    [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

    Dr Jay
    Head Administrator
    Head Administrator

    Posts Posts : 14310
    Joined Joined : 2009-09-06
    Gender Gender : Male
    OS OS : Windows 10 Home & Pro
    Arch. Arch. : x64 (64-bit)
    Protection Protection : Bitdefender Total Security
    Points Points : 302971
    # Likes # Likes : 10

    View user profile

    Back to top Go down

    Re: Hijacked home page

    Post by bryanc on 1st January 2010, 8:21 am

    There were no warnings but it did find 6 unknown hȋdden files:
    This one is a mazaic program recently downloaded?
    Area: Local hard drives
    Description: Unknown hȋdden file
    Location: C:\Program Files\Mazaika\mz003.exe
    Removable: Yes (but clean up not recommended for this file)
    Notes: (no more detail available)

    Not sure what this is :
    Area: Local hard drives
    Description: Unknown hȋdden file
    Location: C:\Documents and Settings\bryanc\Local Settings\Temporary Internet Files\Content.IE5\QNWT6PGV\GL_Top_20pct_Buyers;seg=GL_AllRegisteredUsers;seg=GL_AllSucBuy_Mar05;sz=300x250;ord=1262325610915;dcopt=ist;tile=1;um=8;us=11;eb_trk=117035;pr=22;xp=34;np=22[1].htm
    Removable: Yes (but clean up not recommended for this file)
    Notes: (no more detail available)

    Or this:
    Area: Local hard drives
    Description: Unknown hȋdden file
    Location: C:\Documents and Settings\bryanc\Local Settings\Temporary Internet Files\Content.IE5\QZW4F87E\GL_Top_20pct_Buyers;seg=GL_AllRegisteredUsers;seg=GL_AllSucBuy_Mar05;sz=300x250;ord=1262325576388;dcopt=ist;tile=1;um=8;us=11;eb_trk=117035;pr=22;xp=34;np=22[1].htm
    Removable: Yes (but clean up not recommended for this file)
    Notes: (no more detail available)

    Not sure:
    Area: Local hard drives
    Description: Unknown hȋdden file
    Location: C:\Program Files\MediaCoder\mplayer\mencoder.exe
    Removable: Yes (but clean up not recommended for this file)
    Notes: (no more detail available)

    Oziexplorer, I trust this one

    Area: Local hard drives
    Description: Unknown hȋdden file
    Location: C:\Documents and Settings\bryanc\My Documents\Oziexplorer\OziExp3961c.exe
    Removable: Yes (but clean up not recommended for this file)
    Notes: (no more detail available)

    Also Oziexplorer, I trust this one too:

    Area: Local hard drives
    Description: Unknown hȋdden file
    Location: C:\Documents and Settings\bryanc\My Documents\Oziexplorer\OziExp.exe
    Removable: Yes (but clean up not recommended for this file)
    Notes: (no more detail available)

    bryanc
    Intermediate
    Intermediate

    Posts Posts : 132
    Joined Joined : 2009-05-24
    OS OS : XP
    Points Points : 29620
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: Hijacked home page

    Post by bryanc on 1st January 2010, 8:24 am

    MWB's is still blocking access to malicious sites.

    bryanc
    Intermediate
    Intermediate

    Posts Posts : 132
    Joined Joined : 2009-05-24
    OS OS : XP
    Points Points : 29620
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: Hijacked home page

    Post by Dr Jay on 1st January 2010, 1:43 pm

    Please go to this webpage: [You must be registered and logged in to see this link.]

    This is a Conficker test. Please let me know if you see all the images at the table at the top of the page. If you do not, please tell me which ones are missing. (I.E. Top Row Second Column, or Bottom Row First Column, etc.).


    Dr. Jay (DJ)


    [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

    Dr Jay
    Head Administrator
    Head Administrator

    Posts Posts : 14310
    Joined Joined : 2009-09-06
    Gender Gender : Male
    OS OS : Windows 10 Home & Pro
    Arch. Arch. : x64 (64-bit)
    Protection Protection : Bitdefender Total Security
    Points Points : 302971
    # Likes # Likes : 10

    View user profile

    Back to top Go down

    Re: Hijacked home page

    Post by bryanc on 1st January 2010, 10:30 pm

    I can see all of them.

    bryanc
    Intermediate
    Intermediate

    Posts Posts : 132
    Joined Joined : 2009-05-24
    OS OS : XP
    Points Points : 29620
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: Hijacked home page

    Post by bryanc on 1st January 2010, 10:38 pm

    I assume MWB's is using it's own database to block all these malicious IP's?

    I could reset my host file and try to download combofix again?

    bryanc
    Intermediate
    Intermediate

    Posts Posts : 132
    Joined Joined : 2009-05-24
    OS OS : XP
    Points Points : 29620
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: Hijacked home page

    Post by Dr Jay on 1st January 2010, 10:57 pm

    No. Do you have the premium version of Malwarebytes' Anti-Malware?

    If so, I had no idea. Which would solve this issue now.


    Dr. Jay (DJ)


    [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

    Dr Jay
    Head Administrator
    Head Administrator

    Posts Posts : 14310
    Joined Joined : 2009-09-06
    Gender Gender : Male
    OS OS : Windows 10 Home & Pro
    Arch. Arch. : x64 (64-bit)
    Protection Protection : Bitdefender Total Security
    Points Points : 302971
    # Likes # Likes : 10

    View user profile

    Back to top Go down

    Re: Hijacked home page

    Post by bryanc on 1st January 2010, 11:19 pm

    I'm not sure what you mean. I paid for Malwarebytes only a few days ago. Does that mean I have the premium version?

    bryanc
    Intermediate
    Intermediate

    Posts Posts : 132
    Joined Joined : 2009-05-24
    OS OS : XP
    Points Points : 29620
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: Hijacked home page

    Post by bryanc on 1st January 2010, 11:26 pm

    I was wondering if all these attempts to access malicious ip adresses was a new occurrence or is it just that the paid version of MWB's is now picking it up?

    bryanc
    Intermediate
    Intermediate

    Posts Posts : 132
    Joined Joined : 2009-05-24
    OS OS : XP
    Points Points : 29620
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Re: Hijacked home page

    Post by Dr Jay on 1st January 2010, 11:36 pm

    Yes. The paid version of Malwarebytes' Anti-Malware has IP protection. See this article: [You must be registered and logged in to see this link.]

    The IP protection is automatic. You can learn everything in the above thread.

    Now, how is your computer running?


    Dr. Jay (DJ)


    [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

    Dr Jay
    Head Administrator
    Head Administrator

    Posts Posts : 14310
    Joined Joined : 2009-09-06
    Gender Gender : Male
    OS OS : Windows 10 Home & Pro
    Arch. Arch. : x64 (64-bit)
    Protection Protection : Bitdefender Total Security
    Points Points : 302971
    # Likes # Likes : 10

    View user profile

    Back to top Go down

    Re: Hijacked home page

    Post by bryanc on 1st January 2010, 11:38 pm

    My computer is running fine. It hasn't had a homepage change attempt in a while, but I have a list of "access to malicious Ip adress" a mile long. They happen every 15mins or so.

    bryanc
    Intermediate
    Intermediate

    Posts Posts : 132
    Joined Joined : 2009-05-24
    OS OS : XP
    Points Points : 29620
    # Likes # Likes : 0

    View user profile

    Back to top Go down

    Page 1 of 2 1, 2  Next

    View previous topic View next topic Back to top

    - Similar topics

     
    Permissions in this forum:
    You cannot reply to topics in this forum