WiredWX Hobby Weather Tools

Hijacked home page

2 posters

Re: Hijacked home page
You need that file. Not sure how you would get it. But, since that file is not there, you will get that error continually.

Re: Hijacked home page
Thanks for all your help. I have been away for a while. Just got back.

An attempt to change the home page just occurred. I ran Malwarebytes (full version now) and it found nothing.

My web access is still OK. I tried to download ComboFix from BleepingComputer.com and I noticed it is blocked by the list in my new hosts file.

Any clues?

see ya

Re: Hijacked home page
Go to C:\windows\system32\drivers\etc

You will see something that says HOSTS

Double-click on it, and open it with Notepad.

Please post the contents of that in your next reply.
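As an added example (not part of the thread), a small Python check that does what the helper is asking the reader to do by eye with a hosts file: it counts the entries, lists any that cover the security vendors this thread depends on (so downloads of the cleanup tools would fail, as reported above), and flags entries that point a hostname at a real IP rather than 0.0.0.0 or loopback, since redirecting a name to a remote host, not merely blackholing it, is the hijack pattern to look for. The sample hosts content and the vendor list are constructed assumptions.

```python
import ipaddress

# Constructed sample of a Windows hosts file (NOT the file from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example-adserver.test
0.0.0.0         www.bleepingcomputer.com
127.0.0.1       download.bleepingcomputer.com
198.51.100.7    www.malwarebytes.org   # points at a remote host, not a block
0.0.0.0         tracker.example.test
"""

# Vendors whose tools this thread relies on (assumed list); an entry for any of
# them stops the user from downloading the cleanup tools the helper asks for.
SECURITY_SITES = ("bleepingcomputer.com", "malwarebytes.org", "superantispyware.com")

# Targets that merely blackhole a name; anything else redirects it somewhere.
BLACKHOLE = {ipaddress.ip_address(a) for a in ("0.0.0.0", "127.0.0.1", "::1")}


def parse_hosts(text):
    """Return (address, hostname) pairs, dropping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # strip trailing comment
        if len(fields) >= 2:                    # address followed by 1+ names
            entries.extend((fields[0], name.lower()) for name in fields[1:])
    return entries


def covers_security_site(name):
    """True if name is one of SECURITY_SITES or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in SECURITY_SITES)


def audit_hosts(text):
    """Summarise a hosts file: entry count, blocked vendors, redirections."""
    entries = parse_hosts(text)
    redirected = []
    for addr, name in entries:
        try:
            target = ipaddress.ip_address(addr)
        except ValueError:              # malformed address: flag for review
            redirected.append((addr, name))
            continue
        if target not in BLACKHOLE:     # a real IP, i.e. a redirection
            redirected.append((addr, name))
    return {
        "total": len(entries),
        "blocked_security_sites": sorted({n for _, n in entries if covers_security_site(n)}),
        "redirected": redirected,
    }
```

On the 2 MB file described later in the thread, `audit_hosts(open(path).read())` gives the helper the three facts that matter without pasting the whole file.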

Re: Hijacked home page
It's over 2 MB and keeps freezing things when I cut to paste.
Should I send it in bits?

Re: Hijacked home page
Take a different route here:

Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky and save it to your Desktop.
Please close all other applications running on your system.

Please double click GetSystemInfo.exe to open it.

Click the Settings button.

Set it to Maximum.

IMPORTANT! Then please click Customize - choose Driver / Ports tab and uncheck Scan Ports.

Click Create Report to run it.

It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop. Please upload the folder to Kaspersky GSI Parser and click the Submit button.

Please copy and paste the url of the GSI Parser report (not the log) in your next reply.

Re: Hijacked home page
here ya go.....

http://www.getsysteminfo.com/read.php?file=5ef40b52d2cc91291a14d8a6e1cbc2d7

see ya

Re: Hijacked home page
Malwarebytes ran a scheduled scan last night and picked up and removed Disabled.SecurityCenter

Re: Hijacked home page
After reboot Superantispyware has just identified an attempt to change home page again. I'll run Superantispyware now.

see ya

Re: Hijacked home page
Seems to be ok.

Let's do another close check for rootkits:

Please download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

Re: Hijacked home page
Interesting... while I was away from the computer and Internet Explorer was off I got a message from MWB saying that it had blocked access to a malicious IP address. Here is the log:

07:43:31 BryanC MESSAGE Protection started successfully
07:43:41 BryanC MESSAGE IP Protection started successfully
12:16:37 BryanC MESSAGE Protection started successfully
12:16:45 BryanC MESSAGE IP Protection started successfully
12:47:31 BryanC IP-BLOCK 222.64.96.48
12:47:39 BryanC IP-BLOCK 94.96.12.63
13:33:56 BryanC IP-BLOCK 89.28.26.125

Re: Hijacked home page
Here is the GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-01 12:06:37
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\bryanc\LOCALS~1\Temp\kgrorpog.sys


---- System - GMER 1.0.15 ----

SSDT 8A45C818 ZwAlertResumeThread
SSDT 8A43F888 ZwAlertThread
SSDT 8A3FA3D8 ZwAllocateVirtualMemory
SSDT 8A56F008 ZwConnectPort
SSDT 8A35B8A0 ZwCreateMutant
SSDT 8A641550 ZwCreateThread
SSDT 89F97D90 ZwFreeVirtualMemory
SSDT 8A465450 ZwImpersonateAnonymousToken
SSDT 8A465488 ZwImpersonateThread
SSDT 8A608E60 ZwMapViewOfSection
SSDT 8A45BCD0 ZwOpenEvent
SSDT 8A366A70 ZwOpenProcessToken
SSDT 8A369218 ZwOpenThreadToken
SSDT 8A4AE518 ZwResumeThread
SSDT 8A464DD8 ZwSetContextThread
SSDT 8A37CD30 ZwSetInformationProcess
SSDT 8A38F008 ZwSetInformationThread
SSDT 8A4570B8 ZwSuspendProcess
SSDT 8A473908 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA96E00B0]
SSDT 8A45B878 ZwTerminateThread
SSDT 8A4746E8 ZwUnmapViewOfSection
SSDT 8A35F988 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FF0 8050488C 4 Bytes CALL C4DA8FD7
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB86BD380, 0x381B8D, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[2940] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Ext2Fsd.SYS (Ext2 File System Driver for Windows/www.ext2fsd.com)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Re: Hijacked home page
And another attempt to access an IP address, this time with Explorer running:

07:43:31 BryanC MESSAGE Protection started successfully
07:43:41 BryanC MESSAGE IP Protection started successfully
12:16:37 BryanC MESSAGE Protection started successfully
12:16:45 BryanC MESSAGE IP Protection started successfully
12:47:31 BryanC IP-BLOCK 222.64.96.48
12:47:39 BryanC IP-BLOCK 94.96.12.63
13:33:56 BryanC IP-BLOCK 89.28.26.125
13:50:25 BryanC IP-BLOCK 218.8.103.222

Re: Hijacked home page

  1. Download Win32kDiag from any of the following locations and save it to your Desktop.

    • Download Win32kDiag (Win32kDiag.exe) - #1
    • Download Win32kDiag (Win32kDiag.exe) - #2
    • Download Win32kDiag (Win32kDiag.exe) - #3

  • Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  • When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  • Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.

Re: Hijacked home page
The number of malicious sites being blocked by MWB is growing. It happens when Internet Explorer is not up and running as well as when it is.

Here is the Win32kDiag log. It is very short.

Running from: C:\Documents and Settings\bryanc\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\bryanc\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

Re: Hijacked home page
It has got to be somewhere.

Please download the Sophos Anti-Rootkit Scanner and save it to your desktop.

You will need to enter your name, e-mail address and location in order to access the download page.

  • Once you have downloaded the file, double click the sarsfx icon
  • Review the licence agreement and click on the Accept button
  • The scanner will prompt you to extract the files to C:\SOPHTEMP - DO NOT change this location, simply click the Install button

  • Once the files have been extracted; using Windows Explorer, navigate to C:\SOPHTEMP and double click on the blue shield icon called sargui
  • Ensure that there are checkmarks next to Running processes, Windows registry and Local hard drives, then click Start scan
  • Allow the program to scan your computer - please be patient as it may take some time
  • Once the scan has completed a window will pop-up with the results of the scan - click OK to this
  • In the main window, you will see each of the entries found by the scan (if any)

    • If the scanner generated any warning messages, please click on each warning and copy and paste the text of it into this thread for me to review
    • Once you have posted any warning messages here, you can close the scanner and wait for me to get back to you

  • If you have not had any warnings, any entries which can be cleaned up by the scanner will have a box with a green checkmark in it next to the entry
  • To clean up these entries click on the Clean up checked items button
  • If you accidentally check a file NOT recommended for clean up, you will get a warning message and if necessary can re-select the entries you want to clean up
  • Once you have cleaned the selected files, you will be prompted to re-boot your computer - please do so
  • When you have re-booted, please post a fresh HijackThis log into this thread and tell me how your computer is running now
