Hijacked home page

Here is the teh gmer log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-01 12:06:37
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\bryanc\LOCALS~1\Temp\kgrorpog.sys


---- System - GMER 1.0.15 ----

SSDT 8A45C818 ZwAlertResumeThread
SSDT 8A43F888 ZwAlertThread
SSDT 8A3FA3D8 ZwAllocateVirtualMemory
SSDT 8A56F008 ZwConnectPort
SSDT 8A35B8A0 ZwCreateMutant
SSDT 8A641550 ZwCreateThread
SSDT 89F97D90 ZwFreeVirtualMemory
SSDT 8A465450 ZwImpersonateAnonymousToken
SSDT 8A465488 ZwImpersonateThread
SSDT 8A608E60 ZwMapViewOfSection
SSDT 8A45BCD0 ZwOpenEvent
SSDT 8A366A70 ZwOpenProcessToken
SSDT 8A369218 ZwOpenThreadToken
SSDT 8A4AE518 ZwResumeThread
SSDT 8A464DD8 ZwSetContextThread
SSDT 8A37CD30 ZwSetInformationProcess
SSDT 8A38F008 ZwSetInformationThread
SSDT 8A4570B8 ZwSuspendProcess
SSDT 8A473908 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA96E00B0]
SSDT 8A45B878 ZwTerminateThread
SSDT 8A4746E8 ZwUnmapViewOfSection
SSDT 8A35F988 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FF0 8050488C 4 Bytes CALL C4DA8FD7
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB86BD380, 0x381B8D, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[2940] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Ext2Fsd.SYS (Ext2 File System Driver for Windows/www.ext2fsd.com)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

And another attempt to access an IP adress. this time with explorer running:

07:43:31 BryanC MESSAGE Protection started successfully
07:43:41 BryanC MESSAGE IP Protection started successfully
12:16:37 BryanC MESSAGE Protection started successfully
12:16:45 BryanC MESSAGE IP Protection started successfully
12:47:31 BryanC IP-BLOCK 222.64.96.48
12:47:39 BryanC IP-BLOCK 94.96.12.63
13:33:56 BryanC IP-BLOCK 89.28.26.125
13:50:25 BryanC IP-BLOCK 218.8.103.222

the number of malicious sites being blocked by MWBs is growing. It happens when internet explorer is not up and running as well as when it is.

here is the win32kdiag log. It is very short.

Running from: C:\Documents and Settings\bryanc\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\bryanc\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!

It has got to be somewhere.

Please download the Sophos Anti-Rootkit Scanner and save it to your desktop.

You will need to enter your name, e-mail address and location in order to access the download page.

• Once you have downloaded the file, double click the sarsfx icon
  
• Review the licence agreement and click on the Accept button
  
• The scanner will prompt you to extract the files to C:\SOPHTEMP - DO NOT change this location, simply click the Install button
  
  
• Once the files have been extracted; using Windows Explorer, navigate to C:\SOPHTEMP and double click on the blue shield icon called sargui
  
• Ensure that there are checkmarks next to Running processes, Windows registry and Local hard drives, then click Start scan
  
• Allow the program to scan your computer - please be patient as it may take some time
  
• Once the scan has completed a window will pop-up with the results of the scan - click OK to this
  
• In the main window, you will see each of the entries found by the scan (if any)
  
  
  
  • If the scanner generated any warning messages, please click on each warning and copy and paste the text of it into this thread for me to review
    
  • Once you have posted any warning messages here, you can close the scanner and wait for me to get back to you
    
  
  
• If you have not had any warnings, any entries which can be cleaned up by the scanner will have a box with a green checkmark in it next to the entry
  
• To clean up these entries click on the Clean up checked items button
  
• If you accidentally check a file NOT recommended for clean up, you will get a warning message and if necessary can re-select the entries you want to clean up
  
• Once you have cleaned the selected files, you will be prompted to re-boot your computer - please do so
  
• When you have re-booted, please post a fresh HijackThis log into this thread and tell me how your computer is running now
  

There were no warnings but it did find 6 unknown hȋdden files:
This one is a mazaic program recently downloaded?
Area: Local hard drives
Description: Unknown hȋdden file
Location: C:\Program Files\Mazaika\mz003.exe
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Not sure what this is :
Area: Local hard drives
Description: Unknown hȋdden file
Location: C:\Documents and Settings\bryanc\Local Settings\Temporary Internet Files\Content.IE5\QNWT6PGV\GL_Top_20pct_Buyers;seg=GL_AllRegisteredUsers;seg=GL_AllSucBuy_Mar05;sz=300x250;ord=1262325610915;dcopt=ist;tile=1;um=8;us=11;eb_trk=117035;pr=22;xp=34;np=22[1].htm
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Or this:
Area: Local hard drives
Description: Unknown hȋdden file
Location: C:\Documents and Settings\bryanc\Local Settings\Temporary Internet Files\Content.IE5\QZW4F87E\GL_Top_20pct_Buyers;seg=GL_AllRegisteredUsers;seg=GL_AllSucBuy_Mar05;sz=300x250;ord=1262325576388;dcopt=ist;tile=1;um=8;us=11;eb_trk=117035;pr=22;xp=34;np=22[1].htm
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Not sure:
Area: Local hard drives
Description: Unknown hȋdden file
Location: C:\Program Files\MediaCoder\mplayer\mencoder.exe
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Oziexplorer, I trust this one

Area: Local hard drives
Description: Unknown hȋdden file
Location: C:\Documents and Settings\bryanc\My Documents\Oziexplorer\OziExp3961c.exe
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Also Oziexplorer, I trust this one too:

Area: Local hard drives
Description: Unknown hȋdden file
Location: C:\Documents and Settings\bryanc\My Documents\Oziexplorer\OziExp.exe
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

MWB's is still blocking access to malicious sites.

Please go to this webpage: http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

This is a Conficker test. Please let me know if you see all the images at the table at the top of the page. If you do not, please tell me which ones are missing. (I.E. Top Row Second Column, or Bottom Row First Column, etc.).

I can see all of them.

I assume MWB's is using it's own database to block all these malicious IP's?

I could reset my host file and try to download combofix again?

No. Do you have the premium version of Malwarebytes' Anti-Malware?

If so, I had no idea. Which would solve this issue now.

I'm not sure what you mean. I paid for Malwarebytes only a few days ago. Does that mean I have the premium version?

I was wondering if all these attempts to access malicious ip adresses was a new occurrence or is it just that the paid version of MWB's is now picking it up?

Yes. The paid version of Malwarebytes' Anti-Malware has IP protection. See this article: http://www.malwarebytes.org/forums/index.php?showtopic=21076

The IP protection is automatic. You can learn everything in the above thread.

Now, how is your computer running?

My computer is running fine. It hasn't had a homepage change attempt in a while, but I have a list of "access to malicious Ip adress" a mile long. They happen every 15mins or so.

Funny thing about the ip adress access attempts is that they seem to occur even when explorer is off. Is this access by my computer out? or by another computer in. I guess through my wireless network?

I suggest to post for help about it in the following forum: http://www.malwarebytes.org/forums/index.php?showforum=41

Or send a message to support: support@malwarebytes.org

Thanks for the Ip protection site. I read up on the ip blocking. I understand a bit more now. Yesterday the ip access attempts were happening while I was away from the computer, which is apparently a bad thing. Today they have only occurred while I have benn on the computer. I might close everything down and let it sit idol for a while and see what happens.

see ya

Very well!

all these adresses were logged while the computer sat idol with all programs closed.

Is that good?

11:54:34 BryanC IP-BLOCK 94.96.86.69
12:10:22 BryanC IP-BLOCK 94.96.86.69
12:25:27 BryanC IP-BLOCK 94.96.60.33
12:25:28 BryanC IP-BLOCK 212.113.47.189
12:25:36 BryanC IP-BLOCK 121.9.130.51
12:26:06 BryanC IP-BLOCK 94.96.247.248

see ya

Not necessarily. Like I said, do the support with Malwarebytes, and see what they say. The IP Protection module is new, and I have not used it yet. So, I know very little information.

thanks Jay, I have already sent them an email.

My system now includes:
Symantec (a work thing so I have to keep it)
Malware Bytes Premium
Superantispyware Paid up version
and Spywareblaster

all running at the same time. Is that about as good as it gets?

see ya

That seems fine.

Just when you thought it was safe to go back in the water!!

Disabled.SecurityCentre was detected by MWB yesterday during its scheduled run late at night. It was cleared. During the day I used Firefox only.

As an experiment I ran MWB's quick scan late in the day and found Disabled,SecurityCentre again. I cleared it, rebooted and the ran the full scan. Found nothing! I did nothing more, turned off all programs and went to bed last night.

Disabled.SecurityCentre was found by MWB's again last night..

Looks like its hiding somewhere.

There is nothing hiding. We will fix it manually and lock it.

Please copy and paste the following in to Notepad:



Then, click File > Save as
Save it as fixSec.reg
Choose Save as type: All Files.
Click Save.

Once saved, double-click on the file and merge it in to the Registry.

Reboot your computer.


Then, let me know if the Security Center is still being alerted.

And now I've just had a home page change attempt :-(

Just did that. Rebooted and ran mwb's quick scan. It found disabled.securitycentre again.

What is your home page? Please note the address, and I can do an analysis.

Disabled.SecurityCenter is not an actual threat. It is just a change by malware, when it affects your system. The effects this has on your system are slim to nȯne.

Symantec Endpoint Protection, which I am guessing you still have active, correct? This is what is causing the entries in the Registry to change back.

My script above was a total fix for the Security Center in Windows XP. Since the result is the same, it means that Security software, like Symantec, will disable Security Center. It does this because it has its own security center, so using Windows Security Center would be pointless. Malwarebytes' Anti-Malware continually detects it, but can be ignored. Go ahead and add that detection to your ignore list in MBAM, and you should not get prompted about it.

My home page is
http://nexus.northrop.com.au/Canberra/default.aspx
It is password protected, it is is work page. I actually never input the password, I just ignore it and move on :-)

I do have Symantec Endpoint still active.

I will add disabled security centre to the ignore list.

see ya

ok

Do we need to do anything about the homepage change attempt?

It has to be Symantec.

Go in to Symantec's options, and see if you can find home page locking options, or home page changing options. Also look in Malwarebytes options as well.

There is something in Symantec that says:
"specify the address to use as the home page when a security risk changes it."

I have put my regular home page in there.

Good. Any change attempts?

Not yet :-) I will let you know.

thankyou

Alright.

Hi there. I just had a home page change attempt. All browsers were off at the time.

I'll run mwb's to see if it finds anything. The change attempt was picked up by Superantispyware.

see ya

MWB's found nothing.

Hi there. Are you still there?

I am still getting the odd home page change attempt to that microsoft page.

Also intermittently firefox (and explorer) bombs out and wont connect. I change the proxy settings and it works again, sometimes. It does not seem to be consistent.

any clues?

Noo idea.