WiredWX Hobby Weather Tools

Hijacked home page

2 posters

Re: Hijacked home page
Funny thing about the IP address access attempts is that they seem to occur even when Explorer is off. Is this access by my computer out, or by another computer in? I guess through my wireless network?

Re: Hijacked home page
I suggest posting for help about it in the following forum: http://www.malwarebytes.org/forums/index.php?showforum=41

Or send a message to support: support@malwarebytes.org

Re: Hijacked home page
Thanks for the IP Protection site. I read up on the IP blocking. I understand a bit more now. Yesterday the IP access attempts were happening while I was away from the computer, which is apparently a bad thing. Today they have only occurred while I have been on the computer. I might close everything down and let it sit idle for a while and see what happens.

see ya

Re: Hijacked home page
Very well! ...

Re: Hijacked home page
All these addresses were logged while the computer sat idle with all programs closed.

Is that good?

11:54:34 BryanC IP-BLOCK 94.96.86.69
12:10:22 BryanC IP-BLOCK 94.96.86.69
12:25:27 BryanC IP-BLOCK 94.96.60.33
12:25:28 BryanC IP-BLOCK 212.113.47.189
12:25:36 BryanC IP-BLOCK 121.9.130.51
12:26:06 BryanC IP-BLOCK 94.96.247.248

see ya

Re: Hijacked home page
Not necessarily. Like I said, do the support with Malwarebytes, and see what they say. The IP Protection module is new, and I have not used it yet. So, I know very little information.

Re: Hijacked home page
Thanks Jay, I have already sent them an email.

My system now includes:
Symantec (a work thing so I have to keep it)
Malwarebytes Premium
SUPERAntiSpyware (paid-up version)
and SpywareBlaster

all running at the same time. Is that about as good as it gets?

see ya

Re: Hijacked home page
That seems fine.

Re: Hijacked home page
Just when you thought it was safe to go back in the water!!

Disabled.SecurityCentre was detected by MWB yesterday during its scheduled run late at night. It was cleared. During the day I used Firefox only.

As an experiment I ran MWB's quick scan late in the day and found Disabled.SecurityCentre again. I cleared it, rebooted and then ran the full scan. Found nothing! I did nothing more, turned off all programs and went to bed last night.

Disabled.SecurityCentre was found by MWB again last night.

Looks like it's hiding somewhere.

Re: Hijacked home page
There is nothing hiding. We will fix it manually and lock it.

Please copy and paste the following into Notepad:

Code:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="Security Center"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,77,00,69,00,6e,00,\
  6d,00,67,00,6d,00,74,00,00,00,00,00
"ObjectName"="LocalSystem"
"Description"="Monitors system security settings and configurations."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Parameters]
"ServiceDll"=hex(2):25,00,53,00,59,00,53,00,54,00,45,00,4d,00,52,00,4f,00,4f,\
  00,54,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  77,00,73,00,63,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Enum]
"0"="Root\\LEGACY_WSCSVC\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
"Description"="Provides the endpoint mapper and other miscellaneous RPC services."
"DisplayName"="Remote Procedure Call (RPC)"
"ErrorControl"=dword:00000001
"Group"="COM Infrastructure"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,20,00,2d,00,6b,00,20,00,72,00,70,00,\
  63,00,73,00,73,00,00,00
"ObjectName"="NT Authority\\NetworkService"
"Start"=dword:00000002
"Type"=dword:00000020
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,\
  00,02,00,00,00,60,ea,00,00
"DependOnService"=hex(7):44,00,63,00,6f,00,6d,00,4c,00,61,00,75,00,6e,00,63,00,\
  68,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  72,00,70,00,63,00,73,00,73,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Security]
"Security"=hex:01,00,14,80,a8,00,00,00,b4,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,78,00,05,00,00,00,00,00,14,00,8d,00,02,00,01,01,00,00,00,00,00,\
  05,0b,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,18,00,8d,00,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,\
  02,00,00,00,00,14,00,9d,00,00,00,01,01,00,00,00,00,00,05,04,00,00,00,00,00,\
  18,00,9d,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,21,02,00,00,01,01,00,\
  00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Enum]
"0"="Root\\LEGACY_RPCSS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


Then, click File > Save as
Save it as fixSec.reg
Choose Save as type: All Files.
Click Save.

Once saved, double-click on the file and merge it into the Registry.

Reboot your computer.


Then, let me know if the Security Center is still being alerted.
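An added example, not part of Jay's post or of any Malwarebytes code: it parses the fixSec.reg text above, decodes the hex(2)/hex(7) blobs so you can see what the file actually sets before merging it, and checks that the file does what the fix intends (notifications not disabled, wscsvc on auto-start and hosted by the normal svchost netsvcs group). The embedded excerpt is constructed from the posted keys with fewer values.

```python
# Constructed excerpt of the fixSec.reg posted above (same keys, fewer values).
FIX_SEC_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000002
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,77,00,69,00,6e,00,\
  6d,00,67,00,6d,00,74,00,00,00,00,00
'''

def decode_value(value):
    """Decode one .reg value: dword, hex / hex(2) / hex(7) blobs, or a quoted string."""
    if value.startswith("dword:"):
        return int(value[6:], 16)
    if not value.startswith("hex"):           # "quoted string", with \\ unescaped
        return value.strip('"').replace("\\\\", "\\")
    kind, _, data = value.partition(":")      # bare "hex" is REG_BINARY
    raw = bytes.fromhex(data.replace(",", ""))
    if kind == "hex(2)":                      # REG_EXPAND_SZ: UTF-16LE, NUL-terminated
        return raw.decode("utf-16-le").rstrip("\0")
    if kind == "hex(7)":                      # REG_MULTI_SZ: NUL-separated, double NUL at end
        return [s for s in raw.decode("utf-16-le").split("\0") if s]
    return raw

def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}}, joining backslash-continued lines."""
    keys, current, buf = {}, {}, ""
    for raw_line in text.splitlines():
        line = buf + raw_line.strip()
        if line.endswith("\\"):               # continuation line: keep accumulating
            buf = line[:-1]
            continue
        buf = ""
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif line.startswith('"'):
            name, _, value = line.partition("=")
            current[name.strip('"')] = decode_value(value)
    return keys

def security_center_enabled(keys):
    # Intent of the fix: no DisableNotify flag set, wscsvc auto-start (2), normal svchost host.
    sc = keys.get(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", {})
    svc = keys.get(r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc", {})
    notify_ok = all(v == 0 for n, v in sc.items() if n.endswith("DisableNotify"))
    return notify_ok and svc.get("Start") == 2 and str(svc.get("ImagePath", "")).lower().endswith("svchost.exe -k netsvcs")
```

Run it against the full posted file to confirm the ImagePath blob decodes to the standard svchost path rather than something unexpected before you merge it.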

Re: Hijacked home page
And now I've just had a home page change attempt :-(

Re: Hijacked home page
Just did that. Rebooted and ran MWB's quick scan. It found Disabled.SecurityCentre again.

Re: Hijacked home page
What is your home page? Please note the address, and I can do an analysis.

Disabled.SecurityCenter is not an actual threat. It is just a change by malware, when it affects your system. The effects this has on your system are slim to none.

Symantec Endpoint Protection, which I am guessing you still have active, correct? This is what is causing the entries in the Registry to change back.

My script above was a total fix for the Security Center in Windows XP. Since the result is the same, it means that Security software, like Symantec, will disable Security Center. It does this because it has its own security center, so using Windows Security Center would be pointless. Malwarebytes' Anti-Malware continually detects it, but can be ignored. Go ahead and add that detection to your ignore list in MBAM, and you should not get prompted about it.

Re: Hijacked home page
My home page is
http://nexus.northrop.com.au/Canberra/default.aspx
It is password protected, it is a work page. I actually never input the password, I just ignore it and move on :-)

I do have Symantec Endpoint still active.

I will add disabled security centre to the ignore list.

see ya

Re: Hijacked home page
OK
