Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

infection upon entering iGoogle


  • Please log in to reply
3 replies to this topic

#1 clairecobra

clairecobra

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:05:25 AM

Posted 02 September 2009 - 06:51 PM

I am running Windows XP. I use Firefox. I have McAfee VirusScan and Malwarebytes' Anti Malware, both of which are up to date. Starting this morning, I have had the following problem:
I have iGoogle set as my homepage. Whenever I open my browser and iGoogle loads, I get an alert from Malwarebytes' saying "Malwarebytes' Anti-Malware IP Protection: Infection detected: 212.117.164.110"

I have run on-demand scans of all my anti-virus and anti-malware programs, and they come up with nothing. The problem persists even when I shut down and reboot.

Let me know if you need a HijackThis log.

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:25 AM

Posted 02 September 2009 - 08:24 PM

Hi, I'm already suspecting the latest nasty rootkit here. So Run this next please.
We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 clairecobra

clairecobra
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:05:25 AM

Posted 02 September 2009 - 08:49 PM

Thanks so much for taking the time to help me. Here is the log:


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/02 21:31
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA0B2000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B2F000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA97F4000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

==EOF==

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:25 AM

Posted 02 September 2009 - 09:10 PM

Ok let's do 2 things next. Oh and you'rewelcome.
Run part 1 of S!Ri's SmitfraudFix
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Rerun Rootrepeal .. under Scan.. Select only FILES... post that new log also.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users