Browser hijacked - even in safe mode

Environment:

• Windows XPSP3 fully updated
• FF 3.6.3
• IE 8.0.6001.18702
• Opera 10.51
• JRE 1.6.0_19
• MBAM 1.45
• Avast 5.0.462
• Hijackthis 2.0.2

Getting browser re-directs to various search engine type pages in both FF and IE. Opera seems immune. Hitting the same link repeatedly in Google loads a different page each time. I get an occasional pop-up as well, and they seem targeted to the search term I am typing in Google. Happens in safe mode as well.

What I've done/checked thus far:

• I checked if IE or FF was running via a proxy, and neither are.
• Ran Rkill before the following:
• Ran MBAM and found nothing
• Avast full scan finds nothing
• Ran ESET online, finds nothing

Interesting little bugger! I have downloaded GMER and combofix.exe. I'm not sure how to run either one but I have the programs. If I try to run combofix, it seems to load in a small blue screen, and after a few moments reboots my machine and subsequently I cannot load windows normally, If I try it continually reboots, and I must use the last good configuration to get windows to boot.

Additional details: Similar to another post here - using msconfig to boot into safe mode, I get this message: "access denied, need administrator account" even though my account is administrator. The result is that I DO boot into safe mode and any changes I make in msconfig seem to stick, but I still get the access denied error message.

I look forward to your assistance,

Tux

Edited by tuxalot, 10 April 2010 - 05:12 PM.

Please post the log from Malwarebytes.

This will help in moving forward.

I've got the same thing. Downloading hitmanpro to give it a go. Will report back.

Open up C:\WINDOWS\Temp and watch the folders get created. WOW. Fortunately, I an running executable lockdown http://www.executablelockdown.com/ so it flags and asks me if I want to run C:\WINDOWS\Temp\random-dir\svchost.exe. Before clicking the deny button, I thought I would check the offending svchost.exe (before it gets deleted automatically) with avast, MBAM, and SUPER anti-spyware. None of them see the threat. After 10 seconds, the svchost.exe automagically deletes itself.

Sneaky it is.

EDIT: Hitman pro 3.5.4 found some things.

redbook.sys is infected. I deleted this.
buMRmvNT.dll in c:\windows\system32 is suspicious - the digital signature is invalid. I quarantined this.

Need to reboot now, will check back.

Rebooted, Hitman Pro did a final scan (automatically upon boot), and all checks out clean!

What a great tool. I'm impressed. Where all other tools failed (Avast, MalwareBytes, SUPERAntiSpyware ,Spybot S&D), this one seems to have done the trick.

A must have!

Edited by tuxalot, 12 April 2010 - 06:03 PM.

I may have solved it. Not to cross post, but this is the thread I used and my posts are attached there.

http://www.bleepingcomputer.com/forums/t/282844/fake-svchostexe-trojan-created-in-windows-temp-folder/

I will run MBAM again and post the log here just to be sure.

Thanks!

To avoid confusion, I have merged your other post here and appears here as post number 3.

~ OB

Edited by Orange Blossom, 12 April 2010 - 08:38 PM.