
Browser hijacked - even in safe mode


4 replies to this topic

#1 tuxalot
  • Members
  • 3 posts

Posted 10 April 2010 - 04:33 PM

Environment:
  • Windows XP SP3, fully updated
  • FF 3.6.3
  • IE 8.0.6001.18702
  • Opera 10.51
  • JRE 1.6.0_19
  • MBAM 1.45
  • Avast 5.0.462
  • HijackThis 2.0.2
Getting browser redirects to various search-engine-type pages in both FF and IE. Opera seems immune. Hitting the same link repeatedly in Google loads a different page each time. I get an occasional pop-up as well, and they seem targeted to the search term I am typing in Google. Happens in safe mode as well.

What I've done/checked thus far:
  • I checked if IE or FF was running via a proxy, and neither are.
  • Ran Rkill before the following:
  • Ran MBAM and found nothing
  • Avast full scan finds nothing
  • Ran ESET online, finds nothing
Interesting little bugger! I have downloaded GMER and ComboFix.exe. I'm not sure how to run either one, but I have the programs. If I try to run ComboFix, it seems to load in a small blue screen, and after a few moments it reboots my machine, and subsequently I cannot load Windows normally. If I try, it continually reboots, and I must use the Last Known Good Configuration to get Windows to boot.

Additional details: Similar to another post here: using msconfig to boot into safe mode, I get this message: "access denied, need administrator account" even though my account is an administrator. The result is that I DO boot into safe mode, and any changes I make in msconfig seem to stick, but I still get the access denied error message.

I look forward to your assistance,

Tux

Edited by tuxalot, 10 April 2010 - 05:12 PM.


#2 techextreme (Bleepin Tech)
  • Members
  • 2,125 posts
  • Location: Pittsburgh, PA

Posted 12 April 2010 - 09:43 AM

Please post the log from Malwarebytes.

This will help in moving forward.
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

#3 tuxalot (Topic Starter)
  • Members
  • 3 posts

Posted 12 April 2010 - 05:22 PM

I've got the same thing. Downloading hitmanpro to give it a go. Will report back.

Open up C:\WINDOWS\Temp and watch the folders get created. WOW. Fortunately, I am running Executable Lockdown (http://www.executablelockdown.com/), so it flags and asks me if I want to run C:\WINDOWS\Temp\random-dir\svchost.exe. Before clicking the deny button, I thought I would check the offending svchost.exe (before it gets deleted automatically) with Avast, MBAM, and SUPERAntiSpyware. None of them see the threat. After 10 seconds, the svchost.exe automagically deletes itself.

Sneaky it is.

EDIT: HitmanPro 3.5.4 found some things.

redbook.sys is infected. I deleted this.
buMRmvNT.dll in C:\WINDOWS\system32 is suspicious; the digital signature is invalid. I quarantined this.

Need to reboot now, will check back.

Rebooted, HitmanPro did a final scan (automatically upon boot), and all checks out clean!

What a great tool. I'm impressed. Where all other tools failed (Avast, Malwarebytes, SUPERAntiSpyware, Spybot S&D), this one seems to have done the trick.

A must have!

Edited by tuxalot, 12 April 2010 - 06:03 PM.
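The dropper described in post #3 writes a svchost.exe into a random subfolder of C:\WINDOWS\Temp and removes it again within seconds, which is why the on-demand scanners in the thread never got a look at it. The script below is an added example written for this thread; it is not code from the thread, from HitmanPro, or from Executable Lockdown. It walks a directory tree, flags any file that carries a core system-binary name (svchost.exe and a few others, an assumed list) but does not live in the expected System32/SysWOW64 directories, and hashes each hit immediately so there is something to submit to a scanner or compare later even after the file deletes itself. The directory layout it runs against is constructed in a temporary folder to mirror the report; on a real machine you would point it at the actual Windows directory and run it elevated.

```python
"""Find executables that borrow a system-binary name but live outside the
system directory (e.g. C:\\WINDOWS\\Temp\\<random>\\svchost.exe), and hash
them before a self-deleting dropper can remove the evidence.

Added example for the BleepingComputer thread above; the name list and the
expected-directory rule are assumptions, not part of any tool named there.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Set

# Assumed list: names that should only ever run from the system directory.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


def expected_dirs(system_root: Path) -> Set[Path]:
    """Directories where a genuine copy of those binaries is allowed to live."""
    return {(system_root / "system32").resolve(), (system_root / "syswow64").resolve()}


def sha256_or_none(path: Path) -> Optional[str]:
    """Hash the file right away; return None if it already vanished."""
    try:
        return hashlib.sha256(path.read_bytes()).hexdigest()
    except OSError:
        return None


def find_masquerading_binaries(scan_root: Path, system_root: Path) -> List[Dict[str, Optional[str]]]:
    """Walk scan_root and report files whose basename matches a system binary
    but whose parent directory is not one of the expected locations."""
    allowed = expected_dirs(system_root)
    findings: List[Dict[str, Optional[str]]] = []
    for dirpath, _dirnames, filenames in os.walk(scan_root):
        for name in filenames:
            if name.lower() not in SYSTEM_BINARY_NAMES:
                continue
            path = Path(dirpath) / name
            if path.parent.resolve() in allowed:
                continue  # legitimate location, nothing to report
            findings.append({"path": str(path), "sha256": sha256_or_none(path)})
    return findings


def build_constructed_tree(root: Path) -> Path:
    """Constructed sample layout mirroring the thread's report (not real data)."""
    windows = root / "WINDOWS"
    (windows / "system32").mkdir(parents=True)
    (windows / "system32" / "svchost.exe").write_bytes(b"MZ placeholder for the genuine binary")
    dropped = windows / "Temp" / "a3f9k2"          # random-looking folder name
    dropped.mkdir(parents=True)
    (dropped / "svchost.exe").write_bytes(b"MZ constructed suspicious payload")
    (windows / "Temp" / "notes.txt").write_text("harmless file, should not be flagged")
    return windows


def run_demo() -> List[Dict[str, Optional[str]]]:
    """Build the constructed tree in a temp dir and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        windows = build_constructed_tree(Path(tmp))
        return find_masquerading_binaries(scan_root=windows, system_root=windows)


if __name__ == "__main__":
    for hit in run_demo():
        print(f"{hit['path']}  sha256={hit['sha256']}")
```

Because the dropper recreates its folder continuously, a single pass can miss it; in practice you would loop the scan every second or two (or hook directory-change notifications) while the symptom is active, and feed the captured hashes to the scanners the thread lists.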


#4 tuxalot (Topic Starter)
  • Members
  • 3 posts

Posted 12 April 2010 - 05:56 PM

I may have solved it. Not to cross-post, but this is the thread I used, and my posts are attached there.

http://www.bleepingcomputer.com/forums/t/282844/fake-svchostexe-trojan-created-in-windows-temp-folder/

I will run MBAM again and post the log here just to be sure.

Thanks!

#5 Orange Blossom (OBleepin Investigator)
  • Moderator
  • 36,958 posts
  • Location: Bloomington, IN

Posted 12 April 2010 - 08:38 PM

To avoid confusion, I have merged your other post here, and it appears here as post number 3.

~ OB

Edited by Orange Blossom, 12 April 2010 - 08:38 PM.


Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript