Topic: [Resolved] Google and Yahoo search engines are redirected in IE and Firefox
FireballMail
« Reply #15 on: January 04, 2009, 08:25:57 AM »

I flushed the DNS cache with ipconfig but the problem still remains. Maybe it's hacker humor, but many of the redirected sites are for antivirus software!

Again, thanks for your help so far. Are we running out of options? As a last resort I can just reformat and reinstall everything - rather not as you might imagine. :-)

This computer is used by the whole family including several teenagers. There are 5 different logins. All but mine was affected but in the course of doing these tests the Yahoo search on my login is now redirected.

All very confusing.
Hoov
« Reply #16 on: January 04, 2009, 09:34:52 AM »

GRR! Persistent little bugger, isn't it? I know you have your own virus scanner, but the next thing to do is to run a scan at Eset/NOD32. Check the approval box and follow the instructions. You will have to use IE for this scan.

Let me know what it finds.


If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Be wary of strong drink. It can make you shoot at tax collectors -- and miss. 
      -From the Notebooks of Lazarus Long
      -Senior of The Howard Families
FireballMail
« Reply #17 on: January 04, 2009, 03:55:24 PM »

Ran ESET, 564572 files scanned, 0 threats found. Took about 2 hours.

This is one clever malware!

Hoov
« Reply #18 on: January 04, 2009, 05:51:25 PM »

Right click on the icon in the system tray that represents your internet connection and click on status, then click the details button. I need to know what the entries are for the DNS servers. Also who is your ISP.
FireballMail
« Reply #19 on: January 04, 2009, 07:16:15 PM »

Internet Connection Details

Physical Address:    00-16-76-C1-F1-A5
IP Address:    192.168.1.2
Subnet Mask:    255.255.255.0
Default Gateway:    192.168.1.1
DHCP Server:    192.168.1.1
Lease Obtained:    1/4/2009 9:07:59 PM
Lease Expires:    1/5/2009 1:29:51 PM
DNS Server:    192.168.1.1
WINS Server:


I have Roadrunner High Speed Internet service from Time Warner Cable. As I mentioned earlier above, the cable goes into a telephone modem and the Ethernet comes out of that and into a router.
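The question in Reply #18 is really "who is resolving names for this PC?". The check below is an added example, not code from the thread or from any of the tools it mentions: it parses the connection-details block pasted in Reply #19 (physical address and lease times dropped), computes the LAN from the IP address and subnet mask, and classifies each DNS server. The ISP resolver list and the second, constructed block are placeholders for illustration.

```python
import ipaddress

# Connection details as pasted in Reply #19 (physical address and lease
# times dropped), used as sample input for this added check.
DETAILS_FROM_THREAD = """\
IP Address:    192.168.1.2
Subnet Mask:    255.255.255.0
Default Gateway:    192.168.1.1
DHCP Server:    192.168.1.1
DNS Server:    192.168.1.1
WINS Server:
"""

# Constructed variant: a public resolver (TEST-NET address) that the
# ISP does not publish and nobody on the LAN configured on purpose.
DETAILS_CONSTRUCTED = DETAILS_FROM_THREAD.replace(
    "DNS Server:    192.168.1.1", "DNS Server:    203.0.113.53")

# Placeholder set of resolvers the ISP is known to hand out (assumption;
# fill in from the ISP's published list when using this for real).
ISP_RESOLVERS = {"192.0.2.1", "192.0.2.2"}


def parse_details(text):
    """Map each 'Name: value' line to a list of values (a field may repeat)."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def assess_dns(fields, isp_resolvers=ISP_RESOLVERS):
    """Return [(server, verdict)] for every DNS server in the block.

    router     -> the PC trusts the router, so the router's own upstream
                  DNS setting is the next thing to inspect for a redirect
    lan        -> another host on the local subnet resolves; confirm it is yours
    isp        -> matches a resolver the ISP publishes
    unexpected -> a public resolver that is neither the ISP's nor local
    """
    lan = ipaddress.ip_network(
        f"{fields['IP Address'][0]}/{fields['Subnet Mask'][0]}", strict=False)
    gateway = fields.get("Default Gateway", [""])[0]
    verdicts = []
    for server in fields.get("DNS Server", []):
        if not server:
            continue
        if server == gateway:
            verdicts.append((server, "router"))
        elif ipaddress.ip_address(server) in lan:
            verdicts.append((server, "lan"))
        elif server in isp_resolvers:
            verdicts.append((server, "isp"))
        else:
            verdicts.append((server, "unexpected"))
    return verdicts
```

A "router" verdict, as in this thread, means a clean scan of the PC says nothing about where the router itself forwards queries; that setting has to be read from the router's own configuration.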
Hoov
« Reply #20 on: January 05, 2009, 09:54:18 AM »

I want you to do a MBAM scan again, but this time you are going to do a full scan and NOT the quick scan. I have done more digging, and apparently the quick scan misses this particular piece of malware. First run MBAM and do the update, then turn off everything that you can so there is as little running as possible (turn off your internet connection so you can turn off your other security programs), then check the option for a full scan and then run it. Post the log up when it's done.
FireballMail
« Reply #21 on: January 05, 2009, 07:37:17 PM »

This might be it??? Two hits on something called Rootkit.Zlob.

Log file attached.
Hoov
« Reply #22 on: January 05, 2009, 08:07:24 PM »

Did you click remove selected when it found those files? If not, do that. Then reboot and try a search.
FireballMail
« Reply #23 on: January 06, 2009, 12:04:03 PM »

I ran mbam again with network cable unattached, got the same results (file attached), removed the two offending files, rebooted. Unfortunately searches are still redirected in IE and Firefox using both Google and Yahoo. Dogpile search still works correctly.

Well, we got rid of something bad anyway! Thanks for all your help so far - I'll hang in as long as you do but I don't want to monopolize your time. Do you ever have unsolvable cases?

Thanks again.
Hoov
« Reply #24 on: January 06, 2009, 12:26:17 PM »

Actually the log is showing that the files were left. So there is one more way to try. Reboot into safe mode, and run the full MBAM scan again. Before running it, do a search for this string 04112855DEE7B78D on your entire hard drive. If a file or folder shows up with that name, delete it. Then empty the recycle bin, then run the scan. Post the log up again.

As for monopolizing my time, no worries, I have at least a dozen other logs in the works. No unsolveds yet, but a couple real buggers though.
FireballMail
« Reply #25 on: January 07, 2009, 08:20:53 PM »

The log that I included with my last posting was made **before** I removed the offending files. So the files were removed. Although in my paranoia, I went into safe mode and re-ran the full MBAM scan and it came up clean.

This computer has four accounts on it plus the regular Guest account. Is that a problem when doing these scans or are all files accessible to the scan applications?
Hoov
« Reply #26 on: January 08, 2009, 05:14:51 AM »

Well, I am glad you asked that question. I was under the impression that separate accounts were scanned. I almost told you it made no difference, but decided to check and found a few cases where the scans were done in separate accounts, and some problems were found. So go ahead and log into each user and then scan each one with MBAM doing a full scan, not a quick scan.

But there is one more thing I would like you to try. Please download GooredFix and save it to your Desktop.
Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).
Note: Do not run Option #2 yet.

Also I need you to uninstall Adobe Acrobat Version 8. After you uninstall it, go ahead and install version 9.
« Last Edit: January 08, 2009, 05:22:19 AM by Hoov »
FireballMail
« Reply #27 on: January 10, 2009, 07:03:27 PM »

1. Uninstalled Adobe 8 and Installed Adobe 9

2. Ran GooredFix and log is below. Maybe these show something.

3. Will begin scanning individual user accounts and post those results when done.



GooredFix v1.8 by jpshortstuff
Log created at 20:59 on 10/01/2009 running Option #1 (Paul)
Firefox version 3.0.1 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.1\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.1\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3112ca9c-de6d-4884-a869-9855de68056c}"="C:\Documents and Settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}"
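The registry dump that GooredFix prints is a flat list of which extension paths Firefox has been told to load from HKLM, which is exactly where a search-redirecting extension would register itself. The triage below is an added example, not part of the thread and not GooredFix's own logic: it parses the dump above (plus one constructed entry under C:\WINDOWS\Temp, which GooredFix did not report) and flags any entry whose path lies outside an assumed allowlist of directories derived from the benign entries in the log.

```python
import re

# Registry dump from the GooredFix log above (Reply #27), plus one
# constructed extension entry of the kind a redirect add-on would create.
SAMPLE_LOG = r"""=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.1\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.1\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3112ca9c-de6d-4884-a869-9855de68056c}"="C:\Documents and Settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{00000000-1111-2222-3333-444444444444}"="C:\WINDOWS\Temp\{00000000-1111-2222-3333-444444444444}"
"""

# Directories an HKLM-registered Firefox extension is expected to live
# under on this machine (lower-cased, trailing backslash). Assumed for
# this example from the benign entries in the log; tune per machine.
EXPECTED_PREFIXES = (
    "c:\\program files\\mozilla firefox\\",
    "c:\\program files\\java\\",
    "c:\\documents and settings\\all users\\application data\\google\\",
)

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_goored_log(text):
    """Return (registry key, value name, path) triples from the dump section."""
    entries, key, in_dump = [], None, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("=====Dumping Registry Values====="):
            in_dump = True
        elif in_dump and (m := KEY_RE.match(line)):
            key = m.group(1)
        elif in_dump and key and (m := VALUE_RE.match(line)):
            entries.append((key, m.group(1), m.group(2)))
    return entries


def suspect_entries(entries, expected=EXPECTED_PREFIXES):
    """Return entries whose path lies outside every expected directory."""
    return [e for e in entries if not e[2].lower().startswith(expected)]
```

An entry outside the allowlist is a lead to examine on disk, not proof of infection; an add-on legitimately installed to an unusual directory will also be flagged.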
FireballMail
« Reply #28 on: January 10, 2009, 07:32:21 PM »

Quick question -

Before scanning individual user accounts, I had a question. In Windows Explorer->Folder Options->View->Files and Folders, is it necessary to check "Display the contents of system folders" and "Show hidden files and folders"? If these are not checked are the scanning applications blocked from looking in them? Are you sure the scanning apps can see into all the nooks and crannies?



« Last Edit: January 10, 2009, 07:36:21 PM by FireballMail »
Hoov
« Reply #29 on: January 10, 2009, 07:51:36 PM »

It won't hurt to go ahead and make them visible.