Browser re-direct: help

Greetings,
I am new to the forums here, but have heard great things about this site.

My girlfriend got the trojan.zlob virus on her laptop 02/15. While I think it is completely gone, our Google and Yahoo search results are now being redirected to other search engines instead of the desired destinations in Internet Explorer only (this doesn’t happen in Firefox). I searched the forums and see that others are having this problem too, but I’d like advice on what to do next before going any further.

Last night, I read and followed all of the instructions in the ‘Read & Run Me First. Malware removal guide’, and in ‘Downloading, Installing, and Running HijackThis’, -- I’ll post all the logs.
I also looked in ‘Special Removal Procedures - TitanShield… etc’ post -- I thought it would be in the ‘Win32.Zlob’ section, but that seems to be the wrong direction.

I realized this morning that I did not have the most current version of Sun Java Runtime Environment. (doh!) I’m uninstalling the old/ installing the current after I post this, but I don’t think it affected my scans. Please let me know if this assumption is wrong.

I will attach (in 2 posts):

1. Counterspy.txt
2. Bitdefender: I could not run this in safe mode w/ networking as I could not connect to my wireless internet, so I ran it in normal mode.
3. Panda: Activescan.txt
4. Runkeys.txt
5. Newfiles.txt
6. hijackthis.log

Please let me know what else you need from me. I appreciate your time and assistance.
-Bill

 

Here are the next 3 files:
Runkeys.txt
Newfiles.txt
hijackthis.log

Thanks again,
Bill

 

Hi TimW,

Thank you for your help thus far! Here's what I have:

DELETED.

Done. Successful.

Ran HJT.
Found all above mentioned entries.
Checked them off.
Closed my Firefox window.
Clicked 'Fix'.
Exited HJT.

ATTACHED.

After running these again, I closed each program. I then opened Internet Explorer, typed "www.google.com" in the address bar, then performed my search (this time, "Blink 182"). I clicked on the link to Blink's home page, but it still redirected me to another search engine.

I notice 2 things:

1. When I open IE7, the main Toolbar (File, Edit, etc) is permanently visible, yet I never set it to be this way (I used to have to push the 'Alt' key for it to appear).
   
2. Before doing your suggestions, the Status bar in my Google or Yahoo search results page would show some crazy-long address. After doing your suggestions, when i hover over a results link, the status bar shows the correct address, yet clicking it still redirects. It first goes to some long address starting with '216.133.243.28', then goes to some random search page.

I don't know if this info helps, but figured I'd share it anyhow.

Please let me know if you need further info.
Thanks again,
Bill

 

I'm sorry. Here they are.


Thank you,
Bill

 

Hi again,

I'm Sorry about that. I did run it when following the initial instructions, but my girl had gone online again.

I have just run CCleaner (both Cleaner & Issues) in Safe Mode, in each of the profiles (Admin, my girls, & mine) and backed up each time. After that, I ran SpyBot in each profile and it found no problems.

After that, I ran GetRunKey, ShowNew, and HJT. These fresh logs are attached. Please let me know if you need anything else.

At your convenience, let me know what you see. Sorry for the time-waste! Thank you again for the help.
-Bill

 

Hi TimW,

First and foremost, thank you for all of your help. It feels like I'm 97% done.

1) We did not use Pocket Killbox -- I downloaded it this morning in case I will need it later.
2-5) N/A -- didn't use
6) I removed the .reg files from my desktop.
7) Deleted the .zip & .txt filed mentioned.
8) Toggled the System restore per instructions.
9) Working on it.

Now, the Internet Explorer hijack/redirect is still being attempted, with Google searches only. Yahoo search results are no longer being redirected.

In my Google searches, if I search for a Google service (I typed in 'Gmail' and 'Google Maps'), the search result links can be followed without problem. But when I search for other things (this a.m. I used 'Green Day', then 'Chamber Music'), these search result links yield a message when I try to follow them, saying something like 85.255.119.188 is trying to redirect to 64.111.198.178. Do you want to allow this? I click No, and get the 'page cannot load' message. (I looked up these IP addresses and they seem to be linked to spammers, which I kinda figured would be the case).

Please let me know what you think.
(note: I'm back at work today, so cannot access the laptop until 6p.m.)

Thank you again for all of your time and assistance.
-Bill

 

Hi Tim,

Thanks for that. It seemed to do the trick!

All seems to be working correctly, searches working properly.

I'll attach 3 logs here; the 4th (Fixwareout log) after.

We'll use the computer more this evening, I'll let you know how it goes.

Thanks again,
Bill

 

Here's the Fixwareout report.

 

Hi TimW,

24 hours later, and everything is working correctly!

A big, huge THANK YOU, from me and my girl to you and MajorGeeks. You solved our problem in less than 3 days -- I didn't think that was possible!

You rock. Keep it up.

:wave
-Bill