Google Redirect and the 8 step process

By pnorton215
Dec 8, 2009
  1. Hello,

    I am having a problem with redirection whenever I click on a search result in Google (or Yahoo for that matter). Most of the time I get redirected to a different website and it takes me 4-5 tries to finally get to the correct website. I am also experiencing popups in IE to other non-related websites as well. This happens using Firefox in addition to IE.

    I ran the 8-step process outlined on these forums and have attached the 3 log files that were identified in the 8 step process: SuperAntispyware, MalwareBytes, and HijackThis.

    The MalwareBytes and SuperAntiSpyware scans found nothing according to the logs. I am not sure what the HijackThis log tells me.

    This is a real annoying problem that I somehow need to get to the bottom of and would appreciate any help or guidance in fixing it.



  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    It's looking pretty sad :(

    I'd recommend uninstalling Norton, since you have Avira already installed.

    And you really need to update Malwarebytes and run a quick scan (as per the guide)

    There are many issues in your logs, but we at least have to get you to do a full updated scan with Avira and Malwarebytes
    Then you can fix those 01 entries in the HJT log as well (there is lots more)
  3. pnorton215

    pnorton215 TS Rookie Topic Starter Posts: 20


    I am doing as you suggested. I notice that I have MalwareBytes v1.42, which is the latest version I see on their website. Is there a newer version available elsewhere?

  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Yes Phil there is

    It's hidden from users such as you (and many others I might add ;))

    Just update Malwarebytes and you shall see that it tries (and hopefully successfully) updates

    FYI Malwarebytes is presently: Database version 3326

    Note: "UPDATE" is done in the program itself ;)
  5. pnorton215

    pnorton215 TS Rookie Topic Starter Posts: 20

    Well, you are right. I updated it like you said and it's now 3326. I will run MalwareBytes and then Avira and post the logs.

    Thanks in advance for any and all help you can/are providing.
  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    I'll try, but I might be offline at times (as most know, not for very long)

    I tend to be straight up front, so take it with a grain of salt and follow the pointers if you can
    Then we'll both be happy :) ie everything is solvable one way or another
  7. pnorton215

    pnorton215 TS Rookie Topic Starter Posts: 20

    Will do, thanks.
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  9. pnorton215

    pnorton215 TS Rookie Topic Starter Posts: 20

    Ok, I did as you said...


    I have updated my Avira and MalwareBytes and re-ran the scans as you suggested. I also re-ran HijackThis. I have attached all three logs. Avira did find TR/Dropper.Gen.

    I noticed that I still had an unwanted popup when navigating to this site so something is still up.

    Thanks for any suggestions you may offer.

  10. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Hi Phil

    Well you're still infected :(

    Also, at the time of you running Malwarebytes, it had updated, actually it has updated twice since your scan (I think possibly even before scanning)
    As it's only a very quick scan, I suggest you update it again (within the program) and run another quick scan, although it may not find anything.

    Please run HJT Scan Only and tick the box in the following entry
    Before selecting FIX, close all Internet browsers, then select FIX :)
    Your ZoneAlarm firewall has a couple of issues too.
    The "file missing" entries mean that ZoneAlarm may be corrupt (not that uncommon for this application) Info (only) supplied below
    Here's what I suggest you do ;)

    Restart, so as we can have Windows running without the above Trojan (mark_32.dll) running too
    Then go to Control Panel > Add/Remove Programs
    And uninstall the following:
    • ZoneAlarm
    • Ad-aware
    • Symantec
    • SUPERAntispyware
    • Diskeeper (if you don't use this anymore)
    Then download the Norton Removal Tool:
    And run it, then Restart again

    • Download Combofix to your desktop.
    • Disable your Antivirus (as Combofix will remove any found malwares)
    • Double click ComboFix & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here
    Also restart and then provide a fresh HJT Scan log

    2 Attachments required, unless you also want to supply the Malwarebytes attachment too (making 3 ;))
  11. pnorton215

    pnorton215 TS Rookie Topic Starter Posts: 20


    Thanks, I will work on all this tonight.

  12. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    No problems, just let me know how it is later on
    I also forgot to mention that after Restart you can find this file and delete it: C:\WINDOWS\mark_32.dll

    Then run CCleaner again
  13. pnorton215

    pnorton215 TS Rookie Topic Starter Posts: 20

    OK, I did everything you said.


    I did everything you said and have attached the 2 logs. I have updated Malwarebytes and am running a scan now.

    Once I deleted that mark_32.dll using HJT, the system started running a lot better. Combofix said something about detecting a rootkit which I guess it fixed. My email is much faster as is my internet connection.

    Once I get the Malware scan done I will post that log to go along with the 2 I have attached to this post.



  14. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Un-install Combofix
    • Click START then RUN
    • Now type Combofix /uninstall in the runbox and click OK
    • Any popup errors about Antivirus just ok or close
    Note: 1 space after ComboFix in that uninstall command

    Uninstall SUPERAntispyware
    Start > Control Panel > Add/Remove Programs > SUPERAntispyware > Uninstall

    Update Java and remove older Java versions
    Run JavaRa
    This will remove all your old Java stuff (that is not required)
    It will also help you check for new Java updates Runtime updates
    Or just go here and auto check:

    Download and run TFC
    Your computer may need to Restart

    Clear & Reset System Restore's Cache
    Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 and then press Enter
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

    Restart, and let me know how it's performing
  15. pnorton215

    pnorton215 TS Rookie Topic Starter Posts: 20

    Ok, it looks to be fixed but...


    I have done everything you suggested and it looks as if the redirect issue is resolved so I owe you a big thank you.

    One thing I have noticed though is that while the PC is much faster now performing tasks such as running Word and other applications, the internet browsing is very slow.

    When I completed the first series of steps you suggested (the one that references the Hijack statement in the HJT file and ends with running ComboFix), the computer was very fast with respect to internet browsing and Outlook mail downloads. But, the next day I went and did the next steps you suggested (the ones that started with uninstalling ComboFix and Clearing and Resetting the System Restore Cache) and noticed that with respect to the Internet, the computer is once again real slow.

    Prior to doing the last set of steps (uninstall ComboFix and Reset Restore), I ran MalwareBytes, HijackThis and ComboFix again and have attached those logs here for you to look at.

    Also, I was not able to update Java since the internet connection was so slow, it would timeout during the download and never complete.

    As a test, I went and used my daughter's computer which shares the same internet connection as this one I am trying to clean up and her internet browsing is very fast so it does not appear to be a problem with the connection or ISP but rather my PC.

    Finally, I am using Avira Personal Edition as well as the free MalwareBytes. Should I upgrade to the premium versions? I don't mind spending the money if it is worth it.

    I no longer have Norton, Ad-Ware, or SuperAntivirus on the PC.

    Thanks for all your help.
  16. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  17. pnorton215

    pnorton215 TS Rookie Topic Starter Posts: 20

    Thanks, I will run both of these when I get home from work.

    FYI, I already ran the Norton tool earlier when you suggested it but will rerun it again.

  18. pnorton215

    pnorton215 TS Rookie Topic Starter Posts: 20

    OK, I ran the two uninstallers...

    The Norton uninstaller ran fine. The ZoneAlarm one didn't :-( and now I have no internet access because the network connection has stopped working. When I ran the cpes_clean.exe program, 2 popup windows were displayed:

    The first one:
    "Windows - No Disk
    Exception Processing Message C0000013. Parameters 75b6bf7c 75b6bf7c 75b6bf7c"

    The second one said:
    "cpes_clean.exe - Unable to locate component
    This application has failed to start because VSUTIL.dll was not found. Re-Installling the application may fix the problem"

    In addition, I ran a HJT scan and now this line appears in the output log:
    "O10 - Broken Internet access because of LSP provider 'c:\windows\system32\zonelabs\vetredir.dll' missing"

    I am not sure where to go from here. I attached the HJT log for you to see.

    Finally, to make a sad story even sadder, if I go to Add/Remove Programs, it now takes about 2 minutes for the list of installed programs to populate.
  19. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Um, did you have ZoneAlarm installed and then run the removal tool?
    I thought ZoneAlarm was already uninstalled?

    Anyway, you can either re-install ZoneAlarm, to then normally uninstall it again in Add/Remove Programs, and then Restart and then run the removal tool and then restart.

    Or just download Winsock Reset
    More info here on Winsock2:

    Run it, then restart, then test again

    Or both ;)


    And if that doesn't help, here's LSP-Fix Tool
  20. pnorton215

    pnorton215 TS Rookie Topic Starter Posts: 20

    Zone Alarm was already uninstalled but I thought I was supposed to run that removal tool anyway, unless I misread your post, which is possible.

    Anyway, I will do the steps you suggested and see how it works out.

  21. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    No you're right, I checked your logs, and ZoneAlarm was removed
    But there were still ZoneAlarm entries, hence why I posted the removal tool
    Maybe it initially didn't uninstall properly?
  22. pnorton215

    pnorton215 TS Rookie Topic Starter Posts: 20


    I ran the Winsock reset and got my network connection back but it is SSSSSLLLLLLOOOOOOWWWWWW. I know it's not my ISP, cable modem, etc. because my daughter's computer screams.

    I am not sure what ZA files you are referring to. I can't remember when I uninstalled ZA but it has been a few years. That version was ZoneAlarm Pro 4.

    I attached a new HJT log, there is an entry in there for "nvwiz.exe /install". This seems new.

    My network connection speed was very fast the other night prior to starting the steps that began with uninstalling ComboFix and ending with setting the restore points. I am not sure if that caused anything.

    Suggestions? I am open to all....

  23. AnonymousSurfer

    AnonymousSurfer TS Guru Posts: 451   +37

    This is off topic, but are you related to the creator of Norton Software? :D
  24. pnorton215

    pnorton215 TS Rookie Topic Starter Posts: 20

    I wish....but I am not.
  25. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    You have quite a number of Windows startups, actually you have 30 Startup programs. This is a lot
    And it can be any number of those programs, connecting or updating, or just running
    I've gone through the list of things to possibly remove without too much interference
    But that still leaves quite a lot
    These "04" entries in HJT can be selected then "Fix" by HJT, but the other many entries are all your programs starting
    It would be best to open the program itself, and find where it states start with Windows, and remove that setting (within the individual program itself)
    Your "daughters" computer would not have all this starting with Windows (nor would I)

    How much Ram did you say you have? I'm running 2 Gig of Ram on XP SP3, but then again I have 1 Startup only


    It is also possible that your ISP does require certain settings in your network settings, such as DNS entries
    You may want to contact them and confirm your Network settings are correct
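
Added example, not part of any post in this thread: a small Python triage of HijackThis log text that pulls out the entry types discussed above (O4 startup entries, the O10 broken-LSP line, and "(file missing)" entries). The sample log is constructed except for the O10 line quoted in post 18, and the function name `triage` is hypothetical.

```python
import re

# Constructed sample in HijackThis log format. Only the O10 line is
# quoted from the thread; every other entry is made up for illustration.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample)
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe"
O4 - HKCU\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe /min
O4 - Global Startup: Example Helper.lnk = C:\Program Files\Example\helper.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\zonelabs\vetredir.dll' missing
O23 - Service: Example Firewall (exfw) - Unknown owner - C:\WINDOWS\system32\Example\exfw.exe (file missing)
"""

# HijackThis prefixes each finding with a section code such as O4 or O10.
ENTRY = re.compile(r"^(O\d{1,2}) - (.*)$")
BROKEN_LSP = re.compile(
    r"^Broken Internet access because of LSP provider '([^']+)' missing$"
)


def triage(log_text):
    """Group the log lines a helper would look at first.

    startup      -> O4 entries (programs that start with Windows)
    broken_lsp   -> DLL paths named in O10 'Broken Internet access' lines
    file_missing -> any entry whose target is flagged '(file missing)'
    """
    report = {"startup": [], "broken_lsp": [], "file_missing": []}
    for raw in log_text.splitlines():
        match = ENTRY.match(raw.strip())
        if not match:
            continue  # header lines, blank lines, running-process list
        section, body = match.groups()
        if section == "O4":
            report["startup"].append(body)
        elif section == "O10":
            lsp = BROKEN_LSP.match(body)
            if lsp:
                report["broken_lsp"].append(lsp.group(1))
        if body.endswith("(file missing)"):
            report["file_missing"].append(raw.strip())
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("startup entries:", len(result["startup"]))
    print("broken LSP DLLs:", result["broken_lsp"])
    print("file-missing entries:", len(result["file_missing"]))
```

A non-empty `broken_lsp` list corresponds to the state in post 18, where the Winsock provider chain still points at a DLL that no longer exists and networking fails until the chain is reset.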
Topic Status:
Not open for further replies.
