Google Redirecting/General Slowness


ksoggie

I have completed the 8 steps and am still having trouble with Google redirecting my searches to various spam sites, as well as other search engines like Yahoo! and MSN. I'm also having general slowness with the computer. I've heard the Google Redirecting Virus (if that's what it is) can also prevent you from updating programs but so far I haven't had any problem updating. I've completed all 8 steps and here are my logs. Your help would be greatly appreciated! :) I'm running Windows XP Pro.
 

Attachment: hijackthis.log
Here's my opinion about your log file.

* Please note that I am only offering an opinion. Any decisions you choose to make are being done at your own risk, and Aurellosoft Computer Security does not take any responsibility for your actions. *

Things that look suspicious:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll


Junk Entries:
(Can be removed)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

I also noticed an LSP entry. You may want to try running this program from www.cexx.org:
http://www.cexx.org/LSPFix.exe

Additionally, you have this entry which I'm unsure if you chose the homepage or not.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.awesomestart.com/bones/
 
Okay, let's get started. We'll take care of the updates first:

Update Java:
Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses so I strongly recommend you update. Click here to download the latest version of java ( Java Runtime Environment (JRE) 6.0 Update 12 ): http://java.com/en/download/manual.jsp
Please install it and then reboot your computer.

Remove the older versions of Java:
1. Click Start, Control Panel, Add/Remove Programs.
2. Delete all Java updates except J2SE Runtime Environment 6.0 Update 12.

Update Adobe:
Your Adobe Reader is out of date. Vulnerabilities can be exploited. Click here to download the latest version v9: https://www.techspot.com/downloads/2083-adobe-reader-dc.html
OR
Install the FoxIt Reader: this does the same thing as Adobe, but doesn’t have the bloat: http://www.foxitsoftware.com/pdf/rd_intro.php

Uninstall any earlier versions of Adobe.
Please re-open HiJackThis> Click on the System Scan Only button> Put a check beside all of the items listed below (if present):
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [UserFaultCheck] "C:\WINDOWS\system32\dumprep.exe" 0 -u
Regarding the following entry: unless you have the Spybot Search & Destroy option "Lock homepages from changes" active, or your system administrator put this into place, have HijackThis fix it:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
The following entry will be handled separately:
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll>> Client Service for NetWare
(Interesting Start Page! Since it is entirely customizable, I cannot determine if it is 'safe.'
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.awesomestart.com/bones/)

· Close all open windows and browsers/email, etc...
· Click on the "Fix Checked" button
· When completed, close the application.

Run LSPFix for :
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll>> Client Service for NetWare
Can I Remove NWPROVAU.DLL From the Hijackthis log?

The answer to this question will depend on what you are doing. If your computer is connected to a Netware network, you should leave the file and entry intact. If, however, you find this log entry on a standalone computer or a personal computer that is NOT using Netware then you can for all practical purposes remove the file.

You cannot remove this entry by using Hijackthis, you must download LSPFix and use it to remove the NWPROVAU protocol. To do this, follow these directions.

1) Click on the link HERE to download LSPFix to your desktop.
2) Once the exe file is on your desktop, double-click on it to open
3) In the left hand column, you should see the NWPROVAU.DLL file listed. Click on it to highlight, then click the arrow in the middle of the screen that points to the right

This will move the filename to the right-hand column labeled Remove

NOTE: If the arrow is greyed out and does not allow you to click it, you need to check the box above labeled "I know what I'm doing"

4) Once the file has been transferred to the Remove column, click Finish at the bottom of the screen. You'll be presented with a results screen showing the file was removed from the Winsock layer entries in the registry. Close the LSPFix program now.

5) Run HijackThis and the entry for NWPROVAU.DLL should now be gone from the list.

Attach new HijackThis log when finished.
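As an added illustration (not code from this thread, HijackThis or TechSpot), here is a small Python triage script that applies the rules the helpers used above to sample log lines constructed from the entries quoted in this thread; the verdict names are invented for the example.

```python
import re

# Constructed sample entries, modelled on the HijackThis lines quoted in this thread.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.awesomestart.com/bones/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\\..\\Run: [UserFaultCheck] "C:\\WINDOWS\\system32\\dumprep.exe" 0 -u
O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions present
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\nwprovau.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\\Program Files\\Java\\jre6\\bin\\jqs.exe
"""

# A HijackThis entry is "<section code> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2})\s+-\s+(?P<body>.*)$")


def triage_line(line):
    """Return (code, verdict, reason) for one log line, or None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if body.endswith("(no file)"):
        # Orphaned BHO/toolbar/search-hook registrations: the DLL is gone, the key remains.
        return (code, "remove", "orphaned entry, no file on disk")
    if code == "O6":
        return (code, "review", "IE Restrictions policy; fix unless set by admin or Spybot lock")
    if code == "O10":
        return (code, "lspfix", "unknown Winsock LSP; handle with LSPFix, not HijackThis")
    if code == "R0":
        return (code, "confirm", "start page is user-customisable; confirm the user chose it")
    if code == "O4" and "dumprep.exe" in body.lower():
        return (code, "remove", "Windows XP dump-reporting tool; not needed at startup")
    return (code, "keep", "no rule matched")


def triage_log(text):
    """Triage every entry line of a log; returns a list of (code, verdict, reason)."""
    return [r for r in (triage_line(ln) for ln in text.splitlines()) if r]


if __name__ == "__main__":
    for code, verdict, reason in triage_log(SAMPLE_LOG):
        print(f"{code:<4} {verdict:<8} {reason}")
```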

Nice job Aurello Soft!
 
Thanks for noticing our efforts!

We're a non profit company, so It's hard sometimes, but we try our best to keep computer security free.

Respectfully,
AurelloSoft Computer Security
 
Thank you both so much for your help! I have done everything you mentioned and here is the requested log.
 
AurelloSoft, okay to help. Best to not reference your company though.

Good job! Looking better, but still some things to deal with:

This was to be checked for removal:
O3 - Toolbar: (no name) - {F661BA6B-FAF4-4165-A701-F65A7585AC91} - (no file)
Did you include it in the removals from HijackThis? If Yes, we need to look further for the infection. If No, include it in the entries below for removal and we'll see of that handles it:

* Run HijackThis
* Click on the System Scan Only button
* Put a check beside all of the items listed below (if present):
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {F661BA6B-FAF4-4165-A701-F65A7585AC91} - (no file)>> (Trojan.FakeAlert)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

* Close all open windows and browsers/email, etc...
* Click on the "Fix Checked" button
* Boot into Safe Mode

For this entry: O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
Start> Run> services.msc> Right click on JavaQuickStarterService> Properties> Change Startup type to Disabled> Stop the Service

Control Panel> Java> Update tab> UNCHECK 'check automatically for updates'> Choose Yes when asked to confirm> Apply> OK

Reboot into NormalMode. Run new HijackThis scan and attach log.

The Java entries are legitimate, but you don't need any of them running and using resources. Java will work fine without them.
 
I really thought I checked and double checked to make sure I had all the entries you mentioned checked, but it's entirely possible that I didn't include it. :eek: Here's the new log.
 
Great- it's gone! So I don't think it's an issue.

Your log is clean, looks good. How is the system running? Are you still experiencing any of this> "Google Redirecting/General Slowness?"

I found one other time saver you might be interested in. If you use Spysweeper as an 'on demand' scanner, rather than having it always running in the background, you can do this:

The #6 engine in Spy Sweeper 6 has a 'self protection (SPS)' process:
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
There is also a Service for this:
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

Some users were complaining that they should be able to control this if they only used SS on demand. Earlier versions, v5.5 and v5.9, allow the control but v6 did not. Users finally got replies to their emails from Spysweeper with instructions on how to do it on v6:
Disabling SPS on Spy Sweeper 6?

The new controls for the hidden settings are CTRL + ALT + SHIFT + S.

Also, the new process WrConsumerService.exe takes care of the updates from the Webroot server. But if SS is only used on demand, the updates can be done right before each scan.

Normal function would be to Disable the Service and take it off of Startup, but v6 doesn't allow that, so this is the work around. I leave this entirely up to you. Some don't want anything running that they do not need and it makes a difference whether you run SS all the time or just on demand.

Source: http://www.wilderssecurity.com/showthread.php?t=223603

IF the original problems have been resolved, you can remove the cleaning tools and old restore points:
Removing the tools:
Download OTCleanIt HERE and save it to your desktop.
Double click on OTCleanIt.exe.
Click on CleanUp!.
It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).
You will receive a prompt that it needs to restart the computer to remove the files>
Click Yes.
It will restart your computer automatically. If it doesn't, please restart your computer manually.
Clear your existing System Restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
* Next, go to Start > Run and type in cleanmgr
"Ensure the selection is on C:\ and click on OK"-
* Select the *More options* tab
* Choose the option to clean up System Restore and OK it.
* This will remove all restore points except the new one you just created.

Please let me know if I can be of more help.

A comment about 'general slowness':
The only processes that NEED to start on boot and run in the background are:
1. Antivirus program
2. Firewall if using third party firewall.
3. Touchpad if on laptop.
4. Network process if on network.

So you could take the following off of Startup with no problem. Keep in mind that everything that starts on boot runs in the background the entire time:
1. Adobe Reader Speed Launcher
2. Windows Media Player
3. [PCTVOICE]> pctspk.exe> this is used for modems based upon PC-TEL chipsets. Normally used for some Voice and Speakerphone functions and also for some Power management options. It is known as a high resource user and doesn't need to start on boot.
4. [hplampc]> HP Scanner Lamp Utility - fixes an issue with the scanner lamp not going off.
The above show as O4 entries in the HijackThis log. They can be taken off of Startup this way:
Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK each entry> Apply> OK.

NOTE: on the first reboot after changing the startups, you will get a nag message that can be ignored and closed after checking 'don't show this message again.' Stay in Selective Startup.
 
I am still experiencing the Google redirect problem, but other than that my system is running noticeably better. Thanks for all the pointers! Spysweeper has been my primary Spyware program and I've always had it running, but since it didn't catch whatever the problem was in the first place, perhaps I should reconsider that. Are there any programs that you feel protect better that you could recommend?
 
Okay, don't remove the cleaning programs yet. I am not seeing any entries that point to the Google redirect problem. SAS found and removed Adware.MyWebSearch/FunWebProducts and there are no entries showing in the HijackThis log. Adware.CoolWebSearch is another program that redirects your Internet Explorer searches, but I don't see any evidence of it.

I think these malware programs are all being included in the 'Google Redirect' category.

Run ComboFix and let's see if we can find it:

Please download ComboFix here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix.
There are screen shots to take you through so you know what to expect.

With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

Please disable all security programs, such as antiviruses, antispywares, and firewalls.
Also disable your internet connection.


• Run Combo-Fix.exe and follow the prompts.
**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be completed.
• If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
ComboFix is a general tool that helps the helper clean up a HijackThis log.
It is able to remove some common infections and helps a user detect files that general scanners cannot find.
It also lists registry keys such as the key keys, the desktop keys, and other areas where malware hide.
The tool has some rootkit detectors too, allowing a helper to see if a rootkit is present on the PC.

Also, please run the Kaspersky Online scan:
Open Kaspersky Online Scanner in Internet Explorer HERE
* Click Accept and the web scanner will begin to load
* If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
* You will be prompted to install an ActiveX component from Kaspersky, click Install
* If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT and then Scan Settings
* In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
o Scan Options:
Scan Archives
Scan Mail Bases
* Click OK
* Now under select a target to scan:
Select My Computer
* The program will start to scan your system.
* Once the scan is complete, click on the Save as Text button and save the file to your desktop

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
When finished, run new scan with HijackThis- attach that log, the Kaspersky file and the ComboFix report.


One user gave this description of the Google Redirect:
The redirect always starts with a 20x.xxx.xx.xx/x/?= (with the "x" being different numbers) and ends with a long string of gibberish. I don't ever go to any site; I get a failure to connect message or the browser window shuts down. I noticed this is happening in Google, Yahoo and MSN searches.

You mention the following:
as well as other search engines like Yahoo! and MSN.
A Google redirect is going to take you to trash sites- not another legit search engine.
 
Ok I ran Combo Fix, and now I'm running the Kaspersky Online Scanner, which is taking a VERY long time. Been running nearly 14 hours and it's only 53% done. :dead: So would you like to go ahead and look at the Combo Fix report first?
 
IF you can edit your reply, okay to attach the ComboFix report. If not, wait and put them both in a new reply.
 
Alright, everything finally finished. Here are the logs/reports.

EDIT: I don't know what did it, but I'm no longer having any problems. Thanks so much for your help!
 