Google Redirect and the 8 step process

Status
Not open for further replies.

pnorton215

Hello,

I am having a problem with redirection whenever I click on a search result in Google (or Yahoo for that matter). Most of the time I get redirected to a different website and it takes me 4-5 tries to finally get to the correct website. I am also experiencing popups in IE to other non-related websites as well. This happens using Firefox in addition to IE.

I ran the 8-step process outlined on these forums and have attached the 3 log files that were identified in the 8 step process: SuperAntispyware, MalwareBytes, and HijackThis.

The MalwareBytes and SuperAntiSpyware scans found nothing according to the logs. I am not sure what the HijackThis log tells me.

This is a real annoying problem that I somehow need to get to the bottom of and would appreciate any help or guidance in fixing it.


Thanks
Phil
 

It's looking pretty sad :(

I'd recommend uninstalling Norton, since you have Avira already installed.

And you really need to update Malwarebytes and run a quick scan (as per the guide)

There are many issues in your logs, but we at least have to get you to do a full updated scan with Avira and Malwarebytes
Then you can fix those 01 entries in the HJT log as well (there is lots more)
 
Great...

I am doing as you suggested. I notice that I have MalwareBytes v1.42, which is the latest version I see on their website. Is there a newer version available elsewhere?

Thanks
Phil
 
Yes Phil there is

It's hidden from users such as you (and many others I might add ;))

Just update Malwarebytes and you shall see that it tries (and hopefully successfully) updates

FYI Malwarebytes is presently: Database version 3326

Note: "UPDATE" is done in the program itself ;)
 
Well, you are right. I updated it like you said and it's now 3326. I will run MalwareBytes and then Avira and post the logs.

Thanks in advance for any and all help you can/are providing.
 
I'll try, but I might be offline at times (as most know, not for very long)

I tend to be straight up front, so take it with a grain of salt and follow the pointers if you can
Then we'll both be happy :) ie everything is solvable one way or another
 
Ok, I did as you said...

Kimsland,

I have updated my Avira and MalwareBytes and re-ran the scans as you suggested. I also re-ran HijackThis. I have attached all three logs. Avira did find TR/Dropper.Gen.

I noticed that I still had an unwanted popup when navigating to this site so something is still up.

Thanks for any suggestions you may offer.

Phil
 
Hi Phil

Well you're still infected :(

Also, at the time of you running Malwarebytes, it had updated, actually it has updated twice since your scan (I think possibly even before scanning)
As it's only a very quick scan, I suggest you update it again (within the program) and run another quick scan, although it may not find anything.


Please run HJT Scan Only and tick the box in the following entry
Before selecting FIX, close all Internet browsers, then select FIX :)
O18 - Filter hijack: text/html - {1f2670fb-dedd-4cdb-b7b0-c48b42ddabc9} - C:\WINDOWS\mark_32.dll
Your ZoneAlarm firewall has a couple of issues too.
The "file missing" entries mean that ZoneAlarm may be corrupt (not that uncommon for this application). Info (only) supplied below
O23 - Service: CA ISafe (CAISafe) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\isafe.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
Here's what I suggest you do ;)

Restart, so as we can have Windows running without the above Trojan (mark_32.dll) running too
Then go to Control Panel > Add/Remove Programs
And uninstall the following:
  • ZoneAlarm
  • Ad-aware
  • Symantec
  • SUPERAntispyware
  • Diskeeper (if you don't use this anymore)
Then download the Norton Removal Tool: ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe
And run it, then Restart again


Combofix:
  • Download Combofix to your desktop.
  • Disable your Antivirus (as Combofix will remove any found malwares)
  • Double click ComboFix & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here
Also restart and then provide a fresh HJT Scan log


2 Attachments required, unless you also want to supply the Malwarebytes attachment too (making 3 ;))
 
No problems, just let me know how it is later on
I also forgot to mention that after Restart you can find this file and delete it: C:\WINDOWS\mark_32.dll

Then run CCleaner again
 
OK, I did everything you said.

kimsland,

I did everything you said and have attached the 2 logs. I have updated Malwarebytes and am running a scan now.

Once I deleted that mark_32.dll using HJT, the system started running a lot better. Combofix said something about detecting a rootkit which I guess it fixed. My email is much faster as is my internet connection.

Once I get the Malware scan done I will post that log to go along with the 2 I have attached to this post.

Thanks!!!!
Phil
 

Un-install Combofix
  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK
  • Any popup errors about Antivirus just ok or close
Note: 1 space after ComboFix in that uninstall command



Uninstall SUPERAntispyware
Start > Control Panel > Add/Remove Programs > SUPERAntispyware > Uninstall



Update Java and remove older Java versions
Run JavaRa
This will remove all your old Java stuff (that is not required)
It will also help you check for new Java Runtime updates
Or just go here and auto check: http://java.com/en/download/installed.jsp?detect=jre&try=1



Download and run TFC http://oldtimer.geekstogo.com/TFC.exe
Your computer may need to Restart



Clear & Reset System Restore's Cache
Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 and then press Enter
  • Tick on the checkbox - Turn off System Restore on all drives
  • Click Apply
Turn it back 'On' by unticking the same checkbox & click Apply, and then OK


Restart, and let me know how it's performing
 
Ok, it looks to be fixed but...

Kimsland,

I have done everything you suggested and it looks as if the redirect issue is resolved so I owe you a big thank you.

One thing I have noticed though is that while the PC is much faster now performing tasks such as running Word and other applications, the internet browsing is very slow.

When I completed the first series of steps you suggested (the one that references the Hijack statement in the HJT file and ends with running ComboFix), the computer was very fast with respect to internet browsing and Outlook mail downloads. But, the next day I went and did the next steps you suggested (the ones that started with uninstalling ComboFix and Clearing and Resetting the System Restore Cache) and noticed that with respect to the Internet, the computer is once again real slow.

Prior to doing the last set of steps (uninstall ComboFix and Reset Restore), I ran MalwareBytes, HijackThis and ComboFix again and have attached those logs here for you to look at.

Also, I was not able to update Java since the internet connection was so slow, it would timeout during the download and never complete.

As a test, I went and used my daughter's computer which shares the same internet connection as this one I am trying to clean up and her internet browsing is very fast so it does not appear to be a problem with the connection or ISP but rather my PC.

Finally, I am using Avira Personal Edition as well as the free MalwareBytes. Should I upgrade to the premium versions? I don't mind spending the money if it is worth it.

I no longer have Norton, Ad-Ware, or SuperAntivirus on the PC.

Thanks for all your help.
Phil
 
Thanks, I will run both of these when I get home from work.

FYI, I already ran the Norton tool earlier when you suggested it but will rerun it again.

Thanks
Phil
 
OK, I ran the two uninstallers...

The Norton uninstaller ran fine. The ZoneAlarm one didn't :-( and now I have no internet access because the network connection has stopped working. When I ran the cpes_clean.exe program, 2 popup windows were displayed:

The first one:
"Windows - No Disk
Exception Processing Message C0000013. Parameters 75b6bf7c 75b6bf7c 75b6bf7c"

The second one said:
"cpes_clean.exe - Unable to locate component
This application has failed to start because VSUTIL.dll was not found. Re-Installling the application may fix the problem"

In addition, I ran a HJT scan and now this line appears in the output log:
"O10 - Broken Internet access because of LSP provider 'c:\windows\system32\zonelabs\vetredir.dll' missing"

I am not sure where to go from here. I attached the HJT log for you to see.

Finally, to make a sad story even sadder, if I go to Add/Remove Programs, it now takes about 2 minutes for the list of installed programs to populate.
 
Um, did you have ZoneAlarm installed and then run the removal tool?
I thought ZoneAlarm was already uninstalled?

Anyway, you can either re-install ZoneAlarm, to then normally uninstall it again in Add/Remove Programs, and then Restart and then run the removal tool and then restart.

Or just download Winsock Reset http://go.microsoft.com/?linkid=9662461
More info here on Winsock2: http://support.microsoft.com/kb/811259

Run it, then restart, then test again

Or both ;)

EDIT

And if that doesn't help, here's LSP-Fix Tool
 
Zone Alarm was already uninstalled but I thought I was supposed to run that removal tool anyway, unless I misread your post, which is possible.

Anyway, I will do the steps you suggested and see how it works out.

Thanks
Phil
 
No you're right, I checked your logs, and ZoneAlarm was removed
But there were still ZoneAlarm entries, hence why I posted the removal tool
Maybe it initially didn't uninstall properly?
 
Kimsland,

I ran the Winsock reset and got my network connection back but it is SSSSSLLLLLLOOOOOOWWWWWW. I know it's not my ISP, cable modem, etc. because my daughter's computer screams.

I am not sure what ZA files you are referring to. I can't remember when I uninstalled ZA but it has been a few years. That version was ZoneAlarm Pro 4.

I attached a new HJT log, there is an entry in there for "nvwiz.exe /install". This seems new.

My network connection speed was very fast the other night prior to starting the steps that began with uninstalling ComboFix and ending with setting the restore points. I am not sure if that caused anything.

Suggestions? I am open to all....

Thanks
Phil
 
I ran the Winsock reset and got my network connection back but it is SSSSSLLLLLLOOOOOOWWWWWW. I know it's not my ISP, cable modem, etc. because my daughter's computer screams.
You have quite a number of Windows startups, actually you have 30 Startup programs. This is a lot
And it can be any number of those programs, connecting or updating, or just running
I've gone through the list of things to possibly remove without too much interference
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Adobe\PhotoShop\Extras\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

But that still leaves quite a lot
These "O4" entries in HJT can be selected then "Fix" by HJT, but the other many entries are all your programs starting
It would be best to open the program itself, and find where it states start with Windows, and remove that setting (within the individual program itself)
Your "daughters" computer would not have all this starting with Windows (nor would I)

How much Ram did you say you have? I'm running 2 Gig of Ram on XP SP3, but then again I have 1 Startup only

EDIT

It is also possible that your ISP does require certain settings in your network settings, such as DNS entries
You may want to contact them and confirm your Network settings are correct
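
Added example, not part of any post in this thread: a small Python triage pass over HijackThis-style entry lines, labelling the same patterns the helper pointed out by hand (the O18 filter hijack, O23 services whose file is missing, the O10 missing LSP provider) and counting O4 startup entries. The sample lines are copied from the posts above; the function names and labels are assumptions made for this illustration.

```python
import re

# Constructed sample: entry lines copied from the posts above, not a full log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - Startup: PowerReg Scheduler V3.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\zonelabs\vetredir.dll' missing
O18 - Filter hijack: text/html - {1f2670fb-dedd-4cdb-b7b0-c48b42ddabc9} - C:\WINDOWS\mark_32.dll
O23 - Service: CA ISafe (CAISafe) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\isafe.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
MISSING_SUFFIX = " (file missing)"

def parse_entries(log_text):
    """Return (section, body) for each 'Xn - ...' entry; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries

def triage(entries):
    """Label only the entry patterns called out in this thread, with the file path."""
    findings = []
    for section, body in entries:
        if section == "O18" and body.startswith("Filter hijack:"):
            # The last ' - ' field is the file the filter entry points to.
            findings.append(("filter-hijack", body.rsplit(" - ", 1)[-1]))
        elif section == "O23" and body.endswith(MISSING_SUFFIX):
            path = body.rsplit(" - ", 1)[-1][:-len(MISSING_SUFFIX)]
            findings.append(("service-file-missing", path))
        elif section == "O10" and body.endswith("missing") and body.count("'") >= 2:
            findings.append(("lsp-missing", body.split("'")[1]))
    return findings

def startup_count(entries):
    """Number of O4 (autostart) entries, the figure discussed in the last post."""
    return sum(1 for section, _ in entries if section == "O4")

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for label, path in triage(parsed):
        print(f"{label:22} {path}")
    print("O4 startup entries:", startup_count(parsed))
```

The labels only restate what the log line itself reports; whether a flagged file is malicious still has to be decided by inspecting it, as was done for mark_32.dll above.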
 