Browsers cannot go to Google (HijackThis log included)

  1. #1
    i_ono (Newbie)

    Hi, I was advised by one of the moderators at the TechHelp forum to post here. I would be grateful if you could help me with the following problem:

    Operating System: XP Professional with Service Pack 2 (updated automatically)
    Internet Connection: ADSL
    Router: NETGEARWG602 v2 54Mbps Wireless Point

    For the last 2 days I have not been able to view google sites (co.uk, com, com.tr and other websites that use google search engine, links and/or google ads). Other websites work fine. The only Google sites I can view are Google Scholar and Google Groups.

    I don't get any error messages when this problem occurs. The browser tries to connect to Google forever. It says "Loading..." on the browser's tab with the loading icon spinning, and the message on the bottom bar says "waiting for www.google.co.uk". I tried accessing google with and without the http://.

    On some non-google sites that include google ads the page does not load at all and I get a continuous "Waiting for pagead2.googlesyndication.com..." message on the bottom bar of Firefox (I couldn't search the problem on this forum because of the same reason).

    I have tried connecting to Google with an HTTP proxy that a friend gave, just to test. With that method I can view the Google page, but it doesn't let me run a search, it just shows the main page.

    I first assumed that I might have changed something by accident during the clean-up, however another computer (laptop) in the house (but not networked) that uses the same wireless router is also having the same problem. We have re-set the wireless connection, set up the router from scratch. Nothing has changed. I use Mozilla Firefox but have tried accessing google on different browsers (IE7 and Netscape) and the same problem is happening. I couldn't see anything strange in hosts file, but I am not an expert.

    The information I gathered from the internet suggests that the browsers could be hijacked on google site. I run SpyBot, AdAware (found many adwares and tracking cookies as usual), AVG, Norton and HijackThis.

    I include the HijackThis log here.

    Many thanks in advance.


    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 18:49:09, on 18/04/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HiJackThis_v2.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/uk/bookmark/7_0/tnetscape.html"); (C:\Documents and Settings\ISIL\Application Data\Mozilla\Profiles\default\54m46v84.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_UK.src"); (C:\Documents and Settings\ISIL\Application Data\Mozilla\Profiles\default\54m46v84.slt\prefs.js)
    O1 - Hosts: 80.77.247.4 dev.tactual.org.uk
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.2.1P.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Sticky Pad] C:\Program Files\StickyPad\StickyPad.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_9 -reboot 1
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: NETGEAR WPN311 Smart Wizard.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1146053956562
    O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - https://a248.e.akamai.net/f/248/5462...l/SymDlBrg.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.EXE (file missing)
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
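
Added example (editorial, not part of either poster's message and not HijackThis's own code): a small Python triage of a log in the format above. It counts entries per section code, lists the O1 hosts-file mappings and checks whether any of them covers a Google name (the redirection that would match the symptom described), and pulls out entries marked `(no file)` or `(file missing)`. The sample lines are copied from the log above; the function names and the `watched_labels` parameter are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: a few lines copied from the log in post #1.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O1 - Hosts: 80.77.247.4 dev.tactual.org.uk
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.EXE (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
"""

# "<code> - <body>", e.g. "O1 - Hosts: ..."; process-list lines do not match.
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")
HOSTS = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_entries(text):
    """Return (section_code, body) for every HijackThis entry line."""
    return [m.groups() for m in map(ENTRY.match, text.splitlines()) if m]


def hosts_entries(entries):
    """O1 lines are hosts-file mappings: return (ip, hostname) pairs."""
    out = []
    for code, body in entries:
        m = HOSTS.match(body) if code == "O1" else None
        if m:
            out.append(m.groups())
    return out


def triage(text, watched_labels=("google", "googlesyndication")):
    """Summarise a log: section counts, hosts mappings, orphaned entries."""
    entries = parse_entries(text)
    hosts = hosts_entries(entries)
    watched = set(watched_labels)
    return {
        "sections": Counter(code for code, _ in entries),
        "hosts": hosts,
        # A hosts mapping whose name contains a watched DNS label would
        # explain a browser that cannot reach that site.
        "watched_redirects": [(ip, h) for ip, h in hosts
                              if set(h.lower().split(".")) & watched],
        # Registry entries whose target file no longer exists on disk.
        "orphaned": [(c, b) for c, b in entries if b.endswith(ORPHAN_MARKERS)],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("entries per section:", dict(report["sections"]))
    print("hosts mappings:", report["hosts"])
    print("mappings covering watched names:", report["watched_redirects"])
    for code, body in report["orphaned"]:
        print("orphaned:", code, body)
```
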


  2. #2
    VopThis (Senior Member, Canada)
    Nothing evident in the HijackThis LOG.


    Try producing a 'trace route' report such as the following:
    C:\WINDOWS\Profiles\_vop\Desktop>tracert www.google.co.uk

    Tracing route to www.l.google.com [64.233.161.104]
    over a maximum of 30 hops:

    1 1 ms 1 ms 1 ms 192.168.0.1
    2 53 ms 53 ms 52 ms hlfxns01bbf-142068192001.dhcp-dynamic.ns.aliant.net [142.68.192.1]
    3 56 ms 53 ms 54 ms alns-cr01-ge-9-2.aliant.net [142.166.182.130]
    4 56 ms 52 ms 55 ms alnb-cr01-pos-12-0.aliant.net [142.166.181.153]
    5 53 ms 53 ms 52 ms so-8-1.car2.Boston1.Level3.net [4.79.2.81]
    6 53 ms 56 ms 52 ms ae-5-5.ebr1.NewYork1.Level3.net [4.69.132.250]
    7 56 ms 52 ms 63 ms ae-3.ebr1.Washington1.Level3.net [4.69.132.89]
    8 53 ms 41 ms 43 ms ae-11-51.car1.Washington1.Level3.net [4.68.121.18]
    9 53 ms 104 ms 55 ms GOOGLE-INC.car1.Level3.net [4.79.228.38]
    10 53 ms 54 ms 52 ms 64.233.175.171
    11 54 ms 54 ms 54 ms 216.239.48.190
    12 56 ms 52 ms 56 ms www.l.google.com [64.233.161.104]

    Trace complete.
    NOTES:
    1) is my router address (yours should begin 192.... as well)
    2-4) are my ISP routing entries




    Go to the 'command' prompt:
    START>RUN>type CMD and hit enter key

    Copy & Paste, and Execute the following command (or similar):
    tracert www.google.co.uk

    Highlight and copy screen text:
    • Right click on the window and select 'mark'.
    • Highlight desired text.
    • Right click again and select 'copy'.
    • Paste those results into your response.

  3. #3
    i_ono (Newbie)
    Thank you so much for your reply. Here is the trace:


    Tracing route to www.l.google.com [66.102.9.147]
    over a maximum of 30 hops:

    1 2 ms <1 ms <1 ms 192.168.0.1
    2 12 ms 11 ms 11 ms 217.47.88.250
    3 11 ms 11 ms 11 ms 217.47.88.161
    4 19 ms 11 ms 20 ms 217.41.171.17
    5 13 ms 12 ms 11 ms 217.41.171.122
    6 12 ms 12 ms 12 ms 217.41.171.58
    7 11 ms 11 ms 11 ms 217.47.46.58
    8 12 ms 13 ms 10 ms core2-pos6-3.kingston.ukcore.bt.net [62.6.40.86]
    9 12 ms 15 ms 11 ms core2-pos13-3.ealing.ukcore.bt.net [62.6.201.101]
    10 12 ms 12 ms 12 ms core2-pos10-0.redbus.ukcore.bt.net [194.74.65.202]
    11 12 ms 13 ms 13 ms 194.74.65.38
    12 26 ms 14 ms 11 ms 72.14.238.244
    13 24 ms 32 ms 26 ms 66.249.95.107
    14 25 ms 24 ms 24 ms 72.14.232.233
    15 53 ms 30 ms 49 ms 72.14.232.239
    16 35 ms 36 ms 36 ms 64.233.174.18
    17 24 ms 24 ms 24 ms lm-in-f147.google.com [66.102.9.147]

    Trace complete.
    Last edited by i_ono; 19-04-2007 at 04:38 PM. Reason: line-breaks were messed up

  4. #4
    VopThis (Senior Member, Canada)
    It certainly reaches its intended valid location:

    http://www.siteadvisor.com/sites/66.102.9.147
    http://www.google.ca/search?hl=en&q=...=Google+Search



    At the command prompt can you get the same results as this:

    C:\WINDOWS\Profiles\_vop\Desktop>ping 66.102.9.147

    Pinging 66.102.9.147 with 32 bytes of data:

    Reply from 66.102.9.147: bytes=32 time=159ms TTL=234
    Reply from 66.102.9.147: bytes=32 time=120ms TTL=234
    Reply from 66.102.9.147: bytes=32 time=149ms TTL=234
    Reply from 66.102.9.147: bytes=32 time=150ms TTL=234

    Ping statistics for 66.102.9.147:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 120ms, Maximum = 159ms, Average = 144ms



    What happens if you try and browse to:

    www.google.ca

  5. #5
    i_ono (Newbie)
    Thanks again. Yes, I see the same result with Ping apart from TTL 234, I get 236.

    google.ca is having the same problem. There are a few more things I noticed since I posted this question. I wonder if they would help establishing any solution:

    - I tried accessing google sites with neighbour's wireless network. It works fine. The problem seems to be on our network.

    - I tried re-setting password, re-booting and re-establishing connections to the wireless router, nothing changed.

    - I cannot change anything on "Internet Gateway" as it is seen as a shared connection. Internet Connection Status disappears after a few seconds. I can't see what's going on there.

    - I tried to restore system to 3 days ago, but I get errors saying computer couldn't be restored to the restore points and nothing has been changed.

    - When I try to create a new wireless connection (because for some reason I can't delete the old one) I get a message asking whether I want to connect it to the XYZ network or not. (I've created that network months ago but never managed to use it) I can't delete it because I can't see it in the list.

    I hope I didn't complicate things with this extra information.

  6. #6
    i_ono (Newbie)
    hmmm.. that's strange. I wonder if one of the random things I've tried actually worked. Google is working now, so are the other addresses that have google ads. How strange. I hope it will stay this way.

    Thank you so much for your help.
