TechSpot

Google Redirecting/General Slowness

By ksoggie
Mar 8, 2009
  1. I have completed the 8 steps and am still having trouble with Google redirecting my searches to various spam sites, as well as other search engines like Yahoo! and MSN. I'm also having general slowness with the computer. I've heard the Google Redirecting Virus (if that's what it is) can also prevent you from updating programs but so far I haven't had any problem updating. I've completed all 8 steps and here are my logs. Your help would be greatly appreciated! :) I'm running Windows XP Pro.
     

  2. AurelloSoft

    AurelloSoft TS Rookie Posts: 30

    Here's my opinion about your log file.

    * Please note that I am only offering an opinion. Any decisions you choose to make are being done at your own risk, and Aurellosoft Computer Security does not take any responsibility for your actions. *

    Things that look suspicious:
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll


    Junk Entries:
    (Can be removed)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    I also noticed an LSP entry.
    You may want to try running this program from www.cexx.org:
    http://www.cexx.org/LSPFix.exe

    Additionally, you have this entry; I'm unsure whether you chose the homepage or not.
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.awesomestart.com/bones/
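
The triage in the post above can be expressed as a small rule set over HijackThis entry codes. This is an added example, not code from any poster or from HijackThis itself; the verdict names (`orphan`, `review`, `confirm`) and the rules are assumptions that mirror the opinions given in this thread, and the sample input is the set of entries quoted in it.

```python
import re

# HijackThis prefixes each entry with a section code (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2})\s+-\s+(.+)$")

# Entries quoted in this thread, used as sample input.
SAMPLE_LOG = r"""
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.awesomestart.com/bones/
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""


def classify(code, detail):
    """Return (verdict, reason) for one parsed entry. Rules are illustrative."""
    low = detail.lower()
    if low.rstrip().endswith("(no file)"):
        return "orphan", "registry entry points at a file that no longer exists"
    if code == "O10" and "unknown file in winsock lsp" in low:
        return "review", "unrecognised LSP; not fixable in HijackThis (thread uses LSPFix)"
    if code == "O6":
        return "review", "IE options restricted by policy; verify who set it"
    if code in ("R0", "R1") and "start page" in low:
        return "confirm", "ask the user whether they chose this home page"
    return "unclassified", "no rule matched; needs a human reader"


def triage(log_text):
    """Parse a HijackThis log and return (code, verdict, reason) per entry."""
    results = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header lines, process list, blank lines
        verdict, reason = classify(m.group(1), m.group(2))
        results.append((m.group(1), verdict, reason))
    return results


if __name__ == "__main__":
    for code, verdict, reason in triage(SAMPLE_LOG):
        print(f"{code:4} {verdict:12} {reason}")
```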
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, let's get started. We'll take care of the updates:

    Update Java:
    Update Adobe:
    Please re-open HiJackThis> Click on the System Scan Only button> Put a check beside all of the items listed below (if present):
    Regarding the following entry:
    The following entry will be handled separately:
    · Close all open windows and browsers/email, etc...
    · Click on the "Fix Checked" button
    · When completed, close the application.

    Run LSPFix for :
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll>> Client Service for NetWare
    Can I Remove NWPROVAU.DLL From the Hijackthis log?

    The answer to this question will depend on what you are doing. If your computer is connected to a Netware network, you should leave the file and entry intact. If, however, you find this log entry on a standalone computer or a personal computer that is NOT using Netware then you can for all practical purposes remove the file.

    You cannot remove this entry by using Hijackthis, you must download LSPFix and use it to remove the NWPROVAU protocol. To do this, follow these directions.

    1) Click on the link HERE to download LSPFix to your desktop.
    2) Once the exe file is on your desktop, double-click on it to open.
    3) In the left hand column, you should see the NWPROVAU.DLL file listed. Click on it to highlight, then click the arrow in the middle of the screen that points to the right.

    This will move the filename to the right-hand column labeled Remove.

    NOTE: If the arrow is greyed out and does not allow you to click it, you need to check the box above labeled "I know what I'm doing"

    4) Once the file has been transferred to the Remove column, click Finish at the bottom of the screen. You'll be presented with a results screen showing the file was removed from the Winsock layer entries in the registry. Close the LSPFix program now.

    5) Run HijackThis and the entry for NWPROVAU.DLL should now be gone from the list.

    Attach new HijackThis log when finished.

    Nice job Aurello Soft!
     
  4. AurelloSoft

    AurelloSoft TS Rookie Posts: 30

    Thanks for noticing our efforts!

    We're a non-profit company, so it's hard sometimes, but we try our best to keep computer security free.

    Respectfully,
    AurelloSoft Computer Security
     
  5. ksoggie

    ksoggie TS Rookie Topic Starter

    Thank you both so much for your help! I have done everything you mentioned and here is the requested log.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    AurelloSoft, okay to help. Best to not reference your company though.

    Good job! Looking better, but still some things to deal with:

    This was to be checked for removal:
    O3 - Toolbar: (no name) - {F661BA6B-FAF4-4165-A701-F65A7585AC91} - (no file)
    Did you include it in the removals from HijackThis? If Yes, we need to look further for the infection. If No, include it in the entries below for removal and we'll see if that handles it:

    * Run HijackThis
    * Click on the System Scan Only button
    * Put a check beside all of the items listed below (if present):
    * Close all open windows and browsers/email, etc...
    * Click on the "Fix Checked" button
    * Boot into Safe Mode

    For this entry: O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    Start> Run> services.msc> Right click on JavaQuickStarterService> Properties> Change Startup type to Disabled> Stop the Service

    Control Panel> Java> Update tab> UNCHECK 'check automatically for updates'> Choose Yes when asked to confirm> Apply> OK

    Reboot into Normal Mode. Run new HijackThis scan and attach log.

    The Java entries are legitimate, but you don't need any of them running and using resources. Java will work fine without them.
     
  7. ksoggie

    ksoggie TS Rookie Topic Starter

    I really thought I checked and double checked to make sure I had all the entries you mentioned checked, but it's entirely possible that I didn't include it. :eek: Here's the new log.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Great- it's gone! So I don't think it's an issue.

    Your log is clean, looks good. How is the system running? Are you still experiencing any of this> "Google Redirecting/General Slowness?"

    I found one other time saver you might be interested in. If you use Spysweeper as an 'on demand' scanner, rather than having it always running in the background, you can do this:

    The #6 engine in Spy Sweeper 6 has a 'self protection (SPS)' process:
    C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
    There is also a Service for this:
    O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

    Some users were complaining that they should be able to control this if they only used SS on demand. Earlier versions, v5.5, v5.9 allow the control but v6 did not. Users finally got replies to their emails from Spysweeper with instructions on how to do it on v6:
    Normal function would be to Disable the Service and take it off of Startup, but v6 doesn't allow that, so this is the work around. I leave this entirely up to you. Some don't want anything running that they do not need and it makes a difference whether you run SS all the time or just on demand.

    Source: http://www.wilderssecurity.com/showthread.php?t=223603

    IF the original problems have been resolved, you can remove the cleaning tools and old restore points:
    Removing the tools:
    Clear your existing System Restore points and establish a new clean restore point:
    Please let me know if I can be of more help.

    A comment about 'general slowness':
    The only processes that NEED to start on boot and run in the background are:
    1. Antivirus program
    2. Firewall if using third party firewall.
    3. Touchpad if on laptop.
    4. Network process if on network.

    So you could take the following off of Startup with no problem- keep in mind that everything that starts on boot runs in the background the entire time:
    The above show as O4 entries in the HijackThis log. They can be taken off of Startup this way:
    Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK each entry> Apply> OK.

    NOTE: on the first reboot after changing the startups, you will get a nag message that can be ignored and closed after checking 'don't show this message again.' Stay in Selective Startup.
     
  9. ksoggie

    ksoggie TS Rookie Topic Starter

    I am still experiencing the Google redirect problem, but other than that my system is running noticeably better. Thanks for all the pointers! Spysweeper has been my primary Spyware program and I've always had it running, but since it didn't catch whatever the problem was in the first place, perhaps I should reconsider that. Are there any programs that you feel protect better that you could recommend?
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, don't remove the cleaning programs yet. I am not seeing any entries that point to the Google redirect problem. SAS found and removed Adware.MyWebSearch/FunWebProducts and there are no entries showing in the HijackThis log. Adware.CoolWebSearch is another program that redirects your Internet Explorer searches, but I don't see any evidence of it.

    I think these malware programs are all being included in the 'Google Redirect' category.

    Run ComboFix and let's see if we can find it:

    Please download ComboFix here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix.
    There are screen shots to take you through so you know what to expect.

    With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    Also disable your internet connection.


    • Run Combo-Fix.exe and follow the prompts.
    Combofix is a general tool that helps the helper cleaning up a Hijackthis log.
    It is able to remove some common infections and helps a user detect files that general scanners cannot find.
    It also lists registry keys such as the key keys, the desktop keys, and other areas where malware hide.
    The tool has some rootkit detectors too, allowing a helper to see if a rootkit is present on the PC.

    Also, please run the Kaspersky Online scan:
    Open Kaspersky Online Scanner in Internet Explorer HERE
    When finished, run new scan with HijackThis- attach that log, the Kaspersky file and the ComboFix report.


    One user gave this description of the Google Redirect:
    You mention the following:
    A Google redirect is going to take you to trash sites- not another legit search engine.
     
  11. ksoggie

    ksoggie TS Rookie Topic Starter

    Ok I ran Combo Fix, and now I'm running the Kaspersky Online Scanner, which is taking a VERY long time. Been running nearly 14 hours and it's only 53% done. :dead: So would you like to go ahead and look at the Combo Fix report first?
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    IF you can edit your reply, okay to attach the ComboFix report. If not, wait and put them both in a new reply.
     
  13. ksoggie

    ksoggie TS Rookie Topic Starter

    Alright, everything finally finished. Here are the logs/reports.

    EDIT: I don't know what did it, but I'm no longer having any problems. Thanks so much for your help!
     
Topic Status:
Not open for further replies.
