TechSpot

Searches redirected/internet slow

By bjacobsonny
Apr 24, 2009
Topic Status:
Not open for further replies.
  1. Hello,
    I've been having trouble with my computer the last couple weeks. First I noticed that webpages were loading slower than usual. Then I found that clicking on links provided in Google search results often would not take me to the intended page but to someother commercial site. Finally, I found that my AVG free anti-virus software was no longer able to automatically update.

    I've followed the 8 step removal instructions and attached the requested logs. I would very much appreciate any further guidance that could be provided.

    Thanks,
    Brian

    Attached Files:

  2. B00kWyrm

    B00kWyrm TechSpot Paladin Posts: 1,550   +18

    AVG and P2P detected - Go Back to the start of the 8 steps.

    Hello "Sonny":wave:
    Go back to the top... start again with the 8 steps...

    It is not that other AV software is "bad" per se...
    just that the one's recommended are among the very best and their results (success) very predictable. So
    After you have diligently followed the 8 steps as posted, repost your logs.
    This will mean getting rid of your P2P Software. :suspiciou
    Read the 8 steps, and look at the recommended resources if you have questions.

    I will be gone for a few days now. Hopefully by the time I get back others will have helped you get this all sorted out. :D
  3. bjacobsonny

    bjacobsonny TS Rookie Topic Starter Posts: 33

    Thanks for your reply. I've followed your instruction and redone the 8 steps. I've attached the 3 logs as well as a log created by Avira. I think I've removed all the P2P, please let me know I've missed something. Also, an additional symptom is Mozilla crashing every once in a while. This never occurred before a couple weeks ago.
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Some of the slowness can be attributed to unnecessary processes loading on boot and running in the background. For Example: CyberLink DVD Launcher, Quicktime, iTunes, Adobe Reader, Java, Lexmark (printer) processes and some others. None of these needs to start on boot and can be launched Manually when needed.

    As mentioned, the use of BitTorrent file sharing will not only use resources but also put the system at risk for malware.
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

    Mbam found and deleted processes for Spyware.StolenData which is 'new' malware, having first been seen on 2009-03-08- a good example for always updating before running security scans!

    Remove bad HijackThis entries
    Run HijackThis
    • Click on the System Scan Onlyy button
    • Put a check beside all of the items listed below (if present):
    Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.

    Boot into Safe Mode:
    Right click on Start> Run> msconfig> enter> Selective Startup> Startup Menu> UNCHECK the following:
    This choice is yours. However I strongly suggest UNINSTALLING all of these:
    Control Panel> Add/Remove Programs>
    Right click on Start> Explore> Windows> System 32> do a right click> delete on these files if present:
    Rebot the system into Normal Mode. Ignore the nag message and close after clicking 'don't show message again'. Stay in Selective Startup.

    For the Firefox/Redirect:
    Part 1 - The Scan

    • Please download GooredFix and save it to your Desktop.
    • Double-click Goored.exe to run it.
      • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
      • A log will open which you can just close. The log file is named Goored.txt and is on your Desktop.
    • Please attach the Goored.txt log to your next reply
    • Note: Do not run Option #2 yet until a helper asks you to do so.

    Rescan with HijackThis when finished with Goored. Attach both logs. Depending on what the log entries show, I will give you the Goored Fix" if applicable.
  5. bjacobsonny

    bjacobsonny TS Rookie Topic Starter Posts: 33

    Thanks, Bobbye.

    I have followed your instructions and attached the logs. One issue I had was in trying to uninstall the Weather Channel app. In Add/Remove Programs I attempted to remove Desktop Weather by The Weather Channel . When I click remove, Wise Installation Wizard starts up, it appears as if the program is uninstalling but afterward it remains on the list.

    Another issue is that Avira is unable to update itself. When I try to do an automatic update I get an error message reading "An error occurred during the file download." I've attached the log from Avira with the details. I am able to manually update.

    Also, an additional symptom that has just started is that I am unable to open any links on the Yahoo homepage in Firefox. It appears that only Yahoo is affected.

    Thanks again for your help!
  6. bjacobsonny

    bjacobsonny TS Rookie Topic Starter Posts: 33

    Can any one help me with a follow up on Bobbye's last instructions? Thanks in advance!

    Brian
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Failed Avira Update:
    I am confident that this was a server problem at that time.

    Here is the rest of Goored Fix:

    Part 2 - The Fix

    You should print these instructions because all Firefox browsers MUST be closed before running the fix.
    • Please double-click Goored.exe on your Desktop to run it.
      • Select 2. Fix Goored by typing 2 and pressing Enter.
      • Make sure all instances of Firefox are closed at this point.
      • Type Y at the prompt and press Enter again.
      • A log will open which you can just close. The log file is named Goored.txt and is on your Desktop.
    • Now rerun Firefox and please attach the new Goored.txt log to your next reply

    Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

    For the Desktop Weather: Try this:
    " I seem to be unable to uninstall Desktop Weather from my computer. What can I do?"
    From that point you will be able to proceed as normal with the uninstall.

    When you have finished with the programs, make sure Firefox is set as the default browser:
    Tools> Options> Advanced> System Defaults> CHECK 'always check to see if Firefox is the default browser> Check now.

    Re-scan with HJ when through. Attach report and log. We'll remove a couple of entries if still in HJ. Let me know if Firefox is worked as it should.
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Which instruction?
  9. bjacobsonny

    bjacobsonny TS Rookie Topic Starter Posts: 33

    Thanks for the reply. My last post was just asking for the next step, which you just provided.

    I've attached the requested logs. Searches in Firefox seems to be working correctly now. Also, I was able to fully uninstall Desktop Weather with your instructions. Thank you!!!

    Regarding Avira updates, I have tried several times over the past couple of days to automatically update without any success. This leads me to believe that it may not be a server problem. Also, links in the Yahoo! homepage are still unresponsive.
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, There are only 2 entries in the HJ log to check for removal:

    Run HJ This> System Scan Only> Check these processes-if present:
    Close all Windows and email except HJ This
    Ckick on Fix Checked. Close program wehn through.[/QUOTE]

    Regarding this:
    Explain 'fail'> what specifically happen when you click on a link? Is it only the lonk on the Yahoo page that isn't linking?

    Excerpt fro Avira Forums re: this failed update:
    update failed!


    The failure report is fairly typical of what has been happening.

    "I" have returned the configuration settings to default position."
    The only other "odd" behaviour from my PC is that IE7 often fails to connect to my homepage first attempt. Sometines it does but most often it needs refreshing to connect. This behaviour probably began before the update issues.

    Suggestion:
    Please delete C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\UPDATE, TEMP, IDX, BACKUP
    Above assist found in Avira Forum

    Please keep me posted with the outcome. We have fixed the redirect problem, yes?
    And you are going to tell me what happen when you click on the links, right?
    (the same problem is happening to other Avira users regarding the updates..)
  11. bjacobsonny

    bjacobsonny TS Rookie Topic Starter Posts: 33

    Bobbeye,

    The redirect problem does seem to be solved. I've run a dozen or so searches and had no redirect problems since applying the fix. However, Firefox is still crashing on occassion.

    As for Yahoo!, many of the links on the homepage (excluding the ads) do not work. Nothing at all happens when they are clicked. It appears the browser tries to connect to the links for less than a second, and then nothing happens. The homepage remains on the screen. I can see the correct URLs at the bottom of the browser in the status bar when the mouse is placed over the links, but the browser does not seem able to load them.

    Also, I've followed your instructions with regard to the Avira update issues, but the problem has persisted. I read the entire Avira forum thread from you which quoted and found no other workable solutions. I don't know if this will help with the diagnosis, but I was having the same problem automatically updating the AVG anti-virus which I previously had installed. Again, this problem first appeared a couple of weeks ago, at the same time as the redirect problem. Prior to that the AVG automatic updates had no problems.
     
  12. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    kimsland, the user said that a manual update can be done. It's the auto-update feature that is the problem.
    Post #5:
    bjacobsonny, if you give me a couple of the links on your homepage that don't work, I'll check them and see if I can spot a potential problem.
    Regarding the update reference to AVG: yes, when they went to v8, people began having the update problems, although it had also happened to previous versions. I'm wondering if more people are now using Avira and their servers are getting overloaded!
  14. bjacobsonny

    bjacobsonny TS Rookie Topic Starter Posts: 33

    Kimsland, I have already previously run the AVG remover.

    Bobbeye, the affected links are all links along the left side of the screen listing the different Yahoo! features, as well any items in the "featured" box up top in the middle of the screen and the news links below. Also, the link to get to Yahoo! mail does not work. A specific link that does not work is http://www.yahoo.com/s/1064171 which should be opening up a news story.
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I don't see any indication of AVG after you removed it.

    Here's my adventure!
    Link you gave: http://www.yahoo.com/s/1064171
    opens to:
    Consumer confidence soars in April
    http://news.yahoo.com/s/ap/20090428/ap_on_bi_ge/us_economy>> this has time and date of:
    By ANNE D'INNOCENZIO, AP Retail Writer Anne D'innocenzio, Ap Retail Writer – 2 hrs 11 mins ago

    If I start here:
    http://my.yahoo.com/ >> then choose>> Top Stories from AP>> then Consumer confidence soars in April "- "
    The URL shows as: http://news.yahoo.com/s/ap/20090428/ap_on_bi_ge/us_economy_8 >> this has headline time and date of:
    By ANNE D'INNOCENZIO, AP Retail Writer Anne D'innocenzio, Ap Retail Writer – Tue Apr 28, 11:12 am ET

    My Yahoo mail screen has:
    Consumer confidence soars in April (AP) >> which links to same
    By ANNE D'INNOCENZIO, AP Retail Writer Anne D'innocenzio, Ap Retail Writer – 2 hrs 13 mins ago

    Paste this in your address bar: http://news.yahoo.com/s/ap/20090428/ap_on_bi_ge/us_economy

    IF these links work for you:
    Run a disc cleanup removing any temporary internet files, Cookies and temp files.
    Delete any Bookmark, Cookie or shortcut for both Yahoo Mail and the Homepage. Reset the homepage and see if it will bring up the links now.
    -------------------------------------------------------------------
    B00kWyrm, I think you are too new and a bit out of line telling someone to do this:
    >> followed with uninstall instructions. Then you go on to say:
  16. bjacobsonny

    bjacobsonny TS Rookie Topic Starter Posts: 33

    All the links in your last post did work for me. I followed your instructions the but the Yahoo! homepage still is not working. I have now just changed my homepage in firefox to mail.yahoo.com and am able to directly access my email that way.
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Have you tried resetting the homepage? If not, do that, but type URL in Address Bar. When you get the page: Tools> Internet options> General tab> Homepage section> check 'use current'.

    People have complained about strange Yahoo problems over the years. I think it's an "ever-evolving site"! After you try the resetting, please run one more HijackThis scan for review. If clean, we'll remove the cleaning tools and set new, clean restore points.

    Sorry for the delay- I am 2 days behind in everything!
  18. bjacobsonny

    bjacobsonny TS Rookie Topic Starter Posts: 33

    I updated Avira today (manually again, auto updates still have not worked for me) and the scanner began to alert me that it was finding a virus. It classifies the virus as "TR/Agent.its Trojan" and it is found in the file c:\windows\xpfxw.mrh. The virus alert comes up repeatedly and it seems every time the virus is either deleted or quarantined it reappears in the same location. I now select "deny access" whenever the warning comes up. It seems that this corrected many of the problems I was having including the dead links on Yahoo!. Is there a way I can permanently get rid of this virus? I've attached the latest Hijackthis log.

    No worries about the delay. I really appreciate all the guidance you've given me and the time you've spent helping.
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    A VDF (Virus Definition File) file was published on Tue, 14 Apr 2009 19:48 (GMT+2) by Avira. It contained a definition for several different Agent.mrh. This malware is classified as • DR/PSW. This would be a Trojan Dropper, Password stealer to the best of my knowledge.

    1. Be sure that Avira is currently updated and that the definition date is AFTER 14 April, 2009. Rescan, quarantine, then delete, reboot.
    2. Start> Search> go to Tools> Folder Options> View tab> CHECK 'show hidden files and folders'> Apply> OK.
    Run an Avira scan and let me know the results.

    I would also like you to run Combfix to make sure the P2P files have been removed:

    Please download ComboFix HERE
    With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    Also disable your internet connection.

    • Run Combo-Fix.exe and follow the prompts.
    When finished, rescan with HijackThis.
    Attach new HJ log, Combofix report and AV scan if any malware is found.
  20. bjacobsonny

    bjacobsonny TS Rookie Topic Starter Posts: 33

    Avira scan found two things which were quarantined than deleted. Attached are requested logs. It seems that ALL issues have been resolved (including Avira automatic updates)!! Please let me know what I need to do to finish up. Thank you so much for all your help!
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Almost through:
    [/QUOTE]
    There are 2 files still showing up in the Combofix report:
    Looks like you still have the Google Quick Search> it created a new entry. It is Shared Dictionary Compression over HTTP (SDCH) Google opensource project.
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

    You can read up on it here: http://groups.google.com/group/SDCH

    We can remove the cleaning program now and set a new, clean restore point:

    Download OTCleanIt HERE & save it to your desktop.
    Clear your existing System Restore points and establish a new clean restore point:
  22. bjacobsonny

    bjacobsonny TS Rookie Topic Starter Posts: 33

    One last question. My system is still set to selective startup. Am I supposed to switch back to normal startup mode now that everything has been repaired?
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    No, leave it in Selective Startup. That's how you retain the changes you've made. If you return to 'Normal' startup, the changes will go back.

    I configure my systems the day I get them. I remove everything from starting up except my antivirus program, touchpad for laptop and network process. If I had a third party firewall like ZoneAlarm, I would also leave it on startup> nothing else. Currently I have one system that has been on Selective startup for 6 years and another for 3 years. Both have always worked well.

    Once you check 'don't show this message again' when you reboot after making changes, you should not be bothered again. But any time go back using msconfig to change the Startup, the message displays> that's why we call it a "nag" message!
  24. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    I've mentioned this tool a number of times, so I'll just quote myself:
    I don't like any extra entries in Startup files, including MSconfig in diagnostic mode

    To avoid placing MSconfig in Diagnostic mode ever again, you can run this widely accepted tool: (note: I've mentioned this one a thousand times ;)
  25. bjacobsonny

    bjacobsonny TS Rookie Topic Starter Posts: 33

    Great! Thank you so much for all your help. My computer is now running smoothly!
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.