Searches redirected/internet slow

Status
Not open for further replies.

bjacobsonny

Posts: 33   +0
Hello,
I've been having trouble with my computer the last couple weeks. First I noticed that webpages were loading slower than usual. Then I found that clicking on links provided in Google search results often would not take me to the intended page but to some other commercial site. Finally, I found that my AVG free anti-virus software was no longer able to automatically update.

I've followed the 8 step removal instructions and attached the requested logs. I would very much appreciate any further guidance that could be provided.

Thanks,
Brian
 

Attachments

  • hijackthis.log
    9.9 KB · Views: 7
AVG and P2P detected - Go Back to the start of the 8 steps.

Hello "Sonny":wave:
Go back to the top... start again with the 8 steps...

It is not that other AV software is "bad" per se...
just that the ones recommended are among the very best and their results (success) very predictable. So
Uninstall your AVG Antivirus
Then run the removal tool (http://www.grisoft.cz/filedir/util/a...avgremover.exe)
Here is the 32Bit version (*most users*): http://www.avg.com/filedir/util/avg_...avgremover.exe
Here is the 64Bit version: http://www.avg.com/filedir/util/avg_...removerx64.exe
Restart
Install Avira (http://www.free-av.com/en/download/1...antivirus.html) free AntiVirus

After you have diligently followed the 8 steps as posted, repost your logs.
This will mean getting rid of your P2P Software.
Read the 8 steps, and look at the recommended resources if you have questions.

I will be gone for a few days now. Hopefully by the time I get back others will have helped you get this all sorted out. :D
 
Thanks for your reply. I've followed your instruction and redone the 8 steps. I've attached the 3 logs as well as a log created by Avira. I think I've removed all the P2P, please let me know if I've missed something. Also, an additional symptom is Mozilla crashing every once in a while. This never occurred before a couple weeks ago.
 
First I noticed that webpages were loading slower than usual.

Some of the slowness can be attributed to unnecessary processes loading on boot and running in the background. For example: CyberLink DVD Launcher, Quicktime, iTunes, Adobe Reader, Java, Lexmark (printer) processes and some others. None of these needs to start on boot; they can be launched manually when needed.

As mentioned, the use of BitTorrent file sharing will not only use resources but also put the system at risk for malware.
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

Mbam found and deleted processes for Spyware.StolenData which is 'new' malware, having first been seen on 2009-03-08, a good example for always updating before running security scans!

Remove bad HijackThis entries
Run HijackThis
• Click on the System Scan Only button
• Put a check beside all of the items listed below (if present):
O2 - BHO: Google Audio Helper - {134F1731-860D-4C51-AEFD-D768AAF3FEEF} - %SystemRoot%\system32\apphelpf6.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
Close all open windows and browsers/email, etc...
• Click on the "Fix Checked" button
• When completed, close the application.

Boot into Safe Mode:
* Restart your computer and start pressing the F8 key on your keyboard.
* Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
Right click on Start> Run> msconfig> enter> Selective Startup> Startup Menu> UNCHECK the following:
BitTorrent
The Weather Channel
Adobe Reader
Poker Stars entries
Then Apply> OK
This choice is yours. However I strongly suggest UNINSTALLING all of these:
Control Panel> Add/Remove Programs>
BitTorrent
Weather Channel
Poker Stars
Right click on Start> Explore> Windows> System 32> do a right click> delete on these files if present:
lowsec
local.ds
user.ds

Reboot the system into Normal Mode. Ignore the nag message and close after clicking 'don't show message again'. Stay in Selective Startup.

For the Firefox/Redirect:
Part 1 - The Scan

  • Please download GooredFix and save it to your Desktop.
  • Double-click Goored.exe to run it.
    • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
    • A log will open which you can just close. The log file is named Goored.txt and is on your Desktop.
  • Please attach the Goored.txt log to your next reply
  • Note: Do not run Option #2 yet until a helper asks you to do so.

Rescan with HijackThis when finished with Goored. Attach both logs. Depending on what the log entries show, I will give you the Goored Fix if applicable.
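As an added illustration that is not part of this thread and not code from the HijackThis tool, here is a small Python triage script for HijackThis log lines of the kinds quoted above (O2, O4, O9 and, later in the thread, O18). It separates entries whose target file no longer exists (safe to fix), entries whose launch path matches the P2P markers named in this thread (uninstall rather than merely untick), and live browser add-ons that deserve a look, from ordinary startup entries. The sample log embeds the entries quoted in this thread plus one constructed benign O4 line; the Avira tray program path in that line is an assumption made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample HijackThis entries quoted in this thread, plus one constructed
# benign O4 line (the Avira tray program path is an assumption).
SAMPLE_LOG = r"""
O2 - BHO: Google Audio Helper - {134F1731-860D-4C51-AEFD-D768AAF3FEEF} - %SystemRoot%\system32\apphelpf6.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
"""

# Lower-case substrings of launch paths that this thread identified as P2P
# software to remove; extend for your own environment.
P2P_MARKERS = ("bittorrent", "btdna")

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# A drive-letter or %VAR%-rooted path ending in .exe/.dll (lazy, stops at first match)
PATH_RE = re.compile(r'((?:[A-Za-z]:|%[A-Za-z]+%)\\[^"\r\n]*?\.(?:exe|dll))', re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Finding:
    section: str          # O2, O4, O9, O18 ...
    raw: str              # the original log line
    path: Optional[str]   # file the entry points at, if any
    clsid: Optional[str]  # COM class id for BHO / button / filter entries
    verdict: str          # "orphaned", "p2p", "review" or "keep"
    reason: str


def classify(line: str) -> Optional[Finding]:
    """Turn one HijackThis log line into a Finding; None if it is not an O-entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    path_m = PATH_RE.search(body)
    path = path_m.group(1) if path_m else None
    clsid_m = CLSID_RE.search(body)
    clsid = clsid_m.group(0) if clsid_m else None

    if body.endswith("(no file)") or body.endswith("(file missing)"):
        verdict, reason = "orphaned", "registry entry points at a file that no longer exists"
    elif path and any(k in path.lower() for k in P2P_MARKERS):
        verdict, reason = "p2p", "P2P client launched at logon; uninstall rather than just unticking"
    elif section in ("O2", "O9", "O18"):
        verdict, reason = "review", "browser add-on/filter with a live DLL; confirm it is wanted"
    else:
        verdict, reason = "keep", "ordinary startup entry; untick in msconfig if not needed"
    return Finding(section, line.strip(), path, clsid, verdict, reason)


def triage(log_text: str) -> List[Finding]:
    """Classify every O-entry in a log and order them by how much attention they need."""
    findings = [f for f in (classify(l) for l in log_text.splitlines()) if f]
    order = {"p2p": 0, "orphaned": 1, "review": 2, "keep": 3}
    return sorted(findings, key=lambda f: order[f.verdict])


def fix_list(findings: List[Finding]) -> List[str]:
    """The lines a helper would tell the user to tick under 'Fix checked'."""
    return [f.raw for f in findings if f.verdict in ("orphaned", "p2p")]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.verdict:8}] {f.section} {f.path or f.clsid or ''} :: {f.reason}")
```

Running it prints the P2P launcher first, then the three orphaned entries, then the SDCH filter for review, and the two plain startup entries last; `fix_list()` returns the four lines a helper would have the user tick. A file that exists is not evidence of legitimacy, so the "review" verdict is deliberately a prompt to check the DLL, not a pass.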
 
Thanks, Bobbye.

I have followed your instructions and attached the logs. One issue I had was in trying to uninstall the Weather Channel app. In Add/Remove Programs I attempted to remove Desktop Weather by The Weather Channel. When I click remove, Wise Installation Wizard starts up, it appears as if the program is uninstalling but afterward it remains on the list.

Another issue is that Avira is unable to update itself. When I try to do an automatic update I get an error message reading "An error occurred during the file download." I've attached the log from Avira with the details. I am able to manually update.

Also, an additional symptom that has just started is that I am unable to open any links on the Yahoo homepage in Firefox. It appears that only Yahoo is affected.

Thanks again for your help!
 
Failed Avira Update:
Okay, the HTTP Status Code 403 means: 403 Forbidden>> but it is not the same code that means you're 'forbidden' even with authorization.
The request was a legal request, but the server is refusing to respond to it.
The reason given was: An error occurred inside the WinINet library.

This IP 'http://62.146.66.181/update/idx/master.idx' is for the Avira site in Germany,
So is this: 'http://80.190.143.230/update/idx/master.idx'

And at the end it says this: No other server available.
[UPD] [ERROR] Generation of update structure failed. UpdateLib delivers error 8.
I am confident that this was a server problem at that time.

Here is the rest of Goored Fix:

Part 2 - The Fix

You should print these instructions because all Firefox browsers MUST be closed before running the fix.
  • Please double-click Goored.exe on your Desktop to run it.
    • Select 2. Fix Goored by typing 2 and pressing Enter.
    • Make sure all instances of Firefox are closed at this point.
    • Type Y at the prompt and press Enter again.
    • A log will open which you can just close. The log file is named Goored.txt and is on your Desktop.
  • Now rerun Firefox and please attach the new Goored.txt log to your next reply

Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

For the Desktop Weather: Try this:
" I seem to be unable to uninstall Desktop Weather from my computer. What can I do?"

This is a known issue with the product, and will be resolved in a forthcoming release.
Copying the UNWISE.EXE from the Framework folder to the Desktop Weather folder will resolve this issue. The steps are as follows:

1. Right click on Start> Explore> Programs
2. Scroll down to The Weather Channel FW folder and double click to expand the view.
3. Double click on the Framework folder to display the contents.
4. Right click on "UNWISE.EXE" and on the pop-up menu click on COPY.
5. Go to the tool bar on the window and click the Back button.
6. In that window right mouse click on the "Desktop Weather" folder and in the pop-up menu click on PASTE.
From that point you will be able to proceed as normal with the uninstall.

When you have finished with the programs, make sure Firefox is set as the default browser:
Tools> Options> Advanced> System Defaults> CHECK 'always check to see if Firefox is the default browser'> Check now.

Re-scan with HJ when through. Attach report and log. We'll remove a couple of entries if still in HJ. Let me know if Firefox is working as it should.
 
Thanks for the reply. My last post was just asking for the next step, which you just provided.

I've attached the requested logs. Searches in Firefox seem to be working correctly now. Also, I was able to fully uninstall Desktop Weather with your instructions. Thank you!!!

Regarding Avira updates, I have tried several times over the past couple of days to automatically update without any success. This leads me to believe that it may not be a server problem. Also, links in the Yahoo! homepage are still unresponsive.
 
Okay, There are only 2 entries in the HJ log to check for removal:

Run HJ This> System Scan Only> Check these processes, if present:
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - Global Startup: Digital Line Detect.lnk = ?
Close all Windows and email except HJ This
Click on Fix Checked. Close program when through.

Regarding this:
links in the Yahoo! homepage are still unresponsive.

Explain 'fail'> what specifically happens when you click on a link? Is it only the link on the Yahoo page that isn't linking?

Excerpt from Avira Forums re: this failed update:
update failed!

The failure report is fairly typical of what has been happening.

"I have returned the configuration settings to default position."
The only other "odd" behaviour from my PC is that IE7 often fails to connect to my homepage first attempt. Sometimes it does but most often it needs refreshing to connect. This behaviour probably began before the update issues.

The only common entry is your connection WinINet and my understanding is that WinInet limits the number of connections that it makes to a single HTTP server.
And if you exceed this limit, the requests are blocked until one of the current connections has completed.
Suggestion:
Please delete C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\UPDATE, TEMP, IDX, BACKUP
Above assist found in Avira Forum

Please keep me posted with the outcome. We have fixed the redirect problem, yes?
And you are going to tell me what happens when you click on the links, right?
(the same problem is happening to other Avira users regarding the updates..)
 
Bobbye,

The redirect problem does seem to be solved. I've run a dozen or so searches and had no redirect problems since applying the fix. However, Firefox is still crashing on occasion.

As for Yahoo!, many of the links on the homepage (excluding the ads) do not work. Nothing at all happens when they are clicked. It appears the browser tries to connect to the links for less than a second, and then nothing happens. The homepage remains on the screen. I can see the correct URLs at the bottom of the browser in the status bar when the mouse is placed over the links, but the browser does not seem able to load them.

Also, I've followed your instructions with regard to the Avira update issues, but the problem has persisted. I read the entire Avira forum thread from which you quoted and found no other workable solutions. I don't know if this will help with the diagnosis, but I was having the same problem automatically updating the AVG anti-virus which I previously had installed. Again, this problem first appeared a couple of weeks ago, at the same time as the redirect problem. Prior to that the AVG automatic updates had no problems.
 
kimsland, the user said that a manual update can be done. It's the auto-update feature that is the problem.
Post #5:
I am able to manually update.

bjacobsonny, if you give me a couple of the links on your homepage that don't work, I'll check them and see if I can spot a potential problem.
Regarding the update reference to AVG: yes, when they went to v8, people began having the update problems, although it had also happened to previous versions. I'm wondering if more people are now using Avira and their servers are getting overloaded!
 
Kimsland, I have already previously run the AVG remover.

Bobbye, the affected links are all links along the left side of the screen listing the different Yahoo! features, as well as any items in the "featured" box up top in the middle of the screen and the news links below. Also, the link to get to Yahoo! mail does not work. A specific link that does not work is http://www.yahoo.com/s/1064171 which should be opening up a news story.
 
I don't see any indication of AVG after you removed it.

Here's my adventure!
Link you gave: http://www.yahoo.com/s/1064171
opens to:
Consumer confidence soars in April
http://news.yahoo.com/s/ap/20090428/ap_on_bi_ge/us_economy>> this has time and date of:
By ANNE D'INNOCENZIO, AP Retail Writer Anne D'innocenzio, Ap Retail Writer – 2 hrs 11 mins ago

If I start here:
http://my.yahoo.com/ >> then choose>> Top Stories from AP>> then Consumer confidence soars in April "- "
The URL shows as: http://news.yahoo.com/s/ap/20090428/ap_on_bi_ge/us_economy_8 >> this has headline time and date of:
By ANNE D'INNOCENZIO, AP Retail Writer Anne D'innocenzio, Ap Retail Writer – Tue Apr 28, 11:12 am ET

My Yahoo mail screen has:
Consumer confidence soars in April (AP) >> which links to same
By ANNE D'INNOCENZIO, AP Retail Writer Anne D'innocenzio, Ap Retail Writer – 2 hrs 13 mins ago

Paste this in your address bar: http://news.yahoo.com/s/ap/20090428/ap_on_bi_ge/us_economy

IF these links work for you:
Run a disc cleanup removing any temporary internet files, Cookies and temp files.
Delete any Bookmark, Cookie or shortcut for both Yahoo Mail and the Homepage. Reset the homepage and see if it will bring up the links now.
-------------------------------------------------------------------
B00kWyrm, I think you are too new and a bit out of line telling someone to do this:
Hello "Sonny"
Go back to the top... start again with the 8 steps...
It is not that other AV software is "bad" per se...
just that the one's recommended are among the very best and their results (success) very predictable. So
>> followed with uninstall instructions. Then you go on to say:
After you have diligently followed the 8 steps as posted, repost your logs.
This will mean getting rid of your P2P Software.
Read the 8 steps, and look at the recommended resources if you have questions.

I will be gone for a few days now. Hopefully by the time I get back others will have helped you get this all sorted out.
 
All the links in your last post did work for me. I followed your instructions but the Yahoo! homepage is still not working. I have now just changed my homepage in Firefox to mail.yahoo.com and am able to directly access my email that way.
 
Have you tried resetting the homepage? If not, do that, but type URL in Address Bar. When you get the page: Tools> Internet options> General tab> Homepage section> check 'use current'.

People have complained about strange Yahoo problems over the years. I think it's an "ever-evolving site"! After you try the resetting, please run one more HijackThis scan for review. If clean, we'll remove the cleaning tools and set new, clean restore points.

Sorry for the delay- I am 2 days behind in everything!
 
I updated Avira today (manually again, auto updates still have not worked for me) and the scanner began to alert me that it was finding a virus. It classifies the virus as "TR/Agent.its Trojan" and it is found in the file c:\windows\xpfxw.mrh. The virus alert comes up repeatedly and it seems every time the virus is either deleted or quarantined it reappears in the same location. I now select "deny access" whenever the warning comes up. It seems that this corrected many of the problems I was having including the dead links on Yahoo!. Is there a way I can permanently get rid of this virus? I've attached the latest Hijackthis log.

No worries about the delay. I really appreciate all the guidance you've given me and the time you've spent helping.
 
A VDF (Virus Definition File) file was published on Tue, 14 Apr 2009 19:48 (GMT+2) by Avira. It contained a definition for several different Agent.mrh. This malware is classified as DR/PSW. This would be a Trojan Dropper, Password stealer to the best of my knowledge.

1. Be sure that Avira is currently updated and that the definition date is AFTER 14 April, 2009. Rescan, quarantine, then delete, reboot.
2. Start> Search> go to Tools> Folder Options> View tab> CHECK 'show hidden files and folders'> Apply> OK.
Type the file name xpfxw.mrh. Do a right click> delete on any files found.
If there are none with both xpfxw AND mrh> search again using only xpfxw> right click> Delete any files found.

A NOTE about the search: make sure the spelling of xpfxw is absolutely correct.

Go back to Tools> Folder Options> View tab> UNCHECK 'show hidden files and folders'> Apply> OK.
Run an Avira scan and let me know the results.

I would also like you to run ComboFix to make sure the P2P files have been removed:

Please download ComboFix HERE
With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

Please disable all security programs, such as antiviruses, antispywares, and firewalls.
Also disable your internet connection.

• Run Combo-Fix.exe and follow the prompts.
**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be completed.
• If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

When finished, rescan with HijackThis.
Attach new HJ log, Combofix report and AV scan if any malware is found.
 
Avira scan found two things which were quarantined then deleted. Attached are requested logs. It seems that ALL issues have been resolved (including Avira automatic updates)!! Please let me know what I need to do to finish up. Thank you so much for all your help!
 
Almost through:
There are 2 files still showing up in the Combofix report:
2009-04-24 14:27 . 2006-07-22 22:45 -------- d-----w c:\program files\BitTorrent
2009-04-13 02:05 . 2006-11-16 22:59 -------- d-----w c:\program files\PokerStars

I recommend searching and deleting all entries to either and uninstalling if still on Add/Remove Programs in Control Panel.

Looks like you still have the Google Quick Search> it created a new entry. It is Shared Dictionary Compression over HTTP (SDCH) Google opensource project.
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

You can read up on it here: http://groups.google.com/group/SDCH

We can remove the cleaning program now and set a new, clean restore point:

Download OTCleanIt HERE & save it to your desktop.
Double click on OTCleanIt.exe.
Click on CleanUp!.
It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).
You will receive a prompt that it needs to restart the computer to remove the files>
Click Yes.
It will restart your computer automatically. If it doesn't, please restart your computer manually.
Clear your existing System Restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
* Next, go to Start > Run and type in cleanmgr
"Ensure the selection is on C:\ and click on OK"-
* Select the *More options* tab
* Choose the option to clean up System Restore and OK it.
* This will remove all restore points except the new one you just created.
 
One last question. My system is still set to selective startup. Am I supposed to switch back to normal startup mode now that everything has been repaired?
 
No, leave it in Selective Startup. That's how you retain the changes you've made. If you return to 'Normal' startup, the changes will go back.

I configure my systems the day I get them. I remove everything from starting up except my antivirus program, touchpad for laptop and network process. If I had a third party firewall like ZoneAlarm, I would also leave it on startup> nothing else. Currently I have one system that has been on Selective startup for 6 years and another for 3 years. Both have always worked well.

Once you check 'don't show this message again' when you reboot after making changes, you should not be bothered again. But any time you go back using msconfig to change the Startup, the message displays> that's why we call it a "nag" message!
 
I've mentioned this tool a number of times, so I'll just quote myself:
Note: if you have previously deselected any entries in MSConfig, you can use the MSConfig Cleanup Utility (which is free also :) )
I don't like any extra entries in Startup files, including MSconfig in diagnostic mode

To avoid placing MSconfig in Diagnostic mode ever again, you can run this widely accepted tool: (note: I've mentioned this one a thousand times ;) )
Run Startup Control Panel and remove any not required startups
 