Redirects

I completed the 8 steps. It really helped, but still get redirected frequently and many pages simply will not load. I'm using IE7, until I can disable the proxy server in Firefox 3.0.

One deviation from the 8 steps is that I used McAfee, which comes from my ISP, rather than Avira. I couldn't find a log for McAfee.

I hope someone has time to look.
 
Concerned about a few things, did you set these?

Code:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

All of these are malware:

Code:
O4 - HKUS\S-1-5-18\..\Run: [SYS32DLL] SYS32DLL (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\yyrgppw7lx.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [nzdflkioezncfiunfindiuchiuenfcdc] C:\WINDOWS\TEMP\yyrgppw7lx.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [SYS32DLL] SYS32DLL (User 'Default user')Unknown

Please download ComboFix from the link in my signature and put it on your desktop. Then open up notepad and paste the following:

Code:
Killall::

Snapshot::

File::
C:\windows\system32\SYS32DLL.exe
C:\WINDOWS\TEMP\yyrgppw7lx.exe

Then, save the file also to the desktop as cfscript.txt, and drag it onto the cat icon as shown. Please do not click on the main window, as it could cause a stall.

You should also go into Hijackthis and tick the first two things I mentioned (if you didn't set them), and click fix after doing combofix.

After doing those things, please restart, and upload the ComboFix and a new HijackThis log taken after the restart.
 
kel, I'm going to intervene here and make this suggestion. First, you can't run CFFix without running Combofix first, so please skip that for now.

Open HijackThis to do system scan only

Put a check by each of the following entries - complete all entries before clicking on Fix Checked:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=presario&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [SYS32DLL] SYS32DLL (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\yyrgppw7lx.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [nzdflkioezncfiunfindiuchiuenfcdc] C:\WINDOWS\TEMP\yyrgppw7lx.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [SYS32DLL] SYS32DLL (User 'Default user')
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Filter hijack: text/html - {b13c0e3d-95e0-4f9f-afe7-e30c28f7b125} - (no file)
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe

Now close all Windows except for HijackThis and click on Fix Checked

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Start> Run> type in msconfig> enter> Selective Startup> Startup tab> UNCHECK all of the following if present:
  • ALL Vongo entries
  • Superantispyware

Start> Run> type in services.msc> right click on Vongo Service> Properties> Change the Startup Type to Disabled> Stop the Service.

Control Panel> Add/Remove Programs> UNINSTALL Vongo

Right click on start> Explore> Programs> right click on Vongo> delete the entire folder.

Reboot into Normal Mode: NOTE: Ignore the nag message and close it after checking 'don't show this message again.' Stay in Selective Startup.

Run Eset NOD32 Online AntiVirus here: http://www.eset.eu/online-scanner
Note: You will need to use Internet Explorer for this scan.

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Rescan with HijackThis when finished and include the new log with your next reply.
(Logs to include: Eset Nod32, HijackThis)

FYI:
SYSDLL is added by the W32/Aimdes-C WORM to ensure it runs automatically; it will exploit AOL Instant Messenger and harvest email addresses.
Tray.exe (Vongo) is a homepage hijacker re-directing browsers to adult content websites.
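The two things the helpers keep flagging in these logs are the loopback proxy in Internet Settings (ProxyServer = http=localhost:7171) and Run values in the SYSTEM and Default User hives that launch from C:\WINDOWS\TEMP or name a bare file such as SYS32DLL. The script below is an added read-only audit for exactly those two conditions; it is not from this thread, HijackThis or ComboFix, and the loopback test and the path regex are my own heuristics. Run it from an elevated PowerShell prompt so the S-1-5-18 hive is readable.

```powershell
# Added audit script (not from the thread): reports, never changes.
# Requires an elevated prompt to read HKEY_USERS\S-1-5-18 (SYSTEM).

$findings = @()

# 1. Internet Settings proxy. A loopback proxy the user never configured
#    (e.g. http=localhost:7171) is what was redirecting the browser here.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($p -and $p.ProxyServer -match 'localhost|127\.0\.0\.1') {
    $findings += "Loopback proxy: ProxyServer=$($p.ProxyServer) " +
                 "ProxyEnable=$($p.ProxyEnable) ProxyOverride=$($p.ProxyOverride)"
}

# 2. Run keys of the SYSTEM and Default User hives (the HijackThis O4
#    entries under HKUS\S-1-5-18 and HKUS\.DEFAULT). Flag values that run
#    from %WINDIR%\TEMP, bare filenames with no path (heuristic: these need
#    a manual look), and a populated (default) value, which HJT shows as [].
$hives = 'Registry::HKEY_USERS\S-1-5-18', 'Registry::HKEY_USERS\.DEFAULT'
$suspect = [regex]'(?i)\\windows\\temp\\|^\s*[^"\\]+\s*$'
foreach ($h in $hives) {
    $runKey = "$h\Software\Microsoft\Windows\CurrentVersion\Run"
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if (-not $run) { continue }
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a value
        $cmd = [string]$prop.Value
        if ($prop.Name -eq '(default)' -or $suspect.IsMatch($cmd)) {
            $findings += "Suspicious Run value in ${h}: [$($prop.Name)] $cmd"
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "FLAG: $_" } }
else { Write-Output 'No loopback proxy or suspicious SYSTEM/Default Run entries found.' }
```

The script only reports; removal still goes through the HijackThis and ComboFix steps the helpers laid out, with logs posted afterwards.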
 
Trouble with ComboFix

I removed the files you recommended, but had trouble with combofix. The error message said "unable to create C:windows\erdnt\Hiv-backup" A popup mentioned C:Qoobox\BackEnv and C:windows\erdnt\Hiv-backup already existed.

I did attach the new hijackthis log.
 
Bobbye

Didn't see your message before I entered my last one. Thanks for your suggestions. It may take me a while to get to them, because I've got to run, but I will get to them soon and appreciate the assistance.
 
Thanks for the advice Bobbye. I spent many unsuccessful hours trying to remove Vongo. (I can't believe HP would put such crap on a computer!) The problems on my machine affected both IE 7 and Firefox 3.0, however, I downloaded Google Chrome, and it works just fine. I'm not done with Vongo, but it's a little less urgent.
 
This board has had problems the past few days. I've had to delete several duplicates of replies I made and I haven't gotten feedback on some when reply was made- yours is one of those.

You had McAfee running in your first HijackThis log- it's gone now except for an ActiveX entry for an online scan. Please get an antivirus program on the system before doing anything else. Here are two recommendations:
Avira Free
Avast Free

Choose either one. Once installed, run a full system scan. Save the log. Attach it with your next reply.

We need to get Combofix working- it looks like you might already have run it, so I want you to uninstall it:
To uninstall ComboFix.exe
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • When shown the disclaimer, Select "2"
Reboot the computer. Then>
Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Run Combo-Fix.exe and follow the prompts.
    (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
  • Wait for the scan to be completed.
  • If it requires a reboot, please do it.
  • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

In the HijackThis log, some of the entries I had marked were removed, others weren't:
Please reopen HijackThis to 'do system scan only.'
Check each of the following if present. NOTE: do not click on 'Fix Checked' until all of the following have been checked:
C:\Program Files\Vongo\VongoService.exe
C:\Program Files\Vongo\Tray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O18 - Filter hijack: text/html - {b13c0e3d-95e0-4f9f-afe7-e30c28f7b125} - (no file)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe

Close all Windows except HijackThis and click on 'Fix Checked.'

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Start> Run> type in msconfig> enter> Selective Startup> Startup tab> Uncheck the following:
  • All HP entries (including Digital Imaging)
  • All Vongo entries
  • All Adobe Reader entries (reader_sl.exe)
  • All Java entries

Start> Run> type in services.msc> Right click on each of the following Services> Properties> reset Startup type as follows:
Java Quick Starter (jqs)> Change to Disabled
Vongo Service> change to Disabled
HP Port Resolver (HPR)> change to Disabled
hpqwmiex.exe> Manual Startup
LSSrvc.exe> Manual
HPZipm12.exe> Manual

Control Panel> Add/Remove Programs> Uninstall Vongo

Control Panel> Java> Update tab> UNCHECK 'check automatically for updates'> Apply> answer Yes when asked to confirm.

Right click on Start> Explore> Programs> scroll to the Vongo folder> right click> Delete

Empty the Recycle Bin

Reboot into Normal Mode: NOTE: ignore the nag message and close it after checking 'don't show this message again.' Stay in Selective Startup.

Please attach logs for AV scan, Combofix report and new HJ scan log.
 