Pop-ups Galore in Firefox

Status
Not open for further replies.

Eslavs

Earlier today I was struck with numerous pop-ups coming from both Firefox and IE. I ran my AVG and detected a few trojans, as I suspected. Afterwards, I ran through the 8 steps listed on the forum, and have my logs attached. Since running the cleaners, I haven't noticed any pop-ups, and am hopeful all is well again.......

I used my updated AVG A/S, Malwarebytes, and HJT.....

Can anyone review my logs and confirm? As I mentioned, I have had no further pop-ups, but I want to make sure all is well before I write this one off....

Thanks in advance!

As I'm sure everyone is busy - it seems a lot of folks are having similar problems - I just wanted to renew my request to have someone look over my logs......your help is much appreciated.

Thanks again
 

Attachments

  • mbam-log-2008-12-28 (23-12-58).txt
    4.5 KB · Views: 5
  • hijackthis12-28-2008.log
    12.8 KB · Views: 5
Thanks woodsy - I got all that. I've followed the standard directions and am just looking for someone to check my HJT log to make sure it's clean....
 
-> No action taken on MBAM scan, for found issues
Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected. <========= Not Done

Please re-run Malwarebytes
Confirm updated (third tab)
Then do the above quoted message, but this time "Remove all found issues"

By the way, you will need to then restart, and run (and attach) a new HJT log
 
New logs for your review.......

Last time, I think I saved before and after I removed all the baddies. Don't know why, and don't know why I sent that particular one.....
 
Please un-install AVG Anti-Spyware 7.5 (and any other AVG installed on your computer)
Install Avira instead, and run a full scan
 
Of the many issues in your HJT log, please run it again, tick this entry and then fix it
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')

Un-install Window Washer (CCleaner is much better ;) )

Un-install SuperAntiSpyware

Run CCleaner again

Restart

Run the Norton Removal tool

Start up Malwarebytes again
Update it <= notice how this gets its own line ;)
Then run another full scan
You need to run this multiple times, until all hidden Malwares are uncovered and removed
 
1. Fixed the last HJT issue
2. Uninstalled Window Washer and SAS
3. Ran Norton Removal Tool
4. Ran CCleaner until no issues found
5. Updated Malwarebytes and ran until no bad guys found (2x)

Latest logs attached.

Thanks!
 
Well done :approve:

But sadly still issues :(

Please re-run HJT and place a tick next to the following, then select Fix:
O4 - HKCU\..\Policies\Explorer\Run: [{38F59401-06C1-1033-0815-060426060001}] "C:\Program Files\Common Files\{38F59401-06C1-1033-0815-060426060001}\Update.exe" mc-110-12-0000272
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O24 - Desktop Component 0: (no name) - http://education.yahoo.net/degrees/images/articles/_featured_from_degree_to_pay_check.jpg

Before restarting run: the McAfee Removal Tool
Then restart ;)
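
An added example, not part of the original thread and not HijackThis's own code: a small Python triage pass over HijackThis-style entries like those quoted in the post above. It flags orphaned `(no file)` entries, duplicate lines, and O16/O24 entries that load from a remote URL. The flag names and the choice of heuristics are assumptions for illustration; the sample lines are copied from the post above.

```python
import re
from collections import Counter

# Sample entries copied from the HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O24 - Desktop Component 0: (no name) - http://education.yahoo.net/degrees/images/articles/_featured_from_degree_to_pay_check.jpg
"""

# Entry lines look like "<section code> - <rest>", e.g. "O9 - Extra button: ..."
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://[^\s>]+")
REMOTE_SECTIONS = {"O16", "O24"}  # assumption: URL-backed entries worth a manual look


def parse_entries(log_text):
    """Return one dict per recognisable entry line; headers and blanks are skipped."""
    entries = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            body = match.group("body")
            entries.append({
                "section": match.group("section"),
                "body": body,
                "urls": URL_RE.findall(body),
                "orphan": body.endswith("(no file)"),
            })
    return entries


def triage(entries):
    """Return (section, flags) once per distinct entry that deserves review."""
    counts = Counter((e["section"], e["body"]) for e in entries)
    notes = []
    for (section, body), seen in counts.items():  # Counter keeps first-seen order
        flags = []
        if body.endswith("(no file)"):
            flags.append("orphaned (no file)")
        if section in REMOTE_SECTIONS and URL_RE.search(body):
            flags.append("remote source")
        if seen > 1:
            flags.append(f"listed x{seen}")
        if flags:
            notes.append((section, flags))
    return notes


if __name__ == "__main__":
    for section, flags in triage(parse_entries(SAMPLE_LOG)):
        print(section, "->", ", ".join(flags))
```

The flags only mark entries for a human to review; they are not a verdict that an entry is malicious.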
 
Sorry still issues!

Run HJT, tick and Fix:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')

Download Combofix from here: https://www.techspot.com/downloads/5587-combofix.html
Save it somewhere you can easily find, i.e. the C drive

Restart your computer to Safe Mode (pressing F8 before Windows starts)
Once in Safe Mode, locate and double click on ComboFix.exe
This may take up to 10 mins to finish, there are some prompts to agree to, and your Desktop may reset a couple of times (all normal)

When finished, restart back to normal mode
Create yet another HJT log, and this time supply a Combofix log too

Edit:

Doh!

Locate C:\Program Files\Vongo folder and delete it
 
Daaamn!
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
Did you also remove the folder C:\Program Files\Vongo as stated above, from Safe mode?
 
Yep, got rid of it in safe mode. Still showing up on the latest HJT log.

Vongo came installed with the laptop when I got it. One of those packaged software programs.....
 
I found this reply from HP Support from someone else who wanted to get rid of Vongo:
Uninstall VONGO Software:
1. Restart the Notebook and keep Tapping F8.
2. Select Safe Mode and press Enter
3. Click on Start, select Run, type "msconfig" press Enter.
4. Click on Startup tab and uncheck the check box besides "isuspm"
5. Click OK and restart the system for the new settings to take effect.

Note: After you restart the machine you may receive a dialogue box stating 'System is running using Selective Startup', Check 'Don't show this message or launch the system configuration utility when Windows Starts' and click OK.

Now, restart the Notebook again and go into Safe Mode by tapping F8:
Click on Start -> Control Panel -> Add Remove Programs
Locate the Vongo Software and click on Remove to uninstall it.

If this does not resolve the issue, you may have to manually delete the files.
To do that:
1. Double click on My Computer
2. Double click on C Drive
3. Double click on Program Files
4. Select the Vongo Software folder and press Delete.
5. Close the Window
6. Right click on Recycle Bin folder and select Empty Recycle Bin
This will remove the Software.
Now, run the Windows Installation Cleanup Utility, this will remove the registry entries for the Software.

You can download the Utility here: http://support.microsoft.com/default.aspx?scid=kb;en-us;290301

The Windows Installer CleanUp Utility does:

• Provide a dialog box where you can select one or more programs that were installed by Windows Installer. You select the programs on the Installed Products list in the Windows Installer CleanUp dialog box. After you make this selection, the utility removes only the Windows Installer configuration information that is related to those programs.

• Remove the files and registry settings that make up the Windows Installer configuration information for programs that you select.
I notice the AskBar is still loading:
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
Have HijackThis remove the entry, then click on Fix Checked and boot into Safe Mode:
Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK any Ask bar processes> Apply> OK.

Control Panel> Add/Remove Programs> UNINSTALL any Ask related entries.

I suggest you also check and have HijackThis remove the following:
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
When rebooting into Normal mode, ignore the nag message, check 'don't show this message again.' Stay in Selective Startup.

Update Java:
Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses so I strongly recommend you update. Click here to download the latest version of Java (Java Runtime Environment (JRE) 6.0 Update 11): http://java.com/en/download/manual.jsp
Please install it and then reboot your computer.

Remove the older versions of Java:
1. Click Start, Control Panel, Add/Remove Programs.
2. Delete all Java updates except J2SE Runtime Environment 6.0 Update 11
Update Adobe:
Your Adobe Reader is out of date. Vulnerabilities can be exploited. Click here to download the latest version v9: https://www.techspot.com/downloads/2083-adobe-reader-dc.html
OR
Install the FoxIt Reader: this does the same thing as Adobe, but doesn’t have the bloat: http://www.foxitsoftware.com/pdf/rd_intro.php

The following will help the Cookie and pop-up problem in Firefox:
1. Open Firefox> Tools> Options> Privacy section> Cookies> UNCHECK 'allow third party Cookies'.
2. Put the following add-ons on Firefox:
AdBlock Plus: https://addons.mozilla.org/en-US/firefox/addon/1865
Easy List: http://easylist.adblockplus.org/
(get all three)
 
Alright. Updated Java and Adobe Reader (couldn't get 9, still w/ 8.1.5 or something like that. Firefox crashes when I try to download 9.)

Fixed all that was mentioned in HJT. I had already deleted the Program Files/Vongo folder before, uninstalled over a year ago, and still can't find any trace of anything related other than what keeps popping up on FF....

Otherwise, I am having no problems with pop ups. I installed Comodo, so hopefully that'll help keep me from getting hit a third time.

Thanks for all your help,

Eric
 
Well, we're making progress, but Vongo is still around- we've both had you remove this in HijackThis, but it is still loading:
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')

Did you run the Windows Installer CleanUp Utility? That should allow you to remove the process from the Registry.

This McAfee entry remains:
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab>>McAfee Security Download Control

Since it's an Active X entry, try this:
Open IE> Tools> Manage add-ons> look for any McAfee entry and highlight> disable.

IF the pop-ups return, consider removing the Weather Channel.

Remove the clean up tools:
* Download OTCleanIt
http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

* Click the CleanUp! button.
* It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).
Clear your existing System Restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
* Next, go to Start > Run and type in cleanmgr
* Ensure the selection is on C:\ and click on OK
* Select the *More options* tab
* Choose the option to clean up System Restore and OK it.
* This will remove all restore points except the new one you just created.
Let us know if we can be of help in the future.
 