continuing IE hijack

Again h**p://www.zhaozhaola.com is still being downloaded automatically and hijacks my IE homepage as reported in http://forum.avast.com/index.php?topic=127733.0
Looks like some virus is not removed :(
the scan is completed (there is no extra.txt from OTL)

the extra.txt is only created when you run OTL first time… just extra tech info and usually not needed

Essexboy is notified and should be here later today

I can see no sign of the hijacker showing within IE

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now.

Since it already late night here in Hong Kong, I’ll run the scan and attach the log tomorrow.

But before I move on, I need to mention that hijacking may be the result only
The main thing is that at random periods, something keeps making a shortcut of the URL in “my favourites” and “desktop” only on start up; after that I can just remove it and it doesn’t appear until it reaches a special day, and on that day something will do that when the computer is booted up.

Edit: Notice that it doesn’t change all the paths though. If I open IE by clicking on the icon on the task bar, it opens my yahoo.com home page

That would tend to suggest something in the task folder, I will see what combofix tells me

Here is the log

I see it removed something related to 360safe, which is my antivirus
When I click on IE on the taskbar, it now shows a blank page

Edit: Now I’m pretty sure that IE is infected. After the ComboFix run, I cannot go to any site other than h**p://www.zhaozhaola.com (clicking on the desktop path; if I go there after clicking the icon on the taskbar, it stays blank) with IE.
But I can use Firefox or Chrome to access other sites.

OK we will uninstall IE9 and then reinstall, that will give you a clean set of files

1. Click the Start button, type Programs and Features in the search box, and then click View installed updates in the left pane.

2. Under Uninstall an update, scroll down to the Microsoft Windows section.

3. Right-click Windows Internet Explorer 9, click Uninstall, and then, when prompted, click Yes.

4. Click one of the following:
  • Restart now (to finish the process of uninstalling Internet Explorer 9 and restore the previous version of Internet Explorer).
  • Restart later

Once done then download and install a fresh copy of IE9 from here http://www.microsoft.com/en-gb/download/internet-explorer-9-details.aspx

Reboot and let me know how it is behaving

But I am using windows 8, so it should be IE 10 instead of IE 9

Edit: I did a system restore to a point just before ComboFix for the following reasons:

  1. I have some important data that I need but cannot get access to because IE 10 doesn’t work

  2. I read something on the Microsoft website about IE 10 not being able to be reinstalled without doing a refresh in Windows 8, which is to back up all data and reinstall Windows 8

Edit2: After I have done the restore, I see two weird files named “desktop.ini” on the top left corner of the screen

Desktop.ini is a system file and will be hidden on completion

I could have sworn that OTL said Windows 7 … must be going blind

As you have restored could you run a fresh OTL scan please and let me know what the current problems are

New OTL scan
IE still only shows the correct home page when using the icon on the taskbar
The path on the desktop is modified to “C:\Program Files (x86)\Internet Explorer\iexplore.exe” h**p://www.zhaozhaola.com/" – it always adds the site at the back when it creates the shortcut
The name of the site is messed up and read “厙硊絳瑤[梑梑徽]-奻厙憩奻梑梑徽ㄐ.url” at the desktop.

Is this happening when you create the shortcut manually

I didn’t create any shortcut manually, but the site shortcut is there automatically sometimes on start up

The only thing running that I can see adding that is 360

Download Autoruns from this page http://technet.microsoft.com/en-gb/sysinternals/bb963902
Right click the programme and select “run as administrator”
Select the Scheduled tasks tab
Under options …Filter Options tick Hide Microsoft entries
Select rescan
Post a screenshot of the results
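An added PowerShell triage check, not posted in the thread, that automates the two things being looked at above: it lists non-Microsoft scheduled tasks whose actions run a script host (the kind of entry the Autoruns Scheduled Tasks tab would show), and it flags Desktop/Favorites shortcuts that point at the hijack domain or that launch iexplore.exe with a URL argument as described for the desktop shortcut. The domain value is taken from the thread; the script-host pattern and the idea of checking the Favorites folder are assumptions.

```powershell
# Added example: hunt for the persistence described in the thread (Windows 8+, run as administrator).
$HijackDomain = [regex]::Escape('zhaozhaola.com')   # domain named in the thread

# 1. Non-Microsoft scheduled tasks whose actions invoke a script host (assumed indicator pattern).
function Get-SuspiciousTasks {
    Get-ScheduledTask |
        Where-Object { $_.Author -notlike 'Microsoft*' -and $_.TaskPath -notlike '\Microsoft\*' } |
        ForEach-Object {
            $task = $_
            foreach ($action in $task.Actions) {
                $cmd = "$($action.Execute) $($action.Arguments)"
                if ($cmd -match '(?i)wscript|cscript|\.vbs\b|\.js\b|powershell|mshta') {
                    [pscustomobject]@{ Task = $task.TaskName; Path = $task.TaskPath; Command = $cmd }
                }
            }
        }
}

# 2. Desktop / Favorites shortcuts (.lnk and .url) that carry the hijack domain,
#    or an iexplore.exe shortcut that has had a URL appended as its argument.
function Get-TamperedShortcuts {
    $dirs  = @([Environment]::GetFolderPath('Desktop'), [Environment]::GetFolderPath('Favorites'))
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $dirs) {
        Get-ChildItem -Path $dir -Include *.lnk, *.url -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $file = $_
            if ($file.Extension -ieq '.url') {
                # Internet shortcut: plain INI text with a URL= line
                $target = ((Get-Content $file.FullName) | Where-Object { $_ -like 'URL=*' }) -replace '^URL=', ''
                $argStr = ''
            } else {
                $lnk    = $shell.CreateShortcut($file.FullName)
                $target = $lnk.TargetPath
                $argStr = $lnk.Arguments
            }
            $isIE = $target -match '(?i)iexplore\.exe'
            if (($target -match $HijackDomain) -or ($argStr -match $HijackDomain) -or ($isIE -and $argStr -match '(?i)https?://')) {
                [pscustomobject]@{ File = $file.FullName; Target = $target; Arguments = $argStr }
            }
        }
    }
}

Get-SuspiciousTasks  | Format-Table -AutoSize
Get-TamperedShortcuts | Format-Table -AutoSize
```

Both lists are read-only output for review; anything they flag should be confirmed in Autoruns before it is disabled, as the thread does.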

Here is the screenshot as requested

Run autoruns again and deselect the bottom line “gathernetworks vbs”