[greyknight17]

Right now the only issue remaining is that it will bring you to the correct site but with the Vietnamese (vn) in the link correct? Does this occur for Google or other sites as well?

[Advertisements]

Go to Start->Run, copy/paste in combofix /u and hit OK to remove it.

Did you do this part already?
Download Hoster at http://www.greyknigh.../spy/Hoster.exe and run it. Click on Restore Original Hosts button and press OK. If you used a custom HOSTS file, you will need to restore the file back.

Right now the only issue remaining is that it will bring you to the correct site but with the Vietnamese (vn) in the link correct? Does this occur for Google or other sites as well? Does it still log you out of GeeksToGo when you make a reply here?

[greyknight17]

Go to Start->Run, copy/paste in combofix /u and hit OK to remove it.

Did you do this part already?
Download Hoster at http://www.greyknigh.../spy/Hoster.exe and run it. Click on Restore Original Hosts button and press OK. If you used a custom HOSTS file, you will need to restore the file back.

Right now the only issue remaining is that it will bring you to the correct site but with the Vietnamese (vn) in the link correct? Does this occur for Google or other sites as well? Does it still log you out of GeeksToGo when you make a reply here?

[kochiu77]

Hi Greyknight,

Thank you for your instruction
1. I have removed combofix.
2. I was not able to do the following as the buttom do not seem to be activated. "Click on Restore Original Hosts button and press OK", also I was not able to open the whole window to view the right side of the page.
3. When I type www.yahoo.com or www.google.com into the address column then it will bring me to some other site but sometime when I hit the refresh key then it will bring me to the correct site but take over 30 second.

Thank you.

[greyknight17]

Download a-squared and install it. Run it and see what it finds. Post the log file here.

[kochiu77]

Hi Greyknight,

Thank you for your message. I will do the scanning now. Thanks.

[kochiu77]

Hi Greyknight,

Here is the result. Please kindly advise. Thank you.

a-squared Free - Version 4.0
Last update: 1/4/2009 4:26:16 AM

Scan settings:

Objects: Memory, Traces, Cookies, C:\
Scan archives: On
Heuristics: On
ADS Scan: On

Scan start: 1/4/2009 4:26:42 AM

c:\program files\the weather channel fw detected: Trace.Directory.Desktop Weather!A2
Key: HKEY_USERS\S-1-5-21-3636757540-3239776333-94227689-1006\software\kazaa detected: Trace.Registry.KaZaA!A2
C:\Documents and Settings\Michael\Cookies\michael@advertising[2].txt detected: Trace.TrackingCookie.advertising!A2
C:\Documents and Settings\Michael\Cookies\michael@atdmt[2].txt detected: Trace.TrackingCookie.atdmt!A2
C:\Documents and Settings\Michael\Cookies\michael@casalemedia[2].txt detected: Trace.TrackingCookie.casalemedia!A2
C:\Documents and Settings\Michael\Cookies\michael@computing[2].txt detected: Trace.TrackingCookie.com!A2
C:\Documents and Settings\Michael\Cookies\michael@doubleclick[2].txt detected: Trace.TrackingCookie.doubleclick!A2
C:\Documents and Settings\Michael\Cookies\[email protected][2].txt detected: Trace.TrackingCookie.google.com!A2
C:\Documents and Settings\Michael\Cookies\[email protected][3].txt detected: Trace.TrackingCookie.google.com!A2
C:\Documents and Settings\Michael\Cookies\[email protected][1].txt detected: Trace.TrackingCookie.server.iad.livepers!A2
C:\Documents and Settings\Michael\Cookies\[email protected][3].txt detected: Trace.TrackingCookie.server.iad.livepers!A2
C:\Documents and Settings\Michael\Cookies\michael@tradedoubler[2].txt detected: Trace.TrackingCookie.tradedoubler!A2
C:\Documents and Settings\Michael\Cookies\michael@tribalfusion[1].txt detected: Trace.TrackingCookie.tribalfusion!A2
C:\Documents and Settings\Michael\Cookies\[email protected][2].txt detected: Trace.TrackingCookie.www.com!A2
C:\Documents and Settings\Michael\Desktop\Flash_Disinfector.exe/nircmd.exe detected: Riskware.RiskTool.Win32.NirCMD!IK

Scanned

[greyknight17]

The other computer can go to msn.com and google.com without these issues? Is this happening to both browsers (Internet Explorer and Firefox)?

See the below two links to clear out the temp files for both browsers. For IE7 click on the delete all option to clear everything:

http://pcsupport.abo...cleartifie7.htm
http://pcsupport.abo...learcacheff.htm

Open up the file at c:\windows\system32\drivers\etc\hosts in Notepad. Copy and paste the entire contents of that file here.

[kochiu77]

Hi Greyknight,

My other computer doesn't have any of these problems. Also my firefox is working fine in my problem computer.

I was not able to open the following page in my IE7 and Firefox
http://pcsupport.abo...cleartifie7.htm
http://pcsupport.abo...learcacheff.htm

I have attached the notebook file. The file is very long and if you want me to copy and paste here, please kindly advise.

Thank you

Attached Files

•  kochiu77.txt   283.93KB   110 downloads

[greyknight17]

I will ask the other staff here for help on this one. Will get back to you shortly. Just want to confirm this again, so if you go to http://www.yahoo.com it still redirects you to http://vn.yahoo.com/?p=us instead?

[kochiu77]

Hi Greyknight,

Thank you for your message.
That is correct. If I type www.yahoo.com then it will bring me to http://vn.yahoo.com/?p=us.
When I type www.msn then I will be direct to some other vietnamese site.
When I type www.download.com then the page is ok but the logo change to a devil.

[greyknight17]

This doesn't sound like it could be a language setting problem especially if it changes the logo/icon for the website, but check your Yahoo settings to see if you can change it to English. I see that in the Vietnamese Yahoo site, on the left side, there is a yahoo.com button there that brings you to the English site. Try clicking on it to see if it directs you back to the English site. Then close your browser and try going to yahoo.com again.

Download GMER from here:

• Unzip it to the desktop.
• Open the program and click on the Rootkit tab.
• Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
• Click on Scan.
• When the scan has run click Copy and paste the results (if any) into this thread.

Edited by greyknight17, 06 January 2009 - 02:05 PM.

[kochiu77]

Hi Greyknight,

Thank you for your message. I am going to a biz trip later today so I won't able to reply you until I come back on Sunday. I am running the GMER now. Thank you.

1. Yes, after I click the left button then it will bring me to the correct English site but the logo already change to something else instead of the letter Y. If I close the browser then it will either bring me back to the Vietnamese site or direct me to other site.

[kochiu77]

Hello Greyknight,

Here is the GMER log. Thank you.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-07 05:39:34
Windows 5.1.2600 Service Pack 3


---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2640] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2640] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A179F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2640] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A1720 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2640] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A1764 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2640] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A16AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2640] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 430A16E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2640] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 430A17DA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2640] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe[3112] kernel32.dll!CreateThread + 1A 7C8106E1 4 Bytes [ DB, C8, C3, 83 ]
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3740] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 5 Bytes JMP 0056DBBD C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Windows Live Messenger/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3860] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3860] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A179F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3860] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A1720 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3860] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A1764 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3860] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A16AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3860] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 430A16E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3860] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 430A17DA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3860] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3352] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3352] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3352] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3352] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3352] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3352] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3352] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3352] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3352] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3352] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3352] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3352] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3352] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3352] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3352] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3352] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3352] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3352] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3352] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3352] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3352] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3352] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3352] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3352] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [63601740] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3352] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3352] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3352] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3352] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3352] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

---- Devices - GMER 1.0.14 ----

Device \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)

Device \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\IPMULTICAST avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.14 ----

[Rorschach112]

Can you post a new HJT log

[kochiu77]

Hi Rorschach,

Thank you so much for your message. I am on biz trip now so I cannot post from any log my problem computer. I will do it on next coming Monday. Thank you.