computer infection

Hello, this is my first time in forums, sorry if I put this post in the wrong place.

My computer was infected by a virus a few weeks ago. It keeps showing Web Shield popups for different files from Windows\system32 (msiexec.exe, msdtc.exe, ctfmon.exe, presentationhost.exe). The memory usage is huge, and it takes a lot of time to respond. If I turn off wifi, everything looks good; when wifi is on, those processes keep showing up in taskmgr.

I ran AdwCleaner (scan/cleaning) and attached the report. I also ran FRST and aswMBR.exe. I really need help to fix it; the computer has not been usable for weeks.

Thanks in advance.

Well, it seems you don't have any antivirus installed?

Download and run Malwarebytes from here and attach the log: https://forum.avast.com/index.php?topic=53253.0

When done, run a new fresh FRST log.

Essexboy will be online and will help you tomorrow.

The result of Malwarebytes:

Files: 6
Trojan.FakeMS.SVSGen2, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\spwizimg.dll, , [04759ea5cebc4cea8eb8f69fc43dde22],
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\8afc49b02429a, , [f7828eb51b6f1e18b03b009ba95a7d83],
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\igkuwqgwqc.tmp, , [f7828eb51b6f1e18b03b009ba95a7d83],
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\sauyaokk.tmp, , [f7828eb51b6f1e18b03b009ba95a7d83],
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\siscge.tmp, , [f7828eb51b6f1e18b03b009ba95a7d83],
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\swk.tmp, , [f7828eb51b6f1e18b03b009ba95a7d83],

You currently have parts of three antivirus programmes on your system (Trend, 360 and Avast), but none are properly installed. I would recommend that you remove them all and then install just one as your main antivirus.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKU\S-1-5-21-59814168-4129390447-2555150420-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => No File
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:13081
SearchScopes: HKU\S-1-5-21-59814168-4129390447-2555150420-1000 -> {B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} URL = http://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=20041099_oem_dg&ch=33
Toolbar: HKU\S-1-5-21-59814168-4129390447-2555150420-1000 -> No Name - {0000A11D-4F01-42B2-84CD-B26ADD453703} - No File
Handler: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Titanium\UIFramework\ProToolbarIMRatingActiveX.dll No File
FF Plugin: @qvod.com/QvodShare -> C:\Program Files (x86)\QvodPlayer\npShareModule_x64.dll No File
FF Plugin-x32: @alibaba.com/npwangwang;version=1.0 -> C:\Program Files (x86)\AliWangWang\7.21.04C\npwangwang.dll No File
FF Plugin-x32: @alipay.com/NPComBrg701,version=1.0.2011.701 -> C:\Windows\system32\itruscert\NPComBrg701.dll No File
FF Plugin-x32: @baidu.com/npxbdsetup -> C:\Windows\Downloaded Program Files\5159764\npxbdsetup.dll No File
FF Plugin-x32: @cfca.com/npCryptoKit.CMBC.U2.x86,version=3.2.1.0 -> C:\Windows\system32\npCryptoKit.CMBC.U2.x86.dll No File
FF Plugin-x32: @cfca.com/npCryptoKit.CMBC.x86,version=3.2.0.5 -> C:\Windows\system32\npCryptoKit.CMBC.x86.dll No File
FF Plugin-x32: @CMBC.com.cn/CMBCTOOL,version=1.0.0.10 -> C:\Windows\system32\npCMBCCom86.dll No File
FF Plugin-x32: @iciba.com/GrabWord -> C:\Program Files (x86)\Kingsoft\PowerWordDict\plugin\NPAPI\npGrabWord.dll No File
FF Plugin-x32: @jd.com/JDNPComBrg -> C:\Windows\system32\JD.COM\itruscert\NPComBrg.dll No File
FF Plugin-x32: @microdone.cn/CMBC -> C:\Windows\system32\CMBC\npCMBCEdit.dll No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @xunlei.com/npaplayer -> C:\Users\Public\Thunder Network\APlayer\codecs\npaplayer.dll No File
FF Plugin-x32: @xunlei.com/npxluser -> C:\Program Files (x86)\Common Files\Thunder Network\UserAgent\npxluser2.0.2.3.dll No File
CHR HomePage: Default -> hxxp://www.trovi.com/?gd=&ctid=CT3328693&octid=EB_ORIGINAL_CTID&ISID=MD23A5401-CDA0-4044-88A4-CADC2700ACC8&SearchSource=55&CUI=&UM=5&UP=SP5A2FF353-2CEB-4D7A-87FE-AB12148DB0CE&SSPV=
U3 aswMBR; \??\C:\Users\home\AppData\Local\Temp\aswMBR.sys [X]
U3 aswVmm; \??\C:\Users\home\AppData\Local\Temp\aswVmm.sys [X]
U3 pxloipow; \??\C:\Users\home\AppData\Local\Temp\pxloipow.sys [X]
2015-03-25 02:43 - 2015-03-25 02:43 - 00000000 ____D () C:\ProgramData\{DB47C3FB-D1B5-4c27-8F10-5A063E7A6255}.tmp
2015-03-16 17:55 - 2015-03-16 17:56 - 00000000 ____D () C:\ProgramData\{20D875CB-B2AA-46df-B9A0-D5E4498C5887}.tmp
2015-03-16 01:17 - 2015-03-25 18:16 - 00000000 ___HD () C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2015-03-16 01:17 - 2015-03-16 01:17 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2015-01-06 20:50 - 2015-01-06 20:50 - 00000000 ____D () C:\ProgramData\{C8133608-6E54-48be-B42A-DAEBC5064D76}.tmp
CustomCLSID: HKU\S-1-5-21-59814168-4129390447-2555150420-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 251 more characters). <==== Poweliks?
Task: {727FE4E3-38C8-4B14-8A18-2D2F7EA641F9} - \DealPly No Task File <==== ATTENTION
Task: {759FCF06-F50E-494A-B90C-02B1D3D4C8BF} - System32\Tasks\ruyiupdatebackup => C:\Users\home\AppData\Local\ruyitao\ruyiUpdate.exe
Task: {83341F2E-67E3-461B-A76B-8F1694DB8750} - System32\Tasks\ruyiupdate => C:\Program Files (x86)\ShoppingAssistant\ruyitao\3.2.7.0\ruyiUpdate.exe
Task: {F954E8F2-4235-4EAF-A0D8-93593A16DC56} - System32\Tasks\{6F891E6A-7E6F-04FC-09D5-1CFE48078DEB} => C:\Users\home\AppData\Roaming\gxoipvm.dll/s "C:\Users\home\AppData\Roaming\gxoipvm.dll" <==== ATTENTION
C:\Users\home\AppData\Roaming\gxoipvm.dll/
C:\Users\home\AppData\Local\ruyitao
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

Uninstallers – Security Software
https://singularlabs.com/uninstallers/security-software/
https://www.avast.com/en-eu/faq.php?article=AVKB11#artTitle
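As an added illustration, not code from the thread or from FRST itself: the three entries in the fixlist above that matter most to a responder are the CLSID LocalServer32 value that launches rundll32.exe with a javascript: URL (the fileless Poweliks persistence), the proxy pointed at 127.0.0.1:13081, and the scheduled task whose action is a DLL under AppData. The Python below scans a constructed subset of those log lines for exactly those patterns and, assuming the visible eval() fragment uses the Poweliks trick of adding 1 to every character code, shifts it back to readable script.

```python
import re
from typing import List, Tuple

# Constructed sample: a subset of the FRST lines from the fixlist above, with the
# elided "(the data entry has ... more characters)" left exactly as posted.
SAMPLE_LOG = r"""
CustomCLSID: HKU\S-1-5-21-59814168-4129390447-2555150420-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 251 more characters). <==== Poweliks?
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:13081
Task: {F954E8F2-4235-4EAF-A0D8-93593A16DC56} - System32\Tasks\{6F891E6A-7E6F-04FC-09D5-1CFE48078DEB} => C:\Users\home\AppData\Roaming\gxoipvm.dll/s "C:\Users\home\AppData\Roaming\gxoipvm.dll" <==== ATTENTION
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
"""

# Assumed Poweliks obfuscation: every character code was incremented by one.
# Subtracting the shift turns "epdvnfou/xsjuf" back into "document.write".
def unshift(text: str, shift: int = 1) -> str:
    return "".join(chr(ord(c) - shift) for c in text)

# LocalServer32 value that runs rundll32 with a javascript: URL; capture eval()'s argument.
FILELESS_CLSID = re.compile(
    r"localserver32 -> rundll32\.exe javascript:.*?eval\(\"(\S+)", re.I)
# Browser proxy that loops back to the local machine (a local relay, not a real proxy).
LOCAL_PROXY = re.compile(r"^ProxyServer: .*=> \S*?127\.0\.0\.1:(\d+)", re.I)
# Scheduled task whose action is a DLL stored under the user's AppData tree.
APPDATA_TASK_DLL = re.compile(r"^Task: .*=> (\S*\\AppData\\\S*?\.dll)", re.I)

def find_indicators(log: str) -> List[Tuple[str, str]]:
    """Return (indicator_type, detail) pairs, one per suspicious log line."""
    hits: List[Tuple[str, str]] = []
    for line in log.splitlines():
        m = FILELESS_CLSID.search(line)
        if m:
            hits.append(("fileless_clsid", unshift(m.group(1))))
            continue
        m = LOCAL_PROXY.search(line)
        if m:
            hits.append(("local_proxy_port", m.group(1)))
            continue
        m = APPDATA_TASK_DLL.search(line)
        if m:
            hits.append(("appdata_task_dll", m.group(1)))
    return hits

if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```

Run against a full FRST.txt the same three regexes give a quick triage pass before any fixlist is written; the decoded prefix shows why the entry is flagged as Poweliks rather than a benign COM registration.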

Thanks. Everything Is Working Perfectly now.