Hello, this is my first time in the forums; sorry if I put this post in the wrong place.
My computer was infected by a virus a few weeks ago. It keeps showing popups from web shield about different files from Windows\system32 (msiexec.exe, msdtc.exe, ctfmom.exe, presentationhost.exe). The memory usage is huge, and it takes a long time to respond. If I turn off wifi, everything looks good; when wifi is on, those processes keep showing up in taskmgr.
I ran AdwCleaner (scan/clean) and attached the report. I also ran FRST and aswMBR.exe. I really need help to fix it; the computer has not been usable for weeks.
You currently have parts of three antivirus programmes on your system (Trend, 360 and Avast), but none are properly installed. I would recommend that you remove them all and then install just one as your main antivirus.
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open Notepad and copy/paste the text in the quote box below into it:
CreateRestorePoint:
HKU\S-1-5-21-59814168-4129390447-2555150420-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => No File
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:13081
SearchScopes: HKU\S-1-5-21-59814168-4129390447-2555150420-1000 -> {B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} URL = http://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=20041099_oem_dg&ch=33
Toolbar: HKU\S-1-5-21-59814168-4129390447-2555150420-1000 -> No Name - {0000A11D-4F01-42B2-84CD-B26ADD453703} - No File
Handler: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Titanium\UIFramework\ProToolbarIMRatingActiveX.dll No File
FF Plugin: @qvod.com/QvodShare -> C:\Program Files (x86)\QvodPlayer\npShareModule_x64.dll No File
FF Plugin-x32: @alibaba.com/npwangwang;version=1.0 -> C:\Program Files (x86)\AliWangWang\7.21.04C\npwangwang.dll No File
FF Plugin-x32: @alipay.com/NPComBrg701,version=1.0.2011.701 -> C:\Windows\system32\itruscert\NPComBrg701.dll No File
FF Plugin-x32: @baidu.com/npxbdsetup -> C:\Windows\Downloaded Program Files\5159764\npxbdsetup.dll No File
FF Plugin-x32: @cfca.com/npCryptoKit.CMBC.U2.x86,version=3.2.1.0 -> C:\Windows\system32\npCryptoKit.CMBC.U2.x86.dll No File
FF Plugin-x32: @cfca.com/npCryptoKit.CMBC.x86,version=3.2.0.5 -> C:\Windows\system32\npCryptoKit.CMBC.x86.dll No File
FF Plugin-x32: @CMBC.com.cn/CMBCTOOL,version=1.0.0.10 -> C:\Windows\system32\npCMBCCom86.dll No File
FF Plugin-x32: @iciba.com/GrabWord -> C:\Program Files (x86)\Kingsoft\PowerWordDict\plugin\NPAPI\npGrabWord.dll No File
FF Plugin-x32: @jd.com/JDNPComBrg -> C:\Windows\system32\JD.COM\itruscert\NPComBrg.dll No File
FF Plugin-x32: @microdone.cn/CMBC -> C:\Windows\system32\CMBC\npCMBCEdit.dll No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @xunlei.com/npaplayer -> C:\Users\Public\Thunder Network\APlayer\codecs\npaplayer.dll No File
FF Plugin-x32: @xunlei.com/npxluser -> C:\Program Files (x86)\Common Files\Thunder Network\UserAgent\npxluser2.0.2.3.dll No File
CHR HomePage: Default -> hxxp://www.trovi.com/?gd=&ctid=CT3328693&octid=EB_ORIGINAL_CTID&ISID=MD23A5401-CDA0-4044-88A4-CADC2700ACC8&SearchSource=55&CUI=&UM=5&UP=SP5A2FF353-2CEB-4D7A-87FE-AB12148DB0CE&SSPV=
U3 aswMBR; \??\C:\Users\home\AppData\Local\Temp\aswMBR.sys [X]
U3 aswVmm; \??\C:\Users\home\AppData\Local\Temp\aswVmm.sys [X]
U3 pxloipow; \??\C:\Users\home\AppData\Local\Temp\pxloipow.sys [X]
2015-03-25 02:43 - 2015-03-25 02:43 - 00000000 ____D () C:\ProgramData\{DB47C3FB-D1B5-4c27-8F10-5A063E7A6255}.tmp
2015-03-16 17:55 - 2015-03-16 17:56 - 00000000 ____D () C:\ProgramData\{20D875CB-B2AA-46df-B9A0-D5E4498C5887}.tmp
2015-03-16 01:17 - 2015-03-25 18:16 - 00000000 ___HD () C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2015-03-16 01:17 - 2015-03-16 01:17 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2015-01-06 20:50 - 2015-01-06 20:50 - 00000000 ____D () C:\ProgramData\{C8133608-6E54-48be-B42A-DAEBC5064D76}.tmp
CustomCLSID: HKU\S-1-5-21-59814168-4129390447-2555150420-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 251 more characters). <==== Poweliks?
Task: {727FE4E3-38C8-4B14-8A18-2D2F7EA641F9} - \DealPly No Task File <==== ATTENTION
Task: {759FCF06-F50E-494A-B90C-02B1D3D4C8BF} - System32\Tasks\ruyiupdatebackup => C:\Users\home\AppData\Local\ruyitao\ruyiUpdate.exe
Task: {83341F2E-67E3-461B-A76B-8F1694DB8750} - System32\Tasks\ruyiupdate => C:\Program Files (x86)\ShoppingAssistant\ruyitao\3.2.7.0\ruyiUpdate.exe
Task: {F954E8F2-4235-4EAF-A0D8-93593A16DC56} - System32\Tasks\{6F891E6A-7E6F-04FC-09D5-1CFE48078DEB} => C:\Users\home\AppData\Roaming\gxoipvm.dll/s "C:\Users\home\AppData\Roaming\gxoipvm.dll" <==== ATTENTION
C:\Users\home\AppData\Roaming\gxoipvm.dll/
C:\Users\home\AppData\Local\ruyitao
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt in the same location as FRST.exe.
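The two entries the helper flagged as Poweliks (the CLSID `localserver32` values that launch `rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication "` and `eval()` an obfuscated string) are the classic fileless persistence pattern: the payload lives only in the registry, and the visible text is the script with every character shifted up by one. The script below is an added example for readers of this thread, not part of the fix or of FRST; it scans FRST-format log lines for that launcher, decodes the shift-by-one obfuscation, and also flags the loopback proxy (`http=127.0.0.1:13081`) that explains the traffic hijacking. The sample lines are constructed from the output quoted above; the tail of the `eval()` string that FRST elided is not on the page, so only the visible prefix is decoded.

```python
"""Detect Poweliks-style CLSID launchers and loopback proxies in FRST-format
log lines, and undo Poweliks' shift-by-one character obfuscation.

Added example; the sample lines are constructed from the thread's own FRST
output (the characters FRST elided after the eval() prefix are not available).
"""
import re
from typing import Iterable, List, NamedTuple, Tuple

SAMPLE_FRST_LINES = [
    # Constructed sample: the "Poweliks!" line from the helper's fixlist.
    r'HKU\S-1-5-21-59814168-4129390447-2555150420-1000\...A8F59079A8D5}\localserver32: '
    r'rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";'
    r'eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>',
    # Constructed sample: the CustomCLSID line, same payload, full CLSID visible.
    r'CustomCLSID: HKU\S-1-5-21-59814168-4129390447-2555150420-1000_Classes\CLSID'
    r'\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> '
    r'rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";'
    r'eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>',
    # Constructed sample: the IE proxy pointing at a local port.
    r'ProxyServer: [.DEFAULT] => http=127.0.0.1:13081',
    # Constructed benign-looking lines that must not match.
    r'ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => No File',
    r'Task: {727FE4E3-38C8-4B14-8A18-2D2F7EA641F9} - \DealPly No Task File',
]

# rundll32 handed a javascript: URL; the "\..\mshtml.dll,RunHTMLApplication"
# path trick makes rundll32 load mshtml and run the script that follows.
LAUNCHER_RE = re.compile(r'(?i)rundll32(?:\.exe)?\s+javascript:')
EVAL_RE = re.compile(r'eval\("([^"]*)')
# A proxy that points back at the local machine is a local interception stub.
LOOPBACK_PROXY_RE = re.compile(r'(?i)ProxyServer:.*?\b(127\.0\.0\.1|localhost):(\d+)')


class LauncherHit(NamedTuple):
    key: str        # registry key the launcher is stored under (FRST text)
    command: str    # the rundll32 command line as logged
    decoded: str    # deobfuscated prefix of the eval()'d script


def deobfuscate(payload: str) -> str:
    """Undo the shift-by-one: Poweliks stored each character as chr(ord(c) + 1),
    so 'epdvnfou/xsjuf)' turns back into 'document.write('."""
    return "".join(chr(ord(c) - 1) for c in payload)


def find_poweliks_launchers(lines: Iterable[str]) -> List[LauncherHit]:
    """Return every line whose value is a rundll32 javascript: launcher."""
    hits: List[LauncherHit] = []
    for line in lines:
        match = LAUNCHER_RE.search(line)
        if not match:
            continue
        # FRST separates key and value with ": " or " -> "; strip either.
        key = line[:match.start()].rstrip(" :->")
        command = line[match.start():]
        eval_match = EVAL_RE.search(command)
        decoded = deobfuscate(eval_match.group(1)) if eval_match else ""
        hits.append(LauncherHit(key, command, decoded))
    return hits


def find_loopback_proxies(lines: Iterable[str]) -> List[Tuple[str, int]]:
    """Return (host, port) for every ProxyServer entry aimed at the local host."""
    found: List[Tuple[str, int]] = []
    for line in lines:
        match = LOOPBACK_PROXY_RE.search(line)
        if match:
            found.append((match.group(1), int(match.group(2))))
    return found


if __name__ == "__main__":
    for hit in find_poweliks_launchers(SAMPLE_FRST_LINES):
        print(f"[Poweliks-style launcher] {hit.key}")
        print(f"    decoded script prefix: {hit.decoded!r}")
    for host, port in find_loopback_proxies(SAMPLE_FRST_LINES):
        print(f"[loopback proxy] browser traffic is routed to {host}:{port}")
```

Running it against the constructed lines reports both CLSID entries with the decoded prefix `document.write('<script language=` and the proxy at `127.0.0.1:13081`. On a live machine the same check would be run against the `LocalServer32` values under `HKCU\Software\Classes\CLSID`, which is where FRST read these from; the fixlist's `RemoveProxy:` directive is what clears the loopback proxy.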