system
1
My friend asked me to clean up his computer. I used Avast to do a check. A few pieces of malware and junk were found.
Most are generic detections of the application “PPTV” (Win32:Malware-gen)
with Win32:Trojan-gen and Win32:GenMalicious-ANH [trj]
There is also an ugly warning from Avast about a bad-reputation plugin in IE.
Attached are pictures showing the deep scan result and the plugin warning.
I know I need the scan log of MBAM and FRST, please wait, I will provide them in a few minutes
Edit: Oh boy! The link to download MBAM is hijacked to a Chinese site
Original: https://www.malwarebytes.org/getmbam
Now: htxp://malwarebytes-anti-malware.softonic.cn/download?ptn=malwarebytes
Is it safe?
Looks like there IS a plugin doing this. Have you guys heard of Softonic?
Edit2: The FRST download also failed. The page won’t even load, leaving a weird page layout. The attached picture “weird screen.jpg” shows the half-loaded webpage.
Pondus
2
system
3
IE is flooded with weird download-agent plugins which need removing.
Using a freshly installed Firefox, I am able to download MBAM and FRST. Logs attached.
Weird: there are Google Chrome entries even though Chrome is not installed ???
I will initially disable the IE plugins for Baidu and QQ as they are readily hijacked
Let me know if there is any change after this
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
BHO: QQDownload IE Left Helper -> {00000000-12C9-4305-82F9-43058F20E8D2} -> C:\Program Files (x86)\Tencent\QQDownload\QQIEHelper64.dll [2013-07-31] (Tencent Technology (Shenzhen) Company Limited)
BHO-x32: QQDownload IE Left Helper -> {00000000-12C9-4305-82F9-43058F20E8D2} -> C:\Program Files (x86)\Tencent\QQDownload\QQIEHelper02.dll [2013-07-31] (Tencent Technology (Shenzhen) Company Limited)
BHO-x32: NavigateBHO Class -> {CD79381A-F551-4E4E-9FE5-68105416C550} -> C:\Users\user\AppData\Roaming\baidu\BaiduPlayerBrowser\2.6.1.57_1\ProtectBHO.dll No File
DPF: HKLM-x32 {8AFB38D0-67A4-49D3-8822-401755FC6573} http://hk.beanfun.com/beanfun_block/embeds/BFService.cab
FF Plugin-x32: @baidu.com/npxbdsetup -> C:\Windows\Downloaded Program Files\1468078\npxbdsetup.dll [2012-12-26] ()
FF Plugin-x32: @qq.com/QQDownloadPlugin -> C:\Program Files (x86)\Tencent\QQDownload\Browser\751\npXFPlugin.dll [2013-07-31] (Tencent Technology (Shenzhen) Company Limited)
FF Plugin-x32: @qq.com/TXSSO -> C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.94\Bin\npSSOAxCtrlForPTLogin.dll [2013-01-25] (Tencent)
Task: {9E7EE08F-E915-4FAE-8F2F-4DD16FC08933} - System32\Tasks\{8876E257-B921-40C2-8130-705213219B03} => pcalua.exe -a "C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W336JY9O\install_flashplayer11x32ax_gtbp_chra_aih[1].exe" -d C:\Users\user\Desktop
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated please post that
THEN
Please download AdwCleaner by Xplode onto your desktop.
1. Close all open programs and internet browsers.
2. Double click on AdwCleaner.exe to run the tool.
3. Click on Scan.
4. After the scan is complete click on “Clean”.
5. Confirm each time with Ok.
6. Your computer will be rebooted automatically. A text file will open after the restart.
7. Please post the content of that logfile with your next answer.
8. You can find the logfile at C:\AdwCleaner[S0].txt as well.
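The fixlist above is built by copying lines verbatim out of the FRST log: FRST accepts a log entry as a fixlist line and removes the registry entry, plugin or task it describes. As an added example (not code from this thread, from FRST, or from its author), the script below triages FRST-style log lines with a few heuristics that are my own assumptions, not FRST's: an entry that ends in "No File" (the registry points at a module that is gone), a module living in a browser cache or temp directory, a module with no recorded publisher, and a scheduled task that starts an executable through pcalua.exe. The sample log is constructed from the entries posted in this thread plus one made-up benign BHO (constructed CLSID and publisher) so the filter has something to leave alone.

```python
import re

# Constructed sample in FRST log layout: the entries from this thread plus one
# made-up benign helper (constructed CLSID/publisher) that should NOT be flagged.
SAMPLE_LOG = r"""
BHO: QQDownload IE Left Helper -> {00000000-12C9-4305-82F9-43058F20E8D2} -> C:\Program Files (x86)\Tencent\QQDownload\QQIEHelper64.dll [2013-07-31] (Tencent Technology (Shenzhen) Company Limited)
BHO-x32: NavigateBHO Class -> {CD79381A-F551-4E4E-9FE5-68105416C550} -> C:\Users\user\AppData\Roaming\baidu\BaiduPlayerBrowser\2.6.1.57_1\ProtectBHO.dll No File
FF Plugin-x32: @baidu.com/npxbdsetup -> C:\Windows\Downloaded Program Files\1468078\npxbdsetup.dll [2012-12-26] ()
Task: {9E7EE08F-E915-4FAE-8F2F-4DD16FC08933} - System32\Tasks\{8876E257-B921-40C2-8130-705213219B03} => pcalua.exe -a "C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W336JY9O\install_flashplayer11x32ax_gtbp_chra_aih[1].exe" -d C:\Users\user\Desktop
BHO: Example Helper -> {11111111-2222-3333-4444-555555555555} -> C:\Program Files\Example\helper.dll [2013-01-01] (Example Publisher)
"""

# Entry types this triage looks at (the ones that appeared in the fixlist above).
PREFIXES = ("BHO:", "BHO-x32:", "FF Plugin:", "FF Plugin-x32:", "DPF:", "Task:")

# Directories where a browser helper, plugin or task payload has no business
# living; anything loaded from a download cache is worth a closer look.
CACHE_DIRS = (
    "\\Temporary Internet Files\\",
    "\\Downloaded Program Files\\",
    "\\AppData\\Local\\Temp\\",
)


def triage_line(line):
    """Return the reasons an FRST entry looks suspicious (empty list = leave it)."""
    reasons = []
    if not line.startswith(PREFIXES):
        return reasons
    if line.endswith("No File"):
        reasons.append("orphaned entry: registry points at a module that no longer exists")
    lowered = line.lower()
    if any(d.lower() in lowered for d in CACHE_DIRS):
        reasons.append("module lives in a browser cache or temp directory")
    if line.endswith("()"):
        reasons.append("no publisher recorded for the module")
    if line.startswith("Task:") and re.search(r"\bpcalua\.exe\s+-a\b", line):
        reasons.append("scheduled task launches an executable through pcalua.exe")
    return reasons


def triage_log(text):
    """Map each suspicious log line (verbatim, stripped) to its reasons, in log order."""
    flagged = {}
    for raw in text.splitlines():
        line = raw.strip()
        reasons = triage_line(line)
        if reasons:
            flagged[line] = reasons
    return flagged


def build_fixlist(text):
    """Lay out fixlist.txt the way the one in this thread is built: restore point
    first, the flagged log entries verbatim, temp cleanup last."""
    flagged = triage_log(text)
    return "\n".join(["CreateRestorePoint:", *flagged, "EmptyTemp:"]) + "\n"


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(entry[:60] + "...")
        for reason in why:
            print("   -", reason)
    print()
    print(build_fixlist(SAMPLE_LOG))
```

Note that the first QQDownload line is not flagged by these heuristics: it is a properly installed, signed module, and the reason to remove it in this thread was reputation (readily hijacked), not anything visible in the log line itself. A heuristic filter like this narrows the list for a human to review; it does not replace that review.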
system
5
Fixlog and AdwCleaner[S0] attached.
I disabled the plugins, leaving only those from Microsoft and Google, yet the MBAM official site is hijacked to Softonic only in IE.
But getting to http://www.malwarebytes.org/mwb-download/ from http://www.malwarebytes.org/ is no problem
Hmm, that is intriguing; the next step is to reset IE.
First though export your favourites to a desktop file http://www.7tutorials.com/how-import-or-export-bookmarks-when-using-internet-explorer-11
Then go to Control Panel > Internet options > Advanced tab
Click Reset
Reboot and then try IE again
system
7
I did a reset on IE, still get to Softonic using https://www.malwarebytes.org/getmbam
Did a total clean-up of the game (the computer is too slow, and this freed up some 10GB) and QQ, and updated from IE8 to IE11 (you can see this computer has a very old set of software :-\ )
Though there are some leftover files:
C:\xuanfeng*
C:\Program Files (x86)\Garena Plus*
C:\Program Files (x86)\GarenaLoLTW*
C:\Program Files (x86)\Gunz2*
C:\Program Files (x86)\RC語音*
Still get the Softonic site.
From Google Safe Browsing, this is not a very good site for software. See http://www.google.com/safebrowsing/diagnostic?site=softonic.com
Weird that MBAM fails to catch the plugin for this.
Edit: Now I know why PPTV is not good!
Even though I used the uninstaller, there are still a lot of folders left over, especially the junk and adware in C:\Users\user\AppData\Roaming\PPlive. Software that is “Made in China” is usually rogue in this way.
Pondus
8
Run a fresh FRST log for essexboy to look at.
system
9
A fresh FRST log.
Edit: Sad news about this machine!! The hard disk suddenly began to make a noise and then all of a sudden I got a BSOD of 0x0000007A. Since then I cannot boot successfully without a freeze or the message about not finding a boot medium (I guess it means the hard disk). I guess this thread can end now.
That sounds as though you need a new hard drive