should avast add record page and record page ads to virus list?

essexboy · 2015-07-11T14:05:24.000Z

Did you install the following programmes ?

360安全浏览器7
QQ International
QQ旋风4.7
BaiduYunGuanjia
Tencent

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S0].txt as well.

system · 2015-07-11T14:11:27.000Z

yes i do
but i install it for a long time
so i don’t think is there problem
and adwcleaner doesn’t work

system · 2015-07-11T14:36:45.000Z

http://i467.photobucket.com/albums/rr39/ranger352/20150711223423_zpsut6bmsu6.jpg

essexboy · 2015-07-11T14:45:21.000Z

Download adwcleaner from here https://dl.dropboxusercontent.com/u/73555776/AdwCleaner.exe

I will now revisit your FRST log, and create a fix

system · 2015-07-11T15:00:28.000Z

I used your adwcleaner to scan again
but it show nothing

essexboy · 2015-07-11T15:08:04.000Z

Which browser do the adverts show in ?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint: HKLM-x32\...\RunOnce: [360safeuninst] => C:\Users\user\AppData\Local\Temp\remove360.bat [1782 2015-07-11] () <===== ATTENTION HKU\S-1-5-21-1328610593-2988302748-3692750778-1000\...\Run: [QQ2009] => E:\Tencent\QQ\Bin\QQ.exe [139960 2015-07-10] (Tencent) HKU\S-1-5-21-1328610593-2988302748-3692750778-1000\...\MountPoints2: {5b25d3fa-9028-11e2-ac3b-bc5ff4687250} - F:\autorun.exe HKU\S-1-5-21-1328610593-2988302748-3692750778-1000\...\MountPoints2: {62dd396a-8863-11e2-8180-bc5ff4687250} - H:\autorun.exe HKU\S-1-5-21-1328610593-2988302748-3692750778-1000\...\MountPoints2: {8d43027a-8e75-11e2-9fad-bc5ff4687250} - G:\Startme.exe HKU\S-1-5-21-1328610593-2988302748-3692750778-1000\...\MountPoints2: {8e87627f-8c47-11e2-852c-806e6f6e6963} - F:\autorun.exe HKU\S-1-5-21-1328610593-2988302748-3692750778-1000\...\MountPoints2: {9b5dfcc2-9118-11e3-b22e-bc5ff4687250} - I:\autorun.exe ShellIconOverlayIdentifiers-x32: [AAADesktopTips] -> {4562B511-62E9-4533-B7B2-56A8BB10B482} => No File BHO: QQDownload IE Left Helper -> {00000000-12C9-4305-82F9-43058F20E8D2} -> E:\Tencent\QQDownload\QQIEHelper64.dll [2013-06-26] (Tencent Technology (Shenzhen) Company Limited) BHO-x32: No Name -> {00000000-12C9-4305-82F9-43058F20E8D2} -> No File BHO-x32: No Name -> {6A19C29D-ED45-4483-8999-9F939C8161F2} -> No File BHO-x32: No Name -> {889D2FEB-5411-4565-8998-1DD2C5261283} -> No File BHO-x32: QQMiniDL Helper Class -> {C9C7334B-5657-41e1-8F79-F6AACECA05F4} -> C:\Program Files (x86)\Common Files\Tencent\QQMiniDL\60\Browser\QQIEHelper01.dll [2014-07-15] (Tencent Technology (Shenzhen) Company Limited) BHO-x32: AccountProtectBHO Class -> {DDD362CF-523B-4BC9-8FDC-58F93B6BC945} -> C:\Users\user\AppData\Roaming\Tencent\QQ\QQAntiPhishing\AccountProtect.dll [2015-06-30] (Tencent) Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File Toolbar: HKU\S-1-5-21-1328610593-2988302748-3692750778-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - No File Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - No File FF Plugin-x32: @baidu.com/npxbdsetup -> C:\Windows\Downloaded Program Files\998503072\npxbdsetup.dll [2012-12-10] () FF Plugin-x32: @baidu.com/YunWebDetectPlugin -> e:\Roaming\baidu\BaiduYunGuanjia\npYunWebDetect.dll [2015-05-07] (Baidu.com, Inc.) FF Plugin-x32: @qq.com/npqscall -> C:\Program Files (x86)\Common Files\Tencent\Npchrome\npactivex.dll [2015-07-10] (Tencent) FF Plugin-x32: @qq.com/QQDownloadPlugin -> E:\Tencent\QQDownload\Browser\769\npXFPlugin.dll [2013-02-25] (Tencent Technology (Shenzhen) Company Limited) FF Plugin-x32: @qq.com/QQMiniDLPlugin -> C:\Program Files (x86)\Common Files\Tencent\QQMiniDL\60\Browser\npXFMiniDLPlugin.dll [2014-04-25] (Tencent Technology (Shenzhen) Company Limited) FF Plugin-x32: @qq.com/QQPhotoDrawEx -> C:\Program Files (x86)\Tencent\Qzone\npQQPhotoDrawEx.dll No File FF Plugin-x32: @qq.com/QzoneMusic -> C:\Program Files (x86)\Tencent\QzoneMusic\npQzoneMusic.dll [2014-08-30] (Tencent) FF Plugin-x32: @qq.com/TXSSO -> C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.3.30\Bin\npSSOAxCtrlForPTLogin.dll [2015-06-26] (Tencent) FF Plugin-x32: @tencent.com/npQQMailWebKit,version=1.0.0.1 -> C:\Program Files (x86)\QQMailPlugin\npQQMailWebKit.dll [2013-04-25] (Tencent) FF Plugin-x32: @tencent.com/nptxftnWebKit,version=1.0.0.1 -> C:\Program Files (x86)\QQMailPlugin\nptxftnWebKit.dll [2013-04-08] (Tencent Technology (Shenzhen) Company Limited) FF Plugin-x32: @xunlei.com/npxluser -> C:\Program Files (x86)\Common Files\Thunder Network\UserAgent\npxluser2.0.2.3.dll No File FF Plugin HKU\S-1-5-21-1328610593-2988302748-3692750778-1000: @xunlei.com/npxlgamebox -> D:\gay\XLGameBox\Program\npxlgamebox1.0.0.3.dll No File FF Plugin HKU\S-1-5-21-1328610593-2988302748-3692750778-1000: @xunlei.com/npxluser -> C:\Program Files (x86)\Common Files\Thunder Network\UserAgent\npxluser2.0.2.3.dll No File FF Plugin HKU\S-1-5-21-1328610593-2988302748-3692750778-1000: anvisoft.com/AdblockPlugin -> C:\ProgramData\Anvisoft\Anvi Smart Defender 2\extensions\npAdblockPlugin.dll No File FF Extension: NetVideoHunter - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\f5z0uz0x.default\Extensions\netvideohunter@netvideohunter.com [2015-06-13] S3 BaiduYunUtility; e:\Roaming\baidu\BaiduYunGuanjia\YunUtilityService.exe [90392 2015-05-07] () R2 QPCore; C:\Program Files (x86)\Common Files\Tencent\QQProtect\Bin\QQProtect.exe [96952 2015-06-30] (Tencent) R1 360Box64; C:\Windows\System32\DRIVERS\360Box64.sys [319568 2015-05-25] (360.cn) U3 acobvjox; No ImagePath R4 360netmon; system32\DRIVERS\360netmon.sys [X] R1 360reskit64; \??\C:\Windows\system32\drivers\360reskit64.sys [X] 2015-07-11 04:15 - 2015-07-11 04:15 - 00000000 ____D C:\ProgramData\360safe 2015-07-11 04:15 - 2015-07-11 04:15 - 00000000 ____D C:\ProgramData\360safe 2015-07-11 03:08 - 2015-05-25 18:41 - 00319568 _____ (360.cn) C:\Windows\system32\Drivers\360Box64.sys 2015-07-10 20:40 - 2015-07-10 20:40 - 00000000 ____D C:\Users\user\AppData\Local\Tencent 2015-07-10 20:40 - 2015-07-10 20:40 - 00000000 ____D C:\Program Files (x86)\Tencent 2015-07-10 20:38 - 2015-06-09 18:22 - 00064952 _____ (Tencent) C:\Windows\system32\Drivers\QQProtectX64.sys 2015-07-10 20:37 - 2015-07-10 23:27 - 00000000 ____D C:\ProgramData\Tencent 2015-07-11 03:29 - 2014-03-16 13:48 - 00000000 ____D C:\Program Files (x86)\360 2015-07-11 03:09 - 2013-12-25 01:53 - 00000000 ____D C:\Users\user\AppData\Roaming\360Login 2015-06-13 00:05 - 2014-11-14 08:27 - 00000000 __SHD C:\Users\user\AppData\Local\EmieBrowserModeList 2015-06-13 00:05 - 2014-04-26 00:28 - 00000000 __SHD C:\Users\user\AppData\Local\EmieUserList 2015-06-13 00:05 - 2014-04-26 00:28 - 00000000 __SHD C:\Users\user\AppData\Local\EmieSiteList 2015-06-23 00:56 - 2013-03-12 22:30 - 00000000 ____D C:\Users\user\AppData\Roaming\Youtube Downloader HD C:\Users\user\AppData\Local\Temp\remove360.bat Task: {EFF27C1B-F1EC-40CC-8207-237C4741EC3B} - System32\Tasks\{530DBFC7-1916-4153-9C46-F34D09261AF9} => C:\Users\user\Desktop\1\1.exe 2015-07-11 21:35 - 2014-09-04 07:43 - 00000456 _____ C:\Windows\Tasks\微软设备健康助手自动更新.job 2015-07-11 20:49 - 2015-02-19 13:13 - 00000462 _____ C:\Windows\Tasks\微软设备健康助手设备检查.job 2015-07-11 02:40 - 2014-11-20 20:52 - 00000440 _____ C:\Windows\Tasks\微软设备健康助手开机检测.job FF Plugin HKU\S-1-5-21-1328610593-2988302748-3692750778-1000: duowan.com/Checker -> C:\Program Files (x86)\Common Files\duowan\yy\YYSSO\1.0.0.3\npChecker.dll [2013-10-09] (广州多玩信息技术有限公司) C:\Program Files (x86)\Common Files\Tencent E:\365 E:\yy RemoveProxy: EmptyTemp: CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

system · 2015-07-11T15:09:57.000Z

chrome and firefox

system · 2015-07-11T15:46:26.000Z

https://www.sendspace.com/file/yl8xdi

essexboy · 2015-07-11T15:49:10.000Z

Could you now run a fresh FRST scan for me please and if possible attach a screenshot of one of the ads

system · 2015-07-11T16:35:01.000Z

sorry for some reason I restore back to the restore point created by FRST
I afraid my qq will lost some important message
https://www.sendspace.com/file/w1d8qf

essexboy · 2015-07-11T17:33:57.000Z

Are you still getting the ads ?

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

system · 2015-07-11T18:03:15.000Z

yes still getting ads
https://www.sendspace.com/file/0b5a6c

essexboy · 2015-07-11T18:16:41.000Z

I believe they are coming from tencent

Could you screenshot one of the ads please and post it here

system · 2015-07-11T18:20:24.000Z

https://www.sendspace.com/file/vkshac
plz check R0

system · 2015-07-11T18:24:18.000Z

ads look like this
http://www.theadgateway.com/a/display.php?k=55a15bca4a6d9557991.314852&h=abb1c4b351043e1e892d67a3eacd8448d7d0b5e5&ban=557991&r=360854&iid=1436638154201197429023842023729021&ci=%3D%3DgSKdwBBQQDV4kVbJ1UVsxBHMQAP0QFORVWSJkRSVUUVshDO4gDO0QFONkXDllVCZUFM1QF1VxGKdQDV4kVbJ1UVsxBHMQAP0QFORVWSJkRSVUUVshDO4gDO0QFONkXDllVCZUFM1QF0VxGKdQDV4kVbJ1UVsxBBQQDV4EVZJlQGJVRRVxGG0QFONkXDllVCZUFM1QFtVBT&pm=VIlUFNUF&pabt=%3D%3DQFHcUF&pc=%3DAgDPEAAGAgDDIwDPIABHkxB&id=557991&ct_bust=0.9687293358147144&exp=su11

http://offer.alibaba.com/exclusive.html?alpsm=true&match=rule&prior=medium&ruleid=35&rank=solelp&tv=3&imp=2m19gjf19pv5s7cvcr4r&xp=u2Qt0m34x_TI1hkm3CQivqqh_tWRYXeiwQNapURu6rsIzE0lZGVrcxJ8MWPwbAkwmPi_LtyB_iRUMbOYwlVkTywxt5qccAirBxMQBFPntL4&pid=360854&td=1&aff_id=171573465&ct=1&size=000_000&an=50001&bm=cpa&tp1=20119742901436639173&src=saf
https://thedailytrader.net/uBinary/EN/IHAgentWhite/?offer_id=496&aff_id=2776&aff_sub=Z.P&aff_sub2=NTh8NzczfEhLfDN8MXxlY2hvLWpldS1DbFNSY2duTHxVa1ZHUlZKRlVnKmFIUjBjRG92THpNMk1EZzFOQzVoWkdOaGMyZ3VZMjl0fmEyVjVkMjl5WkEqfmMybDBaV2xrKlpXTm9ieTFxWlhVdFEyeFRVbU5uYmt3&aff_sub3=echo-jeu-ClSRcgnL&aff_sub4=&aff_sub5=uBinary_IHAgentWhite_EN&source=$$CUSTOM_PARAM(URL)$$&url_id=4806

http://rvfrm2006.com/aS/sa?cid=16525-4030517&pid=16525&q=%u96CD%u65CB%20<a%20href%3D'https%3A//www.facebook.com/socrec/videos/vb.160696287290644/1177015682&ap=cmp%3DPOPUNDER

http://i467.photobucket.com/albums/rr39/ranger352/20150712022204_zpseetl5tak.png

essexboy · 2015-07-11T20:50:40.000Z

OK they are all from alibaba which is on your system, so uninstalling that should clear them

system · 2015-07-12T10:49:06.000Z

but I dont have alibaba?

system · 2015-07-12T11:26:51.000Z

https://www.sendspace.com/file/l4drc0

essexboy · 2015-07-12T11:32:25.000Z

Could you run a fresh FRST scan after this and attach it please, as sendspace is diverting to a malware site

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint: FF Plugin HKU\S-1-5-21-1328610593-2988302748-3692750778-1000: @alibaba.com/npAliSSOLogin;version=1.0 -> E:\AliWangWang\8.00.34C\npAliSSOLogin.dll No File FF Plugin HKU\S-1-5-21-1328610593-2988302748-3692750778-1000: @alibaba.com/npwangwang;version=1.0 -> E:\AliWangWang\8.00.34C\npwangwang.dll No File RemoveProxy: CMD: netsh advfirewall reset CMD: netsh advfirewall set allprofiles state ON CMD: ipconfig /flushdns CMD: netsh winsock reset catalog CMD: netsh int ip reset c:\resetlog.txt CMD: ipconfig /release CMD: ipconfig /renew CMD: netsh int ipv4 reset CMD: netsh int ipv6 reset EmptyTemp: CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

system · 2015-07-12T12:16:01.000Z

https://www.sendspace.com/file/q5d5uh

Announcements