Browser hijack by hao123.com [Solved]


This topic is locked

#16
Machiavelli
GeekU Moderator
3,700 posts

I notice that you have multiple antivirus programs installed on your system. If more than one program is running real time protection, then there is a very high chance of conflicts being created. This could cause the programs to 'fight' against each other and they may render the other useless, hence reducing your protection. It is very important to ensure that you are only running one antivirus program at the same time.

Please remove McAfee before we continue. If you are unsure about how to do this, a list of removal tools can be found here:

http://kb.eset.com/e...tent&id=SOLN146

Upload the suspicious files to virustotal.com and send me the link to the report please.

First,

 

  • Please download the attached fixlist.txt file and save it to the same location as FRST.

Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run.
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run from; please post it in your reply.

Next,

  • Run FRST. (If you have Windows Vista / Windows 7 / Windows 8: please right-click the FRST icon and select Run as Administrator.)
  • Click Scan to start FRST.
  • When FRST finishes scanning, a log, FRST.txt, will open.
  • Copy (Ctrl+C) and paste (Ctrl+V) the contents of this log into your next post please.

Next,
still redirects?



#17
happyhome
Member (Topic Starter)
23 posts

Ok, I have removed McAfee.

These are the links for the scans:

https://www.virustot...c744e/analysis/

https://www.virustot...c5a27/analysis/

https://www.virustot...sis/1406869518/

https://www.virustot...sis/1406869622/

https://www.virustot...sis/1406869736/

All of them seem to be clean.

Fixlog

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 31-07-2014 01
Ran by Tng family at 2014-08-01 13:17:16 Run:1
Running from C:\Users\Tng family\Downloads
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
ShellIconOverlayIdentifiers: FunOverlay -> {A5662DF9-0C2E-4A56-9FE1-BACFF6966D88} => C:\Users\Public\Fundata\FunAir.dll No File
Toolbar: HKCU - No Name - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - No File
DPF: HKLM-x32 {149E45D8-163E-4189-86FC-45022AB2B6C9} file:///C:/Program%20Files%20(x86)/Insaniquarium%20Deluxe/Images/stg_drm.ocx
DPF: HKLM-x32 {CC450D71-CC90-424C-8638-1F2DBAC87A54} file:///C:/Program%20Files%20(x86)/Plants%20vs.%20Zombies/Images/armhelper.ocx
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
2014-07-27 14:53 - 2014-07-27 14:53 - 00000000 ____H () C:\Users\Tng family\AppData\Local\BITC37D.tmp
2014-07-27 14:53 - 2014-07-27 14:53 - 00000000 _____ () C:\Users\Tng family\AppData\Local\{EE959DC4-D677-4722-ACFA-EE3ED68CF202}
2014-07-26 21:43 - 2014-07-26 21:43 - 02938144 _____ (LionSea Software co., ltd ) C:\Users\Tng family\Downloads\setup.exe
C:\ProgramData\flashax10.exe
*****************

"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\FunOverlay" => Key deleted successfully.
"HKCR\CLSID\{A5662DF9-0C2E-4A56-9FE1-BACFF6966D88}" => Key deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{759D9886-0C6F-4498-BAB6-4A5F47C6C72F} => value deleted successfully.
"HKCR\CLSID\{759D9886-0C6F-4498-BAB6-4A5F47C6C72F}" => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Code Store Database\Distribution Units\{149E45D8-163E-4189-86FC-45022AB2B6C9}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{149E45D8-163E-4189-86FC-45022AB2B6C9}" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Code Store Database\Distribution Units\{CC450D71-CC90-424C-8638-1F2DBAC87A54}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{CC450D71-CC90-424C-8638-1F2DBAC87A54}" => Key deleted successfully.
esgiguard => Service deleted successfully.
C:\Users\Tng family\AppData\Local\BITC37D.tmp => Moved successfully.
C:\Users\Tng family\AppData\Local\{EE959DC4-D677-4722-ACFA-EE3ED68CF202} => Moved successfully.
C:\Users\Tng family\Downloads\setup.exe => Moved successfully.
C:\ProgramData\flashax10.exe => Moved successfully.

==== End of Fixlog ====

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 31-07-2014 01
Ran by Tng family (administrator) on TNG-FAMILY-PC on 01-08-2014 13:18:35
Running from C:\Users\Tng family\Downloads
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingc...can-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingc...can-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
() C:\Program Files (x86)\QvodPlayer\QvodWebBase\1.0.0.48\QvodWebService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(CANON INC.) C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-Agent.exe
(CANON INC.) C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(CANON INC.) C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(CANON INC.) C:\Program Files (x86)\Canon\Solution Menu EX\CNSEUPDT.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil64_14_0_0_145_ActiveX.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(mIRC Co. Ltd.) C:\Program Files (x86)\mIRC\mirc.exe
(Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12503184 2012-06-11] (Realtek Semiconductor)
HKLM\...\Run: [CanonMyPrinter] => C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2779024 2011-03-15] (CANON INC.)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-03-03] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [BlueStacks Agent] => C:\Program Files (x86)\BlueStacks\HD-Agent.exe [601928 2013-07-17] (BlueStack Systems, Inc.)
HKLM-x32\...\Run: [CanonSolutionMenuEx] => C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE [1612920 2011-08-04] (CANON INC.)
HKLM-x32\...\Run: [IJNetworkScannerSelectorEX] => C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe [452016 2011-01-15] (CANON INC.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [4085896 2014-07-31] (AVAST Software)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [256896 2014-07-11] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\.DEFAULT\...\Policies\Explorer: [NoFolderOptions] 0
HKU\.DEFAULT\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-21-2522120943-1274516608-2902159866-1001\...\Run: [GoogleChromeAutoLaunch_862EC30EB1851205146266A5AA620BF4] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [860488 2014-07-15] (Google Inc.)
ShellIconOverlayIdentifiers: 00avast -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (AVAST Software)
ShellIconOverlayIdentifiers: DownloadIcon -> {A8502600-B272-4F68-A67B-A0305D46D298} => C:\Program Files (x86)\QvodPlayer\QvodExtend\5.0.99.0\QvodExtend_x64.dll (Shenzhen QVOD Technology Co.,Ltd)
ShellIconOverlayIdentifiers: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Tng family\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Tng family\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Tng family\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: DropboxExt4 -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Tng family\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: DownloadIcon -> {A8502600-B272-4F68-A67B-A0305D46D297} => C:\Program Files (x86)\QvodPlayer\QvodExtend\5.0.99.0\QvodExtend.dll (Shenzhen QVOD Technology Co.,Ltd)
ShellIconOverlayIdentifiers-x32: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Tng family\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Tng family\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Tng family\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: DropboxExt4 -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Tng family\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll (Dropbox, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://xin.msn.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-SG
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://sg.yahoo.com/
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
Toolbar: HKLM-x32 - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
DPF: HKLM-x32 {0E5F0222-96B9-11D3-8997-00104BD12D94} http://www.pcpitstop...t/PCPitStop.CAB
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

FireFox:
========
FF ProfilePath: C:\Users\Tng family\AppData\Roaming\Mozilla\Firefox\Profiles\w8wjuqgw.default-1406729069794
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\windows\SysWOW64\Macromed\Flash\NPSWF32_14_0_0_145.dll ()
FF Plugin-x32: @adobe.com/ShockwavePlayer - C:\windows\system32\Adobe\Director\np32dsw.dll No File
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @canon.com/EPPEX - C:\Program Files (x86)\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.65.2 - C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.65.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @real.com/nppl3260;version=6.0.12.450 - C:\Program Files (x86)\Real Alternative\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpjplug;version=6.0.12.448 - C:\Program Files (x86)\Real Alternative\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.7 - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2014-07-30]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} [2014-07-30]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} [2014-07-30]
FF Extension: Skype Click to Call - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2014-07-30]
FF HKLM-x32\...\Firefox\Extensions: [[email protected]] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2013-07-14]

Chrome:
=======
CHR HomePage: hxxp://www.google.com.sg/
CHR StartupUrls: "hxxp://www.google.com/"
CHR Extension: (Entanglement Web App) - C:\Users\Tng family\AppData\Local\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd [2014-05-03]
CHR Extension: (优酷一键通Sotapit) - C:\Users\Tng family\AppData\Local\Google\Chrome\User Data\Default\Extensions\alddjbjplgobbllfolehibiclbhmomla [2014-05-03]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Tng family\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-26]
CHR Extension: (avast! Online Security) - C:\Users\Tng family\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-07-08]
CHR Extension: (Go away MDA - Bypass MDA blocked sites) - C:\Users\Tng family\AppData\Local\Google\Chrome\User Data\Default\Extensions\lledpflfnanamkogoclkgaggfdgoalok [2014-05-20]
CHR Extension: (Poppit!) - C:\Users\Tng family\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi [2014-05-03]
CHR Extension: (Google Wallet) - C:\Users\Tng family\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-23]
CHR Extension: (Unblock Youku) - C:\Users\Tng family\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdnfnkhpgegpcingjbfihlkjeighnddk [2014-05-03]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-07-07]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2014-07-14]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-07-07] (AVAST Software)
S2 BstHdAndroidSvc; C:\Program Files (x86)\BlueStacks\HD-Service.exe [393032 2013-07-17] (BlueStack Systems, Inc.)
R2 BstHdLogRotatorSvc; C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe [384840 2013-07-17] (BlueStack Systems, Inc.)
R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1390176 2014-07-14] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1767520 2014-07-14] (Microsoft Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
S2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [X]
S2 McTaskManager; "C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe" [X]
S2 mfevtp; "C:\windows\system32\mfevtps.exe" [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-07-07] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [79184 2014-07-07] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2014-07-07] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-07-07] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1041168 2014-07-07] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [427360 2014-07-07] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [92008 2014-07-07] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [224896 2014-07-07] ()
R1 avgtp; C:\windows\system32\drivers\avgtpx64.sys [30568 2012-11-08] (AVG Technologies)
R2 BstHdDrv; C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [70984 2013-07-17] (BlueStack Systems)
U3 mfeavfk01; No ImagePath
S3 RTL8023x64; C:\Windows\System32\DRIVERS\Rtnic64.sys [51712 2009-06-11] (Realtek Semiconductor Corporation                           )
S3 taphss6; C:\Windows\System32\DRIVERS\taphss6.sys [42184 2013-04-25] (Anchorfree Inc.)
S3 USTOR2K; C:\Windows\System32\DRIVERS\ustor2k.sys [52224 2010-02-22] (Genesys Logic)
S1 bd0004; system32\DRIVERS\bd0004.sys [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 e1kexpress; system32\DRIVERS\e1k62x64.sys [X]
S3 gdrv; \??\C:\windows\gdrv.sys [X]
S3 mfeapfk; system32\drivers\mfeapfk.sys [X]
R3 mfeavfk; system32\drivers\mfeavfk.sys [X]
R0 mfehidk; system32\drivers\mfehidk.sys [X]
S3 mferkdet; system32\drivers\mferkdet.sys [X]
R0 mfewfpk; system32\drivers\mfewfpk.sys [X]
S3 RkHit; \??\C:\windows\system32\drivers\RKHit.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-07-31 18:56 - 2014-07-31 18:57 - 00037189 _____ () C:\Users\Tng family\Downloads\Addition.txt
2014-07-31 18:55 - 2014-08-01 13:18 - 00017824 _____ () C:\Users\Tng family\Downloads\FRST.txt
2014-07-31 18:54 - 2014-08-01 13:18 - 00000000 ___DC () C:\FRST
2014-07-31 18:54 - 2014-07-31 18:54 - 02094080 _____ (Farbar) C:\Users\Tng family\Downloads\FRST64.exe
2014-07-31 18:49 - 2014-08-01 08:31 - 00000224 _____ () C:\windows\setupact.log
2014-07-31 18:49 - 2014-07-31 18:49 - 00000000 _____ () C:\windows\setuperr.log
2014-07-30 22:04 - 2014-07-30 22:04 - 00000000 ____D () C:\Users\Tng family\Desktop\Old Firefox Data
2014-07-30 22:02 - 2014-08-01 12:53 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-07-30 20:45 - 2014-07-30 20:45 - 00002543 _____ () C:\Users\Tng family\Desktop\aswMBR.txt
2014-07-30 20:45 - 2014-07-30 20:45 - 00000512 _____ () C:\Users\Tng family\Desktop\MBR.dat
2014-07-30 20:28 - 2014-07-30 20:28 - 05185536 _____ (AVAST Software) C:\Users\Tng family\Desktop\aswMBR.exe
2014-07-29 22:52 - 2014-07-29 22:52 - 00001120 _____ () C:\Users\Tng family\Desktop\eset.txt
2014-07-29 21:32 - 2014-07-29 21:32 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-07-29 21:23 - 2014-07-29 21:23 - 00002291 ____C () C:\mbam2907.txt
2014-07-29 21:00 - 2014-07-29 21:00 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Tng family\Downloads\mbam-setup-2.0.2.1012.exe
2014-07-29 20:26 - 2014-07-30 19:25 - 00105284 _____ () C:\Users\Tng family\Desktop\OTL.Txt
2014-07-29 20:08 - 2014-07-29 20:08 - 00000767 _____ () C:\Users\Tng family\Desktop\JRT.txt
2014-07-29 20:00 - 2014-07-29 20:00 - 01016261 _____ (Thisisu) C:\Users\Tng family\Desktop\JRT.exe
2014-07-29 19:58 - 2014-07-29 19:58 - 00001556 _____ () C:\Users\Tng family\Desktop\AdwCleaner[S3].txt
2014-07-29 19:51 - 2014-07-29 19:52 - 01365551 _____ () C:\Users\Tng family\Desktop\AdwCleaner.exe
2014-07-28 09:29 - 2014-07-28 09:29 - 00003400 ____N () C:\bootsqm.dat
2014-07-28 09:28 - 2014-07-28 09:28 - 00000000 __SHD () C:\found.000
2014-07-27 22:50 - 2014-07-27 22:50 - 00000000 ____D () C:\ProgramData\CanonIJPLM
2014-07-26 19:19 - 2014-07-26 19:19 - 00000000 ___DC () C:\_OTL
2014-07-26 19:01 - 2014-07-26 19:01 - 00602112 _____ (OldTimer Tools) C:\Users\Tng family\Desktop\OTL.exe
2014-07-26 17:28 - 2014-07-26 17:28 - 00000000 ____C () C:\autoexec.bat
2014-07-26 14:17 - 2014-07-26 14:17 - 00816128 _____ () C:\Users\Tng family\Downloads\RogueKiller.exe
2014-07-26 14:15 - 2014-07-26 14:20 - 00000000 ____D () C:\Users\Tng family\Desktop\RK_Quarantine
2014-07-26 14:07 - 2014-07-26 14:07 - 00000021 _____ () C:\windows\tpcsd
2014-07-23 22:47 - 2014-07-23 22:47 - 00000000 ____D () C:\windows\ERUNT
2014-07-23 22:46 - 2014-07-23 22:46 - 01016261 _____ (Thisisu) C:\Users\Tng family\Downloads\JRT.exe
2014-07-23 22:40 - 2010-08-30 08:34 - 00536576 _____ (SQLite Development Team) C:\windows\SysWOW64\sqlite3.dll
2014-07-23 22:38 - 2014-07-23 22:39 - 01354223 _____ () C:\Users\Tng family\Downloads\adwcleaner_3.216.exe
2014-07-23 22:28 - 2014-07-23 22:28 - 00035320 ____C () C:\ComboFix.txt
2014-07-22 21:56 - 2014-07-22 21:56 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2014-07-22 21:56 - 2014-07-11 03:02 - 00098216 _____ (Oracle Corporation) C:\windows\SysWOW64\WindowsAccessBridge-32.dll
2014-07-22 21:56 - 2014-07-11 02:56 - 00272808 _____ (Oracle Corporation) C:\windows\SysWOW64\javaws.exe
2014-07-22 21:56 - 2014-07-11 02:56 - 00175528 _____ (Oracle Corporation) C:\windows\SysWOW64\javaw.exe
2014-07-22 21:56 - 2014-07-11 02:55 - 00175528 _____ (Oracle Corporation) C:\windows\SysWOW64\java.exe
2014-07-22 21:53 - 2014-07-22 21:56 - 00004088 _____ () C:\windows\SysWOW64\jupdate-1.7.0_65-b20.log
2014-07-22 21:50 - 2014-07-29 23:01 - 00000047 ____H () C:\Users\Tng family\FunShion.ini
2014-07-22 21:26 - 2014-07-29 21:20 - 00122584 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2014-07-22 21:24 - 2014-07-29 21:02 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-07-22 21:24 - 2014-07-29 21:02 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-07-22 21:24 - 2014-05-12 07:26 - 00091352 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbamchameleon.sys
2014-07-22 21:24 - 2014-05-12 07:26 - 00063704 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mwac.sys
2014-07-22 21:00 - 2014-07-23 22:28 - 00000000 ___DC () C:\Qoobox
2014-07-22 20:59 - 2014-07-22 20:59 - 05562504 ____R (Swearware) C:\Users\Tng family\Downloads\ComboFix.exe
2014-07-20 08:53 - 2014-07-20 08:53 - 00033377 _____ () C:\Users\Tng family\Documents\Recipe for sandwich.pptx
2014-07-18 14:38 - 2014-07-22 21:44 - 00000000 ____D () C:\Users\Tng family\AppData\Roaming\Funshion
2014-07-16 16:24 - 2014-07-16 16:24 - 00000000 ____D () C:\Users\Tng family\AppData\Local\Giraffe
2014-07-13 15:41 - 2014-07-13 15:41 - 00000000 _____ () C:\windows\SysWOW64\_backup
2014-07-11 22:19 - 2014-07-12 13:19 - 11204096 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerInstaller.exe
2014-07-08 19:17 - 2014-07-08 19:17 - 00000000 ____D () C:\Users\Tng family\AppData\Roaming\DropboxMaster
2014-07-08 19:16 - 2014-07-08 19:17 - 00000000 ____D () C:\Users\Tng family\AppData\Roaming\Dropbox
2014-07-08 19:16 - 2014-07-08 19:16 - 00000000 ____D () C:\Users\Tng family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2014-07-07 20:54 - 2014-07-07 20:54 - 00043152 _____ (AVAST Software) C:\windows\avastSS.scr
2014-07-05 17:10 - 2014-07-29 22:15 - 00000000 ___HD () C:\Users\Public\FunAcce
2014-07-05 16:29 - 2014-08-01 07:14 - 00272269 _____ () C:\windows\WindowsUpdate.log

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-08-01 13:19 - 2013-03-30 20:40 - 00000830 _____ () C:\windows\Tasks\Adobe Flash Player Updater.job
2014-08-01 13:18 - 2014-07-31 18:55 - 00017824 _____ () C:\Users\Tng family\Downloads\FRST.txt
2014-08-01 13:18 - 2014-07-31 18:54 - 00000000 ___DC () C:\FRST
2014-08-01 13:08 - 2013-12-18 11:29 - 00000000 ____D () C:\Program Files (x86)\mIRC
2014-08-01 12:55 - 2010-10-11 05:38 - 00000000 ____D () C:\ProgramData\McAfee
2014-08-01 12:54 - 2010-10-11 05:38 - 00000000 ____D () C:\Program Files (x86)\McAfee
2014-08-01 12:53 - 2014-07-30 22:02 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-08-01 12:42 - 2014-05-13 10:09 - 00000000 ___DC () C:\Alissa work
2014-08-01 12:37 - 2013-05-11 06:48 - 00000898 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-08-01 12:37 - 2013-05-11 06:48 - 00000894 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-08-01 08:38 - 2009-07-14 12:45 - 00022848 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-08-01 08:38 - 2009-07-14 12:45 - 00022848 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-08-01 08:31 - 2014-07-31 18:49 - 00000224 _____ () C:\windows\setupact.log
2014-08-01 08:31 - 2009-07-14 13:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2014-08-01 07:14 - 2014-07-05 16:29 - 00272269 _____ () C:\windows\WindowsUpdate.log
2014-08-01 06:41 - 2013-07-14 19:24 - 00004182 _____ () C:\windows\System32\Tasks\avast! Emergency Update
2014-07-31 18:57 - 2014-07-31 18:56 - 00037189 _____ () C:\Users\Tng family\Downloads\Addition.txt
2014-07-31 18:54 - 2014-07-31 18:54 - 02094080 _____ (Farbar) C:\Users\Tng family\Downloads\FRST64.exe
2014-07-31 18:49 - 2014-07-31 18:49 - 00000000 _____ () C:\windows\setuperr.log
2014-07-30 22:26 - 2011-11-10 22:45 - 00030208 ___SH () C:\Users\Tng family\Thumbs.db
2014-07-30 22:04 - 2014-07-30 22:04 - 00000000 ____D () C:\Users\Tng family\Desktop\Old Firefox Data
2014-07-30 20:45 - 2014-07-30 20:45 - 00002543 _____ () C:\Users\Tng family\Desktop\aswMBR.txt
2014-07-30 20:45 - 2014-07-30 20:45 - 00000512 _____ () C:\Users\Tng family\Desktop\MBR.dat
2014-07-30 20:38 - 2013-04-18 10:56 - 00000000 ___DC () C:\QUARANTINE
2014-07-30 20:28 - 2014-07-30 20:28 - 05185536 _____ (AVAST Software) C:\Users\Tng family\Desktop\aswMBR.exe
2014-07-30 19:25 - 2014-07-29 20:26 - 00105284 _____ () C:\Users\Tng family\Desktop\OTL.Txt
2014-07-29 23:01 - 2014-07-22 21:50 - 00000047 ____H () C:\Users\Tng family\FunShion.ini
2014-07-29 22:52 - 2014-07-29 22:52 - 00001120 _____ () C:\Users\Tng family\Desktop\eset.txt
2014-07-29 22:15 - 2014-07-05 17:10 - 00000000 ___HD () C:\Users\Public\FunAcce
2014-07-29 21:32 - 2014-07-29 21:32 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-07-29 21:23 - 2014-07-29 21:23 - 00002291 ____C () C:\mbam2907.txt
2014-07-29 21:20 - 2014-07-22 21:26 - 00122584 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2014-07-29 21:02 - 2014-07-22 21:24 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-07-29 21:02 - 2014-07-22 21:24 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-07-29 21:02 - 2014-06-08 18:16 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-07-29 21:00 - 2014-07-29 21:00 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Tng family\Downloads\mbam-setup-2.0.2.1012.exe
2014-07-29 20:08 - 2014-07-29 20:08 - 00000767 _____ () C:\Users\Tng family\Desktop\JRT.txt
2014-07-29 20:00 - 2014-07-29 20:00 - 01016261 _____ (Thisisu) C:\Users\Tng family\Desktop\JRT.exe
2014-07-29 19:58 - 2014-07-29 19:58 - 00001556 _____ () C:\Users\Tng family\Desktop\AdwCleaner[S3].txt
2014-07-29 19:56 - 2014-04-10 17:39 - 00000000 ___DC () C:\AdwCleaner
2014-07-29 19:52 - 2014-07-29 19:51 - 01365551 _____ () C:\Users\Tng family\Desktop\AdwCleaner.exe
2014-07-29 19:37 - 2014-03-22 16:21 - 00000000 ____D () C:\windows\system32\appmgmt
2014-07-29 19:36 - 2014-03-22 16:26 - 00000000 ____D () C:\Users\Tng family\AppData\Roaming\DVDVideoSoft
2014-07-28 10:41 - 2009-07-14 13:13 - 00006666 _____ () C:\windows\system32\PerfStringBackup.INI
2014-07-28 09:55 - 2013-03-29 21:11 - 00000000 ____D () C:\windows\Minidump
2014-07-28 09:29 - 2014-07-28 09:29 - 00003400 ____N () C:\bootsqm.dat
2014-07-28 09:28 - 2014-07-28 09:28 - 00000000 __SHD () C:\found.000
2014-07-27 22:50 - 2014-07-27 22:50 - 00000000 ____D () C:\ProgramData\CanonIJPLM
2014-07-27 21:12 - 2009-07-14 13:08 - 00032628 _____ () C:\windows\Tasks\SCHEDLGU.TXT
2014-07-26 19:19 - 2014-07-26 19:19 - 00000000 ___DC () C:\_OTL
2014-07-26 19:01 - 2014-07-26 19:01 - 00602112 _____ (OldTimer Tools) C:\Users\Tng family\Desktop\OTL.exe
2014-07-26 17:28 - 2014-07-26 17:28 - 00000000 ____C () C:\autoexec.bat
2014-07-26 14:20 - 2014-07-26 14:15 - 00000000 ____D () C:\Users\Tng family\Desktop\RK_Quarantine
2014-07-26 14:17 - 2014-07-26 14:17 - 00816128 _____ () C:\Users\Tng family\Downloads\RogueKiller.exe
2014-07-26 14:07 - 2014-07-26 14:07 - 00000021 _____ () C:\windows\tpcsd
2014-07-25 15:55 - 2013-04-14 22:01 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-07-25 06:44 - 2014-05-14 08:59 - 00000000 ___RD () C:\Program Files (x86)\Skype
2014-07-23 22:47 - 2014-07-23 22:47 - 00000000 ____D () C:\windows\ERUNT
2014-07-23 22:46 - 2014-07-23 22:46 - 01016261 _____ (Thisisu) C:\Users\Tng family\Downloads\JRT.exe
2014-07-23 22:39 - 2014-07-23 22:38 - 01354223 _____ () C:\Users\Tng family\Downloads\adwcleaner_3.216.exe
2014-07-23 22:34 - 2014-06-17 10:45 - 00000000 ____D () C:\Program Files (x86)\QvodPlayer
2014-07-23 22:28 - 2014-07-23 22:28 - 00035320 ____C () C:\ComboFix.txt
2014-07-23 22:28 - 2014-07-22 21:00 - 00000000 ___DC () C:\Qoobox
2014-07-23 22:23 - 2009-07-14 10:34 - 00000215 ____C () C:\windows\system.ini
2014-07-22 23:55 - 2013-07-14 19:49 - 00000000 ____D () C:\Users\Tng family\AppData\Roaming\vlc
2014-07-22 21:56 - 2014-07-22 21:56 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2014-07-22 21:56 - 2014-07-22 21:53 - 00004088 _____ () C:\windows\SysWOW64\jupdate-1.7.0_65-b20.log
2014-07-22 21:56 - 2013-10-19 06:55 - 00000000 ____D () C:\ProgramData\Oracle
2014-07-22 21:56 - 2011-06-08 13:20 - 00000000 ____D () C:\Program Files (x86)\Java
2014-07-22 21:50 - 2011-03-13 21:35 - 00000000 ____D () C:\Users\Tng family
2014-07-22 21:48 - 2014-05-11 14:40 - 00000000 ____D () C:\ProgramData\QvodPlayer
2014-07-22 21:44 - 2014-07-18 14:38 - 00000000 ____D () C:\Users\Tng family\AppData\Roaming\Funshion
2014-07-22 21:25 - 2013-03-30 20:06 - 00000000 ____D () C:\Users\Tng family\AppData\Roaming\Malwarebytes
2014-07-22 21:24 - 2013-03-30 20:06 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-07-22 21:24 - 2013-03-30 20:06 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-07-22 21:16 - 2009-07-14 11:20 - 00000000 ___HD () C:\Users\Default
2014-07-22 21:14 - 2013-03-30 12:48 - 00000000 ____D () C:\windows\erdnt
2014-07-22 21:10 - 2009-07-14 10:34 - 79691776 _____ () C:\windows\system32\config\software.bak
2014-07-22 21:10 - 2009-07-14 10:34 - 28049408 _____ () C:\windows\system32\config\system.bak
2014-07-22 21:10 - 2009-07-14 10:34 - 00524288 _____ () C:\windows\system32\config\default.bak
2014-07-22 21:10 - 2009-07-14 10:34 - 00262144 _____ () C:\windows\system32\config\security.bak
2014-07-22 21:10 - 2009-07-14 10:34 - 00262144 _____ () C:\windows\system32\config\sam.bak
2014-07-22 20:59 - 2014-07-22 20:59 - 05562504 ____R (Swearware) C:\Users\Tng family\Downloads\ComboFix.exe
2014-07-21 21:39 - 2013-10-27 16:17 - 00000000 ____D () C:\Users\Tng family\AppData\Local\Canon Easy-PhotoPrint EX
2014-07-21 21:31 - 2009-07-14 13:32 - 00000000 ____D () C:\windows\system32\FxsTmp
2014-07-20 22:08 - 2014-05-13 10:08 - 00000000 ___DC () C:\adrian work
2014-07-20 20:15 - 2011-09-09 22:35 - 00000954 _____ () C:\Users\Tng family\AppData\Roaming\coreavc.ini
2014-07-20 08:53 - 2014-07-20 08:53 - 00033377 _____ () C:\Users\Tng family\Documents\Recipe for sandwich.pptx
2014-07-19 21:58 - 2011-04-27 16:18 - 00002183 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-07-18 15:23 - 2013-02-01 17:40 - 00000000 ____D () C:\Users\Tng family\AppData\Roaming\Skype
2014-07-16 16:24 - 2014-07-16 16:24 - 00000000 ____D () C:\Users\Tng family\AppData\Local\Giraffe
2014-07-16 09:48 - 2014-06-03 19:19 - 00000000 ____D () C:\ProgramData\Norton
2014-07-13 15:41 - 2014-07-13 15:41 - 00000000 _____ () C:\windows\SysWOW64\_backup
2014-07-12 13:19 - 2014-07-11 22:19 - 11204096 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerInstaller.exe
2014-07-12 13:19 - 2013-03-30 20:40 - 00003768 _____ () C:\windows\System32\Tasks\Adobe Flash Player Updater
2014-07-12 13:19 - 2012-06-16 20:57 - 00699056 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerApp.exe
2014-07-12 13:19 - 2012-01-27 21:26 - 00071344 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-07-11 03:02 - 2014-07-22 21:56 - 00098216 _____ (Oracle Corporation) C:\windows\SysWOW64\WindowsAccessBridge-32.dll
2014-07-11 02:56 - 2014-07-22 21:56 - 00272808 _____ (Oracle Corporation) C:\windows\SysWOW64\javaws.exe
2014-07-11 02:56 - 2014-07-22 21:56 - 00175528 _____ (Oracle Corporation) C:\windows\SysWOW64\javaw.exe
2014-07-11 02:55 - 2014-07-22 21:56 - 00175528 _____ (Oracle Corporation) C:\windows\SysWOW64\java.exe
2014-07-08 19:17 - 2014-07-08 19:17 - 00000000 ____D () C:\Users\Tng family\AppData\Roaming\DropboxMaster
2014-07-08 19:17 - 2014-07-08 19:16 - 00000000 ____D () C:\Users\Tng family\AppData\Roaming\Dropbox
2014-07-08 19:16 - 2014-07-08 19:16 - 00000000 ____D () C:\Users\Tng family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2014-07-07 20:54 - 2014-07-07 20:54 - 00043152 _____ (AVAST Software) C:\windows\avastSS.scr
2014-07-07 20:54 - 2014-04-19 10:35 - 00029208 _____ () C:\windows\system32\Drivers\aswHwid.sys
2014-07-07 20:54 - 2013-12-27 22:04 - 00092008 _____ (AVAST Software) C:\windows\system32\Drivers\aswstm.sys
2014-07-07 20:54 - 2013-07-14 19:24 - 01041168 _____ (AVAST Software) C:\windows\system32\Drivers\aswsnx.sys
2014-07-07 20:54 - 2013-07-14 19:24 - 00427360 _____ (AVAST Software) C:\windows\system32\Drivers\aswsp.sys
2014-07-07 20:54 - 2013-07-14 19:24 - 00224896 _____ () C:\windows\system32\Drivers\aswVmm.sys
2014-07-07 20:54 - 2013-07-14 19:24 - 00093568 _____ (AVAST Software) C:\windows\system32\Drivers\aswRdr2.sys
2014-07-07 20:54 - 2013-07-14 19:24 - 00079184 _____ (AVAST Software) C:\windows\system32\Drivers\aswMonFlt.sys
2014-07-07 20:54 - 2013-07-14 19:24 - 00065776 _____ () C:\windows\system32\Drivers\aswRvrt.sys
2014-07-07 20:54 - 2013-07-14 19:24 - 00001966 _____ () C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2014-07-07 20:54 - 2011-04-27 16:17 - 00307344 _____ (AVAST Software) C:\windows\system32\aswBoot.exe
2014-07-06 11:44 - 2012-02-19 20:12 - 00000435 _____ () C:\Users\Tng family\Desktop\gettingold.txt

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-07-28 21:33

==================== End Of Log ============================


  • 0

#18 happyhome (Topic Starter, Member, 23 posts)

Hi Machi

Both IE & Firefox homepages remain as hao123.com :upset:


  • 0

#19 Machiavelli (GeekU Moderator, 3,700 posts)
Disconnect from the internet

To open an Administrator Cmd prompt from the Desktop use Win + X and choose Command Prompt (Admin) from the list.

In the black box type in/copy the following commands, each one followed by Enter:

ipconfig /flushdns
netsh winsock reset catalog
netsh int ip reset c:\resetlog.txt
ipconfig /release
ipconfig /renew

Then reboot the computer - still redirects?
  • 0

#20 happyhome (Topic Starter, Member, 23 posts)

Hi machi

It did not work, still getting redirects at IE & Firefox.


  • 0

#21 Machiavelli (GeekU Moderator, 3,700 posts)
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *hao123*
    *hao*
    
    :folderfind
    *hao123*
    *hao*
    
    :regfind
    hao
    hao123
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
  • 0

#22 happyhome (Topic Starter, Member, 23 posts)

Hi machi

Avast keeps flagging the link that you passed me. I could not download the file.

Infection blocked
URL hxxp://images.malwareremoval.com/jpshortstuff/SystemLook.exe Infection Win32:Rootkit-gen [Rtk]

Relax, your avast! just saved you from a virus.
Protect yourself against other types of threats by upgrading now.


  • 0

#23 Machiavelli (GeekU Moderator, 3,700 posts)
Disable AVAST.
  • 0

#24 happyhome (Topic Starter, Member, 23 posts)

Hi machi

 

SystemLook 30.07.11 by jpshortstuff
Log created at 21:40 on 01/08/2014 by Tng family
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

No Context: filefind

No Context: *hao123*

No Context: *hao*

========== folderfind ==========

Searching for "*hao123*"
C:\Users\Tng family\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NTWEU6BJ\s1.hao123img.com d------ [10:48 01/08/2014]
C:\Users\Tng family\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#s1.hao123img.com d------ [10:48 01/08/2014]

Searching for "*hao*"
C:\Users\Tng family\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NTWEU6BJ\s1.hao123img.com d------ [10:48 01/08/2014]
C:\Users\Tng family\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#s1.hao123img.com d------ [10:48 01/08/2014]

========== regfind ==========

Searching for "hao"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\hao123.com]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.hao123.com]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech\PhoneConverters\Tokens\Chinese]
"PhoneMap"="- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 + 0008 * 0009 1 000A 2 000B 3 000C 4 000D 5 000E a 000F ai 0010 an 0011 ang 0012 ao 0013 ba 0014 bai 0015 ban 0016 bang 0017 bao 0018 bei 0019 ben 001A beng 001B bi 001C bian 001D biao 001E bie 001F bin 0020 bing 0021 bo 0022 bu 0023 ca 0024 cai 0025 can 0026 cang 0027 cao 0028 ce 0029 cen 002A ceng 002B cha 002C chai 002D chan 002E chang 002F chao 0030 che 0031 chen 0032 cheng 0033 chi 0034 chong 0035 chou 0036 chu 0037 chuai 0038 chuan 0039 chuang 003A chui 003B chun 003C chuo 003D ci 003E cong 003F cou 0040 cu 0041 cuan 0042 cui 0043 cun 0044 cuo 0045 da 0046 dai 0047 dan 0048 dang 0049 dao 004A de 004B dei 004C den 004D deng 004E di 004F dia 0050 dian 0051 diao 0052 die 0053 ding 0054 diu 0055 dong 0056 dou 0057 du 0058 duan 0059 dui 005A dun 005B duo 005C e 005D ei 005E en 005F er 0060 fa 0061 fan 0062 fang 0063 fei 0064 fen 0065 feng 0066 fo 0067 fou 0068 fu 0069 ga
[HKEY_USERS\S-1-5-21-2522120943-1274516608-2902159866-1001\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\hao123.com]
[HKEY_USERS\S-1-5-21-2522120943-1274516608-2902159866-1001\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.hao123.com]

Searching for "hao123"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\hao123.com]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.hao123.com]
[HKEY_USERS\S-1-5-21-2522120943-1274516608-2902159866-1001\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\hao123.com]
[HKEY_USERS\S-1-5-21-2522120943-1274516608-2902159866-1001\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.hao123.com]

-= EOF =-


  • 0

#25 Machiavelli (GeekU Moderator, 3,700 posts)

Step 1: Registry Modifications
  • Go to Start > Run to bring up the run box
  • In the box, type notepad.exe and press OK to open Notepad
  • Copy (Ctrl+C) all of the text in the following box and paste (Ctrl+V) it into Notepad

    Windows Registry Editor Version 5.00
    
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\hao123.com]
    
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.hao123.com]
    
    [-HKEY_USERS\S-1-5-21-2522120943-1274516608-2902159866-1001\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\hao123.com]
    
    [-HKEY_USERS\S-1-5-21-2522120943-1274516608-2902159866-1001\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.hao123.com]
    
  • Go to File > Save As... and save it to your Desktop named Fix.reg. Make sure you change the Save as type to All Files (*.*)
  • Locate Fix.reg on your Desktop and double-click on it to merge it with your registry
  • Answer Yes when prompted about merging with the registry
Step 2: FRST Fix
  • Please download the attached fixlist.txt file and save it to the same location as FRST
Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run, please post it to your reply
 

Now - run SystemLook again (with the same script) and post the log. Still redirects?

Attached Files


  • 0



#26 happyhome (Topic Starter, Member, 23 posts)

Hi machi

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 31-07-2014 01
Ran by Tng family at 2014-08-01 22:03:14 Run:2
Running from C:\Users\Tng family\Downloads
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
C:\Users\Tng family\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NTWEU6BJ\s1.hao123img.com
C:\Users\Tng family\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#s1.hao123img.com

*****************

C:\Users\Tng family\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NTWEU6BJ\s1.hao123img.com => Moved successfully.
C:\Users\Tng family\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#s1.hao123img.com => Moved successfully.

==== End of Fixlog ====

 

 

 

SystemLook 30.07.11 by jpshortstuff
Log created at 22:05 on 01/08/2014 by Tng family
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

No Context: filefind

No Context: *hao123*

No Context: *hao*

========== folderfind ==========

Searching for "*hao123*"
C:\FRST\Quarantine\C\Users\Tng family\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NTWEU6BJ\s1.hao123img.com d------ [10:48 01/08/2014]
C:\FRST\Quarantine\C\Users\Tng family\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#s1.hao123img.com d------ [10:48 01/08/2014]

Searching for "*hao*"
C:\FRST\Quarantine\C\Users\Tng family\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NTWEU6BJ\s1.hao123img.com d------ [10:48 01/08/2014]
C:\FRST\Quarantine\C\Users\Tng family\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#s1.hao123img.com d------ [10:48 01/08/2014]

========== regfind ==========

Searching for "hao"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech\PhoneConverters\Tokens\Chinese]
"PhoneMap"="- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 + 0008 * 0009 1 000A 2 000B 3 000C 4 000D 5 000E a 000F ai 0010 an 0011 ang 0012 ao 0013 ba 0014 bai 0015 ban 0016 bang 0017 bao 0018 bei 0019 ben 001A beng 001B bi 001C bian 001D biao 001E bie 001F bin 0020 bing 0021 bo 0022 bu 0023 ca 0024 cai 0025 can 0026 cang 0027 cao 0028 ce 0029 cen 002A ceng 002B cha 002C chai 002D chan 002E chang 002F chao 0030 che 0031 chen 0032 cheng 0033 chi 0034 chong 0035 chou 0036 chu 0037 chuai 0038 chuan 0039 chuang 003A chui 003B chun 003C chuo 003D ci 003E cong 003F cou 0040 cu 0041 cuan 0042 cui 0043 cun 0044 cuo 0045 da 0046 dai 0047 dan 0048 dang 0049 dao 004A de 004B dei 004C den 004D deng 004E di 004F dia 0050 dian 0051 diao 0052 die 0053 ding 0054 diu 0055 dong 0056 dou 0057 du 0058 duan 0059 dui 005A dun 005B duo 005C e 005D ei 005E en 005F er 0060 fa 0061 fan 0062 fang 0063 fei 0064 fen 0065 feng 0066 fo 0067 fou 0068 fu 0069 ga

Searching for "hao123"
No data found.

-= EOF =-

 

 

I will reboot the system and let you know how it is running again.


  • 0

#27 happyhome (Topic Starter, Member, 23 posts)

Hi Machi

Very sad to say that both IE & Firefox still remain at hao123.


  • 0

#28 Machiavelli (GeekU Moderator, 3,700 posts)

Run Shortcut Cleaner

Please download Shortcut Cleaner and save it to the desktop.

Vista / 7 / 8 users: Right click the sc-cleaner.exe file and click Run as Administrator to run the application. Follow the prompts and post the contents of sc-cleaner.txt in your next reply.


  • 0

#29 happyhome (Topic Starter, Member, 23 posts)

Hi Machi

 

Shortcut Cleaner 1.3.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Shortcut Cleaner can be found at this link:
 http://www.bleepingc...ortcut-cleaner/

Windows Version: Windows 7 Professional Service Pack 1
Program started at: 08/02/2014 11:36:28 AM.

Scanning for registry hijacks:

 * No issues found in the Registry.

Searching for Hijacked Shortcuts:

Searching C:\Users\Tng family\AppData\Roaming\Microsoft\Windows\Start Menu\

Searching C:\ProgramData\Microsoft\Windows\Start Menu\

Searching C:\Users\Tng family\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\

Searching C:\Users\Public\Desktop\

Searching C:\Users\Tng family\Desktop

0 bad shortcuts found.

Program finished at: 08/02/2014 11:36:32 AM
Execution time: 0 hours(s), 0 minute(s), and 3 seconds(s)


  • 0

#30 Machiavelli (GeekU Moderator, 3,700 posts)
We have to try something else.
  • Run FRST. (if you have Windows Vista / Windows 7 / Windows 8: Please do a Right click on the FRST icon and select Run as Administrator)
  • Make sure Shortcut.txt is checked.
  • Click Scan to start FRST.
  • When FRST finishes scanning, logs FRST.txt and Shortcut.txt will open.
  • Copy (Ctrl+C) and Paste (Ctrl+V) the contents of these logs into your next post please.

  • 0
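The thread's checks move from registry keys to shortcuts; here is an added, read-only PowerShell check, not from the thread or any of its tools, that looks in the same kinds of places for a hao123 homepage: the IE Start Page values, Firefox prefs.js/user.js, and the arguments of browser shortcuts (the trick Shortcut Cleaner scans for). It assumes a current-user session on Windows 7 or later; the paths and value names are the standard Windows and Firefox ones, not taken from the logs above, and it changes nothing on the machine.

```powershell
# Added example, not part of the thread: read-only hunt for a homepage hijack.
$Pattern = 'hao123'   # hijacker domain named in the thread

function Test-IEStartPage {
    # IE keeps its homepage under HKCU ...\Internet Explorer\Main.
    $key = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    foreach ($name in 'Start Page', 'Default_Page_URL', 'Secondary Start Pages') {
        $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        # Secondary Start Pages is REG_MULTI_SZ, so join before matching.
        if ($v -and (($v -join ' ') -match $Pattern)) { "[IE] $name = $($v -join ' ')" }
    }
}

function Test-FirefoxHomepage {
    # Firefox stores browser.startup.homepage in prefs.js (and an optional user.js)
    # inside each profile folder; a hijacker that writes user.js re-applies on every start.
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    Get-ChildItem -Path $profiles -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        foreach ($f in 'prefs.js', 'user.js') {
            $p = Join-Path $_.FullName $f
            if (Test-Path $p) {
                Select-String -Path $p -Pattern 'browser\.startup\.homepage' |
                    Where-Object { $_.Line -match $Pattern } |
                    ForEach-Object { "[Firefox] $p : $($_.Line.Trim())" }
            }
        }
    }
}

function Test-ShortcutArguments {
    # A shortcut hijack leaves the homepage setting clean but appends a URL to the
    # browser .lnk arguments, so every launch from that icon still opens the hijacker.
    $shell = New-Object -ComObject WScript.Shell
    $dirs = @(
        [Environment]::GetFolderPath('Desktop'),
        [Environment]::GetFolderPath('CommonDesktopDirectory'),
        [Environment]::GetFolderPath('StartMenu'),
        [Environment]::GetFolderPath('CommonStartMenu'),
        (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
    )
    Get-ChildItem -Path $dirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        # Any URL in the arguments of a shortcut is suspicious, not only the known domain.
        if ($lnk.Arguments -match 'https?://' -or $lnk.Arguments -match $Pattern) {
            "[Shortcut] $($_.FullName) -> $($lnk.TargetPath) $($lnk.Arguments)"
        }
    }
}

$findings = @(Test-IEStartPage) + @(Test-FirefoxHomepage) + @(Test-ShortcutArguments)
if ($findings) { $findings } else { "No $Pattern references found in the checked locations." }
```

A clean result here while the redirect persists points at something the script does not cover (a browser extension, a policy key, or a scheduled task), which is the direction the FRST Shortcut.txt scan above is meant to narrow down.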
