IE & Mozilla hijacked by hao123.com [Solved]

#1 mizriel (Member, 11 posts)

I have Googled for the past 2 days for a fix for this, but after trying numerous methods this hao123.com still can't be fixed. I saw the solution here but I did not dare to try anything, as I saw the expert here state that the method is purely for the specific PC. Please do help me to solve this, as it is quite annoying to see that my IE & Firefox homepage is hao123.com. Thanks in advance  :D

 

OTL logfile created on: 04-Sep-14 2:55:33 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Dave\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.11.9600.17239)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: dd-MMM-yy
 
5.68 Gb Total Physical Memory | 3.33 Gb Available Physical Memory | 58.61% Memory free
11.36 Gb Paging File | 8.78 Gb Available in Paging File | 77.34% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 100.06 Gb Total Space | 6.04 Gb Free Space | 6.04% Space Free | Partition Type: NTFS
Drive D: | 353.60 Gb Total Space | 135.37 Gb Free Space | 38.28% Space Free | Partition Type: NTFS
 
Computer Name: DAVE-PC | User Name: Dave | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2014-09-04 14:55:04 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Dave\Desktop\OTL.exe
PRC - [2014-08-07 11:20:57 | 000,860,488 | ---- | M] (Google Inc.) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
PRC - [2014-08-06 17:34:34 | 013,246,272 | ---- | M] (TeamViewer GmbH) -- C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
PRC - [2014-08-06 17:34:34 | 005,052,224 | ---- | M] (TeamViewer GmbH) -- C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
PRC - [2014-08-06 17:21:00 | 000,229,696 | ---- | M] (TeamViewer GmbH) -- C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe
PRC - [2014-07-15 19:03:17 | 003,621,512 | ---- | M] (风行在线技术有限公司) -- C:\Users\Dave\AppData\Roaming\Funshion\funshion.exe
PRC - [2014-06-24 15:38:12 | 000,014,256 | ---- | M] () -- C:\ProgramData\QvodPlayer\QvodWebBase\1.0.0.52\QvodWebService.exe
PRC - [2014-04-28 16:20:28 | 001,238,528 | ---- | M] (RemoteMouse.net) -- C:\Program Files (x86)\Remote Mouse\RemoteMouse.exe
PRC - [2013-12-21 14:04:16 | 000,065,432 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2014-08-15 10:56:07 | 002,297,856 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\6949cf18d123ab573dae67619b5364cd\System.Core.ni.dll
MOD - [2014-08-15 10:48:21 | 012,436,480 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\434e3a5de2f98ed740aac2b24c6d0890\System.Windows.Forms.ni.dll
MOD - [2014-08-15 10:48:14 | 001,593,344 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\bce52f0521c930a2e305badb3ea07128\System.Drawing.ni.dll
MOD - [2014-08-15 10:48:09 | 005,464,064 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\abca6deea510151b5d8e51bdabd17bea\System.Xml.ni.dll
MOD - [2014-08-15 10:48:05 | 000,978,432 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\bce5e2af0775efc3c91ba62d5d26fb39\System.Configuration.ni.dll
MOD - [2014-08-15 10:47:52 | 007,989,760 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\2ee90c95adb50b0e75b814fcb9d87f8e\System.ni.dll
MOD - [2014-08-15 10:47:46 | 011,499,520 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f8be9e33457f57805b4068f90099e428\mscorlib.ni.dll
MOD - [2014-08-07 11:20:55 | 000,353,096 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\36.0.1985.143\ppgooglenaclpluginchrome.dll
MOD - [2014-08-07 11:20:53 | 008,537,928 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\36.0.1985.143\pdf.dll
MOD - [2014-08-07 11:20:49 | 000,718,152 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\36.0.1985.143\libglesv2.dll
MOD - [2014-08-07 11:20:47 | 000,126,280 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\36.0.1985.143\libegl.dll
MOD - [2014-08-07 11:20:46 | 001,732,936 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\36.0.1985.143\ffmpegsumo.dll
MOD - [2014-06-24 15:38:12 | 000,014,256 | ---- | M] () -- C:\ProgramData\QvodPlayer\QvodWebBase\1.0.0.52\QvodWebService.exe
MOD - [2013-11-19 22:34:00 | 000,152,576 | ---- | M] () -- C:\Program Files (x86)\Remote Mouse\FileS.dll
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - [2014-07-25 21:00:25 | 000,111,616 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\IEEtwCollector.exe -- (IEEtwCollectorService)
SRV:64bit: - [2014-03-11 12:34:10 | 000,347,872 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2014-03-11 12:34:10 | 000,023,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2013-05-27 13:50:47 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2011-10-26 02:01:00 | 000,204,288 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2014-08-20 22:28:41 | 000,262,320 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2014-08-06 17:34:34 | 005,052,224 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe -- (TeamViewer9)
SRV - [2014-06-06 12:38:37 | 000,119,408 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2014-03-21 06:49:18 | 000,067,224 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2013-12-21 14:04:16 | 000,065,432 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2013-09-11 21:21:54 | 000,105,144 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - [2014-03-11 09:52:30 | 000,133,928 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2014-01-22 08:52:12 | 000,206,080 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssudserd.sys -- (ssudserd)
DRV:64bit: - [2014-01-22 08:52:10 | 000,206,080 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssudmdm.sys -- (ssudmdm)
DRV:64bit: - [2014-01-22 08:52:10 | 000,108,800 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssudbus.sys -- (dg_ssudbus)
DRV:64bit: - [2013-07-25 16:53:46 | 000,023,040 | ---- | M] (Apple Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\netaapl64.sys -- (Netaapl)
DRV:64bit: - [2012-12-13 14:50:36 | 000,054,784 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2012-08-23 22:10:20 | 000,019,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV:64bit: - [2012-08-23 22:08:26 | 000,030,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2012-08-23 22:07:35 | 000,057,856 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2012-08-21 13:01:20 | 000,033,240 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2012-03-01 14:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011-10-26 03:05:12 | 010,496,512 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
DRV:64bit: - [2011-10-26 01:22:00 | 000,326,656 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2011-03-11 14:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011-03-11 14:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010-11-21 11:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010-08-25 12:36:02 | 010,611,552 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2010-08-16 06:42:00 | 000,116,240 | ---- | M] (ATI Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService)
DRV:64bit: - [2010-02-26 16:32:12 | 000,158,976 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Impcd.sys -- (Impcd)
DRV:64bit: - [2009-12-22 09:18:48 | 000,074,280 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\L1C62x64.sys -- (L1C)
DRV:64bit: - [2009-10-05 16:34:00 | 001,542,656 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\athrx.sys -- (athr)
DRV:64bit: - [2009-09-17 19:54:54 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (HECIx64)
DRV:64bit: - [2009-07-14 09:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009-07-14 09:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009-07-14 09:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009-06-11 04:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009-06-11 04:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009-06-11 04:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009-06-11 04:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2008-05-06 16:06:00 | 000,014,464 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\wdcsam64.sys -- (WDC_SAM)
DRV - [2009-07-14 09:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,NewTabPageShow = 1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.google.com
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,NewTabPageShow = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:Tabs
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IESR02
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
========== FireFox ==========
 
FF - user.js - File not found
 
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_14_0_0_145.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@pps.tv/npWebPlayer: D:\IQIYI Video\LStyle\npWebPlayer.dll (爱奇艺)
FF:64bit: - HKLM\Software\MozillaPlugins\@qvod.com/QvodShare: C:\Program Files (x86)\QvodPlayer\npShareModule_x64.dll File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_14_0_0_145.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: D:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@funshion.com/npFunshion: C:\Users\Dave\funshion\funshiontools\npFunshion.dll File not found
FF - HKLM\Software\MozillaPlugins\@huawei.com/npHWPlugin: C:\Program Files (x86)\Web_TV\WebTVPlugin\npHWPlugin.dll ()
FF - HKLM\Software\MozillaPlugins\@iqiyi.com/npclient: D:\IQIYI Video\LStyle\npclient.dll ()
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pps.tv/npWebPlayer: D:\IQIYI Video\LStyle\npWebPlayer.dll (爱奇艺)
FF - HKLM\Software\MozillaPlugins\@sohu.com/npifox: C:\Program Files (x86)\搜狐影音\npifox.dll File not found
FF - HKLM\Software\MozillaPlugins\@t.garena.com/garenatalk: C:\Program Files (x86)\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@verimatrix.com/ViewRightWeb: C:\Program Files (x86)\Web_TV\WebTVPlugin\\npViewRight.dll File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@pps.tv/npWebPlayer: D:\IQIYI Video\LStyle\npWebPlayer.dll (爱奇艺)
FF - HKCU\Software\MozillaPlugins\@qvod.com/QvodInsert: C:\Program Files (x86)\QvodPlayer\npQvodInsert.dll File not found
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\Dave\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF - HKCU\Software\MozillaPlugins\@verimatrix.com/ViewRightWeb: C:\Program Files (x86)\Web_TV\WebTVPlugin\\npViewRight.dll File not found
FF - HKCU\Software\MozillaPlugins\KuaiWanInsert: C:\Program Files (x86)\QvodPlayer\AddIn\KWWebgame\npKWWebGame.dll File not found
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 30.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 30.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 30.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 30.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
 
[2013-11-02 08:41:34 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Dave\AppData\Roaming\mozilla\Extensions
[2014-07-22 10:21:51 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Dave\AppData\Roaming\mozilla\Firefox\Profiles\xzeqs5du.default\extensions_backup
[2014-07-18 13:30:10 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions
[2014-07-18 13:30:26 | 000,000,000 | ---D | M] (Default) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
 
========== Chrome  ==========
 
CHR - homepage: 
CHR - plugin: Error reading preferences file
CHR - Extension: Google Docs = C:\Users\Dave\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.7_1\
CHR - Extension: Google Drive = C:\Users\Dave\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_1\
CHR - Extension: Google Voice Search Hotword (Beta) = C:\Users\Dave\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn\0.1.1.5023_1\
CHR - Extension: YouTube = C:\Users\Dave\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_1\
CHR - Extension: Google Search = C:\Users\Dave\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_1\
CHR - Extension: Google Wallet = C:\Users\Dave\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.6.1_1\
CHR - Extension: Gmail = C:\Users\Dave\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_2\
 
Hosts file not found
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4 - HKCU..\Run: [Remote Mouse] C:\Program Files (x86)\Remote Mouse\RemoteMouse.exe (RemoteMouse.net)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {173D9E48-B527-4AA0-A929-30B446002AA8} http://210.186.135.208/DVRemoteAx.cab (DVRemoteControl Class)
O16 - DPF: {9AA03FEC-6582-48B1-BC62-821D4A7B9461} http://175.139.226.3...tiveX.cab?V1203 (N9_DVR Control)
O16 - DPF: {AC2721FA-207D-44AE-8673-AE9074FC725C} http://175.136.217.114/DvrOcx.cab (NetDvr81Serial Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2513406E-FD75-48BB-AD4B-80F30DDB089D}: NameServer = 8.8.8.8,8.8.4.4
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5F57A0D6-50F0-49D8-B706-C05556627215}: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9B0A4726-30A4-40BD-9F02-539005ED4DCF}: DhcpNameServer = 172.20.10.1
O18:64bit: - Protocol\Handler\belarc - No CLSID value found
O18:64bit: - Protocol\Handler\KuGoo - No CLSID value found
O18:64bit: - Protocol\Handler\KuGoo3 - No CLSID value found
O18:64bit: - Protocol\Handler\kuwo - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\BelarcAdvisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\KuGoo {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\PROGRA~2\KuGou\KGMusic\KUGOO3~1.OCX File not found
O18 - Protocol\Handler\KuGoo3 {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\PROGRA~2\KuGou\KGMusic\KUGOO3~1.OCX File not found
O18 - Protocol\Handler\kuwo - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2014-09-04 14:54:59 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Dave\Desktop\OTL.exe
[2014-09-04 14:41:00 | 000,000,000 | ---D | C] -- C:\FRST
[2014-09-04 14:31:32 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
[2014-09-04 13:00:41 | 002,104,832 | ---- | C] (Farbar) -- C:\Users\Dave\Desktop\FRST64.exe
[2014-09-02 16:32:24 | 000,000,000 | ---D | C] -- C:\QvodPlayer
[2014-09-02 15:52:41 | 000,000,000 | ---D | C] -- C:\ProgramData\GridinSoft
[2014-09-02 15:38:10 | 000,536,576 | ---- | C] (SQLite Development Team) -- C:\Windows\SysWow64\sqlite3.dll
[2014-09-02 14:40:11 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Roaming\360safe
[2014-09-02 14:32:41 | 000,180,808 | ---- | C] (360.cn) -- C:\Windows\SysNative\drivers\BAPIDRV64.SYS
[2014-09-02 14:29:50 | 000,077,896 | ---- | C] (360.cn) -- C:\Windows\SysNative\drivers\360AvFlt.sys
[2014-09-02 14:29:48 | 000,000,000 | ---D | C] -- C:\ProgramData\360SD
[2014-09-02 12:37:12 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Microsoft
[2014-09-02 12:37:12 | 000,000,000 | ---D | C] -- C:\Program Files\Adware-Removal-Tool
[2014-08-30 23:26:33 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Roaming\PushApp
[2014-08-30 23:25:57 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\Temp尰
[2014-08-29 00:32:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2014-08-29 00:32:09 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2014-08-29 00:32:08 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2014-08-29 00:32:08 | 000,000,000 | ---D | C] -- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
[2014-08-29 00:27:06 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2014-08-27 21:05:20 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\爱奇艺
[2014-08-27 21:05:20 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Roaming\ppslog
[2014-08-26 10:25:33 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\Adobe
[2014-08-16 12:14:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AC3Filter
[2014-08-16 12:14:03 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AC3Filter
 
========== Files - Modified Within 30 Days ==========
 
[2014-09-04 14:55:04 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Dave\Desktop\OTL.exe
[2014-09-04 14:49:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2014-09-04 14:28:33 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2014-09-04 14:28:32 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2014-09-04 13:01:12 | 002,104,832 | ---- | M] (Farbar) -- C:\Users\Dave\Desktop\FRST64.exe
[2014-09-04 12:22:19 | 000,028,352 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2014-09-04 12:22:19 | 000,028,352 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2014-09-04 12:15:06 | 000,000,890 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2014-09-04 12:14:36 | 277,889,023 | -HS- | M] () -- C:\hiberfil.sys
[2014-09-02 15:25:43 | 000,000,954 | ---- | M] () -- C:\Users\Dave\AppData\Roaming\coreavc.ini
[2014-08-31 22:12:44 | 000,781,298 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2014-08-31 22:12:44 | 000,653,724 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2014-08-31 22:12:44 | 000,121,596 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2014-08-29 00:32:42 | 000,001,568 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2014-08-28 18:01:09 | 000,355,432 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2014-08-27 21:05:17 | 000,000,740 | ---- | M] () -- C:\Users\Dave\Application Data\Microsoft\Internet Explorer\Quick Launch\爱奇艺PPS影音.lnk
 
========== Files Created - No Company Name ==========
 
[2014-08-29 00:32:42 | 000,001,568 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2014-08-16 12:14:04 | 001,202,688 | ---- | C] () -- C:\Windows\SysNative\ac3filter64.acm
[2014-08-16 12:14:04 | 000,965,120 | ---- | C] () -- C:\Windows\SysWow64\ac3filter.acm
[2014-05-15 16:25:00 | 000,000,021 | ---- | C] () -- C:\Windows\KwYlx.dat
[2014-02-25 14:15:26 | 000,765,700 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2014-02-10 00:56:15 | 000,003,072 | ---- | C] () -- C:\Users\Dave\AppData\Roaming\Photobook Designer Prefsv3
[2013-11-03 22:42:32 | 000,000,954 | ---- | C] () -- C:\Users\Dave\AppData\Roaming\coreavc.ini
[2013-11-02 10:40:59 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2013-11-02 10:38:19 | 000,870,560 | ---- | C] () -- C:\Windows\SysWow64\igkrng575.bin
[2013-11-02 10:38:19 | 000,208,896 | ---- | C] () -- C:\Windows\SysWow64\iglhsip32.dll
[2013-11-02 10:38:19 | 000,143,360 | ---- | C] () -- C:\Windows\SysWow64\iglhcp32.dll
[2013-11-02 10:38:17 | 000,104,796 | ---- | C] () -- C:\Windows\SysWow64\igfcg575m.bin
[2013-11-02 10:38:16 | 000,127,868 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng575.bin
[2013-10-30 12:06:54 | 000,974,848 | ---- | C] () -- C:\Windows\SysWow64\cis-2.4.dll
[2013-10-30 12:06:54 | 000,081,920 | ---- | C] () -- C:\Windows\SysWow64\issacapi_bs-2.3.dll
[2013-10-30 12:06:54 | 000,065,536 | ---- | C] () -- C:\Windows\SysWow64\issacapi_pe-2.3.dll
[2013-10-30 12:06:54 | 000,057,344 | ---- | C] () -- C:\Windows\SysWow64\issacapi_se-2.3.dll
 
========== ZeroAccess Check ==========
 
[2009-07-14 12:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2014-06-25 10:05:42 | 014,175,744 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2014-06-25 09:41:30 | 012,874,240 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009-07-14 09:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010-11-21 11:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009-07-14 09:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
 
========== LOP Check ==========
 
[2014-09-02 14:40:11 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\360safe
[2014-08-31 22:09:41 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Animals
[2014-05-05 23:58:20 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Ashampoo
[2014-09-02 12:28:53 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\CloudMedia
[2014-06-06 00:03:10 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\DataRepair
[2014-05-31 00:23:21 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\FunAir
[2014-09-02 12:09:58 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Funshion
[2013-11-13 11:33:56 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Garena
[2014-02-25 23:58:57 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\GarenaPlus
[2013-12-26 17:14:02 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\iCan3
[2013-12-30 10:41:45 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\KGDataBak
[2014-06-03 18:28:41 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\KuGou8
[2014-06-17 19:06:06 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\MobProtect
[2014-02-10 00:55:39 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Photobook Designer
[2014-09-01 03:06:31 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\ppslog
[2014-09-01 03:07:42 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\PPStream
[2014-08-30 23:26:33 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\PushApp
[2014-01-04 13:54:31 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Samsung
[2013-11-22 17:47:15 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\TeamViewer
[2014-07-07 11:06:36 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Windows Live Writer
 
========== Purity Check ==========
 
 
 
< End of report >

Edited by mizriel, 04 September 2014 - 01:07 AM.

  • 0


#2
ruggie_uk

    Trusted Helper

  • Malware Removal
  • 2,083 posts

Greetings and welcome!

My nickname is Ruggie and I will be assisting you in cleaning your computer.
Please be aware I am currently in the final stages of training right now and all my work will be checked by an instructor so there may be a slight delay between posts. The added benefit to this is that you will have 2 sets of eyes looking at your problem so you can be assured you will get the best possible help.

  • Malware removal can be a long process and will at times get complicated with multiple steps to perform to ensure that your system is no longer infected.
  • When we start the process, the list of instructions must be followed closely, it may seem difficult at times but it is important that you stay with me until your computer is declared clean.
  • If you are receiving help elsewhere, please let me know so we can close this thread and help someone else.

Before going any further, I recommend that you print out (or save to a file) these guidelines and also the instructions when I post them, as part of the repair process may involve going into safe mode and therefore you will not have internet access.

The following guidelines are important but the ones highlighted in RED are of the highest importance and must not be skipped.

Please save all tools to the desktop. Our tools are updated very regularly, sometimes several times per day, so always download the latest version from the links I provide.

Please be aware, the fixes we perform are specific to this machine, at this moment in time. They must not be used on another computer or unsupervised at another time. This can render your computer unbootable.

If at all possible, make backups of all your important files. Whilst we will do our best to ensure that no files are lost or damaged, sometimes things can go wrong.

I will do everything in my power to ensure that this clean is successful, but occasionally failure hits us all. In this event, please have your original installation disks to hand and be prepared to have to format and reinstall your computer.

Refrain from using any tool that hasn't been instructed, as it could alter the process that we are working through and cause further problems. Also, only use the tools I instruct in the manner provided, as they are very powerful and if not used properly can cause even more problems. It is best if you can avoid using the computer at all, apart from to perform the cleaning steps, to ensure that any infections aren't spread.

Please stick with me until the end. Malware removal is difficult and time consuming. We have to analyse hundreds of lines in log files. This takes time which we give freely, so I ask that you do us the courtesy of seeing it through.

Only paste the contents of log files into your reply. DO NOT attach any log files unless requested to do so.

If you have any questions or get stuck, stop and ask... I am here to help you make this go as smoothly as possible.

If you do not reply within 3 days, your topic will be closed. It can be reopened if you ask. But if you plan on being gone for a longer period, just let me know and I will hold it open for you.

Ready? Now let's get to work.

 

Just to let you know I am currently reviewing the logs you have provided and we can start the process soon.

 

For future reference, could you kindly paste any logs directly into the post as you did with the OTL log and not attach them as you did with the FRST logs, as it makes it easier for us to read and work with. Thank you. No need to repost the ones you already have as I will work with them as they are :D


  • 1

#3
ruggie_uk

    Trusted Helper

  • Malware Removal
  • 2,083 posts

Hi mizriel, I just need to ask a question before I complete my initial fixlist.

 

You have some remote access programs on your system and a few Chinese streaming site plugins and programs.

 

Are these yours or are they unknown to you?

 

The remote programs are:

Remote Mouse

Teamviewer

 

The Chinese programs are:

funshion

qvodplayer

web tv

iqiyi video


  • 1

#4
mizriel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts

Hi ruggie_uk, 

 

Thanks for the quick reply and I appreciate it a lot. The Chinese programs that you mentioned, Funshion and Qvod Player, I already uninstalled, but for the other 2 I don't know what those are. My IE and Firefox, I can confirm, were hijacked after I updated my Qvod Player 3 days ago. Already uninstalled, but hao123.com is still there. Both remote control programs were installed by me :)


Edited by mizriel, 04 September 2014 - 09:48 AM.

  • 0

#5
ruggie_uk

    Trusted Helper

  • Malware Removal
  • 2,083 posts

Ok, I will take them all into account whilst preparing the fixes. Thank you for the information :D


  • 1

#6
mizriel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts

thanks again, will wait for your fix  :D


  • 0

#7
ruggie_uk

    Trusted Helper

  • Malware Removal
  • 2,083 posts
Hello again Mizriel.

There will be a few steps to this portion of your cleanup. I do also need to mention that your hard drive is very full and could do with space being freed up to ensure the smooth operation of your computer.

If you have any unnecessary files, especially large videos for example, that you can remove, now would be a good time to do that. I will clean up some space as we go along by removing old temp files etc., but that will only help a little.

Step 1

FRST Fix
If FRST.exe/FRST64.exe is not on your desktop, please download Farbar Recovery Scan Tool and save it to your desktop.
  • Download the attached fixlist.txt and save it to your desktop <<< very important - it must be in the same location as FRST.exe/FRST64.exe
  • Right click FRST.exe/FRST64.exe and run as administrator. When the tool opens click Yes to the disclaimer.
  • Press the Fix button.
  • Once completed the computer will reboot
  • It will produce a log called fixlog.txt on your Desktop.
  • Please copy and paste the contents of that log back here.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Step 2

Please download Junkware Removal Tool to your desktop. << Important
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by right-clicking JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Items I need to see in your next post:
  • Fixlog.txt
  • jrt.txt

  • 1
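An added example, not from this thread and not part of Farbar's FRST: a read-only PowerShell audit of the registration points the fixlist in Step 1 targets (Run values in every loaded user hive, ShellIconOverlayIdentifiers, PROTOCOLS handlers and MozillaPlugins), flagging entries whose target file no longer exists, which FRST prints as "No File". The function names and output layout are my own; it assumes Windows PowerShell 5.1 on 64-bit Windows and an elevated prompt.

```powershell
# Added example (not from the thread, not FRST code): read-only audit of the autostart
# and browser-plugin registrations a hijacker bundle leaves behind. Nothing is deleted.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Reduce a registry value ("C:\x\a.exe" /arg, %SystemRoot%\y.dll) to the file it names.
function Resolve-TargetPath {
    param([string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return $null }
    $v = [Environment]::ExpandEnvironmentVariables($Value.Trim())
    if ($v.StartsWith('"')) {
        $end = $v.IndexOf('"', 1)
        if ($end -gt 0) { return $v.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($v, '^(.+?\.(exe|dll|ocx|sys))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value } else { return $v }
}

# One report row. Exists = $false is what FRST would print as "No File".
function New-Finding {
    param([string]$Kind, [string]$Location, [string]$Name, [string]$Target)
    $path = Resolve-TargetPath $Target
    $exists = if ($path) { Test-Path -LiteralPath $path } else { $false }
    [pscustomobject]@{ Kind = $Kind; Location = $Location; Name = $Name
                       Target = $Target; Exists = $exists }
}

# CLSID -> InProcServer32 default value, checking the 64-bit and the WOW64 class roots
# (the OTL ZeroAccess check above walks the same two views).
function Get-ClsidServer {
    param([string]$Clsid)
    if (-not $Clsid) { return $null }
    foreach ($root in 'HKLM:\Software\Classes\CLSID', 'HKLM:\Software\Classes\Wow6432Node\CLSID') {
        $key = Join-Path $root "$Clsid\InProcServer32"
        if (Test-Path -LiteralPath $key) {
            $server = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($server) { return $server }
        }
    }
    return $null
}

function Get-AutostartAudit {
    $findings = @()

    # Run values: both machine views plus every loaded hive under HKEY_USERS
    # (FRST's HKU\.DEFAULT, HKU\S-1-5-19, ... lines).
    $runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run')
    $runKeys += Get-ChildItem HKU:\ | ForEach-Object {
        "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run" }
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $findings += New-Finding 'Run' $key $name ($item.GetValue($name))
        }
    }

    # Explorer icon-overlay handlers: subkey default value is a CLSID (QvodExtend, Mindj.dll).
    foreach ($root in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers',
                      'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers') {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $root) {
            $findings += New-Finding 'ShellIconOverlay' $root $sub.PSChildName (Get-ClsidServer ($sub.GetValue('')))
        }
    }

    # URL protocol handlers (belarc, KuGoo, kuwo): the CLSID sits in a value named CLSID.
    foreach ($root in 'HKLM:\Software\Classes\PROTOCOLS\Handler',
                      'HKLM:\Software\Classes\Wow6432Node\PROTOCOLS\Handler') {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $root) {
            $findings += New-Finding 'Handler' $root $sub.PSChildName (Get-ClsidServer ($sub.GetValue('CLSID')))
        }
    }

    # Firefox NPAPI plugin registrations: the DLL is in the Path value.
    foreach ($root in 'HKLM:\Software\MozillaPlugins', 'HKLM:\Software\Wow6432Node\MozillaPlugins',
                      'HKCU:\Software\MozillaPlugins') {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $root) {
            $findings += New-Finding 'FFPlugin' $root $sub.PSChildName ($sub.GetValue('Path'))
        }
    }
    return $findings
}

# Dangling registrations first: a missing target is the usual trace of a half-uninstalled
# bundle, and is exactly the kind of entry the fixlist removes.
Get-AutostartAudit | Sort-Object Exists, Kind | Format-Table Kind, Name, Exists, Target -AutoSize -Wrap
```

Review the rows with Exists = False against what you actually installed before removing anything; an entry pointing at a file that is present is not evidence of infection on its own.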

#8
mizriel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts

hello ruggie_uk,

 

Followed all your steps and NOW MY BROWSER IS CLEARED. Sorry for the caps but I'm too excited lol. Anyway, below are the texts that you want to see:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 03-09-2014 02
Ran by Dave at 2014-09-05 10:01:16 Run:1
Running from C:\Users\Dave\Desktop
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
 
start
() C:\ProgramData\QvodPlayer\QvodWebBase\1.0.0.52\QvodWebService.exe
(风行在线技术有限公司) C:\Users\Dave\AppData\Roaming\Funshion\Funshion.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(RemoteMouse.net) C:\Program Files (x86)\Remote Mouse\RemoteMouse.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe
HKU\.DEFAULT\...\Run: [PPS Accelerator] => D:\PPS.tv\PPStream\\PPSKernel.exe
HKU\.DEFAULT\...\Run: [QyKernel] => D:\IQIYI Video\LStyle\QyKernel.exe [504256 2014-07-29] (爱奇艺)
HKU\S-1-5-19\...\Run: [PPS Accelerator] => D:\PPS.tv\PPStream\\PPSKernel.exe
HKU\S-1-5-19\...\Run: [QyKernel] => D:\IQIYI Video\LStyle\QyKernel.exe [504256 2014-07-29] (爱奇艺)
HKU\S-1-5-20\...\Run: [PPS Accelerator] => D:\PPS.tv\PPStream\\PPSKernel.exe
HKU\S-1-5-20\...\Run: [QyKernel] => D:\IQIYI Video\LStyle\QyKernel.exe [504256 2014-07-29] (爱奇艺)
HKU\S-1-5-21-402487621-2575195799-2967451988-1000\...\Run: [Remote Mouse] => C:\Program Files (x86)\Remote Mouse\RemoteMouse.exe [1238528 2014-04-28] (RemoteMouse.net)
ShellIconOverlayIdentifiers: DownloadIcon -> {A8502600-B272-4F68-A67B-A0305D46D298} => C:\ProgramData\QvodPlayer\QvodExtend\5.0.100.0\QvodExtend_x64.dll (Shenzhen QVOD Technology Co.,Ltd)
ShellIconOverlayIdentifiers: FunOverlay -> {A5662DF9-0C2E-4A56-9FE1-BACFF6966D88} => C:\Users\Public\Fundata\Mindj.dll (Funshion)
ShellIconOverlayIdentifiers-x32: DownloadIcon -> {A8502600-B272-4F68-A67B-A0305D46D297} => C:\ProgramData\QvodPlayer\QvodExtend\5.0.100.0\QvodExtend.dll (Shenzhen QVOD Technology Co.,Ltd)\5.0.100.0\QvodExtend_x64.dll (Shenzhen QVOD Technology Co.,Ltd)
ShellIconOverlayIdentifiers: FunOverlay -> {A5662DF9-0C2E-4A56-9FE1-BACFF6966D88} => C:\Users\Public\Fundata\Mindj.dll (Funshion)
ShellIconOverlayIdentifiers-x32: DownloadIcon -> {A8502600-B272-4F68-A67B-A0305D46D297} => C:\ProgramData\QvodPlayer\QvodExtend\5.0.100.0\QvodExtend.dll (Shenzhen QVOD Technology Co.,Ltd))
DPF: HKLM-x32 {173D9E48-B527-4AA0-A929-30B446002AA8} http://210.186.135.208/DVRemoteAx.cab
DPF: HKLM-x32 {9AA03FEC-6582-48B1-BC62-821D4A7B9461} http://175.139.226.3...tiveX.cab?V1203
DPF: HKLM-x32 {AC2721FA-207D-44AE-8673-AE9074FC725C} http://175.136.217.114/DvrOcx.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} -  No File
Handler: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -  No File
Handler: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} -  No File
Handler: kuwo - {3050f3DA-98B5-11CF-BB82-00AA00BDCE0C} -  No File
Handler-x32: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\BelarcAdvisor\System\BAVoilaX.dll (Belarc, Inc.)
Handler-x32: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\PROGRA~2\KuGou\KGMusic\KUGOO3~1.OCX No File
Handler-x32: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\PROGRA~2\KuGou\KGMusic\KUGOO3~1.OCX No File
Handler-x32: kuwo - {3050f3DA-98B5-11CF-BB82-00AA00BDCE0C} -  No File
Hosts: Hosts file not detected in the default directory
FF Plugin: @pps.tv/npWebPlayer -> D:\IQIYI Video\LStyle\npWebPlayer.dll (爱奇艺)
FF Plugin: @qvod.com/QvodShare -> C:\Program Files (x86)\QvodPlayer\npShareModule_x64.dll No File
FF Plugin-x32: @funshion.com/npFunshion -> C:\Users\Dave\funshion\funshiontools\npFunshion.dll No File
FF Plugin-x32: @huawei.com/npHWPlugin -> C:\Program Files (x86)\Web_TV\WebTVPlugin\npHWPlugin.dll ()
FF Plugin-x32: @iqiyi.com/npclient -> D:\IQIYI Video\LStyle\npclient.dll ()
FF Plugin-x32: @pps.tv/npWebPlayer -> D:\IQIYI Video\LStyle\npWebPlayer.dll (爱奇艺)
FF Plugin-x32: @sohu.com/npifox -> C:\Program Files (x86)\搜狐影音\npifox.dll No File
FF Plugin-x32: @t.garena.com/garenatalk -> C:\Program Files (x86)\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll No File
FF Plugin-x32: @verimatrix.com/ViewRightWeb -> C:\Program Files (x86)\Web_TV\WebTVPlugin\\npViewRight.dll No File
FF Plugin HKCU: @pps.tv/npWebPlayer -> D:\IQIYI Video\LStyle\npWebPlayer.dll (爱奇艺)
FF Plugin HKCU: @qvod.com/QvodInsert -> C:\Program Files (x86)\QvodPlayer\npQvodInsert.dll No File
FF Plugin HKCU: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Dave\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF Plugin HKCU: @verimatrix.com/ViewRightWeb -> C:\Program Files (x86)\Web_TV\WebTVPlugin\\npViewRight.dll No File
FF Plugin HKCU: KuaiWanInsert -> C:\Program Files (x86)\QvodPlayer\AddIn\KWWebgame\npKWWebGame.dll No File
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [268512 2014-01-25] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133928 2014-03-11] (Microsoft Corporation)
S3 ssudserd; C:\Windows\System32\DRIVERS\ssudserd.sys [206080 2014-01-22] (DEVGURU Co., LTD.(www.devguru.co.kr))
S1 bd0001; system32\DRIVERS\bd0001.sys [X]
S1 bd0004; system32\DRIVERS\bd0004.sys [X]
2014-09-02 15:53 - 2014-09-02 15:53 - 00003242 _____ () C:\Windows\System32\Tasks\Trojan Killer
2014-09-02 15:52 - 2014-09-02 15:52 - 00000000 ____D () C:\ProgramData\GridinSoft
2014-09-02 14:40 - 2014-09-02 14:40 - 00000000 ____D () C:\Users\Dave\AppData\Roaming\360safe
2014-09-02 14:32 - 2014-04-15 15:18 - 00180808 _____ (360.cn) C:\Windows\system32\Drivers\BAPIDRV64.SYS
2014-09-02 14:29 - 2014-09-02 14:41 - 00000000 ____D () C:\ProgramData\360SD
2014-09-02 14:29 - 2014-04-23 11:51 - 00077896 _____ (360.cn) C:\Windows\system32\Drivers\360AvFlt.sys
2014-09-02 12:37 - 2014-09-02 12:38 - 00000000 ____D () C:\Program Files\Adware-Removal-Tool
2014-09-01 11:25 - 2014-09-01 11:25 - 00001885 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\影视搜索.lnk
2014-08-30 23:26 - 2014-08-30 23:26 - 00000000 ____D () C:\Users\Dave\AppData\Roaming\PushApp
2014-08-30 23:25 - 2014-08-30 23:25 - 00000000 ____D () C:\Users\Dave\AppData\Local\Temp尰
2014-08-27 21:05 - 2014-08-27 21:05 - 00000000 ____D () C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\爱奇艺
2014-09-04 14:38 - 2014-09-04 14:38 - 00001790 _____ () C:\sc-cleaner.txt
2014-09-04 14:30 - 2014-09-04 14:30 - 00441592 _____ (Bleeping Computer, LLC) C:\Users\Dave\Downloads\sc-cleaner.exe
2014-09-02 13:54 - 2014-07-04 11:34 - 00000000 ___HD () C:\Users\Public\FunAcce
2014-09-02 12:38 - 2014-09-02 12:37 - 00000000 ____D () C:\Program Files\Adware-Removal-Tool
2014-09-02 12:28 - 2014-04-21 22:17 - 00000000 ____D () C:\Users\Dave\AppData\Roaming\CloudMedia
2014-09-02 12:09 - 2014-07-15 19:03 - 00000000 ____D () C:\Users\Dave\AppData\Roaming\Funshion
2014-08-30 23:25 - 2014-08-30 23:25 - 00000000 ____D () C:\Users\Dave\AppData\Local\Temp尰
2014-08-27 21:05 - 2014-08-27 21:05 - 00000000 ____D () C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\爱奇艺
2014-08-27 21:05 - 2014-06-17 15:55 - 00001668 _____ () C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\爱奇艺PPS影音.lnk
2014-08-09 01:47 - 2013-12-23 09:16 - 00001102 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9.lnk
C:\Users\Dave\AppData\Local\Temp\ose00000.exe
C:\Users\Dave\AppData\Local\Temp\Quarantine.exe
C:\Users\Dave\AppData\Local\Temp\thunder1.5.2.246.exe
2014-07-10 23:57 - 2013-11-19 22:34 - 00152576 _____ () C:\Program Files (x86)\Remote Mouse\FileS.dll
2014-06-24 15:38 - 2014-06-24 15:38 - 00014256 _____ () C:\ProgramData\QvodPlayer\QvodWebBase\1.0.0.52\QvodWebService.exe
Task: {34A3A191-A0DA-4699-9BE5-CF2FF9802252} - System32\Tasks\MobProtect => D:\PPS.tv\PPStream\PPSProtect.exe
Task: {363F7DE4-D3C1-49F3-A1F8-34F4AEA7941E} - System32\Tasks\Trojan Killer => C:\Program Files\GridinSoft Trojan Killer\trojankiller.exe
Task: {E40AB665-38DC-4284-A321-1DACA702F76C} - System32\Tasks\PPSProtect => D:\PPS.tv\PPStream\PPSProtect.exe
D:\PPS.tv
C:\Program Files\GridinSoft Trojan Killer
cmd: ipconfig /release
cmd: ipconfig /renew
cmd: ipconfig /flushdns
cmd: netsh winsock reset all
cmd: netsh int ip reset all
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F  
Emptytemp:
reboot:
end
*****************
 
[2032] C:\ProgramData\QvodPlayer\QvodWebBase\1.0.0.52\QvodWebService.exe => Process closed successfully.
C:\Users\Dave\AppData\Roaming\Funshion\Funshion.exe => No running process found
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe => No running process found
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe => No running process found
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe => No running process found
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe => No running process found
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe => No running process found
[2608] C:\Program Files (x86)\Remote Mouse\RemoteMouse.exe => Process closed successfully.
[2176] C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe => Process closed successfully.
[3324] C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe => Process closed successfully.
[3332] C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe => Process closed successfully.
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\PPS Accelerator => value deleted successfully.
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\QyKernel => value deleted successfully.
HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run\\PPS Accelerator => value deleted successfully.
HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run\\QyKernel => value deleted successfully.
HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run\\PPS Accelerator => value deleted successfully.
HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run\\QyKernel => value deleted successfully.
HKU\S-1-5-21-402487621-2575195799-2967451988-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Remote Mouse => value deleted successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DownloadIcon" => Key deleted successfully.
"HKCR\CLSID\{A8502600-B272-4F68-A67B-A0305D46D298}" => Key deleted successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\FunOverlay" => Key deleted successfully.
"HKCR\CLSID\{A5662DF9-0C2E-4A56-9FE1-BACFF6966D88}" => Key deleted successfully.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DownloadIcon" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{A8502600-B272-4F68-A67B-A0305D46D297}" => Key deleted successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\FunOverlay" => Key not found.
"HKCR\CLSID\{A5662DF9-0C2E-4A56-9FE1-BACFF6966D88}" => Key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DownloadIcon" => Key not found.
"HKCR\Wow6432Node\CLSID\{A8502600-B272-4F68-A67B-A0305D46D297}" => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Code Store Database\Distribution Units\{173D9E48-B527-4AA0-A929-30B446002AA8}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{173D9E48-B527-4AA0-A929-30B446002AA8}" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Code Store Database\Distribution Units\{9AA03FEC-6582-48B1-BC62-821D4A7B9461}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{9AA03FEC-6582-48B1-BC62-821D4A7B9461}" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Code Store Database\Distribution Units\{AC2721FA-207D-44AE-8673-AE9074FC725C}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{AC2721FA-207D-44AE-8673-AE9074FC725C}" => Key deleted successfully.
"HKCR\PROTOCOLS\Handler\belarc" => Key deleted successfully.
"HKCR\CLSID\{6318E0AB-2E93-11D1-B8ED-00608CC9A71F}" => Key not found.
"HKCR\PROTOCOLS\Handler\KuGoo" => Key deleted successfully.
"HKCR\CLSID\{6AC4FBC7-AA38-45EC-9634-D6D20B679EFC}" => Key not found.
"HKCR\PROTOCOLS\Handler\KuGoo3" => Key deleted successfully.
"HKCR\CLSID\{6AC4FBC7-AA38-45EC-9634-D6D20B679EFC}" => Key not found.
"HKCR\PROTOCOLS\Handler\kuwo" => Key deleted successfully.
"HKCR\CLSID\{3050f3DA-98B5-11CF-BB82-00AA00BDCE0C}" => Key not found.
"HKCR\Wow6432Node\PROTOCOLS\Handler\belarc" => Key not found.
"HKCR\Wow6432Node\CLSID\{6318E0AB-2E93-11D1-B8ED-00608CC9A71F}" => Key deleted successfully.
"HKCR\Wow6432Node\PROTOCOLS\Handler\KuGoo" => Key not found.
"HKCR\Wow6432Node\CLSID\{6AC4FBC7-AA38-45EC-9634-D6D20B679EFC}" => Key deleted successfully.
"HKCR\Wow6432Node\PROTOCOLS\Handler\KuGoo3" => Key not found.
"HKCR\Wow6432Node\CLSID\{6AC4FBC7-AA38-45EC-9634-D6D20B679EFC}" => Key not found.
"HKCR\Wow6432Node\PROTOCOLS\Handler\kuwo" => Key not found.
"HKCR\Wow6432Node\CLSID\{3050f3DA-98B5-11CF-BB82-00AA00BDCE0C}" => Key not found.
Hosts was reset successfully.
"HKLM\Software\MozillaPlugins\@pps.tv/npWebPlayer" => Key deleted successfully.
D:\IQIYI Video\LStyle\npWebPlayer.dll => Moved successfully.
"HKLM\Software\MozillaPlugins\@qvod.com/QvodShare" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@funshion.com/npFunshion" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@huawei.com/npHWPlugin" => Key deleted successfully.
C:\Program Files (x86)\Web_TV\WebTVPlugin\npHWPlugin.dll => Moved successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@iqiyi.com/npclient" => Key deleted successfully.
D:\IQIYI Video\LStyle\npclient.dll => Moved successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@pps.tv/npWebPlayer" => Key deleted successfully.
D:\IQIYI Video\LStyle\npWebPlayer.dll not found.
"HKLM\Software\Wow6432Node\MozillaPlugins\@sohu.com/npifox" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@t.garena.com/garenatalk" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@verimatrix.com/ViewRightWeb" => Key deleted successfully.
"HKCU\Software\MozillaPlugins\@pps.tv/npWebPlayer" => Key deleted successfully.
D:\IQIYI Video\LStyle\npWebPlayer.dll not found.
"HKCU\Software\MozillaPlugins\@qvod.com/QvodInsert" => Key deleted successfully.
C:\Program Files (x86)\QvodPlayer\npQvodInsert.dll not found.
"HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0" => Key deleted successfully.
C:\Users\Dave\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll => Moved successfully.
"HKCU\Software\MozillaPlugins\@verimatrix.com/ViewRightWeb" => Key deleted successfully.
C:\Program Files (x86)\Web_TV\WebTVPlugin\\npViewRight.dll not found.
"HKCU\Software\MozillaPlugins\KuaiWanInsert" => Key deleted successfully.
C:\Program Files (x86)\QvodPlayer\AddIn\KWWebgame\npKWWebGame.dll not found.
MpFilter => Unable to stop service
MpFilter => Error deleting Service
NisDrv => Unable to stop service
NisDrv => Error deleting Service
ssudserd => Service deleted successfully.
bd0001 => Service deleted successfully.
bd0004 => Service deleted successfully.
C:\Windows\System32\Tasks\Trojan Killer => Moved successfully.
C:\ProgramData\GridinSoft => Moved successfully.
C:\Users\Dave\AppData\Roaming\360safe => Moved successfully.
C:\Windows\system32\Drivers\BAPIDRV64.SYS => Moved successfully.
C:\ProgramData\360SD => Moved successfully.
C:\Windows\system32\Drivers\360AvFlt.sys => Moved successfully.
C:\Program Files\Adware-Removal-Tool => Moved successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\影视搜索.lnk => Moved successfully.
C:\Users\Dave\AppData\Roaming\PushApp => Moved successfully.
C:\Users\Dave\AppData\Local\Temp尰 => Moved successfully.
C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\爱奇艺 => Moved successfully.
C:\sc-cleaner.txt => Moved successfully.
C:\Users\Dave\Downloads\sc-cleaner.exe => Moved successfully.
 
"C:\Users\Public\FunAcce" directory move:
 
C:\Users\Public\FunAcce\Condor.daw => Moved successfully.
C:\Users\Public\FunAcce\Condor.dll => Moved successfully.
C:\Users\Public\FunAcce\config.ini => Moved successfully.
C:\Users\Public\FunAcce\Cuckoo.daw => Moved successfully.
C:\Users\Public\FunAcce\Cuckoo.dll => Moved successfully.
C:\Users\Public\FunAcce\FunAcce.daw => Moved successfully.
C:\Users\Public\FunAcce\FunAcce.dll => Moved successfully.
C:\Users\Public\FunAcce\FunAcceil.daw => Moved successfully.
C:\Users\Public\FunAcce\FunAcceil.dll => Moved successfully.
C:\Users\Public\FunAcce\FunBSS.daw => Moved successfully.
C:\Users\Public\FunAcce\FunBSS64.daw => Moved successfully.
C:\Users\Public\FunAcce\FunNest.daw => Moved successfully.
C:\Users\Public\FunAcce\FunNest64.daw => Moved successfully.
C:\Users\Public\FunAcce\Glede.daw => Moved successfully.
C:\Users\Public\FunAcce\Glede.dll => Moved successfully.
C:\Users\Public\FunAcce\Pecker.daw => Moved successfully.
C:\Users\Public\FunAcce\Pecker.dll => Moved successfully.
C:\Users\Public\FunAcce\Pigeon.daw => Moved successfully.
C:\Users\Public\FunAcce\Tag.daw => Moved successfully.
C:\Users\Public\FunAcce\TagLog.daw => Moved successfully.
C:\Users\Public\FunAcce\Turkey.daw => Moved successfully.
C:\Users\Public\FunAcce\LogData\94506b1d-b697-43a8-91ed-86c967b8b8c1_LOG20140901 => Moved successfully.
C:\Users\Public\FunAcce\LogData\LOG20140827.daw => Moved successfully.
C:\Users\Public\FunAcce\LogData\LOG20140828.daw => Moved successfully.
C:\Users\Public\FunAcce\LogData\LOG20140829.daw => Moved successfully.
C:\Users\Public\FunAcce\LogData\LOG20140830.daw => Moved successfully.
C:\Users\Public\FunAcce\LogData\LOG20140831.daw => Moved successfully.
C:\Users\Public\FunAcce\LogData\LOG20140901.daw => Moved successfully.
C:\Users\Public\FunAcce\BaseData\20140904.daw => Moved successfully.
Could not move "C:\Users\Public\FunAcce\BaseData\20140905.daw" => Scheduled to move on reboot.
Could not move "C:\Users\Public\FunAcce" directory. => Scheduled to move on reboot.
 
"C:\Program Files\Adware-Removal-Tool" => File/Directory not found.
C:\Users\Dave\AppData\Roaming\CloudMedia => Moved successfully.
C:\Users\Dave\AppData\Roaming\Funshion => Moved successfully.
"C:\Users\Dave\AppData\Local\Temp尰" => File/Directory not found.
"C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\爱奇艺" => File/Directory not found.
C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\爱奇艺PPS影音.lnk => Moved successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9.lnk => Moved successfully.
C:\Users\Dave\AppData\Local\Temp\ose00000.exe => Moved successfully.
C:\Users\Dave\AppData\Local\Temp\Quarantine.exe => Moved successfully.
C:\Users\Dave\AppData\Local\Temp\thunder1.5.2.246.exe => Moved successfully.
C:\Program Files (x86)\Remote Mouse\FileS.dll => Moved successfully.
C:\ProgramData\QvodPlayer\QvodWebBase\1.0.0.52\QvodWebService.exe => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{34A3A191-A0DA-4699-9BE5-CF2FF9802252}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{34A3A191-A0DA-4699-9BE5-CF2FF9802252}" => Key deleted successfully.
C:\Windows\System32\Tasks\MobProtect => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MobProtect" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{363F7DE4-D3C1-49F3-A1F8-34F4AEA7941E}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{363F7DE4-D3C1-49F3-A1F8-34F4AEA7941E}" => Key deleted successfully.
C:\Windows\System32\Tasks\Trojan Killer not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Trojan Killer" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E40AB665-38DC-4284-A321-1DACA702F76C}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E40AB665-38DC-4284-A321-1DACA702F76C}" => Key deleted successfully.
C:\Windows\System32\Tasks\PPSProtect => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PPSProtect" => Key deleted successfully.
D:\PPS.tv => Moved successfully.
"C:\Program Files\GridinSoft Trojan Killer" => File/Directory not found.
 
=========  ipconfig /release =========
 
 
Windows IP Configuration
 
No operation can be performed on Wireless Network Connection 2 while it has its media disconnected.
No operation can be performed on Local Area Connection while it has its media disconnected.
 
Wireless LAN adapter Wireless Network Connection 2:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Ethernet adapter Local Area Connection:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Wireless LAN adapter Wireless Network Connection:
 
   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::31d9:b8c2:421b:8c52%11
   Default Gateway . . . . . . . . . : 
 
Tunnel adapter isatap.{5F57A0D6-50F0-49D8-B706-C05556627215}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6abd:2053:18f0:3f57:ff87
   Link-local IPv6 Address . . . . . : fe80::2053:18f0:3f57:ff87%12
   Default Gateway . . . . . . . . . : ::
 
========= End of CMD: =========
 
 
=========  ipconfig /renew =========
 
 
Windows IP Configuration
 
No operation can be performed on Wireless Network Connection 2 while it has its media disconnected.
No operation can be performed on Local Area Connection while it has its media disconnected.
 
Wireless LAN adapter Wireless Network Connection 2:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Ethernet adapter Local Area Connection:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Wireless LAN adapter Wireless Network Connection:
 
   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::31d9:b8c2:421b:8c52%11
   IPv4 Address. . . . . . . . . . . : 192.168.0.120
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
 
Tunnel adapter isatap.{5F57A0D6-50F0-49D8-B706-C05556627215}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6abd:2caf:1d03:3f57:ff87
   Link-local IPv6 Address . . . . . : fe80::2caf:1d03:3f57:ff87%12
   Default Gateway . . . . . . . . . : ::
 
========= End of CMD: =========
 
 
=========  ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
 
=========  netsh winsock reset all =========
 
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
 
=========  netsh int ip reset all =========
 
Reseting Global, OK!
Reseting Interface, OK!
Reseting Unicast Address, OK!
Reseting Route, OK!
Restart the computer to complete this action.
 
 
========= End of CMD: =========
 
 
=========  netsh advfirewall reset =========
 
Ok.
 
 
========= End of CMD: =========
 
 
=========  netsh advfirewall set allprofiles state on =========
 
Ok.
 
 
========= End of CMD: =========
 
 
========= Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F =========
 
The operation completed successfully.
 
 
 
========= End of Reg: =========
 
 
========= Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F =========
 
The operation completed successfully.
 
 
 
========= End of Reg: =========
 
EmptyTemp: => Removed 945.1 MB temporary data.
 
=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-09-05 10:05:41)<=
 
C:\Users\Public\FunAcce\BaseData\20140905.daw => Is moved successfully.
C:\Users\Public\FunAcce => Is moved successfully.
 
==== End of Fixlog ====
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Home Premium x64
Ran by Dave on 05-Sep-14 at 10:08:43.40
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 05-Sep-14 at 10:13:47.61
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 

  • 0

#9
ruggie_uk

ruggie_uk

    Trusted Helper

  • Malware Removal
  • 2,083 posts

That's great news Mizriel, let's get you fully cleaned up :D

Step 1

Please run FRST/FRST64 again from your Desktop. If you do not currently have it on your system, download it from here and save it to your desktop.

  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to the disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.

Step 2

AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.


NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

Optional:

NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.

  • Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
  • You will see the following console:

    [screenshot: AdwCleaner scan console]
  • Click the Scan button and wait for the scan to finish.
  • After the scan has finished, the window may or may not show what it found, and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove. Please Do Not delete anything at this time.
  • Click the Report button to get the log.
  • Copy and Paste it into your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[R0].txt.
  • Click the X in the upper right corner of the program or click the File menu and click Exit to close the program.

Items I need to see in your next post:

  • FRST log
  • ADWcleaner log

  • 1

#10
mizriel

mizriel

    Member

  • Topic Starter
  • Member
  • 11 posts

Hi ruggie,

 

There you go..

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 03-09-2014 02
Ran by Dave (administrator) on DAVE-PC on 05-09-2014 20:29:23
Running from C:\Users\Dave\Desktop
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1271072 2014-03-11] (Microsoft Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:Tabs
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com
StartMenuInternet: IEXPLORE.EXE - C:\program files (x86)\Internet Explorer\iexplore.exe
Tcpip\Parameters: [DhcpNameServer] 192.168.1.5
Tcpip\..\Interfaces\{2513406E-FD75-48BB-AD4B-80F30DDB089D}: [NameServer] 8.8.8.8,8.8.4.4
 
FireFox:
========
FF ProfilePath: C:\Users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\xzeqs5du.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_14_0_0_145.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_14_0_0_145.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> D:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
Chrome: 
=======
CHR HomePage: Default -> 
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR DefaultSearchKeyword: Default -> 7031BCA959F1CF826C0394D5C2A057BF9F64354F380471522F3B6B8E9FC5D244
CHR DefaultSearchProvider: Default -> 2EE3968D0F31FB75ABC697CEA07075238928273F58C1B99132403B61C54BCF2B
CHR DefaultSearchURL: Default -> 1961B51E9CF03D5544F3D2314C3D86E99FE398416F8B60939A9F796064B85943
CHR Profile: C:\Users\Dave\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Dave\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-11-02]
CHR Extension: (Google Drive) - C:\Users\Dave\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-11-02]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Dave\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-25]
CHR Extension: (YouTube) - C:\Users\Dave\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-11-02]
CHR Extension: (Google Search) - C:\Users\Dave\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-11-02]
CHR Extension: (Google Wallet) - C:\Users\Dave\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-11-02]
CHR Extension: (Gmail) - C:\Users\Dave\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-11-02]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2014-03-11] (Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [347872 2014-03-11] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [268512 2014-01-25] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133928 2014-03-11] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-09-05 10:13 - 2014-09-05 10:13 - 00000622 _____ () C:\Users\Dave\Desktop\JRT.txt
2014-09-04 15:06 - 2014-09-04 15:06 - 00068538 _____ () C:\Users\Dave\Desktop\OTL.Txt
2014-09-04 15:06 - 2014-09-04 15:06 - 00064304 _____ () C:\Users\Dave\Desktop\Extras.Txt
2014-09-04 14:54 - 2014-09-04 14:55 - 00602112 _____ (OldTimer Tools) C:\Users\Dave\Desktop\OTL.exe
2014-09-04 14:41 - 2014-09-05 20:29 - 00007717 _____ () C:\Users\Dave\Desktop\FRST.txt
2014-09-04 14:41 - 2014-09-05 20:29 - 00000000 ____D () C:\FRST
2014-09-04 14:31 - 2014-09-04 14:31 - 01016261 _____ (Thisisu) C:\Users\Dave\Desktop\JRT.exe
2014-09-04 14:31 - 2014-09-04 14:31 - 00000000 ____D () C:\Windows\ERUNT
2014-09-04 13:00 - 2014-09-04 13:01 - 02104832 _____ (Farbar) C:\Users\Dave\Desktop\FRST64.exe
2014-09-03 09:43 - 2014-09-05 10:45 - 00008955 _____ () C:\Users\Dave\Desktop\claims.xlsx
2014-09-02 16:32 - 2014-09-02 16:32 - 00000000 ____D () C:\QvodPlayer
2014-09-02 15:38 - 2010-08-30 08:34 - 00536576 _____ (SQLite Development Team) C:\Windows\SysWOW64\sqlite3.dll
2014-09-02 12:38 - 2014-09-02 12:38 - 00290304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\subinacl.exe
2014-08-29 00:32 - 2014-08-29 00:32 - 00001568 _____ () C:\Users\Public\Desktop\iTunes.lnk
2014-08-29 00:32 - 2014-08-29 00:32 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2014-08-29 00:32 - 2014-08-29 00:32 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-08-29 00:32 - 2014-08-29 00:32 - 00000000 ____D () C:\Program Files\iTunes
2014-08-29 00:32 - 2014-08-29 00:32 - 00000000 ____D () C:\Program Files\iPod
2014-08-29 00:32 - 2012-08-21 13:01 - 00033240 _____ (GEAR Software Inc.) C:\Windows\system32\Drivers\GEARAspiWDM.sys
2014-08-28 09:24 - 2014-08-23 10:07 - 00404480 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2014-08-28 09:24 - 2014-08-23 09:45 - 00311808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll
2014-08-28 09:24 - 2014-08-23 08:59 - 03163648 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-08-27 21:05 - 2014-09-01 03:06 - 00000000 ____D () C:\Users\Dave\AppData\Roaming\ppslog
2014-08-26 11:44 - 2014-08-26 12:09 - 00000000 _____ () C:\sparkraw.log
2014-08-26 10:25 - 2014-08-26 10:25 - 00000000 ____D () C:\Users\Dave\AppData\Local\Adobe
2014-08-16 12:14 - 2014-08-16 12:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AC3Filter
2014-08-16 12:14 - 2014-08-16 12:14 - 00000000 ____D () C:\Program Files (x86)\AC3Filter
2014-08-16 12:14 - 2012-06-17 22:18 - 01202688 _____ () C:\Windows\system32\ac3filter64.acm
2014-08-16 12:14 - 2012-06-17 22:10 - 00965120 _____ () C:\Windows\SysWOW64\ac3filter.acm
2014-08-15 10:06 - 2014-07-16 11:23 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2014-08-15 10:06 - 2014-07-16 10:46 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2014-08-15 10:06 - 2014-07-09 10:03 - 00007168 _____ (Microsoft Corporation) C:\Windows\system32\KBDYAK.DLL
2014-08-15 10:06 - 2014-07-09 10:03 - 00007168 _____ (Microsoft Corporation) C:\Windows\system32\KBDTAT.DLL
2014-08-15 10:06 - 2014-07-09 10:03 - 00007168 _____ (Microsoft Corporation) C:\Windows\system32\KBDRU1.DLL
2014-08-15 10:06 - 2014-07-09 10:03 - 00007168 _____ (Microsoft Corporation) C:\Windows\system32\KBDBASH.DLL
2014-08-15 10:06 - 2014-07-09 10:03 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\KBDRU.DLL
2014-08-15 10:06 - 2014-07-09 09:31 - 00007168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDYAK.DLL
2014-08-15 10:06 - 2014-07-09 09:31 - 00007168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDTAT.DLL
2014-08-15 10:06 - 2014-07-09 09:31 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDRU1.DLL
2014-08-15 10:06 - 2014-07-09 09:31 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDRU.DLL
2014-08-15 10:06 - 2014-07-09 09:31 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDBASH.DLL
2014-08-15 10:06 - 2014-07-09 06:38 - 00419992 _____ () C:\Windows\system32\locale.nls
2014-08-15 10:06 - 2014-07-09 06:30 - 00419992 _____ () C:\Windows\SysWOW64\locale.nls
2014-08-15 10:06 - 2014-06-16 10:10 - 00985536 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys
2014-08-15 10:06 - 2014-06-03 18:02 - 03241984 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2014-08-15 10:06 - 2014-06-03 18:02 - 01941504 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll
2014-08-15 10:06 - 2014-06-03 18:02 - 00504320 _____ (Microsoft Corporation) C:\Windows\system32\msihnd.dll
2014-08-15 10:06 - 2014-06-03 18:02 - 00112064 _____ (Microsoft Corporation) C:\Windows\system32\consent.exe
2014-08-15 10:06 - 2014-06-03 17:29 - 02363392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2014-08-15 10:06 - 2014-06-03 17:29 - 01805824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2014-08-15 10:06 - 2014-06-03 17:29 - 00337408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msihnd.dll
2014-08-15 10:05 - 2014-08-01 07:41 - 00348856 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-08-15 10:05 - 2014-08-01 07:16 - 00307384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-08-15 10:05 - 2014-07-25 22:52 - 23645696 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-08-15 10:05 - 2014-07-25 22:02 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-08-15 10:05 - 2014-07-25 22:01 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-08-15 10:05 - 2014-07-25 21:51 - 17524224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-08-15 10:05 - 2014-07-25 21:30 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-08-15 10:05 - 2014-07-25 21:28 - 00548352 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-08-15 10:05 - 2014-07-25 21:28 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-08-15 10:05 - 2014-07-25 21:25 - 02774528 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-08-15 10:05 - 2014-07-25 21:25 - 00083968 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-08-15 10:05 - 2014-07-25 21:11 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-08-15 10:05 - 2014-07-25 21:10 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-08-15 10:05 - 2014-07-25 21:04 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-08-15 10:05 - 2014-07-25 21:03 - 00598016 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-08-15 10:05 - 2014-07-25 21:00 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-08-15 10:05 - 2014-07-25 21:00 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-08-15 10:05 - 2014-07-25 20:59 - 00758272 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-08-15 10:05 - 2014-07-25 20:47 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-08-15 10:05 - 2014-07-25 20:40 - 00452096 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-08-15 10:05 - 2014-07-25 20:34 - 00455168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-08-15 10:05 - 2014-07-25 20:34 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-08-15 10:05 - 2014-07-25 20:33 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-08-15 10:05 - 2014-07-25 20:30 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2014-08-15 10:05 - 2014-07-25 20:28 - 05824512 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-08-15 10:05 - 2014-07-25 20:28 - 00072704 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-08-15 10:05 - 2014-07-25 20:21 - 02184704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-08-15 10:05 - 2014-07-25 20:19 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-08-15 10:05 - 2014-07-25 20:18 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-08-15 10:05 - 2014-07-25 20:17 - 00085504 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-08-15 10:05 - 2014-07-25 20:17 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-08-15 10:05 - 2014-07-25 20:12 - 00438784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-08-15 10:05 - 2014-07-25 20:10 - 00292864 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-08-15 10:05 - 2014-07-25 20:10 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-08-15 10:05 - 2014-07-25 20:08 - 00597504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-08-15 10:05 - 2014-07-25 20:06 - 04204032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-08-15 10:05 - 2014-07-25 19:52 - 00367104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-08-15 10:05 - 2014-07-25 19:47 - 00631808 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-08-15 10:05 - 2014-07-25 19:43 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-08-15 10:05 - 2014-07-25 19:42 - 00692736 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-08-15 10:05 - 2014-07-25 19:39 - 02087936 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-08-15 10:05 - 2014-07-25 19:39 - 01249280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-08-15 10:05 - 2014-07-25 19:36 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-08-15 10:05 - 2014-07-25 19:34 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-08-15 10:05 - 2014-07-25 19:29 - 00239616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-08-15 10:05 - 2014-07-25 19:23 - 13547008 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-08-15 10:05 - 2014-07-25 19:13 - 00526336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-08-15 10:05 - 2014-07-25 19:07 - 02001920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-08-15 10:05 - 2014-07-25 19:07 - 01068032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2014-08-15 10:05 - 2014-07-25 19:03 - 11772928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-08-15 10:05 - 2014-07-25 18:52 - 02266624 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-08-15 10:05 - 2014-07-25 18:26 - 01431040 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-08-15 10:05 - 2014-07-25 18:17 - 00846336 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-08-15 10:05 - 2014-07-25 18:09 - 00704512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-08-15 10:05 - 2014-07-25 18:05 - 01792512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-08-15 10:05 - 2014-07-25 18:00 - 01169920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-08-15 10:05 - 2014-06-25 10:05 - 14175744 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2014-08-15 10:05 - 2014-06-25 09:41 - 12874240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2014-08-15 09:53 - 2014-08-07 10:06 - 00529920 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-08-15 09:53 - 2014-08-07 10:01 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-08-15 09:53 - 2014-07-14 10:02 - 01216000 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2014-08-15 09:53 - 2014-07-14 09:40 - 00664064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2014-08-15 00:42 - 2014-07-01 06:24 - 00008856 _____ (Microsoft Corporation) C:\Windows\system32\icardres.dll
2014-08-15 00:42 - 2014-07-01 06:14 - 00008856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\icardres.dll
2014-08-15 00:42 - 2014-06-06 14:16 - 00035480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TsWpfWrp.exe
2014-08-15 00:42 - 2014-06-06 14:12 - 00035480 _____ (Microsoft Corporation) C:\Windows\system32\TsWpfWrp.exe
2014-08-15 00:42 - 2014-03-10 05:48 - 01389208 _____ (Microsoft Corporation) C:\Windows\system32\icardagt.exe
2014-08-15 00:42 - 2014-03-10 05:48 - 00171160 _____ (Microsoft Corporation) C:\Windows\system32\infocardapi.dll
2014-08-15 00:42 - 2014-03-10 05:47 - 00619672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\icardagt.exe
2014-08-15 00:42 - 2014-03-10 05:47 - 00099480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\infocardapi.dll
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-09-05 20:29 - 2014-09-04 14:41 - 00007717 _____ () C:\Users\Dave\Desktop\FRST.txt
2014-09-05 20:29 - 2014-09-04 14:41 - 00000000 ____D () C:\FRST
2014-09-05 20:28 - 2014-07-03 10:16 - 00000000 ____D () C:\Users\Dave\Desktop\Sambal
2014-09-05 20:24 - 2013-11-02 23:17 - 01990414 _____ () C:\Windows\WindowsUpdate.log
2014-09-05 20:23 - 2013-11-02 08:39 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-09-05 20:23 - 2009-07-14 12:45 - 00028352 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-09-05 20:23 - 2009-07-14 12:45 - 00028352 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-09-05 20:22 - 2013-11-02 18:57 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-09-05 16:23 - 2013-11-02 08:39 - 00000890 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-09-05 16:23 - 2010-11-21 11:47 - 00307562 _____ () C:\Windows\PFRO.log
2014-09-05 16:23 - 2009-07-14 13:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-09-05 16:23 - 2009-07-14 12:51 - 00233662 _____ () C:\Windows\setupact.log
2014-09-05 11:14 - 2013-11-03 01:53 - 00001209 _____ () C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\GOM Player.lnk
2014-09-05 10:45 - 2014-09-03 09:43 - 00008955 _____ () C:\Users\Dave\Desktop\claims.xlsx
2014-09-05 10:13 - 2014-09-05 10:13 - 00000622 _____ () C:\Users\Dave\Desktop\JRT.txt
2014-09-05 10:02 - 2014-07-10 23:57 - 00000000 ____D () C:\Program Files (x86)\Remote Mouse
2014-09-05 10:02 - 2013-11-03 11:15 - 00000000 ___HD () C:\Users\Public\Fundata
2014-09-05 10:01 - 2009-07-14 11:20 - 00000000 ____D () C:\Windows\system32\migwiz
2014-09-04 15:06 - 2014-09-04 15:06 - 00068538 _____ () C:\Users\Dave\Desktop\OTL.Txt
2014-09-04 15:06 - 2014-09-04 15:06 - 00064304 _____ () C:\Users\Dave\Desktop\Extras.Txt
2014-09-04 14:55 - 2014-09-04 14:54 - 00602112 _____ (OldTimer Tools) C:\Users\Dave\Desktop\OTL.exe
2014-09-04 14:31 - 2014-09-04 14:31 - 01016261 _____ (Thisisu) C:\Users\Dave\Desktop\JRT.exe
2014-09-04 14:31 - 2014-09-04 14:31 - 00000000 ____D () C:\Windows\ERUNT
2014-09-04 13:01 - 2014-09-04 13:00 - 02104832 _____ (Farbar) C:\Users\Dave\Desktop\FRST64.exe
2014-09-02 16:32 - 2014-09-02 16:32 - 00000000 ____D () C:\QvodPlayer
2014-09-02 15:34 - 2013-11-03 02:00 - 00000000 ____D () C:\ProgramData\QvodPlayer
2014-09-02 15:25 - 2013-11-03 22:42 - 00000954 _____ () C:\Users\Dave\AppData\Roaming\coreavc.ini
2014-09-02 12:38 - 2014-09-02 12:38 - 00290304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\subinacl.exe
2014-09-02 12:09 - 2013-11-02 08:23 - 00000000 ____D () C:\Users\Dave
2014-09-02 11:48 - 2013-12-04 18:00 - 00000118 _____ () C:\Users\Dave\Desktop\New Text Document.txt
2014-09-02 11:10 - 2013-11-02 11:06 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-09-02 10:43 - 2013-11-03 11:17 - 00000000 ____D () C:\ppsfile
2014-09-01 03:07 - 2013-11-03 11:17 - 00000000 ____D () C:\Users\Dave\AppData\Roaming\PPStream
2014-09-01 03:06 - 2014-08-27 21:05 - 00000000 ____D () C:\Users\Dave\AppData\Roaming\ppslog
2014-08-31 22:12 - 2009-07-14 13:13 - 00781298 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-08-31 22:09 - 2014-05-31 00:23 - 00000000 ____D () C:\Users\Dave\AppData\Roaming\Animals
2014-08-29 00:32 - 2014-08-29 00:32 - 00001568 _____ () C:\Users\Public\Desktop\iTunes.lnk
2014-08-29 00:32 - 2014-08-29 00:32 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2014-08-29 00:32 - 2014-08-29 00:32 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-08-29 00:32 - 2014-08-29 00:32 - 00000000 ____D () C:\Program Files\iTunes
2014-08-29 00:32 - 2014-08-29 00:32 - 00000000 ____D () C:\Program Files\iPod
2014-08-28 18:01 - 2009-07-14 12:45 - 00355432 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-08-27 10:00 - 2009-07-14 13:08 - 00032546 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-08-26 12:09 - 2014-08-26 11:44 - 00000000 _____ () C:\sparkraw.log
2014-08-26 10:25 - 2014-08-26 10:25 - 00000000 ____D () C:\Users\Dave\AppData\Local\Adobe
2014-08-23 10:07 - 2014-08-28 09:24 - 00404480 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2014-08-23 09:45 - 2014-08-28 09:24 - 00311808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll
2014-08-23 08:59 - 2014-08-28 09:24 - 03163648 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-08-20 22:28 - 2013-11-02 18:57 - 00699568 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-08-20 22:28 - 2013-11-02 18:57 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-08-20 22:28 - 2013-11-02 18:57 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-08-16 14:42 - 2009-07-14 11:20 - 00000000 ____D () C:\Windows\rescache
2014-08-16 12:14 - 2014-08-16 12:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AC3Filter
2014-08-16 12:14 - 2014-08-16 12:14 - 00000000 ____D () C:\Program Files (x86)\AC3Filter
2014-08-16 09:45 - 2009-07-14 11:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
2014-08-16 01:12 - 2014-01-07 00:15 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-08-15 09:57 - 2014-05-03 20:47 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-08-15 00:48 - 2013-11-02 09:15 - 00000000 ____D () C:\Windows\system32\MRT
2014-08-15 00:45 - 2013-11-02 11:09 - 99218768 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-08-07 10:06 - 2014-08-15 09:53 - 00529920 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-08-07 10:01 - 2014-08-15 09:53 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-08-07 09:28 - 2014-01-03 21:11 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MPC-HC x64
2014-08-07 09:28 - 2014-01-03 21:11 - 00000000 ____D () C:\Program Files\MPC-HC
 
Some content of TEMP:
====================
C:\Users\Dave\AppData\Local\Temp\ExPromo.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-08-19 23:17
 
==================== End Of Log ============================
 
# AdwCleaner v3.309 - Report created 05/09/2014 at 20:31:39
# Updated 02/09/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Dave - DAVE-PC
# Running from : C:\Users\Dave\Desktop\AdwCleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17239
 
 
-\\ Mozilla Firefox v30.0 (en-US)
 
[ File : C:\Users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\xzeqs5du.default\prefs.js ]
 
 
-\\ Google Chrome v37.0.2062.103
 
[ File : C:\Users\Dave\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
Found [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
Found [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
 
*************************
 
AdwCleaner[R2].txt - [932 octets] - [05/09/2014 20:31:39]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R2].txt - [991 octets] ##########
 


#11 ruggie_uk (Trusted Helper, Malware Removal, 2,083 posts)

Looking good :prop:

 

First...

Re-run AdwCleaner

Close all open windows and browsers.

  • Double click the AdwCleaner icon to run AdwCleaner. (Vista and 7 users) Right click the AdwCleaner icon, click Run as administrator and accept the UAC prompt to run AdwCleaner.
  • Click the Scan button and wait for the scan to complete.
  • When the Scan has finished the Scan button will be grayed out and the Clean button will be activated.
  • Click the Clean button.
  • Everything checked will be deleted.
  • When the program has finished cleaning a report appears.
  • Once done it will ask to reboot; allow this.
  • On reboot a log will be produced; please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[S0].txt

Next...

Install and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from Here or Here

  • Double Click the downloaded mbam-setup-x.x.x.xxxx.exe to install the application. (x.x.x.xxxx represents the current version number).
  • During installation, make sure to uncheck Enable free trial of Malwarebytes Anti-Malware Premium, then click Finish. You can always upgrade later ;)
  • If an update is found, it will download and install the latest updates automatically.
  • Now select the Settings tab, and check the box next to Scan for rootkits.
  • Go back to the Dashboard tab, and click the Scan Now button.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, it will show you the results.
  • Make sure that everything is checked, and click Quarantine All (or similar).
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note below) If the log doesn't open, select View detailed log in the Scan tab.
  • The log is automatically saved by MBAM and can be viewed by going to the History tab and clicking on Application Logs.
  • Choose the latest Scan Log, and click on the View button.
  • In the bottom of the Scanning History Log window that opens, you can click on Export > Save to Text file (*.txt). Save the report to your Desktop.
  • Copy & Paste the entire contents of the report log in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

*** In your next reply, I need you to Copy&Paste the contents of the MBAM log file.


Then...

Please run a free online scan with the ESET Online Scanner

  • Click Run Eset Online Scanner

Note: You will need to use Internet Explorer or Firefox (you will be prompted to install a helper program if you use Firefox) for this scan.
Important: Please disable your existing AV software for the duration of the scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Enable detection of potentially unwanted applications is checked
  • Next click on Advanced Settings and select:
      • Make sure that the option Remove found threats is NOT checked
      • Scan archives
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
  • Click Start; the virus database will update, this may take a while depending on your internet connection.
  • Once updated, the online scan will begin. (This scan can take several hours, so please be patient)
  • Once the scan is completed, click Finish
  • Use Notepad to open the logfile located at C:\Program Files (x86)\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic

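AdwCleaner's browser section above reads Firefox's prefs.js and Chrome's Preferences file and reports the search providers it finds there. As an added example, not code from the thread, from AdwCleaner or from any of the tools above, the script below does the same audit offline: it pulls the homepage, startup-URL and default-search settings out of both files and lists every entry whose host is not on the owner's own allow-list, which is how a hijack such as the hao123.com homepage in this thread shows up. Both input files are constructed samples (the hao123 and AOL values mirror the thread's topic, they are not copied from the poster's machine), and the Chrome key names used (`homepage`, `session.startup_urls`, `default_search_provider_data.template_url_data`) are assumed from Chrome's Preferences layout and may differ between versions.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample of a Firefox prefs.js; NOT taken from the poster's machine.
# On a real system read the prefs.js path that AdwCleaner printed for the profile.
SAMPLE_PREFS_JS = r'''# Mozilla User Preferences
user_pref("app.update.enabled", true);
user_pref("browser.startup.homepage", "http://www.hao123.com/?tn=example");
user_pref("browser.search.defaultenginename", "hao123");
user_pref("keyword.URL", "http://www.hao123.com/s?q=");
'''

# Constructed sample of the relevant part of Chrome's "Preferences" JSON file.
# Key names are an assumption about Chrome's layout and may vary by version.
SAMPLE_CHROME_PREFS_JSON = json.dumps({
    "homepage": "http://www.hao123.com/",
    "homepage_is_newtabpage": False,
    "session": {"restore_on_startup": 4, "startup_urls": ["http://www.hao123.com/"]},
    "default_search_provider_data": {
        "template_url_data": {
            "short_name": "AOL",
            "keyword": "aol.com",
            "url": "http://search.aol.com/aol/search?q={searchTerms}",
        }
    },
})

# Firefox prefs that decide where the browser opens and searches; a homepage
# hijacker has to overwrite these, so they are the ones worth auditing.
FIREFOX_KEYS = frozenset([
    "browser.startup.homepage",
    "browser.search.defaultenginename",
    "browser.search.selectedEngine",
    "keyword.URL",
])

# Matches  user_pref("name", "string value");  (only string-valued prefs matter here)
USER_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*"((?:[^"\\]|\\.)*)"\);')


def firefox_findings(prefs_js_text):
    """Map each audited Firefox pref name to its string value."""
    found = {}
    for match in USER_PREF_RE.finditer(prefs_js_text):
        name, value = match.group(1), match.group(2)
        if name in FIREFOX_KEYS:
            found[name] = value
    return found


def chrome_findings(preferences_json_text):
    """Extract homepage, startup URLs and default search URL from Chrome's Preferences."""
    prefs = json.loads(preferences_json_text)
    found = {}
    if "homepage" in prefs:
        found["homepage"] = prefs["homepage"]
    for i, url in enumerate(prefs.get("session", {}).get("startup_urls", [])):
        found["startup_urls[%d]" % i] = url
    engine = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    if "url" in engine:
        found["default_search_provider"] = engine["url"]
    return found


def unexpected_hosts(findings, allowed_hosts):
    """Return (setting, host) pairs whose host is not on the owner's allow-list.

    Values that are not http(s) URLs (e.g. a bare engine name) are reported with
    host '' so a human still sees them instead of them being silently dropped.
    """
    flagged = []
    for setting, value in sorted(findings.items()):
        parsed = urlparse(value)
        host = (parsed.hostname or "") if parsed.scheme in ("http", "https") else ""
        if host not in allowed_hosts:
            flagged.append((setting, host))
    return flagged


if __name__ == "__main__":
    # Replace with the hosts the owner actually chose for homepage and search.
    allowed = {"www.google.com"}
    for browser, findings in (("Firefox", firefox_findings(SAMPLE_PREFS_JS)),
                              ("Chrome", chrome_findings(SAMPLE_CHROME_PREFS_JSON))):
        for setting, host in unexpected_hosts(findings, allowed):
            print("%s: %s points at %r" % (browser, setting, host or findings[setting]))
```

Run it against the real files by reading the prefs.js and Preferences paths from the AdwCleaner report into the two functions; anything it flags is a setting to confirm with the owner before deciding it is a hijack, since a deliberately chosen non-default search engine is reported the same way.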

#12 mizriel (Topic Starter, Member, 11 posts)

Hi ruggie,

Sorry for the late reply.

# AdwCleaner v3.309 - Report created 06/09/2014 at 08:59:03

# Updated 02/09/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Dave - DAVE-PC
# Running from : C:\Users\Dave\Desktop\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17239
 
 
-\\ Mozilla Firefox v30.0 (en-US)
 
[ File : C:\Users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\xzeqs5du.default\prefs.js ]
 
 
-\\ Google Chrome v37.0.2062.103
 
[ File : C:\Users\Dave\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
 
*************************
 
AdwCleaner[R2].txt - [1070 octets] - [05/09/2014 20:31:39]
AdwCleaner[R3].txt - [1131 octets] - [06/09/2014 08:57:06]
AdwCleaner[S1].txt - [1057 octets] - [06/09/2014 08:59:03]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1117 octets] ##########
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 06-Sep-14
Scan Time: 9:05:31 AM
Logfile: MBAM.txt
Administrator: Yes
 
Version: 2.00.2.1012
Malware Database: v2014.09.05.10
Rootkit Database: v2014.08.21.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Dave
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 305180
Time Elapsed: 12 min, 50 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 5
PUP.Funshion, C:\Users\Public\Fundata\FunTesting.dll, Quarantined, [f0a9a1288af141f595456714817fed13], 
PUP.Funshion, C:\Users\Public\Fundata\gma.dll, Quarantined, [fa9f01c86c0f69cd5b7f3d3e966a8977], 
PUP.Funshion, C:\Users\Public\Fundata\JadeHe.dll, Quarantined, [b9e050796d0e8da9f1e9106b8f71d22e], 
PUP.Funshion, C:\Users\Public\Fundata\Raptor.dll, Quarantined, [68317e4bbebd5dd9f0ea0576a25e0df3], 
PUP.Funshion, C:\Users\Public\Fundata\Turkey.dll, Quarantined, [aaef8e3b88f3b2847763dd9e6997d22e], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
For ESET I only have this, is it correct?
 
ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
 


#13 ruggie_uk (Trusted Helper, Malware Removal, 2,083 posts)

Normally I would expect a bit more from ESET.

Did the scan complete fully?



#14 mizriel (Topic Starter, Member, 11 posts)

Yes, the scan completed fully. I will try one more time to see whether the result is the same or not.



#15 mizriel (Topic Starter, Member, 11 posts)

Same result after scanning one more time  :upset:

