
wangzhisong problem


20 replies to this topic

#1 Bag McDamage

Bag McDamage

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:57 AM

Posted 20 December 2013 - 08:05 PM

(Thanks condobloke)

 

Hi,

I was so happy to be able to join as I have this wangzhisong problem too. I would appreciate any help you can provide.

 

Over the last 2 days I tried the steps you recommended to previous posters. I downloaded and ran the programs. It resulted in some cleaning up but the wangzhisong problem remains. 

 

Would appreciate your help..what do you need to know?

 

Regards

Mark




 


#2 Condobloke

Condobloke

  • Members
  • 952 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australian Outback....middle of nowhere....
  • Local time:05:57 AM

Posted 20 December 2013 - 08:10 PM

Please describe what your pc has been doing

What OS are you running?

What steps/tools have you run already ?

Why do you suspect you have the 'wangzhisong problem' ?


Condobloke

Outback Australia.

 

The difference between a stupid man and a wise one is the stupid man’s inability to calculate the consequences of the action.


#3 Bag McDamage


Posted 20 December 2013 - 08:25 PM

Please describe what your pc has been doing

Before the last few days, it was turning itself off after about 1 minute of 'screen time'. The USB drivers were also very sluggish.  After removing some internal dust - it seemed a little warm - it improved. I was very careful not to bump any leads.

 

What OS are you running?

Windows 7.

AVG is my anti-virus

 

What steps/tools have you run already ?

Following previous posts' instructions, I have downloaded and run the following in this order:

Temp File Cleaner (TFC)

AdwCleaner

Junkware Removal Tool

ESET Online Scanner

 Malwarebytes' Anti-Malware

 Malwarebytes Anti-Rootkit

Rkill

 

 

Why do you suspect you have the 'wangzhisong problem' ?

I can see 'wangzhisong'  - and subfolders below it - listed as a user when going to map a shared network drive 



#4 Condobloke


Posted 20 December 2013 - 08:32 PM

 
 

Download Security Check by Screen317 from HERE
* Save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Note: If a security program requests permission to access the Internet, allow it to do so.

 

Download MiniToolBox, save it to your desktop and run it.
Close any Firefox browsers you may have open
Checkmark the following boxes:
•Flush DNS
•Report IE Proxy Settings
•Reset IE Proxy Settings
•Report FF Proxy Settings
•Reset FF Proxy Settings
•List content of Hosts
•List IP configuration
•List last 10 Event Viewer log
•List Installed Programs
•List Users, Partitions and Memory size.
•List Minidump Files
 
Click Go and copy / paste the result (Result.txt).

 



#5 Bag McDamage


Posted 20 December 2013 - 08:48 PM

 Results of screen317's Security Check version 0.99.77  
 
removed

Edited by Bag McDamage, 21 December 2013 - 04:30 PM.


#6 Condobloke


Posted 20 December 2013 - 09:21 PM

 
 

Apart from the extra Users being present....is there any other activity which you suspect is coming from wangzhisong ??

Have you attempted to delete the user  ??

 

Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by the infection when it terminates programs that may potentially remove it. If you run into these infection warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that RKill can terminate the infection that we are attempting to get rid of. So, please try running RKill until the malware is no longer running. You will then be able to proceed with the rest of the guide. Do not reboot your computer after running RKill as the malware programs will start again.


rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

* Double-click on the Rkill desktop icon to run the tool.
* A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* If not, delete the file, then download and use the one provided in Link 2.
* Do not reboot until instructed.
* If the tool does not run from any of the links provided, please let me know.

 

Download TDSSKiller and save it to your desktop.
* Extract (unzip) its contents to your desktop.
* Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
* If an infected file is detected, the default action will be Cure, click on Continue.
* If a suspicious file is detected, the default action will be Skip, click on Continue.
* It may ask you to reboot the computer to complete the process. Click on Reboot Now.
* If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
* If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

 



#7 Bag McDamage


Posted 20 December 2013 - 09:33 PM

Apart from the extra Users being present....is there any other activity which you suspect is coming from wangzhisong ??

No

 

Have you attempted to delete the user  ??

No - could you point me in the right direction how to do this?

 

Should I try this before re-running Rkill and running TDSSKiller?



#8 Condobloke


Posted 20 December 2013 - 09:47 PM

Run Rkill....download a fresh copy using the link I provided, and then run TDSS




#9 Bag McDamage


Posted 20 December 2013 - 11:51 PM

removed


Edited by Bag McDamage, 21 December 2013 - 04:30 PM.


#10 Condobloke


Posted 21 December 2013 - 12:07 AM

RKill ?




#11 Bag McDamage


Posted 21 December 2013 - 12:14 AM

Apologies - yes, it was run before TDSS. Have not yet rebooted.

 

Rkill 2.6.4 by Lawrence Abrams (Grinler)
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 12/21/2013 03:43:51 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
Checking Windows Service Integrity: 
 
 * Network Connections (Netman) is not Running.
   Startup Type set to: Manual
 
 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 12/21/2013 03:44:56 PM
Execution time: 0 hours(s), 1 minute(s), and 5 seconds(s)


#12 Condobloke


Posted 21 December 2013 - 12:29 AM

 
 

Q. have you ever had a program called "mobogenie" installed on your PC?....it is used for backing up android system phones

 

 

To create a restore point

    Open System by clicking the Start button, right-clicking Computer, and then clicking Properties.

    In the left pane, click System protection. Administrator permission required (If you're prompted for an administrator password or confirmation, type the password or provide confirmation.)

    Click the System Protection tab, and then click Create.

    In the System Protection dialog box, type a description, and then click Create.

 

then :

Please Download ::   ERUNT

This will make a backup of your Registry.

 

then ::

Removing a User

    Open User Accounts by clicking the Start button, clicking Control Panel, clicking User Accounts and Family Safety, clicking User Accounts, and then clicking Manage another account. Administrator permission required (If you're prompted for an administrator password or confirmation, type the password or provide confirmation.)

    Click the account you want to delete, and then click Delete the account.

    Decide if you want to keep or delete the files created under the account by clicking Keep Files or Delete Files.

    Click Delete Account.
 

 

 

 

 



#13 Bag McDamage


Posted 21 December 2013 - 12:55 AM

 have you ever had a program called "mobogenie" installed on your PC?....it is used for backing up android system phones

Yes, it's possible I downloaded this - in error - a few weeks ago

 

 

I created the restore point

 

I downloaded and ran ERUNT

 

Then, 'removing a user' hasn't gone as described:

 

I opened User Accounts 

I hesitated then to "Click the account you want to delete" because the screen heading is "choose the account you would like to change", and the only options to choose from are "Mark" (which is my account) and "Guest" , which is off. 



#14 Condobloke


Posted 21 December 2013 - 01:10 AM

Ok. I am thinking that mobogenie is where wangzhisong came from.

 

 

Do a search on your pc for ::   

C:\Users\wangzhisong

if you find it....delete it


Edited by Condobloke, 21 December 2013 - 01:11 AM.



#15 Bag McDamage


Posted 21 December 2013 - 01:17 AM

found it there

deleted it successfully

deleted it from the recycle bin

checked the 'map network drives' and it's no longer there

 

 

...case solved?? 
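
The comparison made by hand in posts #13 to #15 (a folder under C:\Users that has no matching entry in User Accounts), as an added PowerShell example that is not part of the original thread. It only reads and lists; it assumes profiles live under C:\Users and a PowerShell 2.0 or later host, which Windows 7 ships with.

```powershell
# Added example, not from the thread. Read-only: nothing is deleted or changed.
# Assumption: user profiles live under <SystemDrive>\Users (the Windows 7 default).
$usersRoot = Join-Path $env:SystemDrive 'Users'

# Folders and junctions Windows creates itself; they never map to an account.
$builtIn = @('Public', 'Default', 'Default User', 'All Users')

# Local accounts, the same set that Control Panel > User Accounts shows.
$accounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
    ForEach-Object { $_.Name }

# Profiles Windows has registered: one subkey per SID, each with a folder path.
$profileKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$registered = Get-ChildItem $profileKey |
    ForEach-Object { (Get-ItemProperty $_.PSPath).ProfileImagePath }

# Compare every remaining folder under C:\Users against both lists.
Get-ChildItem -Path $usersRoot -Force |
    Where-Object { $_.PSIsContainer -and ($builtIn -notcontains $_.Name) } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Folder       = $_.FullName
            Created      = $_.CreationTime
            HasAccount   = $accounts -contains $_.Name        # name match only
            IsRegistered = $registered -contains $_.FullName  # known profile path
        }
    } |
    Sort-Object HasAccount, IsRegistered |
    Format-Table Folder, Created, HasAccount, IsRegistered -AutoSize
```

A folder showing False in both columns is a leftover directory rather than a live profile, and its Created time helps date whatever installed it. A profile folder name can legitimately differ from the account name (for example after an account rename), so IsRegistered is the stronger of the two signals.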





