Browser hijacked by Crossbrowser, and 3 chinese programs


This topic is locked. 122 replies to this topic

#1 PGHinBKK (Members, 339 posts, Bangkok, Thailand)

Posted 14 September 2015 - 05:21 AM

Testing

Attached Files


Life is strange......and then there's Thailand....

#2 PGHinBKK (Topic Starter, Members, 339 posts, Bangkok, Thailand)

Posted 14 September 2015 - 05:35 AM

[OK, the previous post was because after typing in a detailed explanation of the problem, I attached the files from the scan and was told I didn't have permission to do that, and I lost the whole thing except the attachment. So I wasn't sure if it was the malware messing with me or I did something incorrect about the posting...guess I just mis-typed something.]

 

OK, I got hit by some (*&^%$#) hydra thing.

1. It has a browser called 'Crossbrowser' that hijacked my FF and will not uninstall from the Control Panel. It came bundled with a few other delights, all Chinese-titled and texted items; to wit:

2. a video player which set itself up as my default browser, prevents me from selecting any other default browser and also will not uninstall. It has a dark green square with a white trapezoid-shape thing in it as the logo.

3. There is something else with a more pea-green with white chinese characters icon, and

4. something that looks like the WINRAR logo (a pile of books) that I've not yet touched.

5. I am also getting a small round thing on the right of my screen that displays a percentage (of what I've no idea) that changes every so often, and it also sometimes brings up a small ad-type window.

6. When I see that, I check my Task Manager and see that there are at least 1 but often several instances of something called 'surfanonymous' running. These I can shut down from the TM, and the ad window closes.

7. I am also getting the fake-Adobe-expired notice constantly. Thank god I've ignored THAT so far, as I read about the malware that comes behind that nasty thing.

 

Here is the first notepad scan-log, and the addition is in the post above. I don't want to run the risk of trying to attach it again and losing this again after all this typing.

 


Life is strange......and then there's Thailand....

#3 PGHinBKK (Topic Starter, Members, 339 posts, Bangkok, Thailand)

Posted 14 September 2015 - 05:37 AM

OK, it happened again, I pasted the FRST text file in the log, and got a little window again telling me I do not have permission to do that. I'll try to attach it to this post.

Attached file: FRST.txt (61.54KB)

Life is strange......and then there's Thailand....

#4 PGHinBKK (Topic Starter, Members, 339 posts, Bangkok, Thailand)

Posted 14 September 2015 - 05:38 AM

Whheeewwwwww!! (wipes brow theatrically....) Glad it 'took'. And thanks in advance for the help.

 

Sorry it took me so long to get on this...some 'upheavals' at work this week, and some extra hours.


Life is strange......and then there's Thailand....

#5 PGHinBKK (Topic Starter, Members, 339 posts, Bangkok, Thailand)

Posted 14 September 2015 - 06:10 AM

BTW,  I just looked at my C: drive and saw some 'new' folders that I forgot to mention...a folder labeled 'qycache'...in it is a file labeled 'iqiyi.pgf'...and another folder labeled 'QMDownload,' containing 'SoftMgr', which in turn contains the program 'bigzipsetup1.0.0.1061', (which apparently is the program using the WINRAR icon of a pile of books) ....another folder labeled 'IQIYI Video' which contains 'Common', 'GeePlayer', 'GpUpdate' and 'LStyle' folders...

 

....it makes me grit my teeth when I see these things... :angry:


Edited by PGHinBKK, 14 September 2015 - 06:12 AM.

Life is strange......and then there's Thailand....
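The FRST.txt log attached in post #3 is the raw material for everything that follows: the helper's reply below lifts the Run keys, scheduled tasks, services, BHOs and browser home/search settings out of it and pastes them, verbatim, into a fixlist. As an added example that is not part of this thread, and not code from FRST or from its author, here is a small Python triage script showing how such log lines can be sorted before a human reviews them. Everything in it is an assumption of the example rather than a rule of FRST: the heuristics (binary in a user-writable path, empty "()" publisher field, "[File not signed]", FRST's own "ATTENTION" marker, a long all-lowercase random-looking file stem, a browser start/search URL outside a small trusted-host allowlist), the allowlist itself, and the sample log lines, which are constructed to match the shape of entries quoted in this thread plus two benign controls.

```python
"""Triage FRST (Farbar Recovery Scan Tool) log lines into fixlist candidates.

Added example; not code from the thread, from FRST or from its author. The
heuristics are the editor's own assumptions about what usually ends up in a
fixlist, not FRST's rules. Review every emitted line before using it.
"""
import re

# Constructed sample in the shape FRST writes, modelled on entries quoted in
# this thread plus two benign controls (SecurityHealth, GoogleUpdate).
SAMPLE_LOG = r"""
HKLM-x32\...\Run: [wenguanjia] => C:\Users\David\AppData\Roaming\wenguanjia\SurfAnonymous.exe [417168 2015-09-08] (wgj)
HKLM\...\Run: [SecurityHealth] => C:\Windows\System32\SecurityHealthSystray.exe [2018-04-11] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [Fatlfn] -> {646BAAE7-7538-4866-8EEE-974C0AA910AB} => C:\ProgramData\sagibkifhyxd.dll [2015-09-08] ()
S2 globalUpdate; C:\Program Files (x86)\globalUpdate\Update\globalupdate.exe [68608 2015-09-08] (globalUpdate) [File not signed] <==== ATTENTION
R2 QQPCRTP; C:\Program Files (x86)\Tencent\QQPCMgr\10.11.16575.227\QQPCRTP.exe [301728 2015-09-08] (Tencent)
Task: {BF8547A9-8B7D-4B4E-BE07-38981B07F860} - System32\Tasks\Crossbrowse => C:\Program Files (x86)\Crossbrowse\Crossbrowse\Application\utility.exe <==== ATTENTION
Task: {390A3005-8889-4E42-A397-2AA4581BB906} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.)
FF Homepage: hxxp://www.oursurfing.com/?type=hp&ts=1441778630
CHR DefaultSearchURL: Default -> hxxp://www.oursurfing.com/web/?type=ds&q={searchTerms}
"""

PATH_RE = re.compile(r"([A-Za-z]:\\[^\[<]*?\.(?:exe|dll|sys|dat|lnk)\b)", re.I)
USER_WRITABLE = re.compile(r"\\(?:AppData|ProgramData|Users\\Public|Temp)\\", re.I)
RANDOM_STEM = re.compile(r"\\([a-z]{10,})\.[A-Za-z]{3}$")   # long all-lowercase stem
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]{5,}")  # e.g. "sagibkifhyxd"
URL_HOST = re.compile(r"hxxps?://([^/\s?]+)", re.I)         # FRST defangs http as hxxp
BROWSER_KEYS = ("Homepage", "StartupUrls", "DefaultSearch", "SearchScopes",
                "SelectedSearchEngine", "StartMenuInternet", "Start Page")
TRUSTED_HOSTS = ("google.com", "bing.com", "duckduckgo.com", "mozilla.org")  # assumption


def foreign_browser_url(line):
    """True when a browser start/search setting points at a non-allowlisted host."""
    key = line.split(":", 1)[0]
    if not any(k in key for k in BROWSER_KEYS):
        return False
    host = URL_HOST.search(line)
    return bool(host) and not host.group(1).lower().endswith(TRUSTED_HOSTS)


def triage_line(line):
    """Return (reasons, fixlist_lines) for one FRST log line; no reasons = keep."""
    reasons, fix = [], []
    m = PATH_RE.search(line)
    if m:
        path, tail = m.group(1), line[m.end():]
        publishers = re.findall(r"\(([^()]*)\)", tail)  # FRST prints "(Company)" after the path
        if USER_WRITABLE.search(path):
            reasons.append("runs from user-writable location")
        if publishers and publishers[-1].strip() == "":
            reasons.append("no publisher recorded")      # "()" : no version resource
        if "[File not signed]" in tail:
            reasons.append("unsigned")
        if "ATTENTION" in tail:
            reasons.append("FRST ATTENTION marker")
        stem = RANDOM_STEM.search(path)
        if stem and CONSONANT_RUN.search(stem.group(1)):
            reasons.append("random-looking file name")
    if foreign_browser_url(line):
        reasons.append("browser start/search set to third-party URL")
    if reasons:
        fix.append(line)                # FRST takes log lines verbatim in fixlist.txt
        if m and USER_WRITABLE.search(m.group(1)):
            fix.append(m.group(1))      # a bare path line tells FRST to delete that file
    return reasons, fix


def triage_log(text):
    """Map each suspicious line to its reasons and build a fixlist skeleton."""
    findings = {}
    fixlist = ["Start", "CreateRestorePoint:", "CloseProcesses:"]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons, fix = triage_line(line)
        if reasons:
            findings[line] = reasons
            fixlist.extend(fix)
    fixlist += ["Emptytemp:", "End"]
    return findings, fixlist


if __name__ == "__main__":
    found, draft = triage_log(SAMPLE_LOG)
    for line, why in found.items():
        print(f"{line[:60]:<60} <- {', '.join(why)}")
    print("\n--- fixlist.txt draft (review before use, save as UTF-8) ---")
    print("\n".join(draft))
```

Run it and it prints each flagged line with its reasons, then a fixlist.txt draft (Start / CreateRestorePoint: / CloseProcesses: ... Emptytemp: / End) containing the flagged log lines verbatim plus the bare path of each dropped file in AppData or ProgramData, which FRST deletes. Note what the heuristics do not catch: the Tencent, iQIYI and Baidu components in this thread are signed and installed under Program Files, so the helper removes them by judgement (bundled without consent), not because of any marker in the log. The script only produces a draft, which must still be reviewed line by line and saved as UTF-8 exactly as the helper describes, because FRST executes the fixlist with system privileges and a wrong line deletes the wrong thing.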

#6 pystryker (Malware Response Team, 730 posts)

Posted 14 September 2015 - 08:30 AM

Hello and welcome to Bleeping Computer! My nickname is Pystryker :) , and I will be helping you with your issue today.


Before we get started, I have a few things I need to go over with you
  • If you are receiving help for this issue at another forum, please let me know so I can close this thread.
  • Please download and run all requested tools from your Desktop.
  • Please do not install any new software during the cleaning process other than the tools I provide for you. This can hinder the cleaning process.
  • At the top of your post, please click on the "Follow this topic" button and make sure that the "Received notification" box is checked and set to "Instantly" This will send an email to you as soon as I reply to your topic, allowing us to solve your problem faster.
  • If any of your security programs give you a warning about any tool I ask you to use, please do not worry. All the links and tools I provide to you will be safe.
  • Please do not run any tools other than the ones I ask you to, when I ask you to. Some of these tools can be very dangerous if used improperly. Also, if you use a tool that I have not requested you use, it can cause false positives, thereby delaying the complete cleaning of your machine.
  • This is a complicated process. It requires several steps, patience, and careful following of my instructions in the order they are given to diagnose your problems to get your machine back in working order.
  • Please stay with me until the end of all steps and procedures and I declare your system clean. Just because there is a lack of symptoms does not indicate a clean machine. I promise to do the same for you.
  • It is impossible for me to know what interactions may happen between your computer's software and the tools we will use to clean your machine. Therefore, I highly recommend you backup any critical personal files on your machine before we start.
  • If you have any questions at all, please don't hesitate to ask. There's no such thing as a stupid question when dealing with malware.
  • If you are unsure of an instruction I give you, or if something unexpected occurs, Do NOT proceed! Stop and ask for clarification of the instruction or tell me what occurred.
  • Please remember, the fixes are for your machine and your machine ONLY! Do not use these fixes on any other machine, each fix is tailor made for your system only. Using a fix on another machine can and will cause serious damage.
  • Once we have cleaned your machine, we'll have some cleanup and prevention steps to go through. We will also provide you with some information about how to reduce your chances of infection and get some protections in place to help defend you against this in the future.
  • Please be patient while I am analyzing your logs. I know you are probably scared and very frustrated with this problem, but I am a volunteer and sometimes life does get in the way. :)
Now, let's get started, shall we? :thumbsup:

Hello :)

There's much to be done, as the machine is heavily infected. Your anti-virus is showing in the log as one of those Chinese programs. We'll install a different one once the machine is clean.

There are several steps in this initial stage of cleaning, but please take your time and read the instructions of each step through before performing each one. Let's get started showing your uninvited guests the door. :thumbup2:

Please disable your antivirus for the duration of my instructions. Don't forget to re-enable it after you have completed the steps.


Step 1: P2P Warning

The Dangers of P2P Programs

I noticed that you have a P2P file sharing program on your computer. I cannot stress highly enough the danger in using these types of programs. P2P programs are the major avenue of infection these days. The files downloaded with these programs are more likely than not infected with trojans, malware, rootkits, etc.

You run the risk of getting an infection that can compromise your sensitive data, such as financial records, personal information, etc. That is just the infection aspect of using P2P programs. You also run the risk of possible arrest, fines, or in severe cases, jail time for illegal downloading of copyrighted material.

There are also new infections out there such as CryptoWall 3.0 and CryptoLocker. When infected with these, all of your personal files on any drive connected to your computer will be affected. These infections copy all your files, encrypt them, and then delete the originals, leaving you with the encrypted copies. You are then presented with a screen telling you that you have a certain amount of time to pay the ransom for the decryption code to decrypt your files. Even if you pay the ransom, the decryption process usually results in corrupt and unusable files.

There is nothing we can do to decrypt the files, as they use very sophisticated encryption techniques. Please consider this when using P2P programs. Malware and ransomware writers use P2P to spread their infections.


Here are some information sources about the dangers of P2P programs:

FBI - Peer to Peer Scams

USA Today Article on P2P Programs

File Sharing Infects 500,000 Computers

I very much recommend you uninstall this program from your machine. If not, I can guarantee you will be back needing help with your machine again. The risks of infections from content downloaded with P2P programs far outweigh any benefit of using them.

It is, of course, your choice as to whether or not you remove the program from your machine. It is my duty though, to point out how dangerous it is to use these programs. However, I must request that you do not use it while we are cleaning your machine.


Step 2: Program Uninstalls and Chrome Extension Removal

Please uninstall the following programs from your machine as they are adware/malware related. If one of the programs fails to uninstall, please move on to the next one in the list.
  • Cinema_Plus-3.6pV08.09
  • Crossbrowse
  • globalupdate Helper
  • YTD Video Downloader 4.9.1
  • Any program with Chinese characters
Remove Chrome Extensions

There are extensions in Chrome that need to be removed, please follow the instructions below to remove them.

Start Chrome and type this into the address bar: chrome:extensions
This will display a page of all the installed extensions. Please remove the extensions by clicking the trash can icon beside it.
If one of the extensions I've asked you to remove is not listed, don't worry about it. Just move on to the next one in the list. :)
  • Cinema_Plus-3.6pV08.00
  • Any extension with Chinese characters
Step 3: Fix with FRST

Note: Before performing this step, please move FRST64.exe from C:\Users\David\Downloads to your Desktop or the fix will not work.

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.)
Select File and then Save As, then click on the Encoding bar located by the Save button and select UTF-8, and save it on the Desktop as fixlist.txt. Please be sure to save it in the UTF-8 format so that it will be able to remove the Chinese garbage.

NOTE: It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.




Start
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [wenguanjia] => C:\Users\David\AppData\Roaming\wenguanjia\SurfAnonymous.exe [417168 2015-09-08] (wgj)
C:\Users\David\AppData\Roaming\wenguanjia
globalupdate Helper (x32 Version: 1.3.25.0 - globalupdate Inc.) Hidden <==== ATTENTION
(Tencent) C:\Program Files (x86)\Tencent\QQPCMgr\10.11.16575.227\QQPCRTP.exe
C:\Program Files (x86)\Tencent
(iQIYI.COM) C:\IQIYI Video\LStyle\QyKernel.exe
C:\IQIYI Video
(Tencent) C:\Program Files (x86)\Tencent\QQPCMgr\10.11.16575.227\QQPCTray.exe
(Tencent) C:\Program Files (x86)\Tencent\QQPCMgr\10.11.16575.227\plugins\QMNetMon\QQPCNetFlow.exe
(Tencent) C:\Program Files (x86)\Tencent\QQPCMgr\10.11.16575.227\QQPCRealTimeSpeedup.exe
(Crossbrowse) C:\Program Files (x86)\Crossbrowse\Crossbrowse\Application\crossbrowse.exe
(Crossbrowse) C:\Program Files (x86)\Crossbrowse\Crossbrowse\Application\crossbrowse.exe
C:\Program Files (x86)\Crossbrowse
(Crossbrowse) C:\Program Files (x86)\Crossbrowse\Crossbrowse\Application\crossbrowse.exe
(Crossbrowse) C:\Program Files (x86)\Crossbrowse\Crossbrowse\Application\crossbrowse.exe
(Crossbrowse) C:\Program Files (x86)\Crossbrowse\Crossbrowse\Application\crossbrowse.exe
HKLM-x32\...\Run: [ QQPCTray] => C:\Program Files (x86)\Tencent\QQPCMgr\10.11.16575.227\QQPCTRAY.EXE [355296 2015-09-08] (Tencent)
HKU\S-1-5-21-3518043377-424418613-2629474751-1000\...\Run: [apphide] => C:\Program Files (x86)\baidu\pps.exe
HKU\S-1-5-21-3518043377-424418613-2629474751-1000\...\Run: [HCDNClient] => C:\IQIYI Video\LStyle\QyKernel.exe [576104 2015-08-04] (iQIYI.COM)
HKU\S-1-5-21-3518043377-424418613-2629474751-1000\...\Run: [GoogleChromeAutoLaunch_74E00820ADB8E922B35BF56F5E88A35C] => C:\Program Files (x86)\Crossbrowse\Crossbrowse\Application\crossbrowse.exe [770048 2015-05-11] (Crossbrowse)
ShellIconOverlayIdentifiers: [.QMDeskTopGCIcon] -> {B7667919-3765-4815-A66D-98A09BE662D6} => C:\Program Files (x86)\Tencent\QQPCMgr\10.11.16575.227\QMGCShellExt64.dll [2015-09-08] (Tencent)
C:\Program Files (x86)\baidu
ShellIconOverlayIdentifiers: [.QMDeskTopGCIcon] -> {B7667919-3765-4815-A66D-98A09BE662D6} => C:\Program Files (x86)\Tencent\QQPCMgr\10.11.16575.227\QMGCShellExt64.dll [2015-09-08] (Tencent)
ShellIconOverlayIdentifiers: [Fatlfn] -> {646BAAE7-7538-4866-8EEE-974C0AA910AB} => C:\ProgramData\sagibkifhyxd.dll [2015-09-08] ()
ShellIconOverlayIdentifiers-x32: [Fatlfn] -> {646BAAE7-7538-4866-8EEE-974C0AA910AB} => C:\ProgramData\sagibkifhyxd.dll [2015-09-08] ()
Startup: C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crossbrowse.lnk [2015-09-08]
ShortcutTarget: crossbrowse.lnk -> C:\Program Files (x86)\Crossbrowse\Crossbrowse\Application\crossbrowse.exe (Crossbrowse)
C:\ProgramData\sagibkifhyxd.dll
C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crossbrowse.lnk
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.hao123.com/?tn=94493384_hao_pg
HKU\S-1-5-21-3518043377-424418613-2629474751-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.hao123.com/?tn=94493384_hao_pg
SearchScopes: HKU\S-1-5-21-3518043377-424418613-2629474751-1000 -> DefaultScope {A060E7FB-91F5-4c7c-BD0F-4A11A581D878} URL = hxxps://www.baidu.com/s?wd={searchTerms}&tn=96010190_dg
SearchScopes: HKU\S-1-5-21-3518043377-424418613-2629474751-1000 -> {A060E7FB-91F5-4c7c-BD0F-4A11A581D878} URL = hxxps://www.baidu.com/s?wd={searchTerms}&tn=96010190_dg
BHO: 电脑管家网页防火墙 -> {7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B} -> C:\Program Files (x86)\Tencent\QQPCMgr\10.11.16575.227\TSWebMon64.dat [2015-09-08] (Tencent)
BHO-x32: Ó¦Óñ¦Ò»¼ü°²×°²å¼þ -> {50F4150A-48B2-417A-BE4C-C83F580FB904} -> C:\Program Files (x86)\Common Files\Tencent\QQPhoneManager\2.0.201.3198\npQQPhoneManagerExt.dll [2014-05-30] (腾讯公司)
C:\Program Files (x86)\Common Files\Tencent
SearchScopes: HKU\S-1-5-21-3518043377-424418613-2629474751-1000 -> {A060E7FB-91F5-4c7c-BD0F-4A11A581D878} URL = hxxps://www.baidu.com/s?wd={searchTerms}&tn=96010190_dg
BHO: 电脑管家网页防火墙 -> {7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B} -> C:\Program Files (x86)\Tencent\QQPCMgr\10.11.16575.227\TSWebMon64.dat [2015-09-08] (Tencent)
BHO-x32: Ó¦Óñ¦Ò»¼ü°²×°²å¼þ -> {50F4150A-48B2-417A-BE4C-C83F580FB904} -> C:\Program Files (x86)\Common Files\Tencent\QQPhoneManager\2.0.201.3198\npQQPhoneManagerExt.dll [2014-05-30] (腾讯公司)
BHO-x32: °®ÆæÒÕÖúÊÖ -> {FB4F6285-4C32-49F2-950F-A5998F9CEC6C} -> C:\IQIYI Video\LStyle\Accelerator\IEHelper.dll [2015-08-04] (爱奇艺)
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.oursurfing.com/?type=sc&ts=1441778630&z=5258477741746e410d0d822gez4zcg3meofz0g5qbg&from=amt&uid=ST500LT012-1DG142_W3PHP61BXXXXW3PHP61B
FF DefaultSearchEngine: oursurfing
FF SelectedSearchEngine: oursurfing
FF Homepage: hxxp://www.oursurfing.com/?type=hp&ts=1441778630&z=5258477741746e410d0d822gez4zcg3meofz0g5qbg&from=amt&uid=ST500LT012-1DG142_W3PHP61BXXXXW3PHP61B
FF Plugin: @iqiyi.com/npclient -> C:\IQIYI Video\LStyle\npclient.dll [2015-08-04] ()
FF Plugin: @iqiyi.com/npWebPlayer -> C:\IQIYI Video\LStyle\npWebPlayer.dll [No File]
FF Plugin-x32: @iqiyi.com/npclient -> C:\IQIYI Video\LStyle\npclient.dll [2015-08-04] ()
FF Plugin-x32: @iqiyi.com/npWebPlayer -> C:\IQIYI Video\LStyle\npWebPlayer.dll [No File]
FF Plugin-x32: @qq.com/npAndroidAssistant -> C:\Program Files (x86)\Common Files\Tencent\QQPhoneManager\2.0.201.3198\npQQPhoneManagerExt.dll [2014-05-30] (腾讯公司)
FF Plugin-x32: @qq.com/QQPCMgr -> C:\Program Files (x86)\Tencent\QQPCMgr\10.11.16575.227\npQMExtensionsMozilla.dll [2015-09-08] (Tencent Technology (Shenzhen) Company Limited)
FF Plugin-x32: @staging.google.com/globalUpdate Update;version=10 -> C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\npglobalupdateUpdate4.dll [2015-09-08] (globalUpdate)
FF Plugin-x32: @staging.google.com/globalUpdate Update;version=4 -> C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\npglobalupdateUpdate4.dll [2015-09-08] (globalUpdate)
FF Plugin HKU\S-1-5-21-3518043377-424418613-2629474751-1000: @iqiyi.com/npWebPlayer -> C:\IQIYI Video\LStyle\npWebPlayer.dll No File
FF SearchPlugin: C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\lpb2e9ax.default\searchplugins\oursurfing.xml [2015-09-13]
FF Extension: CinemaPlus-3.3c - C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\lpb2e9ax.default\Extensions\AVJYFVOD75109374@HCDE39471360.com [2015-09-12]
FF Extension: Default SearchProtected - C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\lpb2e9ax.default\Extensions\defsearchp@gmail.com [2015-09-08]
FF Extension: deskCut - C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\lpb2e9ax.default\Extensions\deskCutv2@gmail.com [2015-09-08]
FF HKLM-x32\...\Firefox\Extensions: [defsearchp@gmail.com] - C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\lpb2e9ax.default\extensions\defsearchp@gmail.com
FF HKLM-x32\...\Firefox\Extensions: [deskCutv2@gmail.com] - C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\lpb2e9ax.default\extensions\deskCutv2@gmail.com
StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Mozilla Firefox\firefox.exe hxxp://www.oursurfing.com/?type=sc&ts=1441778630&z=5258477741746e410d0d822gez4zcg3meofz0g5qbg&from=amt&uid=ST500LT012-1DG142_W3PHP61BXXXXW3PHP61B
CHR StartupUrls: Default -> "hxxp://www.oursurfing.com/?type=hp&ts=1441778630&z=5258477741746e410d0d822gez4zcg3meofz0g5qbg&from=amt&uid=ST500LT012-1DG142_W3PHP61BXXXXW3PHP61B"
CHR DefaultSearchURL: Default -> hxxp://www.oursurfing.com/web/?type=ds&ts=1441778630&z=5258477741746e410d0d822gez4zcg3meofz0g5qbg&from=amt&uid=ST500LT012-1DG142_W3PHP61BXXXXW3PHP61B&q={searchTerms}
CHR DefaultSearchKeyword: Default -> oursurfing
C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\lkadffjmnaiokkdncgdlecdegajoiemi
C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\ooebklgpfnbcnpokahmdidgbmlcdepkm
StartMenuInternet: Google Chrome - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe hxxp://www.oursurfing.com/?type=sc&ts=1441778630&z=5258477741746e410d0d822gez4zcg3meofz0g5qbg&from=amt&uid=ST500LT012-1DG142_W3PHP61BXXXXW3PHP61B
S2 globalUpdate; C:\Program Files (x86)\globalUpdate\Update\globalupdate.exe [68608 2015-09-08] (globalUpdate) [File not signed] <==== ATTENTION
S3 globalUpdatem; C:\Program Files (x86)\globalUpdate\Update\globalupdate.exe [68608 2015-09-08] (globalUpdate) [File not signed] <==== ATTENTION
R2 QQPCRTP; C:\Program Files (x86)\Tencent\QQPCMgr\10.11.16575.227\QQPCRTP.exe [301728 2015-09-08] (Tencent)
S3 TAOFrame; C:\Program Files (x86)\Tencent\QQPCMgr\10.11.16575.227\TAOFrame.exe [293856 2015-09-08] (Tencent)
R1 QMUdisk; C:\Program Files (x86)\Tencent\QQPCMgr\10.11.16575.227\QMUdisk64.sys [62264 2015-09-08] (Tencent)
R2 QQSysMonX64; C:\Program Files (x86)\Tencent\QQPCMgr\10.11.16575.227\QQSysMonX64.sys [138040 2015-09-08] (电脑管家)
R3 TAOAccelerator; C:\Windows\system32\Drivers\TAOAccelerator64.sys [87160 2015-08-21] (Tencent)
R1 TAOKernelDriver; C:\Windows\System32\Drivers\TAOKernel64.sys [274232 2015-09-08] (Tencent Technology(Shenzhen) Company Limited)
R3 TFsFlt; C:\Windows\System32\Drivers\TFsFltX64.sys [87864 2015-09-08] (电脑管家)
R3 TS888x64; C:\Program Files (x86)\Tencent\QQPCMgr\10.11.16575.227\TS888x64.sys [28984 2015-09-14] (Tencent)
R1 TSDefenseBt; C:\Program Files (x86)\Tencent\QQPCMgr\10.11.16575.227\TSDefenseBT64.sys [28472 2015-09-08] (Tencent)
S3 TSSKX64; C:\Windows\System32\drivers\tsskx64.sys [38200 2015-09-08] (电脑管家)
R1 TSSysKit; C:\Program Files (x86)\Tencent\QQPCMgr\10.11.16575.227\TSSysKit64.sys [87352 2015-09-08] (电脑管家)
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Windows\system32\Drivers\TAOAccelerator64.sys
C:\Windows\System32\Drivers\TAOKernel64.sys
C:\Windows\System32\Drivers\TFsFltX64.sys
C:\Windows\System32\drivers\tsskx64.sys
2015-09-09 21:25 - 2015-09-09 21:25 - 00000958 _____ C:\Users\Public\Desktop\饼干压缩.lnk
2015-09-09 21:25 - 2015-09-09 21:25 - 00000000 ____D C:\Program Files (x86)\BGZip
2015-09-09 21:24 - 2015-09-09 21:24 - 00000000 ____D C:\QMDownload
2015-09-08 23:13 - 2015-09-14 16:39 - 00028984 _____ (Tencent) C:\Windows\SysWOW64\Drivers\TS888x64.sys
2015-09-08 22:49 - 2015-09-08 22:49 - 00001270 _____ C:\Users\David\Desktop\全网影视.lnk
2015-09-08 22:49 - 2015-09-08 22:49 - 00000979 _____ C:\Users\David\Desktop\PPS游戏大厅.lnk
2015-09-08 22:49 - 2015-09-08 22:49 - 00000000 ____D C:\Users\David\AppData\Roaming\ppslog
2015-09-08 22:46 - 2015-09-08 22:46 - 00000000 ____D C:\ProgramData\TXQMPC
C:\ProgramData\ocissmjdlbrjhvqkolsvpr
C:\ProgramData\inf.dat
C:\Users\David\AppData\Roaming\Tencent
2015-09-08 22:14 - 2015-09-14 16:39 - 00001056 _____ C:\Windows\Tasks\Crossbrowse.job
2015-09-08 22:14 - 2015-09-08 22:14 - 00004082 _____ C:\Windows\System32\Tasks\Crossbrowse
2015-09-08 22:14 - 2015-09-08 22:14 - 00002394 _____ C:\Users\Public\Desktop\Crossbrowse.lnk
2015-09-08 22:14 - 2015-09-08 22:14 - 00000000 ____D C:\Users\David\AppData\Local\Crossbrowse
2015-09-08 22:14 - 2015-09-08 22:14 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Crossbrowse
2015-09-08 22:14 - 2015-09-08 22:14 - 00000000 ____D C:\Program Files (x86)\Crossbrowse
2015-09-08 22:11 - 2015-09-14 17:11 - 00003140 _____ C:\Windows\Tasks\eb58d441-d85a-49d4-95de-734601636806-1-6.job
2015-09-08 22:11 - 2015-09-14 16:39 - 00003140 _____ C:\Windows\Tasks\eb58d441-d85a-49d4-95de-734601636806-1-7.job
2015-09-08 22:11 - 2015-09-14 16:39 - 00002448 _____ C:\Windows\Tasks\eb58d441-d85a-49d4-95de-734601636806-5_user.job
2015-09-08 22:11 - 2015-09-14 16:39 - 00002448 _____ C:\Windows\Tasks\eb58d441-d85a-49d4-95de-734601636806-5.job
2015-09-08 22:11 - 2015-09-08 22:11 - 00006170 _____ C:\Windows\System32\Tasks\eb58d441-d85a-49d4-95de-734601636806-1-7
2015-09-08 22:11 - 2015-09-08 22:11 - 00006168 _____ C:\Windows\System32\Tasks\eb58d441-d85a-49d4-95de-734601636806-1-6
2015-09-08 22:11 - 2015-09-08 22:11 - 00005478 _____ C:\Windows\System32\Tasks\eb58d441-d85a-49d4-95de-734601636806-5
2015-09-08 22:10 - 2015-09-14 17:10 - 00005520 _____ C:\Windows\Tasks\eb58d441-d85a-49d4-95de-734601636806-6.job
2015-09-08 22:10 - 2015-09-14 16:39 - 00005184 _____ C:\Windows\Tasks\eb58d441-d85a-49d4-95de-734601636806-7.job
2015-09-08 22:10 - 2015-09-14 16:39 - 00004160 _____ C:\Windows\Tasks\eb58d441-d85a-49d4-95de-734601636806-4.job
2015-09-08 22:10 - 2015-09-14 16:39 - 00004160 _____ C:\Windows\Tasks\eb58d441-d85a-49d4-95de-734601636806-3.job
2015-09-08 22:10 - 2015-09-14 16:39 - 00000970 _____ C:\Windows\Tasks\globalUpdateUpdateTaskMachineCore.job
2015-09-08 22:10 - 2015-09-13 22:15 - 00000974 _____ C:\Windows\Tasks\globalUpdateUpdateTaskMachineUA.job
2015-09-08 22:10 - 2015-09-10 22:11 - 00000000 ____D C:\Program Files (x86)\Cinema_Plus-3.6pV08.09
2015-09-08 22:10 - 2015-09-08 22:10 - 00008548 _____ C:\Windows\System32\Tasks\eb58d441-d85a-49d4-95de-734601636806-6
2015-09-08 22:10 - 2015-09-08 22:10 - 00008214 _____ C:\Windows\System32\Tasks\eb58d441-d85a-49d4-95de-734601636806-7
2015-09-08 22:10 - 2015-09-08 22:10 - 00007190 _____ C:\Windows\System32\Tasks\eb58d441-d85a-49d4-95de-734601636806-4
2015-09-08 22:10 - 2015-09-08 22:10 - 00007190 _____ C:\Windows\System32\Tasks\eb58d441-d85a-49d4-95de-734601636806-3
2015-09-08 22:10 - 2015-09-08 22:10 - 00003972 _____ C:\Windows\System32\Tasks\globalUpdateUpdateTaskMachineUA
2015-09-08 22:10 - 2015-09-08 22:10 - 00003718 _____ C:\Windows\System32\Tasks\globalUpdateUpdateTaskMachineCore
2015-09-08 22:10 - 2015-09-08 22:10 - 00000000 ____D C:\Users\David\AppData\Local\globalUpdate
2015-09-08 22:10 - 2015-09-08 22:10 - 00000000 ____D C:\Program Files (x86)\globalUpdate
2015-09-08 22:10 - 2015-09-08 22:10 - 00000000 ____D C:\Program Files (x86)\8f77f97b-2be3-4a62-8d5f-b0a760763a6f
2015-09-08 22:09 - 2015-09-08 22:09 - 00000000 ____D C:\Users\David\AppData\Roaming\cpuminer
2015-09-08 22:03 - 2015-09-08 22:49 - 00000000 ____D C:\Users\David\AppData\Roaming\IQIYI Video
2015-09-08 22:03 - 2015-09-08 22:43 - 00000000 ____D C:\ProgramData\IQIYI Video
2015-09-08 22:03 - 2015-09-08 22:03 - 00000000 ____D C:\Users\Public\QiYi
2015-09-08 22:03 - 2015-09-08 22:03 - 00000000 ____D C:\Users\David\AppData\Local\SysassistByHotWheel
2015-09-08 22:03 - 2015-09-08 22:03 - 00000000 ____D C:\ppsfile
2015-09-08 21:59 - 2015-09-08 21:59 - 00000000 ____D C:\Program Files (x86)\baidu
2015-09-06 16:25 - 2015-09-06 16:25 - 00001289 _____ C:\Users\Public\Desktop\YTD Video Downloader.lnk
2015-09-06 16:25 - 2015-09-06 16:25 - 00000000 ____D C:\ProgramData\YTD Video Downloader
2015-09-06 16:25 - 2015-09-06 16:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YTD Video Downloader
2015-09-06 16:25 - 2015-09-06 16:25 - 00000000 ____D C:\Program Files (x86)\GreenTree Applications
2015-09-06 16:22 - 2015-09-06 16:22 - 00102704 _____ (GreenTree Applications SRL) C:\YTDSetup.exe
C:\ProgramData\inf.dat
C:\ProgramData\sagibkifhyxd.dll
C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
C:\Users\David\ChromeSetup.exe
Task: C:\Windows\Tasks\AdobeoaUpdate Ver 201599.job => C:\Users\David\AppData\Roaming\wenguanjia\SurfAnonymous.exe/check_update C:\Users\David\AppData\Roaming\wenguanjia\David'This task detect has update.Ver
Task: {0410AFDA-7E26-44C7-B0CA-C6EB467D165D} - System32\Tasks\AdobeoaUpdate Ver 201599 => C:\Users\David\AppData\Roaming\wenguanjia\SurfAnonymous.exe [2015-09-08] (wgj)
Task: {1D51C312-B4EC-451F-B256-90C6603A08C4} - System32\Tasks\eb58d441-d85a-49d4-95de-734601636806-5 => C:\Program Files (x86)\Cinema_Plus-3.6pV08.09\eb58d441-d85a-49d4-95de-734601636806-5.exe <==== ATTENTION
Task: {2DC9381E-738C-49C1-89D5-9133DA00ADF6} - System32\Tasks\eb58d441-d85a-49d4-95de-734601636806-1-7 => C:\Program Files (x86)\Cinema_Plus-3.6pV08.09\eb58d441-d85a-49d4-95de-734601636806-1-7.exe <==== ATTENTION
Task: {390A3005-8889-4E42-A397-2AA4581BB906} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.)
Task: {3CB143FC-62C8-41AD-85DB-DF6BE32A2194} - System32\Tasks\eb58d441-d85a-49d4-95de-734601636806-7 => C:\Program Files (x86)\Cinema_Plus-3.6pV08.09\eb58d441-d85a-49d4-95de-734601636806-7.exe <==== ATTENTION
Task: {9311106D-3752-4852-9FDC-E443630B248D} - System32\Tasks\globalUpdateUpdateTaskMachineUA => C:\Program Files (x86)\globalUpdate\Update\globalupdate.exe [2015-09-08] (globalUpdate) <====ATTENTION
Task: {BF8547A9-8B7D-4B4E-BE07-38981B07F860} - System32\Tasks\Crossbrowse => C:\Program Files (x86)\Crossbrowse\Crossbrowse\Application\utility.exe <==== ATTENTION
Task: {C01CC309-F950-45EA-8693-F116CAC61B77} - System32\Tasks\eb58d441-d85a-49d4-95de-734601636806-3 => C:\Program Files (x86)\Cinema_Plus-3.6pV08.09\eb58d441-d85a-49d4-95de-734601636806-3.exe <==== ATTENTION
Task: {C0F78C6B-C1FB-4C4B-9DF2-C8CF19216851} - System32\Tasks\globalUpdateUpdateTaskMachineCore => C:\Program Files (x86)\globalUpdate\Update\globalupdate.exe [2015-09-08] (globalUpdate)<==== ATTENTION
Task: {D3F515D1-1227-4636-9AC0-F052355746C9} - System32\Tasks\eb58d441-d85a-49d4-95de-734601636806-4 => C:\Program Files (x86)\Cinema_Plus-3.6pV08.09\eb58d441-d85a-49d4-95de-734601636806-4.exe <==== ATTENTION
Task: {DDD14A78-D76C-4435-B841-86A010FB5B6C} - System32\Tasks\eb58d441-d85a-49d4-95de-734601636806-5_user => C:\Program Files (x86)\Cinema_Plus-3.6pV08.09\eb58d441-d85a-49d4-95de-734601636806-5.exe <==== ATTENTION
Task: {F17BCD3C-9751-4350-89B0-A73AEB20E115} - System32\Tasks\eb58d441-d85a-49d4-95de-734601636806-6 => C:\Program Files (x86)\Cinema_Plus-3.6pV08.09\eb58d441-d85a-49d4-95de-734601636806-6.exe <==== ATTENTION
Task: {F55FA74F-B9C0-401E-8737-889BF6429831} - System32\Tasks\eb58d441-d85a-49d4-95de-734601636806-1-6 => C:\Program Files (x86)\Cinema_Plus-3.6pV08.09\eb58d441-d85a-49d4-95de-734601636806-1-6.exe <==== ATTENTION
Task: C:\Windows\Tasks\Crossbrowse.job => C:\Program Files (x86)\Crossbrowse\Crossbrowse\Application\utility.exe <==== ATTENTION
Task: C:\Windows\Tasks\eb58d441-d85a-49d4-95de-734601636806-1-6.job => C:\Program Files (x86)\Cinema_Plus-3.6pV08.09\eb58d441-d85a-49d4-95de-734601636806-1-6.exe <==== ATTENTION
Task: C:\Windows\Tasks\eb58d441-d85a-49d4-95de-734601636806-1-7.job => C:\Program Files (x86)\Cinema_Plus-3.6pV08.09\eb58d441-d85a-49d4-95de-734601636806-1-7.exe <==== ATTENTION
Task: C:\Windows\Tasks\eb58d441-d85a-49d4-95de-734601636806-3.job => C:\Program Files (x86)\Cinema_Plus-3.6pV08.09\eb58d441-d85a-49d4-95de-734601636806-3.exe <==== ATTENTION
Task: C:\Windows\Tasks\eb58d441-d85a-49d4-95de-734601636806-4.job => C:\Program Files (x86)\Cinema_Plus-3.6pV08.09\eb58d441-d85a-49d4-95de-734601636806-4.exe <==== ATTENTION
Task: C:\Windows\Tasks\eb58d441-d85a-49d4-95de-734601636806-5.job => C:\Program Files (x86)\Cinema_Plus-3.6pV08.09\eb58d441-d85a-49d4-95de-734601636806-5.exe <==== ATTENTION
Task: C:\Windows\Tasks\eb58d441-d85a-49d4-95de-734601636806-5_user.job => C:\Program Files (x86)\Cinema_Plus-3.6pV08.09\eb58d441-d85a-49d4-95de-734601636806-5.exe <==== ATTENTION
Task: C:\Windows\Tasks\eb58d441-d85a-49d4-95de-734601636806-6.job => C:\Program Files (x86)\Cinema_Plus-3.6pV08.09\eb58d441-d85a-49d4-95de-734601636806-6.exe <==== ATTENTION
Task: C:\Windows\Tasks\eb58d441-d85a-49d4-95de-734601636806-7.job => C:\Program Files (x86)\Cinema_Plus-3.6pV08.09\eb58d441-d85a-49d4-95de-734601636806-7.exe <==== ATTENTION
Task: C:\Windows\Tasks\globalUpdateUpdateTaskMachineCore.job => C:\Program Files (x86)\globalUpdate\Update\globalupdate.exe <==== ATTENTION
Task: C:\Windows\Tasks\globalUpdateUpdateTaskMachineUA.job => C:\Program Files (x86)\globalUpdate\Update\globalupdate.exe <==== ATTENTION
CMD: bitsadmin /reset /allusers
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state on
CMD: ipconfig /flushdns
Emptytemp:
Hosts:
End


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST and press the Fix button just once and wait. This can take a while and you may see a Not Responding message on FRST's menu. This is normal, so please let it continue till finished. The tool will make a log on the desktop (Fixlog.txt); please post it in your next reply.



Step 4: Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Step 5: AdwCleaner

Download AdwCleaner by clicking here. Please save it to your Desktop.


  • Double click (Vista and 7 users: right click) the adwcleaner.exe file, click Run as Administrator and accept the UAC prompt to run AdwCleaner.
  • Once AdwCleaner's control panel is open and it says "Waiting for Action", click on Options at the top of the control panel.
  • Please Check the following options:
    • Reset Proxy Settings
    • Reset Winsock Settings
    • Reset TCP/IP Settings
    • Reset Firewall Settings
    • Reset IPSec Settings
    • Reset BITS Queue
    • Reset Internet Explorer Policies
    • Reset Chrome Policies
  • Close any open windows or browsers.
  • Pause your Anti-Virus program if it is running.
  • Once it starts, click on the Scan button.
  • Let the scan complete itself. This may take a few minutes.
  • Once the scan has finished, it will say "Pending, uncheck elements you don't want to remove." Don't worry about unchecking anything; click the Cleaning button. When finished, it will ask to reboot. Please reboot.
  • When the machine has rebooted, a log will be produced. Please copy/paste that in your next reply. Here's how:
    • Click the Logfile button and the log will open. Copy and Paste the contents of the log file into your next reply.
    This report is also saved at C:\

Step 6: Fresh FRST Scan
  • Start Farbar's Recovery Scan Tool and press the Scan button.
  • FRST will scan your system and produce two logs: FRST.txt and Addition.txt. Please post them in your next reply.

Things I need to see in your next post:

Please post each of these logs as a separate reply in this thread.
  • Fixlog.txt Log
  • Junkware Removal Tool Log
  • AdwCleaner Log
  • Fresh FRST.txt Log
  • Fresh Addition.txt Log
  • Question: How is the machine running?

I close my topics if there is no response after 3 days. Please PM a moderator or myself to reopen your topic.

Please PM me only if I'm helping you with your computer issues and I have not responded in 2 days. Please remember, I'm a volunteer and sometimes life does get in the way. :)

Please stay with me until I declare your machine clean. Absence of symptoms does not ensure your machine is clean.

If you'd like to make a donation via Paypal, please click here.





#7 PGHinBKK

PGHinBKK
  • Topic Starter

  • Members
  • 339 posts
  • OFFLINE
  • Gender:Male
  • Location:Bangkok, Thailand
  • Local time:06:07 PM

Posted 14 September 2015 - 07:32 PM

Pystryker,

 

It's nice to meet you, and thanks for the help. I'm at work now so I'll start trying to follow these instructions tonight when I get home. I'm an American but I live and work in Bangkok, so I'm ahead of you in time (12 hours ahead of the East Coast)...

 

One thing from your post. (actually several...)

 

You mention to "Please download to, and run programs from, the desktop."  

 

When I downloaded FRST last night (and the other 'repair' programs), it did not give me the option of where to download it to, even though I'd set Firefox to do that. So it went automatically to my 'Downloads' folder. Could this malware crap have changed the FF setting about asking where to download things to? I'll try to move it tonight to the desktop and see what happens.

 

Also mentioned is "Please remove these programs..." and the list includes Crossbrowse and 'any programs with Chinese characters'. I mentioned in my initial post that these programs refuse to uninstall (SOOOO infuriating!!) from the Control Panel, hence my coming to BC for assistance.

 

I use uTorrent to download movies and music; it's one of the things that keeps me sane over here, and I've never gotten any type of infection from it.

I will uninstall it while fixing this, if it will help, but that is not where this infection came from.

 

After posting my logs last night, I downloaded Junkware Removal Tool, AdwCleaner, ComboFix (no, I didn't run it), and one or two others so my machine is loaded and ready. Again, I was not asked where I wished to download them to, so they went to the 'Downloads' folder, and I then moved them to a folder I created in C: drive labeled 'Software'.

 

Quick question: I sometimes download audio-processing software (I have an oscilloscope program I use in my class, and I also keep trying to make some decent Karaoke discs for myself) and I get a message indicating "You don't have permission to download to this location (usually my Program Files folder). Do you want to download to the --- folder instead?". I am the only account on the computer and it is set up as an administrator, so why does the 'puter tell me this?

 

I can see you've put a huge amount of work into your response, the code box, etc., and I thank you sincerely. I can't wait to get started and sweep this )(*&^%$#@ Chinese crap out of my laptop.

 

I'll talk to you soon.

 

PghinBKK


Life is strange......and then there's Thailand....

#8 pystryker

pystryker

  • Malware Response Team
  • 730 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:07 AM

Posted 14 September 2015 - 07:50 PM

It's nice to meet you, and thanks for the help. I'm at work now so I'll start trying to follow these instructions tonight when I get home. I'm an American but I live and work in Bangkok, so I'm ahead of you in time (12 hours ahead of the East Coast).


Nice to meet you as well. :) No problem on the schedule, we do this on the time frame that works best for you.
 

You mention to "Please download to, and run programs from, the desktop."



When I downloaded FRST last night (and the other 'repair' programs), it did not give me the option of where to download it to, even though I'd set Firefox to do that. So it went automatically to my 'Downloads' folder. Could this malware crap have changed the FF setting about asking where to download things to? I'll try to move it tonight to the desktop and see what happens.


It's possible. Click on Tools, then Options and then click Browse or type in where you'd like to save the downloads to and see if it changes.
 

Also mentioned is "Please remove these programs..." and the list includes crossbrowse and 'any programs with Chinese characters'. I mentioned in my initial post that these programs refuse to uninstall (SOOOO infuriating!!) from the Control Panel, hence my coming to BC for assistance.


I understand. Before we remove any programs via our tools, we always like to see if they'll uninstall in any way, as they are listed in the Addition log. No worries if they don't. :thumbup2:
 

I use utorrent to download movies and music, it's one of the things that keeps me sane over here, and I've never gotten any type of infection from it.

I will uninstall it while fixing this, if it will help, but that is not where this infection came from.


That is, as I mentioned in my initial post, your choice to use this software. You don't have to uninstall it, just do not use it to download anything while we are working on your machine.
 

After posting my logs last night, I downloaded Junkware Removal Tool, AdwCleaner, ComboFix (no, I didn't run it), and one or two others so my machine is loaded and ready. Again, I was not asked where I wished to download them to, so they went to the 'Downloads' folder, and I then moved them to a folder I created in C: drive labeled 'Software'.


Do not run ComboFix unless I specifically request you to. That tool is powerful and can turn a computer into a brick if used improperly. Regarding the tools: You can download them to any folder you wish, but please transfer them to the desktop before you run them. They work the best from there. :)
 

Quick question: I sometimes download audio-processing software (I have an oscilloscope program I use in my class, and I also keep trying to make some decent Karaoke discs for myself) and I get a message indicating "You don't have permission to download to this location (usually my Program Files folder). Do you want to download to the --- folder instead?". I am the only account on the computer and it is set up as an administrator, so why does the 'puter tell me this?


Hmm...we may have to run a little program later on that will reset the permissions for the account and see if that takes care of it. It could be a result of the damage done to the machine from the malware that's on it.
 

I can see you've put a huge amount of work into your response, the code box, etc. and I thank you sincerely. I can't wait to get started and sweep this )(*&^%$#@ chinese crap out of my laptop.



I'll talk to you soon.


You're quite welcome, it's my pleasure. :)

I close my topics if there is no response after 3 days. Please PM a moderator or myself to reopen your topic.

Please PM me only if I'm helping you with your computer issues and I have not responded in 2 days. Please remember, I'm a volunteer and sometimes life does get in the way. :)

Please stay with me until I declare your machine clean. Absence of symptoms does not ensure your machine is clean.

If you'd like to make a donation via Paypal, please click here.





#9 PGHinBKK

PGHinBKK
  • Topic Starter

  • Members
  • 339 posts
  • OFFLINE
  • Gender:Male
  • Location:Bangkok, Thailand
  • Local time:06:07 PM

Posted 15 September 2015 - 08:12 AM

I'm having trouble replying...

Attached Files


Life is strange......and then there's Thailand....

#10 PGHinBKK

PGHinBKK
  • Topic Starter

  • Members
  • 339 posts
  • OFFLINE
  • Gender:Male
  • Location:Bangkok, Thailand
  • Local time:06:07 PM

Posted 15 September 2015 - 08:20 AM

The program lets me reply once, then it logs me out and I have to log back in to do anything further.  Sorry if that log txt was jumbled...I have so many txt files on the desktop that I got a little confused...


Life is strange......and then there's Thailand....

#11 PGHinBKK

PGHinBKK
  • Topic Starter

  • Members
  • 339 posts
  • OFFLINE
  • Gender:Male
  • Location:Bangkok, Thailand
  • Local time:06:07 PM

Posted 15 September 2015 - 08:23 AM

[...in best Spock voice]  "I'm awaiting your orders,  Captain..."


Edited by PGHinBKK, 15 September 2015 - 10:47 AM.

Life is strange......and then there's Thailand....

#12 PGHinBKK

PGHinBKK
  • Topic Starter

  • Members
  • 339 posts
  • OFFLINE
  • Gender:Male
  • Location:Bangkok, Thailand
  • Local time:06:07 PM

Posted 15 September 2015 - 10:48 AM

It's almost 11 pm here...nighty night  


Life is strange......and then there's Thailand....

#13 pystryker

pystryker

  • Malware Response Team
  • 730 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:07 AM

Posted 15 September 2015 - 02:30 PM

I think that's all of them, I admit I have so many text/notepads on the desktop I'm getting a little confused. I accidentally ran JRT before running FRST, so I then ran JRT a second time. The machine is better, I have Firefox back, but I still have the Chinese video program on the toolbar, the one with what I thought was a white trapezoid on a green background, but I got a better look at it once and it is apparently supposed to be a piece of folded film, so it is the video player. On the Control Panel and Task Manager there are many fewer programs listed, but there are still two with the Chinese characters. They also give me that message when I tried to uninstall them about 'an error occurred and they may have already been uninstalled', but since all the characters on their windows are in Chinese, I definitely don't trust them.

Otherwise, the machine is better, the percentage thing is gone, there's no more surfanonymous that opens by itself, and Firefox opens to its own page, not that 123gopou or whatever it was.


But I want to get rid of the last vestiges of this chinese crap. What can we do to delete that chinese video-viewer thing?


BTW, you da bomb....


Thank you for the update, and thank you for your kind words. :) You did great in posting the logs, except you posted a copy of the original Addition.txt log, not the fresh one. Please look for that one, it should be on your Desktop and it will have the latest date in the header. There are a few things showing in the fresh FRST log, so let's eliminate them, and we'll also run Revo Uninstaller and see if it will remove the other Chinese programs. :thumbup2:


Step 1: Program Uninstall

One of the malicious programs on your machine was hidden from showing up in the Add/Remove Programs list. The FRST fix should have made it visible now. Please uninstall the program listed below.

globalupdate Helper


Step 2: Fix with FRST
  • Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right click on it and select Copy.)
  • Right-click in the open Notepad window and select Paste.
  • Select File and then Save as, then click on the Encoding bar located by the Save button and select UTF-8, and then save it on the desktop as fixlist.txt.


    NOTE: It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

Start
CreateRestorePoint:
CloseProcesses:
2015-09-15 18:26 - 2015-09-15 18:26 - 00000876 _____ C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\爱奇艺万能播放器.lnk
2015-09-15 18:26 - 2015-09-15 18:26 - 00000842 _____ C:\Users\David\Desktop\爱奇艺万能播放器.lnk
2015-09-15 18:26 - 2015-09-15 18:26 - 00000000 ____D C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\爱奇艺
2015-09-08 22:03 - 2015-09-15 18:12 - 00000000 ____D C:\qycache
C:\Program Files (x86)\Tencent
SearchScopes: HKU\S-1-5-21-3518043377-424418613-2629474751-1000 -> DefaultScope {A060E7FB-91F5-4c7c-BD0F-4A11A581D878} URL = hxxps://www.baidu.com/s?wd={searchTerms}&tn=96010190_dg
SearchScopes: HKU\S-1-5-21-3518043377-424418613-2629474751-1000 -> {A060E7FB-91F5-4c7c-BD0F-4A11A581D878} URL = hxxps://www.baidu.com/s?wd={searchTerms}&tn=96010190_dg
CMD: bitsadmin /reset /allusers
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state on
CMD: ipconfig /flushdns
Emptytemp:
Hosts:
End


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.


Run FRST and press the Fix button just once and wait. The tool will make a log on the desktop (Fixlog.txt); please post it in your next reply.


Step 3: Revo Uninstaller
  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run. If prompted again, click Yes.
  • When the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete.
  • When prompted click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted select Yes and then Next.
  • Once done click Finish.

Things I need to see in your next post:

Please post each of these logs as a separate reply in this thread.

Fixlog.txt Log
Fresh Addition.txt Log
Was Revo successful in removing the programs?

Edited by pystryker, 15 September 2015 - 05:39 PM.

I close my topics if there is no response after 3 days. Please PM a moderator or myself to reopen your topic.

Please PM me only if I'm helping you with your computer issues and I have not responded in 2 days. Please remember, I'm a volunteer and sometimes life does get in the way. :)

Please stay with me until I declare your machine clean. Absence of symptoms does not ensure your machine is clean.

If you'd like to make a donation via Paypal, please click here.
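Both FRST fixlists in this thread (the Task: lines in the first one and the SearchScopes: lines in the second) are the kind of log lines a helper reviews by hand. The following is an added example, not part of the thread and not FRST's own code: a Python triage script that reads FRST-style Task: and SearchScopes: lines and flags GUID-named tasks, several tasks launching binaries from one program directory, and a default search scope outside an allowlist. The allowlist, the fan-out threshold and the sample lines (assembled from this thread's own log excerpts) are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

TASK_RE = re.compile(r"^Task:\s+(?P<name>.+?)\s+=>\s+(?P<target>[A-Za-z]:\\.+?\.exe)")
SCOPE_RE = re.compile(r"^SearchScopes:\s+\S+\s+->\s+(?P<scope>.+?)\s+URL\s*=\s*(?P<url>\S+)")
# GUID-shaped task names, optionally with -1-6 / _user style suffixes, as in this thread's log.
GUID_NAME_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}([-_]\w+)*$", re.I)
# Assumption: the search engines this user actually expects as the default.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com"}

# Constructed sample: a handful of lines copied from the fixlists in this thread.
SAMPLE_LINES = r"""
Task: {F55FA74F-B9C0-401E-8737-889BF6429831} - System32\Tasks\eb58d441-d85a-49d4-95de-734601636806-1-6 => C:\Program Files (x86)\Cinema_Plus-3.6pV08.09\eb58d441-d85a-49d4-95de-734601636806-1-6.exe <==== ATTENTION
Task: C:\Windows\Tasks\Crossbrowse.job => C:\Program Files (x86)\Crossbrowse\Crossbrowse\Application\utility.exe <==== ATTENTION
Task: C:\Windows\Tasks\eb58d441-d85a-49d4-95de-734601636806-1-6.job => C:\Program Files (x86)\Cinema_Plus-3.6pV08.09\eb58d441-d85a-49d4-95de-734601636806-1-6.exe <==== ATTENTION
Task: C:\Windows\Tasks\eb58d441-d85a-49d4-95de-734601636806-5_user.job => C:\Program Files (x86)\Cinema_Plus-3.6pV08.09\eb58d441-d85a-49d4-95de-734601636806-5.exe <==== ATTENTION
Task: C:\Windows\Tasks\eb58d441-d85a-49d4-95de-734601636806-7.job => C:\Program Files (x86)\Cinema_Plus-3.6pV08.09\eb58d441-d85a-49d4-95de-734601636806-7.exe <==== ATTENTION
Task: C:\Windows\Tasks\globalUpdateUpdateTaskMachineCore.job => C:\Program Files (x86)\globalUpdate\Update\globalupdate.exe <==== ATTENTION
Task: C:\Windows\Tasks\globalUpdateUpdateTaskMachineUA.job => C:\Program Files (x86)\globalUpdate\Update\globalupdate.exe <==== ATTENTION
SearchScopes: HKU\S-1-5-21-3518043377-424418613-2629474751-1000 -> DefaultScope {A060E7FB-91F5-4c7c-BD0F-4A11A581D878} URL = hxxps://www.baidu.com/s?wd={searchTerms}&tn=96010190_dg
""".strip().splitlines()


def parse_tasks(lines):
    """Return (task name without path or .job suffix, target .exe path) pairs."""
    tasks = []
    for line in lines:
        m = TASK_RE.match(line.strip())
        if m:
            stem = re.sub(r"\.job$", "", m.group("name").split("\\")[-1], flags=re.I)
            tasks.append((stem, m.group("target")))
    return tasks


def default_search_host(lines):
    """Host of the DefaultScope URL, or None. FRST prints URLs defanged as hxxp(s)."""
    for line in lines:
        m = SCOPE_RE.match(line.strip())
        if m and m.group("scope").startswith("DefaultScope"):
            return urlparse(re.sub(r"^hxxp", "http", m.group("url"), flags=re.I)).hostname
    return None


def triage(lines, expected_hosts=EXPECTED_SEARCH_HOSTS, fanout=3):
    """Return findings as tuples; thresholds are assumptions, not FRST logic."""
    tasks = parse_tasks(lines)
    findings = []
    guid_named = sorted({stem for stem, _ in tasks if GUID_NAME_RE.match(stem)})
    if guid_named:
        findings.append(("guid_named_tasks", guid_named))
    by_dir = defaultdict(set)
    for stem, target in tasks:
        by_dir[target.rsplit("\\", 1)[0]].add(stem)
    for directory, stems in sorted(by_dir.items()):
        if len(stems) >= fanout:  # many tasks relaunching one directory = persistence fan-out
            findings.append(("task_fanout", directory, len(stems)))
    host = default_search_host(lines)
    if host and host not in expected_hosts:
        findings.append(("unexpected_default_search", host))
    return findings
```

Run `triage(SAMPLE_LINES)` to see the three findings for the sample; feed it the Task: and SearchScopes: lines of a full FRST.txt to triage a real log.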





#14 PGHinBKK

PGHinBKK
  • Topic Starter

  • Members
  • 339 posts
  • OFFLINE
  • Gender:Male
  • Location:Bangkok, Thailand
  • Local time:06:07 PM

Posted 16 September 2015 - 06:39 AM

OK, I will once again post piecemeal (and I'm so sorry...I may be doing things wrong with the reply box...). When I paste a notepad file in the reply box seems to be when I get the error message saying I cannot do that, but with the reply box at the bottom of the thread there is no 'Attach' (paperclip) icon and associated stuff...

 

The globalupdatehelper uninstalled   (YEAAAAA!!!)

 

Here's the addition log I ran second...I think...the time is right for the second run...

 

 

I'll do some more of the directions and post again ASAP...

Attached Files

  • Attached File: 2.txt (15.17KB, 1 downloads)

Life is strange......and then there's Thailand....

#15 PGHinBKK

PGHinBKK
  • Topic Starter

  • Members
  • 339 posts
  • OFFLINE
  • Gender:Male
  • Location:Bangkok, Thailand
  • Local time:06:07 PM

Posted 16 September 2015 - 06:55 AM

OK, here's the latest FRST log...

Attached Files


Life is strange......and then there's Thailand....



