
zhudongfangyu remove - confirmation


  • This topic is locked
7 replies to this topic

#1 Kush1292

Kush1292

  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:54 AM

Posted 02 March 2018 - 01:56 AM

Hello guys, so I am helping a friend of mine who had these Chinese letters popping up on their computer.

I took a look at it and saw a lot of suspicious activity.

I did my best at removing it with HitmanPro, ADWCleaner, Malwarebytes, etc.

There was a piece of software installed, something 360 (Chinese letters), etc.

The genuine ZhuDongFangYu.exe file is a software component of 360安全卫士 by Qihoo 360.

Anyway, I am attaching a few logs.

After removing that software successfully (I couldn't remove it from Add/Remove Programs because it was all in Chinese or some language), Google Chrome and some other stuff still show up in Chinese. Thus, the logs.

Thank you for your time! :)


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,187 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:54 AM

Posted 02 March 2018 - 08:36 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Windows Firewall is disabled.
Turn ON your Windows Firewall.
https://support.microsoft.com/en-us/instantanswers/c9955ad9-1239-4cb2-988c-982f851617ed/turn-windows-firewall-on-or-off
<<<>>>

Remove this program in bold via the Control Panel > Programs > Programs and Features.
DriverUpdate (HKLM\...\{9E526615-95A1-4C46-95EA-E4957264CA84}) (Version: 5.3.0 - Slimware Utilities Holdings, Inc.) Hidden
====


Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(© 2015 Microsoft Corporation) C:\Users\Administrator.I41VG7UI7G8SZ2W\AppData\Local\Microsoft\BingSvc\BingSvc.exe
HKU\S-1-5-21-403400280-2842251745-220801510-500\...\Run: [BingSvc] => C:\Users\Administrator.I41VG7UI7G8SZ2W\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2015-11-04] (© 2015 Microsoft Corporation)
HKU\S-1-5-21-403400280-2842251745-220801510-500\...\Run: [360DesktopLite] => C:\Users\Administrator.I41VG7UI7G8SZ2W\AppData\Roaming\360DesktopLite\360DesktopLite64.exe [3329120 2018-01-17] (360.cn)
Startup: C:\Users\Administrator.I41VG7UI7G8SZ2W\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegVac.lnk [2018-03-01]
ShortcutTarget: RegVac.lnk -> C:\Program Files (x86)\RegVac Registry Cleaner\regvac.exe (No File)
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://123.itiankong.com/?2
SearchScopes: HKLM-x32 -> DefaultScope {B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} URL = hxxp://www.baidu.com/baidu?wd={searchTerms}&tn=32006098_adr&ie=utf-8
SearchScopes: HKLM-x32 -> {B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} URL = hxxp://www.baidu.com/baidu?wd={searchTerms}&tn=32006098_adr&ie=utf-8
SearchScopes: HKU\.DEFAULT -> DefaultScope {B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} URL = hxxp://www.baidu.com/baidu?wd={searchTerms}&tn=32006098_adr&ie=utf-8
SearchScopes: HKU\.DEFAULT -> {B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} URL = hxxp://www.baidu.com/baidu?wd={searchTerms}&tn=32006098_adr&ie=utf-8
BHO: SafeMon Class -> {B69F34DD-F0F9-42DC-9EDD-957187DA688D} -> C:\Program Files (x86)\360\360Safe\safemon\safemon64.dll => No File
BHO-x32: SafeMon Class -> {B69F34DD-F0F9-42DC-9EDD-957187DA688D} -> C:\Program Files (x86)\360\360Safe\safemon\safemon.dll => No File
FF NewTabOverride: Mozilla\Firefox\Profiles\51w8zotc.default -> Enabled: _euMembers_@free.filesendsuite.com
FF HKU\S-1-5-21-403400280-2842251745-220801510-500\...\Firefox\Extensions: [dict@www.youdao.com] - C:\Users\Administrator\AppData\Local\Youdao\Dict\Application\stable\extensions\firefox => not found
FF Plugin-x32: @360.cn/npaxlogin -> C:\Program Files (x86)\360\360Safe\Utils\npaxlogin.dll [No File]
FF Plugin-x32: @baidu.com/npxbdsetup -> C:\Windows\Downloaded Program Files\210523\npxbdsetup.dll [No File]
FF Plugin-x32: @pptv.com/plugin -> C:\Program Files (x86)\Internet Explorer\PPLite\plugin\npplugin2.dll [No File]
FF Plugin HKU\S-1-5-21-403400280-2842251745-220801510-500: @360.cn/360MMPlugin -> C:\Program Files (x86)\360\360Safe\MobileMgr\np360MMPlugIn.dll [No File]
FF Plugin HKU\S-1-5-21-403400280-2842251745-220801510-500: @360.cn/360SoftMgrPlugin -> C:\Program Files (x86)\360\360Safe\SoftMgr\np360SoftMgr.dll [No File]
FF Plugin HKU\S-1-5-21-403400280-2842251745-220801510-500: @xunlei.com/npxluser -> C:\Program Files (x86)\Thunder Network\Thunder\BHO\xluser\npxluser.dll [No File]
CHR Extension: (Bing) - C:\Users\Administrator.I41VG7UI7G8SZ2W\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcfenmboojpjinhpgggodefccipikbpd [2018-03-01]
CHR HKU\S-1-5-21-403400280-2842251745-220801510-500\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [aohddidmgooofkgohkbkaohadkolgejj] - C:\Users\Administrator\AppData\Local\Youdao\Dict\Application\stable\YDChromeTextExtractor.crx <not found>
S2 ZhuDongFangYu; "C:\Program Files (x86)\360\360Safe\deepscan\zhudongfangyu.exe" [X]
U3 Changer; no ImagePath
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]

ShellIconOverlayIdentifiers: [       360UDiskGuard Icon Overlay] -> {CC00F81D-5262-450A-B1FA-D6BEE3406263} => C:\Program Files (x86)\360\360Safe\safemon\360UDiskGuard64.dll -> No File
ShellIconOverlayIdentifiers: [FunOverlay] -> {A5662DF9-0C2E-4A56-9FE1-BACFF6966D88} =>  -> No File
ShellIconOverlayIdentifiers-x32-x32: [AAADesktopTips] -> {4562B511-62E9-4533-B7B2-56A8BB10B482} => C:\Program Files (x86)\Common Files\Thunder Network\KanKan\xappex.1.1.1.62.(845).dll -> No File
ContextMenuHandlers1: [360Zip] -> {9179176E-B763-3200-8500-BB1B90B3D5DE} => C:\Program Files (x86)\360\360zip\360ZipExt64.dll -> No File
ContextMenuHandlers1: [Safe360Ext] -> {7C0F6D57-E799-4C8A-A319-8E2B4D724CF0} => C:\Program Files (x86)\360\360Safe\Utils\shell360ext64.dll -> No File
ContextMenuHandlers1: [SoftMgrExt] -> {5E19C0CE-C02C-46c2-98C3-A2E12EDE0E17} => C:\Program Files (x86)\360\360Safe\SoftMgr\SoftMgrExt64.dll -> No File
ContextMenuHandlers4: [Safe360Ext] -> {7C0F6D57-E799-4C8A-A319-8E2B4D724CF0} => C:\Program Files (x86)\360\360Safe\Utils\shell360ext64.dll -> No File
ContextMenuHandlers6: [Safe360Ext] -> {7C0F6D57-E799-4C8A-A319-8E2B4D724CF0} => C:\Program Files (x86)\360\360Safe\Utils\shell360ext64.dll -> No File

C:\Users\Administrator.I41VG7UI7G8SZ2W\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegVac.lnk
C:\Users\Administrator.I41VG7UI7G8SZ2W\AppData\Roaming\360DesktopLite
C:\Windows\Minidump\021518-16551-01.dmp
C:\Windows\MEMORY.DMP

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.
===

Please let me know what problem persists with this computer.
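The fixlist above is built by carrying the suspicious report lines straight into fixlist.txt. As an added example (not from the thread and not Farbar's own code), the Python below walks report lines in the FRST style quoted above, flags services whose binary is missing or that have no ImagePath, orphaned BHO/shortcut entries, the IE restriction policy and the hijacked start page, and lays the hits out in the fixlist layout the reply uses. The marker strings, the regex for service lines, and the sample report (the Spooler line and the user path are constructed) are assumptions drawn from the quoted log, not FRST's documented grammar.

```python
import re

# Constructed sample in FRST (Farbar Recovery Scan Tool) report style, using the line
# shapes quoted in the reply above; the Spooler line and the user path are made up.
SAMPLE_LOG = r"""
S2 ZhuDongFangYu; "C:\Program Files (x86)\360\360Safe\deepscan\zhudongfangyu.exe" [X]
U3 Changer; no ImagePath
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
R2 Spooler; C:\Windows\System32\spoolsv.exe (Microsoft Corporation)
BHO: SafeMon Class -> {B69F34DD-F0F9-42DC-9EDD-957187DA688D} -> C:\Program Files (x86)\360\360Safe\safemon\safemon64.dll => No File
ShortcutTarget: RegVac.lnk -> C:\Program Files (x86)\RegVac Registry Cleaner\regvac.exe (No File)
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://123.itiankong.com/?2
CHR Extension: (Bing) - C:\Users\USER\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcfenmboojpjinhpgggodefccipikbpd [2018-03-01]
"""

# Assumed service line shape: "<state><start> <name>; <image path> [flags]"
SERVICE_RE = re.compile(r"^([SRU]\d)\s+([^;]+);\s*(.*)$")
ORPHAN_MARKERS = ("=> No File", "(No File)", "[No File]", "<not found>", "=> not found")

def classify(line):
    """Return (kind, name, reason) when a report line needs attention, else None."""
    line = line.strip()
    m = SERVICE_RE.match(line)
    if m:
        _code, name, rest = m.groups()
        if rest.startswith("no ImagePath"):
            return ("service", name, "registered service has no ImagePath")
        if rest.endswith("[X]"):  # FRST marks a missing service binary with [X]
            return ("service", name, "service binary is missing on disk")
        return None
    if any(marker in line for marker in ORPHAN_MARKERS):
        return ("autorun", line.split(":", 1)[0], "entry points at a file that no longer exists")
    if "<==== ATTENTION" in line:
        return ("policy", line.split(":", 1)[0], "FRST flagged a restriction policy")
    if "Start Page = " in line:
        return ("browser", line.split(",", 1)[0], "start page set to " + line.split("= ", 1)[1])
    return None

def triage(report):
    """Collect the report lines a helper would carry over into fixlist.txt."""
    findings = []
    for raw in report.splitlines():
        hit = classify(raw)
        if hit:
            findings.append((hit, raw.strip()))
    return findings

def build_fixlist(findings):
    """Lay the flagged lines out in the fixlist shape used in the reply above."""
    body = [raw for _hit, raw in findings]
    return "\n".join(["Start", "CreateRestorePoint:", "EmptyTemp:", "CloseProcesses:", *body, "End"])

if __name__ == "__main__":
    print(build_fixlist(triage(SAMPLE_LOG)))
```

FRST executes whatever fixlist.txt contains, so the generated list is a starting point for a line-by-line review, not something to run unread.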

#3 Kush1292

Kush1292
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:54 AM

Posted 02 March 2018 - 11:21 PM

Hello,

Thanks for your quick response.

Please see the attached; I still think there's something left, because some of the functions are still in a different language.

When I reset IE to default, I could see some stuff turn its language back to English.

Not sure what's going on with this person's computer.

After running the fixlist, the computer restarted and I ran the Farbar tool again and attached the logs.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,187 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:54 AM

Posted 03 March 2018 - 09:01 AM



Hi,

Remove this program in bold via the Control Panel > Programs > Programs and Features.
DriverUpdate (HKLM\...\{9E526615-95A1-4C46-95EA-E4957264CA84}) (Version: 5.3.0 - Slimware Utilities Holdings, Inc.) Hidden

This is a Rogue program. Your call if you want to remove it.
https://forums.malwarebytes.com/topic/189407-removal-instructions-for-driverupdate/

===

Step 1: Remove Chrome from your computer and reinstall a fresh copy later.

Step 2: Before you remove Chrome, export your bookmarks.
Chrome will export your bookmarks as an HTML file, which you can then import into another browser.

How To: http://ccm.net/faq/31791-how-to-backup-your-google-chrome-bookmarks

Step 3: If you sync your account you must remove it before you save your bookmarks etc.
Delete your Google Chrome browser sync data if you sync with other devices.
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

Step 4: Clear your Chrome cache and cookies.
https://support.google.com/chromebook/answer/183083?hl=en

Step 5: Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Step 6: Re-install Chrome and the bookmarks.
====

Download Farbar's Service Scanner utility
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/
and Save to your Desktop.
If using Windows 7 or above, right-click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes to OK when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender


Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Copy & Paste contents of FSS.txt into your reply.
===

What I suspect is that the computer is being recolonized with a Chinese operating system and the downloads are in that language.

#5 Kush1292

Kush1292
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:54 AM

Posted 03 March 2018 - 04:01 PM

Hello,

I have removed Driver SlimCleaner and DriverUpdate from the Control Panel and from Program Data, Program Files, everywhere.

Not sure where it is now.

I deleted Chrome.

See attached FSS.txt

Attached Files

  • Attached File  FSS.txt   2.31KB   2 downloads

Edited by Kush1292, 03 March 2018 - 04:01 PM.


#6 Kush1292

Kush1292
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:54 AM

Posted 03 March 2018 - 04:23 PM

I was trying to install the C++ 2013 Redistributable and Java on the computer. Files download just fine, but when I run the setup it asks a security warning, I press Yes, but then nothing happens.

Also, when you right-click and click 'Run as admin' nothing happens, on any software.



#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,187 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:54 AM

Posted 04 March 2018 - 10:02 AM

Repair these services.

Boot with Safe Mode with Networking. Execute the following.

Please download Tweaking.com - Windows Repair from Here
  • Install and then run the program
  • Execute the instructions on Step 1 Important
  • Click Next on Step 2 Optional, do the Pre Scan; skip Step 3 and 4 Optional for now.
  • On Step 5 Backup System Restore, do a Registry backup. When you have completed this click Next
  • Click Repairs - Open Repairs in the bottom right corner
  • Uncheck the All repair button, then select just the item(s) listed below:
    01 - Repair Registry Permissions
    03 - Reset Service permissions
    04 - Register System Files
    05 - Repair WMI
    10 - Remove Policies Set By Infections
    16 - Repair Windows Updates
    20 - Repair MSI (Windows Installer)
    25 - Restore Important Windows Services
    26 - Set Windows Service to Default Startup
  • Click the Start button and let the process run to completion. Copy any error messages into Notepad and save it on your Desktop. (Reboot if asked to do so)
  • Please copy and paste the contents of this file in your next reply.
===

Restart the computer normally.

Post the log for my review.

p.s.

"Also, when you right-click and click 'Run as admin' nothing happens, on any software."

Are you right clicking shortcut or the .exe program file?

#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,187 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:54 AM

Posted 10 March 2018 - 08:57 AM

Are you still with me?
