Malware Chinese Characters

When I asked you to access safe mode, did you do it via msconfig or via these instructions?

http://windows.microsoft.com/en-gb/windows-10/start-your-pc-in-safe-mode

 

I don't think you should access safe mode in that way. It can cause many problems. At this point Blues, you need to go post in the software forum, explain what operating system you are using, and tell them how you accessed safe mode. Ask if this could have caused a problem. Also tell them about the error message you recieve when you try and boot up. Give the exact word for word error message.

Once they get you back up and running I would like you to return here to continue on with junk removal. Best of luck!

 

It doesn't really matter which mode you stay in for now. Just make your post in s/w and see what they say. I will follow the thread, and we can continue to work here once you are done.

 

So from what I understand you did not knowingly install Baidu. It appears to be uninstalled but I see signs of it left behind.....

Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.


Now run FRST like this:

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your next reply.
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

 

You need to copy ALL that is in the quote box, from REGEDIT4 to the last parenthesis.
Try running in normal mode.

 

NOTE: This script was written specifically for this user for use on this particular computer. Running this on another machine may cause damage to your operating system.
Download Fixlist.txt

Save fixlist.txt on your Desktop. Make sure you save it as a txt file.

• You should now have both fixlist.txt and FRST64.exe on your Desktop.
• Now I want you to disconnect your PC connection to the internet by unplugging the cable ( if it is wireless then temporarily shutdown the wireless network ).
• Run FRST64.exe by right clicking on it and selecting Run As Adminstrator
• Click the Fix button just once and wait.
• Your computer should reboot after the fix runs.
• Reconnect your internet connection after reboot so you can come back here to continue.
• The tool will make a log on the Desktop (Fixlog.txt) please attach this new log to your next reply (attach or paste)

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• Fixlog.txt
• C:\MGlogs.zip

Please attach the above two log first before you continue with the below.
Also at this point, I want to double check the status of thingsby having you run another scan with FRST like in my last message and attach the new FRST.txt log.

Explain how things are running.

 

Hang in there Blues, I am conferring with colleagues.

 

Delete these too, Blues... (remnants)

C:\Program Files (x86)\Common Files\Baidu
C:\Program Files (x86)\Common Files\Tencent
C:\ProgramData\Tencent
C:\Program Files (x86)\Tencent

 

Just straight delete... use Windows Explorer to find them and simply right click and delete.

 

Next I'd like you to navigate to this in the same way as you found those folders I asked you to delete... BUT we won't be deleting this one....

Navigate to this:
C:\FRST\Quarantine\C\WINDOWS\run.vbs.xBAD

• I want you to right click and select rename on that file. (run.vbs.xBAD)
• Rename it to remove the .xBAD extension if there is one.... so it is just called run.vbs
• Once done, right click on the file, choose COPY then PASTE it to your desktop. Once done...right click it and send to compressed (zip) folder
• Upload that zipped file here.

 

Edited post above to COPY not CUT

 

OK I have examined the file and it belongs to a junk program called CleanBrowser. Which I have already cleaned from your machine... the removal of this junk unsteadied your system, it can do that sometimes. I will now search for any more possible remnants, which if any do come up, I'm hoping that removing the rest will shape you up again... but let's not get our hopes up with that. All will not be lost anyway, I'm conferring with colleagues about this in the background.

SystemLook

Please download SystemLook from one of the links below appropriate for your operating system and save it to your Desktop.
Download 32 Bit
Download 64 Bit

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  
  Code:

  :filefind
  CleanBrowser
  Clean Browser
  :regfind
  CleanBrowser
  Clean Browser

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

 

I don't know about your sound...

Delete this if you see it.
C:\Program Files (x86)\CleanBrowser

Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

 

Not sure, Blues, I have to try and focus on one thing at a time though, your thread has had me quite baffled.

I'd like you to download Autoruns, save it to your desktop.


Rn Autoruns ( you will have to extract the contents from the ZIP file into its a new folder you create for it ( like AutoRuns on your Desktop ) and keep the Everything tab selected in AutoRuns. Then click on the File menu selection and select Save. Save this log file in default format to your Desktop. The default format and filename should be AutoRuns.arn

Now put the AutoRuns.arn file into a ZIP file and attach this ZIP to your next message. ( you cannot attach the AutoRuns.arn file. It must be ZIP'ed ).

Let me know how you get on with the reg patch.
Happy Valentine's to you too.

 

Editing my previous post to include autoruns instructions.

 

Blues you need to follow my instructions properly. All you did here was upload the program itself in a zipped file, you did none of what I said to do.

 

Did you download and use the version of AutoRuns that Kestrel13! gave you a link to or did you use some copy you already had? You need to use the version given so that correct logs are generated. Your file is showing up as corrupted which typical happens when different version of the program are run.

 

The file is still corrupt.

 

We'll have to wait and see what Chaslang says, Blues.

 

I'm hanging in there don't you worry. Just need some guidance from the boss.

 

I think that perhaps you are not waiting for AutoRuns to complete the analysis of your PC before you are saving the log file. The file you have inside of the ZIP file is way too small to be a complete log. This is probably why it is saying the file is corrupt.

 

Yes. You just have to wait for it to finish scanning. The message at the bottom should turn to Ready. And then when you click File, Save it should default to naming to file with an AutoRuns Data (*.arn ) file extension. Your last log had a .arn extension but the file was only about 726 K or so which maybe 10% of what I would expect.