Malware Chinese Characters

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Bluesbreaker, Feb 2, 2016.

  1. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay I have a few more ideas. First an observation! I noticed that the new user account that you created is not an administrator account. It should have been an admin account. But let's not work on this right now. I want to do something in your original user account.

    • With Windows explorer ( hold down the Windows logo key and press the "e" key at the same time )
    • Click on This PC and find the C drive.
    • Navigate to the C:\Users\lil-nicky\AppData\Local folder
    • Right click on the TileDataLayer folder and select Rename
    • Change the name to TileDataLayer.BAK
      • Did it let you rename this?
        • If yes then reboot your PC and tell me if there is any change.
        • If no then just come back and tell me.
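A scripted version of the rename attempt above, added here as an example (it is not part of the thread). It assumes the same folder path the post uses; the `$UserName` parameter is a placeholder and the locked-file check opens each file with an exclusive share to see which one another process is holding:

```powershell
# Added example: try the TileDataLayer rename from an elevated PowerShell and, if Windows
# refuses it, list the files inside the folder that are currently held open by something else.
# $UserName is an assumed placeholder; adjust it to the profile being worked on.
param([string]$UserName = 'lil-nicky')

function Get-LockedFiles {
    param([string]$Folder)
    # Opening with FileShare 'None' fails with an IOException when any other process
    # already has the file open, which is exactly what blocks renaming the parent folder.
    Get-ChildItem -Path $Folder -Recurse -File | ForEach-Object {
        $path = $_.FullName
        try {
            $fs = [System.IO.File]::Open($path, 'Open', 'Read', 'None')
            $fs.Close()
        } catch [System.IO.IOException] {
            $path   # emit the path of the locked file
        } catch [System.UnauthorizedAccessException] {
            "$path (access denied, not necessarily locked)"
        }
    }
}

$Target = "C:\Users\$UserName\AppData\Local\TileDataLayer"
if (-not (Test-Path $Target)) {
    Write-Output "Folder not found: $Target"
    return
}

try {
    Rename-Item -Path $Target -NewName 'TileDataLayer.BAK' -ErrorAction Stop
    Write-Output "Renamed to TileDataLayer.BAK. Reboot and check whether the Start button works."
} catch {
    Write-Output "Rename refused: $($_.Exception.Message)"
    $locked = @(Get-LockedFiles -Folder $Target)
    if ($locked.Count -gt 0) {
        Write-Output "Files currently held open by another process:"
        $locked | ForEach-Object { Write-Output "  $_" }
    } else {
        Write-Output "No individual file is locked; the folder handle itself may be in use."
    }
}
```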
     
  2. Bluesbreaker

    Bluesbreaker Corporal

Hi, it did not allow the rename. It said it was open or a file in it was open and in use somewhere else.

    to confirm, I was renaming TileDataLayer to TileDataLayer.bak
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Yes, it was the folder we were trying to rename. If the processes that are related to your issues with the Start Button and Store ( and possibly Microsoft Edge ) were not running, then you should be able to rename this. Did you have your Edge browser open when you tried to rename it? If you did, then close Edge and try again.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Do you know how to run an application as Administrator from Task Manager? If not, then open Task Manager and click the More details pull down at the lower left of Task Manager so that you see all options. Then click File and select Run new task. Make sure that you first put a check in the Create this task with administrative privileges box ( this is very important to do correctly ). Then type powershell into the Open: box and click OK. If done properly, you should now have a window open that has a title line showing Administrator: Windows PowerShell and you should see the PS C:\WINDOWS\system32> prompt.

Highlight the below command line that is in red with your mouse and then press Ctrl-C to copy it into the Windows clipboard. Then on the top bar of the PowerShell window, right click and select Edit, and then Paste to paste the below command into PowerShell. Make sure the full command pastes in correctly and then hit Enter. That final brace } is part of the command.

    Get-AppXPackage -AllUsers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

    This will take a while to run and you may see some errors while it is running. Just ignore them. When it gets back to the PS C:\WINDOWS\system32> prompt it is finished. Take a quick look right now to see if the Start Button works. If not we will continue with other steps. Let me know.
     
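The re-registration one-liner above discards every error it hits. The following is an added example (not from the thread or from Microsoft) that does the same work but records each failure to a log file so a package that keeps failing can be looked at afterwards; it assumes an elevated PowerShell session on Windows 10, and the log path and the Start menu package name it checks for are assumptions made for illustration:

```powershell
# Added example: re-register all AppX packages for all users, as the thread's one-liner does,
# but count results and keep the error text instead of ignoring it.
# Assumes an elevated (Administrator) PowerShell on Windows 10. $LogPath is a constructed location.
$LogPath = Join-Path $env:USERPROFILE 'Desktop\appx-reregister.log'
$results = @{ Ok = 0; Failed = 0; Skipped = 0 }

Get-AppxPackage -AllUsers | ForEach-Object {
    $name = $_.PackageFullName
    # Some entries are staged without an install folder; they cannot be re-registered, so skip them.
    if ([string]::IsNullOrEmpty($_.InstallLocation)) {
        $results.Skipped++
        Add-Content -Path $LogPath -Value "SKIP $name : no install location"
        return
    }
    $manifest = Join-Path $_.InstallLocation 'AppXManifest.xml'
    if (-not (Test-Path $manifest)) {
        $results.Skipped++
        Add-Content -Path $LogPath -Value "SKIP $name : no manifest at $manifest"
        return
    }
    try {
        Add-AppxPackage -DisableDevelopmentMode -Register $manifest -ErrorAction Stop
        $results.Ok++
    } catch {
        # A package that fails here every run (for example because its database is locked)
        # is the one worth examining; the log keeps the exact message.
        $results.Failed++
        Add-Content -Path $LogPath -Value "FAIL $name : $($_.Exception.Message)"
    }
}

# The Start menu is hosted by this package on Windows 10; its presence after the run is a
# quick sanity check. Package name assumed for illustration.
$startHost = Get-AppxPackage -AllUsers -Name 'Microsoft.Windows.ShellExperienceHost'
Write-Output ("Re-registered: {0}  Failed: {1}  Skipped: {2}  (details in {3})" -f `
    $results.Ok, $results.Failed, $results.Skipped, $LogPath)
if ($startHost) {
    Write-Output "Start menu host package present: $($startHost.PackageFullName)"
} else {
    Write-Output "Start menu host package NOT found; note this when reporting back."
}
```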
  5. Bluesbreaker

    Bluesbreaker Corporal

hi...so I'm pretty sure Edge browser was not running because it's one of the apps that can't run. I didn't check if it was running in the background - the only thing that was open was Firefox as I was reading the steps you provided.

However, I will try the post above tonight and report back.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Okay, there are several other processes/services that could also be running that would block the ability to rename this folder.

FYI, I have been researching this problem some more and it is an extremely widespread issue occurring in Windows 10 and there aren't any "one fix works for all" type solutions. In fact, fixes that work for one person have no effect for others. And some fixes even cause other problems. It seems to be more of a Windows problem, not a malware problem. It could happen at any time. Some people have stated that forced power downs ( like holding down the power button to force a shutdown when/if the PC hangs ) can cause it. Also, some people have stated that there could be a relationship with using Avast antivirus. In general, it seems to be a Windows 10 design issue.
     
  7. Bluesbreaker

    Bluesbreaker Corporal

    I'm finding this as well. I guess the coincidence of it happening with the junkware/malware problem, the script error, etc was convenient...but I will try post #204 still, yes?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, give it a try.
     
  9. Bluesbreaker

    Bluesbreaker Corporal

ok, am running. Interestingly enough, I was able to open PowerShell in Task Manager; however, it showed up as an icon on the toolbar and I was unable to open it up, or expand it, by clicking on it. It was just sitting there, dead. Through Task Manager I had to expand/maximize and then it popped up.

Weird. Yet Firefox and Task Manager open up when their icon is in the toolbar.
     
  10. Bluesbreaker

    Bluesbreaker Corporal

So ran it and no luck! Start button is still silent..waiting...pensive
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Okay. Try booting in safe boot mode and see if you can follow the instructions in message # 201 to rename the TileDataLayer folder.
     
  12. Bluesbreaker

    Bluesbreaker Corporal

ok - does it matter how I get to safe mode (eg msconfig or through the restart screens)?
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See if you can do it from the restart screens.
     
  14. Bluesbreaker

    Bluesbreaker Corporal

ok, tried it from safe mode and no go. Same message about the folder or a file in it being open in another program.

The only program open is Firefox.

    I am still in safe mode.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Okay, let's try going into the TileDataLayer folder, select the Database folder and see if you can rename it to Database.old
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

If you also cannot rename the Database folder, then go into the Database folder, select the vedatamodel.edb file and see if you can rename it to vedatamodel.edb.old
     
  17. Bluesbreaker

    Bluesbreaker Corporal

Nope. Same error message.
     
  18. Bluesbreaker

    Bluesbreaker Corporal

Same for vedatamodel.edb. It asked me if I was sure, then the same error message.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the + Repairs tab.
    • Then click the + Open Repairs button down on the bottom right.
• This will automatically begin a registry backup, so wait for it to complete and when it finishes, you will see a list of many possible different repairs and they are all selected by default. At the bottom of this form there is a not so obvious Unselect All Repairs check box which is to the right of a check box with a green check mark in it. Please click the Unselect All Repairs box. The green check mark box is to Select All Repairs. The only way you see what these boxes are is when your mouse hovers over them.
• Now select the following repair options ( the numbers at the beginning are the current repair numbers but this is subject to change.)
      • 01 - Reset Registry Permissions
      • 02 - Reset File Permissions
      • 03 - Reset Service Permissions
      • 04 - Register System Files
      • 23 - Repair File Associations (12 )
      • 26 - Restore Important Windows Services
      • 27 - Set Windows Services To Default Startup
• Now on the right side under the When Repairs Complete title, check the box for Restart/Shutdown System and then make sure the Restart System radio button is enabled, not the Shutdown System button.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start Repairs button at the lower right.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished. If it does not then reboot it yourself.
• After reboot, is there any change?
     
  20. Bluesbreaker

    Bluesbreaker Corporal

ok...btw, am I running this from safe mode or normal?
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It should not matter. If you are in safe boot mode run it from there but make sure you use Run As Administrator in any case.
     
  22. Bluesbreaker

    Bluesbreaker Corporal

Chaslang, you did it! Everything seems back to normal. The start button works. The JPGs open up automatically, same with some movies. Store launches and e launches. Though when I launched it, it opened with a Chinese webpage, so I'm not opening that anytime soon.

    Anything else I need to run to make sure we're good to go?

    Thank you! And thank you Kestrel13!
     
  23. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Excellent work, Chas!!
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Excellent news! Which program opened with a Chinese webpage? Edge? Can you just reset your home page to what you want and does that fix it?
     
  25. Bluesbreaker

    Bluesbreaker Corporal

hi - ya, it was the Edge program, so I got a little skittish when I saw those characters. Didn't want to go back down the Baidu rabbit hole...and take you and Kestrel with me...
     
  26. Bluesbreaker

    Bluesbreaker Corporal

But I will try and change Edge settings...and it did say Baidu on that Edge home that opened. :eek:
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    ??? What are you trying to say? Please be more clear/specific on what you are seeing? Are you having redirection problems or do you just mean that your home page was not set correctly?
     
  28. Bluesbreaker

    Bluesbreaker Corporal

Ok - let me get to my computer. I apologize, I wrote that on my BB, under the weather..
     
  29. Bluesbreaker

    Bluesbreaker Corporal

ok, so I reloaded Edge and it seems ok...

So thank you, and is there anything I need to do now, like a final scan/whatever, or am I all good?
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just final instructions!

    If you are not having any other malware problems, it is time to do our final steps ( some steps may not apply if we did not have you run certain tools ):
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
  • Press and hold the Windows key and then press the letter R on your keyboard. This opens the Run dialog box.
      • Copy and paste the below into the Run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    4. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    5. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
6. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
    8. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    9. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
  • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • For Windows 8 and 8.1 system restore see this link: Win 8 System Restore - How to enable/disable
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work through the below link:
     
  31. Bluesbreaker

    Bluesbreaker Corporal

Chaslang, one thing further. Can I keep CCleaner or Hitman on the computer as additional cleaners/scanners? Hitman seems to be running a scan each time it comes on and I'm wondering if that's a good added preventative, including Malwarebytes.

Other than that, thanks and I'll be supporting you guys again...Kestrel13!, stay solid.
     
  32. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    So pleased you're running nicely again now Blues. :)
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

You can keep CCleaner but remember that it is not a malware removal tool.

    Hitman Pro's free trial expires after 30 days and then it cannot be used for cleaning unless you purchase a license. The free scan only part would need to be updated all the time for it to be an effective scanning tool, but I don't recommend having a scan run every time you boot your PC. Personally I would not leave it installed with that additional service that it requires to be running. Malwarebytes is better to keep installed and run periodic scans with it.
     
    Last edited by a moderator: Mar 16, 2016
  34. Bluesbreaker

    Bluesbreaker Corporal

Chaslang, Kestrel13!, I just wanted to say thank you again for all your patience and for helping me work through this. I think you guys, and the site in general, are fantastic, and I learned a bit going through the various steps.

    I'd love to say see you again...but I think I'll couch that...
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     