[Solved] Grandfather's Laptop Redirects Chrome to Chinese Sites: Solutions for FRST, AdwCleaner & HijackThis

  • #1
    kg45
    Level 10  
    Hello,
    something has taken over the laptop and redirects the browser (Chrome), as soon as it is opened, to Chinese sites. I've been struggling with it for a good three weeks: I've used various programs, searched the internet and followed recommendations, and the effect was that the thing "went to sleep" for 1-2 days and on the third day started all over again. The latest attempt is Farbar Recovery Scan Tool, but here I'm asking for help, since I'm a novice at this; I used to use HijackThis, but that was a long time ago. The FRST and Addition reports are attached; before I generated the reports I had run AdwCleaner. Thank you for your interest and help, best regards
  • #2
    Kolobos
    IT specialist
    Make a backup of your Chrome bookmarks; the script will delete the browser profile directory created by the infection.
    Also remove the Chrome sync data from the Google account:
    https://support.google.com/chrome/answer/6386691?hl=pl

    Try running, with administrator rights, the uninstaller from the directory C:\Program Files (x86)\Tencent\

    Uninstall:
    1kboCfEipURW Updater version 1.2.0.4
    initialpage123 - Uninstall
    PPTV V4.0.3.0056
    QQ浏览器
    暴风影音5
    电脑管家11.5

    Next to frst.exe, create a file Fixlist.txt with the following contents:
    CloseProcesses:
    CreateRestorePoint:
    Online Application Installer (x32 Version: 2.0.0 - Microleaves) Hidden pcalua.exe -a "C:\Windows\system32\SupportAppPBHostless Modem\Setup.exe" -c /uninstall
    Task: {806E8565-07C5-4C29-8117-5683FCE988BC} - System32\Tasks\Trojan Remover => C:\Program Files\Loaris Trojan Remover\ltr.exe
    Task: {9409D5A5-4396-4672-A08D-584CC38BF4C0} - System32\Tasks\{31DDBD37-5DB7-4030-8064-10B0CAA806C3} => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [2017-04-06] (COMODO)
    Task: C:\WINDOWS\Tasks\UCBrowserUpdater.job => C:\Program Files (x86)\UCBrowser\Application\update_task.exe C:\Program Files (x86)\Tencent\QQBrowser\qqbrowser.exe C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory=Default --app-id=hcjadopoenpcjhdnknblbddcmlnlefid
    2017-04-18 11:29 - 2017-04-18 09:10 - 00313344 _____ () C:\Program Files (x86)\1kboCfEipURW Updater\1kboCfEipURW Updater.exe
    2017-04-18 10:43 - 2017-04-18 10:43 - 00088416 _____ () C:\Program Files (x86)\Tencent\QQPCMgr\11.5.17499.219\zlib.dll
    2017-04-18 10:42 - 2017-04-18 10:42 - 00115904 _____ () C:\Program Files (x86)\Tencent\QQPCMgr\11.5.17499.219\QMAntiInject.dll
    2017-04-18 10:43 - 2017-04-18 10:43 - 00488640 _____ () C:\Program Files (x86)\Tencent\QQPCMgr\11.5.17499.219\sqlite.dll
    2017-04-18 10:43 - 2017-04-18 10:43 - 00100704 _____ () C:\Program Files (x86)\Tencent\QQPCMgr\11.5.17499.219\tinyxml.dll
    2017-04-18 10:43 - 2017-04-18 10:43 - 00046784 _____ () C:\Program Files (x86)\Tencent\QQPCMgr\11.5.17499.219\plugins\sysspeeduprtpplugin\SysSpeedupRtpPlugin.dll
    2017-04-18 10:43 - 2017-04-18 10:43 - 00070848 _____ () C:\Program Files (x86)\Tencent\QQPCMgr\11.5.17499.219\plugins\qmiemalrtpplugin\qmiemalrtpplugin.dll
    2017-04-18 10:43 - 2017-04-18 10:43 - 00128192 _____ () c:\program files (x86)\tencent\qqpcmgr\11.5.17499.219\qmrtpcontroller.dll
    2017-04-18 10:42 - 2016-02-28 00:55 - 00036128 _____ () C:\Program Files (x86)\Tencent\QQPCMgr\11.5.17499.219\oDayProtect.dll
    AlternateDataStreams: C:\WINDOWS\system32\drivers:ucdrv-x64.sys [0]
    AlternateDataStreams: C:\WINDOWS\system32\drivers:x64 [0]
    AlternateDataStreams: C:\WINDOWS\system32\drivers:x86 [0]
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\QQPCRTP => ""="service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\QQPCRTP => ""="service"
    () C:\Program Files (x86)\1kboCfEipURW Updater\1kboCfEipURW Updater.exe
    (Tencent) C:\Program Files (x86)\Tencent\QQPCMgr\11.5.17499.219\QQPCRTP.exe
    (Tencent Inc.) C:\Program Files (x86)\Tencent\QQBrowser\TsService.exe
    (Tencent) C:\Program Files (x86)\Tencent\QQBrowser\qqbrowser.exe
    (Tencent) C:\Program Files (x86)\Tencent\QQBrowser\qqbrowser.exe
    (Tencent) C:\Program Files (x86)\Tencent\QQBrowser\qqbrowser.exe
    HKLM\...\Run: [vnlgp] => C:\Users\Jan\AppData\Roaming\vnlgp\vnlgp.exe [1538048 2017-02-06] () C:\Program Files (x86)\Tencent\QQPCMgr\11.5.17499.219\QQPCTRAY.EXE [362304 2017-04-18] (Tencent)
    HKLM-x32\...\Winlogon: [Shell] x [ ] () "C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe"\UUC0789.exe
    HKU\S-1-5-21-290543488-3704001229-2161073828-1001\...\Run: [apphide] => C:\Program Files (x86)\sss\uc.exe [159744 2017-04-13] ()
    HKU\S-1-5-21-290543488-3704001229-2161073828-1001\...\Run: [PPLiveAP] => C:\Program Files (x86)\Common Files\PPLiveNetwork\PPAP_startup.exe [181336 2017-03-10] (PPLive Corporation)
    HKU\S-1-5-18\...\Run: [] => [X]
    HKLM\...\Providers\n6olq5b5: C:\Program Files (x86)\Grakerghstertecult Reports\local64spl.dll [311808 2017-04-18] ()
    ShellExecuteHooks: No Name - {D404EF92-20EB-11E7-8685-64006A5CFC23} - C:\Users\Jan\AppData\Roaming\Plerserserofecult\Pretuiedsiherty.dll [148480 2017-04-18] ()
    ShellIconOverlayIdentifiers: [.QMDeskTopGCIcon] -> {B7667919-3765-4815-A66D-98A09BE662D6} => C:\Program Files (x86)\Tencent\QQPCMgr\11.5.17499.219\QMGCShellExt64.dll [2017-04-18] (Tencent)
    ShellIconOverlayIdentifiers: [BFDLinkIconOverlay] -> {F9D0EFE7-1939-4156-B6E9-0006A5FDDC4E} => C:\Program Files (x86)\Baofeng\StormPlayer\BFDesktopShell64.dll [2017-02-27] (暴风集团股份有限公司)
    ShellIconOverlayIdentifiers: [QBOverlayIcon] -> {96959DE7-C855-42BD-8382-2AAABF2A8F52} => C:\Users\Jan\AppData\Local\Tencent\QQBrowser\User Data\IconOverlay\QBShellIcon40be18.dll [2017-04-18] (Tencent)
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\PPLive.lnk [2017-04-18]
    ShortcutTarget: PPLive.lnk -> C:\Program Files (x86)\PPLive\PPTV\PPLive_startup.exe (PPLive Corporation)
    BHO-x32: 爱奇艺助手 -> {FB4F6285-4C32-49F2-950F-A5998F9CEC6C} -> C:\Program Files (x86)\IQIYI Video\LStyle\5.5.33.3550\Accelerator\IEHelper.dll => No File
    FF Plugin-x32: @Baofeng.com/npBFWebBrowserPlugin -> C:\Program Files (x86)\Baofeng\StormPlayer\npBFWebBrowserPlugin.dll [2017-02-27] (Beijing Baofeng Inc.)
    FF Plugin-x32: @iqiyi.com/npclient -> C:\Program Files (x86)\IQIYI Video\LStyle\5.5.33.3550\npclient.dll [2016-11-08] ()
    FF Plugin-x32: @pptv.com/plugin -> C:\Program Files (x86)\Internet Explorer\PPLite\plugin\4.0.3.0056\nppluginEx.dll [2017-03-10] (PPLive Corporation)
    FF Plugin-x32: @QQ.com/QQPCMgr -> C:\Program Files (x86)\Tencent\QQPCMgr\11.5.17499.219\npQMExtensionsMozilla.dll [2017-04-18] (Tencent Technology (Shenzhen) Company Limited)
    CHR DefaultProfile: ChromeDefaultData2
    CHR HomePage: ChromeDefaultData2 -> hxxp://www.initialpage123.com/?z=6b4fa8ddafc9db73f8cc01bgaz0tao1w5e3m3waeet&from=wak&uid=3219913727_263875_1EB28618&type=hp
    CHR StartupUrls: ChromeDefaultData2 -> "hxxp://www.initialpage123.com/?z=6b4fa8ddafc9db73f8cc01bgaz0tao1w5e3m3waeet&from=wak&uid=3219913727_263875_1EB28618&type=hp"
    CHR DefaultSearchURL: ChromeDefaultData2 -> hxxp://www.initialpage123.com/search/?q={searchTerms}&z=6b4fa8ddafc9db73f8cc01bgaz0tao1w5e3m3waeet&from=wak&uid=3219913727_263875_1EB28618&type=sp
    CHR DefaultSearchKeyword: ChromeDefaultData2 -> 28initialpage123
    CHR Profile: C:\Users\Jan\AppData\Local\Google\Chrome\User Data\ChromeDefaultData2 [2017-04-18]
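    As an added example (not code from this thread, from FRST, or from the helper), the PowerShell below re-checks the persistence points that the Fixlist above targets: Run keys, the Winlogon Shell value, alternate data streams on the abused directories, the SafeBoot whitelist, scheduled tasks, and Chrome profile directories and their Preferences. Run it in an elevated PowerShell after the fix and a reboot; anything it prints is a survivor or a re-infection. The registry paths, the Tencent/UCBrowser/QQPC name patterns and the ChromeDefaultData2 example come from the FRST lines in the thread; the list of standard Chrome profile directory names and the Preferences key names are assumptions about Chrome's layout, not something the thread states.

```powershell
# Added example for this thread, not code from the original posts or from FRST:
# re-check the persistence points that the Fixlist in post #2 targets.
# Run in an elevated PowerShell after the fix and a reboot. Paths, value names and
# the Tencent/UCBrowser name patterns are taken from the FRST lines in the thread;
# the Chrome profile names and Preferences keys are assumptions about Chrome's layout.
$ErrorActionPreference = 'SilentlyContinue'

function Get-ExeFromCommand([string]$Command) {
    # Extract the executable from a Run-key command line: quoted, bare path with spaces, or with args.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if (Test-Path -LiteralPath $Command) { return $Command }
    return ($Command -split '\s+')[0]
}

# 1. Run keys. The hijacker's entries (vnlgp, apphide, PPLiveAP) were unsigned binaries
#    under AppData\Roaming or throwaway folders; report unsigned or missing targets.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $values = (Get-ItemProperty -Path $key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
    foreach ($v in $values) {
        $exe    = Get-ExeFromCommand $v.Value
        $sig    = Get-AuthenticodeSignature -FilePath $exe
        $status = if ($sig) { $sig.Status } else { 'FileMissing' }
        if ($status -ne 'Valid' -or $exe -match '\\AppData\\Roaming\\') {
            Write-Output "Run: $key [$($v.Name)] => $($v.Value)  (signature: $status)"
        }
    }
}

# 2. Winlogon Shell must be exactly explorer.exe (the fix removed a UCBrowser stub there).
foreach ($wl in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
                'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon',
                'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon') {
    $shell = (Get-ItemProperty -Path $wl).Shell
    if ($shell -and $shell -ne 'explorer.exe') { Write-Output "Winlogon Shell at $wl = '$shell'" }
}

# 3. Alternate data streams on the two directories FRST found abused
#    (drivers:ucdrv-x64.sys and UCBrowser\Security:ucdrv-x64.sys). `dir /r` shows the same.
foreach ($dir in "$env:SystemRoot\System32\drivers", "${env:ProgramFiles(x86)}\UCBrowser\Security") {
    Get-Item -LiteralPath $dir -Stream * | Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object { Write-Output "ADS: ${dir}:$($_.Stream) [$($_.Length) bytes]" }
}

# 4. Safe Mode whitelist: QQPCRTP registered itself under SafeBoot\Minimal and \Network.
foreach ($mode in 'Minimal', 'Network') {
    Get-ChildItem -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode" |
        Where-Object { $_.PSChildName -match 'QQPC|Tencent|ucdrv|UCBrowser' } |
        ForEach-Object { Write-Output "SafeBoot\$mode\$($_.PSChildName) still present" }
}

# 5. Scheduled tasks: the legacy UCBrowserUpdater.job plus any task launching the removed software.
Get-ChildItem -Path "$env:SystemRoot\Tasks" -Filter *.job |
    ForEach-Object { Write-Output "Legacy task: $($_.FullName)" }
Get-ScheduledTask |
    Where-Object { ($_.Actions.Execute -join ' ') -match 'UCBrowser|Tencent|Loaris|1kboCfEipURW' } |
    ForEach-Object { Write-Output "Task: $($_.TaskPath)$($_.TaskName)" }

# 6. Chrome: the infection parked its settings in a profile directory Chrome itself never
#    creates (ChromeDefaultData2) and pointed homepage, startup URLs and search at initialpage123.
$checks = [ordered]@{
    homepage   = '"homepage"\s*:\s*"([^"]*)"'
    startup    = '"startup_urls"\s*:\s*\[([^\]]*)\]'
    search_url = '"default_search_provider_data"\s*:\s*\{.{0,2000}?"url"\s*:\s*"([^"]*)"'
}
$userData = "$env:LOCALAPPDATA\Google\Chrome\User Data"
Get-ChildItem -Path $userData -Directory |
    Where-Object { Test-Path -LiteralPath (Join-Path $_.FullName 'Preferences') } |
    ForEach-Object {
        if ($_.Name -notmatch '^(Default|Profile \d+|Guest Profile|System Profile)$') {
            Write-Output "Non-standard Chrome profile directory: $($_.FullName)"
        }
        $prefs = Get-Content -LiteralPath (Join-Path $_.FullName 'Preferences') -Raw
        foreach ($c in $checks.GetEnumerator()) {
            # Regex rather than ConvertFrom-Json so a damaged Preferences file still yields hits.
            if ($prefs -match $c.Value -and $Matches[1]) {
                Write-Output "$($_.Name) $($c.Key): $($Matches[1])"
            }
        }
    }
```

    The script only reports; compare its output with the FRST log and put whatever is still there into a new Fixlist rather than deleting by hand, so the helper can see the same evidence you see.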
  • #3
    kg45
    Level 10  
    I started the game and at the second step, a dud: I can't find the file C:\Program Files (x86)\Tencent\ or those programs.
  • #4
    Kolobos
    IT specialist
    That is a directory, and you don't need to search for it when you have the path. You can even paste it into Run and it will open; but if there is no uninstaller there, skip that step and do the rest.
  • #5
    kg45
    Level 10  
    Done, except for uninstalling the programs. It took a long time, but I learned a bit along the way, and later I didn't have access to the laptop (work).
    In order: the Fixlist run from WinRE, the Dr.Web scan report, and the logs from the FRST scan.
    PS. I'm at the computer until 4:00 PM, then :( again. Regards
    #6
    Kolobos
    IT specialist
    Uninstall Loaris Trojan Remover 2.0.28

    New Fixlist.txt for FRST:
    ShortcutWithArgument: C:\Users\Jan\Desktop\chrome - shortcut.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://hao.169x.cn/?v=108
    ShortcutWithArgument: C:\Users\Jan\Desktop\mail.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://hao.169x.cn/?v=108
    ShortcutWithArgument: C:\Users\Jan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\email.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory=Default --app-id=hcjadopoenpcjhdnknblbddcmlnlefid
    CHR DefaultSearchURL: Default -> hxxps://ssl.gstatic.com/ui/v1/icons/mail/images/favicon5.ico
    R1 ucdrv; C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys [25444] (UC Web Inc.)
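    The ShortcutWithArgument lines above are the part of this hijack that survives a browser reset: the shortcut still points at the real chrome.exe, but a URL has been appended to its Arguments field, so every launch opens the redirect page. As an added example (not code from this thread, from FRST, or from the helper), the PowerShell below reads every .lnk on the per-user and all-users Desktop and Start Menu and in Quick Launch through the WScript.Shell COM object and lists browser shortcuts that carry any argument at all, marking those whose argument looks like a URL or hostname. The browser executable list and the "looks hijacked" pattern are assumptions for illustration; Chrome's own --profile-directory/--app-id arguments, like the email.lnk above, are shown but not marked.

```powershell
# Added example for this thread, not code from the original posts or from FRST:
# find browser shortcuts whose Arguments field carries a URL, the hijack that the
# ShortcutWithArgument lines in post #6 clean up. The browser list and the "looks
# hijacked" heuristic are assumptions; review the table before setting $Fix.
$Fix = $false                       # $true: blank the Arguments of shortcuts flagged as hijacked
$browserExe = '\\(chrome|firefox|iexplore|opera|msedge|brave)\.exe$'
$wsh = New-Object -ComObject WScript.Shell

# Per-user and all-users Desktop and Start Menu, plus Quick Launch (taskbar pins live under it).
$roots = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('Programs'),
    [Environment]::GetFolderPath('CommonPrograms'),
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"
) | Where-Object { Test-Path -LiteralPath $_ }

$hits = Get-ChildItem -Path $roots -Recurse -Filter *.lnk -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $wsh.CreateShortcut($_.FullName)
        if ($lnk.TargetPath -match $browserExe -and $lnk.Arguments.Trim() -ne '') {
            [pscustomobject]@{
                Shortcut      = $_.FullName
                Target        = $lnk.TargetPath
                Arguments     = $lnk.Arguments
                # A URL or bare hostname is the hijack; Chrome's own --profile-directory/--app-id are not.
                LooksHijacked = [bool]($lnk.Arguments -match '(^|\s)(https?://|www\.|[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}(/|\s|$))')
            }
        }
    }

$hits | Format-Table -AutoSize

if ($Fix) {
    foreach ($h in ($hits | Where-Object LooksHijacked)) {
        $lnk = $wsh.CreateShortcut($h.Shortcut)
        $lnk.Arguments = ''
        $lnk.Save()                 # Public Desktop / all-users Start Menu need an elevated shell
        Write-Output "Cleared arguments on $($h.Shortcut)"
    }
}
```

    Run it once with $Fix left at $false and read the table; a shortcut whose Arguments column is a web address is the hijack, while a shortcut with --app-id is a Chrome web app you may or may not want to keep. Pinned taskbar items are ordinary .lnk files under Quick Launch\User Pinned\TaskBar, which is why that folder is scanned too.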
    #8
    Kolobos
    IT specialist
    Delete the C:\FRST directory and that's all.
  • #9
    kg45
    Level 10  
    Problem solved thanks to Kolobos' advice, thank you again.