Function Posted February 6, 2017 (edited)
Hello everyone,
Trying to download a programme, I encountered a very persistent Chinese virus which made doing practically anything impossible. When I came back from lunch, I saw that it had been installing about 10 programmes and a browser which would spontaneously open itself and redirect me to other stuff that would be downloaded and installed. It also hijacked Google Chrome in such a way that it would automatically change my startup page to some Chinese website (fanli90.cn) (to be sure: don't click it or go to it, for your own safety).
The acute phase is over: I've run several anti-malware programmes and have managed to delete most malicious files and programmes, but the Google Chrome problem persists. I've managed to remove the fanli90.cn redirect from the target of the Google Chrome shortcut, and have reset Chrome itself, but upon reboot, when I then start Google Chrome again, it will once again redirect me to the malign Chinese website.
Above all, there's this folder in Program Files (x86) from that strange Chinese browser that managed to install itself on my computer: C:\Program Files (x86)\UCBrowser. It holds another folder "Security". All contents were deleted manually or with brute-force file/folder removal programmes. However, whatever I try, I can't manage to delete the folder "Security", since the message pops up that I am not allowed to, that I do not have the administrator rights blah blah, and I've tried everything that's stated online about giving yourself those administrative rights, but it won't help. And brute-force folder removal programmes won't succeed in deleting it either.
Anyone an idea on both problems?
Thanks, F
Edit: after a while, the following command is always added again to the target path of the Google Chrome shortcut (DO NOT CLICK THE LINK BELOW):
--load-extension="C:\Users\USERNAME\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" http://fanli90.cn/
Can anyone help me?
Sensei Posted February 6, 2017 (edited)
When something like this happens, unplug the Ethernet cable, turn off wifi etc. prior to starting the cleaning. A good old trick is to rename the folder/file if the folder/file is inaccessible because of privileges and/or it's already in use. It might be necessary to do this in safe mode. After renaming, create a folder with the same name as used by the virus. Then create empty file(s) with the same name as the executable that's started (in a text editor, File > Save As.. an empty file, then rename it to .exe), but change its/their privileges and switch off the file's Writeable flag. Then restart the computer.
A hard-to-remove virus typically has a couple of executables. One executable restarts the other, and the other executable starts the first one. So if somebody tries to shut down the 1st one, the 2nd one restarts it, and vice versa. The 1st one blocks write access to the 2nd file, the 2nd one blocks write access to the 1st file. It's protection against being deleted. Making a fake folder with fake files, with blocked access and blocked overwrite, will prevent the restart.
Strange Posted February 6, 2017
Have you tried rebooting in safe mode and then deleting the folder? If that doesn't work, then you might be able to take the disk out and mount it as a drive on another computer and delete the file from there (perhaps using an external USB drive adaptor). I don't know which anti-malware programs you have tried; Malwarebytes has a good reputation for handling difficult cases. You could also (if you are comfortable doing this sort of thing) try searching the Windows Registry for the string "fanli" and deleting any registry keys that mention it (making a backup of the registry first).
Function (Author) Posted February 6, 2017 (edited)
Hmm, I did something and it helped practically, but I don't know if it's ... gone: on this random website they told a user with a comparable problem to paste this into a txt file:
Start
CreateRestorePoint:
CloseProcesses:
ShellExecuteHooks: No Name - {036CBE24-DE3B-11E6-95A0-64006A5CFC23} - C:\Users\Santos\AppData\Roaming\Vvuckchvosh\Jujutshnile.dll -> No File
SearchScopes: HKU\S-1-5-21-4063383439-142346386-2490566706-1000 -> {012E1000-F331-11DB-8314-0800200C9A66} URL = hxxp://www.google.com/search?q={searchTerms}
S2 GoogleChromeUpService; C:\ProgramData\service.exe /s GoogleChromeUpService /uid:51495 /local:br [X] <==== ATTENTION
S3 gkernel; \??\C:\Users\Santos\AppData\Local\Temp\gkernel.sys [X]
S3 gkernel; C:\Users\Santos\AppData\Local\Temp\gkernel.sys [X]
S1 ucdrv; \??\C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys [X] <==== ATTENTION
S1 ucdrv; C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys [X] <==== ATTENTION
WMI_ActiveScriptEventConsumer_ASEC: <===== ATTENTION
ShortcutWithArgument: C:\Users\Santos\Desktop\Google Chrome.lnk -> C:\Users\Santos\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\Santos\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://fanli90.cn/
ShortcutWithArgument: C:\Users\Santos\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Users\Santos\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\Santos\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://fanli90.cn/
ShortcutWithArgument: C:\Users\Santos\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Users\Santos\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\Santos\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://fanli90.cn/
FirewallRules: [{AE855DE7-B878-49B8-BFA9-55C39F8D9FAC}] => C:\Users\Santos\AppData\Local\Temp\is-2DK4K.tmp\download\MiniThunderPlatform.exe
EmptyTemp:
End
And put it on the desktop, then run FRST. I changed Santos to my own username and then ran FRST64 ... Rebooted and no fanli90.cn on startup of Chrome, but it still appeared in the shortcut target ... Though its redirection seemed to have been blocked by FRST. Anyone an idea what I just did?
I ran through the registry multiple times, and deleted everything with fanli90 and some other DLL files that had been installing themselves on my computer since lunchtime. However, after some time, the fanli90 string still adds itself to the shortcut target of Google Chrome.
And thanks, I might want to check out safe mode once in my life lol
Update 16:43 - I've removed the string from the target of the shortcut once more, rebooted, and it appears that the fanli90 string hasn't put itself in the target anymore: it's gone and my Google Chrome browser seems healthy now.
Update 16:58 - Safe mode did the trick. The folders are gone. Thanks guys
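As an added example (not code from the thread and not FRST's own), a small Python checker that applies the indicators the fixlist above surfaces to FRST-style report lines: shortcuts that side-load an unpacked extension or force a start URL, and services or drivers whose binary lives in a user-writable directory or, like ucdrv, in an NTFS alternate data stream attached to a folder (the `Security:ucdrv-x64.sys` form, which is also why the folder looks empty yet will not delete while the driver holds it). The sample lines are constructed from the thread with the username replaced by a placeholder and the URL defanged.

```python
import re

# Constructed FRST-style sample lines modelled on the thread; username is a placeholder, URL defanged.
SAMPLE_LINES = [
    r'S2 GoogleChromeUpService; C:\ProgramData\service.exe /s GoogleChromeUpService /uid:51495 /local:br [X]',
    r'S3 gkernel; \??\C:\Users\USERNAME\AppData\Local\Temp\gkernel.sys [X]',
    r'S1 ucdrv; C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys [X]',
    r'S2 Spooler; C:\Windows\System32\spoolsv.exe',
    r'ShortcutWithArgument: C:\Users\USERNAME\Desktop\Google Chrome.lnk -> '
    r'C:\Users\USERNAME\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.) -> '
    r'--load-extension="C:\Users\USERNAME\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://fanli90.cn/',
    r'ShortcutWithArgument: C:\Users\USERNAME\Desktop\Editor.lnk -> C:\Tools\editor.exe (Example) -> --safe',
]

SERVICE_RE = re.compile(r'^S([0-4]) (\S+); (.+?)(?: \[X\])?$')        # "S<start> <name>; <command> [X]"
SHORTCUT_RE = re.compile(r'^ShortcutWithArgument: (.+?\.lnk) -> (.+?) \(.*?\) -> (.*)$')
BINARY_RE = re.compile(r'^(.*?\.(?:exe|sys|dll))', re.I)              # command up to the binary name
USER_WRITABLE = re.compile(r'\\(Users\\[^\\]+\\AppData|ProgramData)\\', re.I)
ADS = re.compile(r'^[A-Za-z]:\\.*:[^\\]+$')                           # a second ':' = alternate data stream
URL = re.compile(r'\bh(?:xx|tt)ps?://', re.I)                         # real or defanged URL

def check_line(line):
    """Return (kind, name, reasons) for a suspicious report line, else None."""
    m = SERVICE_RE.match(line)
    if m:
        start, name, cmd = m.groups()
        cmd = cmd[4:] if cmd.startswith('\\??\\') else cmd            # drop the NT object-path prefix
        binary = BINARY_RE.match(cmd)
        path = binary.group(1) if binary else cmd
        reasons = []
        if ADS.match(path):
            reasons.append('binary stored in an NTFS alternate data stream')
        if USER_WRITABLE.search(path):
            reasons.append('binary in a user-writable directory')
        if reasons and start == '1':
            reasons.append('boot-start kernel driver (S1)')
        return ('service', name, reasons) if reasons else None
    m = SHORTCUT_RE.match(line)
    if m:
        lnk, _target, args = m.groups()
        reasons = []
        if '--load-extension=' in args:
            reasons.append('side-loads an unpacked browser extension')
        if URL.search(args):
            reasons.append('forces a start page URL')
        return ('shortcut', lnk, reasons) if reasons else None
    return None

def scan(lines):
    # Keep only the lines check_line flagged; benign services and clean shortcuts drop out.
    return [f for f in map(check_line, lines) if f]
```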
StringJunky Posted February 6, 2017 (edited)
If you can: Download AdwCleaner and run it. Click Scan > Get rid of everything it finds > It will ask to reboot. It will do all the registry searching. https://www.bleepingcomputer.com/download/adwcleaner/
Another option: You can get into the Administrator account by typing cmd in Search > Right-click Command Prompt > Select Run As Administrator > Type: net user administrator /active:yes > Press Enter. It will say "The command was completed successfully". Reboot and you should have an Administrator account to choose to log into - no password needed the first time and it will set itself up. You can find the files in your account from there or run AdwCleaner after installing it there.
For future reference, make your account 'Standard User' and use the admin account for emergencies. You can still have admin rights in Standard mode but Windows will ask for the admin password first. The idea is that if you don't have automatic elevated privileges in your normal account, nor does malware, and any problems remain confined just to that account and not the whole system. This is what I do. Remember to put a password on the admin account when you first get in there or else you won't be able to elevate your privileges in your normal account.
Function (Author) Posted February 6, 2017
Quoting StringJunky: "If you can: Download AdwCleaner and run it. Click Scan > Get rid of everything it finds > It will ask to reboot. It will do all the registry searching."
Tried that one too, didn't do the trick. All seems solved now, but I'll keep you updated on long-term effects.
StringJunky Posted February 6, 2017
Quoting Function: "Tried that one too, didn't do the trick. All seems solved now, but I'll keep you updated on long-term effects."
Quite a naughty one then.
Function (Author) Posted February 6, 2017
Quoting StringJunky: "Quite a naughty one then."
Communist, probably.
studiot Posted February 6, 2017
If you haven't already done so, delete all non-Microsoft browsers, especially Chrome, restart and then reinstall after the full cleanup.
Some further tips:
Revo Uninstaller is better than the Microsoft uninstaller.
If possible, run CCleaner as soon as you have enough control of an infected machine. This substantially reduces the amount of crap malware scanners have to wade through, speeding them up. Run it again last thing after everything else.
Run HitmanPro as well as AdwCleaner. You will have to manually delete anything it finds or pay for the autodelete.
The French program JRT.exe is also a good rogue finder in the early stages to help regain control of an infected machine.
Function (Author) Posted February 6, 2017
Quoting studiot: "If you haven't already done so, delete all non-Microsoft browsers, especially Chrome, restart and then reinstall after the full cleanup. If possible, run CCleaner as soon as you have enough control of an infected machine. Run HitmanPro as well as AdwCleaner. You will have to manually delete anything it finds or pay for the autodelete."
I did these steps too, and the virus persisted. But it's over now. I can finally breathe again. Keep you informed.
studiot Posted February 6, 2017 (edited)
Also make offline backup copies of all your data files now in case the virus also introduced one of those ransomwares that become active after a month.
Function (Author) Posted February 6, 2017
Quoting studiot: "Also make offline backup copies of all your data files now in case the virus also introduced one of those ransomwares that become active after a month."
Thanks for the advice, Eric. On it.
Manticore Posted March 8, 2017
Get rid of all Microsoft products. Upgrade to Linux - or BSD - or almost anything else.
Function (Author) Posted March 8, 2017
Quoting Manticore: "Get rid of all Microsoft products. Upgrade to Linux - or BSD - or almost anything else."
Thinking of buying a MacBook when I - finally - get some money from a summer job. I've never heard owners complain about it (perhaps some Festinger or chauvinism?) and I've always seen it run quite smoothly ... And I don't feel the need to game so yeah ... Contra-indications? Anyone?
StringJunky Posted March 8, 2017
Whatever you use, have a good backup routine and never store your data on the same drive as your OS.
Function (Author) Posted March 8, 2017
Quoting StringJunky: "Whatever you use, have a good backup routine and never store your data on the same drive as your OS."
OneDrive
StringJunky Posted March 8, 2017
Quoting Function: "OneDrive"
Whatever works for you. I've got a persistent prospective hijacker on this site that won't f- off but it won't cause me any loss because my stuff is not accessible. I treat any iteration of my Windows drive as disposable and distinct from my data, and it can be re-imaged, on a whim, in minutes. To me, Windows is a workspace, not a storage space.
Sensei Posted March 8, 2017 (edited)
Quoting StringJunky: "Whatever you use, have a good backup routine and never store your data on the same drive as your OS." Quoting Function: "OneDrive"
He rather meant partition. Although having multiple HDDs/SSDs would help with hardware failure (especially when they are set up as RAID in mirror mode), unfortunately it won't work with really nasty viruses/Trojans, as they simply might scan entire system drives and encode all the files, regardless of whether they are on C:\ or D:\ or Z:\ ...
Quoting StringJunky: "Whatever you use, have a good backup routine and never store your data on the same drive as your OS."
The real backup must be on an external, not readily accessible, medium.
StringJunky Posted March 8, 2017
Quoting Sensei: "He rather meant partition. Although having multiple HDDs/SSDs would help with hardware failure (especially when they are set up as RAID in mirror mode), unfortunately it won't work with really nasty viruses/Trojans, as they simply might scan entire system drives and encode all the files, regardless of whether they are on C:\ or D:\ or Z:\ ... The real backup must be on an external, not readily accessible, medium."
I thought he meant MS OneDrive, the cloud-based solution. I meant external... there wants to be an air gap, except when backing up.
studiot Posted March 8, 2017
Quoting Function: "Thinking of buying a MacBook when I - finally - get some money from a summer job. I've never heard owners complain about it (perhaps some Festinger or chauvinism?) and I've always seen it run quite smoothly ... And I don't feel the need to game so yeah ... Contra-indications? Anyone?"
I helped a doctor get and set up a MacBook for an online Masters in Clinical Pharmacology recently. It was a real pig to get running and the university IT department were very unhelpful about it because it is a Mac. Linux or other systems would be even worse. So, unless you are willing to become your own expert, you will need to keep up with a Microsoft machine to interact with the powers that be. Sorry.
Sensei Posted March 9, 2017 (edited)
Quoting StringJunky: "I thought he meant MS OneDrive, the cloud-based solution."
I am confused.. Sending data to a cloud drive is equal to releasing this data to everybody, starting from the CIA, NSA, KGB, FSB etc. Can somebody who cares about his/her privacy do anything more stupid?
Quoting StringJunky: "I meant external... there wants to be an air gap, except when backing up."
Or simply CD/DVD. They're write only. Once written, data is there for a long time, and cannot be overwritten/changed.
Manticore Posted March 15, 2017
Quoting studiot: "Linux or other systems would be even worse."
Most of the end users I know use Mint Linux precisely because it is amazingly simple to set up and use. The pros all seem to use openSUSE - almost as easy to set up but mind-buggeringly powerful (especially if you want to run your network as a supercomputer when all the users have gone home).