C:\Program Files\gssoft\gswb\2.8.1.0113 Keep Install

[TokeiLampin]

Nop...still install and that dos also popup

[TokeiLampin]

And this

[essexboy]

OK did that return today straight after the OTL fix or was it a time later ?

Run a fresh OTL please

[TokeiLampin]

Later aroud 3 -4 hours i thing ...if that i need put script or just run

[essexboy]

No need for the script just ensure all users is selected and there is a tick in lop and purity

[TokeiLampin]

Ops just run it with script and click run scan...i will post new after this like you said

[TokeiLampin]

Ok this one with no script like picture below

[essexboy]

OK prior to this re-installing what were you doing ?  Were you visiting a specific website ?

I would like you to set Avast hardened mode to aggressive to see if we can catch the dropper in action



Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

Code: [Select]

:Commands
[CREATERESTOREPOINT]

:OTL
SRV - [2013/12/23 09:57:14 | 001,336,768 | ---- | M] (www.guangsu.cn) [Auto | Stopped] -- C:\Program Files\gssoft\gswb\2.8.1.0113\Config.exe -- (GuangSuServer)
O4 - HKU\S-1-5-21-1801674531-682003330-839522115-1003..\Run: [Google+ Auto Backup] "C:\Program Files\Google\Google+ Auto Backup\Google+ Auto Backup.exe" /autostart File not found
O4 - HKLM..\RunOnce: [GSMutualRunOne] C:\Program Files\gssoft\gswb\2.8.1.0113\Mutual.exe (www.guangsu.cn)
[2014/01/28 22:33:48 | 001,430,976 | ---- | C] (www.guangsu.cn) -- C:\WINDOWS\System32\gswb.ime
[2014/01/28 22:33:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Seven By Four\Application Data\gssoft
[2014/01/28 22:33:45 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\gssoft
[2014/01/28 22:33:15 | 000,000,000 | ---D | C] -- C:\Program Files\gssoft
[2014/01/28 22:33:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Seven By Four\Application Data\gssoft
[2014/01/28 22:33:48 | 000,000,000 | ---D | C](C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\????) -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\????

:Commands
[resethosts]
[emptytemp]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[TokeiLampin]

Ok already set that ...and i thing already delete that popup registry using this method found on internet

Folder Delete:
C: \ ProgramFiles \ Common Files \ JHKCSign (difficult to remove, first directory dll file restart after a change of name to delete.)
Delete the registry:
Delete: HKEY_CLASSES_ROOT \ CLSID \ {13F2CBB7-8754-4dc2-98E4-BF42423EF9A3}
Delete: HKEY_CLASSES_ROOT \ ConMenu.ConMenu
Delete: HKEY_CLASSES_ROOT \ Interface \ {28BAA3FB-E763-4CD8-8EDB-0AE875079802}
Delete: HKEY_CLASSES_ROOT \ TypeLib \ {88D5328E-895E-4391-A3F9-DF15EC9F343B}
Delete: HKEY_LOCAL_MACHINE \ SOFTWARE \ JHKCSign
Delete: HKEY_LOCAL_MACHINE \ SOFTWARE \ JHKCSign-SETUP
Delete: HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ ShellIconOverlayIdentifiers \ __ JHKCSign
Delete: HKEY_LOCAL_MACHINE \ SOFTWARE \ uusee_config

and found about that stupid gssoft from this link

http://www.threatexpert.com/report.aspx?md5=63404e559fbc7fca3f555db3715fff6b

[TokeiLampin]

Here

[TokeiLampin]

So far only this popup out

[essexboy]

I believe that warning is to do with your weatherbug programme.  You may need to uninstall and then reinstall it

Is it still staying gone ?

[TokeiLampin]

Any suggest how to make that weatherbug ..

Still Got

[essexboy]

Please download AdwCleaner by Xplode onto your desktop.

• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
  
• Click on Scan.
  
• After the scan is complete click on "Clean"
• Confirm each time with Ok.
  
• Your computer will be rebooted automatically. A text file will open after the restart.
• Please post the content of that logfile with your next answer.
• You can find the logfile at C:\AdwCleaner[S1].txt as well.
  

[TokeiLampin]

Your log sir