
I think I am infected by some chinese malware


  • This topic is locked
8 replies to this topic

#1 subsupsre

subsupsre

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:03 PM

Posted 24 June 2015 - 09:05 AM

My computer suddenly got corrupted with Chinese malware (!) which is shown in the icon tray and on the desktop. I could not remove it by running the AVAST antivirus software. I am attaching the log file for help.

Attached Files




#2 subsupsre

subsupsre
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:03 PM

Posted 25 June 2015 - 01:30 PM

I have done a further scan with Spybot. After fixing the issues with Spybot, I am attaching the log files again.

Attached Files



#3 shelf life

shelf life

  • Malware Response Team
  • 2,645 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:03:33 AM

Posted 27 June 2015 - 01:22 PM

hi,

 

If you still need help you can try this.

 

I don't see it listed in the Add/Remove Programs panel. If you look in Start > All Programs and click on a Baidu folder, do you see an uninstall option listed? Or you can navigate to each of these and check the Baidu folder for an uninstaller.

 

C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe
(百度在线网络技术(北京)有限公司) C:\Program Files (x86)\Baidu\BaiduSd\3.0.0.4605\BaiduSdSvc.exe

 

You might also download and try the free version of Revo and see if an uninstaller shows up there.

http://www.revouninstaller.com/revo_uninstaller_free_download.html

 

See if one of those works. I am only on the site once or twice per day, so you may not get a reply from me until the following day.


How Can I Reduce My Risk to Malware?


#4 subsupsre

subsupsre
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:03 PM

Posted 28 June 2015 - 02:50 AM

Thanks for your help. In between, I tried to restore Windows 7 to some earlier dates. It seems I could restore it to before that 'Baidu' infection. Anyway, I am attaching the logs again. Do you think I have some malware still present in my computer?

Attached Files


Edited by subsupsre, 28 June 2015 - 02:51 AM.


#5 shelf life

shelf life

  • Malware Response Team
  • 2,645 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:03:33 AM

Posted 28 June 2015 - 10:17 AM

Logs look OK as far as malware goes. We can use FRST to remove some leftovers.

 

Copy/paste what's between the two lines below into Notepad. Save it as fixlist.txt in the same location that you have FRST (your desktop).

 

Start FRST like you did before, except this time click on the Fix button once. The machine may reboot to finish the process. When done you will find a fixlist.txt on your desktop.

Please copy/paste the fixlist.txt in your reply.

 

--------------------------------------------------------------

 

HKLM-x32\...\Run: [] => [X]

Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]

HKU\S-1-5-21-2393000477-3706113067-1561786205-1000\...\Run: [ISM] => [X]

HKU\S-1-5-21-2393000477-3706113067-1561786205-1000\...\Run: [] => [X]

AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll => C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll File not found
AppInit_DLLs-x32: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC32Loader.dll => "C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC32Loader.dll" File not found

SearchScopes: HKU\S-1-5-21-2393000477-3706113067-1561786205-1000 -> {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = https://in.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2393000477-3706113067-1561786205-1000 -> {D88EEA48-88E0-407E-99F0-EE5B5FBC5CF0} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3289075&CUI=UN21158805082834976&UM=1
BHO: No Name -> {4F524A2D-5637-4300-76A7-7A786E7484D7} ->  No File

BHO-x32: No Name -> {1b0cf41e-334a-4984-a8a0-aa5affeb5482} ->  No File

SearchScopes: HKU\S-1-5-21-2393000477-3706113067-1561786205-1000 -> {8BF42771-2383-401D-BEBB-E15BB925F1E3} URL = http://www.search.ask.com/web?tpid=ORJ-V7C&o=APN11406&pf=V7&p2=%5EBBE%5EOSJ000%5EYY%5EIN&gct=&itbv=12.7.0.15&apn_uid=6AFB792B-0B97-486F-9B3E-A2D55EBA980D&apn_ptnrs=BBE&apn_dtid=%5EOSJ000%5EYY%5EIN&apn_dbr=ie_10.0.9200.16635&doi=2014-01-22&trgb=IE&q={searchTerms}&psv=

BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll No File

Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {4F524A2D-5637-4300-76A7-7A786E7484D7} -  No File
Toolbar: HKLM - No Name - {ccb24e92-62c4-4c53-95d2-65f9eed476bc} -  No File

Toolbar: HKLM-x32 - No Name - {4F524A2D-5637-4300-76A7-7A786E7484D7} -  No File

Toolbar: HKLM-x32 - No Name - {ccb24e92-62c4-4c53-95d2-65f9eed476bc} -  No File

S2 SearchDonkey; "C:\ProgramData\SearchDonkey\SearchDonkeyService.exe" "C:\ProgramData\SearchDonkey\SearchDonkey.exe"

Task: {C20775EB-A095-4308-BD83-A5BE847298B1} - System32\Tasks\FileAssociationManagerUpdater => C:\Program Files (x86)\FileAssociationManager\Updater.exe

AlternateDataStreams: C:\ProgramData\Microsoft:4YigVGcYzE5eLo0KRsviO81
AlternateDataStreams: C:\ProgramData\Microsoft:8mUwB8CfdB9AZ7u9XikMZSdYH
AlternateDataStreams: C:\Users\USER\Local Settings:nrvnFS6qyhdE5DIb1MOrYdlSwZLm
AlternateDataStreams: C:\Users\USER\AppData\Local:nrvnFS6qyhdE5DIb1MOrYdlSwZLm
AlternateDataStreams: C:\Users\USER\AppData\Local\Application Data:nrvnFS6qyhdE5DIb1MOrYdlSwZLm
AlternateDataStreams: C:\Users\USER\AppData\Local\Temp:ySY00dWYwXYuSlDyTL
S2 Update ResultsBay; "C:\Program Files (x86)\ResultsBay\updateResultsBay.exe" [X]
S2 Util ResultsBay; "C:\Program Files (x86)\ResultsBay\bin\utilResultsBay.exe" [X]

U3 a7pzuhbn; C:\Windows\System32\Drivers\a7pzuhbn.sys [0 ] (Advanced Micro Devices) <==== ATTENTION (zero byte File/Folder)
U3 a8a2fksx; C:\Windows\System32\Drivers\a8a2fksx.sys [0 ] (Advanced Micro Devices) <==== ATTENTION (zero byte File/Folder)
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
S3 SPPD; \??\C:\Windows\system32\drivers\SPPD.sys [X]

C:\Program Files (x86)\FileAssociationManager\Updater.exe

2015-06-22 22:50 - 2015-06-22 22:50 - 00000000 ____D C:\Program Files\Common Files\Tencent
2015-06-22 22:49 - 2015-06-28 11:04 - 00000000 ____D C:\Users\USER\AppData\Roaming\Tencent
2015-06-22 22:49 - 2015-06-28 11:03 - 00000000 ____D C:\ProgramData\Tencent
2015-06-22 22:49 - 2015-06-28 11:02 - 00000000 ____D C:\Program Files (x86)\Tencent

2015-06-22 22:37 - 2015-06-28 12:14 - 00000000 ____D C:\ProgramData\Baidu
2015-06-22 22:37 - 2015-06-23 10:27 - 00000000 ____D C:\Users\USER\AppData\Roaming\Baidu
2015-06-22 22:37 - 2015-06-22 22:37 - 00000000 ____D C:\Program Files (x86)\Baidu
2015-06-22 22:32 - 2015-06-28 12:14 - 00000000 ____D C:\ProgramData\Rising
2015-06-22 22:31 - 2015-06-28 11:02 - 00000000 ____D C:\Program Files (x86)\Rising

2015-06-22 22:47 - 2015-06-28 12:16 - 00000000 ____D C:\ProgramData\WindowsMangerProtect

2015-06-22 22:47 - 2015-06-28 12:15 - 00000000 ____D C:\Program Files (x86)\MiuiTab
2015-06-22 22:47 - 2015-06-22 22:47 - 00000000 ____D C:\ProgramData\IHProtectUpDate

2013-04-25 10:15 - 2013-02-10 03:25 - 0114176 _____ () C:\Users\USER\AppData\Roaming\BabMaint.exe
2015-01-07 21:49 - 2015-01-07 21:49 - 0000162 _____ () C:\Users\USER\AppData\Roaming\ICARE_ACTIVITY.LOG

2014-07-28 10:04 - 2014-07-28 10:06 - 0000000 _____ () C:\Users\USER\AppData\Local\{0D3170AB-8140-4D94-9289-67FF19CC1DCB}
2014-05-31 11:11 - 2014-05-31 11:11 - 0000000 _____ () C:\Users\USER\AppData\Local\{7A251976-060F-4CC3-8AB3-B2B7877C400B}
2014-07-22 12:00 - 2014-07-22 12:05 - 0000000 _____ () C:\Users\USER\AppData\Local\{7A718907-6398-49F4-BE5D-6090457EF3E4}
2014-08-03 09:57 - 2014-08-03 09:57 - 0000000 _____ () C:\Users\USER\AppData\Local\{F96E0058-7518-4A6F-8D20-43E6F5D4BB87}

2013-11-24 19:24 - 2013-11-24 19:24 - 0000057 _____ () C:\ProgramData\Ament.ini

Task: {C20775EB-A095-4308-BD83-A5BE847298B1} - System32\Tasks\FileAssociationManagerUpdater => C:\Program Files (x86)\FileAssociationManager\Updater.exe
EmptyTemp:

 

---------------------------------------------------------------------

 


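A fixlist triage helper, added here as an example and not code from the thread or from FRST: it parses lines in the format of the list above, classifies each persistence entry (registry Run values, AppInit_DLLs, BHOs, services and drivers, scheduled tasks, alternate data streams, file and directory entries) and flags the ones FRST marks as dangling ([X], No File, File not found, zero byte), which is what a responder reviews before removing leftovers. The sample lines are a constructed subset of the posted list, and the regexes assume the FRST line layouts shown there.

```python
import re
from collections import Counter
# Constructed sample in the format of the FRST fixlist posted above (a subset of its lines).
SAMPLE_FIXLIST = r"""
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-2393000477-3706113067-1561786205-1000\...\Run: [ISM] => [X]
AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll => C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll File not found
BHO: No Name -> {4F524A2D-5637-4300-76A7-7A786E7484D7} ->  No File
S2 SearchDonkey; "C:\ProgramData\SearchDonkey\SearchDonkeyService.exe" "C:\ProgramData\SearchDonkey\SearchDonkey.exe"
U3 a7pzuhbn; C:\Windows\System32\Drivers\a7pzuhbn.sys [0 ] (Advanced Micro Devices) <==== ATTENTION (zero byte File/Folder)
Task: {C20775EB-A095-4308-BD83-A5BE847298B1} - System32\Tasks\FileAssociationManagerUpdater => C:\Program Files (x86)\FileAssociationManager\Updater.exe
AlternateDataStreams: C:\ProgramData\Microsoft:4YigVGcYzE5eLo0KRsviO81
2015-06-22 22:37 - 2015-06-22 22:37 - 00000000 ____D C:\Program Files (x86)\Baidu
EmptyTemp:
"""

# Markers FRST appends when a registered target no longer exists on disk.
DANGLING = ("[X]", "No File", "File not found", "zero byte")
SERVICE_RE = re.compile(r"^([SRU]\d) ([^;]+); (.*)$")  # "S2 Name; path" service/driver lines
FILEDATE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - \d+ (\S+) (?:\(.*?\) )?(.*)$")

def classify(line):
    """Map one fixlist line to (kind, target, dangling); None for blanks and separators."""
    line = line.strip()
    if not line or line.startswith("-"):
        return None
    dangling = any(marker in line for marker in DANGLING)
    m = SERVICE_RE.match(line)
    if m:  # .sys targets are kernel drivers, anything else a user-mode service
        return ("driver" if ".sys" in m.group(3) else "service"), m.group(2), dangling
    m = FILEDATE_RE.match(line)
    if m:  # attribute string ends in D for directories
        return ("directory" if m.group(1).endswith("D") else "file"), m.group(2), dangling
    head, _, rest = line.partition(":")
    if "\\...\\Run" in head:  # registry Run value: the key itself is what gets removed
        return "autorun", head, dangling
    if " => " in rest:  # "source => resolved target": keep the resolved side
        rest = rest.split(" => ", 1)[1]
    if " -> " in rest:  # "name -> {CLSID} -> file": keep the CLSID
        rest = rest.split(" -> ")[1]
    for marker in DANGLING:
        rest = rest.replace(marker, "")
    return head.lower(), rest.strip() or None, dangling

def triage(text):
    """Parse a whole fixlist; return its entries and a count of dangling entries per kind."""
    entries = [e for e in (classify(l) for l in text.splitlines()) if e]
    return entries, Counter(kind for kind, _, dangling in entries if dangling)
```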


#6 subsupsre

subsupsre
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:03 PM

Posted 29 June 2015 - 09:54 AM

Thanks. Here is the log file after fixing.

Attached Files



#7 shelf life

shelf life

  • Malware Response Team
  • 2,645 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:03:33 AM

Posted 29 June 2015 - 05:09 PM

OK. Good. I think you're all set. You can delete the FRST icon and the txt files. There's also a FRST folder located at Local Disk C: which you can delete.

 

You can get one more download if you want. It's an antimalware app. There's a free version; it's called Malwarebytes. Below are directions. Don't worry about posting its log.

Just remember the free version must be updated manually and a scan started manually. It doesn't run in the background.

 

Please download Malwarebytes Anti-Malware 2.0.3.1025 Final to your desktop.

     http://data-cdn.mbamupdates.com/v2/mbam/consumer/data/mbam-setup-2.0.3.1025.exe
 

    Double-click mbam-setup-2.0.3.1025.exe and follow the prompts to install the program.
    At the end, be sure a checkmark is placed next to the following:
        Launch Malwarebytes Anti-Malware
        A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
    Click Finish.
    On the Settings tab > Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
    Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
    A Threat Scan will begin.
    With some infections, you may see this message box.
        'Could not load DDA driver'
    Click 'Yes' to this message, to allow the driver to load after a restart.
    Allow the computer to restart. Continue with the rest of these instructions.
    When the scan is complete, click Apply Actions.
    Wait for the prompt to restart the computer to appear, then click on Yes.
    After the restart once you are back at your desktop, open MBAM once more.
    Click on the History tab > Application Logs.
    Double click on the scan log which shows the Date and time of the scan just performed.
    Click 'Copy to Clipboard'
    Paste the contents of the clipboard into your reply.

 

So if all is good on your end, there are some general good practice tips in the link below. Happy Safe Surfing out there.


How Can I Reduce My Risk to Malware?


#8 subsupsre

subsupsre
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:03 PM

Posted 30 June 2015 - 12:12 PM

Thanks a lot for your help. My PC is now malware free.



#9 shelf life

shelf life

  • Malware Response Team
  • 2,645 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:03:33 AM

Posted 30 June 2015 - 04:51 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





