Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Mbam found "Chin.Ad"


  • Please log in to reply
13 replies to this topic

#1 Gorbulan

Gorbulan

  • Members
  • 832 posts
  • OFFLINE
  •  
  • Local time:10:33 AM

Posted 10 November 2015 - 07:05 PM

Malwarebytes premium ran at boot and found adware known as Chin.Ad. I can't think of any installer I have run recently that would include adware, but hey, you can't even trust java installers anymore. I scanned with Adwcleaner and Panda AV (free version) and they found nothing. I can run Malwarebytes and get rid of the adware, but where did it come from? My operating system is Windows 7 Pro 64 bit.

 



BC AdBot (Login to Remove)

 


#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:33 PM

Posted 10 November 2015 - 07:26 PM

Hi Gorbulan :)

Is it possible for you to post the latest Malwarebytes scan log, where it got rid of that Chin.Ad detection? It's really hard to say where these come from since there's as many possibilities as there's websites on the whole Internet.

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Gorbulan

Gorbulan
  • Topic Starter

  • Members
  • 832 posts
  • OFFLINE
  •  
  • Local time:10:33 AM

Posted 10 November 2015 - 07:50 PM

Oh yeah I forgot to do that.

 

 

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 11/10/2015
Scan Time: 3:23 PM
Logfile: mbam_adware.txt
Administrator: Yes
 
Version: 2.2.0.1024
Malware Database: v2015.11.10.08
Rootkit Database: v2015.11.04.02
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: gio
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 390625
Time Elapsed: 18 min, 44 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 3
PUP.Optional.ChinAd, C:\Users\Public\Documents\Baidu, , [560aaece7e0d1521073fdea32fd36898], 
PUP.Optional.ChinAd, C:\Users\Public\Documents\Baidu\Common, , [560aaece7e0d1521073fdea32fd36898], 
PUP.Optional.ChinAd, C:\Users\Public\Documents\Baidu\Common\I18N, , [560aaece7e0d1521073fdea32fd36898], 
 
Files: 1
PUP.Optional.ChinAd, C:\Users\Public\Documents\Baidu\Common\I18N\conf.db, , [560aaece7e0d1521073fdea32fd36898], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)


#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:33 PM

Posted 10 November 2015 - 07:54 PM

Alright, follow the instructions below please.

3Al62Pm.pngMiniToolBox
  • Download MiniToolBox and move the executable file to your Desktop;
  • Right-click on MiniToolBox.exe and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Check the following options:
    • Flush DNS;
    • Report IE Proxy Settings;
    • Reset IE Proxy Settings;
    • Report FF Proxy Settings;
    • Reset FF Proxy Settings;
    • List content of Hosts;
    • List IP Configuration;
    • List Last 10 Event Viewer Errors;
    • List Installed Programs;
    • List Devices - Only Problems;
    • List Users, Partitions and Memory size;
      B8oLpa3.png
  • Once this is done, click on Go and wait for the scan to complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 Gorbulan

Gorbulan
  • Topic Starter

  • Members
  • 832 posts
  • OFFLINE
  •  
  • Local time:10:33 AM

Posted 10 November 2015 - 10:25 PM

MiniToolBox by Farbar  Version: 02-11-2015
Ran by gio (administrator) on 10-11-2015 at 19:21:58
Running from "C:\Users\gio\Downloads"
Microsoft Windows 7 Professional  Service Pack 1 (X64)
Model: All Series Manufacturer: ASUS
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
 
========================= FF Proxy Settings: ============================== 
 
 
"Reset FF Proxy Settings": Firefox Proxy settings were reset.
 
========================= Hosts content: =================================
========================= IP Configuration: ================================
 
Intel® Ethernet Connection I217-V = Local Area Connection (Connected)
 
 
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
 
reset
set global icmpredirects=enabled
 
 
popd
# End of IPv4 configuration
 
 
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : Gio-Desktop
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Intel® Ethernet Connection I217-V
   Physical Address. . . . . . . . . : 74-D0-2B-2C-AE-58
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::b031:48aa:e5e9:b17d%11(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.0.102(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, November 10, 2015 7:19:35 PM
   Lease Expires . . . . . . . . . . : Tuesday, November 10, 2015 9:19:34 PM
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 242536491
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-43-80-07-74-D0-2B-2C-AE-58
   DNS Servers . . . . . . . . . . . : 192.168.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Tunnel adapter isatap.{41BBFF3D-FBFF-4C10-90D3-BABA98AC93BC}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
1.0.168.192.in-addr.arpa
primary name server = localhost
responsible mail addr = nobody.invalid
serial  = 1
refresh = 600 (10 mins)
retry   = 1200 (20 mins)
expire  = 604800 (7 days)
default TTL = 10800 (3 hours)
Server:  UnKnown
Address:  192.168.0.1
 
Name:    google.com
Addresses:  2607:f8b0:4007:802::1005
 216.58.216.14
 
 
Pinging google.com [216.58.216.14] with 32 bytes of data:
Reply from 216.58.216.14: bytes=32 time=15ms TTL=53
Reply from 216.58.216.14: bytes=32 time=13ms TTL=53
 
Ping statistics for 216.58.216.14:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 13ms, Maximum = 15ms, Average = 14ms
1.0.168.192.in-addr.arpa
primary name server = localhost
responsible mail addr = nobody.invalid
serial  = 1
refresh = 600 (10 mins)
retry   = 1200 (20 mins)
expire  = 604800 (7 days)
default TTL = 10800 (3 hours)
Server:  UnKnown
Address:  192.168.0.1
 
Name:    yahoo.com
Addresses:  2001:4998:44:204::a7
 2001:4998:c:a06::2:4008
 2001:4998:58:c02::a9
 98.139.183.24
 206.190.36.45
 98.138.253.109
 
 
Pinging yahoo.com [98.138.253.109] with 32 bytes of data:
Reply from 98.138.253.109: bytes=32 time=52ms TTL=44
Reply from 98.138.253.109: bytes=32 time=53ms TTL=44
 
Ping statistics for 98.138.253.109:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 52ms, Maximum = 53ms, Average = 52ms
 
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 11...74 d0 2b 2c ae 58 ......Intel® Ethernet Connection I217-V
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
 
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.102     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link     192.168.0.102    266
    192.168.0.102  255.255.255.255         On-link     192.168.0.102    266
    192.168.0.255  255.255.255.255         On-link     192.168.0.102    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.0.102    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.0.102    266
===========================================================================
Persistent Routes:
  None
 
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 11    266 fe80::/64                On-link
 11    266 fe80::b031:48aa:e5e9:b17d/128
                                    On-link
  1    306 ff00::/8                 On-link
 11    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (11/10/2015 07:20:36 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (11/10/2015 06:55:30 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (11/10/2015 03:23:08 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (11/09/2015 10:20:33 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 9999
 
Error: (11/09/2015 10:20:33 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 9999
 
Error: (11/09/2015 10:20:33 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (11/09/2015 10:20:28 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 4992
 
Error: (11/09/2015 10:20:28 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 4992
 
Error: (11/09/2015 10:20:28 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (11/09/2015 03:25:27 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
 
System errors:
=============
Error: (11/10/2015 07:20:11 PM) (Source: Service Control Manager) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error: 
%%5
 
Error: (11/10/2015 06:55:22 PM) (Source: Service Control Manager) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error: 
%%5
 
Error: (11/10/2015 03:22:55 PM) (Source: Service Control Manager) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error: 
%%5
 
Error: (11/09/2015 03:25:19 PM) (Source: Service Control Manager) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error: 
%%5
 
Error: (11/09/2015 07:57:09 AM) (Source: Service Control Manager) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error: 
%%5
 
Error: (11/08/2015 01:10:31 PM) (Source: Service Control Manager) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error: 
%%5
 
Error: (11/08/2015 08:47:34 AM) (Source: NetBT) (User: )
Description: The name "WORKGROUP      :1d" could not be registered on the interface with IP address 192.168.0.102.
The computer with the IP address 192.168.0.104 did not allow the name to be claimed by
this computer.
 
Error: (11/08/2015 08:47:19 AM) (Source: Service Control Manager) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error: 
%%5
 
Error: (11/08/2015 07:20:14 AM) (Source: Service Control Manager) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error: 
%%5
 
Error: (11/07/2015 08:56:48 PM) (Source: Service Control Manager) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error: 
%%5
 
 
Microsoft Office Sessions:
=========================
Error: (11/10/2015 07:20:36 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (11/10/2015 06:55:30 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (11/10/2015 03:23:08 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (11/09/2015 10:20:33 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 9999
 
Error: (11/09/2015 10:20:33 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 9999
 
Error: (11/09/2015 10:20:33 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (11/09/2015 10:20:28 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 4992
 
Error: (11/09/2015 10:20:28 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 4992
 
Error: (11/09/2015 10:20:28 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (11/09/2015 03:25:27 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
 
=========================== Installed Programs ============================
 
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 19.0.0.213 - Adobe Systems Incorporated)
Adobe Flash Player 18 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 18.0.0.194 - Adobe Systems Incorporated)
Adobe Help Manager (HKLM-x32\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 4.0.244 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.2 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.2.0.162 - Adobe Systems, Inc.)
Alien Swarm (HKLM-x32\...\Steam App 630) (Version:  - Valve)
AlternateMceIrService (HKLM\...\{5ED7F8F0-8796-11DE-8A39-0800200C9A66}) (Version: 1.0.0.0 - Satori-Project)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Asmedia ASM106x SATA Host Controller Driver (HKLM-x32\...\{61942EF5-2CD8-47D4-869C-2E9A8BB085F1}) (Version: 1.3.4.001 - Asmedia Technology)
AviSynth 2.6 (HKLM-x32\...\AviSynth) (Version: 2.6.0.5 - GPL Public release.)
Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
Besiege (HKLM-x32\...\Steam App 346010) (Version:  - Spiderling Studios)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Broforce (HKLM-x32\...\Steam App 274190) (Version:  - Free Lives)
Command & Conquer™ Red Alert 2 and Yuri’s Revenge (HKLM-x32\...\{F5275D1C-D133-486D-8F07-D6C571F0A8EC}) (Version: 1.0.0.0 - Electronic Arts, Inc.)
CPUID CPU-Z 1.70 (HKLM\...\CPUID CPU-Z_is1) (Version:  - )
CPUID HWMonitor 1.25 (HKLM\...\CPUID HWMonitor_is1) (Version:  - )
Delver (HKLM-x32\...\Steam App 249630) (Version:  - Priority Interrupt)
Deus Ex (HKLM-x32\...\Deus Ex) (Version:  - )
Diablo III (HKLM-x32\...\Diablo III) (Version:  - Blizzard Entertainment)
Diablo III Public Test (HKLM-x32\...\Diablo III Public Test) (Version:  - Blizzard Entertainment)
Drax (HKLM-x32\...\{86BCB839-18FE-4A1E-B24B-7884ACFBF701}) (Version: 1.6.5 - Drax)
Dropbox (HKCU\...\Dropbox) (Version: 3.10.11 - Dropbox, Inc.)
Euro Truck Simulator 2 (HKLM-x32\...\Steam App 227300) (Version:  - SCS Software)
EventGhost 0.4.1.r1687 (HKLM-x32\...\EventGhost_is1) (Version: 0.4.1.r1687 - EventGhost Project)
FileMenu Tools (HKLM\...\FileMenu Tools_is1) (Version: 6.7.1 - LopeSoft)
FTL: Faster Than Light (HKLM-x32\...\Steam App 212680) (Version:  - Subset Games)
GameMaker-Studio 1.2 (HKCU\...\GameMaker-Studio12) (Version:  - YoYo Games Ltd.)
Gone Home (HKLM-x32\...\Steam App 232430) (Version:  - The Fullbright Company)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 46.0.2490.80 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.28.15 - Google Inc.) Hidden
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden
Half-Life 2 (HKLM-x32\...\Steam App 220) (Version:  - Valve)
Half-Life 2: Episode One (HKLM-x32\...\Steam App 380) (Version:  - Valve)
Half-Life 2: Episode Two (HKLM-x32\...\Steam App 420) (Version:  - Valve)
headus UVLayout v2 Professional (HKLM-x32\...\{A1086DA0-903E-4DEA-A83F-6317923CC63D}) (Version: 2.06.03 - headus)
Heavy Weapon Deluxe (HKLM-x32\...\Steam App 3410) (Version:  - PopCap Games, Inc.)
Heroes of the Storm (HKLM-x32\...\Heroes of the Storm) (Version:  - Blizzard Entertainment)
Hybrid (remove only) (HKLM-x32\...\Hybrid) (Version: 2015.5.10.1 - Selur´s Hybrid)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.5.14.1724 - Intel Corporation)
Intel® Network Connections 18.5.54.0 (HKLM\...\PROSetDX) (Version: 18.5.54.0 - Intel)
Intel® USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 2.5.0.19 - Intel Corporation)
iRotate (HKLM-x32\...\iRotate) (Version:  - )
ISO to USB (HKLM-x32\...\{D08A30AC-A663-4EA8-8D81-B98E17F19F1C}_is1) (Version:  - isotousb.com)
Java 8 Update 60 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418060F0}) (Version: 8.0.600.27 - Oracle Corporation)
Java 8 Update 60 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218060F0}) (Version: 8.0.600.27 - Oracle Corporation)
KeyTweak - Keyboard Remapper (remove only) (HKLM-x32\...\KeyTweak) (Version:  - )
Launchy 2.5 (HKLM-x32\...\Launchy_21344213_is1) (Version:  - Code Jelly)
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Mayflash WIIMote PC Adapter (HKLM-x32\...\{1DD370B2-DA27-4CDE-AB4F-AE48D4D6242A}) (Version: 3.85 - My Company Name)
MDF to ISO version 1.0 (HKLM-x32\...\{79DDA36F-B19E-4293-A4F2-FA3EC1C06E6E}_is1) (Version: 1.0 - mdftoiso.com)
mental ray renderer for Autodesk Maya 2014 (HKLM\...\{AD061F19-1A27-4415-A8FE-A2FDF1E8BACB}) (Version: 13.0.1.0 - mental ray)
Microsoft .NET Framework 4.6 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.00081 - Microsoft Corporation)
Microsoft Office Professional Edition 2003 (HKLM-x32\...\{90110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.7969.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40728.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (HKLM\...\{350AA351-21FA-3270-8B7A-835434E766AD}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 3.1 (HKLM-x32\...\{19BFDA5D-1FE2-4F25-97F9-1A79DD04EE20}) (Version: 3.1.10527.0 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 4.0 (HKLM-x32\...\{2BFC7AA0-544C-4E3A-8796-67F3BE655BE9}) (Version: 4.0.20823.0 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 4.0 Refresh (HKLM-x32\...\{D69C8EDE-BBC5-436B-8E0E-C5A6D311CF4F}) (Version: 4.0.30901.0 - Microsoft Corporation)
MKVToolNix 7.1.0 (64bit) (HKLM-x32\...\MKVToolNix) (Version: 7.1.0 - Moritz Bunkus)
Mozilla Firefox 39.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 39.0 (x86 en-US)) (Version: 39.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 39.0 - Mozilla)
Nexus 14.11 (HKLM-x32\...\Winstep Xtreme_is1) (Version:  - )
Nostromo (HKLM-x32\...\{548C7B77-8B04-427E-ACD0-D0E6E6E59BCF}) (Version: 3.2.4 - Belkin International)
NVIDIA 3D Vision Controller Driver 347.09 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 347.09 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 347.88 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 347.88 - NVIDIA Corporation)
NVIDIA Graphics Driver 347.88 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 347.88 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.33.0 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.33.0 - NVIDIA Corporation)
NVIDIA PhysX (HKLM-x32\...\{B455E95A-B804-439F-B533-336B1635AE97}) (Version: 9.14.0702 - NVIDIA Corporation)
One Way Heroics (HKLM-x32\...\Steam App 266210) (Version:  - Smoking WOLF)
OpenAL (HKLM-x32\...\OpenAL) (Version:  - )
Origin (HKLM-x32\...\Origin) (Version: 9.5.5.2850 - Electronic Arts, Inc.)
Panda Devices Agent (HKLM-x32\...\{949F1EA1-D3E2-472E-BC7C-CB72374C0E55}) (Version: 1.05.00 - Panda Security) Hidden
Panda Devices Agent (HKLM-x32\...\Panda Devices Agent) (Version: 1.03.04 - Panda Security)
Panda Free Antivirus (HKLM\...\{3EFFD82C-5F18-4494-A4B8-FBB045DA68A3}) (Version: 7.82.00.0000 - Panda Security) Hidden
Panda Free Antivirus (HKLM-x32\...\Panda Universal Agent Endpoint) (Version: 15.1.0 - Panda Security)
Pandora (HKLM-x32\...\{CAC6BC93-D73B-327E-AB0C-791E74A24111}) (Version: 2.0.9 - PANDORA MEDIA, INC.) Hidden
Pandora (HKLM-x32\...\com.pandora.desktop.E7C14276FFE9EEF0BC7DCE654C467D9A299EFD21.1) (Version: 2.0.9 - PANDORA MEDIA, INC.)
Papers, Please (HKLM-x32\...\Steam App 239030) (Version:  - 3909)
PCSX2 - Playstation 2 Emulator (HKLM-x32\...\pcsx2-r5875) (Version:  - )
PDF Settings CS6 (HKLM-x32\...\{BFEAAE77-BD7F-4534-B286-9C5CB4697EB1}) (Version: 11.0 - Adobe Systems Incorporated) Hidden
Project64 1.6 (HKLM-x32\...\{9559F7CA-5E34-4237-A2D9-D856464AD727}) (Version: 1.6 - Project64)
QNAP Qfinder (HKLM-x32\...\QNAP_FINDER) (Version: 4.2.3.1031 - QNAP Systems, Inc.)
QNAP Qsync Client (HKLM-x32\...\Qsync) (Version: 2.0.1.0807 - QNAP Systems, Inc.)
Quake (HKLM-x32\...\Steam App 2310) (Version:  - id Software)
Quake III Arena (HKLM-x32\...\Steam App 2200) (Version:  - id Software)
QuickTime (HKLM-x32\...\{7BE15435-2D3E-4B58-867F-9C75BED0208C}) (Version: 7.71.80.42 - Apple Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7023 - Realtek Semiconductor Corp.)
Relic Hunters Zero (HKLM-x32\...\Steam App 382490) (Version:  - Rogue Snail)
ReNamer (HKLM-x32\...\ReNamer_is1) (Version: 5.60 - Denis Kozlov)
Rise of Nations: Extended Edition (HKLM-x32\...\Steam App 287450) (Version:  - SkyBox Labs)
Rocket League (HKLM-x32\...\Steam App 252950) (Version:  - Psyonix)
Rogue Legacy (HKLM-x32\...\Steam App 241600) (Version:  - Cellar Door Games)
Roundabout (HKLM-x32\...\Steam App 303430) (Version:  - No Goblin)
Safari (HKLM-x32\...\{C779648B-410E-4BBA-B75B-5815BCEFE71D}) (Version: 5.34.57.2 - Apple Inc.)
Sculptris Alpha 6 (HKLM-x32\...\{D2883AB6-09B4-4981-AAF8-E695411EEC9A}) (Version: 0.6 - Pixologic) Hidden
Sculptris Alpha 6 (HKLM-x32\...\InstallShield_{D2883AB6-09B4-4981-AAF8-E695411EEC9A}) (Version: 0.6 - Pixologic)
Shovel Knight (HKLM-x32\...\Steam App 250760) (Version:  - Yacht Club Games)
SimCity™ (HKLM-x32\...\{F70FDE4B-8F86-4eb6-8C8E-636EC89F6419}) (Version: 4.0.86.0859 - Electronic Arts)
Steam (HKLM-x32\...\{048298C9-A4D3-490B-9FF9-AB023A9238F3}) (Version: 1.0.0.0 - Valve Corporation)
swMSM (HKLM-x32\...\{612C34C7-5E90-47D8-9B5C-0F717DD82726}) (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Syndicate (HKLM-x32\...\{64CFBAAB-46F7-4628-8D9B-E656A8C11CDB}) (Version: 2.0.0.3 - Electronic Arts)
Theme Hospital (HKLM-x32\...\{5118A4C2-C8A4-4CE5-AC37-F3E51C25402F}) (Version: 3.0.0.2 - Electronic Arts)
Ultima 8 (HKLM-x32\...\{428C6B01-D292-46F9-9321-75668ED17DA2}) (Version: 1.0.0.1 - Electronic Arts)
Uplay (HKLM-x32\...\Uplay) (Version: 2.1 - Ubisoft)
VC_CRT_x64 (HKLM\...\{54F2237F-018C-483B-8884-9FC0D88840C3}) (Version: 1.02.0000 - Intel Corporation) Hidden
VLC media player 1.1.11 (HKLM-x32\...\VLC media player) (Version: 1.1.11 - VideoLAN)
Wacom Tablet (HKLM\...\Wacom Tablet Driver) (Version: 6.3.6w3 - Wacom Technology Corp.)
WebTablet FB Plugin 32 bit (HKLM-x32\...\Wacom WebTabletPlugin for Internet Explorer and Netscape) (Version: 2.1.0.3 - Wacom Technology Corp.)
WebTablet FB Plugin 64 bit (HKLM\...\Wacom WebTabletPlugin for Internet Explorer and Netscape) (Version: 2.1.0.3 - Wacom Technology Corp.)
WestwoodOnline (HKLM-x32\...\{BBCD6D56-8A26-4DDE-9482-DBC9C7B7341D}) (Version: 1.0.0.0 - WestwoodOnline)
WinCDEmu (HKLM-x32\...\WinCDEmu) (Version: 3.6 - Bazis)
Windows 7 USB/DVD Download Tool (HKLM-x32\...\{CCF298AF-9CE1-4B26-B251-486E98A34789}) (Version: 1.0.30 - Microsoft Corporation)
WinRAR 4.01 (64-bit) (HKLM\...\WinRAR archiver) (Version: 4.01.0 - win.rar GmbH)
XBMC (HKCU\...\XBMC) (Version:  - Team XBMC)
ZBrush 4R7 (HKLM-x32\...\ZBrush 4R7 4R7) (Version: 4R7 - Pixologic)
Zumas Revenge (HKLM-x32\...\{0B153CAB-792B-4CA2-B2A5-AB0BBAF2FFA9}) (Version: 1.0.5.600 - PopCap Games)
 
========================= Devices: ================================
 
 
========================= Memory info: ===================================
 
Percentage of memory in use: 17%
Total physical RAM: 16322.53 MB
Available physical RAM: 13498.36 MB
Total Virtual: 32643.26 MB
Available Virtual: 29548.27 MB
 
========================= Partitions: =====================================
 
1 Drive c: () (Fixed) (Total:465.66 GB) (Free:296.94 GB) NTFS
3 Drive e: () (Fixed) (Total:372.61 GB) (Free:248.22 GB) NTFS
4 Drive f: (1TBGREEN) (Fixed) (Total:931.51 GB) (Free:87.87 GB) NTFS
 
========================= Users: ========================================
 
User accounts for \\GIO-DESKTOP
 
Administrator            gio                      Guest                    
 
 
**** End of log ****


#6 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:33 PM

Posted 10 November 2015 - 10:26 PM

I don't see any software by Baidu on your computer. Did you install any software from Chinese companies lately? Like Qihoo 360, Baidu, Tencent, etc.?

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#7 Gorbulan

Gorbulan
  • Topic Starter

  • Members
  • 832 posts
  • OFFLINE
  •  
  • Local time:10:33 AM

Posted 10 November 2015 - 10:48 PM

Nope.



#8 Gorbulan

Gorbulan
  • Topic Starter

  • Members
  • 832 posts
  • OFFLINE
  •  
  • Local time:10:33 AM

Posted 10 November 2015 - 10:53 PM

Here is the software I installed in the past few weeks.

 

ePSXe

PakkISO

ecm tools

yabause

pcsx2



#9 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:33 PM

Posted 11 November 2015 - 06:22 AM

I can install them today in a VM and see if they bundle anything related to Baidu. Other than that, to know exactly where it comes from, I guess it's just impossible to know.

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#10 Gorbulan

Gorbulan
  • Topic Starter

  • Members
  • 832 posts
  • OFFLINE
  •  
  • Local time:10:33 AM

Posted 11 November 2015 - 10:38 AM

Okay, try it out. Let's see what happens.



#11 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:33 PM

Posted 11 November 2015 - 10:43 AM

Well I was only able to install yabause on my VM at work, since I cannot access the other websites because they are blocked in the proxy ("Games" category). I'll install the rest tonight when I get home, but the yabause installer wasn't bundled.

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#12 Gorbulan

Gorbulan
  • Topic Starter

  • Members
  • 832 posts
  • OFFLINE
  •  
  • Local time:10:33 AM

Posted 11 November 2015 - 10:48 AM

Thanks for all of your help Aura! :)



#13 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:33 PM

Posted 11 November 2015 - 09:46 PM

Alright so I downloaded and installed all of the programs you listed in my VM, and Baidu wasn't dropped or anything. It's hard to say what happened when we don't know when the files/folders were created as well, otherwise we could have associated it with an event.

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#14 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:33 PM

Posted 12 November 2015 - 10:28 AM

I found these threads (really recent, from yesterday and today) on Malwarebytes Forums. I'll monitor them since I find it suspicious that three people at once starts thread about ChinAd, when it might not have been that spread before.

https://forums.malwarebytes.org/index.php?/topic/175017-pupoptionalchinad-virus/
https://forums.malwarebytes.org/index.php?/topic/174979-pupoptionalchinad-keeps-coming-back/

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users