I have been getting the following malware popup since yesterday (popup 1 to 7 times):
hxxp://c.dsp.banma-inc.com/chk/b/wn?mid=2014051184&aid=400094&ptid=1&reqid=9233edd11eeb9fcd&price=VB22-QAAT2h7jEpgW5IA8gvujcA6PWT0jA6ZkA&ext_data=p__1___domain__tieba.baidu.com___baidu_user_id__null___site_category__408___page_vertical__607___page_type__0___detected_language__zh-TW___slot_visibility__2___adslot_type__0___oid__10055
URL:Mal
It usually happens when I am using IE. It pops up irregularly.
Log attached. aswMBR locked up the computer while scanning the file “apisetschema.dll”.
Let me know if this stops the alerts
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open notepad and copy/paste the text in the quotebox below into it:
SearchScopes: HKLM - DefaultScope value is missing.
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\creativecommons.xml
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that.
THEN
Please download AdwCleaner by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Scan.
After the scan is complete click on “Clean”.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.
There are two logs for AdwCleaner. I don’t know which one is correct, so I attached both.
Are you still getting the alerts?
It looks like the alerts have stopped. I haven’t got any alert for around 1 hour using IE.
Nope, there are more popups:
hxxp://c.dsp.banma-inc.com/chk/b/wn?mid=2014051184&aid=400094&ptid=1&reqid=3f3a978f1f39af0a&price=VB7fTAANYoR7jEpgW5IA8u5LkgqMhk2nIB8SGQ&ext_data=p__1___domain__tieba.baidu.com___baidu_user_id__null___site_category__408___page_vertical__607___page_type__0___detected_language__zh-TW___slot_visibility__2___adslot_type__0___oid__10055
URL:Mal
I am starting to think that this one is a false positive for one of the banner ads in hxxp://tieba.baidu.com, judging by the fact that every time this popup shows, I am in one of the Baidu forum threads.
For example, the above URL popped up when I was in hxxp://tieba.baidu.com/p/3306225778, and the first group of 7 popups when I was in hxxp://tieba.baidu.com/p/3172730216.
In that case it would suggest a poisoned banner within that website.
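The blocked URLs quoted in this thread carry the page that embedded the ad in their `ext_data` parameter. The following script is an added example, not something posted in the thread; it refangs the `hxxp://` URL, decodes the `key__value___key__value` format of `ext_data`, and reports the ad host next to the embedding page's domain, which is the evidence for the "poisoned banner on the visited site" reading. The URL below is a copy of the first one quoted in the thread.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed copy of the first defanged URL quoted in the thread.
SAMPLE_URL = (
    "hxxp://c.dsp.banma-inc.com/chk/b/wn?mid=2014051184&aid=400094&ptid=1"
    "&reqid=9233edd11eeb9fcd&price=VB22-QAAT2h7jEpgW5IA8gvujcA6PWT0jA6ZkA"
    "&ext_data=p__1___domain__tieba.baidu.com___baidu_user_id__null"
    "___site_category__408___page_vertical__607___page_type__0"
    "___detected_language__zh-TW___slot_visibility__2___adslot_type__0___oid__10055"
)


def refang(url):
    """Turn a defanged hxxp(s):// URL back into a parseable http(s):// one."""
    lowered = url.lower()
    if lowered.startswith("hxxps://"):
        return "https://" + url[8:]
    if lowered.startswith("hxxp://"):
        return "http://" + url[7:]
    return url


def parse_ext_data(blob):
    """ext_data is a list of 'key__value' pairs joined by '___' (three underscores).

    Keys may contain single underscores, so split on the pair separator first and
    then on the first double underscore inside each pair.
    """
    fields = {}
    for pair in blob.split("___"):
        key, sep, value = pair.partition("__")
        if sep:
            fields[key] = value
    return fields


def describe_alert(url):
    """Summarise who served the request and which page embedded it."""
    parts = urlsplit(refang(url))
    query = parse_qs(parts.query)
    ext = parse_ext_data(query.get("ext_data", [""])[0])
    return {
        "ad_host": parts.hostname,
        "embedding_page_domain": ext.get("domain"),
        "request_id": query.get("reqid", [None])[0],
        "language": ext.get("detected_language"),
    }


if __name__ == "__main__":
    for key, value in describe_alert(SAMPLE_URL).items():
        print(f"{key}: {value}")
```

Running it on the two URLs from the thread gives the same ad host and the same embedding domain (tieba.baidu.com), differing only in `reqid` and `price`.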
http://cybercoyote.org/weblog/?page_id=3333
No site is immune from this, so I would err on the side of caution and call it a good detection.
Now I am getting this popup from Malwarebytes when I am idling on tieba.baidu.com
Malicious Website Blocked
Domain:
IP: 93.174.95.73
Port: 49152
Type: Inbound
Process: C:\Windows\System32\wininit.exe
Hmm… that is not from IE. Is this a real malware issue?
Malwarebytes blog
Oh, the Sites You Will Never See https://blog.malwarebytes.org/development/2013/05/oh-the-sites-you-will-never-see/
IP 93.174.95.73 check https://www.metascan-online.com/en/ipscan/OTMuMTc0Ljk1Ljcz