Jump to content

down.baidu2016.com


Recommended Posts

I used Process Hacker to check the network connections and found six opne to      down.baidu2016.com

That is, when Firefox is closed, when it is open, like now, then are literally hundreds on different ports, státus: Time wait

I searched the net for     down.baidu2016.com , but could not find any real information, virustotal soemtiomes finds malware, sometimes not when I search their site. I used mbam's Junk Removal Tool, but it remains unchanged

 

Is    down.baidu2016.com    malware?

How do I remove it?

 

THank you

baidu.jpg

Link to post
Share on other sites

Hello rossdorn and welcome to Malwarebytes,

My screen name is kevinf80, i`m here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please:

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

Change the download folder setting in the default Browser so all tools we may use are saved to the Desktop:

user posted imageGoogle Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. user posted image
Choose Settings. at the bottom of the screen click the
"Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

user posted imageMozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. user posted image Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and the click the "Select Folder" button. Click OK to get out of the Options menu.

user posted imageInternet Explorer - Click the Tools menu in the upper right-corner of the browser. user posted image Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

user posted imageChange default download folder location in Edge -Boot to a user account with admin status, select start > file explorer > right click on "Downloads" folder and select "Properties"

In the new window select "Location" tab > clear the text field box and type in or copy/paste %userprofile%\Desktop > select "Apply" then "OK"

Be aware you are not changing the Browser download folder location, you are changing the user’s download directory location.....

Next,

Follow the instructions in the following link to show hidden files:

http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Next,

Download RKill from here: http://www.bleepingcomputer.com/download/rkill/

There are three buttons to choose from with different names on, select the first one and save it to your desktop.
 
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7/8/10, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this in your next reply.
  • If you do not see the black box flash on the screen delete the icon from the desktop and go back to the link for the download, select the next button and try to run the tool again, continue to repeat this process using the remaining buttons until the tool runs. You will find further links if you scroll down the page with other names, try them one at a time.
  • If the tool does not run from any of the links provided, please let me know.


Next,

Please open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete Apply Actions to any found entries.
  • Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.


To get the log from Malwarebytes do the following:
 
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
    XML file (*.xml) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
     
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…



If Malwarebytes is not installed follow these instructions first:

Download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish. Follow the instructions above....


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach those logs to your reply.


Let me see those logs in your reply...

Thank you,

Kevin...
Link to post
Share on other sites

Hello, Kevin, thank you for your fast response.

No hidden files, I always show all files. But when I used Process Hacker, two so far unknown hidden files turned up. I can send a few screenshots with the details if that might help....?

 

I downloaded and used rkill, log will be attached before sending.

I always use malwarebytes, ran it yesterday without result, run it right now again , log will be attached.

Did the FRST and will now upload both attachments  from thatone also and then  mail it.

 

Thanks again

Rkill.txt

mbam log.doc

FRST.txt

Addition.txt

Link to post
Share on other sites

You`ve posted the wrong log from Malwarebytes, I ask for a log from the latest scan, you`ve posted a "Protection" log. Run one more scan and post that log please...

Next,

Your hosts file is corrupt and exploited, ive attached hosts-perm.zip to this reply. Download and unzip that folder to your Desktop, you should now have hosts-perm.bat on your Desktop. Right click on that file and select "Run as Administrator" agree any alerts. Re-boot when complete.

Next,

RKill indicates a missing service, ive attached TPM_Base_Services.zip to this reply. Download and unzip that folder to your Desktop, you will then have TPM_Base_Services.reg on your Desktop. Double click that reg file to run, agree any merges or alerts. Reboot when complete. Run RKill one more tim and post that log.

Next,

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

In your reply post the following:

Log from Malwarebytes fresh scan.

Log from RKill fresh scan.

FRST.txt and Addition.txt from FRST fresh scan


Also let me know if you have any remaining issues or concerns....

Thank you,

Kevin.

hosts-perm.zip

TPM_Base_Services.zip

Link to post
Share on other sites

Kevin, thank you once more for your help.

Mbam is running, after I have done everything else and I hope I will attach the right log this time. My settings are always on "custom scan", I did not notice that a threat scan is something different. I assumed every scan ought to be a threat scan.

Scan is finished, but I am afraid the result is the same. There is only a Protection Log..... and it is this:

Application Logs.jpg

This is the log :

Malwarebytes Anti-Malware
www.malwarebytes.org

Update, 26/08/2016 7:59, SYSTEM, TDV-PC, Manual, IP Database, 2016.8.25.1, 2016.8.26.1,
Update, 26/08/2016 7:59, SYSTEM, TDV-PC, Manual, Domain Database, 2016.8.25.3, 2016.8.26.1,
Update, 26/08/2016 7:59, SYSTEM, TDV-PC, Manual, Malware Database, 2016.8.25.8, 2016.8.26.6,
Scan, 26/08/2016 8:23, SYSTEM, TDV-PC, Manual, Start:26/08/2016 7:59, Duration:23 min 30 sec, Custom Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections,
Scan, 26/08/2016 8:40, SYSTEM, TDV-PC, Manual, Start:26/08/2016 8:36, Duration:3 min 11 sec, Threat Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections,

(end)

 

 

Windows update is disabled on purpose, I am using simplex update from mdl, which prevents telemetry and forced Win10 updates.

 

In additional Text I see this:

Faulty Device Manager Devices

Name:

Description:

Class Guid:

Manufacturer:

Service:

Problem: : This device is disabled. (Code 22)

Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

 

There is no device that is connected and disabled.

I use a tablet and an mp3 player, and they work perfectly when USB connected. There is no device identified…. ???

So, what will happen if I enable Device wizard?

 

When I run process hacker, my main questions are still:

Who or what is Baidu and what are unknown processes.

Baidu is a huge Chinese internet company, what are they doing on my computer?

There are still 8 connections on 8 different ports, 4 are "Established", the others are "listen".

THere are still two hidden processes running , both "unknown", picture attached.

 

Hidden processes.jpg

 

When I double click on  them I get the info, pictures attached "unknown520" and "unknown 608" both with the complete command line inserted.

 

unknown 608.jpg

unknown 520.jpg

Rkill.txt

Addition.txt

FRST.txt

Link to post
Share on other sites

Quote

I use a tablet and an mp3 player, and they work perfectly when USB connected. There is no device identified…. ???
So, what will happen if I enable Device wizard?


I see no reason to enable Device wizzard, there are no entries listed to check....

Next,

Did you run the batch file to reset Hosts, I see from Addition.txt that hosts is still exploited...

Next,

Please open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the Scan is complete Apply Actions to any found entries.
  • Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.


To get the log from Malwarebytes do the following:
 
  • Click on the History tab > Application Logs.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
    XML file (*.xml) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
     
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Next,

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/
 
  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista,Windows 7/8/8.1/10, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
  • Read and accept the EULA (End User Licene Agreement)
  • Click Scan to scan the system.
  • When the scan completes select "Report",in the next window select "Export txt" the log will open as a text file post that log... Also save to your Desktop for reference. log will open.
  • Close the program > Don't Fix anything!

 

 

Link to post
Share on other sites

I have used all the software you suggested, exactly as you suggested. With mbam I did it twice and sent all there, there just is no more. I now ran rogue killer, got these results, and so far did not remove anything. There are six registry entries and one browser(?) I attach the report for you.

 

But I still have the question, why you give me good advice which I appreciate and follow, but is there a reason why you always neglect to answer the questions I am actually asking?

rogue.txt

Link to post
Share on other sites

Baidu entries on your system and hosts are actions of a Browser Hijacker, not really sure how or why you have them. Browser redirects are not something new, Malware writers have been using that technique to generate traffic to their sites, gathering search terms and redirect users to websites from where they’ll receive a a financial comission or some kind of revenue.

Next,

Double-click RogueKiller.exe to run again. (Vista/7/8/10 right-click and select Run as Administrator)

When "initializing/pre-scan” completes press the Scan button, this may take a few minutes to complete.

When the scan completes open the Registry tab and locate the following detections:

[PUP] HKEY_USERS\S-1-5-21-1025468655-1950445921-1972612005-1000\Software\Conduit -> Found

Make sure that entry is Checkmarked (ticked) also ensure that all other entries are not Checkmarked

Hit the Delete button, when complete select "Report" in the next window select "Export txt" the log will open as a text file post that log... Also save to your Desktop for reference.
 
Next,
 
Go here: https://www.zemana.com/Download download and install Zemana Anti-malware. Allow a shortcut to be saved to your Desktop.. The tool will be active with a 15 day trial....

Right click on user posted image Zemana Antimalware and select "Run as Administrator"

From the GUI select "Settings"

user posted image

In the new window Select 1. Updates, when complete Select 2. Real Time Protection.

user posted image

In the next window make sure 1. all boxes are checkmarked and the action is "Quarantine" and then " 2. Select the home icon.

user posted image

In the new window select "Scan"

user posted image

When the scan completes check each found entry (if any). For "Suspicious Browser Settings" choose REPAIR for all other entries choose QUARANTINE then select the "Next" tab


The action complete window will open, from there select the "Back" tab. That will take you back to the home screen...

On that screen select the "Reports" tab. (Looks like 3 chimneys)

user posted image

On that screen select and highlite the scan details line, then select "Open Report"

user posted image

Copy and paste that log to your reply...

 

Link to post
Share on other sites

My version screenshot was taken when Zemana was in Beta, maybe i`ll update my canned instructions when I have time... do you still have the issue with the browser hijacker...

Continue as follows:

Please download Junkware Removal Tool to your desktop.
 
  • Shut down your protection software now to avoid potential conflicts. (re-enable when done)
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


Next,

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

 

 

Link to post
Share on other sites

Thanks for those logs, the hosts file is still showing as patched. Run the following:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

What is the current status of the operating system, are there any remaining issues or concerns.. One point of note, I do not see any Antivirus protection. There are remnants of McAfee, was that uninstalled recently, do you intend reinstalling...

Thank you,

Kevin

 

 

 

Fixlist.txt

Link to post
Share on other sites

The name of the file is correct Fixlist.txt its content is also listed correctly... Did you save the file to the same folder that FRST is running from, also the file must not be opened.

FRST is saved to and running from the following address:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 27-08-2016
Ran by tdv (administrator) on TDV-PC (27-08-2016 21:58:56)
Running from C:\Users\tdv\Desktop\Computer\not installed

 

 

Link to post
Share on other sites

That choice to wipe and reinstall is yours, Your system is clean and should be alright to continue..... Clean up as follows:

Any fully install tools can be fully uninstalled with the following Uninstall tool:

Download GeekUninstaller from here: http://www.geekuninstaller.com/download (Choose free version) Save Geek.zip to your Desktop. (Visit the Home page at that link for necessary information)

Extract Geek Uninstaller and save to your Desktop. There is no need to install, the executable is portable and can also be run from a USB if required.

Run the tool, the main GUI will populate with installed programs list,

Left click on Program name to highlight that entry.

Select Action from the Menu bar, then Uninstall from there follow the prompts.

If Uninstall fails open the "Action" menu one more time and use "Force Removal" option

Next,

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix either, accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:

 
  • Remove disinfection tools <----- this will remove tools we have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin... user posted image

 

 

Link to post
Share on other sites

2 hours ago, kevinf80 said:

 

Thank you once more, I like the

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629

makes for very interesting reading, I did all the cleaning up you suggested and will wait and watch if the computer keeps running smoothly, If it does, no need for fresh install here.

 

 

 

 

Link to post
Share on other sites

  • Root Admin

Glad we could help. :)If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.