Adware.ChinAd

Short bio

This is Malwarebytes’ generic detection for a family that consists mostly of bundlers containing Chinese adware.

Symptoms

Systems affected with Adware.ChinAd will display advertisements not originating from the sites they are visiting, often oriented toward the Chinese market.

Type and source of infection

Bundlers like Adware.ChinAd often contain one program that is appealing and combine it during install with adware and PUPs.

Protection

Malwarebytes protects users from Adware.ChinAd with its real-time protection technology.

block ChinAd

Malwarebytes blocks Adware.ChinAd

Remediation

Malwarebytes can detect and remove Adware.ChinAd without further user interaction.

  1. Please download Malwarebytes to your desktop.
  2. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
  3. Then click Finish.
  4. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  5. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  6. When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  7. Restart your computer when prompted to do so.

Malwarebytes removal log

An example of a removal log is this one for a member of this family called EnjoyWifi:

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 9/27/17
Scan Time: 10:38 AM
Log File: 36880759-a35f-11e7-bf1d-080027750297.json
Administrator: Yes

-Software Information-
Version: 3.2.2.2018
Components Version: 1.0.188
Update Package Version: 1.0.2896
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 321581
Threats Detected: 23
Threats Quarantined: 23
Time Elapsed: 1 min, 14 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 1
PUP.Optional.EnjoyWiFi, C:\Program Files (x86)\EnjoyWiFi\EnjoyWiFi.exe, Quarantined, [8686], [417507],1.0.2896

Module: 4
PUP.Optional.EnjoyWiFi, C:\Program Files (x86)\EnjoyWiFi\EnjoyWiFi.exe, Quarantined, [8686], [417507],1.0.2896
PUP.Optional.EnjoyWiFi, C:\Program Files (x86)\EnjoyWiFi\sciter32.dll, Quarantined, [8686], [417507],1.0.2896
PUP.Optional.EnjoyWiFi, C:\Program Files (x86)\EnjoyWiFi\wfcrecf.dll, Quarantined, [8686], [417507],1.0.2896
PUP.Optional.EnjoyWiFi, C:\Program Files (x86)\EnjoyWiFi\zlib.dll, Quarantined, [8686], [417507],1.0.2896

Registry Key: 2
PUP.Optional.EnjoyWiFi, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{8948C1BE-92B8-4276-8803-DC71CC78203A}, Delete-on-Reboot, [8686], [417507],1.0.2896
PUP.Optional.ChinAd, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\wfcre, Delete-on-Reboot, [96], [417524],1.0.2896

Registry Value: 1
PUP.Optional.EnjoyWiFi, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{8948C1BE-92B8-4276-8803-DC71CC78203A}|DISPLAYNAME, Delete-on-Reboot, [8686], [417521],1.0.2896

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 2
PUP.Optional.EnjoyWiFi, C:\PROGRAM FILES (X86)\ENJOYWIFI, Delete-on-Reboot, [8686], [417507],1.0.2896
PUP.Optional.EnjoyWiFi, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ENJOYWIFI, Delete-on-Reboot, [8686], [417508],1.0.2896

File: 13
PUP.Optional.EnjoyWiFi, C:\USERS\PUBLIC\DESKTOP\ENJOYWIFI.LNK, Delete-on-Reboot, [8686], [417518],1.0.2896
PUP.Optional.EnjoyWiFi, C:\PROGRAM FILES (X86)\ENJOYWIFI\ENJOYWIFI.SSF, Delete-on-Reboot, [8686], [417507],1.0.2896
PUP.Optional.EnjoyWiFi, C:\Program Files (x86)\EnjoyWiFi\EnjoyWiFi.exe, Delete-on-Reboot, [8686], [417507],1.0.2896
PUP.Optional.EnjoyWiFi, C:\Program Files (x86)\EnjoyWiFi\inst.db, Delete-on-Reboot, [8686], [417507],1.0.2896
PUP.Optional.EnjoyWiFi, C:\Program Files (x86)\EnjoyWiFi\sciter32.dll, Delete-on-Reboot, [8686], [417507],1.0.2896
PUP.Optional.EnjoyWiFi, C:\Program Files (x86)\EnjoyWiFi\uninst.exe, Delete-on-Reboot, [8686], [417507],1.0.2896
PUP.Optional.EnjoyWiFi, C:\Program Files (x86)\EnjoyWiFi\wfcrecf.dll, Delete-on-Reboot, [8686], [417507],1.0.2896
PUP.Optional.EnjoyWiFi, C:\Program Files (x86)\EnjoyWiFi\wftinst.dll, Delete-on-Reboot, [8686], [417507],1.0.2896
PUP.Optional.EnjoyWiFi, C:\Program Files (x86)\EnjoyWiFi\zlib.dll, Delete-on-Reboot, [8686], [417507],1.0.2896
PUP.Optional.EnjoyWiFi, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ENJOYWIFI\ENJOYWIFI.LNK, Delete-on-Reboot, [8686], [417508],1.0.2896
PUP.Optional.EnjoyWiFi, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EnjoyWiFi\uninstall EnjoyWiFi.lnk, Delete-on-Reboot, [8686], [417508],1.0.2896
PUP.Optional.ChinAd, C:\WINDOWS\SYSTEM32\DRIVERS\WFCRE.SYS, Delete-on-Reboot, [96], [417524],1.0.2896
PUP.Optional.EnjoyWiFi, C:\USERS\{username}\DESKTOP\SETUP.4.22.EXE, Delete-on-Reboot, [8686], [417533],1.0.2896

Physical Sector: 0
(No malicious items detected)


(end)

Related blog content

How to remove adware from your PC

Debunking the hacker stereotype: Who are the real monsters?

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Select your language