#16 | Premium Member | Join Date: May 2005 | Location: Orlando Area Florida | Posts: 116
Quote:
Read through the "Securing Windows XP" article. Links to various versions are at "Securing Windows XP" Links. Also, get HTAStop, DSOStop, and SockLock from http://www.nsclean.com/freebies.html to disable some Microsoft features. The nice thing about all three is that they have ON and OFF buttons. HTAStop turns on and off "Hypertext Application", a nice expansion on HTML that lets web sites run programs directly on your computer. (It's to better integrate you with the web.) You may need HTA (in fact, a couple of the Windows Control Panel functions were written in it). But the ON button works as well as the OFF button. DSOStop blocks DSO exploits using a well-known registry hack. For some reason, Microsoft doesn't think the DSO vulnerability needs fixing. But if they ever do, well, DSOStop will also undo the hack. SockLock locks down your Winsock to prevent SKS trojans from installing. You need to undo this when running Windows Update or making network changes, so ... again, ON and OFF buttons.
#17 | Registered User | Join Date: Nov 2003 | Posts: 13,497
Try The Ultimate BootCD. Here: http://ubcd4win.com/ And it even has tools for editing the registry. None of this may work, because I'm getting the feeling that this one is a bad one, like an iceberg, and that there are several other hidden files that recreate anything you delete. Finding them all may be impossible. I would start planning for a complete low-level reformat (I do mean low level, because some of these devils hide in the boot track and simply deleting the partition and reformatting won't work) or a reformat using a Linux installer followed by a Windows repartition and reformat.
#18 | He who checks Signal 3 | Join Date: Jan 2003 | Location: Kentucky | Posts: 231
Quote:
I don't know about all that. I have never used debug.exe to clear the CMOS and erase the HDD on an array. Back when I did tech support for Hewlett Packard, as a last resort I'd refer or walk them through http://www.computerhope.com/rdebug.htm#5, but I'm quite scared to do that on my array.
__________________
Windows Vista Business - 64bit | Virtual PC '07 with XP Pro 32bit ASUS Striker Extreme - 1503 BIOS<>Intel E8400 3.0 Stock - Thermalright Ultra-120 w/Noctua NF-S12 4gig Patriot Viper DDR2-800 @ 4-4-4-12<>EVGA 8800GTS 512MB G92 3 Seagate 7200.10 320g in RAID 5 on Highpoint 2310<>Western Digital 74g Raptor<>NEC 3540 Dual Layer Burner Lian Li PC-S80 Case<> Enermax EG701AX-VE 600w Powersupply<>BenQ FP222W 22" LCD Klipsch Promedia 5.1<>APC SmartUPS 1500
#19 | Registered User | Join Date: Nov 2003 | Posts: 13,497
No, by low level I mean using the hard drive manufacturer's DOS-based diagnostics and utilities. Go to the manufacturer's site, download their floppy- or CD-based diagnostics, and there will be a low-level formatter there that clears everything on the hard drive, including the boot sectors.
#20 | He who checks Signal 3 | Join Date: Jan 2003 | Location: Kentucky | Posts: 231
Going to give the UBCD a shot prior to formatting. If that doesn't work, I'm going to take a break, watch a movie, and then hit the rack for a few zzzz's. Tried regsvr32 /u to unregister the .sys file. No go. Thanks for all the suggestions so far! James
#21 | Wisdom Will Always Linger | Join Date: May 2004 | Location: Belize, The Jewel | Posts: 3,012
Have you tried the delete method in Safe Mode? Also, if you can identify the paths, write them down, boot with a start-up disk, and change directories until you get to the directory where the files sit and delete them from there. Run a registry cleaner after you reboot.
__________________
Knowledge: Either you have it or know where to get it!
You need to have the right question to get the right answer.
The greatest right any nation can afford its people is the right to be left alone.
BIOSTAR - P4M80-M4, P4-2.8E HT, MSI NX6200AX-TD256 DDR, 2X512 PC3200 MICRON DDR 400, HITACHI 80G & SAMSUNG 40G, LITEON 20XDVDR, MOTOROLA SB5100 CABLE MODEM, 56K V92 AGERE FAX MODEM, X TECH OPTICAL MOUSE, AIR COOLED - 5 FANS, UBUNTU HARDY HERON (8.04)
#22 | OLD FART | Join Date: Feb 2001 | Location: Smithers BC, Canada | Posts: 3,607
Try this one; I have had really good luck with it. Don't know if it will remove the one you have or not. http://adwarealert.com
__________________
Jerry Folding for the betterment of mankind.
#23 | He who checks Signal 3 | Join Date: Jan 2003 | Location: Kentucky | Posts: 231
At this point I think no spyware program out there can help; this thing is either too new or just too deep in the system. I tried booting into Safe Mode Command Prompt and noticed the string of drivers that it loads line by line happens to have the BDGUARD.SYS file as one of them. I can delete the files in Safe Mode Command Prompt, but they come right back instantly. I found this in my Add/Remove but cannot use it. I found a suspect service, but it wasn't started. I changed it to Disable anyway. I'm sure the qqfaceclient.exe has something to do with this issue.
#24 | He who checks Signal 3 | Join Date: Jan 2003 | Location: Kentucky | Posts: 231
Issue resolved. I'm pleased to say my issue with Baidu Bar has been resolved. Thank you all for your help. I evidently installed a program that installed Baidu Bar alongside it. This seems to be a common method of dispersing toolbars. Baidu Bar seems to be a toolbar not unlike the Google Bar for IE, search-capability wise. However, I found it troubling that it was so difficult to uninstall. What it was designed to do alongside searching, I cannot say. I did submit several of the files to Eset for analysis, though I doubt they will be classified as a virus.

When the bar showed up in Internet Explorer (Firefox was NOT affected), I clicked on Tools (within IE) and went to Manage Add-ons. I disabled both Baidu Bar add-ons, resulting in the physical toolbar removing itself from IE. However, all files associated with it remained on the hard drive. I then went to the directory C:\Program Files and looked at what had shown up in the last day (by viewing details and sorting by date). I found Baidu and CNNIC. I also found a folder that had qqfaceclient.exe within it in the Program Files directory, but I fail to remember the name of the directory it was inside. Additionally, there was a folder located at C:\Program Files\Common Files\COMM\. I was able to successfully delete the directory that had qqfaceclient.exe within it, and several of the files within both Baidu and CNNIC. I was also able to delete C:\Program Files\Common Files\COMM\ and all files within. I was unable to permanently delete 2 .bmp files within a subdirectory, 2 .dll files and a .sys file within the directory Baidu. Those files would return instantly after refreshing the screen. I was unable to delete a file within the directory CNNIC (seemed it was in use). I installed several spyware programs. Some detected this malware, some did not. None were able to remove the program.

The program located and sold at http://www.scanspyware.net found the locations of the malware on the hard drive as well as in the registry. It was with this program that I was able to locate the locations of the key files. But again, this program was unable to remove the malware. I knew the locations of registry entries, but when I tried to modify the registry, REGEDIT locked up and I was forced to end the task. This behavior is associated with Baidu Bar. I located a suspicious service that pointed to C:\Program Files\Common Files\Comm\qqfaceclient.exe. This service is cleverly disguised as Windows Print Controller. I set this service to Disable. At this point, I knew the locations of several files that I needed to remove from my system. I knew of the two directories within c:\program files as discussed above, and I knew there were two definite files within the C:\windows\system32 directory called bdguard.dat and bdguards.dat that I needed to remove. I also knew of the bdguard.sys file within c:\windows\system32\drivers that was probably the main .dll file of the malware. This file loaded in both Safe Mode and Normal Mode. Once loaded, this file was immune to deletion and even modification through notepad.exe or a hex editing program. I was also unable to unregister the .dll using a command prompt and "regsvr32.dll /u". Since the locations of the files were known, as well as their names, I booted to my Windows installation CD, entered the Recovery Console mode and navigated to c:\windows\system32 and deleted the first two files, then into c:\windows\system32\drivers and removed the bdguard.sys file. A simple reboot into Normal Mode of Windows and a check of the locations proved the deletion successful. At this point it was possible to remove the directories within C:\program files and edit my registry without REGEDIT locking up. Again, thank you all for your help, and I hope this thread helps anyone who needs it in the future.

Edit: I found two IP addresses within the registry key HKEY_CURRENT_USER\Software\Baidu of 202.108.22.56 and 220.181.18.3. Both go to http://bar.baidu.com/sobar/promotion.html

EDIT: Adding registry entries that I cleaned.
HKEY_CLASSES_ROOT\MimeFilter.AdFilter
HKEY_CLASSES_ROOT\MimeFilter.AdFilter.1
HKEY_CLASSES_ROOT\BaiduBar.Baidu
HKEY_CLASSES_ROOT\BaiduBar.Baidu.1
HKEY_CLASSES_ROOT\BaiduBar.Tool
HKEY_CLASSES_ROOT\BaiduBar.Tool.1
HKEY_CLASSES_ROOT\BaiduBarEx.BandIE
HKEY_CLASSES_ROOT\BaiduBarEx.BandIE.1
HKEY_CLASSES_ROOT\BaiduBarEx.DropTarget
HKEY_CLASSES_ROOT\BaiduBarEx.DropTarget.1
HKEY_CLASSES_ROOT\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}
HKEY_CLASSES_ROOT\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}
HKEY_CLASSES_ROOT\CLSID\{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}
HKEY_LOCAL_MACHINE\SOFTWARE\Baidu
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\sobar
HKEY_CURRENT_USER\Software\Baidu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B580CF65-E151-49C3-B73F-70B13FCA8E86}
HKEY_LOCAL_MACHINE\SOFTWARE\media
HKEY_USERS\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs
HKEY_USERS\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{B580CF65-E151-49C3-B73F-70B13FCA8E86}
HKEY_CLASSES_ROOT\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}
HKEY_CLASSES_ROOT\CLSID\{7C76C055-ED6E-4535-A70F-CD476E727F67}
HKEY_CLASSES_ROOT\Interface\{89FDCC4B-8D91-49B0-81A6-18BCFF582735}
HKEY_CLASSES_ROOT\TypeLib\{6AFC2761-1253-427C-9A56-385B4609BE1D}
HKEY_CLASSES_ROOT\CLSID\{EED92A43-CFCE-4548-BD73-B0A405470ED5}
HKEY_CLASSES_ROOT\TypeLib\{571302BD-937F-44C6-8823-38F7A835D66B}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\Universal Disk Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Universal Disk Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\Universal Disk Manager

Files:
qqfaceclient.exe
C:\DOCUME~1\Pacifico\LOCALS~1\Temp\QQNewVer\QQUpdate.DAT:*:Enabled:QQUpdate.DAT
C:\Program Files\CNNIC\Cdn\cdnup.exe
C:\Program Files\CNNIC\Cdn\cdnprot.dat
C:\Program Files\Baidu\bar\BaiduBar.DLL
C:\Program Files\Baidu\bar\bdgdins.dll

Last edited by frozenasset : 02-09-2006 at 06:48 AM.
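The post above found its three persistence points by hand: a service whose display name ("Windows Print Controller") did not match its binary (qqfaceclient.exe), a kernel driver (bdguard.sys) that loaded even in Safe Mode and re-created deleted files, and an IE toolbar registered by CLSID. The script below is an added triage example, not code from the thread or from any of the tools mentioned in it. It enumerates those same three locations on a live Windows host and reports what it finds; it reads only and deletes nothing. It assumes Windows PowerShell 3.0 or later (for Get-CimInstance), which the XP machine in the thread would not have had; the file names in $Suspects are taken from the post purely as example indicators.

```powershell
# Added triage script for the thread above; not from the original post or any vendor tool.
# Walks the persistence points the post cleaned by hand: services with a misleading
# display name, kernel drivers under system32\drivers, and IE toolbar/BHO CLSIDs.
# Read-only. Run from an elevated Windows PowerShell 3.0 or later.
# ASSUMPTION: $Suspects holds the file names the post reported, as example indicators only.

$Suspects = @('qqfaceclient.exe', 'bdguard.sys', 'baidubar.dll', 'bdgdins.dll', 'cdnup.exe')

function Get-BinaryPath([string]$PathName) {
    # Service/driver PathName may be quoted and may carry arguments
    # ("C:\...\svchost.exe -k netsvcs"); keep only the executable.
    # An unquoted path containing spaces is a finding in its own right.
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Get-SignatureStatus([string]$Path) {
    # 'Valid: <signer>' or the reason the file is not trusted.
    if (-not $Path) { return 'NoPath' }
    $Path = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'FileMissing' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') { return [string]$sig.Status }
    return "Valid: $($sig.SignerCertificate.Subject)"
}

function Get-SuspectServices {
    # Flag a service if its binary is on the suspect list, or if it has a
    # Windows/Microsoft-sounding display name but its binary is not Microsoft-signed
    # (the post's "Windows Print Controller" -> qqfaceclient.exe case).
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $bin  = Get-BinaryPath $svc.PathName
        $leaf = if ($bin) { [IO.Path]::GetFileName($bin).ToLowerInvariant() } else { '' }
        $sig  = Get-SignatureStatus $bin
        $spoofed = ($svc.DisplayName -match '^(Windows|Microsoft)\b') -and ($sig -notmatch 'O=Microsoft Corporation')
        if (($Suspects -contains $leaf) -or $spoofed) {
            [pscustomobject]@{ Kind = 'Service'; Name = $svc.Name; DisplayName = $svc.DisplayName
                               Path = $bin; StartMode = $svc.StartMode; State = $svc.State; Signature = $sig }
        }
    }
}

function Get-SuspectDrivers {
    # A kernel driver loads before any user-mode cleaner and can re-create the files
    # you delete (what the post saw with bdguard.sys). List drivers on the suspect
    # list or without a valid Authenticode signature.
    foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
        $bin = Get-BinaryPath $drv.PathName
        if (-not $bin) { continue }
        $leaf = [IO.Path]::GetFileName($bin).ToLowerInvariant()
        $sig  = Get-SignatureStatus $bin
        if (($Suspects -contains $leaf) -or ($sig -notmatch '^Valid')) {
            [pscustomobject]@{ Kind = 'Driver'; Name = $drv.Name; DisplayName = $drv.DisplayName
                               Path = $bin; StartMode = $drv.StartMode; State = $drv.State; Signature = $sig }
        }
    }
}

function Get-IEExtensions {
    # IE toolbars and Browser Helper Objects are registered by CLSID; resolve each
    # CLSID to the DLL it loads via CLSID\{...}\InprocServer32. The post's toolbar
    # CLSID lived under HKLM\...\Internet Explorer\Toolbar.
    $guid  = '^\{[0-9A-Fa-f-]{36}\}$'
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
        'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # CLSIDs appear as value names (Toolbar) or as subkey names (BHOs); collect both.
        $ids  = @((Get-Item -LiteralPath $root).GetValueNames() | Where-Object { $_ -match $guid })
        $ids += @(Get-ChildItem -LiteralPath $root | ForEach-Object { $_.PSChildName } | Where-Object { $_ -match $guid })
        foreach ($id in ($ids | Sort-Object -Unique)) {
            $dll = (Get-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Classes\CLSID\$id\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{ Kind = 'IE'; RegisteredUnder = $root; CLSID = $id; Dll = $dll; Signature = (Get-SignatureStatus $dll) }
        }
    }
}

@(Get-SuspectServices) + @(Get-SuspectDrivers) + @(Get-IEExtensions) | Format-List
```

Two caveats for anyone reusing this. First, on XP-era systems many legitimate third-party drivers carry no Authenticode signature, so the driver list is triage output, not a verdict; the post's combination of a suspect file name plus a file that re-appears after deletion is the stronger signal. Second, the script only identifies. As the post found, a loaded driver protects its own file, so the actual deletion still has to happen offline (Recovery Console, a boot CD such as the UBCD mentioned earlier, or mounting the disk from another OS), after which the registry keys the post lists can be removed without REGEDIT hanging. On 64-bit Windows, also check the Wow6432Node mirrors of the IE and CLSID keys, which the script does not walk.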
#25 | OLD FART | Join Date: Feb 2001 | Location: Smithers BC, Canada | Posts: 3,607
Glad to hear you got rid of it.
#26 | Registered User | Join Date: Sep 2003 | Location: Charlotte NC | Posts: 807
That was a nasty little bugger. You have way more patience than I do. I would have done a 000 format long ago. Glad you got rid of it, though; now I know where not to go on the net. Good thing my wife reads Chinese, I can just ask her which one to/not to click.
__________________
My Toys LANPARTY LP-PRO 875B REV B1, Intel 2.8E, 2x512 3500 OCZ, GIGABYTE GV-N57L128DP XFX 6600GT, 80G Seagate SATA SERVER Giga-Byte GA-8KNXP(non ultra)Bios F5,P4-2.6c 800, 2x512MB, PMI 32Mx64 PC3700, Asus Video Card V9280 128mb, 4x80GB Seagate SATA Raid 1 / 5, 1x120gig IDE backup, Test Box: Supermicro P4SBA+, Intel 1.5A, 384mb PC133, 60G IDE Wifes Toys DFI 875P Infinity, Intel 2.4c, Geil PC3500 2x256, 1 80g IDE, 128mb vid, Aopen AX4GPRO, Intel 2.0a, 512mb, 40g IDE, 64mb vid,
#27 | Registered User | Join Date: Feb 2004 | Posts: 1,203
Quote:
Nice job! Congrats! Tried to translate the page with Babelfish and all I could come up with was "National Disgrace"???