ABXZone Computer Forums
Old 01-11-2006, 01:49 PM   #1
frozenasset
He who checks Signal 3
 
Join Date: Jan 2003
Location: Kentucky
Posts: 238
How do I remove Baidu Bar?

I haven't had this much trouble since I had netdc.exe issues.

Seems I always miss the easy fixes, and get the nukers.

How I got it: some Chinese site. And ProcessGuard won't work with PunkBuster, so it's either one or the other. /cry. Yes, this time it was gaming over security.

What I know about it: Very little. Baidu is supposedly the Chinese version of Google?

How I know it's there:

C:\Program Files\Baidu
C:\CNNIC

I cannot delete the Baidu folder without it automatically reappearing after pressing F5. I cannot delete the CNNIC folder period. I had an odd task in the Task Manager called qqfaceclient.exe. I can't find the damn thing to remove.

What I've tried.

Pest Patrol - Found cookies... that's it. whooooooooo /shiver
ScanSpyware - Sees all the registry entries but won't remove them unless I pay for it.
SpySweeper - removes cookies, but can't touch the DLLs for Baidu.
Regedit to manually remove the registry entries - the first entry I try to remove locks Regedit up...
HijackThis - sees the problems, lets me remove them, but they come back in the next scan.

Safe mode with all the above....

Figured screw it, I'll lock it down, installed ProcessGuard rebooted and can now prevent qqfaceclient.exe from running, but still cannot remove registry entries or the elusive folders in C:\Program Files.

Running a Rootkitrevealer right now, going to follow with Adaware and Spybot Search and Destroy then a dose of Spyware Blaster.




Help me.
Old 01-11-2006, 02:28 PM   #2
Rickwell
Last user turn off lights
 
Join Date: Jun 2002
Location: Iowa
Posts: 1,814
Try System Restore to a date before you got it.
__________________
Asus X48 DDR2 Rampage Formula
Core 2 Extreme qx9650 @ 4.00 Ghz
Water Cooled with Apogee GTZ
EVGA 295 GTX,Koolance water block
4GB Corsair Twin 2X4096-8500C5DF
4 x 256 GB Raid 0 / Crucial M4 SSD
Areca ARC-1000B LCD Pannel
Areca 1880ix RAID Card / 4GB cache
Lamptron FC5 Fan Controller
Corsair CMPSU-1000HX PSU
Win7 x64/SP1
Old 01-11-2006, 02:48 PM   #3
frozenasset
He who checks Signal 3
 
Join Date: Jan 2003
Location: Kentucky
Posts: 238
Well, no progress with RootkitRevealer, Adaware or Spybot Search and Destroy. For craps and giggles I tried Microsoft's AntiSpyware program too; no luck.

SpywareBlaster seems to be a good preventative program, but since I hadn't had it installed prior to this, I don't know if it's effective at preventing what I've got.

Baidu you are

Rickwell, I thank you for your prompt reply, but unfortunately I tend to turn System Restore off after installation of Windows. So that didn't work either.

I smell a format and reinstall coming.
Old 01-11-2006, 03:41 PM   #4
Terry Reynolds
Premium Member
 
Join Date: May 2005
Location: Orlando Area Florida
Posts: 121
Did you know that ScanSpyware's page on that hijacker has instructions for manual removal?

http://www.scanspyware.net/info/BDHelper.htm

Last edited by Terry Reynolds; 01-11-2006 at 03:56 PM..
Old 01-11-2006, 03:44 PM   #5
frozenasset
He who checks Signal 3
 
Join Date: Jan 2003
Location: Kentucky
Posts: 238
Yes I did, but unfortunately I cannot simply use Regedit to remove the registry entries. For some reason, regedit.exe locks up as soon as I try to remove a Baidu entry.

I have made some progress: I have identified a .dll that seems to be the mastermind behind the entire plot, "bdguard.sys", by using Process Explorer from Sysinternals.com.

If I can kill that DLL I'll wager I can remove the directories and kill the keys in the registry.

I can remove all but the following by deleting:

[Attached images: a.png, b.PNG]

Last edited by frozenasset; 01-11-2006 at 03:51 PM..
Old 01-11-2006, 03:53 PM   #6
frozenasset
He who checks Signal 3
 
Join Date: Jan 2003
Location: Kentucky
Posts: 238
I need to figure out how to kill this:

[Attached image: c.PNG]
Old 01-11-2006, 03:57 PM   #7
Terry Reynolds
Premium Member
 
Join Date: May 2005
Location: Orlando Area Florida
Posts: 121
Supposedly, XBlock X-Cleaner will also remove it, but you have to pay for it.

Webroot's Spy Sweeper should remove it, and I believe the trial version will go as far as removal.
Old 01-11-2006, 03:58 PM   #8
Terry Reynolds
Premium Member
 
Join Date: May 2005
Location: Orlando Area Florida
Posts: 121
Did you actually say yes to installing the toolbar? Or did it install automatically when you visited the bad guys' web site?

From what I've been able to find in a quick search on the BDGuard file, this one looks fairly new, and it may be a matter of waiting for the anti-spyware companies to update for it.

Last edited by Terry Reynolds; 01-11-2006 at 04:05 PM..
Old 01-11-2006, 04:00 PM   #9
PCBruiser
Registered User
 
Join Date: Nov 2003
Posts: 13,497
Answer: MoveOnBoot. Install it, right-click on the malware file, choose to delete it on next boot, reboot, and it is gone. Available here (free):

http://www.snapfiles.com/reviews/Mov...oveonboot.html

Also remove each of the files in those folders the same way. After they are gone the folders can be deleted, and then you should be able to clean the entries in the registry once the files are gone (you may need to take ownership of the keys).
Old 01-11-2006, 04:10 PM   #10
Terry Reynolds
Premium Member
 
Join Date: May 2005
Location: Orlando Area Florida
Posts: 121
Now that looks to be a really good one that I missed. This is surprising, since WebAttack has been my first-stop download site for years, and I visit it regularly. (I can't get used to the new name.)
Old 01-11-2006, 04:22 PM   #11
frozenasset
He who checks Signal 3
 
Join Date: Jan 2003
Location: Kentucky
Posts: 238
Quote:
Originally Posted by Terry Reynolds
Did you actually say yes to installing the toolbar? Or did it install automatically when you visited the bad guys' web site?
Well, I couldn't tell you for sure, but I believe it was my error in checking a box that I couldn't read.

Quote:
Originally Posted by Terry Reynolds
From what I've been able to find in a quick search on the BDGuard file, this one looks fairly new, and it may be a matter of waiting for the anti-spyware companies to update for it.
I agree with you. I can't seem to find much information about it that is in English, so I'm flying blind. I'm 99% sure it's self-inflicted, though, through stupidity: I should have KNOWN better than to check a box that I couldn't read, as it was in Mandarin.
Old 01-11-2006, 04:27 PM   #12
frozenasset
He who checks Signal 3
 
Join Date: Jan 2003
Location: Kentucky
Posts: 238
Quote:
Originally Posted by PCBruiser
Answer: MoveOnBoot. Install it, right-click on the malware file, choose to delete it on next boot, reboot, and it is gone. Available here (free):

http://www.snapfiles.com/reviews/Mov...oveonboot.html

Also remove each of the files in those folders the same way. After they are gone the folders can be deleted, and then you should be able to clean the entries in the registry once the files are gone (you may need to take ownership of the keys).
I hope this works better than HijackThis' "Delete a file on reboot" tool. That didn't do anything.
Old 01-11-2006, 04:29 PM   #13
PCBruiser
Registered User
 
Join Date: Nov 2003
Posts: 13,497
It always works for me! Now, it is possible that this is a self-morphing malware, which means there is another hidden file somewhere that checks to see if this file is there and, if it isn't, recreates it again. That could be why HijackThis is failing.
Old 01-11-2006, 04:41 PM   #14
frozenasset
He who checks Signal 3
 
Join Date: Jan 2003
Location: Kentucky
Posts: 238
No dice. I tried deleting just the one .sys (dll) file. Then I tried deleting all the Baidu files that I know of by (I think) queuing them one after the other.

Man I really do miss DOS right about now.

Maybe I could make an NT Boot Disk, that I could use to boot with, then go over to the C:\ drive, and delete them manually.

Is there a way to "unregister" a DLL file?
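An added example, not from this thread, MoveOnBoot or Baidu: the delete-on-next-boot mechanism PCBruiser describes is the Win32 MoveFileEx call with MOVEFILE_DELAY_UNTIL_REBOOT, which queues paths in the PendingFileRenameOperations registry value that Windows processes early in boot. The script below disables the service entry that loads bdguard.sys first (a .sys file is a kernel driver, and Windows only loads it via a service key), then queues the two folders named in the thread; it assumes an elevated PowerShell 2.0 or later prompt and that the driver really is registered under the Services key.

```powershell
# Constructed example: disable the driver service, then queue delete-on-reboot.
$driverFile = 'bdguard.sys'
$folders    = 'C:\Program Files\Baidu', 'C:\CNNIC'

# 1. Find the service whose ImagePath names the driver and set Start=4 (disabled)
#    so the driver is not loaded at boot to protect or re-create the files.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
Get-ChildItem $svcRoot | ForEach-Object {
    $img = (Get-ItemProperty $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if ($img -and $img -like "*$driverFile*") {
        Write-Host "Service $($_.PSChildName) loads $img; setting Start=4 (disabled)"
        Set-ItemProperty $_.PSPath -Name Start -Value 4
    }
}

# 2. MoveFileEx with a null target and MOVEFILE_DELAY_UNTIL_REBOOT deletes the
#    path during the next boot, before any user-mode program can hold it open.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 4

foreach ($folder in $folders) {
    if (-not (Test-Path $folder)) { continue }
    # Deepest paths first so each directory is empty by the time its own entry runs.
    $items = Get-ChildItem $folder -Recurse -Force | Sort-Object { $_.FullName.Length } -Descending
    foreach ($item in @($items) + (Get-Item $folder -Force)) {
        $ok = [Win32.Native]::MoveFileEx($item.FullName, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
        if (-not $ok) {
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            Write-Warning "Could not queue $($item.FullName): Win32 error $err"
        }
    }
}

# 3. Verify what is queued: a REG_MULTI_SZ of source/target pairs, where an
#    empty target means "delete". Review this before rebooting.
$sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
(Get-ItemProperty $sm -Name PendingFileRenameOperations).PendingFileRenameOperations
```

If step 3 shows the entries but the files are back after the reboot, something that still runs at boot re-created them, which is the "hidden file" case PCBruiser raises and a reason to check the other Services entries and Run keys before trying again.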
Old 01-11-2006, 04:42 PM   #15
frozenasset
He who checks Signal 3
 
Join Date: Jan 2003
Location: Kentucky
Posts: 238
Quote:
Originally Posted by Terry Reynolds
Supposedly, XBlock X-Cleaner will also remove it, but you have to pay for it.

Webroot's Spy Sweeper should remove it, and I believe the trial version will go as far as removal.
I have the full version, bought it, but no dice. Afraid to keep pouring money into the issue when it's so easy to FDISK, format and reinstall.