Anti-Spyware Forums



Remove Forced Install Of Baidu.com Sobar Toolbar

Sign Generator
Guest
      28-08-2006, 07:40 PM
Antivirus software running on Microsoft Windows XP finds
%sysdir%\drivers\bdguard.sys is a Trojan/Backdoor but cannot remove it.
Ad-Aware, PestPatrol and ScanSpyware can't remove it either (but detect
intrusions), and neither can Windows Defender (although it tries to
remove bdguard.sys). Nothing seems to be able to remove this but the
actual Uninstaller made by Baidu.com (just everything is in Chinese and
us English people have no idea what's going on or being said). Even
deleting files manually, they magically reappear (the computer system gets
modified by BDguard.sys to protect against deleting).

If you are lucky enough to have a previous state (Windows Restore
feature) to restore to (I did not), reboot your computer into Safe Mode
(push F8 during boot) and use the restore feature once running.

It isn't really a virus, but it is a nasty malware that messes with
your head.

BASICALLY HOW I REMOVED BDGuard.sys SUCCESSFULLY WITHOUT RESTORING XP:

1. Go to bar.baidu.com and reinstall the toolbar from there to make sure
all removed stuff is back.

2. Now you will be able to uninstall the toolbar.

3. Go to Start > Settings / Control Panel / Add or Remove Software

4. Probably the first thing on the list is in Chinese, that's what you
want to remove.

5. You will be shown a web page in Chinese asking why to uninstall, the
last clickable radio button is "I was forced to install" as your
uninstall excuse, click it!

6. You will be directed to another Chinese page that says that when you
reboot the files (even BDguard.sys) will be gone.

7. REBOOT!

PS: I translated the Chinese text to English as I needed with
http://translate.google.com

DETAILS ABOUT THE INITIAL INTRUSION:

Resources:

regkey: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{77FEF28E-EB96-44FF-B511-3185DEA48697}
regkey: HKLM\SOFTWARE\CLASSES\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}
regkey: HKLM\SYSTEM\CurrentControlSet\Services\BdGuard
regkey: HKLM\Software\microsoft\windows\currentversion\uninstall\sobar
regkey: HKLM\Software\Classes\MimeFilter.AdFilter.1
regkey: HKLM\Software\Classes\MimeFilter.AdFilter
regkey: HKLM\Software\Classes\BaiduBarEx.DropTarget.1
regkey: HKLM\Software\Classes\BaiduBarEx.DropTarget
regkey: HKLM\Software\Classes\BaiduBarEx.BandIE.1
regkey: HKLM\Software\Classes\BaiduBarEx.BandIE
regkey: HKLM\Software\Classes\BaiduBar.Tool.1
regkey: HKLM\Software\Classes\BaiduBar.Tool
regkey: HKLM\Software\Classes\BaiduBar.Baidu.1
regkey: HKLM\Software\Classes\BaiduBar.Baidu
ietoolbar: HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\\{B580CF65-E151-49C3-B73F-70B13FCA8E86}
regkey: HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\\{B580CF65-E151-49C3-B73F-70B13FCA8E86}
bho: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{77FEF28E-EB96-44FF-B511-3185DEA48697}
clsid: HKLM\SOFTWARE\CLASSES\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}
clsid: HKLM\SOFTWARE\CLASSES\CLSID\{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}
regkey: HKLM\SOFTWARE\CLASSES\CLSID\{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}
clsid: HKLM\SOFTWARE\CLASSES\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}
regkey: HKLM\SOFTWARE\CLASSES\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}
clsid: HKLM\SOFTWARE\CLASSES\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}
regkey: HKLM\SOFTWARE\CLASSES\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}
clsid: HKLM\SOFTWARE\CLASSES\CLSID\{7C76C055-ED6E-4535-A70F-CD476E727F67}
regkey: HKLM\SOFTWARE\CLASSES\CLSID\{7C76C055-ED6E-4535-A70F-CD476E727F67}
regkey: HKLM\SOFTWARE\CLASSES\TYPELIB\{6AFC2761-1253-427C-9A56-385B4609BE1D}\1.0
typelibversion: HKLM\SOFTWARE\CLASSES\TYPELIB\{6AFC2761-1253-427C-9A56-385B4609BE1D}\1.0
driver: BdGuard
typelib: HKLM\SOFTWARE\CLASSES\TYPELIB\{6AFC2761-1253-427C-9A56-385B4609BE1D}
file: C:\WINDOWS\system32\drivers\BDGuard.SYS
file: C:\Program Files\Baidu\bar\BaiDuBar.dll
folder: C:\Program Files\baidu\bar\img\
folder: C:\Program Files\baidu\bar\

------

www.WHAK.com edy!
www.Nerdful.com
www.Txt2Pic.com

Sign Generator
Guest
      28-08-2006, 07:53 PM
Also, http:// dl.jiangmin.com/suc.htm seems to be one site that forces
an install? Cannot verify by replication, but I do see suspicious
Javascript code on that page that looks kinda like:

<SCRIPT language=javascript>
// Writes an <object> tag that instantiates the toolbar's ActiveX control by
// CLSID (the same CLSID as in the registry keys listed in the first post).
function GetBar()
{
document.write("<object id=bar classid=\"clsid:A7F05EE4-0426-454F-8013-C41E3596E9E9\"></object>");
}
</SCRIPT>

<SCRIPT language=javascript>
GetBar();
<!--
// Refuses to submit the form until the consent checkbox is ticked.
function checkform()
{
if (document.form1.checkbox.checked == "")
{
alert("dumb");
document.form1.checkbox.focus();
return false;
}
else
{
return true;
}
}

function pageLoad()
{
// window.open("http://www2.baiduxx.com/dg/poll/assitant.php", 'newwindow', 'height=500, width=400, top=0, left=0, toolbar=no, menubar=no, scrollbars=yes,resizable=no,location=no, status=no');
}

// Both functions read properties straight off the "bar" ActiveX object.
function GetAutoClearState()
{
return bar.optEnableAutoClean;
}

function GetFilterADState()
{
return bar.optFilter;
}

//-->
</SCRIPT>

<SCRIPT language=javascript>
<!--
function my_submit(form){
form.sr.value=1;
form.action='/baidu?tn=baidu&ct=0&ie=gb2312&cl=3&f=8&bs=mp3&word=mp3&sr=1';
form.submit();
return true;
}
//-->
</SCRIPT>

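As an added detection example (not code from this thread or from any of the posters), the following Python scans a Windows registry export (.reg) and a saved web page for the Sobar artifacts listed in the first post and the ActiveX classid used by the install page quoted in the second post. The .reg text and HTML snippet are constructed samples.

```python
import re

# Indicators taken from the thread: CLSIDs of the BHO, the IE toolbar and the
# <object> control, plus registry key prefixes of the Sobar install.
SOBAR_CLSIDS = {
    "77FEF28E-EB96-44FF-B511-3185DEA48697",  # Browser Helper Object
    "B580CF65-E151-49C3-B73F-70B13FCA8E86",  # Internet Explorer toolbar
    "A7F05EE4-0426-454F-8013-C41E3596E9E9",  # <object classid> on the install page
    "7C76C055-ED6E-4535-A70F-CD476E727F67",
    "FE14F22E-BE14-4F08-A80F-F27BC3A67B2D",
}
SOBAR_KEY_PREFIXES = (  # lower-case, without the HKLM root
    r"system\currentcontrolset\services\bdguard",
    r"software\microsoft\windows\currentversion\uninstall\sobar",
    r"software\classes\baidubar",  # covers BaiduBar.* and BaiduBarEx.* ProgIDs
    r"software\classes\mimefilter.adfilter",
)
GUID_RE = re.compile(r"\{([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})\}", re.I)

def scan_reg_export(reg_text):
    """Return the key paths in a .reg export that belong to the Sobar install."""
    hits = []
    for line in reg_text.splitlines():
        line = line.strip()
        if not (line.startswith("[") and line.endswith("]")):
            continue  # value lines and the header are not key paths
        key = line[1:-1]
        sub = re.sub(r"^(hkey_local_machine|hklm)\\", "", key.lower())
        guid = GUID_RE.search(key)
        if sub.startswith(SOBAR_KEY_PREFIXES) or (guid and guid.group(1).upper() in SOBAR_CLSIDS):
            hits.append(key)
    return hits

def scan_html(html):
    """Return Sobar CLSIDs a page tries to instantiate via <object classid=...>."""
    pattern = re.compile(r"<object[^>]*classid\s*=\s*['\"]?clsid:([0-9A-F-]{36})", re.I)
    return [m.group(1).upper() for m in pattern.finditer(html)
            if m.group(1).upper() in SOBAR_CLSIDS]

# Constructed samples: a partial .reg export and the <object> tag from the second post.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BdGuard]
"ImagePath"="system32\\drivers\\BDGuard.SYS"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}]
"""
SAMPLE_HTML = '<object id=bar classid="clsid:A7F05EE4-0426-454F-8013-C41E3596E9E9"></object>'
```

Run it against `reg export HKLM` output and a saved copy of a suspect page; any hit means the toolbar (or a page trying to load it) is present even if the on-disk driver keeps reappearing.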
Sign Generator
Guest
      28-08-2006, 07:58 PM
I put the two Xs in the URLs above (baiduxx.com).

Please Microsoft, make it so this cannot be done to my computer again,
I fought for days to figure this out and your solutions didn't stop it
to date, I had much downtime in my small new business (cannot afford
delays).

I got very upset the other night fighting with RegEdit (any keys and
values I removed reappeared next reboot).

Malke
Guest
      28-08-2006, 09:30 PM
Sign Generator wrote:

> I put the two Xs in the URLs above (baiduxx.com).
>
> Please Microsoft, make it so this cannot be done to my computer again,
> I fought for days to figure this out and your solutions didn't stop it
> to date, I had much downtime in my small new business (cannot afford
> delays).
>
> I got very upset the other night fighting with RegEdit (any keys and
> values I removed reappeared next reboot).


This is not Microsoft and so your lengthy posts and requests will not
get to them. This is a peer-to-peer newsgroup where, although MS
employees occasionally post here, the majority of the regular helpers
are volunteers who do not work for Microsoft.

Looking briefly over your other two posts, my guess is that you didn't
have the most recent version of Java installed. However, there really
is no way for me to know how you got infected.

http://www.wilderssecurity.com/showthread.php?t=27971 - So How Did I Get
Infected Anyway?
http://wiki.castlecops.com/Malware_R...:_Introduction
http://www.claymania.com/safe-hex.html
http://www.aumha.org/a/parasite.htm - The Parasite Fight
http://msmvps.com/blogs/harrywaldron.../05/82584.aspx - MVP
Harry Waldron - The Family PC - How to stay safe on the Internet
http://www.spywarewarrior.com/rogue_anti-spyware.htm - Eric Howes on
Rogue Antispyware Programs
http://www.microsoft.com/security/protect/default.asp - Protect Your PC

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User