Trojan.Generic.12858518_3114ea8efd

by malwarelabrobot on April 12th, 2015 in Malware Descriptions.

Trojan.Generic.12858518 (AdAware), mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 3114ea8efd988f5c96f975994a37d08d
SHA1: 2eae1f9fbc6113f460393e6222c287460f951526
SHA256: dc03897212f18f15a81b0bd3abc36dd267df90519d67040170dab276861442ff
SSDeep: 49152:OTOttQRAfhx yajEB7VVRsZr8zIM3Suq mBbRER zfH7xP2hQYGUoK5TOArBEgWm:HttmyMy6EB7VVRsZrvxRVzPN2KYGYCwF
Size: 2732016 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:46
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

BarBroker.exe:336
BarBroker.exe:2148
Baidu_Addressbar_47078044_1_oem_dg_1.2.10.15.exe:1140
ASBarBroker.exe:1756
%original file name%.exe:980
Baidu_Toolbar_4:2012
tbservice.exe:1260

The Trojan injects its code into the following process(es):
No injected processes were found.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process Baidu_Addressbar_47078044_1_oem_dg_1.2.10.15.exe:1140 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Baidu\{9A6E096E-4588-3E32-F06C-69F6B8784825}\ASBarBroker.exe (673 bytes)
%Program Files%\Baidu\conf.xml (468 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\百度地址栏1.0\卸载百度地址栏.lnk (1 bytes)
%Program Files%\Baidu\{9A6E096E-4588-3E32-F06C-69F6B8784825}\addressbar.dll (7726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr12.tmp (28640 bytes)
%Program Files%\Baidu\{9A6E096E-4588-3E32-F06C-69F6B8784825}\conf.xml (468 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\百度地址栏1.0\百度地址栏官网.url (158 bytes)
%Program Files%\Baidu\AddressBar.dll (34561 bytes)
%Program Files%\Baidu\ASBarBroker.exe (5064 bytes)

The Trojan deletes the following file(s):

%Program Files%\Baidu\AddressBar\AddressBar_Tmp (0 bytes)
%Program Files%\Baidu\conf.xml (0 bytes)
%Program Files%\Baidu\{9A6E096E-4588-3E32-F06C-69F6B8784825}\conf.xml (0 bytes)
%Program Files%\Baidu\AddressBar.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc10.tmp (0 bytes)
%Program Files%\Baidu\ASBarBroker.exe (0 bytes)
%Program Files%\Baidu\AddressBar (0 bytes)
%Documents and Settings%\%current user%\Application Data\9A6E096E-4588-3E32-F06C-69F6B8784825 (0 bytes)

The process %original file name%.exe:980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nspE.tmp (84037 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu_Addressbar_47078044_1_oem_dg_1.2.10.15.exe (19592 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu_Toolbar_47078044_5_cb_2.0.400.80.exe (66604 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nskD.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu_Addressbar_47078044_1_oem_dg_1.2.10.15.exe (0 bytes)

The process Baidu_Toolbar_4:2012 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Baidu\Toolbar\BaiduBarX.dll (19686 bytes)
%Program Files%\Baidu\Toolbar\BaiduBarX_Tmp\rc.dll (37025 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\x64\TBEnhance.sys (102 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\BDArKit.sys (673 bytes)
%Program Files%\Baidu\Toolbar\BrowserDownload.dll (673 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\10000102.dat (1 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{5F68585C-AF28-4793-9360-66E51B87947C}\Microsoft.VC80.ATL\microsoft.vc80.atl.manifest (466 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\百度工具栏\垃圾清理.url (63 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\bduniptk.sys (1281 bytes)
%System%\drivers\bduniptk.sys (1281 bytes)
%Program Files%\Baidu\Toolbar\BarBroker.exe.N1 (1281 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Toolbar\tmp\bd_13.tmp (2 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\百度工具栏\广告拦截.url (60 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\DownloadDll.dll (103 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{324C03EF-41AC-49C7-88CE-720C670629E2}\Microsoft.VC80.ATL\microsoft.vc80.atl.manifest (466 bytes)
%Program Files%\Baidu\Toolbar\BaiduBarX_Tmp\Update.dll (13584 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{48A02D42-CF48-4601-9126-5F90C2D01273}\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\百度工具栏\隐私保护.url (63 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\ReportRecordDll.dll (111 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\x64\bd0001.sys (181 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Common\Global.db (100 bytes)
%Program Files%\Baidu\Toolbar\BDToolbarProxy.cab (1922 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{2A53DBDC-6363-4742-8166-C38D1E5A4CF6}\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
%System%\drivers\TBEnhance.sys (673 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\microsoft.vc80.crt\msvcm80.dll (1760 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{5F68585C-AF28-4793-9360-66E51B87947C}\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{029F24D8-7145-43A0-A519-1F4D8E37D4AD}\Microsoft.VC80.CRT\microsoft.vc80.crt.manifest (1 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{029F24D8-7145-43A0-A519-1F4D8E37D4AD}\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\百度工具栏\自定义按钮.url (171 bytes)
%Program Files%\Baidu\Toolbar\Report.dll (1281 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\config.xml (456 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\TBEnhance.sys (673 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\BDKitUtils.dll (62 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{2A53DBDC-6363-4742-8166-C38D1E5A4CF6}\Microsoft.VC80.ATL\microsoft.vc80.atl.manifest (466 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\10000101.dat (1 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{2A53DBDC-6363-4742-8166-C38D1E5A4CF6}\Microsoft.VC80.ATL\atl80.dll (601 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{2A53DBDC-6363-4742-8166-C38D1E5A4CF6}\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
%System%\drivers\bd0001.sys (601 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\microsoft.vc80.crt\msvcr80.dll (3705 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{48A02D42-CF48-4601-9126-5F90C2D01273}\Microsoft.VC80.ATL\atl80.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\10000102_ad.dat (165 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{5F68585C-AF28-4793-9360-66E51B87947C}\BDKitUtils.dll (70 bytes)
%Program Files%\Baidu\Toolbar\BugReport.exe.N1 (1425 bytes)
%Program Files%\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll (86996 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{5F68585C-AF28-4793-9360-66E51B87947C}\ArKit.dll (37 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\百度工具栏\屏蔽列表.url (60 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{2A53DBDC-6363-4742-8166-C38D1E5A4CF6}\Microsoft.VC80.CRT\microsoft.vc80.crt.manifest (1 bytes)
%Program Files%\Baidu\Toolbar\BarBroker.exe (1281 bytes)
%Program Files%\Baidu\Toolbar\rc.dll.N1 (8281 bytes)
%Program Files%\Baidu\Toolbar\rc.dll (8281 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\10000101_ad.dat (236 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\microsoft.vc80.crt\microsoft.vc80.crt.manifest (1 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{5F68585C-AF28-4793-9360-66E51B87947C}\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{2A53DBDC-6363-4742-8166-C38D1E5A4CF6}\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{176966FA-0615-4A30-8CE0-1018EEFED0D2}\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\ReportDll.dll (140 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{5F68585C-AF28-4793-9360-66E51B87947C}\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\microsoft.vc80.crt\msvcp80.dll (1835 bytes)
%Program Files%\Baidu\Toolbar\Report.dll.N1 (1281 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{029F24D8-7145-43A0-A519-1F4D8E37D4AD}\FileRecov.dll (168 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{48A02D42-CF48-4601-9126-5F90C2D01273}\IPC.dll (39 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{324C03EF-41AC-49C7-88CE-720C670629E2}\APIMgr.dll (197 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\uninst.exe (227 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\x86\TBEnhance.sys (145 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{029F24D8-7145-43A0-A519-1F4D8E37D4AD}\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{2A53DBDC-6363-4742-8166-C38D1E5A4CF6}\bdxcore.dll (1826 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\百度工具栏\修复功能.url (63 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{176966FA-0615-4A30-8CE0-1018EEFED0D2}\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\toolbarsvc.dll.bdtmp (75523 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\BugReport.exe (304 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{5F68585C-AF28-4793-9360-66E51B87947C}\Microsoft.VC80.CRT\microsoft.vc80.crt.manifest (1 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{029F24D8-7145-43A0-A519-1F4D8E37D4AD}\Microsoft.VC80.ATL\microsoft.vc80.atl.manifest (466 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\PluginFrame.dll (3696 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{324C03EF-41AC-49C7-88CE-720C670629E2}\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\bd0001.sys (601 bytes)
%Program Files%\Baidu\Toolbar\Update.dll.N1 (2321 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{48A02D42-CF48-4601-9126-5F90C2D01273}\Microsoft.VC80.CRT\microsoft.vc80.crt.manifest (1 bytes)
%Program Files%\Baidu\Toolbar\BaiduBarX_Tmp\BarBroker.exe (9320 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{029F24D8-7145-43A0-A519-1F4D8E37D4AD}\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\UtilsDll.dll (82 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{48A02D42-CF48-4601-9126-5F90C2D01273}\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\百度工具栏\伴侣导航.url (63 bytes)
%Program Files%\Baidu\Toolbar\BrowserDownload.dll.N1 (673 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{48A02D42-CF48-4601-9126-5F90C2D01273}\Microsoft.VC80.ATL\microsoft.vc80.atl.manifest (466 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\ProtocolDll.dll (3876 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{029F24D8-7145-43A0-A519-1F4D8E37D4AD}\Microsoft.VC80.ATL\atl80.dll (601 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\microsoft.vc80.atl\microsoft.vc80.atl.manifest (466 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\x86\bd0001.sys (72 bytes)
%Program Files%\Baidu\Toolbar\BaiduBarX_Tmp\Report.dll (8560 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{324C03EF-41AC-49C7-88CE-720C670629E2}\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc11.tmp (141446 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{324C03EF-41AC-49C7-88CE-720C670629E2}\Microsoft.VC80.CRT\microsoft.vc80.crt.manifest (1 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{324C03EF-41AC-49C7-88CE-720C670629E2}\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\百度工具栏\卸载百度工具栏.lnk (1 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{176966FA-0615-4A30-8CE0-1018EEFED0D2}\Microsoft.VC80.ATL\microsoft.vc80.atl.manifest (466 bytes)
%Program Files%\Baidu\Toolbar\BaiduBarX_Tmp\BugReport.exe (11344 bytes)
%Program Files%\Baidu\Toolbar\BaiduBarX.dll.N1 (19686 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{176966FA-0615-4A30-8CE0-1018EEFED0D2}\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\BaseDll.dll (7386 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{48A02D42-CF48-4601-9126-5F90C2D01273}\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{324C03EF-41AC-49C7-88CE-720C670629E2}\Microsoft.VC80.ATL\atl80.dll (601 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\microsoft.vc80.atl\atl80.dll (97 bytes)
%System%\drivers\BDArKit.sys (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ohz\LKHelper.7z (12289 bytes)
%Program Files%\Baidu\Toolbar\BDToolbarProxy.dll (12280 bytes)
%Program Files%\Baidu\Toolbar\BaiduBarX_Tmp\BrowserDownload.dll (6360 bytes)
%Program Files%\Baidu\Toolbar\BaiduBarX_Tmp\Protocol.dll (19096 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\fileverify.xml (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\百度工具栏\个性化首页.url (183 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{176966FA-0615-4A30-8CE0-1018EEFED0D2}\Microsoft.VC80.ATL\atl80.dll (601 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{176966FA-0615-4A30-8CE0-1018EEFED0D2}\Microsoft.VC80.CRT\microsoft.vc80.crt.manifest (1 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{5F68585C-AF28-4793-9360-66E51B87947C}\Microsoft.VC80.ATL\atl80.dll (601 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\百度工具栏\帮助指南.url (64 bytes)
%Program Files%\Baidu\Toolbar\BugReport.exe (1425 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{176966FA-0615-4A30-8CE0-1018EEFED0D2}\DriverManager.dll (160 bytes)
%Program Files%\Baidu\Toolbar\Protocol.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bdzc_Setup_2[1].0.1.183.dll (75523 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\x64\bduniptk.sys (284 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\x64\BDArKit.sys (151 bytes)
%Program Files%\Baidu\Toolbar\Update.dll (2321 bytes)
%Program Files%\Baidu\Toolbar\Protocol.dll.N1 (3361 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\tbservice.exe (242 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\x86\bduniptk.sys (258 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\x86\BDArKit.sys (140 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\x86\TBEnhance.sys (0 bytes)
%Program Files%\Baidu\Toolbar\BaiduBarX.dll.N1 (0 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\x64\bd0001.sys (0 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\x64\BDArKit.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ohz\LKHelper.7z (0 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\x64\TBEnhance.sys (0 bytes)
%Program Files%\Baidu\Toolbar\BarBroker.exe.N1 (0 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Toolbar\tmp\bd_13.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswF.tmp (0 bytes)
%Program Files%\Baidu\Toolbar\BugReport.exe.N1 (0 bytes)
%Program Files%\Baidu\Toolbar\Update.dll.N1 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bdzc_Setup_2[1].0.1.183.dll (0 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\x64\bduniptk.sys (0 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\x86 (0 bytes)
%Program Files%\Baidu\Toolbar\BDToolbarProxy.cab (0 bytes)
%Program Files%\Baidu\Toolbar\Protocol.dll.N1 (0 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\x86\BDArKit.sys (0 bytes)
%Program Files%\Baidu\Toolbar\rc.dll.N1 (0 bytes)
%Program Files%\Baidu\Toolbar\BrowserDownload.dll.N1 (0 bytes)
%Program Files%\Baidu\Toolbar\Report.dll.N1 (0 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\x86\bd0001.sys (0 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\x86\bduniptk.sys (0 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\x64 (0 bytes)

The process tbservice.exe:1260 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\apps.db (8171 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\6FXLVcNVzlXfVehVy1XYVfJV9VX VcdV2lU=\6FXLVcNVzlXfVehVy1XYVfJVhFXOVcZVxlU= (19686 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\6FXLVcNVzlXfVehVy1XYVfJV9VX VcdV2lU=\6FXLVdhV6FXYVcVVwVXPVdhVhFXPVdJVz1U= (1281 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\filerecov.dat (96 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\6FXYVcVV3VXZVc9V2FXuVcVV3VXEVcZVxVXLVc5VhFXOVcZVxlU= (673 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\6FXLVcNVzlXfVehVy1XYVfJV9VX VcdV2lU=\6FXYVcVV3VXZVc9V2FXuVcVV3VXEVcZVxVXLVc5VhFXOVcZVxlU= (673 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\6FXLVcNVzlXfVehVy1XYVfJVhFXOVcZVxlU= (19686 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\6FXfVc1V FXPVdpVxVXYVd5VhFXPVdJVz1U= (1425 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\6FXLVcNVzlXfVehVy1XYVfJV9VX VcdV2lU=\ lXYVcVV3lXFVclVxVXGVYRVzlXGVcZV (3361 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\6FXLVcNVzlXfVehVy1XYVfJV9VX VcdV2lU=\_1XaVc5Vy1XeVc9VhFXOVcZVxlU= (2321 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\6FXLVdhV6FXYVcVVwVXPVdhVhFXPVdJVz1U= (1281 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\ FXPVdpVxVXYVd5VhFXOVcZVxlU= (1281 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\apps.db-journal (56054 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\_1XaVc5Vy1XeVc9VhFXOVcZVxlU= (2321 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\2FXJVYRVzlXGVcZV (8281 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\6FXLVcNVzlXfVehVy1XYVfJV9VX VcdV2lU=\ FXPVdpVxVXYVd5VhFXOVcZVxlU= (1281 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\ lXYVcVV3lXFVclVxVXGVYRVzlXGVcZV (3361 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\6FXLVcNVzlXfVehVy1XYVfJV9VX VcdV2lU=\6FXfVc1V FXPVdpVxVXYVd5VhFXPVdJVz1U= (1425 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\6FXLVcNVzlXfVehVy1XYVfJV9VX VcdV2lU=\2FXJVYRVzlXGVcZV (8281 bytes)
%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\6FXuVf5VxVXFVcZVyFXLVdhV lXYVcVV0lXTVYRVzlXGVcZV (4545 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\apps.db-journal (0 bytes)

Registry activity

The process BarBroker.exe:336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}]
"Policy" = "3"

[HKCR\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}]
"AppID" = "{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}"
"(Default)" = "BDBroker Class"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}]
"AppName" = "BarBroker.exe"

[HKCR\TypeLib\{3A8C9D89-3271-45F4-98C0-56B0F5A16172}\1.0\0\win32]
"(Default)" = "%Program Files%\Baidu\Toolbar\BarBroker.exe"

[HKCR\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\TypeLib]
"Version" = "1.0"
"(Default)" = "{3A8C9D89-3271-45F4-98C0-56B0F5A16172}"

[HKCR\TypeLib\{3A8C9D89-3271-45F4-98C0-56B0F5A16172}\1.0\HELPDIR]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}]
"AppPath" = "%ProgramFiles%\Baidu\Toolbar"

[HKCR\AppID\BarBroker.EXE]
"AppID" = "{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}"

[HKCR\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\LocalServer32]
"(Default)" = "%Program Files%\Baidu\Toolbar\BarBroker.exe"

[HKCR\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\VersionIndependentProgID]
"(Default)" = "BarBroker.BDBroker"

[HKCR\BarBroker.BDBroker\CLSID]
"(Default)" = "{5BECD27B-DCF5-4DEF-B066-486A47245C03}"

[HKCR\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\ProgID]
"(Default)" = "BarBroker.BDBroker.1"

[HKCR\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{3A8C9D89-3271-45F4-98C0-56B0F5A16172}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\BarBroker.BDBroker.1\CLSID]
"(Default)" = "{5BECD27B-DCF5-4DEF-B066-486A47245C03}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 E4 3B B3 B8 58 01 DF 40 E1 00 59 C5 94 65 A8"

[HKCR\Interface\{2923508C-9425-4A61-B9CE-A98239055916}]
"(Default)" = "IBDBroker"

[HKCR\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\TypeLib]
"(Default)" = "{3A8C9D89-3271-45F4-98C0-56B0F5A16172}"

[HKCR\AppID\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}]
"(Default)" = "BarBroker"

[HKCR\BarBroker.BDBroker\CurVer]
"(Default)" = "BarBroker.BDBroker.1"

[HKCR\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\BarBroker.BDBroker]
"(Default)" = "BDBroker Class"

[HKCR\TypeLib\{3A8C9D89-3271-45F4-98C0-56B0F5A16172}\1.0]
"(Default)" = "BarBroker 1.0 Type Library"

[HKCR\BarBroker.BDBroker.1]
"(Default)" = "BDBroker Class"

The process BarBroker.exe:2148 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 0B B5 A9 B1 4B 49 BF 71 B6 21 A7 4B B7 62 61"

The process Baidu_Addressbar_47078044_1_oem_dg_1.2.10.15.exe:1140 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\ProgID]
"(Default)" = "AddressSearch.SnavHttpProtocol.1"

[HKLM\SOFTWARE\{78302E8C-3C6F-267C-2E0D-1D37BF7E3D64}\iexp]
"AppPath" = "baiduAddr"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
"{871C5380-42A0-1069-A2EA-08002B30309D}" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCR\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\9A6E096E-4588-3E32-F06C-69F6B8784825.Addr.1\CLSID]
"(Default)" = "{9A6E096E-4588-3E32-F06C-69F6B8784825}"

[HKCR\TypeLib\{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9A6E096E-4588-3E32-F06C-69F6B8784825}]
"URLUpdateInfo" = "http://dzl.baidu.com"

[HKLM\SOFTWARE\{78302E8C-3C6F-267C-2E0D-1D37BF7E3D64}\iexp]
"IERepair" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9A6E096E-4588-3E32-F06C-69F6B8784825}]
"UninstallString" = "c:\PROGRA~1\baidu\{9A6E0~1\ASBarBroker.exe -runasAdmin -SVCUninstall -addressbar.dll"

[HKCR\AddressSearch.JsObject.1\CLSID]
"(Default)" = "{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}"

[HKLM\SOFTWARE\{78302E8C-3C6F-267C-2E0D-1D37BF7E3D64}\iexp]
"CH" = "33"

[HKCR\Interface\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}\TypeLib]
"(Default)" = "{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}"

[HKLM\SOFTWARE\{78302E8C-3C6F-267C-2E0D-1D37BF7E3D64}\iexp]
"UniControlPanel" = "1"

[HKCR\AddressSearch.JsObject.1]
"(Default)" = "JsObject Class"

[HKLM\SOFTWARE\{78302E8C-3C6F-267C-2E0D-1D37BF7E3D64}\iexp]
"SugSwitchKey" = "{333C79E5-5E49-498b-B048-5F573FE56EA6}"
"AutoUpdate" = "1"

[HKCR\CLSID\{9A6E096E-4588-3E32-F06C-69F6B8784825}\VersionIndependentProgID]
"(Default)" = "9A6E096E-4588-3E32-F06C-69F6B8784825.Addr"

[HKCR\Interface\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\VersionIndependentProgID]
"(Default)" = "AddressSearch.SnavHttpProtocol"

[HKCR\Interface\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\9A6E096E-4588-3E32-F06C-69F6B8784825.Addr]
"(Default)" = "9A6E096E-4588-3E32-F06C-69F6B8784825 Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:\PROGRA~1\baidu\{9A6E0~1]
"ASBarBroker.exe" = "地址栏辅助应用程序。"

[HKLM\SOFTWARE\{78302E8C-3C6F-267C-2E0D-1D37BF7E3D64}\iexp]
"AutoSug" = "1"

[HKCR\CLSID\{9A6E096E-4588-3E32-F06C-69F6B8784825}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}\TypeLib]
"(Default)" = "{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCR\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}\VersionIndependentProgID]
"(Default)" = "AddressSearch.JsObject"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCR\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}]
"(Default)" = "ISearchHook"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}]
"(Default)" = ""

[HKCU\Software\Microsoft\Internet Explorer\TypedURLs]
"url1" = "http://www.baidu.com/index.php?tn=baidudg&addresssearch=1"
"url2" = "http://www.baidu.com/index.php?tn=baidudg&addresssearch=2"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\c:\program files\baidu\addressbar\,"

[HKLM\SOFTWARE\baidutoolbarinstall]
"silent" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9A6E096E-4588-3E32-F06C-69F6B8784825}]
"EstimatedSize" = "1299"

[HKCR\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9A6E096E-4588-3E32-F06C-69F6B8784825}]
"DisplayName" = "百度地址栏"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCR\CLSID\{9A6E096E-4588-3E32-F06C-69F6B8784825}]
"(Default)" = "9A6E096E-4588-3E32-F06C-69F6B8784825 Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}]
"(Default)" = "IJsObject"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCR\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}\Programmable]
"(Default)" = ""

[HKLM\SOFTWARE\{78302E8C-3C6F-267C-2E0D-1D37BF7E3D64}\iexp]
"RegPath" = "baiduAddr"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}]
"URL" = "http://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=47078044_1_oem_dg&ch=33"

[HKCR\AddressSearch.JsObject]
"(Default)" = "JsObject Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\{78302E8C-3C6F-267C-2E0D-1D37BF7E3D64}\iexp]
"qdmcmc" = "E4 18 5C E4 48 8D 68 A8 43 AE AB 48 C8 0D 92 4B"

[HKCR\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}]
"(Default)" = "ISnavHttpProtocol"

[HKCR\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}\TypeLib]
"(Default)" = "{F9BC0421-BB5C-447d-8547-BB45AFA80A4D}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 28 73 D0 23 CC 53 AF CB F4 0A 62 D3 D4 FF A2"

[HKCR\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}\ProgID]
"(Default)" = "AddressSearch.JsObject.1"

[HKLM\SOFTWARE\{78302E8C-3C6F-267C-2E0D-1D37BF7E3D64}\iexp]
"SettingBtn" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\TypeLib\{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}\1.0\HELPDIR]
"(Default)" = ""

[HKCR\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}]
"(Default)" = "JsObject Class"

[HKLM\SOFTWARE\{78302E8C-3C6F-267C-2E0D-1D37BF7E3D64}\iexp]
"AddressRepair" = "1"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}]
"SuggestionsURL_JSON" = "http://suggestion.baidu.com/su?wd={searchTerms}&action=opensearch&ie={inputEncoding}&from=ie8"

[HKCR\9A6E096E-4588-3E32-F06C-69F6B8784825.Addr\CLSID]
"(Default)" = "{9A6E096E-4588-3E32-F06C-69F6B8784825}"

[HKCR\CLSID\{9A6E096E-4588-3E32-F06C-69F6B8784825}\InprocServer32]
"(Default)" = "c:\program files\baidu\{9a6e096e-4588-3e32-f06c-69f6b8784825}\addressbar.dll"

[HKCR\Interface\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}\TypeLib]
"Version" = "1.0"

[HKCR\9A6E096E-4588-3E32-F06C-69F6B8784825.Addr.1]
"(Default)" = "9A6E096E-4588-3E32-F06C-69F6B8784825 Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\{78302E8C-3C6F-267C-2E0D-1D37BF7E3D64}\iexp]
"AutoSugBand" = "1"

[HKCR\CLSID\{9A6E096E-4588-3E32-F06C-69F6B8784825}\Programmable]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9A6E096E-4588-3E32-F06C-69F6B8784825}]
"DisplayVersion" = "1.0"

[HKCR\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\AddressSearch.SnavHttpProtocol\CLSID]
"(Default)" = "{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9A6E096E-4588-3E32-F06C-69F6B8784825}]
"Publisher" = "百度"

[HKLM\SOFTWARE\{78302E8C-3C6F-267C-2E0D-1D37BF7E3D64}\iexp]
"LocalNetSugShow" = "1"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}]
"DisplayName" = "百度一下,你就知道"

[HKLM\SOFTWARE\{78302E8C-3C6F-267C-2E0D-1D37BF7E3D64}\iexp]
"StartupMenu" = "1"

[HKCR\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{871C5380-42A0-1069-A2EA-08002B30309D}" = "0"

[HKCR\AddressSearch.SnavHttpProtocol]
"(Default)" = "SnavHttpProtocol Class"

[HKCR\9A6E096E-4588-3E32-F06C-69F6B8784825.Addr\CurVer]
"(Default)" = "9A6E096E-4588-3E32-F06C-69F6B8784825.Addr.1"

[HKCR\AddressSearch.JsObject\CLSID]
"(Default)" = "{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}"

[HKCR\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}]
"(Default)" = "SnavHttpProtocol Class"

[HKCR\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\InprocServer32]
"(Default)" = "c:\program files\baidu\{9a6e096e-4588-3e32-f06c-69f6b8784825}\addressbar.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID]
"{9A6E096E-4588-3E32-F06C-69F6B8784825}" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCR\CLSID\{9A6E096E-4588-3E32-F06C-69F6B8784825}\ProgID]
"(Default)" = "9A6E096E-4588-3E32-F06C-69F6B8784825.Addr.1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\TypeLib\{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}\1.0]
"(Default)" = "AddressBar 1.0 Type Library"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9A6E096E-4588-3E32-F06C-69F6B8784825}]
"DisplayIcon" = "c:\program files\baidu\{9a6e096e-4588-3e32-f06c-69f6b8784825}\addressbar.dll,2"

[HKCR\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}\TypeLib]
"(Default)" = "{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}]
"FaviconURL" = "http://www.baidu.com/favicon.ico"

[HKCR\AddressSearch.JsObject\CurVer]
"(Default)" = "AddressSearch.JsObject.1"

[HKCR\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\Programmable]
"(Default)" = ""

[HKLM\SOFTWARE\{78302E8C-3C6F-267C-2E0D-1D37BF7E3D64}\iexp]
"SearchWnd" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCR\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}\InprocServer32]
"(Default)" = "c:\program files\baidu\{9a6e096e-4588-3e32-f06c-69f6b8784825}\addressbar.dll"

[HKCR\AddressSearch.SnavHttpProtocol.1]
"(Default)" = "SnavHttpProtocol Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\{78302E8C-3C6F-267C-2E0D-1D37BF7E3D64}\iexp]
"NavWnd" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCR\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\TypeLib\{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}\1.0\0\win32]
"(Default)" = "c:\program files\baidu\{9a6e096e-4588-3e32-f06c-69f6b8784825}\addressbar.dll"

[HKCR\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\TypeLib]
"(Default)" = "{F9BC0421-BB5C-447d-8547-BB45AFA80A4D}"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCR\CLSID\{9A6E096E-4588-3E32-F06C-69F6B8784825}\TypeLib]
"(Default)" = "{F9BC0421-BB5C-447d-8547-BB45AFA80A4D}"

[HKCR\AddressSearch.SnavHttpProtocol\CurVer]
"(Default)" = "AddressSearch.SnavHttpProtocol.1"

[HKCR\AddressSearch.SnavHttpProtocol.1\CLSID]
"(Default)" = "{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}"

[HKCR\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCR\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\{78302E8C-3C6F-267C-2E0D-1D37BF7E3D64}\iexp]
"UniUI" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9A6E096E-4588-3E32-F06C-69F6B8784825}]
"NoExplorer" = "1"

The Trojan modifies IE settings for security zones to map all local web nodes with no dots that do not belong to any other zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\{78302E8C-3C6F-267C-2E0D-1D37BF7E3D64}\iexp]
[HKLM\SOFTWARE\{78302E8C-3C6F-267C-2E0D-1D37BF7E3D64}]
[HKLM\SOFTWARE\baidutoolbarinstall]

The Trojan deletes the following value(s) in the system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AddressBarUpdate"

"{9A6E096E-4588-3E32-F06C-69F6B8784825}"

The process ASBarBroker.exe:1756 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCR\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}]
"(Default)" = "BDBroker Class"

[HKCR\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC}]
"(Default)" = "IBDBroker"

[HKCR\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\VersionIndependentProgID]
"(Default)" = "ASBarBroker.BDBroker"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}]
"AppName" = "ASBarBroker.exe"

[HKCR\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\LocalServer32]
"(Default)" = "c:\PROGRA~1\baidu\{9A6E0~1\ASBarBroker.exe"

[HKCR\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}]
"AppID" = "{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}"

[HKCR\TypeLib\{D02E3AB9-7796-40CB-BDFC-20D834FE1F75}\1.0]
"(Default)" = "ASBarBroker 1.0 Type Library"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}]
"AppName" = "ASBarBroker.exe"

[HKCR\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC}\TypeLib]
"(Default)" = "{D02E3AB9-7796-40CB-BDFC-20D834FE1F75}"

[HKCR\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}]
"AppPath" = "c:\Program Files\Baidu\{9A6E096E-4588-3E32-F06C-69F6B8784825}"

[HKCR\ASBarBroker.BDBroker]
"(Default)" = "BDBroker Class"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}]
"Policy" = "3"

[HKCR\TypeLib\{D02E3AB9-7796-40CB-BDFC-20D834FE1F75}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}]
"AppPath" = "%ProgramFiles%\Baidu\AddressBar"

[HKCR\ASBarBroker.BDBroker.1\CLSID]
"(Default)" = "{91878E42-FC03-4785-B513-1F9E613D1027}"

[HKCR\TypeLib\{D02E3AB9-7796-40CB-BDFC-20D834FE1F75}\1.0\0\win32]
"(Default)" = "c:\PROGRA~1\baidu\{9A6E0~1\ASBarBroker.exe"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}]
"Policy" = "3"

[HKCR\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\TypeLib]
"(Default)" = "{D02E3AB9-7796-40cb-BDFC-20D834FE1F75}"

[HKCR\AppID\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}]
"(Default)" = "ASBarBroker"

[HKCR\ASBarBroker.BDBroker\CLSID]
"(Default)" = "{91878E42-FC03-4785-B513-1F9E613D1027}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF 80 8F E7 7C 0E 53 08 99 15 FB 3C 1D 8A B0 97"

[HKCR\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\ASBarBroker.BDBroker.1]
"(Default)" = "BDBroker Class"

[HKCR\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\ProgID]
"(Default)" = "ASBarBroker.BDBroker.1"

[HKCR\TypeLib\{D02E3AB9-7796-40CB-BDFC-20D834FE1F75}\1.0\HELPDIR]
"(Default)" = ""

[HKCR\AppID\ASBarBroker.EXE]
"AppID" = "{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}"

[HKCR\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC}\TypeLib]
"Version" = "1.0"

[HKCR\ASBarBroker.BDBroker\CurVer]
"(Default)" = "ASBarBroker.BDBroker.1"

The process %original file name%.exe:980 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 77 CD 88 B8 58 0E 0E 48 32 EF 26 CC BA DC 95"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process Baidu_Toolbar_4:2012 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCR\BaiduBarX.ToolBand\CurVer]
"(Default)" = "BaiduBarX.ToolBand.1"

[HKCR\CLSID\{23A2B2B7-21DE-4B88-AFBA-5A918ABBF463}\TypeLib]
"(Default)" = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}"

[HKCR\BaiduBarEx.BDHomePage.2]
"(Default)" = "百度工具栏个性化首页支持组件"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\baidu\BaiduToolbar\NoAD]
"AllPic_State" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform]
"{D9D54F49-E51C-445e-92F2-1EE3C2313240}" = ""

[HKCR\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\ProgID]
"(Default)" = "BaiduBar.Tool.1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BaiduBarX]
"Publisher" = "百度公司"

[HKCR\BaiduBarX.BDLogin.1\CLSID]
"(Default)" = "{23A2B2B7-21DE-4B88-AFBA-5A918ABBF463}"

[HKCR\BaiduBarX.ToolBand.1]
"(Default)" = "百度工具栏"

[HKCR\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\ProgID]
"(Default)" = "BaiduBarEx.BDHomePage.5"

[HKLM\SOFTWARE\Baidu\BaiduToolbar]
"idtmp" = "47078044_5_cb"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B580CF65-E151-49C3-B73F-70B13FCA8E86}" = "12"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\baidu\BaiduToolbar\NoAD]
"AllVoice_State" = "0"

[HKLM\SOFTWARE\Baidu\tbservice]
"INSTLANG" = "2052"

[HKLM\System\CurrentControlSet\Services\bduniptk]
"Group" = "bddriver"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Type" = "1"

[HKCR\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}]
"(Default)" = "Baidu Toolbar BHO"

[HKLM\System\CurrentControlSet\Services\TBEnhance]
"ErrorControl" = "0"

[HKCR\CLSID\{23A2B2B7-21DE-4B88-AFBA-5A918ABBF463}]
"(Default)" = "BDLogin Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BaiduBarX]
"UninstallString" = "%Program Files%\Baidu\Toolbar\BarBroker.exe -runasAdmin -SVCUninstall"

[HKCR\BaiduBarX.BDLogin]
"(Default)" = "BDLogin Class"

[HKCR\CLSID\{23A2B2B7-21DE-4B88-AFBA-5A918ABBF463}\InprocServer32]
"(Default)" = "%Program Files%\Baidu\Toolbar\BaiduBarX.dll"

[HKCR\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\VersionIndependentProgID]
"(Default)" = "BaiduBarX.ToolBand"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Tag" = "4"

[HKCR\BaiduBarX.BandIE\CurVer]
"(Default)" = "BaiduBarX.BandIE.1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCR\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\InprocServer32]
"(Default)" = "%Program Files%\Baidu\Toolbar\BaiduBarX.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BaiduBarX]
"URLUpdateInfo" = "http://toolbar.baidu.com/"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCR\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\InprocServer32]
"ThreadingModel" = "both"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\System\CurrentControlSet\Services\bduniptk]
"Tag" = "2"

[HKCR\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\VersionIndependentProgID]
"(Default)" = "BaiduBar.Tool"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"ErrorControl" = "0"

[HKCR\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\InprocServer32]
"(Default)" = "%Program Files%\Baidu\Toolbar\BaiduBarX.dll"

[HKCU\Software\baidu\BaiduToolbar\NoAD\Page_Block]
"5" = "*doubleclick.*"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Description" = "BDArKit"

[HKLM\SOFTWARE\Baidu\tbservice]
"SupplyID" = "10000102"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\baidu\BaiduToolbar]
"HasSCInstall" = "0"

[HKCR\BaiduBarEx.BDHomePage.5]
"(Default)" = "百度工具栏个性化首页支持组件"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Baidu\Toolbar]
"BarBroker.exe" = "百度工具栏辅助应用程序。"

[HKCU\Software\baidu\BaiduToolbar\NoAD\Page_Block]
"0" = "*/ad.*"

[HKCR\BaiduBarX.BandIE\CLSID]
"(Default)" = "{77FEF28E-EB96-44FF-B511-3185DEA48697}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCR\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\InprocServer32]
"(Default)" = "%Program Files%\Baidu\Toolbar\BaiduBarX.dll"

[HKCR\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\TypeLib]
"(Default)" = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}"

[HKCR\BaiduBarX.ToolBand]
"(Default)" = "百度工具栏"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}]
"(Default)" = "百度工具栏个性化首页支持组件"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\System\CurrentControlSet\Services\bduniptk]
"Description" = "bduniptk"

[HKLM\SOFTWARE\Baidu\BaiduToolbar]
"qdmcmc" = "EE D2 4B B6 9F 8A CF D9 32 12 FE 31 66 3B D0 2D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCR\BaiduBarX.ToolBand\CLSID]
"(Default)" = "{B580CF65-E151-49C3-B73F-70B13FCA8E86}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BaiduBarX]
"DisplayIcon" = "%Program Files%\Baidu\Toolbar\rc.dll,0"

[HKCR\BaiduBar.Tool.1\CLSID]
"(Default)" = "{A7F05EE4-0426-454F-8013-C41E3596E9E9}"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions" = "yes"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}]
"URL" = "http://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&bar=13&tn=47078044_5_cb"

[HKLM\SOFTWARE\Baidu\tbservice]
"RtpFlag" = "273"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\System\CurrentControlSet\Services\TBEnhance]
"Description" = "TBEnhance"

[HKCU\Software\baidu\BaiduToolbar\NoAD\Page_Block]
"9" = "*cnsmin.3721.com/*"

[HKCR\BaiduBarEx.BDHomePage.1]
"(Default)" = "百度工具栏个性化首页支持组件"

[HKLM\SOFTWARE\Baidu\BaiduToolbar]
"istsign" = "1"

[HKCR\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\TypeLib]
"(Default)" = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 45 1B 52 19 4A 7C 4B 2D 88 B8 6A D2 AA DC 4D"

[HKCU\Software\baidu\BaiduToolbar\NoAD\Page_Block]
"16" = "*/adImages/*"

[HKCR\BaiduBarEx.BDHomePage.1\CLSID]
"(Default)" = "{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}"

[HKCR\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}]
"(Default)" = "百度工具栏"

[HKCR\BaiduBarEx.BDHomePage]
"(Default)" = "百度工具栏个性化首页支持组件"

[HKLM\System\CurrentControlSet\Services\bd0001]
"DisplayName" = "bd0001"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\BaiduBarEx.BDHomePage\CurVer]
"(Default)" = "BaiduBarEx.BDHomePage.5"

[HKCU\Software\baidu\BaiduToolbar]
"HomePageSetEnabled" = "0"

[HKCU\Software\baidu\BaiduToolbar\NoAD\Page_Allow]
"30" = "*.hao123.com*"

[HKCR\BaiduBarX.BandIE]
"(Default)" = "Baidu Toolbar BHO"

[HKCR\BaiduBar.Tool]
"(Default)" = "百度工具栏辅助对象"

[HKLM\System\CurrentControlSet\Services\bduniptk]
"ErrorControl" = "0"

[HKCR\BaiduBarX.BDLogin\CLSID]
"(Default)" = "{23A2B2B7-21DE-4B88-AFBA-5A918ABBF463}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCR\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\InprocServer32]
"(Default)" = "%Program Files%\Baidu\Toolbar\BaiduBarX.dll"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Group" = "bddriver"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\BaiduBarEx.BDHomePage.4]
"(Default)" = "百度工具栏个性化首页支持组件"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"DisplayName" = "BDArKit"

[HKLM\System\CurrentControlSet\Services\TBEnhance]
"Tag" = "5"

[HKCR\CLSID\{23A2B2B7-21DE-4B88-AFBA-5A918ABBF463}\VersionIndependentProgID]
"(Default)" = "BaiduBarX.BDLogin"

[HKCR\BaiduBarEx.BDHomePage.3]
"(Default)" = "百度工具栏个性化首页支持组件"

[HKCR\BaiduBarX.BDLogin\CurVer]
"(Default)" = "BaiduBarX.BDLogin.1"

[HKCR\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BaiduBarX]
"DisplayVersion" = "2.0.400.80"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Tag" = "1"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"ImagePath" = "system32\DRIVERS\BDArKit.sys"

[HKCU\Software\baidu\BaiduToolbar]
"ForceShow" = "1"

[HKLM\SOFTWARE\Baidu\BaiduToolbar]
"CH" = ""

[HKLM\SOFTWARE\Baidu\tbservice]
"Version" = "2.0.1.183"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}]
"DisplayName" = "百度一下,你就知道"

[HKCR\CLSID\{23A2B2B7-21DE-4B88-AFBA-5A918ABBF463}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"bddriver" = "02 00 00 00 01 00 00 00 02 00 00 00"

[HKCR\BaiduBarX.ToolBand.1\CLSID]
"(Default)" = "{B580CF65-E151-49C3-B73F-70B13FCA8E86}"

[HKLM\System\CurrentControlSet\Services\bduniptk]
"Type" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\System\CurrentControlSet\Services\bduniptk]
"ImagePath" = "system32\DRIVERS\bduniptk.sys"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BaiduBarX]
"HelpLink" = "http://www.baidu.com/search/sobar.html"

[HKCU\Software\baidu\BaiduToolbar]
"IEDefaultSearch" = "1"

[HKLM\System\CurrentControlSet\Control\ServiceGroupOrder]
"List" = "System Reserved, Boot Bus Extender, System Bus Extender, SCSI miniport, Port, Primary Disk, SCSI Class, SCSI CDROM Class, FSFilter Infrastructure, FSFilter System, FSFilter Bottom, FSFilter Copy Protection, FSFilter Security Enhancer, FSFilter Open File, FSFilter Physical Quota Management, FSFilter Encryption, FSFilter Compression, FSFilter HSM, FSFilter Cluster File System, FSFilter System Recovery, FSFilter Quota Management, FSFilter Content Screener, FSFilter Continuous Backup, FSFilter Replication, FSFilter Anti-Virus, FSFilter Undelete, bddriver, FSFilter Activity Monitor, FSFilter Top, Filter, Boot File System, Base, Pointer Port, Keyboard Port, Pointer Class, Keyboard Class, Video Init, Video, Video Save, File System, Event Log, Streams Drivers, NDIS Wrapper, COM Infrastructure, UIGroup, LocalValidation, PlugPlay, PNP_TDI, NDIS, TDI, NetBIOSGroup, ShellSvcGroup, SchedulerGroup, SpoolerGroup, AudioGroup, SmartCardGroup, NetworkProvider, RemoteValidation, NetDDEGroup, Parallel arbitrator, Extended Base, PCI Configuration, MS Transactions"

[HKLM\System\CurrentControlSet\Services\bd0001]
"ImagePath" = "system32\DRIVERS\bd0001.sys"

[HKLM\SOFTWARE\Baidu\tbservice]
"InstallDir" = "%Documents and Settings%\All Users\Baidu\tbservice"

[HKLM\System\CurrentControlSet\Services\bduniptk]
"DisplayName" = "bduniptk"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Type" = "1"

[HKLM\System\CurrentControlSet\Services\TBEnhance]
"Group" = "bddriver"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BaiduBarX]
"EstimatedSize" = "11850"

[HKLM\System\CurrentControlSet\Services\TBEnhance]
"Type" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCR\BaiduBar.Tool.1]
"(Default)" = "百度工具栏辅助对象"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\bd0001]
"ErrorControl" = "0"

[HKLM\SOFTWARE\Baidu\tbservice]
"InstallDate" = "2015-4-11"

[HKLM\System\CurrentControlSet\Services\TBEnhance]
"ImagePath" = "system32\DRIVERS\TBEnhance.sys"

[HKCU\Software\baidu\BaiduToolbar\NoAD]
"AllFlash_State" = "0"

[HKCR\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\TypeLib]
"(Default)" = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCR\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\TypeLib]
"(Default)" = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}"

[HKCR\BaiduBar.Tool\CLSID]
"(Default)" = "{A7F05EE4-0426-454F-8013-C41E3596E9E9}"

[HKCR\BaiduBarX.BandIE.1\CLSID]
"(Default)" = "{77FEF28E-EB96-44FF-B511-3185DEA48697}"

[HKCR\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\ProgID]
"(Default)" = "BaiduBarX.BandIE.1"

[HKLM\System\CurrentControlSet\Services\TBEnhance]
"DisplayName" = "TBEnhance"

[HKCR\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}]
"(Default)" = "百度工具栏辅助对象"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\baidu\BaiduToolbar\NoAD\Page_Block]
"17" = "*.swf[a-z]*"
"14" = "*/banner*"
"15" = "http://ad.*"
"13" = "*/advlink/*"
"10" = "*/adv/*"
"11" = "*/images_ad/*"

[HKCR\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\baidu\BaiduToolbar\NoAD\Page_Block]
"18" = "*images.sohu.com/cs/button/*"

[HKCR\BaiduBarX.BandIE.1]
"(Default)" = "Baidu Toolbar BHO"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BaiduBarX]
"DisplayName" = "百度工具栏"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCR\BaiduBarEx.BDHomePage.2\CLSID]
"(Default)" = "{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\BaiduBarEx.BDHomePage.4\CLSID]
"(Default)" = "{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}"

[HKCR\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\VersionIndependentProgID]
"(Default)" = "BaiduBarEx.BDHomePage"

[HKCR\BaiduBarX.BDLogin.1]
"(Default)" = "BDLogin Class"

[HKCU\Software\baidu\BaiduToolbar\NoAD\Page_Block]
"4" = "*/advpic*"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = "{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}"

[HKCU\Software\baidu\BaiduToolbar\NoAD\Page_Block]
"6" = "*/ad/*"
"7" = "*/banner_img/*"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\baidu\BaiduToolbar\NoAD\Page_Block]
"1" = "http://ad[0-9].*"
"2" = "http://ads."
"3" = "*banner.*"

[HKCU\Software\baidu\BaiduToolbar\NoAD\Page_Allow]
"34" = "*.skycn.net*"
"35" = "*.baifubao.com*"

[HKCU\Software\baidu\BaiduToolbar\NoAD\Page_Block]
"8" = "*/adbanners*"

[HKCU\Software\baidu\BaiduToolbar\NoAD\Page_Allow]
"31" = "*.baidu.com*"
"32" = "*.youa.com*"
"33" = "*.skycn.com*"

[HKCR\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\VersionIndependentProgID]
"(Default)" = "BaiduBarX.BandIE"

[HKCR\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\ProgID]
"(Default)" = "BaiduBarX.ToolBand.1"

[HKCR\CLSID\{23A2B2B7-21DE-4B88-AFBA-5A918ABBF463}\ProgID]
"(Default)" = "BaiduBarX.BDLogin.1"

[HKCR\BaiduBarEx.BDHomePage\CLSID]
"(Default)" = "{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}"

[HKCU\Software\baidu\BaiduToolbar\NoAD\Page_Block]
"12" = "*/ads/*"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\baidu\BaiduToolbar]
"itdate" = "32 EE 15 00 6C 38 29 55 6C 38 29 55"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Group" = "bddriver"

[HKCR\BaiduBarEx.BDHomePage.5\CLSID]
"(Default)" = "{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BaiduBarX]
"InstallLocation" = "%Program Files%\Baidu\Toolbar"

[HKCR\BaiduBarEx.BDHomePage.3\CLSID]
"(Default)" = "{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCR\BaiduBar.Tool\CurVer]
"(Default)" = "BaiduBar.Tool.1"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Description" = "bd0001"

[HKCU\Software\baidu\BaiduToolbar]
"FirstRun" = "1"

The following driver will be automatically launched by the NT Native code (IoInitSystem method):

[HKLM\System\CurrentControlSet\Services\TBEnhance]
"Start" = "1"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}]
"ID" = "bdbar"

The following driver will be automatically launched by the NT Native code (IoInitSystem method):

[HKLM\System\CurrentControlSet\Services\bduniptk]
"Start" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}]
"NoExplorer" = "1"

The following service will be launched automatically at system boot up:

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Start" = "2"

The Trojan modifies IE settings for security zones to map all local web-nodes (names with no dots) that do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The following driver will be automatically launched by the NT Native code (IoInitSystem method):

[HKLM\System\CurrentControlSet\Services\bd0001]
"Start" = "1"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\VersionIndependentProgID]
[HKCR\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\TypeLib]
[HKCR\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}]
[HKCR\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\ProgID]
[HKCR\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\InprocServer32]
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}]

The Trojan deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Services\TBEnhance]
"DeleteFlag"

[HKLM\SOFTWARE\Baidu\tbservice]
"RtpFlag"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKLM\System\CurrentControlSet\Services\bd0001]
"DeleteFlag"

[HKLM\System\CurrentControlSet\Services\bduniptk]
"DeleteFlag"

[HKLM\SOFTWARE\Baidu\BaiduToolbar]
"istsign"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID]
"{77FEF28E-EB96-44FF-B511-3185DEA48697}"
"{B580CF65-E151-49C3-B73F-70B13FCA8E86}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"DeleteFlag"

The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"BaidubarXRemove"

"BaidubarXUpdate"

The process tbservice.exe:1260 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Services\bduniptk]
"ErrorControl" = "0"

[HKLM\System\CurrentControlSet\Services\TBEnhance]
"ImagePath" = "system32\DRIVERS\TBEnhance.sys"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Description" = "BDArKit"
"Type" = "1"
"Group" = "bddriver"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\System\CurrentControlSet\Services\TBEnhance]
"Tag" = "5"
"DisplayName" = "TBEnhance"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"bddriver" = "02 00 00 00 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\System\CurrentControlSet\Services\TBEnhance]
"ErrorControl" = "0"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Tag" = "1"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"ImagePath" = "system32\DRIVERS\BDArKit.sys"

[HKLM\System\CurrentControlSet\Services\bduniptk]
"Description" = "bduniptk"

[HKLM\System\CurrentControlSet\Services\TBEnhance]
"Group" = "bddriver"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Type" = "1"

[HKLM\System\CurrentControlSet\Services\bduniptk]
"Type" = "1"
"ImagePath" = "system32\DRIVERS\bduniptk.sys"

[HKLM\System\CurrentControlSet\Services\TBEnhance]
"Description" = "TBEnhance"

[HKLM\System\CurrentControlSet\Services\bd0001]
"ImagePath" = "system32\DRIVERS\bd0001.sys"

[HKLM\System\CurrentControlSet\Services\bduniptk]
"Group" = "bddriver"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"DisplayName" = "BDArKit"
"Tag" = "4"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 7F 48 2C 8E E4 33 34 D0 C3 23 1F 6C C6 7D 04"

[HKLM\System\CurrentControlSet\Services\TBEnhance]
"Type" = "1"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Group" = "bddriver"
"DisplayName" = "bd0001"
"ErrorControl" = "0"

[HKLM\System\CurrentControlSet\Services\bduniptk]
"DisplayName" = "bduniptk"
"Tag" = "2"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Description" = "bd0001"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"ErrorControl" = "0"

The following service will be launched automatically at system boot up:

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Start" = "2"

The following driver will be automatically launched by the NT Native code (IoInitSystem method):

[HKLM\System\CurrentControlSet\Services\TBEnhance]
"Start" = "1"

[HKLM\System\CurrentControlSet\Services\bduniptk]
"Start" = "1"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Start" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Services\TBEnhance]
"DeleteFlag"

[HKLM\System\CurrentControlSet\Services\bduniptk]
"DeleteFlag"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"DeleteFlag"

[HKLM\System\CurrentControlSet\Services\bd0001]
"DeleteFlag"

Dropped PE files

MD5 File path
b6268095a823fde84c33961509172f55 c:\Documents and Settings\"%CurrentUserName%"\Application Data\Baidu\Baidu_Toolbar_47078044_5_cb_2.0.400.80.exe
bd74f110381113e178e30b8d391e2205 c:\Program Files\Baidu\Toolbar\BDToolbarProxy.dll
56801ffbc71b78655be6754f927d2d7e c:\Program Files\Baidu\Toolbar\BaiduBarX.dll
56801ffbc71b78655be6754f927d2d7e c:\Program Files\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll
5e80ae127bb46259b2b7214cc48bb43f c:\Program Files\Baidu\Toolbar\BaiduBarX_Tmp\BarBroker.exe
1a1eb68a95790c9ef0a6d02f09b13ece c:\Program Files\Baidu\Toolbar\BaiduBarX_Tmp\BrowserDownload.dll
7fc0b42cec5032dfb5231317dfb15ab4 c:\Program Files\Baidu\Toolbar\BaiduBarX_Tmp\BugReport.exe
0d768d549b85657a57903b30d600ed56 c:\Program Files\Baidu\Toolbar\BaiduBarX_Tmp\Protocol.dll
0e1cc638036f862c04b78c3abbda8bfc c:\Program Files\Baidu\Toolbar\BaiduBarX_Tmp\Report.dll
3363feb29743d48ecdd46387a56e26b5 c:\Program Files\Baidu\Toolbar\BaiduBarX_Tmp\Update.dll
4643ebd74829d3b05395d125e44ae8df c:\Program Files\Baidu\Toolbar\BaiduBarX_Tmp\rc.dll
5e80ae127bb46259b2b7214cc48bb43f c:\Program Files\Baidu\Toolbar\BarBroker.exe
1a1eb68a95790c9ef0a6d02f09b13ece c:\Program Files\Baidu\Toolbar\BrowserDownload.dll
7fc0b42cec5032dfb5231317dfb15ab4 c:\Program Files\Baidu\Toolbar\BugReport.exe
0d768d549b85657a57903b30d600ed56 c:\Program Files\Baidu\Toolbar\Protocol.dll
0e1cc638036f862c04b78c3abbda8bfc c:\Program Files\Baidu\Toolbar\Report.dll
3363feb29743d48ecdd46387a56e26b5 c:\Program Files\Baidu\Toolbar\Update.dll
4643ebd74829d3b05395d125e44ae8df c:\Program Files\Baidu\Toolbar\rc.dll
c26ddd15a55ccca2d4d65839d068324d c:\Program Files\Baidu\{9A6E096E-4588-3E32-F06C-69F6B8784825}\ASBarBroker.exe
0d98fbbd0c5c79ab6a82a6a68e39adce c:\Program Files\Baidu\{9A6E096E-4588-3E32-F06C-69F6B8784825}\addressbar.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "%System%\DRIVERS\bd0001.sys" the Trojan controls creation and closing of processes by installing a process notifier.
Using the driver "%System%\DRIVERS\bd0001.sys" the Trojan controls creation and closing of threads by installing a thread notifier.
Using the driver "%System%\DRIVERS\bd0001.sys" the Trojan controls loading of executable images into memory by installing a load-image notifier.
The Trojan installs the following kernel-mode hooks:

ZwUnloadKey

Propagation

VersionInfo

Company Name:
Product Name: Baidu Toolbar_Addressbar
Product Version: 1.0.0.1
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.1
File Description: Baidu Toolbar_Addressbar Installer
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23130 23552 4.44841 0bc2ffd32265a08d72b795b18265828d
.rdata 28672 4496 4608 3.59163 f179218a059068529bdb4637ef5fa28e
.data 36864 110488 1024 3.26405 975304d6dd6c4a4f076b15511e2bbbc0
.ndata 147456 36864 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 184320 25552 25600 3.78666 c2ec1f9f02b9be29302d751729d05d4c

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://brwebapi.n.shifen.com/v1/t/full/p/bdzc/tn/10000102/ch_dl_url
hxxp://drbr.n.shifen.com/
hxxp://baidubrs.dlmix.glb0.lxdns.com/client1/common/install/46417496506/bdzc_Setup_2.0.1.183.dll
hxxp://dr.toolbar.baidu.com/ 61.135.186.213
hxxp://dl1sw.baidu.com/client1/common/install/46417496506/bdzc_Setup_2.0.1.183.dll 59.56.26.45
hxxp://j.br.baidu.com/v1/t/full/p/bdzc/tn/10000102/ch_dl_url 111.206.37.114


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

HEAD /client1/common/install/46417496506/bdzc_Setup_2.0.1.183.dll HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0
Host: dl1sw.baidu.com
Content-Length: 0
Cache-Control: no-cache
Connection: Keep-Alive


HTTP/1.0 200 OK
Expires: Sun, 12 Apr 2015 22:04:22 GMT
Date: Fri, 13 Mar 2015 22:04:22 GMT
Server: nginx
Content-Type: application/octet-stream
Content-Length: 2548504
Last-Modified: Fri, 13 Mar 2015 03:31:36 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
Age: 2480524
Via: 1.0 yichang50:8103 (Cdn Cache Server V2.0), 1.0 fzh15:5011 (Cdn Cache Server V2.0)
Connection: close
Content-Disposition: attachment;filename="bdzc_Setup_2.0.1.183.dll"
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,PUT,POST,DELETE,OPTIONS,HEAD


POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 117
Content-Type: application/octet-stream
Host: dr.toolbar.baidu.com
Keep-Alive: timeout=600,max=1000

...A........" da74c0ca2d462aed95993e8c9f81051a([email protected].` ...(...=.TZ>..a.'..
.*....JT...s....}.iI[.6..U
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 93
...A........" da74c0ca2d462aed95993e8c9f81051a([email protected].`
......}...f......#p.n.
....



POST / HTTP/1.1

Connection: Keep-Alive
Content-Length: 109
Content-Type: application/octet-stream
Host: dr.toolbar.baidu.com
Keep-Alive: timeout=600,max=1000

...A........" da74c0ca2d462aed95993e8c9f81051a([email protected].` ... ....w.9.D...?2...=OF.y......S0..a.
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 93
...A........" da74c0ca2d462aed95993e8c9f81051a([email protected].`
.........i'..V&....m..
....



POST / HTTP/1.1

Connection: Keep-Alive
Content-Length: 117
Content-Type: application/octet-stream
Host: dr.toolbar.baidu.com
Keep-Alive: timeout=600,max=1000

...A........" da74c0ca2d462aed95993e8c9f81051a([email protected].` ...(..D|...G.........[...2..(...Vgut9.].......
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 93
...A........" da74c0ca2d462aed95993e8c9f81051a([email protected].`
........9-.....A...X....


HEAD /v1/t/full/p/bdzc/tn/10000102/ch_dl_url HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0
Host: j.br.baidu.com
Content-Length: 0
Cache-Control: no-cache


HTTP/1.1 301 Moved Permanently
Server: nginx/1.4.1
Date: Sat, 11 Apr 2015 15:06:23 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.4.22
Cache-Control: no-cache, must-revalidate
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Location: hXXp://dl1sw.baidu.com/client1/common/install/46417496506/bdzc_Setup_2.0.1.183.dll
HTTP/1.1 301 Moved Permanently..Server: nginx/1.4.1..Date: Sat, 11 Apr
2015 15:06:23 GMT..Content-Type: text/html..Connection: keep-alive..X
-Powered-By: PHP/5.4.22..Cache-Control: no-cache, must-revalidate..Exp
ires: Sat, 26 Jul 1997 05:00:00 GMT..Location: hXXp://dl1sw.baidu.com/
client1/common/install/46417496506/bdzc_Setup_2.0.1.183.dll..
..
..



GET /v1/t/full/p/bdzc/tn/10000102/ch_dl_url HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0
Host: j.br.baidu.com
Cache-Control: no-cache


HTTP/1.1 301 Moved Permanently
Server: nginx/1.4.1
Date: Sat, 11 Apr 2015 15:06:27 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.22
Cache-Control: no-cache, must-revalidate
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Location: hXXp://dl1sw.baidu.com/client1/common/install/46417496506/bdzc_Setup_2.0.1.183.dll
0..HTTP/1.1 301 Moved Permanently..Server: nginx/1.4.1..Date: Sat, 11 
Apr 2015 15:06:27 GMT..Content-Type: text/html..Transfer-Encoding: chu
nked..Connection: keep-alive..X-Powered-By: PHP/5.4.22..Cache-Control:
no-cache, must-revalidate..Expires: Sat, 26 Jul 1997 05:00:00 GMT..Lo
cation: hXXp://dl1sw.baidu.com/client1/common/install/46417496506/bdzc
_Setup_2.0.1.183.dll..0..


GET /client1/common/install/46417496506/bdzc_Setup_2.0.1.183.dll HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0
Connection: Keep-Alive
Cache-Control: no-cache
Host: dl1sw.baidu.com


HTTP/1.0 200 OK
Expires: Sun, 12 Apr 2015 22:04:23 GMT
Date: Fri, 13 Mar 2015 22:04:23 GMT
Server: nginx
Content-Type: application/octet-stream
Content-Length: 2548504
Last-Modified: Fri, 13 Mar 2015 03:31:36 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
Age: 2480525
Via: 1.0 yichang50:8103 (Cdn Cache Server V2.0), 1.0 fzh15:5011 (Cdn Cache Server V2.0)
Connection: close
Content-Disposition: attachment;filename="bdzc_Setup_2.0.1.183.dll"
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,PUT,POST,DELETE,OPTIONS,HEAD
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$..........k...8...8
...8..48...8.w.8...8Qu.8...8.w.8...8.w.8h..8...8...8...8...8...8,..8.w
.8...8.w.8...8.w.8...8...8...8.w.8...8Rich...8........................
PE..L....D.U...........!.....P....".....0........`....................
............'.......&..............................^..h...,O..........
.. ...........&..#....&..0...c......................0...........@.....
.......`[email protected]..............
.... ..`.rdata..8....`.......`..............@[email protected]...`...0...`
[email protected][email protected]..... .
...... .................@[email protected]`[email protected]..
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

tbservice.exe_1260:

.text
`.rdata
@.data
.rsrc
@.reloc
.\BDZCInstallConfig.cpp
[CBDZCInstallConfig::CheckMD5]Check MD5, file MD5 : %s, MD5 msg : %s
.\BDZCInstall.cpp
CopyExeFilePath
ReportProcessCrashRealTime
.\RTPServer.cpp
CRTPServer::Run
CRTPServer Run stop
D:\jenkins\workspace\bdzc_toolbar_compile\stable_proj\include\thirdInclude\boost/exception/detail/exception_ptr.hpp
asio.misc
asio.misc error
d:\jenkins\workspace\bdzc_toolbar_compile\basic\Output\BinRelease\tbservice.pdb
?DelSubKey@Register@Base@@YAHPAUHKEY__@@PB_W@Z
BaseDll.dll
GetReportMgr
ReportDll.dll
UtilsDll.dll
?WriteDataCfg@CLauchReportRecord@ReportRecord@@QAEHXZ
?ReadDataCfg@CLauchReportRecord@ReportRecord@@QAEHW4CMD@Report@@@Z
?SetLastLaunchIntervalAndLastStartTime@CLauchReportRecord@ReportRecord@@QAEHXZ
??0CLauchReportRecord@ReportRecord@@QAE@XZ
GetUnInstallReportRecord
GetInstallReportRecord
ReportRecordDll.dll
PluginFrame.dll
SetProcessShutdownParameters
KERNEL32.dll
USER32.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegOpenKeyW
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
PSAPI.DLL
WS2_32.dll
SHLWAPI.dll
MSVCP80.dll
MSVCR80.dll
_amsg_exit
_crt_debugger_hook
SensApi.dll
VERSION.dll
tbservice.exe
.Ge``
%û^[
<assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.4053" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>
explorer.exe
Advapi32.dll
LoadFileConfig, path=%s
row=%d,col=%d
y[CBDZCInstallConfig::CheckMD5]strConfigPath doesn't exist: %s
n********* m_dwFileVerifyVer = %u **********
[CBDZCInstall::CopyFolder]pFrom : %s, pTo : %s
[CBDZCInstall::CopyExeFilePath]pFrom : %s, pTo : %s, pFileName : %s
fileverify.xml
[CBDZCInstall::Install]CreateMutex Fail, lasterror : %d
u_.exe
%u.%u.%u.%u
W[CBDZCInstall::StartService]OpenService error : %d
[CBDZCInstall::StartService]StartService error : %d
[CBDZCInstall::StartService]QueryServiceStatus success : %d
[CBDZCInstall::StartService]QueryServiceStatus error : %d
\kernel32.dll
Windows 7
Windows Vista
Windows 7
Windows Vista
Windows Server 2003,
Windows XP
Windows 2000
Windows NT
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009
Windows 95
Windows 98
Windows ME
kernel32.dll
[CBDZCInstall::DoInstall]lastdir = %s
[CBDZCInstall::DoInstall]kill %s
[CBDZCInstall::DoInstall]uninstall server : %d
\data\*.*
[CBDZCInstall::DoInstall]delete lastdir : %s
[CBDZCInstall::DoInstall]rename and delete bdsg0001.dll/bdsg0002.dll
\Microsoft.VC80.ATL\*.*
\Microsoft.VC80.ATL
\Microsoft.VC80.CRT\*.*
\Microsoft.VC80.CRT
\*.xml
\*.ico
\BugReport.exe
\uninst.exe
\UtilsDll.dll
\ProtocolDll.dll
\ReportDll.dll
\ReportRecordDll.dll
\DownloadDll.dll
\BaseDll.dll
\PluginFrame.dll
[CBDZCInstall::DoInstall]strSupplyID : %s
[CBDZCInstall::DoInstall]Version %s
[CBDZCInstall::DoInstall]InstallDir %s
[CBDZCInstall::DoInstall]SupplyID %s
\drivers\x86\*.sys
\drivers\x64\*.sys
"%s\%s" %s
[CBDZCInstall::DoInstall]install server : %d
[CBDZCInstall::DoInstall]start server : %d
l\BDLogicUtils.dll
[CBDZCInstall::DoInstall]data report
ntdll.dll
dep360.exe
[CBDZCInstall::Uninstall]SupplyID = %s
[CBDZCInstall::Uninstall]strUninstallDir = %s
\BDLogicUtils.dll
[CBDZCInstall::Uninstall]Data Report
[CBDZCInstall::Uninstall]kill baiduprotect.exe
\Config\810.dat
\Config\8000.dat
[CBDZCInstall::Uninstall]RMDir %s
ptbservice.exe
Global\BDTBMutex{8C0DFAE2-573F-4ABE-9794-20A4A0F83FCA}
Global\BDTBEvent{35526931-E907-479C-9DDF-EAD73A500BE9}
[CRTPServer StartSystemModules Finish
pGlobal\TBD_SERVICE_{4A9CAFF9-6834-419c-AFB1-139AC49FF55E}
pGlobal\BDTBEvent{35526931-E907-479C-9DDF-EAD73A500BE9}
Global\BDTBMutex{1F4B7D75-C7D0-4C94-92F8-864C4FF29FE6}
HKEY_LOCAL_MACHINE\SOFTWARE\baidu\tbservice
BugReport.exe
"%s" %s
BDTBTray.exe
2.0.1.183

BarBroker.exe_2148:

.text
`.rdata
@.data
.rsrc
t.hTtB
8%utP
>.uBV
PSSSSSSh
tGHt.Ht&
ReleaseReportMgr
GetReportMgr
Content-Length: %d
HTTP/1.0
BaiduToolbarReport
0000000
0100666
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
1.2.3
inflate 1.2.3 Copyright 1995-2005 Mark Adler
kernel32.dll
.mixcrt
KERNEL32.DLL
mscoree.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
GetProcessWindowStation
USER32.DLL
PSAPI.DLL
dbghelp.dll
InternetCrackUrlW
HttpEndRequestA
HttpSendRequestExA
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
KERNEL32.dll
USER32.dll
RegCloseKey
RegDeleteKeyW
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
RegCreateKeyW
RegOpenKeyW
ADVAPI32.dll
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
.?AVCExeModule@@
.?AVCBugReport@@
.?AVCBugReportAlert@@
.?AV?$CDialogImpl@VCBugReportAlert@@VCWindow@ATL@@@ATL@@
.?AV?$CWinDataExchange@VCBugReportAlert@@@WTL@@
*.yUW
.?AVIReportMgr@Report@@
.?AVCReportDelegate@@
.?AVCUrlParser@@
.PA_W
%c%c%c%c%c%c%c%c%c%c
zcÁ
{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2} = s 'BarBroker'
'BarBroker.EXE'
val AppID = s {7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}
'{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}'
val AppName = s 'BarBroker.exe'
BarBroker.BDBroker.1 = s 'BDBroker Class'
CLSID = s '{5BECD27B-DCF5-4DEF-B066-486A47245C03}'
BarBroker.BDBroker = s 'BDBroker Class'
CurVer = s 'BarBroker.BDBroker.1'
ForceRemove {5BECD27B-DCF5-4DEF-B066-486A47245C03} = s 'BDBroker Class'
ProgID = s 'BarBroker.BDBroker.1'
VersionIndependentProgID = s 'BarBroker.BDBroker'
val AppID = s '{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}'
'TypeLib' = s '{3A8C9D89-3271-45F4-98C0-56B0F5A16172}'
stdole2.tlbWWW
PstrUrlWW
Created by MIDL version 6.00.0366 at Fri Feb 06 22:28:24 2015
ieframe.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
@Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CString class.
Update.dll
##DisplayType=%d;InstallUpdate=%d;ModuleUpdate=%d
customid=%u --shmoffset=%u
-%s -%s
BaiduBarX.dll
BugReport
@/Dump.php
@dumpbar.baidu.com
ToolbarExceptionReport_{5B1E9512-0BAF-4be4-ACF1-3AA63BE8E1D5}
urlmon.dll
DBGHELP.DLL
CrashUrl:%s
SobarID:%s
BaiduToolbar_3529A021-28A0-4ada-A349-DD8388F8F950.dmp
BaiduToolbar_3529A021-28A0-4ada-A349-DD8388F8F950.txt
BaiduToolbar_3529A021-28A0-4ada-A349-DD8388F8F950.tar.gz
dump.php
ExceptionReportNoHint
CrashModule_%d
CrashAddr_%d
ReportDelegateMutex
Report.dll
rc.dll
http SendRequestEx fail!
\Internet Explorer\iexplore.exe
%Program Files%\Baidu\Toolbar\BarBroker.exe
2.0.400.80
BarBroker.EXE


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    BarBroker.exe:336
    BarBroker.exe:2148
    Baidu_Addressbar_47078044_1_oem_dg_1.2.10.15.exe:1140
    ASBarBroker.exe:1756
    %original file name%.exe:980
    Baidu_Toolbar_4:2012
    tbservice.exe:1260

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Program Files%\Baidu\{9A6E096E-4588-3E32-F06C-69F6B8784825}\ASBarBroker.exe (673 bytes)
    %Program Files%\Baidu\conf.xml (468 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\百度地址栏1.0\卸载百度地址栏.lnk (1 bytes)
    %Program Files%\Baidu\{9A6E096E-4588-3E32-F06C-69F6B8784825}\addressbar.dll (7726 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr12.tmp (28640 bytes)
    %Program Files%\Baidu\{9A6E096E-4588-3E32-F06C-69F6B8784825}\conf.xml (468 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\百度地址栏1.0\百度地址栏官网.url (158 bytes)
    %Program Files%\Baidu\AddressBar.dll (34561 bytes)
    %Program Files%\Baidu\ASBarBroker.exe (5064 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nspE.tmp (84037 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu_Addressbar_47078044_1_oem_dg_1.2.10.15.exe (19592 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu_Toolbar_47078044_5_cb_2.0.400.80.exe (66604 bytes)
    %Program Files%\Baidu\Toolbar\BaiduBarX.dll (19686 bytes)
    %Program Files%\Baidu\Toolbar\BaiduBarX_Tmp\rc.dll (37025 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\x64\TBEnhance.sys (102 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\BDArKit.sys (673 bytes)
    %Program Files%\Baidu\Toolbar\BrowserDownload.dll (673 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\10000102.dat (1 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{5F68585C-AF28-4793-9360-66E51B87947C}\Microsoft.VC80.ATL\microsoft.vc80.atl.manifest (466 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\百度工具栏\垃圾清理.url (63 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\bduniptk.sys (1281 bytes)
    %System%\drivers\bduniptk.sys (1281 bytes)
    %Program Files%\Baidu\Toolbar\BarBroker.exe.N1 (1281 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Toolbar\tmp\bd_13.tmp (2 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\百度工具栏\广告拦截.url (60 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\DownloadDll.dll (103 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{324C03EF-41AC-49C7-88CE-720C670629E2}\Microsoft.VC80.ATL\microsoft.vc80.atl.manifest (466 bytes)
    %Program Files%\Baidu\Toolbar\BaiduBarX_Tmp\Update.dll (13584 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{48A02D42-CF48-4601-9126-5F90C2D01273}\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\百度工具栏\隐私保护.url (63 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\ReportRecordDll.dll (111 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\x64\bd0001.sys (181 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\Common\Global.db (100 bytes)
    %Program Files%\Baidu\Toolbar\BDToolbarProxy.cab (1922 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{2A53DBDC-6363-4742-8166-C38D1E5A4CF6}\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
    %System%\drivers\TBEnhance.sys (673 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\microsoft.vc80.crt\msvcm80.dll (1760 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{5F68585C-AF28-4793-9360-66E51B87947C}\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{029F24D8-7145-43A0-A519-1F4D8E37D4AD}\Microsoft.VC80.CRT\microsoft.vc80.crt.manifest (1 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{029F24D8-7145-43A0-A519-1F4D8E37D4AD}\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\百度工具栏\自定义按钮.url (171 bytes)
    %Program Files%\Baidu\Toolbar\Report.dll (1281 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\config.xml (456 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\TBEnhance.sys (673 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\BDKitUtils.dll (62 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{2A53DBDC-6363-4742-8166-C38D1E5A4CF6}\Microsoft.VC80.ATL\microsoft.vc80.atl.manifest (466 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\10000101.dat (1 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{2A53DBDC-6363-4742-8166-C38D1E5A4CF6}\Microsoft.VC80.ATL\atl80.dll (601 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{2A53DBDC-6363-4742-8166-C38D1E5A4CF6}\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
    %System%\drivers\bd0001.sys (601 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\microsoft.vc80.crt\msvcr80.dll (3705 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{48A02D42-CF48-4601-9126-5F90C2D01273}\Microsoft.VC80.ATL\atl80.dll (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\10000102_ad.dat (165 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{5F68585C-AF28-4793-9360-66E51B87947C}\BDKitUtils.dll (70 bytes)
    %Program Files%\Baidu\Toolbar\BugReport.exe.N1 (1425 bytes)
    %Program Files%\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll (86996 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{5F68585C-AF28-4793-9360-66E51B87947C}\ArKit.dll (37 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\百度工具栏\屏蔽列表.url (60 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{2A53DBDC-6363-4742-8166-C38D1E5A4CF6}\Microsoft.VC80.CRT\microsoft.vc80.crt.manifest (1 bytes)
    %Program Files%\Baidu\Toolbar\rc.dll.N1 (8281 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\10000101_ad.dat (236 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\microsoft.vc80.crt\microsoft.vc80.crt.manifest (1 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{5F68585C-AF28-4793-9360-66E51B87947C}\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{2A53DBDC-6363-4742-8166-C38D1E5A4CF6}\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{176966FA-0615-4A30-8CE0-1018EEFED0D2}\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\ReportDll.dll (140 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{5F68585C-AF28-4793-9360-66E51B87947C}\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\microsoft.vc80.crt\msvcp80.dll (1835 bytes)
    %Program Files%\Baidu\Toolbar\Report.dll.N1 (1281 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{029F24D8-7145-43A0-A519-1F4D8E37D4AD}\FileRecov.dll (168 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{48A02D42-CF48-4601-9126-5F90C2D01273}\IPC.dll (39 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{324C03EF-41AC-49C7-88CE-720C670629E2}\APIMgr.dll (197 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\uninst.exe (227 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\x86\TBEnhance.sys (145 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{029F24D8-7145-43A0-A519-1F4D8E37D4AD}\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{2A53DBDC-6363-4742-8166-C38D1E5A4CF6}\bdxcore.dll (1826 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\百度工具栏\修复功能.url (63 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{176966FA-0615-4A30-8CE0-1018EEFED0D2}\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\toolbarsvc.dll.bdtmp (75523 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\BugReport.exe (304 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{5F68585C-AF28-4793-9360-66E51B87947C}\Microsoft.VC80.CRT\microsoft.vc80.crt.manifest (1 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{029F24D8-7145-43A0-A519-1F4D8E37D4AD}\Microsoft.VC80.ATL\microsoft.vc80.atl.manifest (466 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\PluginFrame.dll (3696 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{324C03EF-41AC-49C7-88CE-720C670629E2}\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\bd0001.sys (601 bytes)
    %Program Files%\Baidu\Toolbar\Update.dll.N1 (2321 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{48A02D42-CF48-4601-9126-5F90C2D01273}\Microsoft.VC80.CRT\microsoft.vc80.crt.manifest (1 bytes)
    %Program Files%\Baidu\Toolbar\BaiduBarX_Tmp\BarBroker.exe (9320 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{029F24D8-7145-43A0-A519-1F4D8E37D4AD}\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\UtilsDll.dll (82 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{48A02D42-CF48-4601-9126-5F90C2D01273}\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\百度工具栏\伴侣导航.url (63 bytes)
    %Program Files%\Baidu\Toolbar\BrowserDownload.dll.N1 (673 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{48A02D42-CF48-4601-9126-5F90C2D01273}\Microsoft.VC80.ATL\microsoft.vc80.atl.manifest (466 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\ProtocolDll.dll (3876 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{029F24D8-7145-43A0-A519-1F4D8E37D4AD}\Microsoft.VC80.ATL\atl80.dll (601 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\microsoft.vc80.atl\microsoft.vc80.atl.manifest (466 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\x86\bd0001.sys (72 bytes)
    %Program Files%\Baidu\Toolbar\BaiduBarX_Tmp\Report.dll (8560 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{324C03EF-41AC-49C7-88CE-720C670629E2}\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc11.tmp (141446 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{324C03EF-41AC-49C7-88CE-720C670629E2}\Microsoft.VC80.CRT\microsoft.vc80.crt.manifest (1 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{324C03EF-41AC-49C7-88CE-720C670629E2}\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\百度工具栏\卸载百度工具栏.lnk (1 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{176966FA-0615-4A30-8CE0-1018EEFED0D2}\Microsoft.VC80.ATL\microsoft.vc80.atl.manifest (466 bytes)
    %Program Files%\Baidu\Toolbar\BaiduBarX_Tmp\BugReport.exe (11344 bytes)
    %Program Files%\Baidu\Toolbar\BaiduBarX.dll.N1 (19686 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{176966FA-0615-4A30-8CE0-1018EEFED0D2}\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\BaseDll.dll (7386 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{48A02D42-CF48-4601-9126-5F90C2D01273}\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{324C03EF-41AC-49C7-88CE-720C670629E2}\Microsoft.VC80.ATL\atl80.dll (601 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\microsoft.vc80.atl\atl80.dll (97 bytes)
    %System%\drivers\BDArKit.sys (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ohz\LKHelper.7z (12289 bytes)
    %Program Files%\Baidu\Toolbar\BDToolbarProxy.dll (12280 bytes)
    %Program Files%\Baidu\Toolbar\BaiduBarX_Tmp\BrowserDownload.dll (6360 bytes)
    %Program Files%\Baidu\Toolbar\BaiduBarX_Tmp\Protocol.dll (19096 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\fileverify.xml (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\百度工具栏\个性化首页.url (183 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{176966FA-0615-4A30-8CE0-1018EEFED0D2}\Microsoft.VC80.ATL\atl80.dll (601 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{176966FA-0615-4A30-8CE0-1018EEFED0D2}\Microsoft.VC80.CRT\microsoft.vc80.crt.manifest (1 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{5F68585C-AF28-4793-9360-66E51B87947C}\Microsoft.VC80.ATL\atl80.dll (601 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\百度工具栏\帮助指南.url (64 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\plugins\{176966FA-0615-4A30-8CE0-1018EEFED0D2}\DriverManager.dll (160 bytes)
    %Program Files%\Baidu\Toolbar\Protocol.dll (3361 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bdzc_Setup_2[1].0.1.183.dll (75523 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\x64\bduniptk.sys (284 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\x64\BDArKit.sys (151 bytes)
    %Program Files%\Baidu\Toolbar\Protocol.dll.N1 (3361 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\tbservice.exe (242 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\x86\bduniptk.sys (258 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\drivers\x86\BDArKit.sys (140 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\apps.db (8171 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\6FXLVcNVzlXfVehVy1XYVfJV9VX VcdV2lU=\6FXLVcNVzlXfVehVy1XYVfJVhFXOVcZVxlU= (19686 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\6FXLVcNVzlXfVehVy1XYVfJV9VX VcdV2lU=\6FXLVdhV6FXYVcVVwVXPVdhVhFXPVdJVz1U= (1281 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\filerecov.dat (96 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\6FXYVcVV3VXZVc9V2FXuVcVV3VXEVcZVxVXLVc5VhFXOVcZVxlU= (673 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\6FXLVcNVzlXfVehVy1XYVfJV9VX VcdV2lU=\6FXYVcVV3VXZVc9V2FXuVcVV3VXEVcZVxVXLVc5VhFXOVcZVxlU= (673 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\6FXLVcNVzlXfVehVy1XYVfJVhFXOVcZVxlU= (19686 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\6FXfVc1V FXPVdpVxVXYVd5VhFXPVdJVz1U= (1425 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\6FXLVcNVzlXfVehVy1XYVfJV9VX VcdV2lU=\ lXYVcVV3lXFVclVxVXGVYRVzlXGVcZV (3361 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\6FXLVcNVzlXfVehVy1XYVfJV9VX VcdV2lU=\_1XaVc5Vy1XeVc9VhFXOVcZVxlU= (2321 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\6FXLVdhV6FXYVcVVwVXPVdhVhFXPVdJVz1U= (1281 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\ FXPVdpVxVXYVd5VhFXOVcZVxlU= (1281 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\apps.db-journal (56054 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\_1XaVc5Vy1XeVc9VhFXOVcZVxlU= (2321 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\2FXJVYRVzlXGVcZV (8281 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\6FXLVcNVzlXfVehVy1XYVfJV9VX VcdV2lU=\ FXPVdpVxVXYVd5VhFXOVcZVxlU= (1281 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\ lXYVcVV3lXFVclVxVXGVYRVzlXGVcZV (3361 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\6FXLVcNVzlXfVehVy1XYVfJV9VX VcdV2lU=\6FXfVc1V FXPVdpVxVXYVd5VhFXPVdJVz1U= (1425 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\6FXLVcNVzlXfVehVy1XYVfJV9VX VcdV2lU=\2FXJVYRVzlXGVcZV (8281 bytes)
    %Documents and Settings%\All Users\Baidu\tbservice\2.0.1.183\data\backup\6FXuVf5VxVXFVcZVyFXLVdhV lXYVcVV0lXTVYRVzlXGVcZV (4545 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
