Why on earth my PC has a folder named "Baidu" in Documents folder

0

This folder has been nagging me for a long time, though I do not know when it appeared on my PC. I have a folder named Baidu in the Documents folder (C:\Users\Public\Documents\). It has a folder named 'Common' inside, which contains another folder, I18N, which contains a file named conf.db. I could read its contents when opened in Notepad, which, of course, doesn't make any sense to me (the content can be provided on request, as I fear it may contain some personal identification data).
I tried deleting it and it gets deleted without any problem. But it comes back, not all of a sudden or after a reboot, but I can assure you that it will be there after some days.
First of all, I would like to know:

  • What is this folder, and what are its contents?
  • Why is it on my computer?
  • Which program creates it?
  • What purpose does it serve?

and, ultimately,

  • How can I get rid of this folder and its contents forever?

RogUE

Posted 2016-01-11T15:32:33.463

Reputation: 2 431

Question was closed 2016-01-11T15:50:38.120

If I were to guess it is malware. – Ramhound – 2016-01-11T15:35:20.857

Take a look: https://malwaretips.com/blogs/adware-win32-baidu-a-removal/ Good luck!

– duDE – 2016-01-11T15:36:41.173

@duDE I do not think so, as I do not see any other trails of an adware. – RogUE – 2016-01-11T15:42:33.357

@Ramhound I do not think so, as I have an updated antivirus (Avast Free Antivirus, though), and I scanned the config.db file in VirusTotal; they report it is clean.

– RogUE – 2016-01-11T15:44:14.597

1

It's mal/crapware installed by other programs: "Baidu PC Faster". https://malwr.com/analysis/ZDljNjM2YTVjZjM0NDQwMTg1MGMzNTZjOGUwZGFjZDY/ http://www.thaivisa.com/forum/topic/720344-very-suspicious-of-baidu/ Don't just trust a single scanner. Use another malware-centric program like Malwarebytes or similar to perform additional scans. See the marked duplicate for assistance.

– Ƭᴇcʜιᴇ007 – 2016-01-11T15:50:24.640

@Ƭᴇcʜιᴇ007 How can I confirm the infection? Any files to check, registry entries, etc.? – RogUE – 2016-01-11T15:56:08.190

A quick Google search turns up lots of info. I even provided you two usable links to figure out what to look for. :) – Ƭᴇcʜιᴇ007 – 2016-01-11T15:56:44.757

The file is clean, but that's not the infection, and Avast is a horrible malware scanner. – Ramhound – 2016-01-11T16:56:37.693

@Ramhound @Ƭᴇcʜιᴇ007 Found the culprit which installed it; it's [Format Factory](http://format-factory.en.softonic.com/opinion/tries-to-install-spyware-bundle-silently-349306).

– RogUE – 2016-01-12T00:35:35.377

So, malware, like I originally indicated and you dismissed because you have the free Avast software. Ever wonder the reason it is free? – Ramhound – 2016-01-12T00:50:21.710

@Ramhound Neither Spybot Search&Destroy nor Malwarebytes found it. Actually, the suspected program did not exhibit any symptoms like showing ads, redirecting webpages, etc., except for the folder issue. – RogUE – 2016-01-12T12:16:11.457

Answers

1

I would suggest rebooting the computer in safe mode without networking and then running your AV scans.

Also check and ensure that there isn't a browser helper object by running HijackThis and checking that the .dll files are deleted as well.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{A7F05EE4-0426-454F-8013-C41E3596E9E9}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\BarBroker.EXE
HKEY_CURRENT_USER\Software\baidu
HKEY_CLASSES_ROOT\BaiduBar.Tool.1
HKEY_CLASSES_ROOT\BaiduBar.Tool
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiduBar.Tool
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiduBar.Tool.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiduBarX.ToolBand.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiduBarX.ToolBand
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.4
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.3
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2923508C-9425-4A61-B9CE-A98239055916}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3A8C9D89-3271-45F4-98C0-56B0F5A16172}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.5
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiduBarX.BDLogin.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiduBarX.BDLogin
HKEY_CLASSES_ROOT\BaiduBarEx.BDHomePage.5
HKEY_CLASSES_ROOT\BaiduBarEx.BDHomePage.4
HKEY_CLASSES_ROOT\BaiduBarEx.BDHomePage.3
HKEY_CLASSES_ROOT\BaiduBarEx.BDHomePage.2
HKEY_CLASSES_ROOT\BaiduBarEx.BDHomePage.1
HKEY_CLASSES_ROOT\BaiduBarEx.BDHomePage
HKEY_CLASSES_ROOT\clsid\{77FEF28E-EB96-44FF-B511-3185DEA48697}
HKEY_CLASSES_ROOT\clsid\{B580CF65-E151-49C3-B73F-70B13FCA8E86}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BaiduBarX
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}
HKEY_LOCAL_MACHINE\SOFTWARE\Baidu
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}
HKEY_CLASSES_ROOT\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}
HKEY_LOCAL_MACHINE\SOFTWARE\Baidu\BaiduBar
HKEY_CURRENT_USER\Software\Baidu\BaiduBar
HKEY_CLASSES_ROOT\CLSID\{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}
HKEY_CLASSES_ROOT\TypeLib\{6AFC2761-1253-427C-9A56-385B4609BE1D}
HKEY_CLASSES_ROOT\BaiduBar.Baidu.1
HKEY_CLASSES_ROOT\BaiduBar.Baidu
HKEY_CLASSES_ROOT\Interface\{464C8A26-31E9-411C-9583-5B858E631DCC}
HKEY_CLASSES_ROOT\Interface\{89FDCC4B-8D91-49B0-81A6-18BCFF582735}
HKEY_CLASSES_ROOT\Interface\{96249369-D3DC-4AE6-8A3B-E7109D46E98D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiduBar.Baidu.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiduBar.Baidu
HKEY_CLASSES_ROOT\CLSID\{7C76C055-ED6E-4535-A70F-CD476E727F67}
HKEY_CLASSES_ROOT\BaiduBarEx.BandIE.1
HKEY_CLASSES_ROOT\BaiduBarEx.BandIE
HKEY_CLASSES_ROOT\BaiduBarEx.DropTarget.1
HKEY_CLASSES_ROOT\BaiduBarEx.DropTarget
HKEY_CLASSES_ROOT\Interface\{A294F8EB-86D9-4C4A-8B3E-909253761C64}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiduBarEx.DropTarget.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiduBarEx.DropTarget
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiduBarEx.BandIE.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiduBarEx.BandIE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B580CF65-E151-49C3-B73F-70B13FCA8E86}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BdGuard
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\sobar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000001-fb22-4a4e-8ab8-c85cfab14626}
HKEY_LOCAL_MACHINE\SOFTWARE\Baidu_bar
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiduBar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{B580CF65-E151-49C3-B73F-70B13FCA8E86}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{77FEF28E-EB96-44FF-B511-3185DEA48697}
HKEY_CLASSES_ROOT\clsid\{77FEF28E-EB96-44FF-B511-3185DEA48697}
HKEY_CLASSES_ROOT\clsid\{B580CF65-E151-49C3-B73F-70B13FCA8E86}

Are the registry keys that are created.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]{B580CF65-E151-49C3-B73F-70B13FCA8E86}=65CF80B551E1C349B73F70B13FCA8E86
[HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar]{B580CF65-E151-49C3-B73F-70B13FCA8E86}=12
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]{89FDCC4B-8D91-49B0-81A6-18BCFF582735}=4BCCFD89918DB04981A618BCFF582735
[HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar]{B580CF65-E151-49C3-B73F-70B13FCA8E86}=00
[HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar]{B580CF65-E151-49C3-B73F-70B13FCA8E86}=sobar
[HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar]{B580CF65-E151-49C3-B73F-70B13FCA8E86}=BaiduBar
[HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar] {B580CF65-E151-49C3-B73F-70B13FCA8E86}=00
[HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar] {B580CF65-E151-49C3-B73F-70B13FCA8E86}=BaiduBar

Are the values. If it keeps coming back, you have some sort of underlying infection, which is why I suggest running your scans in safe mode without networking.

Matt King

Posted 2016-01-11T15:32:33.463

Reputation: 167
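A read-only audit script, added here as an example and not part of Matt King's answer, that checks for the folder from the question, the BdGuard service and a subset of the registry keys listed above, and resolves each Browser Helper Object CLSID to the DLL it registers (the "check that the .dll files are deleted" step). The folder path, key names and CLSIDs come from this thread; the InprocServer32 lookup is standard COM registration. It changes nothing; it only reports.

```powershell
# Added example (not from the original answer): read-only audit of the
# Baidu indicators from this thread. Run from an elevated PowerShell prompt.
$folder = 'C:\Users\Public\Documents\Baidu'
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
# BHO CLSIDs taken from the answer's key list
$bhoIds = @('{77FEF28E-EB96-44FF-B511-3185DEA48697}',
            '{B580CF65-E151-49C3-B73F-70B13FCA8E86}',
            '{00000001-fb22-4a4e-8ab8-c85cfab14626}')
# A subset of the persistence / uninstall keys from the answer
$keys = @('HKLM:\SOFTWARE\Baidu',
          'HKCU:\Software\Baidu',
          'HKLM:\SOFTWARE\Baidu_bar',
          'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BaiduBarX',
          'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\sobar',
          'HKLM:\SYSTEM\CurrentControlSet\Services\BdGuard')

$findings = @()

if (Test-Path -LiteralPath $folder) { $findings += "Folder present: $folder" }

foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# A BHO entry is only a registration; the CLSID's InprocServer32 default
# value names the DLL Internet Explorer actually loads, so report whether
# that file still exists on disk.
foreach ($id in $bhoIds) {
    if (-not (Test-Path -LiteralPath "$bhoKey\$id")) { continue }
    $srv = "HKLM:\SOFTWARE\Classes\CLSID\$id\InprocServer32"
    $dll = '<no InprocServer32 key>'
    $onDisk = 'n/a'
    if (Test-Path -LiteralPath $srv) {
        $dll = (Get-ItemProperty -LiteralPath $srv).'(default)'
        $dll = [Environment]::ExpandEnvironmentVariables([string]$dll)
        $onDisk = if ($dll -and (Test-Path -LiteralPath $dll)) { 'on disk' } else { 'missing' }
    }
    $findings += "BHO $id -> $dll ($onDisk)"
}

# Service state (the key above only shows the service is configured)
$svc = Get-Service -Name BdGuard -ErrorAction SilentlyContinue
if ($svc) { $findings += "Service BdGuard: $($svc.Status)" }

if ($findings.Count -eq 0) { 'No Baidu indicators found.' } else { $findings }
```

Because the answer notes the folder returns after some days, run the audit again after cleanup; a reappearing key or DLL points at the bundled installer (Format Factory in this thread) or a remaining scheduled task or service rather than at the folder itself.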