Exetools  

  #1  
Old 06-25-2014, 00:24
TempoMat
Is Baidu an Antivirus Software or a Spyware/Malware?

Why this question?

First a background history:

I had my Toshiba laptop with WinXP, which I use among other things for RCE, go dead.
The battery does not hold long and I made the mistake of using it for just 5 minutes without the mains, when the laptop turned off automatically due to low battery level even though the battery showed about 90%.
After connecting the power supply the laptop would not boot any more. I tried all possibilities like safe mode, last known configuration and whatever option I had, but always ended up with a BSoD.

By chance I found out that one of the memory modules had popped out of its hooks and was almost out of the socket. I was happy to find that and thought it could be the source of the cyclic reboot of WinXP. Nope, the joy did not last long. After correcting it the laptop would still not boot. The result was always the same ugly BSoD.

Because I had so many old programs and custom software (some DOS based, hence a small DOS partition before the WinXP partition) on the laptop, a format of the whole drive with a fresh install of WinXP was not to be considered an option for me at first. However, I ended up doing a fresh install, which was also not as smooth as I thought it could be. Then every attempt to reinstall WinXP ended up with the annoying message:

"This disk does not contain a Windows XP-compatible partition", where you go back and (re)create a partition, use the existing partition, scratch your head, have a cup of tea, but always end up back at:
" ***To install Windows XP on the partition you selected, Setup must write some startup files to the following disk:
However, this disk does not contain a Windows XP-compatible partition.

To continue installing Windows XP, return to the partition selection screen
(did it several time) and create a Windows XP-compatible partition on the disk above (did this too). If there is no free space on the disk, delete an existing partition (and this too), and then create a new one (and that as well).

To return to the partition selection screen, press ENTER (done that, now go back to ***)."

Damn, what is happening?
I googled for almost two days without finding a solution.

When I finally found the faint light at the end of the dark tunnel, it was a problem of WinXP setup not being able to recognize the partition C:\ as primary, even though some partition managers like Paragon Partition Manager, MiniTool Partition Wizard, Easeus Partition Master and a few others I had tried could identify the partition as primary and active. PartedMagic could only identify the complete disc as unallocated.
The main culprit is actually Windows' "Disk Management", which could neither identify the partition C:\ as active under Windows XP nor under Windows 7. The workaround was to first repair the partition with GParted, and after that everything went like it is supposed to.

So after some sleepless nights I was finally able to install WinXP with SP3 integrated and all Service Packs until February 2014 included. I made sure I had most of the needed programs installed and working before connecting the laptop to the internet. Once I was on the net, I installed some security software like Spybot, Windows Essentials and finally Trend Micro Titanium Internet Security. It was after the installation of Trend Micro and then jDownloader that I realized all of a sudden that Baidu Antivirus was also installed. There was no request for the installation of Baidu Antivirus during the numerous installations I had done before, and yet this program managed to install fully in the background.

The nightmare began when I tried to uninstall Baidu.
This is what I tried, with some failures:

1. Started with the usual Add or Remove Software from Windows. Strangely, any time I opted to uninstall Baidu the computer became slow and eventually the "Change or Remove Program" window was closed.

2. Next step was to throw CCleaner at it. This was also closed immediately whenever I chose to uninstall Baidu.

3. Then it was the turn of Revo Uninstaller Pro, which was also terminated immediately.

4. Gradually I became angrier and angrier. So I thought, why not just go and delete the installation folder of Baidu?
Guess what, that did not work either; there were two processes from Baidu (an exe and a dll) running which made sure that its installation folder was not tampered with, likewise the registry keys.

5. The next idea was to try to use Olly's attach option to attach to any of the processes and destroy their PE header. It was a nice thought, but Olly couldn't attach to either of the two processes.

6. What should I do next, I thought? I was gradually running out of ideas. So I tried to terminate those two notorious processes from Baidu with Process Explorer and Unlocker; still neither worked. Puh, everything I threw at these two processes failed.

7. Finally I had to boot the laptop with Active@Boot and delete the complete folder of Baidu. Unfortunately editing the host registry with Active@Boot did not work well for me, so I had to boot a second time with UltimateBootCD to edit and remove all traces of Baidu in the registry. And trust me, this notorious program had keys scattered all over the registry. There were so many I lost track and gave up noting down the names and values of the keys I was deleting.

Now, coming back to the initial question: is Baidu an antivirus software or spyware/malware, considering the effort the programmers made to prevent any attempt to terminate any one of their running processes, let alone to avoid deletion of the installation folder, registry keys and so on?

I thought only spyware and malware mostly install themselves on a target in the background and try all means to avoid their deletion/uninstallation, but not a program claiming to be antivirus software.

Or am I missing something?
  #2  
Old 06-25-2014, 05:22
chessgod101 (Co-Administrator)
What I am thinking is that maybe you had a virus that is a fake copy of Baidu. Since you said that you never installed this yourself, I believe that you probably got infected with malware. Since it was killing the Revo Uninstaller and CCleaner processes and doing everything that it could to prevent you from uninstalling it, I think that it is an infection as opposed to a genuine copy of Baidu antivirus. I found a tool on CNET that is designed to remove this adware. Perhaps this would have been the best option for you:
Code:
http://download.cnet.com/Adware-Baidu-Removal-Tool/3000-8022_4-75532472.html
If it were a genuine copy of this antivirus, I think it is a terrible practice to make software that unremovable from the system. As for the Baidu antivirus, it seems to have decent reviews on CNET, so the genuine copy from the official website is not a virus itself. I hope that everything is back to normal for you now.
  #3  
Old 06-25-2014, 06:25
TempoMat
I just found out how Baidu was installed.

It came onto the computer through JDownloader.
The installer was still located in a sub folder of JDownloader's temp folder.

The file is "BavPro_Setup_Mini_115.exe" with the following characteristics:

File size: 1.23 MB (1,291,624 bytes)
Size on Disk: 1.25 MB (1,310,720 bytes)
File version: 4.8.0.1383
Description: Baidu Antivirus Mini Setup
Copyright: Copyright (C) 2013 Baidu, Inc. All rights reserved.

The DLL that was blocking all uninstall attempts had "bavha" in its name, and there were far more keys in the registry with BAV* in their name than with Baidu.
  #4  
Old 06-25-2014, 19:36
mr.exodia (Retired Moderator)
@TempoMat: is the setup file signed by Baidu Inc?

Greetings
  #5  
Old 06-25-2014, 20:54
TempoMat
Quote:
Originally Posted by mr.exodia
@TempoMat: is the setup file signed by Baidu Inc?
I can't confirm.
Here is the certificate I extracted from the setup file
Attached Files
File Type: 7z CERTIFICATE.7z (4.2 KB, 2 views)
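One way to answer the signing question from the Windows side, as an added example that is not part of the thread: check the installer's Authenticode signature and its version resource with standard PowerShell cmdlets (the file path and the expected organisation name are assumptions).

```powershell
# Added example, not from the thread. Reports whether a PE file carries a valid
# Authenticode signature, who signed it, and the version-resource fields that
# post #3 lists (description, version, copyright) so they can be compared.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,         # file to inspect (hypothetical below)
        [Parameter(Mandatory)] [string] $ExpectedOrg   # organisation expected in the signer subject
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    # Get-AuthenticodeSignature verifies the PKCS#7 blob embedded in the PE and
    # builds the certificate chain; Status is 'Valid' only if both succeed.
    # Other values include 'NotSigned', 'HashMismatch' (file altered after signing)
    # and 'UnknownError' (chain does not end in a trusted root).
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $info = (Get-Item -LiteralPath $Path).VersionInfo

    if ($sig.SignerCertificate) {
        $subject    = $sig.SignerCertificate.Subject
        $thumbprint = $sig.SignerCertificate.Thumbprint
    } else {
        $subject    = '<unsigned>'
        $thumbprint = $null
    }
    # Subject is a distinguished name such as "CN=..., O=..., C=..."; match the O= part.
    $orgMatches = $subject -match ('O=' + [regex]::Escape($ExpectedOrg))

    [pscustomobject]@{
        File        = $Path
        Description = $info.FileDescription   # compare with "Baidu Antivirus Mini Setup"
        Version     = $info.FileVersion       # compare with 4.8.0.1383
        Copyright   = $info.LegalCopyright
        Status      = $sig.Status
        Signer      = $subject
        Thumbprint  = $thumbprint
        # True only when the chain validates AND the signer is the expected organisation.
        Trusted     = ($sig.Status -eq 'Valid') -and $orgMatches
    }
}

# Usage with a hypothetical path; the file name is the one quoted in post #3.
Test-InstallerSignature -Path 'C:\Temp\BavPro_Setup_Mini_115.exe' -ExpectedOrg 'Baidu' | Format-List
```

A valid signature naming the expected organisation only establishes who built the file, not whether the user wanted it; an installer that arrives silently inside another program's bundle is still unwanted software even when it is genuine.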
  #6  
Old 06-25-2014, 21:28
mr.exodia (Retired Moderator)
Hm,

If it's signed and it behaves like a virus, it might be that the signature of Baidu is compromised, but that doesn't sound real to me. Maybe you used a cracked winxp with some rootkit inside?

Take a look at GMER: http://www.gmer.net/ maybe you find some suspicious SSDT hooks or something.

Greetings
  #7  
Old 06-25-2014, 22:02
RedBlkJck
Yeah, I've seen that in a JDownloader package before too. If SpyBot was active, it could've been a conflict while it was silently being installed.
  #8  
Old 06-26-2014, 01:23
TempoMat
Unfortunately I have had Baidu installed silently before on a Windows 7 computer currently being used by a friend.
The friend might have unintentionally clicked on one of those luring adverts while surfing, or it might have been in an installation package.
Though I had AVAST installed as a firewall on this computer, Baidu managed to install itself, and I only got to know of it because it was suggesting to buy a full version and then the behaviour was brought to my attention.

At that time it was quite easy to uninstall it. And since then I have asked the friend never to install any non-trusted programs without consultation.

I am now currently living far away from home and only have 3 laptops available, so I cannot experiment with this current BavPro_Setup. Otherwise I could have installed it on some of the old WinXP computers I have lying around at home to fully analyse the behaviour.

Quote:
Originally Posted by RedBlkJck
Yeah, I've seen that in a JDownloader package before too.
I had until only recently avoided installing the current version 2.

Quote:
Originally Posted by RedBlkJck
If SpyBot was active, it could've been a conflict while it was silently being installed.
SpyBot, TrendMicro and Windows Essentials were all active and yet Baidu managed to install.

Quote:
Originally Posted by mr.exodia
Hm,
Maybe you used a cracked winxp with some rootkit inside?
Greetings
I did not use a cracked WinXP here.

My former company subscribes to MSDN, so I had the option of getting legit copies. I just slipstreamed some of the original ones with downloaded Service Packs when necessary.

All times are GMT +8.