Gen:Variant.Barys.1695


Gen:Variant.Barys.1695 is also known as Trojan.Rootkit.Gen2.

Malware Analysis of Gen:Variant.Barys.1695 – BDZEBRASDK.DLL

Created files:

%APPDATA%\BAIDU\BAIDUBROWSER\PLUGIN\7.6.505.3805\GLOBALPLUGININFO.XML
%APPDATA%\BAIDU\BAIDUBROWSER\PLUGIN\EXTENDS\LOCALPLUGININFO.XML
%APPDATA%\BAIDU\BAIDUBROWSER\PLUGIN\EXTENDS\{6621B6C5-7C33-48AB-B124-735D58A68A10}\1.0.0.76\BDZEBRASDK.DLL
%APPDATA%\BAIDU\BAIDUBROWSER\PLUGIN\EXTENDS\{6621B6C5-7C33-48AB-B124-735D58A68A10}\1.0.0.76\COMPLETELIST.TXT
%APPDATA%\BAIDU\BAIDUBROWSER\PLUGIN\EXTENDS\{6621B6C5-7C33-48AB-B124-735D58A68A10}\1.0.0.76\COMPLETE_CHECK_LIST.PB

Autostart registry keys:


Detected by UnHackMe:

BDZEBRASDK.DLL
DEFAULT LOCATION: %APPDATA%\BAIDU\BAIDUBROWSER\PLUGIN\EXTENDS\{6621B6C5-7C33-48AB-B124-735D58A68A10}\1.0.0.76\BDZEBRASDK.DLL

Dropper hash(md5): f4b0ca57b19d060fb6843a7425bf6a62

Written by Malware Hunter.

