Entries:
Comments:
Posts:

Loading User Information from Channel 9

Something went wrong getting user information from Channel 9

Activity Profile

Latest Achievement:

Loading User Information from MSDN

Something went wrong getting user information from MSDN

Visual Studio Achievements

Visual Studio Achievements

Latest Achievement:

Loading Visual Studio Achievements

Something went wrong getting the Visual Studio Achievements

IE8 picked up spyware (too quickly)

Follow
Oops, something didn't work.

Try again?

Sign In to be begin to follow this thread

What does this mean?
Following an item on Channel 9 allows you to watch for new content and comments that you are interested in. You need to be signed in to Channel 9 to use this feature.

Getting "follow" information

Stop following this thread

Start following this thread

What does this mean?
Following an item on Channel 9 allows you to watch for new content and comments that you are interested in and view them all on your notifications page.

Removing your "follow"

Setting up your "follow"

Did you know you can
sign up for email notifications?
- Subscribe to this feed

reddit

Tweet

akopacsi

Mar 23, 2009 at 2:07 PM

I installed IE8 on a Windows XP SP3 computer (new and clean install, fully patched system, running Windows Defender, NOD32 antivirus and windows malicious software removal tool). I used it for about 2 days (with a limited account) and then I ran a SpywareDoctor* scan.
It found a spyware called Spyware.BaiDu!

No warez, porn, file-sharing site was visited and I haven't installed any toolbars or adds-ons.

Any ideas how to avoid such infections?

It'd be interesting to see a test in which somebody visits specifically dangerous sites with IE8 and see how many malware is picked up.

( I won't do it for you...

I copy here the log file of SpywareDoctor.

Notice that it seems that the spyware modified registry. Again: it was used under a limited account. :-/

( *SpywareDoctor is a software which is included in Google Pack - a collection of essential softwares distributed by Google. )

2009.03.22. 21:34:30:390

Infection was detected on this computer

Threat Name - Spyware.BaiDu

Type - Registry Value

Risk Level - Medium

Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{77FEF28E-EB96-44FF-B511-3185DEA48697}, BlockType

2009.03.22. 21:34:30:390

Infection was detected on this computer

Threat Name - Spyware.BaiDu

Type - Registry Value

Risk Level - Medium

Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{77FEF28E-EB96-44FF-B511-3185DEA48697}, CompatibilityFlags

2009.03.22. 21:34:30:390

Infection was detected on this computer

Threat Name - Spyware.BaiDu

Type - Registry Value

Risk Level - Medium

Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{77FEF28E-EB96-44FF-B511-3185DEA48697}, DllName

2009.03.22. 21:34:30:390

Infection was detected on this computer

Threat Name - Spyware.BaiDu

Type - Registry Value

Risk Level - Medium

Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{77FEF28E-EB96-44FF-B511-3185DEA48697}, MasterCLSID

2009.03.22. 21:34:30:390

Infection was detected on this computer

Threat Name - Spyware.BaiDu

Type - Registry Value

Risk Level - Medium

Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{77FEF28E-EB96-44FF-B511-3185DEA48697}, Version

2009.03.22. 21:34:30:390

Infection was detected on this computer

Threat Name - Spyware.BaiDu

Type - Registry Key

Risk Level - Medium

Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{77FEF28E-EB96-44FF-B511-3185DEA48697}

2009.03.22. 21:34:30:421

Infection was detected on this computer

Threat Name - Spyware.BaiDu

Type - Registry Value

Risk Level - Medium

Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{B580CF65-E151-49C3-B73F-70B13FCA8E86}, BlockType

2009.03.22. 21:34:30:421

Infection was detected on this computer

Threat Name - Spyware.BaiDu

Type - Registry Value

Risk Level - Medium

Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{B580CF65-E151-49C3-B73F-70B13FCA8E86}, CompatibilityFlags

2009.03.22. 21:34:30:421

Infection was detected on this computer

Threat Name - Spyware.BaiDu

Type - Registry Value

Risk Level - Medium

Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{B580CF65-E151-49C3-B73F-70B13FCA8E86}, DllName

2009.03.22. 21:34:30:421

Infection was detected on this computer

Threat Name - Spyware.BaiDu

Type - Registry Value

Risk Level - Medium

Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{B580CF65-E151-49C3-B73F-70B13FCA8E86}, Version

2009.03.22. 21:34:30:421

Infection was detected on this computer

Threat Name - Spyware.BaiDu

Type - Registry Key

Risk Level - Medium

Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{B580CF65-E151-49C3-B73F-70B13FCA8E86}
CannotResolveSymbol Microsoft: Who do you want to execute today?

Mar 23, 2009 at 3:37 PM

From the little Google searching I just did (I don't use Spyware Doctor myself), I'm inclined to think that this may be a false positive. The program that PCTools calls Spyware.BaiDu is a BHO, and therefore should be registered in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, not in \Extension Compatibility\... I think Spyware Doctor may be picking up on Internet Explorer's BHO blacklist or list of compatibility shims.
joechung

Mar 24, 2009 at 11:03 PM

Hmm, a spyware detector included in Google Pack claims that a Baidu BHO is spyware.

Baidu is a popular search engine in China, more popular than Google China.

There seems to be a conflict of interest here...
Dexter

Mar 25, 2009 at 1:48 AM

joechung said:

Hmm, a spyware detector included in Google Pack claims that a Baidu BHO is spyware.

Baidu is a popular search engine in China, more popular than Google China.

There seems to be a conflict of interest here...

What's even more surprising is that it appears that the said spyware detector does a blind scan ignoring the usage of registry keys. Even if that "Extension Compatibility" key is not documented it should be pretty obvious what it does. Besides, if the computer was really infected then shouldn't the dll file be somewhere around?
CannotResolveSymbol Microsoft: Who do you want to execute today?

Mar 25, 2009 at 6:41 AM

joechung said:

Hmm, a spyware detector included in Google Pack claims that a Baidu BHO is spyware.

Baidu is a popular search engine in China, more popular than Google China.

There seems to be a conflict of interest here...

Actually, McAfee detects it too... it's classic adware, installing a useless toolbar and creating unwanted connections to other internet servers (possibly transmitting personal data to those servers).

If you don't see the toolbar, you don't have it installed. Chalk this one up to a poorly-programmed spyware scanner.

Thread Closed

This thread is kinda stale and has been closed but if you'd like to continue the conversation, please create a new thread in our Forums,
or Contact Us and let us know.