
Bargain Buddy removal

Status
Not open for further replies.

weberm (Programmer, US, joined Dec 23, 2002):
Recently AdAware and Search-And-Destroy started telling me that they detected Bargain Buddy on my computer; they delete a registry entry, but keep finding it again. I did some legwork on how to manually remove "Bargain Buddy", but I don't see any of the folders or files it tells me to delete, and my PC does not seem to be exhibiting any of the behaviors associated with Bargain Buddy. This may be a SWAG, but I am guessing something somewhere keeps trying to install it, and my firewall prevents it from getting the install files from bargain-buddy.com, so it only adds the one key to my registry. Does anyone have any ideas on how to remove this once and for all?
 
Post exactly what Spybot is finding. It probably is an entry placed there to block Bargain Buddy, and Spybot is flagging it. Are you using SpywareBlaster?

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
I am running AdAware and Spybot Search and Destroy. I'll have to get the log when I get back home.
 
satrow said:
Ewido should help you out here, don't forget to save the log for troubleshooting purposes -
I installed and ran Ewido (for some "odd reason" the online version crashes) and it found this:
Code:
------------------------------------------------
ewido anti-spyware - Scan Report
------------------------------------------------
 + Created at:	11:17:24 PM 9/21/2006

 + Scan result:

C:\System Volume Information\_restore{3C1D5673-48D2-4D16-B281-B0974C812358}\RP143\A0008529.dll -> Downloader.Small : No action taken.
I went ahead and removed the offending entry, rebooted, and ran Ad-Aware, which gave me this:
Code:
 BargainBuddy Object Recognized!
    Type               : Regkey
    Data               : 
    TAC Rating         : 8
    Category           : Malware
    Comment            : 
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-220523388-562591055-725345543-1004\software\microsoft\windows\currentversion\ext\stats\{d27cdb6e-ae6d-11cf-96b8-444553540000}

 Win32.Trojan.Agent Object Recognized!
    Type               : Regkey
    Data               : 
    TAC Rating         : 10
    Category           : Virus
    Comment            : 
    Rootkey            : HKEY_USERS
    Object             : S-1-5-21-220523388-562591055-725345543-1004\software\microsoft\windows\currentversion\ext\stats\{b45ff030-4447-11d2-85de-00c04fa35c89}
After removing these, a second reboot and rerun of both didn't come up with anything, so I think it's been fixed. I'll check one more time tonight...
 
OK, here is what HijackThis reported:

Logfile of HijackThis v1.99.1
Scan saved at 10:07:19 PM, on 9/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\SMARTDSK\FLASH\sdstat.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Eudora\eudora.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\weberm\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = 
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: FlashPath Monitor.lnk = C:\SMARTDSK\FLASH\sdstat.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ComcastHSI - {430A2D80-2D37-11D6-BEF9-00079554104B} - (file missing) (HKCU)
O9 - Extra button: Help - {430A2D81-2D37-11D6-BEF9-00079554104B} - (file missing) (HKCU)
O9 - Extra button: Support - {430A2D82-2D37-11D6-BEF9-00079554104B} - (file missing) (HKCU)
O13 - WWW. Prefix: http://
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - 
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - 
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - 
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - 
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - 
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - 
O16 - DPF: {D9EA64B2-B966-E177-332C-78B69886526D} - 
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! WebCam Viewer Wrapper) - 
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - 
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 
Your log is clean!

How's the computer running now?

Fix these with HijackThis:

O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O13 - WWW. Prefix: http://
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - 
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - 
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - 
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - 

Here are some free tools to keep you from getting infected in the future.

To stop reinfection, get SpywareBlaster from

Get the hosts file from here. Unzip it to a folder!

Put it into: (or click the mvps bat and it should do it for you!)

Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
Win 98\ME = C:\WINDOWS

IE-SPYAD. Puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Arovax Shield: stop your computer from being hijacked!

Use Spybot's immunize button, and use SpywareBlaster's enable protection once you update it. You can put Spybot's hosts file into your own and lock it.

I would also suggest switching to Mozilla's Firefox browser; it's safer, has a built-in pop-up blocker, and blocks cookies and ads. Mozilla Thunderbird is also a good e-mail client.

Another good and free browser is Opera!

Read here to see how to tighten your security:

A good overall guide for firewalls, anti-virus, and anti-trojans as well as regular spyware cleaners.

You can mark your own thread solved through thread tools at the top of the page.



Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
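As an added example (not from the thread, and not part of HijackThis itself): a small Python triage that reads HijackThis-format entry lines and applies the same rules khazars used above, flagging an O2 BHO whose file is missing, O13 URL-prefix overrides, and O16 ActiveX (DPF) downloads, especially unnamed ones. The sample log is constructed from the entry types in the thread; it is not the poster's full log.

```python
import re

# Constructed sample in HijackThis v1.99.1 format: one benign BHO and one benign
# service mixed with the entry types the thread says to fix. Not the poster's log.
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O13 - WWW. Prefix: http://
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} -
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgamsvr.exe
"""

# Entry lines look like "O2 - BHO: ..."; header and process listing lines do not.
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# O16 body: "DPF: {CLSID} (optional name) - optional download URL"
O16_RE = re.compile(r"DPF: (?P<clsid>\{[^}]+\})(?: \((?P<name>[^)]*)\))? -\s*(?P<url>.*)$")


def parse_entries(log_text):
    """Yield (section, body) for every HijackThis entry line, skipping the
    report header and the 'Running processes' listing."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")


def triage(log_text):
    """Return (section, reason) for entries worth a second look. The rules
    mirror the thread: orphaned BHO registrations, IE URL-prefix overrides,
    and downloaded ActiveX controls, with unnamed ones called out explicitly."""
    findings = []
    for sec, body in parse_entries(log_text):
        if sec == "O2" and body.endswith("(no file)"):
            clsid = GUID_RE.search(body).group(0)
            findings.append((sec, "orphaned BHO registration, file missing: " + clsid))
        elif sec == "O13":
            findings.append((sec, "IE URL prefix override: " + body))
        elif sec == "O16":
            m = O16_RE.match(body)
            if m and not m.group("name"):
                findings.append((sec, "unnamed ActiveX download control: " + m.group("clsid")))
            elif m:
                findings.append((sec, "downloaded ActiveX control, remove if unused: " + m.group("name")))
    return findings


if __name__ == "__main__":
    for sec, reason in triage(SAMPLE_LOG):
        print(sec, "-", reason)
```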
 
CClean and HijackThis seem to have done the trick! Thank you!
 