 |
Hi everyone.
I did a full norton anti-virus (2004) scan and detected Adware.BargainBuddy but norton wasn't able to delete this.
I also run Adaware SE and Spybot S&D and did another full norton scan but the adware still remained in my system.
Could somebody help me out about this adware? Thanks in advance and ill really appreciate your help. Thanks
This I copied from SYMANTEC's (Norton Antivirus' home) site:
Do one of the following:
On the Windows 98 taskbar:
Click Start > Settings > Control Panel.
In the Control Panel window, double-click Add/Remove Programs.
On the Windows Me taskbar:
Click Start > Settings > Control Panel.
In the Control Panel window, double-click Add/Remove Programs.
If you do not see the Add/Remove Programs icon, click "...view all Control Panel options."
On the Windows 2000 taskbar:
By default, Windows 2000 is set up the same as Windows 98. In that case, follow the Windows 98 instructions. Otherwise, click Start, point to Settings, point to Control Panel, and then click Add/Remove Programs.
On the Windows XP taskbar:
Click Start > Control Panel.
In the Control Panel window, double-click Add or Remove Programs.
Click Bargain Buddy.
--------------------------------------------------------------------------------
Note: You may need to use the scroll bar to view the whole list.
--------------------------------------------------------------------------------
Click Add/Remove, Change/Remove, or Remove (this varies with the operating system). Follow the prompts.
Hi thanks for the reply...
I tried to follow the above instructions for windows xp but couldn't find it on the list.
Then maybe it is not installed.
Can you check if the following folder exists:
C:\Program Files\Bargain Buddy
And/or the files:
Apuc.dll
Bargains.exe
Note: the folder or files may be hidden, ensure that your explorer is set up to show hidden files too.
I couldn't find the folders too... :(
Gee, and the files neither I guess.
Can you check in Norton Antivirus where it found the infection?
> launch Norton Antivirus (do not scan), look up its history files.
Somewhere it will give you the path and filename where it found an infection.
When you got that information just post it here. Don't go deleting things - yet.
Here's what I found in the history files.
Source: C:/Windows/System32/exdl.exe
Description: The compressed file C:/Windows/System32/exdl.exe within C:\WINDOWS\system32\netut80ex.vxd is a Adware threat
Thanks for the reply...
*Can you check if you have any of these folders in your "program files" folder:
-Bullseye Network
-Net2phone Commcenter
-Blue Haven
-Broadjump
-Navisearch
-Cashback
-ADP
*Did ADAWARE also detect the bargainbuddy?
*In your taskmanager (ctl-alt-del), check if exdl.exe is running (if not, you're lucky).
Oh I couldn't see those folders from Program files and Windows
I have updated adware and did another scan of norton but still adware.bargainbuddy detected
Exdl.exe is not running but I found this folder C:\WINDOWS\system32\netut80ex.vxd from the history of norton
Well, it looks that you don't have the bargain buddy active, although part of it is present on your computer.
C:\WINDOWS\system32\netut80ex.vxd is a compressed file, and one of the files in there is exdl.exe, definitely an adware trojan. You don't seem to have used that file yet though, because I'd expect you (or Norton Antivirus) to find the file back in the system32 folder then. You may wish to double check that to be sure.
You might also want to check if the following service is running:
ISEXEng
To do this, START>RUN, type:
Services.msc
And press Enter. If ISEXEng is there, right click on it and choose DISABLE
5 more files you may want to search for are (delete them if found):
CC_Versn.dll
Angelex.exe
Msbe.dll
Mscb.dll
Nvms.dll
If everything is clean, I think that it is OK to delete the file:
C:\WINDOWS\system32\netut80ex.vxd
If some delete does not work because the "file is in use", retry in SAFE mode.
I found almost no information on that netut80ex.vxd, but it is NOT part of Windows itself. It must have been installed together with some OEM application from a not so honest software house. Do you remember what you installed shortly before you got the symptoms? I suspect that when you delete the netut80ex.vxd file, that that software might not run anymore. But after all, who would want such malicious software anyway?
Last, in your Internet Explorer, block the following URL:
Adp?ikena?com
Note that I have put question marks instead of dots, to avoid accidental clicking on it. When filling it in in your "forbidden sites" in your browser, you should use dots of course.
That is the URL where exdl.exe tries to connect to.
****
Do not forget to empty Windows' "waste bin".
****
I'm very interested in the outcome of this, please give me some feedback...
Hi thanks for the reply again.
First I would like you to know that I didn't find any files you were telling me to delete. ISEXEng,CC_Versn.dll,angelex.exe ,msbe.dll ,mscb.dll ,nvms.dll.
I didn't install any software or programs before I detected the adware but a friend of mine use my computer and visit some sites about serials and I believe from those sites the adware detected.
OK, delete:
C:\WINDOWS\system32\netut80ex.vxd
This works :p thanks a lot for your help and detailed instructions.Quote:
Originally Posted by urmod4u
I had read the posts between polaris and urmod4u and saw that urmod4u likes to invite comments, as a result, I would also like to add my experience into thess posts.Quote:
Originally Posted by urmod4u
I had been quiet careless two days ago and got the BargainBuddy adware infected my computer. After scanning with adware for its existence, I began to uninstall this adware by deleting all the programs, files and registry entries relating to this adware. However, after deleting all the related files, programs and their registry entries, I still found three files: exdl.exe, bbclk.exe and exul.exe and some 19 to 25 registry entries which would unceasingly be self-regenerated after rebooting the computer and they would be self-regenerated even with the internet disconnected. So I concluded that there should be some hidden files installed by buddy bargain which would do the job. I then made search in the internet and found your link and learned that the file netut80ex.vxd would be the cause. I then deleted the file netut80ex.vxd and the files exdl.exe etc were disappeared when the computer was rebooted. I must express my gratitude and thanks for your assistance in this matter. Your advice had saved me a lot of time. However, the 19 to 25 registry entries were still there when checking with adware. I then went to the internet again and tried every free adware scans to search for suspected files and from one of the free scans, I finally detected two suspected files, msexreg.exe and javexulm.vxd which might be the cause of self-regenerating the adware registry entries. I had the 2 files examined carefully and then had them deleted. After deleting these two files, the adware registry did not appear again after reboot.
I think the file msexreg.exe must be the main cause of the self regenerating registry entries but I don't know whether the file javexulm.vxd would have any relationship with the bargainbuddy adware. That's my observation. Thank you for wasting your time.
Software should be the last step of any spyware removal process... not the first. If the removal procedure is done out of sequence, your problems will just return the next time you restart your computer. If you’ve ever used a spyware removal program in the past, then you’ve likely already experienced this. YOU NEED THIS MANUAL!
Try the Spyware-Adware Removal Kit that is available at the link below. By following this detailed 11 page, step-by-step document with screen shots, you will be able to restore your computer to like-new condition.
Hi,
Are you running the newer AdAware called AdAware_SE?
If not, get it, install it, and it will take care of the problem for you.
Run AdAware_SE in SafeMode. Run it 2 or 3 times, then re-boot into SafeMode again, and run it 2 or 3 times again.
Then, re-boot.
All of BargainBuddy should be gone.
Some of these spyware programs (like also about: blank; will rebuild their own files after some are deleted by AdAware, and after re-booting). That's why you must run the scan multiple times.
Best of luck,
fredg
I found this menace too and, thanks to you guys, have now found that it's safe to delete this file!
I know I definitely got it after installing a printer I got from eBay on 30.12.04 (I think it must have been in the printer's memory... let me explain why I think that's the reason:
I already had an Epson C62 but it got damaged so I bought another [C62] as a replacement - I knew all I had to do was swap them over! I also had dozens of ink carts and didn't want to waste them!
As soon as I connected it to the PC, BargainBuddy and Bullseye shot into action. I managed to get rid of them using AdAware but Norton couldn't delete the actual files - although it told me where to find them!
Anyway (and once again), thanks to everyone who discussed this problem and the solution. It really is appreciated. :)
Cheers,
trip
... I deleted the file "netut80ex.vxd" I opened a can of worms!
Instaead of just five adware files I had 14! During deletion I had reactivated it. I emptied the bin, restarted PC and ran various removal tools in safe mode and normal mode but nothing lasted very long.
I was about to give up when I found a link to a link etc which stated that "ewido security suite" came bundled with this spyware (and other nasties), so I deleted it and cleaned out all traces from my PC... no more problems.
So there you have it, another cleaner bundled with malware etc!
Hi,
Here are steps, and programs to use, to delete all this Bargain Buddy stuff from you computer:
If you think you already have Spyware/Advertising Ware in your computer, run these as follows:
http://www.security-related.com/download2.htm
Download: SpyBot Search & Destroy; 1.3
AdAware at:
www.lavasoftusa.com
Download: AdAware_SE
CWShredder at:
http://www.download.com/CWShredder/3...ml?tag=lst-0-1
(CWShredder is intended only for removal of CoolWebSearch files; placed as spyware on the harddrive). It is not a "stand alone" scan, but needs to be run.
All 3 of the above programs run better and much faster when run in SafeMode.
It's best to run the AdAware scan first; 3 times; then re-boot.
Then, run the AdAware scan again 3 times; then run the SpyBot. Then, run CWShredder.
Re- Boot.
Reason for running so many times:
Some of these trojans' files can be deleted the first time; leaving some others; but on re-boot, they re-write the files that were deleted.
Running multiple times deletes most of it the first
Time.
If you wish to have a great program, after you clean out Spyware/Advertising Ware:
SpyWare Blaster 3.2
Great, free, program that STOPS spyware, trojans, home page hijacks, etc, BEFORE they get into your computer. Check it out at CNET at link:
http://www.download.com/SpywareBlast...ml?tag=lst-0-2
Two Tips:
If you notice the little green computer lights that show your dial-up connection to the internet staying on when they shouldn't be, located on the bottom right of the system tray, disconnect immediately and run AdAware. These lights staying on means that some URL is sending or receiving spyware/advertising ware to or from your computer, most of the time.
Other Tip: After being on the net, if you have visited any sites you don't really trust, then run AdAware BEFORE you shut down or re-start the computer. This will delete any Spyware easier, before the computer can configure it, set it up, spread it throughout the Registry, and make it more difficult to remove after re-booting.
Best of luck,
fredg
PS; Clear out all cookies, History, etc, from your Internet Explorer temp files.
Right click on the IE icon on the desktop, then Left click on Properties.
Click on the Delete and Clear buttons.
| All times are GMT -7. The time now is 01:04 AM. |