Can't Remove Bargain Buddy etc [RESOLVED]

Geeks to Go Forums > Security > Virus, Spyware, Malware Removal

Today's New Content

Can't Remove Bargain Buddy etc [RESOLVED] Trojan Issue(?)

#1 IanSpark

Group: Member
Posts: 17
Joined: 08-July 05

Posted 11 February 2006 - 05:30 AM

Hi There,

I've been getting "Your computer might be at risk - Norton Antivrus is turned off" messages on startup which resolve themselves after all programmes had finished loading. At about the same time Norton Antivirus reported a trojan attack where their file repair failed - no specifics in report. After updating & running all the Anti-Malware software I have, I ran a PandaSoft online scan which reported this:

Incident Status Location

Adware:adware/cws Not disinfected C:\Documents and Settings\Ian Jones\Favorites\Health
Adware:adware/exact.bargainbuddy Not disinfected Windows Registry

Also, I'm unable to boot in safe mode to run the anti-malware programmes again.

Anyway, I've posted the HijackThis below and I'd be grateful for any help.

Logfile of HijackThis v1.99.1
Scan saved at 11:14:46, on 11/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\2000\Office\1033\OLFSNT40.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Documents and Settings\Ian Jones\My Documents\Computing\CWS Shredder\cwshredder.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Ian Jones\My Documents\Computing\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://uk.red.clientapps.yahoo.com/customi...www.yahoo.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://uk.red.clientapps.yahoo.com/customi...www.yahoo.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://uk.red.clientapps.yahoo.com/customi...www.yahoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =

http://uk.red.clientapps.yahoo.com/customi...www.yahoo.co.uk
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} -

C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat

7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program

Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton

Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton

Antivirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -

C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft

Office\2000\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2005\spy.htm
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center

11\DMDownload.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program

Files\Altova\XMLSpy2005\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program

Files\Altova\XMLSpy2005\spy.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O12 - Plugin for .html: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -

http://go.microsoft....k/?linkid=48835
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) -

https://scan.safety.live.com/resource/downl...lscbase3401.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://update.microsoft.com/microsoftupdat...b?1132507982578
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) -

http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) -

http://download.zonelabs.com/bin/promotion...canner37380.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -

http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) -

http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program

Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common

Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton

SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation -

C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation -

C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation -

C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -

C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Many Thanks

Ian

#2 IanSpark

Group: Member
Posts: 17
Joined: 08-July 05

Posted 16 February 2006 - 02:28 AM

This is a repost of http://www.geekstogo.com/forum/index.php?s...77&#entry561277 (11/02/2006). I think there are several problems on my XP Pro machine but I do know I have a problem with BargainBuddy.
Any help would be much appreciated.

Ian

#3 greyknight17

Group: Visiting Consultant
Posts: 16,560
Joined: 24-April 05

Posted 19 February 2006 - 06:55 PM

Please do not post duplicate topics for this next time. If you waited 3 days without a reply, we have a place for you to post so you can get help faster (see the link below in my signature).

Please make sure that Word Wrap is turned OFF in Notepad before you post your HijackThis log next time. As you can see, the formatting it creates (see the log you posted) makes it harder for us to read it.

Check Ewido for any updates. Boot into Safe Mode and run the Ewido scan. Save the report when it's done.

Boot back to Normal Mode. Post the Ewido report here along with a new HijackThis log (make sure Word Wrap is turned OFF this time

#4 IanSpark

Group: Member
Posts: 17
Joined: 08-July 05

Posted 20 February 2006 - 01:27 AM

Sorry about that. As I said in the original post, I can't boot into safe mode. I've tried all there options and they all give "Windows can't do this at this time..." message.

Here's the latest HijackThis log without WordWrap this time(!):
Logfile of HijackThis v1.99.1
Scan saved at 07:16:14, on 20/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\97\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\2000\Office\1033\OLFSNT40.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\MICROS~2\2000\Office\OUTLOOK.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Microsoft Office\2000\Office\1033\wfxmsrvr.exe
C:\PROGRA~1\MICROS~2\2000\Office\1033\OLFMOD32.EXE
C:\Documents and Settings\Ian Jones\My Documents\Computing\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...www.yahoo.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customi...www.yahoo.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...www.yahoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...www.yahoo.co.uk
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\97\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\2000\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\2000\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2005\spy.htm
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center 11\DMDownload.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O12 - Plugin for .html: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/downl...lscbase3401.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1132507982578
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37380.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#5 greyknight17

Group: Visiting Consultant
Posts: 16,560
Joined: 24-April 05

Posted 20 February 2006 - 12:56 PM

That's the error message you get? How about Safe Mode with Networking support? Do you also get that message?

If you can't get into Safe Mode, then run Ewido in Normal Mode and post the report here. Check and fix these in HijackThis first:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.client...www.yahoo.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.client...www.yahoo.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.client...www.yahoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...www.yahoo.co.uk

#6 IanSpark

Group: Member
Posts: 17
Joined: 08-July 05

Posted 21 February 2006 - 02:01 PM

Yup, none of the safe mode options were available. I deleted the items you suggested and ran ewido. Ewido reports no problems

Hmmm...

#7 greyknight17

Group: Visiting Consultant
Posts: 16,560
Joined: 24-April 05

Posted 21 February 2006 - 05:53 PM

Run a virus scan using Kaspersky Online Scanner. Just click on the Kaspersky Online Scanner button and read what's posted there - hit Accept once you're done. Download the ActiveX file when prompted. Scanning will begin shortly. When it's done post the log here.

#8 IanSpark

Group: Member
Posts: 17
Joined: 08-July 05

Posted 22 February 2006 - 05:22 AM

Here's the report from the online scan:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, February 22, 2006 11:18:03 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 22/02/2006
Kaspersky Anti-Virus database records: 178048
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 122378
Number of viruses found: 7
Number of infected objects: 22
Number of suspicious objects: 6
Duration of the scan process: 04:59:17

Infected Object Name / Virus Name / Last Action
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\74C73CCF.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\74C73CCF.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\74C73CCF.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\74C73CCF.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\74C73CCF.zip ZIP: infected - 3 skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\74C73CCF.zip CryptFF: infected - 3 skipped
D:\Laptop Files\My Documents\archive.pst/Archive Folders/Inbox/03 Mar 2004 11:20 from Ben Newport:EEEKK/Master.zip/Master.exe Infected: not-a-virus:RemoteAdmin.Win32.RA.4929 skipped
D:\Laptop Files\My Documents\archive.pst/Archive Folders/Inbox/03 Mar 2004 11:20 from Ben Newport:EEEKK/Master.zip Infected: not-a-virus:RemoteAdmin.Win32.RA.4929 skipped
D:\Laptop Files\My Documents\archive.pst/Archive Folders/Inbox/29 Mar 2004 08:40 from Mail Delivery System:Mail delivery failed.eml/[From ann.jones@breathemail.net][Date Mon, 29 Mar 2004 09:15:42 +0100]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Laptop Files\My Documents\archive.pst/Archive Folders/Inbox/29 Mar 2004 08:40 from Mail Delivery System:Mail delivery failed.eml/[From ann.jones@breathemail.net][Date Mon, 29 Mar 2004 09:15:42 +0100]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Laptop Files\My Documents\archive.pst/Archive Folders/Inbox/29 Mar 2004 08:40 from Mail Delivery System:Mail delivery failed.eml/[From ann.jones@breathemail.net][Date Mon, 29 Mar 2004 09:15:42 +0100]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\Laptop Files\My Documents\archive.pst/Archive Folders/Inbox/29 Mar 2004 08:40 from Mail Delivery System:Mail delivery failed.eml/[From ann.jones@breathemail.net][Date Mon, 29 Mar 2004 09:15:42 +0100]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\Laptop Files\My Documents\archive.pst/Archive Folders/Inbox/29 Mar 2004 08:40 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.NetSky.q skipped
D:\Laptop Files\My Documents\archive.pst/Archive Folders/Inbox/29 Mar 2004 08:46 from Mail Delivery System:Mail delivery failed.eml/[From ann.jones@breathemail.net][Date Mon, 29 Mar 2004 09:21:35 +0100]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Laptop Files\My Documents\archive.pst/Archive Folders/Inbox/29 Mar 2004 08:46 from Mail Delivery System:Mail delivery failed.eml/[From ann.jones@breathemail.net][Date Mon, 29 Mar 2004 09:21:35 +0100]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Laptop Files\My Documents\archive.pst/Archive Folders/Inbox/29 Mar 2004 08:46 from Mail Delivery System:Mail delivery failed.eml/[From ann.jones@breathemail.net][Date Mon, 29 Mar 2004 09:21:35 +0100]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\Laptop Files\My Documents\archive.pst/Archive Folders/Inbox/29 Mar 2004 08:46 from Mail Delivery System:Mail delivery failed.eml/[From ann.jones@breathemail.net][Date Mon, 29 Mar 2004 09:21:35 +0100]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\Laptop Files\My Documents\archive.pst/Archive Folders/Inbox/29 Mar 2004 08:46 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.NetSky.q skipped
D:\Laptop Files\My Documents\archive.pst/Archive Folders/Inbox/29 Mar 2004 16:05 from Mail Delivery System:Mail delivery failed.eml/[From ann.jones@breathemail.net][Date Mon, 29 Mar 2004 16:40:17 +0100]/UNNAMED/document.doc Infected: Email-Worm.Win32.NetSky.q skipped
D:\Laptop Files\My Documents\archive.pst/Archive Folders/Inbox/29 Mar 2004 16:05 from Mail Delivery System:Mail delivery failed.eml/[From ann.jones@breathemail.net][Date Mon, 29 Mar 2004 16:40:17 +0100]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\Laptop Files\My Documents\archive.pst/Archive Folders/Inbox/29 Mar 2004 16:05 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.NetSky.q skipped
D:\Laptop Files\My Documents\archive.pst/Archive Folders/Inbox/29 Mar 2004 16:37 from Mail Delivery System:Mail delivery failed.eml/[From ann.jones@breathemail.net][Date Mon, 29 Mar 2004 17:12:30 +0100]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Laptop Files\My Documents\archive.pst/Archive Folders/Inbox/29 Mar 2004 16:37 from Mail Delivery System:Mail delivery failed.eml/[From ann.jones@breathemail.net][Date Mon, 29 Mar 2004 17:12:30 +0100]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Laptop Files\My Documents\archive.pst/Archive Folders/Inbox/29 Mar 2004 16:37 from Mail Delivery System:Mail delivery failed.eml/[From ann.jones@breathemail.net][Date Mon, 29 Mar 2004 17:12:30 +0100]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\Laptop Files\My Documents\archive.pst/Archive Folders/Inbox/29 Mar 2004 16:37 from Mail Delivery System:Mail delivery failed.eml/[From ann.jones@breathemail.net][Date Mon, 29 Mar 2004 17:12:30 +0100]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\Laptop Files\My Documents\archive.pst/Archive Folders/Inbox/29 Mar 2004 16:37 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.NetSky.q skipped
D:\Laptop Files\My Documents\archive.pst/Archive Folders/Inbox/11 Jun 2004 15:20 from katee008@hotmail.com:Re: Hello/your_picture.pif Infected: Email-Worm.Win32.NetSky.d skipped
D:\Laptop Files\My Documents\archive.pst Mail MS Mail: infected - 15, suspicious - 6 skipped

#9 greyknight17

Group: Visiting Consultant
Posts: 16,560
Joined: 24-April 05

Posted 22 February 2006 - 04:46 PM

Go into your Outlook Express email program and open up the Archive Folders. Delete those emails found by Kaspersky (see above).

Then delete everything inside this folder:

C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\

Restart your computer. Is BargainBuddy still being detected now?

#10 IanSpark

Group: Member
Posts: 17
Joined: 08-July 05

Posted 23 February 2006 - 03:48 AM

I re-ran Kapersky (my level of paranoia is v. high now!) and it reported no problems. I also did another PandaSoft online scan and I've got once less reference to BargainBuddy. Here's the report:

Incident Status Location

Adware:adware/exact.bargainbuddy Not disinfected Windows Registry

Things are improving...Ta

#11 IanSpark

Group: Member
Posts: 17
Joined: 08-July 05

Posted 23 February 2006 - 03:52 AM

Sorry I forgot to say that also Spyware Doctor blocked an I.E. search page change: res://C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll/gen_english

#12 greyknight17

Group: Visiting Consultant
Posts: 16,560
Joined: 24-April 05

Posted 23 February 2006 - 09:34 PM

PCTools Site Guard or Spyware Doctor is trying to change your homepage there...

I wouldn't worry about that windows registry entry found by Panda. It's harmless now

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.

#13 IanSpark

Group: Member
Posts: 17
Joined: 08-July 05

Posted 02 March 2006 - 02:34 PM

Hi greyknight17,

Sorry for the late reply. I've been away from the computer 'till now. Thanks for all you help. It's really been appreciated.

Cheers

Ian

#14 greyknight17

Group: Visiting Consultant
Posts: 16,560
Joined: 24-April 05

Posted 02 March 2006 - 04:55 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Back to Virus, Spyware, Malware Removal

Share this topic:

Page 1 of 1

Please log in to reply

Can't Remove Bargain Buddy etc [RESOLVED] - Geeks to Go Forums