Bargain Buddy is getting nastier

Printable View

November 17th, 2004, 09:06 AM
prouton

Bargain Buddy is getting nastier

I don't know how long this variant has been out there, but I got hit by bargain Buddy this evening and neither AdAware 6 nor SpyBot 1.3 could clean up my machine. The stupid thing just kept coming back (even with hand editing of the registry). It turns out that it had installed a service (I'm running Win2k, but this exploit would work for WinXP and WinNT), and the service was re-polluting my computer with various files each time I restart (it wasn't content to have just one attack vector).

So if you're having a problem getting rid of it, look for a service (Start / Run / services.msc) called ISEXEng and disable it. Then look for a file in c:\WINNT\system32 called "angelex.exe" and delete it. I also found the following files in that folder which I believe are additional vectors for infection:

exdl0.exe
exdl1.exe
exul1.exe
javexulm.vxd
mac80ex.idf
mqexdlm.srg
netut80ex.vxd
vx0.nls
vx1.nls
vx1x.nls

These later files are probably baddies. Their removal hasn't caused me a problem yet, but I found/removed them only because of their creation date (today), and the fact that many of then had a last modified date older than their creation date.

I'd really like to take big stick to the cretins that write/release these things...
November 17th, 2004, 01:07 PM
fink

Thanks for the info. How were you infected?
November 17th, 2004, 05:30 PM
NolanF

A drunken night in vegas...

Sorry couldnt resist :rolleyes: .
November 17th, 2004, 06:48 PM
prouton

As near as I can tell, it was while I was doing research, dropping into links from a google search, and hit a page that was no longer what it claimed to be (it looked like the original domain holder may have lost/given up the site, and it was taken over by opportunists). It was probably a Javascript initiated exploit (which I try to always cancel out of), but perhaps it wasn't a real Javascript warning, and the close box was mapped to the same code as the okay button. As I say, I don't know for sure, I just know roughly when it happened, and took immediate steps to fix it.

I sure wish the big boys would get involved and put out spyware removal tools of the same caliber as antivirus. I appreciate the fact that AdAware and Spybot are major efforts for very little remuneration, but this problem needs a serious infusion of cash, and only fully commercial apps are going to get it. And I still haven't found anything (even for money) that gets the job done 98% of the time. And I've got numerous clients with teenage children using the computer that desperately need a solution on the scale of antivirus protection.
November 19th, 2004, 03:09 PM
PC 101

Quote:

Originally posted by NolanF
A drunken night in vegas...

Sorry couldnt resist :rolleyes: .

https://discussions.virtualdr.com/im.../2004/11/6.gif