-
November 17th, 2004, 09:06 AM
#1
Bargain Buddy is getting nastier
I don't know how long this variant has been out there, but I got hit by Bargain Buddy this evening and neither AdAware 6 nor SpyBot 1.3 could clean up my machine. The stupid thing just kept coming back (even with hand editing of the registry). It turns out that it had installed a service (I'm running Win2k, but this exploit would work for WinXP and WinNT), and the service was re-polluting my computer with various files each time I restarted (it wasn't content to have just one attack vector).
So if you're having a problem getting rid of it, look for a service (Start / Run / services.msc) called ISEXEng and disable it. Then look for a file in c:\WINNT\system32 called "angelex.exe" and delete it. I also found the following files in that folder which I believe are additional vectors for infection:
exdl0.exe
exdl1.exe
exul1.exe
javexulm.vxd
mac80ex.idf
mqexdlm.srg
netut80ex.vxd
vx0.nls
vx1.nls
vx1x.nls
These latter files are probably baddies. Their removal hasn't caused me a problem yet, but I found/removed them only because of their creation date (today), and the fact that many of them had a last modified date older than their creation date.
I'd really like to take a big stick to the cretins that write/release these things...
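The file-date check described in post #1, together with a lookup of services that launch any flagged file, as an added example that is not part of the original thread. The parameter names and default values are assumptions made for this illustration.

```powershell
# Added example (not from the thread). Read-only triage: nothing is deleted or changed.
# Parameter names and default values are assumptions made for this illustration.
param(
    [string]$Path = (Join-Path $env:SystemRoot 'System32'),
    [int]$Days = 1
)

$cutoff = (Get-Date).AddDays(-$Days)

# Files created inside the look-back window whose last-write time predates
# their creation time, the pattern the poster used to spot the dropped files.
# Note: an ordinary file copy also produces this pattern (the copy gets a new
# creation time and keeps the source's last-write time), so treat hits as leads.
$suspects = @(Get-ChildItem -LiteralPath $Path -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $cutoff -and $_.LastWriteTime -lt $_.CreationTime } |
    Sort-Object CreationTime)

$suspects | Format-Table Name, Length, CreationTime, LastWriteTime -AutoSize | Out-String | Write-Host

# Services whose binary path references one of the flagged files; a service
# that restores files at boot has to be disabled before cleanup will stick.
$hits = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if (-not $svc.PathName) { continue }
    $image = [Environment]::ExpandEnvironmentVariables($svc.PathName)
    foreach ($file in $suspects) {
        if ($image.IndexOf($file.FullName, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            [pscustomobject]@{
                Service   = $svc.Name
                StartMode = $svc.StartMode
                State     = $svc.State
                PathName  = $svc.PathName
            }
        }
    }
}

if ($hits) {
    $hits | Format-Table -AutoSize -Wrap | Out-String | Write-Host
} else {
    Write-Host "No service image path references a flagged file."
}
```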
-
November 17th, 2004, 01:07 PM
#2
Thanks for the info. How were you infected?
-
November 17th, 2004, 05:30 PM
#3
A drunken night in Vegas...
Sorry, couldn't resist.
-
November 17th, 2004, 06:48 PM
#4
As near as I can tell, it was while I was doing research, dropping into links from a Google search, and hit a page that was no longer what it claimed to be (it looked like the original domain holder may have lost/given up the site, and it was taken over by opportunists). It was probably a JavaScript-initiated exploit (which I try to always cancel out of), but perhaps it wasn't a real JavaScript warning, and the close box was mapped to the same code as the okay button. As I say, I don't know for sure, I just know roughly when it happened, and took immediate steps to fix it.
I sure wish the big boys would get involved and put out spyware removal tools of the same caliber as antivirus. I appreciate the fact that AdAware and Spybot are major efforts for very little remuneration, but this problem needs a serious infusion of cash, and only fully commercial apps are going to get it. And I still haven't found anything (even for money) that gets the job done 98% of the time. And I've got numerous clients with teenage children using the computer that desperately need a solution on the scale of antivirus protection.
-
November 19th, 2004, 03:09 PM
#5
Originally posted by NolanF
A drunken night in Vegas...
Sorry, couldn't resist.