
Can't remove BargainBuddy!

Discussion in 'Malware and Virus Removal Archive' started by sinnistar, 2006/09/25.

Thread Status:
Not open for further replies.
  1. 2006/09/25
    sinnistar

    sinnistar Inactive Thread Starter

    Joined:
    2006/09/25
    Messages:
    6
    Likes Received:
    0
    I use system suite 6, and it's fairly useless. I've tried many times to remove bargainbuddy, including using hijackthis and many other programs. Some don't recognize it and some do. When I remove it, it comes right back. I've done this in safe mode with system restore turned off. Nothing works! How do I get rid of this? Here is my hijackthis file: Any help is greatly appreciated!

    Logfile of HijackThis v1.99.1
    Scan saved at 12:15:34 PM, on 9/25/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
    C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
    C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
    C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Documents and Settings\Buck\Desktop\spyware fix\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\PPE.EXE
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB002" /M "Stylus Photo R220 "
    O4 - HKLM\..\Run: [GhostSurf Reminder] "C:\Program Files\GhostSurf\Privacy Control Center.exe" reminder
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf\DeleteSatellite.exe "
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - Startup: Registration-InstantCopy.lnk = C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\Pixie\RegTool.exe
    O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127181002401
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152863356187
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winopn32 - winopn32.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
    O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
    O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
     
  2. 2006/09/25
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0


  4. 2006/09/25
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hello sinnistar and welcome to the forums.

    I am not seeing anything which points to BargainBuddy. Can you tell me where System Suite 6 is saying it is finding it?

    I do see however a reference to a TrojanDownloader infection in this line:
    O20 - Winlogon Notify: winopn32 - winopn32.dll (file missing)


    Ewido seems to get it, so let's DL and run Ewido and see what remains afterwards.

    Download Ewido Anti-Spyware from HERE and save that file to your desktop.
    This is a 30-day trial of the program.
    • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
    • Once the setup is complete you will need to run ewido and update the definition files.
    • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    • Under "Reports":
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
    Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.
    Reboot, into safe mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.
    1. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
      IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:
      • Launch ewido-anti-spyware by double-clicking the icon on your desktop.
      • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan ".
      • ewido will now begin the scanning process, be patient this may take a little time.
        Once the scan is complete do the following:
      • If you have any infections you will be prompted, then select "Apply all actions"
      • Next select the "Reports" icon at the top.
      • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
      • Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan. (Please edit out any cookie references)
     
  5. 2006/09/25
    sinnistar

    sinnistar Inactive Thread Starter

    Joined:
    2006/09/25
    Messages:
    6
    Likes Received:
    0


    I did everything and here is the list, minus the 7 cookie listings.

      HKLM\SOFTWARE\Classes\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
      C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup (quarantined).

      C:\Documents and Settings\Buck\Desktop\spyware fix\backups\backup-20060922-175859-904.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
      C:\WINDOWS\system32\jjolfplh.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).


      I'll keep checking to see if bargainbuddy comes back.
      Thank you for your help!


      Ooops, I just used ad-aware and it found bargainbuddy again!
     
    Last edited: 2006/09/25
  6. 2006/09/25
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, you still have not told me where it finds Bargain buddy. Is it a registry entry or a file or what?

    Ewido seems to have gotten one file tho, which is good.

    Get back to me about Bargain buddy and exactly where System Suite finds it.
     
  7. 2006/09/25
    sinnistar

    sinnistar Inactive Thread Starter

    Joined:
    2006/09/25
    Messages:
    6
    Likes Received:
    0
    registry. ad-aware calls it a regkey, HKEY_USERS.S-1-5-21-1060284298 etc.

    It seems to come back whenever I use int. explorer. I rebooted and it was no longer present, but after I used int. explorer it was back.
     
  8. 2006/09/26
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    This section of the registry pertains to individual user settings:
    HKEY_USERS -
    And the subkey you point to likely has several other sub keys as well. I'm guessing this could be a false positive, but without even the more specific sub key details it would be hard to guess.
     
  9. 2006/09/26
    sinnistar

    sinnistar Inactive Thread Starter

    Joined:
    2006/09/25
    Messages:
    6
    Likes Received:
    0
    I have no idea what that means other than that you are unable to help. But thanks for your effort.
     
  10. 2006/09/26
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    The problem is that you continually fail to give me all the info I need. This:
    Is like going to the doctor and saying I think I have pain in my back, and expecting the doctor to know exactly where that pain is in your back. He can't, unless you tell him where to look.

    HKEY_USERS is one of the main keys in the registry. The long number is a sub section of that key, but that too has sub-keys, such as:
    1. AppID
    2. Applications
    3. Network
    4. Software
    5. TypeLib
    So without the last parts I can't tell you if the findings are a threat or not.
     
  11. 2006/09/26
    sinnistar

    sinnistar Inactive Thread Starter

    Joined:
    2006/09/25
    Messages:
    6
    Likes Received:
    0
    and you're like a Doctor who never asks where it hurts then later complains: why didn't you tell me exactly where it hurts???!!!

    I'm obviously not an expert or I would not be here asking for help. The only way I know to answer your question is to tell you what ad-aware tells me. Which is this: It lists the "critical object" as name-bargainbuddy, type-Regkey, Category-Malware, Object-HKEY_USERS:S-1-5-21-1060284298-1993962763-725345543-1004\software\microsoft\windows\currentversion\ext\stats\(d27cdb6e-ae6d-11cf-96b8-444553540000)\
     
  12. 2006/09/26
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Confusion all around, first you said it was System Suite, then it was Adaware. And I asked twice for the specifics.

    You can set that finding to ignore with Adaware; it's related to Shockwave Flash Player.
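    As an added example that is not part of this thread, a PowerShell 3+ triage script for the two registry findings discussed above: the O20 Winlogon Notify entry whose DLL is missing, and the Ad-Aware HKEY_USERS\...\Ext\Stats "Regkey" hit that turns out to be the Shockwave Flash CLSID. The function names are my own; the usage line reuses the exact key posted earlier in the thread.

```powershell
# Added example, not from the thread. Requires Windows PowerShell 3 or later.

# 1. Winlogon Notify packages (HijackThis "O20" lines). Each subkey names a
#    DLL that winlogon.exe loads at logon; a DLLName that no longer exists on
#    disk ("(file missing)") is an orphaned entry worth reviewing. A bare file
#    name is resolved relative to %SystemRoot%\system32, as Windows does.
function Get-WinlogonNotifyStatus {
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $dll  = (Get-ItemProperty -Path $_.PSPath).DLLName
        $full = if ($dll -and -not [System.IO.Path]::IsPathRooted($dll)) {
            Join-Path $env:SystemRoot "system32\$dll"
        } else { $dll }
        [pscustomobject]@{
            Package = $_.PSChildName
            DLLName = $dll
            Exists  = [bool]($full -and (Test-Path -LiteralPath $full))
        }
    }
}

# 2. An Ad-Aware hit under HKEY_USERS\<SID>\...\Ext\Stats\{CLSID}. Ext\Stats
#    only holds Internet Explorer add-on statistics; what matters is which COM
#    object the CLSID names, so resolve the SID to an account and the CLSID to
#    its registered name and server DLL before deleting anything.
function Resolve-ExtStatsFinding {
    param([Parameter(Mandatory)][string]$RegPath)
    $pattern = '^HKEY_USERS[:\\](S-1-5-[\d-]+)\\.*\\Ext\\Stats\\[{(]([0-9A-Fa-f-]{36})[})]'
    if ($RegPath -notmatch $pattern) { throw "Not an HKEY_USERS ...\Ext\Stats\{CLSID} path: $RegPath" }
    $sid, $clsid = $Matches[1], $Matches[2]
    $account = '<SID not resolvable on this machine>'
    try {
        $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
    } catch { }
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\{$clsid}"
    [pscustomobject]@{
        Account    = $account
        CLSID      = "{$clsid}"
        ObjectName = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        ServerDLL  = (Get-ItemProperty -Path "$key\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    }
}

# Usage: list orphaned Notify packages, then resolve the key Ad-Aware reported
# in this thread (on a box with Flash installed it names the Shockwave Flash Object).
Get-WinlogonNotifyStatus | Where-Object { -not $_.Exists }
Resolve-ExtStatsFinding 'HKEY_USERS:S-1-5-21-1060284298-1993962763-725345543-1004\software\microsoft\windows\currentversion\ext\stats\(d27cdb6e-ae6d-11cf-96b8-444553540000)\'
```

    Run it from an elevated prompt on the affected machine; a Notify entry with Exists = False is the kind of leftover the O20 line above describes, while an Ext\Stats hit that resolves to a known, installed COM server is a candidate false positive.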
     
  13. 2006/09/26
    sinnistar

    sinnistar Inactive Thread Starter

    Joined:
    2006/09/25
    Messages:
    6
    Likes Received:
    0
    well, I guess you're trying to help? But you come across as a complete ass. You assumed system suite. After your first assumption I clearly replied, "registry. ad-aware calls it a regkey, HKEY_USERS.S-1-5-21-1060284298 etc."
    Maybe you are here just to mess with people? If so,,,,Good job! I'll try another post, and please, please, don't respond!
     
  14. 2006/09/26
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Due to resolution or the lack of feedback this topic is closed.

    If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.
     