
Thread: Adware.Agent.BN

  1. #1
    geezerone (Senior Member)

    Adware.Agent.BN

    Hi

    I am trying to find/remove an 'Adware.Agent.BN decideinteractive.com' malware found using Spyware Doctor. I have tried Spyware Terminator and Spybot S&D. After 'fixing' with Spyware Doctor it reappears next boot or sooner?!

    Spyware Doctor also keeps finding and then fixing adware advertising a tracking cookies but these are low risk according to S D.

    Any pointers appreciated.

    TIA
    Anantech Benchmarking Tool for CPU, GPU and SSDs

  2. #2
    CrazyMonkey (Late Night Ninja!)

    Re: Adware.Agent.BN

    **SASH25 - Your removal steps are on page #2**


    OK, first of all I will say any steps I give are not 100% guaranteed to work and I cannot guarantee the safety of your system if you use these removal steps. However, I am a member of ASAP (Security Professionals) and do a lot of malware removal work on another forum.

    First of all, let's turn off System Restore; we don't want a backup of any malware files to reside in here (can be re-enabled once the infection is removed) -
    *Guessing you are running XP*
    Disabling or enabling Windows XP System Restore

    Second, download Hijackthis -
    TrendSecure | Download TrendMicro™ HijackThis™

    Run Hijackthis. Click "Do a system scan and save logfile"
    Post the contents of this logfile here. DO NOT CLICK "FIX CHECKED" - Do not fix anything just post log here.

    Download SMITFRAUDFIX (Save it to a known location)-
    SmitFraudFIX

    ---------------------------------------------------------------------------------------------------------------

    Boot into Safe Mode *Safe Mode required to kill processes/startups/conflicts* -
    Windows XP

    * If the computer is running, shut down Windows, and then turn off the power
    * Wait 30 seconds, and then turn the computer on.
    * Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    * Ensure that the Safe mode option is selected.
    * Press Enter. The computer then begins to start in Safe mode.
    * When you are finished with all troubleshooting, close all programs and restart the computer as you normally would.

    To use the System Configuration Utility method

    * Close all open programs.
    * Click Start, Run and type MSCONFIG in the box and click OK
    * The System Configuration Utility appears. On the BOOT.INI tab, check the "/SAFEBOOT" option, then click OK and restart your computer when prompted.
    * The computer restarts in Safe mode.
    * Perform the troubleshooting steps for which you are using Safe Mode.

    ---------------------------------------------------------------------------------------------------------------

    Once in Safe Mode, double-click on SMITFRAUDFIX.exe.
    Once the BlueBox shows, select 1 (to search).
    Once finished searching, run option 2 (Clean) *May require a restart of application/system*
    During cleaning, if prompted to clean the registry, select Y (Yes).

    Once this is finished, reboot your computer or, when you are finished with troubleshooting in Safe Mode (MSCONFIG way), open MSCONFIG again, on the BOOT.INI tab uncheck "/SAFEBOOT" and click OK to restart your computer.

    Once complete, re-scan with Spyware Doctor and post any results (if it still finds infection) -
    If it still persists I will try to give you manual removal steps via your Hijackthis log.

    Hope it helps - I have prepared a large manual removal process, however some parts may not apply and could cause conflict thus Hijackthis log is needed. We may also need other logs depending on the severity of the problem.
    Last edited by CrazyMonkey; 02-03-2008 at 11:59 PM.

  3. Received thanks from:

    geezerone (24-02-2008)

  4. #3
    geezerone (Senior Member)

    Re: Adware.Agent.BN

    Hi

    I tried what you suggested but still getting same 44 infections from Spyware Doctor. I don't get any pop-ups but don't know if this makes a difference?


  5. #4
    Behemoth (Registered User)

    Re: Adware.Agent.BN

    Might be time to nip into the registry and start stripping out any reference to the malware in there. Had to do that to a mate's laptop, it took me hours to remove it all. I would have been happy to have done a total re-install of the operating system to be quite honest, which in the end I had to as within a week it came back anyway.

    Wondering if there is a way to do it using a Linux Boot CD or something ??

  6. #5
    CrazyMonkey (Late Night Ninja!)

    Re: Adware.Agent.BN

    Where is the Hijackthis log? I can only continue to help if you provide the logs. Otherwise go here: Remove Agent BN, removal instructions, and try to manually strip it all away. I don't know if that will work; I haven't personally tested or run over it. If you don't do it right it can cause more harm than good.

  7. #6
    geezerone (Senior Member)

    Re: Adware.Agent.BN

    Update

    I cleared out history and temp folders etc and after several more attempts with Spyware Doctor I no longer get Adware Agent.BN hooray!

    Still getting yieldmanager and statcounter cookies.

    Still want the Hijack this log for these or are they worth bothering with?

    Thanks again.

  8. #7
    godsdog (Senior Member)

    Re: Adware.Agent.BN

    tbh, any half-decent antivirus product picks up Adware Agent.BN so I'd make sure you run one to double check (AntiVir certainly picks it up). An online scan using Trend Micro's HouseCall would also pick it up and clean up any remnants.

    Up to you if you want to put a log down.
    .
    "Ladies and Gentlemen, take my advice: Pull down your pants and slide on the ice"

  9. #8
    CrazyMonkey (Late Night Ninja!)

    Re: Adware.Agent.BN

    A log can look for further problems/resident files/infections.

    Entirely up to you, if you feel that your problems have been fully sorted then there is no need to post.

    Glad you have got it sorted =]

  10. Received thanks from:

    geezerone (25-03-2008)

  11. #9
    Registered User

    Re: Adware.Agent.BN

    Hi CrazyMonkey and geezerone!

    I'm new here and in front of all - sorry for my broken English, because I'm from Austria!
    First I had the same problem with Adware Agent BN - nothing works correctly, then I tried this from CrazyMonkey - you are great - now it works without the spyware.
    Thanks a lot!!!

    But I have one problem anyway: when I start the task manager, I get the reply: taskmgr is deactivated by the administrator, but I have all rights with my only one user!

    Do you have any idea what happens? And geezerone, do you have the same problem?

    Thank you for your post and have a nice day

    sash25

  12. #10
    Registered User

    Re: Adware.Agent.BN

    hi,
    also hkey_classes_root is on "%1"%*

  13. #11
    Registered User

    Re: Adware.Agent.BN

    Hi once more,
    I will send my logfile, but I must give a minimum of 5 posts, so I will write some more!
    Sorry

  14. #12
    Registered User

    Re: Adware.Agent.BN

    Only in the safe mode with my admin I have the task manager!
    So I hope after one more post I can send you my logfile

  15. #13
    Registered User

    Re: Adware.Agent.BN





    so on the next time it will be there

  16. #14
    Registered User

    Re: Adware.Agent.BN

    Hi together,

    My task manager doesn't work and here is my logfile:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:31:15, on 27.02.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programme\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
    C:\Programme\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
    C:\Programme\Acronis\TrueImage\TrueImageMonitor.exe
    C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe
    C:\Programme\Logitech\iTouch\iTouch.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
    C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
    C:\Programme\Ahead\InCD\InCD.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Programme\dvd43\dvd43_tray.exe
    C:\Programme\Spyware Doctor\pctsTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Programme\NETGEAR\WPN111 Configuration Utility\wpn111.exe
    C:\Programme\T-Online\DSL-Manager\DslMgr.exe
    c:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Programme\Logitech\MouseWare\system\em_exec.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Programme\Spyware Doctor\pctsAuxs.exe
    C:\Programme\Spyware Doctor\pctsSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
    C:\Programme\Alwil Software\Avast4\ashWebSv.exe
    C:\Programme\T-Online\DSL-Manager\DslMgrSvc.exe
    C:\WINDOWS\System32\alg.exe
    C:\Programme\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Programme\Internet Explorer\iexplore.exe
    C:\Programme\Internet Explorer\IEXPLORE.EXE
    C:\Programme\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Acronis*True*Image Monitor] "C:\Programme\Acronis\TrueImage\TrueImageMonitor.exe"
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programme\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [T-Online DSL-Manager] "C:\Programme\T-Online\DSL-Manager\TODslMgr.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [dvd43] C:\Programme\dvd43\dvd43_tray.exe
    O4 - HKLM\..\Run: [ISTray] "C:\Programme\Spyware Doctor\pctsTray.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKLM\..\Policies\Explorer\Run: [SystemManager] C:\WINDOWS\system32\winsta32.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Startup: DSL-Manager.lnk = C:\Programme\T-Online\DSL-Manager\DslMgr.exe
    O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) -
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
    O21 - SSODL: bdmanager - {242F3554-CF18-40E4-8A27-4634F3605A5D} - C:\WINDOWS\bdmanager.dll (file missing)
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programme\Ahead\InCD\InCDsrv.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programme\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programme\Spyware Doctor\pctsSvc.exe
    O23 - Service: DSL-Manager (TDslMgrService) - T-Systems Enterprise Services GmbH - C:\Programme\T-Online\DSL-Manager\DslMgrSvc.exe

    --
    End of file - 9114 bytes


    Hope anybody can help me,

    ciao

  17. #15
    godsdog (Senior Member)

    Re: Adware.Agent.BN

    Hi sash25

    It's a long story, so if you copy and paste that pdf document link into your browser, it should give you an idea of the problem...

    Code:
    http://www.symantec.com/avcenter/reference/stories.from.the.drm.world.pdf

    Choose the language for you below and use the Alpha-DISC Protection Uninstall Guide...

    Web Uninstaller Template: Alpha-DISC Protection Uninstall Guide

    and it should get rid of the rootkit behaviour you see (or should do).


    ==========================================

    winsta32.exe...

    Translated version of http://www.wintotal.de/Spyware/index.php?Filter=W
    .
    .
    Last edited by godsdog; 27-02-2008 at 09:27 PM.

  18. #16
    CrazyMonkey (Late Night Ninja!)

    Re: Adware.Agent.BN

    Hey Sash25. No problem regarding the help, I did it on a daily basis on a malware forum.

    Regarding your Hijackthis log, there are a few entries that require immediate fixing -

    - Open Hijackthis
    - Click "Do a System Scan Only"
    - Once the scan is completed tick/check the box next to the entry(s):
    O4 - HKLM\..\Policies\Explorer\Run: [SystemManager] C:\WINDOWS\system32\winsta32.exe
    O21 - SSODL: bdmanager - {242F3554-CF18-40E4-8A27-4634F3605A5D} - C:\WINDOWS\bdmanager.dll
    **Make sure only the above entry(s) is/are ticked/selected**
    - Once ticked click the "Fix Checked" button, after fixing is done close Hijackthis.

    The O4 entry is what appears to be a still active form of malware.
    The O21 entry is the remnants of adware.

    In regards to your task manager problem, were you able to enter task manager before the infection? It may just be a setting within Windows.
    First of all we will try Combofix; this fixes many malware problems and tampered task manager entries.

    - Download Combo Fix to your computer (ie desktop)
    - Close all open Windows including this one.
    - Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
    - Finally run combofix.exe and click "Run" on any security warnings that may pop-up.
    - Follow the onscreen prompts to complete the combofix process.

    A logfile should be saved to a location made known to you on screen whilst running combofix; please make a note of this location. After completion of combofix reboot your computer (if you haven't already done so), then please copy the contents of the combofix logfile here. Try to use task manager, post the results.

    Finally, along with the combofix log, post an updated Hijackthis log so I can check that it is finally clean.

    The steps I have provided are yours alone, tailor-made to suit what your logs show. However, the combofix steps can be used universally.


    Hope it goes well.
    Last edited by CrazyMonkey; 28-02-2008 at 12:59 AM.
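
The log review in the post above (an autostart registered under the `Policies\Explorer\Run` key, and entries whose target file is missing) can be written as a small log filter. This is an added example, not part of the original posts and not HijackThis code; the rule names and the choice of rules are assumptions made for illustration, and the sample lines are copied from the log posted earlier in this thread.

```python
import re

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [SystemManager] C:\WINDOWS\system32\winsta32.exe
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O21 - SSODL: bdmanager - {242F3554-CF18-40E4-8A27-4634F3605A5D} - C:\WINDOWS\bdmanager.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe (file missing)
"""

# A HijackThis entry line starts with a section code such as R0, O4 or O23.
# Header lines and the "Running processes" paths do not match this pattern.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")

# Hypothetical triage rules (assumptions for this example, not HijackThis logic).
# Each rule is (label, predicate over the section code and the entry body).
RULES = [
    # Autostart set through the policy Run key rather than the usual Run key.
    ("policy-run-autostart",
     lambda sec, body: sec == "O4" and "\\policies\\explorer\\run:" in body.lower()),
    # Registry still points at a file that is no longer on disk.
    ("file-missing",
     lambda sec, body: body.lower().endswith("(file missing)")),
    # Service whose binary carries no company name (or cannot be read).
    ("unknown-service-owner",
     lambda sec, body: sec == "O23" and " - unknown owner - " in body.lower()),
    # Startup shortcut whose target HijackThis could not resolve.
    ("unresolved-shortcut",
     lambda sec, body: sec == "O4" and body.endswith("= ?")),
]


def parse_entries(log_text):
    """Return (section, body) for every entry line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def triage(log_text):
    """Return the entries that match at least one rule, with the rule labels."""
    findings = []
    for sec, body in parse_entries(log_text):
        labels = [name for name, pred in RULES if pred(sec, body)]
        if labels:
            findings.append({"section": sec, "labels": labels, "entry": body})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4}{','.join(f['labels']):<40}{f['entry']}")
```

A label marks an entry for manual review, not as malicious: the Symantec service flagged here is a leftover that the post above did not select for fixing.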
