adware.agent.bn



#1 MrZ (Members, 15 posts)

Posted 18 October 2008 - 07:08 AM

Hi

Started with a popup that wanted me to download a codec.
Next I soon realized it was a virus/trojan and pulled the plug to the LAN.

Couldn't start command, regedit, taskmanager etc.
Googled a bit, downloaded Spyware Doctor and that told me it was adware.agent.bn.
Tried some manual cleanup, restore point, with no luck.
Found SDFix, booted in safe mode, ran SDFix and rebooted, SDFix started again and now it has been running for about 2 hours. Almost every file says "Unable to open the file "C:\Windows\temp\SDFix_Filecheck\filename"

Not sure what to do right now


#2 MrZ (Topic Starter, Members, 15 posts)

Posted 18 October 2008 - 07:49 AM

Just felt I had to stop it, it ran over 3 hours....
Stopped it and installed and ran MBAM in safe mode, and as I still haven't allowed the PC Internet access I also ran mbam-rules.exe.

Log below. Without a reboot I started SDFix again, wrong??


Malwarebytes' Anti-Malware 1.29
Database version: 1203
Windows 5.1.2600 Service Pack 2

2008-10-18 14:39:55
mbam-log-2008-10-18 (14-39-55).txt

Scan type: Quick Scan
Objects scanned: 53539
Time elapsed: 3 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\fccaYpNe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\drvkeys.bat (Trojan.Agent) -> Quarantined and deleted successfully.

#3 MrZ (Topic Starter, Members, 15 posts)

Posted 18 October 2008 - 08:04 AM

Still the same.. can't get SDFix to work after the first run and reboot.
Cancelled it again :thumbsup:

Tried SmitfraudFix and that didn't find anything

Edited by MrZ, 18 October 2008 - 08:22 AM.


#4 MrZ (Topic Starter, Members, 15 posts)

Posted 18 October 2008 - 09:20 AM

Dammit, thought I got it when I remembered that I always remove the default path (C:\windows\temp) for temp.
Added it again and still having the same problem.
I have a lot of big files, ISOs and such, but SDFix still says "Unable to open the file "C:\Windows\temp\SDFix_Filecheck\filename" on every file.

Can anyone help me to get SDFix to work please?

I just downloaded Symantec's TrojanVundo Removal Tool and am running it now.

Any suggestions appreciated

#5 MrZ (Topic Starter, Members, 15 posts)

Posted 18 October 2008 - 11:20 AM

WOW, wonder what I said to scare you all off from posting.
Must be my bad hangover breath...

#6 MrZ (Topic Starter, Members, 15 posts)

Posted 19 October 2008 - 02:49 AM

Well, I recognize now that I probably ruined myself by keeping on posting what I'm doing in my own thread.

Still not all clean here, Symantec's TrojanVundo Removal Tool showed nothing, even tried VundoFix from Atribune with the same result.


MBAM showed that there was still something, my guess is that I forgot to tell my wife and she tried to log in with her account (admin). Which resulted in her profile also getting polluted. Fact is that my daughter also has an account (user) but that seems not to have been tampered with.

Now running in safe mode ATF-Cleaner, MBAM and SAS in that order on both accounts.

Still appreciate help

#7 MrZ (Topic Starter, Members, 15 posts)

Posted 20 October 2008 - 09:59 AM

Still no help?

#8 Maniac (Members, 95 posts, Bulgaria, EU)

Posted 20 October 2008 - 10:07 AM

Please provide a log file from ESET SysInspector:

Download ESET SysInspector
http://www.eset.com/download/sysinspector.php

- Start the program by running SysInspector.exe
The program will collect information about the situation on your machine.
- When the inspector is ready and the log file has been generated, select File > Save Log
- Confirm

Choose to save the file somewhere and then use the forum option to attach that file to your comments.


Upload it on http://4storing.com/ (when you open the page, click on the Great Britain flag to open the page in English), then give me the link.

#9 MrZ (Topic Starter, Members, 15 posts)

Posted 20 October 2008 - 11:53 AM

Hi nod32fen and thanks for your reply.
Right now the computer seems pretty clean, running MBAM, SAS, HJT, Spyhunter, Stinger, ATF, FixVundo, SmitfraudFix etc etc...
BUT.. still there is something, files popping up in the TEMP folder, veeeeeery sloooow to shut down, entries in the event log that a system restore failed after a reboot, just things that make me feel NOT to let it have access to the Internet yet.

I started an online scan with F-Secure but aborted it when strange files popped up in the TEMP folder that were NOT from the online scan.

I have now decided to let SDFix finish its run so I might have a log; as you can see from earlier posts the only thing it's getting me is "unable to open file bla bla bla".

It has been running for about 4 hours now and my guess is that it won't be finished until tomorrow.
I have downloaded SysInspector and maybe tomorrow morning I can run it.

Is that a new program? I have read almost every thread from the latest month and haven't seen it (or you :) here before.

Best regards //a fool

#10 MrZ (Topic Starter, Members, 15 posts)

Posted 20 October 2008 - 01:29 PM

After SDFix hung on the same file for over 2 hours I had to stop it again.
Tried to have it just make a report but it seemed to have a problem copying a file:
IF NOT EXIST "%cd%\apps\CSweg.exe" COPY /Y "%cd%\apps\swreg.exe" "%cd%\apps\CSweg.exe">nul.
I copied the file myself and here is the log.

Gee, sorry about the big file!!
Removed file, I deleted a lot of files and finally got a full SDFix scan, hope that is ok posting it here..

Edited: found codebox tags :thumbsup:

SDFix: Version 1.236
Run by someone on 2008-10-20 at 20:52

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-20 20:58:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program\\Radmin\\radmin.exe"="C:\\Program\\Radmin\\radmin.exe:*:Enabled:Remote Administrator viewer"
"C:\\Program\\Winamp\\winamp.exe"="C:\\Program\\Winamp\\winamp.exe:*:Enabled:Winamp"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program\\TVersity\\Media Server\\MediaServer.exe"="C:\\Program\\TVersity\\Media Server\\MediaServer.exe:*:Enabled:MediaServer.exe"
"C:\\Program\\Qwix\\Qwix.exe"="C:\\Program\\Qwix\\Qwix.exe:*:Enabled:Qwix"
"C:\\Program\\FlashFXP\\flashfxp.exe"="C:\\Program\\FlashFXP\\FlashFXP.exe:*:Enabled:FlashFXP v3"
"C:\\Program\\Logitech\\Harmony Remote\\PatchHelper.exe"="C:\\Program\\Logitech\\Harmony Remote\\PatchHelper.exe:*:Enabled:Remote Control Software Patch Helper"
"C:\\Program\\Messenger\\msmsgs.exe"="C:\\Program\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"="C:\\Program\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"
"C:\\Program\\uTorrent\\uTorrent.exe"="C:\\Program\\uTorrent\\uTorrent.exe:*:Enabled:uTorrent"
"C:\\Program\\Winamp Remote\\bin\\Orb.exe"="C:\\Program\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\\Program\\DC\\AIR201\\AirDC.exe"="C:\\Program\\DC\\AIR201\\AirDC.exe:*:Enabled:AirDC++"
"C:\\Program\\DC\\Kopia av RSX 1.0 B1\\RSXPlusPlus.exe"="C:\\Program\\DC\\Kopia av RSX 1.0 B1\\RSXPlusPlus.exe:*:Disabled:RSX++"
"C:\\Program\\DC\\RSX 1.0 B3\\RSXPlusPlus.exe"="C:\\Program\\DC\\RSX 1.0 B3\\RSXPlusPlus.exe:*:Enabled:RSX++"
"C:\\Program\\DC\\DC++705\\DCPlusPlus.exe"="C:\\Program\\DC\\DC++705\\DCPlusPlus.exe:*:Enabled:DC++"
"C:\\BluesLovers\\YnHub.exe"="C:\\BluesLovers\\YnHub.exe:*:Enabled:YnHub 1.036"
"C:\\Program\\DC\\AIR203\\AirDC.exe"="C:\\Program\\DC\\AIR203\\AirDC.exe:*:Enabled:AirDC++"
"C:\\BluesBreakers\\YnHub.exe"="C:\\BluesBreakers\\YnHub.exe:*:Enabled:YnHub 1.036"
"C:\\Program\\DC\\RSX 1.0\\RSXPlusPlus.exe"="C:\\Program\\DC\\RSX 1.0\\RSXPlusPlus.exe:*:Enabled:RSX++"
"C:\\Program\\Symantec\\Symantec Endpoint Protection\\Smc.exe"="C:\\Program\\Symantec\\Symantec Endpoint Protection\\Smc.exe:*:Enabled:SMC Service"
"C:\\Program\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"="C:\\Program\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE:*:Enabled:SNAC Service"
"C:\\Program\\Delade filer\\Symantec Shared\\ccApp.exe"="C:\\Program\\Delade filer\\Symantec Shared\\ccApp.exe:*:Enabled:Symantec Email"
"C:\\Program\\Orbitdownloader\\orbitdm.exe"="C:\\Program\\Orbitdownloader\\orbitdm.exe:*:Enabled:Orbit"
"C:\\Program\\Orbitdownloader\\orbitnet.exe"="C:\\Program\\Orbitdownloader\\orbitnet.exe:*:Enabled:Orbit"
"C:\\Program\\Internet Explorer\\iexplore.exe"="C:\\Program\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program\\DC\\UC\\jUCy.exe"="C:\\Program\\DC\\UC\\jUCy.exe:*:Enabled:jUCy"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program\\FlashFXP\\flashfxp.exe"="C:\\Program\\FlashFXP\\FlashFXP.exe:*:Enabled:FlashFXP v3"
"C:\\Program\\Logitech\\Harmony Remote\\HarmonyClient"="C:\\Program\\Logitech\\Harmony Remote\\HarmonyClient:*:Enabled:Logitech Harmony Remote Software V5"
"C:\\Program\\Logitech\\Harmony Remote\\PatchHelper.exe"="C:\\Program\\Logitech\\Harmony Remote\\PatchHelper.exe:*:Enabled:Remote Control Software Patch Helper"
"C:\\Program\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"="C:\\Program\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"

Remaining Files :

Files with Hidden Attributes :

Sun 18 May 2008     6,104,632 A..H. --- "C:\Program\Picasa2\setup.exe"
Thu 22 Dec 2005         4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 12 Jul 2004       122,880 A..HR --- "C:\Program\Microsoft Works Suite 2005\Setup\EulaRegn.dll"
Wed 15 Sep 2004     1,949,696 A..HR --- "C:\Program\Microsoft Works Suite 2005\Setup\launcher.exe"
Wed 15 Sep 2004        53,760 A..HR --- "C:\Program\Microsoft Works Suite 2005\Setup\mnyinsta.dll"
Wed 15 Sep 2004        94,208 A..HR --- "C:\Program\Microsoft Works Suite 2005\Setup\RmvSuite.exe"
Wed 15 Sep 2004        35,328 A..HR --- "C:\Program\Microsoft Works Suite 2005\Setup\setuplng.dll"
Wed 15 Sep 2004        20,480 A..HR --- "C:\Program\Microsoft Works Suite 2005\Setup\unregwtr.exe"
Thu 12 Aug 2004        13,824 A..HR --- "C:\Program\Microsoft Works Suite 2005\Setup\wkernlng.dll"
Thu  7 Aug 2008         1,024 A..H. --- "C:\System Volume Information\_restore{8B55CCD8-CE2C-44D5-AF1D-45D83AF7A5F3}\RP1\A0001110.sys"
Sat 18 Oct 2008             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Fri  7 Dec 2007           407 A..H. --- "C:\Program\Delade filer\Symantec Shared\COH\COH32LU.reg"
Fri  7 Dec 2007           400 A..H. --- "C:\Program\Delade filer\Symantec Shared\COH\COHDLU.reg"
Mon 12 Feb 2007     3,096,576 A..H. --- "C:\Documents and Settings\Dennis\Application Data\U3\temp\Launchpad Removal.exe"
Mon 12 Feb 2007     3,096,576 A..H. --- "C:\Documents and Settings\Felizia\Application Data\U3\temp\Launchpad Removal.exe"
Fri  1 Mar 2002        20,480 A..H. --- "C:\Documents and Settings\Maggan\Skrivbord\FRÅN GAMLA USB MINNET\Förhandling\Avslutade förhandlingar\2002\Bistron\~WRL0002.tmp"
Tue 14 Oct 2003        20,480 A..H. --- "C:\Documents and Settings\Maggan\Skrivbord\FRÅN GAMLA USB MINNET\Förhandling\Avslutade förhandlingar\2003\Bäckakrogen AB\~WRL3623.tmp"
Tue  7 Jan 2003        20,480 A..H. --- "C:\Documents and Settings\Maggan\Skrivbord\FRÅN GAMLA USB MINNET\Förhandling\Avslutade förhandlingar\2003\Nicklas Express\~WRL0001.tmp"
Fri  1 Mar 2002        20,480 A..H. --- "C:\Documents and Settings\Maggan\Mina dokument\HRF\_Flyttat från Toshiba'n\Förhandling\Avslutade förhandlingar\2002\Bistron\~WRL0002.tmp"
Tue 14 Oct 2003        20,480 A..H. --- "C:\Documents and Settings\Maggan\Mina dokument\HRF\_Flyttat från Toshiba'n\Förhandling\Avslutade förhandlingar\2003\Bäckakrogen AB\~WRL3623.tmp"
Tue  7 Jan 2003        20,480 A..H. --- "C:\Documents and Settings\Maggan\Mina dokument\HRF\_Flyttat från Toshiba'n\Förhandling\Avslutade förhandlingar\2003\Nicklas Express\~WRL0001.tmp"

Finished!

Edited by MrZ, 20 October 2008 - 02:15 PM.
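Editor's note, not part of the thread: the most useful part of the SDFix log above for a responder is the "Authorized Application Key Export", the list of programs the Windows XP SP2 firewall lets through. A dropper that wants inbound access adds itself there, so each enabled exception should be checked against where the program actually lives. The script below is an added example (not SDFix's or the poster's code) that parses that registry-export format, normalizes the state field (note the lowercase "enabled" in the domain profile), and flags enabled exceptions outside the usual install directories. The sample is a few lines trimmed from the posted log; the set of "trusted" prefixes is an assumption of this example, with "C:\Program" included because it is the Program Files folder on the Swedish Windows XP in the log.

```python
"""Triage the Windows XP firewall 'AuthorizedApplications' export that SDFix
appends to its log. Added example for the thread; not part of SDFix."""
import re
from typing import Dict, List

# Constructed sample: a few lines trimmed from the "Authorized Application Key
# Export" section of the SDFix log posted above. The registry value format is
# "<path>:<scope>:<Enabled|Disabled>:<display name>".
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program\\Radmin\\radmin.exe"="C:\\Program\\Radmin\\radmin.exe:*:Enabled:Remote Administrator viewer"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\BluesLovers\\YnHub.exe"="C:\\BluesLovers\\YnHub.exe:*:Enabled:YnHub 1.036"
"C:\\Program\\uTorrent\\uTorrent.exe"="C:\\Program\\uTorrent\\uTorrent.exe:*:Enabled:uTorrent"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
'''

# Assumed "normal" install locations for this example. "C:\Program" is the
# Program Files folder on the Swedish Windows XP seen in the log.
TRUSTED_PREFIXES = (
    "c:\\program\\",
    "c:\\program files\\",
    "c:\\windows\\",
    "%windir%\\",
    "%programfiles%\\",
)

_KEY_RE = re.compile(
    r'^\[.*\\firewallpolicy\\(\w+)\\authorizedapplications\\list\]$', re.I)
_ENTRY_RE = re.compile(r'^"(?P<key>.*)"="(?P<value>.*)"$')
# Lazy path match lets the drive-letter colon stay in the path while the
# Enabled/Disabled token anchors the split.
_VALUE_RE = re.compile(
    r'^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>enabled|disabled):(?P<name>.*)$', re.I)


def parse_authorized_apps(text: str) -> List[Dict[str, str]]:
    """Return one dict per exception: profile, path, scope, state, name."""
    entries: List[Dict[str, str]] = []
    profile = "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            profile = key_match.group(1).lower()  # standardprofile / domainprofile
            continue
        entry = _ENTRY_RE.match(line)
        if not entry:
            continue
        value = _VALUE_RE.match(entry.group("value"))
        if not value:
            continue
        entries.append({
            "profile": profile,
            "path": value.group("path").replace("\\\\", "\\"),  # un-escape .reg backslashes
            "scope": value.group("scope"),
            "state": value.group("state").lower(),  # export mixes "Enabled"/"enabled"
            "name": value.group("name"),
        })
    return entries


def enabled_outside_trusted(entries: List[Dict[str, str]],
                            trusted_prefixes=TRUSTED_PREFIXES) -> List[Dict[str, str]]:
    """Enabled exceptions whose program lives outside the usual install paths.
    Not malicious by themselves, but this is where a dropper that punched a
    hole for itself would show up, so they get reviewed first."""
    flagged = []
    for e in entries:
        if e["state"] != "enabled":
            continue
        path = e["path"].lower()
        if not any(path.startswith(p) for p in trusted_prefixes):
            flagged.append(e)
    return flagged


def summarize(text: str) -> Dict[str, object]:
    entries = parse_authorized_apps(text)
    return {
        "total": len(entries),
        "enabled": sum(1 for e in entries if e["state"] == "enabled"),
        "flagged": [f'{e["profile"]}: {e["path"]} ({e["name"]})'
                    for e in enabled_outside_trusted(entries)],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_EXPORT)
    print(f'{report["enabled"]} of {report["total"]} exceptions enabled')
    for item in report["flagged"]:
        print("REVIEW", item)
```

Run against the full export in the post, the same check flags the two YnHub.exe entries under C:\BluesLovers and C:\BluesBreakers for a look, since they are the only enabled exceptions outside the Program and WINDOWS trees; everything else resolves to a known installed application.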


#11 MrZ (Topic Starter, Members, 15 posts)

Posted 20 October 2008 - 01:34 PM

@nod32fen

I have uploaded the ESET SysInspector log file named SysInspector-HEM-PC-081020-2024.zip
http://4storing.com/ry0gi/f186e0ec2040346e...aecac959fb.html

Thanks for your interest

regards

Edited by MrZ, 20 October 2008 - 01:35 PM.


#12 Maniac (Members, 95 posts, Bulgaria, EU)

Posted 21 October 2008 - 06:54 AM

I think everything is fine! I suggest you update your software.

#13 MrZ (Topic Starter, Members, 15 posts)

Posted 21 October 2008 - 10:24 AM

Thanks a LOT nod32fen, feels a lot better not to be alone here...
What software do you mean? Windows?..
I am running Symantec AV and that is all up to date; all other logs from the antispyware tools also say it's ok now and they are up to date.

One thing makes me suspicious, it takes about 5 min after clicking on reboot before it responds.
I also have 2 other accounts on the computer

#14 Maniac (Members, 95 posts, Bulgaria, EU)

Posted 21 October 2008 - 12:26 PM

Quote (MrZ): Thanks a LOT nod32fen, feels a lot better not to be alone here...
What software do you mean? Windows


Everything, including the operating system Microsoft Windows. It is recommended to update the following programs:

Audacity - http://www.softpedia.com/get/Multimedia/Au.../Audacity.shtml
CD Catalog Expert - http://www.softpedia.com/get/Others/File-C...og-Expert.shtml
DC++ - http://www.softpedia.com/get/Internet/File...plus-plus.shtml
DVDFab Platinum - http://www.softpedia.com/get/CD-DVD-Tools/...-Platinum.shtml
EVEREST Ultimate Edition - http://www.softpedia.com/get/System/System...e-Edition.shtml
FlashFXP - http://www.softpedia.com/get/Internet/FTP-.../FlashFXP.shtml
foobar2000 - http://www.softpedia.com/get/Multimedia/Au...rs/Foobar.shtml
Mozilla Firefox - http://www.softpedia.com/get/Internet/Brow...fox-Final.shtml
Picasa - http://www.softpedia.com/get/Multimedia/Gr...rs/Picasa.shtml
TVersity Media Server - http://www.softpedia.com/get/Multimedia/Vi...ia-Server.shtml
Unlocker - http://www.softpedia.com/get/System/System.../Unlocker.shtml
VLC media player - http://www.softpedia.com/get/Multimedia/Vi...AN-Client.shtml
Adobe Reader - http://www.softpedia.com/get/Office-tools/...be-Reader.shtml


I could not see which version some of your programs are. Here are some tips and/or information on the programs you use:

* Very good alternatives to the p2p client DC++ are StrongDC++ and ApexDC++.
* You use Mozilla Firefox (2.0.0.13), which is very old, even for version 2. This year Mozilla released version 3 of Firefox, which is in many ways better than version 2. More secure, lighter, more secure - that is Mozilla Firefox v3. I suggest you move to it. I gave the link for it above.
* You have several versions of Java installed. Versions older than Update 7, and even some newer ones, contain serious vulnerabilities that Internet threats exploit. I suggest you uninstall all Java updates older than Update 7.
* At least once a month, visit the portal www.softpedia.com. New versions of many programs are provided there. Check for new versions of your programs and update them. If you do not find one of your programs, notify the site team and they'll add it. Keeping your software updated will save you many problems.


Quote (MrZ): One thing makes me suspicious, it takes about 5 min after clicking on reboot before it responds.
I also have 2 other accounts on the computer


To clean your computer you installed multiple programs, which is a completely wrong approach. Unfortunately, this is how the help works in this case. After cleaning the virus/threats it is necessary to optimize your Microsoft Windows. It is recommended: to uninstall the software that you do not need, to delete the leftovers of uninstalled programs, to clean the temporary files from your computer (with Windows Disk Clean-up), to defragment your hard disk and to check your hard disk for errors.

#15 MrZ (Topic Starter, Members, 15 posts)

Posted 21 October 2008 - 12:37 PM

:thumbsup: I am very surprised you are the only one concerned with my problem, but I appreciate it much!!
Well, I'll try to clean out the antispyware programs, but most of them don't have an uninstaller.

The reboot problem started after the trojan/antispyware programs, dunno when

Edited by MrZ, 21 October 2008 - 01:42 PM.




