Techie help.....Backdoor.Agent.B.

RhumbRunner13

No alts, no "Iggy"
Joined
Jan 4, 2002
Posts
3,463
I was running Ad-aware yesterday when, halfway through, a warning box popped up saying Norton had found an unrepairable virus, Backdoor.Agent.B. I let Ad-aware finish and ran a virus scan; no virii detected. I then ran Spybot S&D, got the same warning, and this time it would not clear/close. I let SB finish and had to reboot to clear the warning.

I Googled B.A.B. and found Symantec's site, which indicated to me that B.A.B. must be cleaned manually through Regedit. I printed the instructions and started the process (minus the backup of "system state"). I disabled "System Restore". I updated virus definitions and ran another virus scan. I started Regedit and navigated to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The directions then were "in the right pane, delete the value: "<1-5 random characters>" = "RUNDLL32 %System%\<DLL filename>.dll.StreamingDeviceSetup"". The ONLY value I have even similar to that is an NvCplDaemon entry that reads "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup".

Is that the value I should delete? It doesn't appear to be the same value as what the directions say to delete.

Further on in the instructions it says to navigate to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows and to double-click "Appinit_DLLs" in the right pane and then to "delete the following text from the Value Data box"... I have NO value in the box - it is blank!

Sooo.......what do you guys think? Do I have B.A.B or not? Could something in Ad-aware and SB S&D be triggering a false warning?

Much further into the process and I will be over my head as far as changing stuff. Think I should just take the 'puter to a Pro?

Rhumb
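As an added example (not from the original post or from Symantec), here is a read-only PowerShell script that lists the two autostart locations the removal instructions point at and flags the pattern they describe: a Run value with a 1-5 character name, or a rundll32 command whose DLL does not exist on disk. The NvCplDaemon entry quoted above should come out as "[ok]" because its DLL is present. The variable and flag names are mine.

```powershell
# Added example: enumerate the two autostart locations named in the Symantec
# removal instructions and flag suspicious rundll32-style entries. Nothing is
# deleted; the script only prints what it finds so you can compare it with the
# instructions before touching the registry.
$runKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$appInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$psMeta     = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

Write-Host "== $runKey =="
$run = Get-ItemProperty -Path $runKey
foreach ($prop in $run.PSObject.Properties) {
    if ($prop.Name -in $psMeta) { continue }        # skip PowerShell's own metadata properties
    $name  = $prop.Name
    $value = [string]$prop.Value
    $flags = @()

    # Pattern from the instructions: "<1-5 random characters>" = "RUNDLL32 ...\<dll>.dll,Entry"
    if ($name -match '^.{1,5}$') { $flags += 'short-random-name' }

    # For rundll32 commands, pull out the DLL path (text up to the comma before the
    # entry point) and check that the file actually exists. %System% is a placeholder
    # in the instructions, not a real environment variable, so it would be flagged too.
    if ($value -match '(?i)rundll32(?:\.exe)?\s+"?([^,"]+?\.dll)') {
        $dll = [Environment]::ExpandEnvironmentVariables($Matches[1])
        if (-not (Test-Path -LiteralPath $dll)) { $flags += "dll-missing:$dll" }
    }

    $tag = if ($flags) { '[CHECK: ' + ($flags -join ', ') + ']' } else { '[ok]' }
    Write-Host ("{0,-20} {1}  {2}" -f $name, $value, $tag)
}

Write-Host "`n== AppInit_DLLs =="
$appInit = (Get-ItemProperty -Path $appInitKey -ErrorAction SilentlyContinue).AppInit_DLLs
if ([string]::IsNullOrWhiteSpace($appInit)) {
    # A blank value is what the poster saw; it is the normal state on a clean machine.
    Write-Host 'AppInit_DLLs is empty.'
} else {
    # Anything listed here is loaded into every process that loads user32.dll, so a
    # non-empty value deserves a close look even if the scanner is quiet.
    Write-Host "AppInit_DLLs = $appInit  [CHECK: non-empty]"
}
```

Run it from an elevated PowerShell prompt so both keys are readable; a "[CHECK: ...]" line is a prompt to look closer, not proof of infection.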
 
I suggest that you try a second antivirus program and see if that can fix it.

AVG antivirus from www.grisoft.com is one of the best free antivirus programs on the market, so try downloading it, run it, and see what happens.
 
ShyGuy68 said:
I suggest that you try a second antivirus program and see if that can fix it.

AVG antivirus from www.grisoft.com is one of the best free antivirus programs on the market, so try downloading it, run it, and see what happens.
Thanks for the link, SG. I downloaded from the Grisoft site and ran Vcleaner with the same results as Ad-aware and SB S&D. When Vcleaner was checking Windows 32, Norton popped up saying it had detected B.A.B.

Vcleaner did not detect anything!
 
RhumbRunner13 said:
Thanks for the link, SG. I downloaded from the Grisoft site and ran Vcleaner with the same results as Ad-aware and SB S&D. When Vcleaner was checking Windows 32, Norton popped up saying it had detected B.A.B.

Vcleaner did not detect anything!

It may be that Norton is popping up and detecting B.A.B. because it's detecting the pattern ad-aware and vcleaner use to detect it?

Since you didn't find the registry entries that the manual clean instructions told you to look for, you're probably clean and Norton is giving you a false positive.

To be sure, reboot and hold the control key down until you get the boot menu. Choose Safe Mode and run AVG from safe mode to ensure that Norton isn't blocking AVG from checking for that particular virus. If that comes up clean, I wouldn't worry about it any further.
 
Weird Harold said:
It may be that Norton is popping up and detecting B.A.B. because it's detecting the pattern ad-aware and vcleaner use to detect it?

Since you didn't find the registry entries that the manual clean instructions told you to look for, you're probably clean and Norton is giving you a false positive.

To be sure, reboot and hold the control key down until you get the boot menu. Choose Safe Mode and run AVG from safe mode to ensure that Norton isn't blocking AVG from checking for that particular virus. If that comes up clean, I wouldn't worry about it any further.

I was hoping you would show up, Harold, thanks. I finally got booted in safe mode (it's F8 on this Dell) but couldn't get to Grisoft on my desktop. I'm getting tired now and my concentration isn't what I want it to be for doing "weird" stuff (no pun intended) on my 'puter.

The fact that several other programs besides Norton have found nothing makes me think you are right-on with Norton being triggered by the routines of the other scans. My Norton has been on the computer since it was new and always had Live Update active.

Maybe I'll play with it some tomorrow. Thanks again.

Rhumb
 
This is probably a false positive.

The places that start the virus running do not contain instructions to start it, so it isn't running (unless its startup is hidden in still yet another place -- and a virus often hides in multiple places).

However, the program itself (that would be started by the Run entry in the registry) may still be around (though not actively running), and Ad-aware is looking at it. When it finds it, Norton (watching over Ad-aware's shoulder) sees it too.

Now, as long as it doesn't run, life is well. Some previous "clean up" of the virus might not have gotten rid of everything (though it should have), and some traces like the executable remain.

In fact, it could be that the cleaning operation tried to delete the executable but was denied delete access because it was actively running. The cleaner did get rid of the "start command", so now the executable (after you rebooted) is totally dormant and could be deleted.

Look for the DLL (whose name is not quite obvious from the text you posted) and rename it; then, if all is well after a couple of days, delete the renamed file.

While some cleaners still have signature files in the clear, the fact that they generate false positives has sent the cleaners to "hide" them so they won't be detected by the AV scanners. Keeping them in an encrypted zip file (which the scanner cannot open without decryption) or putting them in an obviously non-executable data file in some scrambled format are two methods in use.

For the record, the Ad-aware and Spybot current signatures are not reported as false positives by AVG, Norton, or McAfee, so the following won't make any difference...

You might want to add "C:\Program Files\Lavasoft\Adaware" to the excluded list of your scanner (Norton, AVG), or just scan that directory only to see if that's where the scanner is finding it. If you look in the scanner log file you should find an entry identifying where the offender was found on the last scan or last access during normal operation (i.e. while Ad-aware was running).

PS: AVG free is a lousy cleaner. In fact, I'm not sure it really cleans anything, even when you use the "clean" option off of the "virus discovered" screen that appears during normal computer use.

PPS: Norton, McAfee, Panda, Nod, and PC-cillin have specialized cleaners for many viruses that do the job when the scanner won't. I assume that if you look up the name in a vendor's virus library you will be told if a stand-alone cleaner is available from that vendor.
 
ReadyOne said:
This is probably a false positive.

The places that start the virus running do not contain instructions to start it, so it isn't running (unless its startup is hidden in still yet another place -- and a virus often hides in multiple places).

However, the program itself (that would be started by the Run entry in the registry) may still be around (though not actively running), and Ad-aware is looking at it. When it finds it, Norton (watching over Ad-aware's shoulder) sees it too.

Now, as long as it doesn't run, life is well. Some previous "clean up" of the virus might not have gotten rid of everything (though it should have), and some traces like the executable remain.

In fact, it could be that the cleaning operation tried to delete the executable but was denied delete access because it was actively running. The cleaner did get rid of the "start command", so now the executable (after you rebooted) is totally dormant and could be deleted.

Look for the DLL (whose name is not quite obvious from the text you posted) and rename it; then, if all is well after a couple of days, delete the renamed file.

While some cleaners still have signature files in the clear, the fact that they generate false positives has sent the cleaners to "hide" them so they won't be detected by the AV scanners. Keeping them in an encrypted zip file (which the scanner cannot open without decryption) or putting them in an obviously non-executable data file in some scrambled format are two methods in use.

For the record, the Ad-aware and Spybot current signatures are not reported as false positives by AVG, Norton, or McAfee, so the following won't make any difference...

You might want to add "C:\Program Files\Lavasoft\Adaware" to the excluded list of your scanner (Norton, AVG), or just scan that directory only to see if that's where the scanner is finding it. If you look in the scanner log file you should find an entry identifying where the offender was found on the last scan or last access during normal operation (i.e. while Ad-aware was running).

PS: AVG free is a lousy cleaner. In fact, I'm not sure it really cleans anything, even when you use the "clean" option off of the "virus discovered" screen that appears during normal computer use.

PPS: Norton, McAfee, Panda, Nod, and PC-cillin have specialized cleaners for many viruses that do the job when the scanner won't. I assume that if you look up the name in a vendor's virus library you will be told if a stand-alone cleaner is available from that vendor.

WOW!!! Great response Ready.

With you and Harold "on the case" my mind is set at ease. I don't have the tech knowledge to totally understand what you are saying, but I "almost" understand. It's a little too late to start messing with the internal codes once again, but tomorrow I'll see what I can track down. I know B.A.B. goes by several different names so I doubt that a simple search will solve much.

I haven't had ANY problems, except a week ago a neighbor emailed me that they were unable to open the attachment that I had included in the email I sent. I hadn't sent an email, much less an attachment. I ran Norton immediately and found nothing.

I'll work on this more later, but thanks guys for being such a great help!

Rhumb
 
If you and your neighbor have something in common (and they say everyone is within seven degrees of closeness in this world) then you might be hit by a remailer virus some third party is running.

The third party has both your addresses in their address book, and the virus infecting their machine constructs e-mail using random selections from the address book as the sender. Destination = your neighbor, "sender" = you, real source = 3rd person.

You can see this also when you get a courtesy "bounced" message about mail to someone you never heard of that was "apparently" sent by you.
 
ReadyOne said:
If you and your neighbor have something in common (and they say everyone is within seven degrees of closeness in this world) then you might be hit by a remailer virus some third party is running.

The third party has both your addresses in their address book, and the virus infecting their machine constructs e-mail using random selections from the address book as the sender. Destination = your neighbor, "sender" = you, real source = 3rd person.

You can see this also when you get a courtesy "bounced" message about mail to someone you never heard of that was "apparently" sent by you.

I have seen that. Also messages from people I don't know supposedly replying to a message I never sent. Is that indicating that I have malware on my computer, or that they have captured my address and are sending out messages as me?

Rhumb
 