Adware.Onban

Updated: February 13, 2007
Risk Impact: Low
File Names: Onban000.exe, Ob2.dll, Ob4.dll, Onban004.exe
Systems Affected: Windows

Behavior


Adware.Onban displays pop-up advertisements.

Symptoms


Advertising pop-ups are displayed.

Behavior


This adware component can be manually installed or installed as a component of another program.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version February 01, 2015 revision 020
  • Initial Daily Certified version March 19, 2004
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date March 22, 2004

When Adware.Onban runs, it performs the following actions:
  1. Downloads ob4.dll from a Web site and saves it in %Windir%.

    Note: %Windir% is a variable. The adware locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
  2. Registers Ob4.dll as a Browser Helper Object by creating and populating the following registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Browser Helper Objects\{5A7CBCDC-9228-4104-A57D-738CE50FBA4F}
    HKEY_LOCAL_MACHINE\CLASSES\CLSID\{5A7CBCDC-9228-4104-A57D-738CE50FBA4F}
    HKEY_LOCAL_MACHINE\CLASSES\Interface\{8DBFDE2A-A02C-4203-A3A1-CC848CA5355F}
    HKEY_LOCAL_MACHINE\CLASSES\TypeLib\{C465A061-CDA5-4553-9FEB-F5A4FA658BFD}
    HKEY_LOCAL_MACHINE\CLASSES\Onban004.ViewSource.1
    HKEY_LOCAL_MACHINE\CLASSES\Onban004.ViewSource

  3. Registers Ob2.dll as a Browser Helper Object by creating and populating the following registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Browser Helper Objects\{0F9E1CB9-1B32-436B-B44C-BC7B7369CB9B}
    HKEY_LOCAL_MACHINE\CLASSES\CLSID\{0F9E1CB9-1B32-436B-B44C-BC7B7369CB9B}
    HKEY_LOCAL_MACHINE\CLASSES\Interface\{87368154-7BA0-43BE-90F4-6D47BA01EB09}
    HKEY_LOCAL_MACHINE\CLASSES\TypeLib\{D897D800-4D10-4981-B927-ACA77586D8CA}
    HKEY_LOCAL_MACHINE\CLASSES\Onban002.ViewSource.1
    HKEY_LOCAL_MACHINE\CLASSES\Onban002.ViewSource

  4. Displays pop-up windows containing advertisements. It also downloads an updated list of pop-up windows.

    Note: At the time of writing, the Web site from which the adware downloads was unavailable.



The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the definitions.
  2. Unregister the Browser Helper Objects.
  3. Run a full system scan and delete all the files detected as Adware.Onban.
For specific details on each of these steps, read the following instructions.

1. Updating the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. Unregistering the Browser Helper Object
  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type, or copy and paste, the following text:

    regsvr32 /u "%Windir%\ob4.dll"

    then click OK.

  3. If a dialog box confirming this action appears, click OK.
  4. Click Start, and then click Run. (The Run dialog box appears.)
  5. Type, or copy and paste, the following text:

    regsvr32 /u "<path to ob2.dll>\ob2.dll"

    then click OK.

  6. If a dialog box confirming this action appears, click OK.

3. Scanning for and deleting the files
  1. Start your Symantec antivirus program, and then run a full system scan.
  2. If any files are detected as Adware.Onban, click Delete.

    Note: If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file name. Then use Windows Explorer to locate and delete the file.
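
A read-only PowerShell check that can be run before and after step 2 to confirm whether the two Browser Helper Objects are still registered, and to read the registered DLL path that the regsvr32 /u command for ob2.dll needs. This is an added example, not part of the original writeup or of any Symantec tool; the CLSIDs and file names are the ones listed above, while the registry locations it queries (the standard Windows Explorer\Browser Helper Objects list, HKEY_CLASSES_ROOT\CLSID, and their WOW6432Node views) are assumptions about a typical installation.

```powershell
# Added example: read-only check for the Adware.Onban BHO registrations.
# CLSIDs and file names are the ones listed in this writeup.
$onban = [ordered]@{
    '{5A7CBCDC-9228-4104-A57D-738CE50FBA4F}' = 'Ob4.dll'
    '{0F9E1CB9-1B32-436B-B44C-BC7B7369CB9B}' = 'Ob2.dll'
}

# Assumption: standard Windows BHO list locations (native view and the
# 32-bit view on 64-bit Windows) and the merged COM class view.
$bhoRoots = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID',
    'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID'
)

$results = foreach ($clsid in $onban.Keys) {
    # Is the CLSID still listed as a Browser Helper Object in either view?
    $listed = @($bhoRoots | Where-Object { Test-Path -LiteralPath "$_\$clsid" })

    # The default value of InprocServer32 holds the full path of the DLL
    # that implements the COM class: the path regsvr32 /u has to be given.
    $dll = $null
    foreach ($root in $clsidRoots) {
        $key = "$root\$clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            $dll = (Get-Item -LiteralPath $key).GetValue('')
            if ($dll) { break }
        }
    }

    [pscustomobject]@{
        ExpectedFile = $onban[$clsid]
        Clsid        = $clsid
        BhoListed    = ($listed.Count -gt 0)
        DllPath      = $dll
        DllOnDisk    = [bool]($dll -and (Test-Path -LiteralPath $dll))
    }
}

# After a successful regsvr32 /u, BhoListed should be False and DllPath empty.
$results | Format-Table -AutoSize
```

If DllOnDisk is still True after unregistering, the file itself remains and is handled by the scan in step 3.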