2005-10-25, 13:05   #1
jaycee
Junior Member
New not detected adware.

Hi,
Here is a new adware that is not yet detected by Spybot...

I guess it's from ad-w-a-r-e.com

It runs, at random times, the following path:
"C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE" hxxp://www.ad-w-a-r-e.com/cgi-bin/PopupV3?ID={9364E9EC-BFF4-77E5-47C9-BE1559C316B5}&type=normal&mSkip=1&rnd=20448

which opens a popup with a URL such as: hxxp://www.searc-h.com/normal/yyy53.html

It creates random files in windows\system32
(currently: dnwave.dll, kt0ml7d11.dll, lvp4097qe.dll, h2l2lc3o1f.dll...)
Size about 234.751 to 235.858
It adds a registry entry in winlogon/notify with (NetCache or Shell) as key and one of the DLLs as value.
- When I try to delete it (the registry entry), it's back in 1 or 2 sec.
- When I add ad-w-a-r-e.com to the hosts file, the entry in the file is deleted after 1 or 2 sec.
- Safe mode doesn't work, it is still loaded.
- regmon/filemon from Sysinternals don't work anymore since that crap was installed.
- The last SBot update doesn't detect it... (although it discovers tsr something that was installed at the same time as this ad-w-a-r-e...).

<edit>
I found a previous version of filemon (Sysinternals) that works (the one provided with a .sys file); the hosts file is accessed every 5 sec by the winlogon process.
I guess the DLL in the winlogon registry is accessing it.
But I can't kill the DLL, and certainly can't kill winlogon.
processXP (still Sysinternals) detects a running process (rundll32.exe "C:\WINDOWS\system32\guard.tmp",DllGetVersion)
guard.tmp is a copy of the generated DLL, which comes at boot time.
</edit>

Any help would be welcome...

Thanks,
Jean-Christophe

Disabled urls.

Last edited by tashi; 2005-10-26 at 04:31.
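
Added example, not part of the original post and not Spybot's own code: one way to triage the Winlogon\Notify entry described above is to export that key and compare each subkey's DllName against a baseline from a known-clean machine. The export text, the baseline set and the function names are constructed for illustration; the NetCache subkey and dnwave.dll are the names given in the post.

```python
import re

NOTIFY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Constructed sample export; the NetCache subkey and dnwave.dll come from the post.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,\
  64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NetCache]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\dnwave.dll"
"""

# Constructed baseline: DLL names seen under Notify on a known-clean machine.
CLEAN_BASELINE = {"crypt32.dll"}


def parse_notify_export(text):
    """Return {subkey: DllName} from a version 5.00 .reg export of the Notify key."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    entries, subkey = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            path = line.strip("[]")
            inside = path.upper().startswith(NOTIFY.upper() + "\\")
            subkey = path[len(NOTIFY) + 1:] if inside else None
        elif subkey and line.lower().startswith('"dllname"='):
            raw = line.split("=", 1)[1]
            if raw.startswith("hex(2):"):  # REG_EXPAND_SZ stored as UTF-16LE bytes
                data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
                entries[subkey] = data.decode("utf-16-le").rstrip("\x00")
            else:  # REG_SZ: quoted, with backslashes doubled
                entries[subkey] = raw.strip('"').replace("\\\\", "\\")
    return entries


def triage(entries, baseline):
    """List (subkey, DllName) pairs whose DLL file name is not in the baseline."""
    known = {name.lower() for name in baseline}
    return [(key, dll) for key, dll in sorted(entries.items())
            if re.split(r"[\\/]", dll)[-1].lower() not in known]


if __name__ == "__main__":
    for key, dll in triage(parse_notify_export(SAMPLE_EXPORT), CLEAN_BASELINE):
        print(f"review Notify\\{key}: {dll}")
```

A real version 5.00 export file is UTF-16 encoded, so read it with `encoding="utf-16"` before passing the text to `parse_notify_export`.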

2005-10-25, 16:30   #2
MisterW
Member of Team Spybot

Hi Jaycee,
I think the stuff from www.ad-w**** will be detected with the next update. But I will check it again.

Thank you for your help,
Markus

2005-10-25, 17:30   #3
tashi
Member of Team Spybot

Hi there.
As you have an L2M infection, it would be a good idea for you to go to a forum that has malware removal assistance to clean up the computer.

There may be other infections on the system.

Here are two forums, please choose one only.
http://www.atribune.org/forums/index.php?
Or
http://247fixes.com/forums/

FYI: There are many ASAP sites on a list here:
http://asap.maddoktor2.com/

You will need to post a HiJackThis log at the forum of your choice.
Instructions are posted at each site.

Hope that helps.
Edited URL

Last edited by tashi; 2005-10-25 at 20:36.

2005-10-27, 03:04   #4
Said Bakr
Translator Team
Oh !

This problem causes a headache for me. I hope the SpyBot update to solve this adware comes soon.
ad-w-a-r-e.com
****
Today, I have downloaded the update of 28 OCT. 2005. I have run the scan, but there is no detection for this adware. The problem still exists.
__________________
for ($i = 0; $i != -1; $i++){
echo "Best Regards";
}

Last edited by Said Bakr; 2005-10-28 at 19:54.
All times are GMT +2.


Copyright © 2000-2010 Safer-Networking Limited. All rights reserved.