jaycee
2005-10-25, 14:05
Hi,
Here is a new adware, that is not yet detected by spybot...
I guess it's from ad-w-a-r-e.com
it runs at random times, the following path
"C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE" hxxp://www.ad-w-a-r-e.com/cgi-bin/PopupV3?ID={9364E9EC-BFF4-77E5-47C9-BE1559C316B5}&type=normal&mSkip=1&rnd=20448
which opens a popup with such url : hxxp://www.searc-h.com/normal/yyy53.html
Creates random files in windows\system32
(currently: dnwave.dll, kt0ml7d11.dll, lvp4097qe.dll, h2l2lc3o1f.dll...)
Size about 234.751 to 235.858
Adds a registry entry in winlogon/notify with (NetCache or Shell) as key and one of the dlls as value.
- When I try to delete it (registry entry), it's back in 1 or 2 sec.
- When I add the ad-w-a-r-e.com to hosts file, entry in file is deleted after 1 or 2 sec.
- Safe mode doesn't work, still loaded.
- regmon/filemon from Sysinternals don't work anymore since that crap is installed.
- Last SBot update doesn't detect it... (although it discovers tsr-something that has been installed at the same time as this ad-w-a-r-e...).
<edit>
I found a previous version of filemon (Sysinternals) that works (the one provided with a .sys file); the hosts file is accessed every 5 sec by the winlogon process.
I guess the dll in the winlogon registry entry is accessing it,
but I can't kill the dll, and certainly can't kill winlogon.
processXP (still Sysinternals) detects a running process (rundll32.exe "C:\WINDOWS\system32\guard.tmp",DllGetVersion)
guard.tmp is a copy of the generated dll, which comes back at boot time.
</edit>
Any help would be welcome...
Thanks,
Jean-Christophe
Disabled urls.
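The persistence point the post describes is a Winlogon notification package: a subkey under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify whose DLLName is loaded into winlogon.exe at logon, which is why it survives safe mode and why the DLL cannot be unloaded from a running session. The script below is an added triage example, not code from the poster or from Spybot: it parses a `.reg` export of that key (a constructed sample is embedded) and reports subkeys that are not among the stock Windows XP notification packages, or whose DLLName is an absolute path rather than a bare file name. The baseline list of stock subkeys and the bare-file-name convention are assumptions that fit XP SP2; other Windows builds need a different baseline. Working from an offline export means the check can be run from a clean machine or a recovery environment, which matters when tools like regmon no longer work on the infected host.

```python
"""Triage a .reg export of Winlogon\\Notify for unexpected notification packages.

Added example for the post above (not the poster's or Spybot's code).
Assumptions: XP SP2 stock subkey names; stock entries use a bare DLL file name.
"""
import re

# Stock Winlogon notification packages on Windows XP SP2 (assumed baseline).
KNOWN_NOTIFY_SUBKEYS = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}

NOTIFY_KEY_PREFIX = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    r"\Winlogon\Notify" + "\\"
)

# Constructed sample export: two stock entries plus a "NetCache" subkey of the
# kind the post describes (random DLL name in system32). Not a real capture.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DLLName"="crypt32.dll"
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DLLName"="wlnotify.dll"
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NetCache]
"Asynchronous"=dword:00000000
"DLLName"="C:\\WINDOWS\\system32\\kt0ml7d11.dll"
"Impersonate"=dword:00000000
"""

_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Return {subkey_name: {value_name: value_data}} for Notify subkeys only."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            # Only keep keys directly under Winlogon\Notify.
            if path.startswith(NOTIFY_KEY_PREFIX):
                current = path[len(NOTIFY_KEY_PREFIX):]
                result[current] = {}
            else:
                current = None
            continue
        if current is None:
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            # .reg files escape backslashes inside string values as "\\".
            data = data[1:-1].replace("\\\\", "\\")
        result[current][name] = data
    return result


def dll_name(values):
    """Fetch DLLName case-insensitively (registry value names are not case-sensitive)."""
    for name, data in values.items():
        if name.lower() == "dllname":
            return data
    return ""


def suspicious_notify_entries(entries):
    """Return (subkey, dll, reason) tuples for entries worth investigating."""
    findings = []
    for subkey, values in entries.items():
        dll = dll_name(values)
        if subkey not in KNOWN_NOTIFY_SUBKEYS:
            findings.append((subkey, dll, "subkey not in XP baseline"))
        elif "\\" in dll or "/" in dll:
            # Stock packages are registered by bare file name (assumption).
            findings.append((subkey, dll, "baseline subkey points at a full path"))
    return findings


def triage_sample():
    """Run the check over the embedded sample and return its findings."""
    return suspicious_notify_entries(parse_reg_export(SAMPLE_REG))


if __name__ == "__main__":
    for subkey, dll, reason in triage_sample():
        print(f"{subkey}: {dll or '<no DLLName>'} ({reason})")
```

Each flagged DLL is a candidate for hashing and submission to the anti-malware vendor; removal has to happen from outside the running session (offline registry edit plus file deletion), since the post's observation that the entry reappears within seconds and that guard.tmp is recreated at boot shows the package re-registers itself while winlogon is running.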