Thread: New not detected adware.

  1. #1
    Junior Member
    Join Date
    Oct 2005

    New not detected adware.

    Here is a new adware, that is not yet detected by spybot...

    I guess it's from

    It runs, at random times, the following path:
    "C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE" hxxp://{9364E9EC-BFF4-77E5-47C9-BE1559C316B5}&type=normal&mSkip=1&rnd=20448

    which opens a popup with a URL such as: hxxp://

    Creates random files in windows\system32
    (currently: dnwave.dll, kt0ml7d11.dll, lvp4097qe.dll, h2l2lc3o1f.dll...)
    Size about 234.751 to 235.858
    Adds a registry entry in winlogon/notify with (NetCache or Shell) as key and one of the DLLs as value.
    - When I try to delete it (registry entry), it's back in 1 or 2 sec.
    - When I add the to hosts file, entry in file is deleted after 1 or 2 sec.
    - Safe mode doesn't work, still loaded.
    - regmon/filemon from Sysinternals don't work anymore since that crap is installed.
    - Last SBot update doesn't detect it... (although it discovers tsr something that has been installed at the same time as this ad-w-a-r-e...).

    I found a previous version of filemon (Sysinternals) that works (the one provided with a .sys file); the hosts file is accessed every 5 sec by the winlogon process.
    I guess the DLL in the winlogon registry is accessing it.
    But I can't kill the DLL, and certainly can't kill winlogon.
    processXP (still Sysinternals) detects a running process (rundll32.exe "C:\WINDOWS\system32\guard.tmp",DllGetVersion)
    guard.tmp is a copy of the generated DLL, which comes at boot time.

    Any help would be welcome...


    Disabled urls.
    Last edited by tashi; 2005-10-26 at 05:31.
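
A defender-side triage of the indicators reported in the post above (a Winlogon Notify entry pointing at an unfamiliar DLL, and rundll32 loading guard.tmp), as an added example that is not part of the original thread. The baseline, the sample entries, the function names and the reading of the reported size as bytes are assumptions.

```python
import ntpath
import re

# Assumption: baseline of Notify subkey -> DLL copied from a known-clean machine
# of the same Windows build (constructed here; supply your own).
BASELINE = {"crypt32chain": "crypt32.dll", "sclgntfy": "sclgntfy.dll",
            "wlballoon": "wlnotify.dll"}
# Assumption: the post's "234.751 to 235.858" read as a size range in bytes.
SIZE_RANGE = (234751, 235858)

def triage_notify(entries, baseline=BASELINE, size_range=SIZE_RANGE):
    """Return (subkey, dll, reasons) for Notify entries that deviate from the baseline."""
    findings = []
    for e in entries:
        dll = ntpath.basename(e["dll"]).lower()
        expected = baseline.get(e["subkey"].lower())
        reasons = []
        if expected is None:
            reasons.append("subkey not in baseline")
        elif expected != dll:
            reasons.append("DllName differs from baseline")
        size = e.get("size")
        if size is not None and size_range[0] <= size <= size_range[1]:
            reasons.append("size in reported range")
        # Size alone is weak evidence; report only entries that leave the baseline.
        if reasons and reasons != ["size in reported range"]:
            findings.append((e["subkey"], dll, reasons))
    return findings

def rundll32_loads_non_dll(cmdline):
    """True when rundll32 is pointed at a file without a .dll extension
    (the post's guard.tmp case). Legitimate .cpl targets will also match."""
    m = re.search(r'rundll32(?:\.exe)?"?\s+"?([^",]+)', cmdline, re.I)
    return bool(m) and not m.group(1).strip().lower().endswith(".dll")

# Constructed sample: Notify subkeys as exported from a suspect machine.
SAMPLE = [
    {"subkey": "crypt32chain", "dll": "crypt32.dll", "size": 599040},
    {"subkey": "NetCache", "dll": r"C:\WINDOWS\system32\kt0ml7d11.dll", "size": 235000},
    {"subkey": "Shell", "dll": "dnwave.dll", "size": None},
]

if __name__ == "__main__":
    for subkey, dll, reasons in triage_notify(SAMPLE):
        print(f"{subkey}: {dll} ({'; '.join(reasons)})")
    print(rundll32_loads_non_dll(
        r'rundll32.exe "C:\WINDOWS\system32\guard.tmp",DllGetVersion'))
```

Comparing against a baseline catches dnwave.dll, which a "random-looking file name" heuristic would miss because the name contains no digits.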

  2. #2
    Join Date
    Oct 2005


    Hi Jaycee,
    I think the stuff from **** will be detected with the next update. But I will check it again.

    Thank you for your help,

  3. #3
    tashi (Member of Team Spybot)
    Join Date
    Oct 2005


    Hi there.
    As you have an L2M infection, it would be a good idea for you to go to a forum that has malware removal assistance to clean up the computer.

    There may be other infections on the system.

    Here are two forums, please choose one only.

    FYI: There are many ASAP sites on a list here:

    You will need to post a HiJackThis log at the forum of your choice.
    Instructions are posted at each site.

    Hope that helps.
    Edited URL
    Last edited by tashi; 2005-10-25 at 21:36.

  4. #4
    Said Bakr (Translator Team)
    Join Date
    Oct 2005
    Kafr Sakr, Egypt

    Oh!

    This problem causes a headache for me. I hope the SpyBot update to solve this adware comes soon.
    Today, I have downloaded the update of 28 OCT. 2005. I have run the scan, but there is no detection for this adware. The problem still exists.
    Last edited by Said Bakr; 2005-10-28 at 20:54.
    for ($i = 0; $i != -1; $i++){
    echo "Best Regards";
