Digit Technology Discussion Forum > Software > Software Q&A

Old 24-01-2008, 09:20 PM   2 links from elsewhere to this Post. #1
gsoul2soul (WOW... are you?) | Join Date: Feb 2006 | Location: Kathmandu, Nepal | Posts: 152
Exotic Virus Attack... Again!!!


Just my luck... i guess!!!

This is happening to me... every time i put in my pen-drive

It gets an icon... and inside i can see files like "Autorun", "iesetup.exe", "explorer.exe"

It won't go... so i guess something is inside my computer. And when i checked the task manager there are a couple of instances of "dxdlg.exe" running, with "wscript" also

What shall i do... i have avast... anything else i need to do or install

Help... is it something called "lizard tail?"

help... SOS

Old 24-01-2008, 09:45 PM   #2
ico | Join Date: Jun 2007 | Location: New Delhi | Posts: 8,936
Re: Exotic Virus Attack... Again!!!

It's a virus. Scan your PC with NOD32 3.0 or Kaspersky...........

Old 24-01-2008, 11:29 PM   #3
gsoul2soul (WOW... are you?) | Join Date: Feb 2006 | Location: Kathmandu, Nepal | Posts: 152
Re: Exotic Virus Attack... Again!!!

I do have Avast... but that's not enough?

Old 25-01-2008, 05:01 AM   #4
Krazy_About_Technology (Alpha Geek) | Join Date: Jun 2004 | Location: Noida - India | Posts: 765
Re: Exotic Virus Attack... Again!!!

Nope. Avast is ineffective against many of the flash drive based viruses. NOD 32 is the best antivirus i have seen in my life. It doesn't affect the performance of the system a bit and yet provides complete heuristics based protection against old and new viruses. Its update system is also quite responsive. Try it, it'll solve all your virus problems. Trust me.
__________________
Dell Inspiron 1525 - C2D 2 Ghz, 3GB, 250GB, X3100 :)

Samsung Omnia Pro B7610 with Stock WM 6.1 ROM

Blog: http://www.sumitbhardwaj.co.in/blog

Old 26-01-2008, 12:15 AM   #5
khattam_ (Fresh Stock Since 2005) | Join Date: Feb 2005 | Posts: 1,015
Re: Exotic Virus Attack... Again!!!

Just download HijackThis from http://www.majorgeeks.com/download3155.html and then scan and save a logfile and then post the contents of logfile here.....

Let's see what this virus is doing..
__________________
http://www.khattam.info

Old 26-01-2008, 02:26 PM   #6
gsoul2soul (WOW... are you?) | Join Date: Feb 2006 | Location: Kathmandu, Nepal | Posts: 152
Re: Exotic Virus Attack... Again!!!

okay...then

Thanks "khattam" for that tip!!

Here's the Log from "hijack this"


**********************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:39:03 PM, on 1/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\dxdlg.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Yahoo!\Messenger\Y!Multi Messenger.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Download Manager\IDMan.exe
D:\Temp\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=explorer.exe wproxp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\boot.vbs
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [imapd] "C:\WINDOWS\system32\imapd.exe" -at
O4 - HKUS\S-1-5-19\..\RunOnce: [SSS2006] "C:\Program Files\Steganos Security Suite 2006\SSS2006.exe" -firstboot (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [SSS2006] "C:\Program Files\Steganos Security Suite 2006\SSS2006.exe" -firstboot (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [SSS2006] "C:\Program Files\Steganos Security Suite 2006\SSS2006.exe" -firstboot (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SSS2006] "C:\Program Files\Steganos Security Suite 2006\SSS2006.exe" -firstboot (User 'Default user')
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7EB624E-57C6-460A-B3EC-374E78883389}: NameServer = 202.79.32.33 202.79.32.35
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

--
End of file - 5415 bytes

Old 26-01-2008, 02:40 PM   #7
ico | Join Date: Jun 2007 | Location: New Delhi | Posts: 8,936
Re: Exotic Virus Attack... Again!!!

I guess C:\WINDOWS\system32\dxdlg.exe is creating problems.

Have a look at these links:
http://www.spywareremove.com/removeLizardsTail11.html
http://www.securitystronghold.com/ga...-tail-1.1.html

Old 26-01-2008, 03:24 PM   #8
Batistabomb (Deadman Walking) | Join Date: Feb 2007 | Location: Visakhapatnam | Posts: 879
Re: Exotic Virus Attack... Again!!!

first delete the autorun.inf file from each drive, but these files are visible only when you uncheck all the three items from tools->folder options, i.e. show hidden files and folders and the other two below it
__________________
What looks to be nothing,finally that becomes everything...
and what is everything suddenly that changes to nothing...
Learn to live... &
Live to learn...

Old 26-01-2008, 07:52 PM   #9
The Unknown (Wise Old Owl) | Join Date: Nov 2006 | Location: Pune, Maharashtra, India | Posts: 1,728
Re: Exotic Virus Attack... Again!!!

I know what it is to face malicious things on your pc. That's the reason i moved off to Linux. When I had Windows XP, I had removed about 20 viruses, 40 trojans, 2 adwares & 1 spyware using Avast. I never can forget this incident!
__________________
KDE on ArchLinux
PHP, MySQL, PostgreSQL, Linux, Apache; Message me to hire (freelancing only)
Explore Technology @ http://www.itech7.com
Cheap and Reliable VPS Hosting @ http://j.mp/arHk5e

Old 26-01-2008, 10:58 PM   #10
gsoul2soul (WOW... are you?) | Join Date: Feb 2006 | Location: Kathmandu, Nepal | Posts: 152
Re: Exotic Virus Attack... Again!!!

Thank you guys... but this one is exotic!!

I can't remove dxdlg.exe whatever i do... and one thing !!

whenever i put a pendrive... it will just put 3 files!!

autorun, iesetup.exe and explorer.exe

And the funny thing is... when I scan it with Avast it won't detect it as virus !!
even Nod32 couldn't

I checked all my folder... no autorun or anything!!!

This thing just comes... when i use a usb drive!!

Old 26-01-2008, 11:01 PM   #11
gaurav_indian (CG Artist) | Join Date: May 2006 | Location: New Delhi,India | Posts: 1,462
Re: Exotic Virus Attack... Again!!!

^lol is this hard enough to understand that your pen drive has a virus in it? Even if you remove the virus from your system, inserting your pen drive again will cause problems. Download this software

http://www.comodo.com/boclean/boclean.html

and restart your PC and then it will disable those files. And don't forget to update it.

Old 27-01-2008, 12:47 PM   #12
ico | Join Date: Jun 2007 | Location: New Delhi | Posts: 8,936
Re: Exotic Virus Attack... Again!!!

@gsoul2soul
Do one thing then. Boot from Linux and delete the files from your Pendrive.

Old 27-01-2008, 09:10 PM   #13
khattam_ (Fresh Stock Since 2005) | Join Date: Feb 2005 | Posts: 1,015
Re: Exotic Virus Attack... Again!!!

Quote:
Originally Posted by gsoul2soul View Post
[HijackThis log from post #6, quoted in full in the original post]
The problems are bolded above....

Download Process Explorer from:
www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx

Download Autoruns from:
www.microsoft.com/technet/sysinternals/ProcessesAndThreads/Autoruns.mspx

Run Process Explorer and Kill the Following Processes:
wscript.exe
dxdlg.exe

Run Autoruns and under logon tab, remove
C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\boot.vbs
Search for entries named wproxp and remove it

Remove the following files from your PC:
C:\WINDOWS\system32\dxdlg.exe
wproxp.exe (Most probably in your system32 or windows folder)
C:\WINDOWS\system32\boot.vbs

DO NOT REMOVE wscript. It is a windows application for executing vbs files.

This should do. Please post your HijackThis log file after rebooting.
__________________
http://www.khattam.info
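The triage khattam_ walks through above (F2 Shell/UserInit values that launch something beyond the Windows defaults, O4 entries that start a script host) can be scripted so that the same log format is checked the same way every time. The following is an added example, not code from this thread and not part of HijackThis: it parses the log lines gsoul2soul posted in #6 and flags the entries khattam_ picked out by hand. The Windows XP default values for Shell and UserInit are an assumption, and the embedded sample log is a constructed subset of the posted log.

```python
"""Flag login-path hijacks in a HijackThis v2 log.

Added example: not code from this thread and not part of HijackThis.
It checks the entry types that the log in post #6 shows abused:

  F2  REG:system.ini Shell= / UserInit=  anything beyond the XP defaults
  O4  autostart entries that run a script host, live under the
      Policies\\Explorer\\Run key, or name a bare executable with no path
"""
import re

# Assumed Windows XP SP2 defaults for the two winlogon values.
DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.I)
O4_RE = re.compile(r"^O4 - (.+?): \[([^\]]*)\] (.*)$")


def _f2_extras(key, value):
    """Return the launch commands in a Shell/UserInit value beyond the default."""
    if key.lower() == "shell":
        # Shell= is a space-separated list of programs
        return [p for p in value.split() if p.lower() != DEFAULT_SHELL]
    # UserInit= is a comma-separated list of command lines
    cmds = [c.strip() for c in value.split(",") if c.strip()]
    return [c for c in cmds if c.lower() != DEFAULT_USERINIT]


def triage(log_text):
    """Return a list of (entry_type, name, command) findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = F2_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            findings += [("F2", key, extra) for extra in _f2_extras(key, value)]
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        location, name, command = m.groups()
        low = command.lower()
        if any(host in low for host in SCRIPT_HOSTS):
            findings.append(("O4-scripthost", name, command))
        elif "policies\\explorer\\run" in location.lower():
            findings.append(("O4-policy", name, command))
        elif "\\" not in command and "/" not in command:
            # bare file name: resolved through the PATH, so the log alone
            # cannot tell you which file on disk actually runs
            findings.append(("O4-bare", name, command))
    return findings


# Constructed subset of the log gsoul2soul posted in #6 (paths as in the post).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe wproxp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\boot.vbs
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Policies\Explorer\Run: [imapd] "C:\WINDOWS\system32\imapd.exe" -at
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
"""

if __name__ == "__main__":
    for entry_type, name, command in triage(SAMPLE_LOG):
        print(f"{entry_type:14} {name:12} {command}")
```

Everything this returns is a candidate for the Process Explorer and Autoruns steps above, not proof of infection: the Policies\Explorer\Run location and bare names like CTHELPER.EXE are flagged only because the log alone cannot say which file on disk runs, so the reviewer still confirms each one before removing anything. The Shell= and UserInit= hits are the ones worth acting on first, since those values run at every logon before any antivirus shell extension is loaded.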

Old 27-01-2008, 10:35 PM   #14
dOm1naTOr (Wise Old Owl) | Join Date: Mar 2005 | Location: shhhh!!!!! on a sniper point | Posts: 4,200
Re: Exotic Virus Attack... Again!!!

Anybody knows bout the virus named "FUNNY UST SCANDAL.avi.exe"?
It has got into my PC, nd its in every drive's root.
There are no autorun files like *.ini etc and they just come back if deleted after a refresh. It came via pendrive.
I cant access taskmgr, eventvwr, or most major system utilities nd all AV s/w except AVG will not get installed. The installer vanishes. Same is in safe mode.
And ive a bootable live windows disc which caches files temporarily on HDD, nd using that i deleted all files named the above one from all partitions, but when i boot again it comes back. There are some builtin AV s/w in that disc like NOD32, Kaspersky etc which all failed to detect the virus.

I dun wanna reinstall windows coz ill have to reinstall many games too like Crysis [discs are now at friends place]. SO suggest any idea guys.
Ive another PC which has not yet been infected, thanks my lan card was already broken.
__________________
G1: PII X4 B50 4.0 | TRUE 120*2 | TA790GXB A2+ | 4GB DDR2 GSkill 1200 | Audigy 2 | HD4870 | HEC 550 | MX 518.
G2: AII 240 | M2N 68AM+ | 3GB| 8800GT | Zebby Plat 500
G3: XPS M1530 |
FZ 16.

Old 27-01-2008, 10:52 PM   #15
j1n M@tt (Wise Old Owl) | Join Date: Jun 2007 | Location: Kochi | Posts: 1,119
Re: Exotic Virus Attack... Again!!!

^^ check %systemroot%\system32\

look whether there r any unusual .exe ....or any script files.

..........open up d script file to find out which .exe file in the %systemroot%\ it is calling up with a time delay(like 30msec to regenerate dat virus again).

Quote:
Originally Posted by dOm1naTOr View Post
I dun wanna reinstall windows coz ill have to reinstall many games too like Crysis [discs are now at friends place].

domi.........eeeeee piracy......
__________________
j1n M@tt || "a guy who gets off bed only b'coz of technology..."


Old 27-01-2008, 10:59 PM   3 links from elsewhere to this Post. #16
dOm1naTOr (Wise Old Owl) | Join Date: Mar 2005 | Location: shhhh!!!!! on a sniper point | Posts: 4,200
Re: Exotic Virus Attack... Again!!!

Whenever i open system directories like System32, or drivers, the windows closes automatically nd im not able to open or view any event logs/scripts etc. Everything just quits even in safe mode.
And i cant access those events from the live discs as well.

And bout the discs, if it were pirated then he[friend] ll have easily made copies of it nd returned it.
__________________
G1: PII X4 B50 4.0 | TRUE 120*2 | TA790GXB A2+ | 4GB DDR2 GSkill 1200 | Audigy 2 | HD4870 | HEC 550 | MX 518.
G2: AII 240 | M2N 68AM+ | 3GB| 8800GT | Zebby Plat 500
G3: XPS M1530 |
FZ 16.

Old 27-01-2008, 11:05 PM   #17
j1n M@tt (Wise Old Owl) | Join Date: Jun 2007 | Location: Kochi | Posts: 1,119
Re: Exotic Virus Attack... Again!!!

Quote:
Originally Posted by dOm1naTOr View Post
Whenever i open system directories like SYStem32, or drivers, the windows closes automatically nd im not able to open or view any event logs/scripts etc. Everythin just quits even in safe mode.
And i cant access those events from the live discs as well.
hey buddy, try by Run.. cmd prompt.

Quote:
And bout the discs, if it were pirated then he[friend] ll have easily made copies of it nd returned it.
....v the pirates???
__________________
j1n M@tt || "a guy who gets off bed only b'coz of technology..."

Old 27-01-2008, 11:05 PM   #18
ico | Join Date: Jun 2007 | Location: New Delhi | Posts: 8,936
Re: Exotic Virus Attack... Again!!!

@dOm1naTOr

Download this: http://rs10.rapidshare.com/files/77599047/FixFunny.rar

Old 27-01-2008, 11:29 PM   #19
dOm1naTOr (Wise Old Owl) | Join Date: Mar 2005 | Location: shhhh!!!!! on a sniper point | Posts: 4,200
Re: Exotic Virus Attack... Again!!!

thnx, but that file helped in deleting the file nd was not restored on refresh. But still taskmgr, eventvwr etc were closing automatically nd the funny file was restored on restart.
Shud i try running it from live windows?
__________________
G1: PII X4 B50 4.0 | TRUE 120*2 | TA790GXB A2+ | 4GB DDR2 GSkill 1200 | Audigy 2 | HD4870 | HEC 550 | MX 518.
G2: AII 240 | M2N 68AM+ | 3GB| 8800GT | Zebby Plat 500
G3: XPS M1530 |
FZ 16.

Old 27-01-2008, 11:35 PM   #20
j1n M@tt (Wise Old Owl) | Join Date: Jun 2007 | Location: Kochi | Posts: 1,119
Re: Exotic Virus Attack... Again!!!

^^ after using dat tool try using an anti-virus.....or repair/reinstall ur windows with XP disc.....so it won't remove ur already installed games.....
__________________
j1n M@tt || "a guy who gets off bed only b'coz of technology..."

Old 28-01-2008, 06:57 AM   #21
gsoul2soul (WOW... are you?) | Join Date: Feb 2006 | Location: Kathmandu, Nepal | Posts: 152
Re: Exotic Virus Attack... Again!!!

Well... it's now "officially" making me NUTS !!! x-(

I plug in my iPod... the files appear
I plug in my Memory card... the files appear
I plug in my Digital camera... the F@#king Files appear....

And here's two screen shots of what happens...

File1: this picture shows the "3 files" that come in every USB plugged drive

File2: the iesetup.exe is an archive... and here's what's inside... loads of files including

dxdlg.exe
wprop.exe
imapd.exe
Attached Images
File Type: jpg file1.jpg (8.4 KB, 7 views)
File Type: jpg file2.jpg (18.2 KB, 5 views)
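What gsoul2soul describes (an autorun.inf plus two executables appearing on every removable device, one of them named after a Windows system binary) is the XP-era AutoPlay launch chain: Windows read autorun.inf from the drive root and ran whatever its open= or shell\...\command= keys pointed at. The following is an added example, not code from this thread: it builds a temporary directory standing in for a drive root, with files of the names the thread reports and an invented autorun.inf, then audits it the way a responder would audit a suspect stick from a clean machine. The autorun.inf content and the jpg are constructed; only the three file names follow the thread.

```python
"""Audit a removable-drive root for an autorun.inf launch chain.

Added example: not code from this thread. Parses the autorun.inf keys that
Windows XP AutoPlay and the drive's context menu honoured (open=,
shellexecute=, shell\\...\\command=) and reports what they launch.
"""
import os
import tempfile

# Windows system binary names that have no business sitting in a drive root;
# the thread reports explorer.exe appearing next to autorun.inf.
SYSTEM_NAMES = {"explorer.exe", "svchost.exe", "winlogon.exe",
                "lsass.exe", "services.exe", "csrss.exe"}
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return {key: value} from the [autorun] section, keys lower-cased."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def _program(command):
    """First token of a command line, honouring a quoted path with spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def launch_targets(entries):
    """Programs that AutoPlay or the drive's context menu would run."""
    return [_program(value) for key, value in entries.items()
            if key in LAUNCH_KEYS or key.endswith("\\command")]


def audit_drive_root(root):
    """Report the launch chain and suspicious names found in a drive root."""
    names = {name.lower() for name in os.listdir(root)}
    report = {
        "has_autorun": "autorun.inf" in names,
        "targets": [],
        "missing_targets": [],
        "system_names_in_root": sorted(names & SYSTEM_NAMES),
    }
    if report["has_autorun"]:
        with open(os.path.join(root, "autorun.inf"), errors="replace") as fh:
            report["targets"] = launch_targets(parse_autorun(fh.read()))
        report["missing_targets"] = [
            t for t in report["targets"]
            if os.path.basename(t.replace("\\", "/")).lower() not in names]
    return report


def build_sample_root():
    """Constructed drive root mirroring the thread: autorun.inf, iesetup.exe,
    explorer.exe. The autorun.inf content is invented; only the names follow
    the thread. Returns the temporary directory path."""
    root = tempfile.mkdtemp(prefix="usb_root_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=iesetup.exe\nicon=explorer.exe\n"
                 "shell\\open\\command=explorer.exe\n")
    for name in ("iesetup.exe", "explorer.exe", "holiday_photos.jpg"):
        open(os.path.join(root, name), "wb").close()
    return root


if __name__ == "__main__":
    print(audit_drive_root(build_sample_root()))
```

Against a real stick, pass the mounted drive path to audit_drive_root instead of the temporary directory, ideally from a machine that does not honour autorun.inf at all. That is also the durable fix for the infected host: on XP the NoDriveTypeAutoRun value under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, set to 0xFF, stops AutoPlay from acting on autorun.inf for every drive type, which is what later Windows versions do for USB media by default; cleaning the stick while the PC still runs the chain, as the thread shows, only reinfects it.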

Old 28-01-2008, 03:30 PM   #22
ico | Join Date: Jun 2007 | Location: New Delhi | Posts: 8,936
Re: Exotic Virus Attack... Again!!!

Quote:
Originally Posted by dOm1naTOr View Post
thnx, but that file helped in deleting the file nd was not restored on refresh. But still taskmgr, eventvwr etc were closing automatically nd the funny file was restored on restart.
Shud i try running it from live windows?
Do you have this file in your System32 folder??

C:\WINDOWS\System32\svvchost.exe


Task Manager used to close automatically in a few computers of my school due to this.

Old 28-01-2008, 09:34 PM   #23
gsoul2soul (WOW... are you?) | Join Date: Feb 2006 | Location: Kathmandu, Nepal | Posts: 152
Re: Exotic Virus Attack... Again!!!

Please... HELP !!

I have posted the pictures... the whole content and all!!

And here's what's written in the file "actmon.ini"


***********************************************
[SETTINGS]
FolderLogs=<APP>syswin\
FolderReports=<DOC>Reports\
NameLogs=#<USER>#<PC>#
LE_SendBytes=0
LE_SendLastTime=0
LE_SendNumber=1
FolderLAN=\\Admin-PC\ActMonReports\
FolderLANUser=
FolderLANPwd=
IniVersion=5110713
FirstStart=0
LicenseKey=KPLRU-QMIKC-PUTQ4-JN3ED-JDLNH-VNCD5
Autostart=1
AutostartMode=1
TestURL1=http://www.actmonpro.com/index_a.htm
TestURL2=http://www.actmon.com/actmonpro/index_a.htm
BannerText=<CR><BR>ALL ACTIVITIES ON THIS SYSTEM ARE MONITORED.
BannerShow=0
BannerFrequency=60
LogWebsites=1
ReportFormat=100
LogKeystrokes=1
LogApplicationPath=1
LogApplication=1
LogChat=1
LogTech=0
LogSTARR=0
LogAol=0
PwdActMonHash=a5HJescXl+qF0VzgEhLOqw==
PwdLogHash=M8zuMd3Q+4EYdR12cIIdNA==
LogDuringWinLogon=1
CreateSupportLog=0
LogBackDate=1
RawLogFileName_Encryption=1
DeleteReportsOnExit=1
SkipEventsShorterThan=2
UseSkipFeature=0
SendReportFormat=100
SendAsZip=0
EmailAssumeAlwaysOnline=0
SendZipPassword=
SendAddNumber=1
SendDeltaKB=500
LogfileMaxsizeMB=20
SendMode=2
EmailUseUserAccount=0
SendEveryXMinutes=15
EmailUnlock=0
SendDelete=1
SendTrigger=1
EmailTo=eneenza@gmail.com
EmailSmtp=
EmailFrom=
EmailPort=25
EmailSubject=Report, No. <COUNTER>, Current User:<USER>
SendFilePrefix=No[<COUNTER>]-
EmailPopName=
EmailPopPwd=
EmailPopHost=
InstallKeyboardMonitor=1
HideProcess=1
DeleteMRUEntriesAfterReboot=1
DeleteMRUEntriesInstantly=0
StartActMonCmdWord=actmon
AskEngineRestart=1
ShowDialogRunWord=1
ScreenCaptureQuality=1
ScreenCaptureMode=2
ScreenCaptureIntervall=300
MonitorScreenCapture=0
LogUserListExclude=1
LogUserList=
DLLMode1=0
KeyboardMonitorMode=1
PmMode=1
RMode1=
RMode4=x
RMode2=405kiv
RMode3=0
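The actmon.ini above is the configuration of a commercial activity-monitoring product, and reading it tells a responder more than any scanner verdict: which inputs are captured, how the process hides, and where the reports go. The following is an added example, not code from this thread and not from ActMon: it reads a subset of that file (values copied from the post above) with Python's configparser and summarises the capture, stealth and exfiltration settings, pulling out the host names and e-mail address as indicators to search for in mail and proxy logs. The meaning attached to each flag is taken from its key name only, which is an assumption.

```python
"""Summarise a monitoring-tool configuration found on a host.

Added example: not code from this thread and not from ActMon. It reads
the [SETTINGS] section of an actmon.ini with configparser and reports what
is captured, how the tool hides, and where the reports are sent. The
meaning of each flag is taken from its key name only (an assumption).
"""
import configparser
from urllib.parse import urlparse

CAPTURE_FLAGS = {
    "LogKeystrokes": "keystrokes",
    "InstallKeyboardMonitor": "keyboard hook installed",
    "LogChat": "chat sessions",
    "LogWebsites": "visited websites",
    "LogApplication": "application usage",
    "MonitorScreenCapture": "screen captures",
}
STEALTH_FLAGS = {
    "HideProcess": "process hidden from Task Manager",
    "LogDuringWinLogon": "logging starts at the logon screen",
    "DeleteMRUEntriesAfterReboot": "recent-file traces wiped after reboot",
    "RawLogFileName_Encryption": "log file names encrypted",
    "DeleteReportsOnExit": "reports deleted after use",
}


def _flag_on(section, key):
    """True when the key is present and set to 1."""
    return section.get(key, "0").strip() == "1"


def triage_monitor_ini(text):
    """Return a dict with captures, stealth, exfil and network_iocs."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str          # keep the original key case
    parser.read_string(text)
    s = parser["SETTINGS"]
    # TestURL1/TestURL2 are the hosts the tool reaches out to
    hosts = {urlparse(s[key]).hostname for key in s
             if key.startswith("TestURL") and s[key].strip()}
    return {
        "captures": [d for k, d in CAPTURE_FLAGS.items() if _flag_on(s, k)],
        "stealth": [d for k, d in STEALTH_FLAGS.items() if _flag_on(s, k)],
        "exfil": {
            "email_to": s.get("EmailTo", "").strip(),
            "interval_minutes": int(s.get("SendEveryXMinutes", "0") or 0),
            "lan_share": s.get("FolderLAN", "").strip(),
            "delete_after_send": _flag_on(s, "SendDelete"),
        },
        "network_iocs": sorted(h for h in hosts if h),
    }


# Subset of the actmon.ini gsoul2soul posted in #23, values as posted.
SAMPLE_INI = r"""[SETTINGS]
FolderLAN=\\Admin-PC\ActMonReports\
TestURL1=http://www.actmonpro.com/index_a.htm
TestURL2=http://www.actmon.com/actmonpro/index_a.htm
LogWebsites=1
LogKeystrokes=1
LogApplication=1
LogChat=1
LogDuringWinLogon=1
DeleteReportsOnExit=1
SendEveryXMinutes=15
SendDelete=1
EmailTo=eneenza@gmail.com
EmailPort=25
InstallKeyboardMonitor=1
HideProcess=1
DeleteMRUEntriesAfterReboot=1
ScreenCaptureIntervall=300
MonitorScreenCapture=0
RawLogFileName_Encryption=1
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage_monitor_ini(SAMPLE_INI), indent=2))
```

The same pass works on any INI-style configuration a monitoring tool leaves behind. What it shows for this file is a keylogger that starts at the logon screen, hides its process, and mails a report every 15 minutes, then deletes the local copy; the EmailTo address, the \\Admin-PC share and the two TestURL hosts are the values to search outbound mail and proxy logs for, and they are the same values dadwhiskers starts checking by hand further down the thread.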

Old 28-01-2008, 10:27 PM   #24
khattam_ (Fresh Stock Since 2005) | Join Date: Feb 2005 | Posts: 1,015
Re: Exotic Virus Attack... Again!!!

I solved it here today:
http://forum.mazzako.com/index.php?topic=12960.15

If you'd like to test with the virus, I've uploaded it here:
http://rapidshare.com/files/87334967/Vai_Rush.rar.html

And here's the remover script:
http://rapidshare.com/files/87337802...mover.bat.html
__________________
http://www.khattam.info


Old 28-01-2008, 10:49 PM   #25
kpmsivachand (SivaChand) | Join Date: Dec 2007 | Location: TamilNadu | Posts: 108
Re: Exotic Virus Attack... Again!!!

Quote:
Originally Posted by dOm1naTOr View Post
thnx, but that file helped in deleting the file nd was not restored on refresh. But still taskmgr, eventvwr etc were closing automatically nd the funny file was restored on restart.
Shud i try running it from live windows?
If you have any Linux live CD it could be better. Boot from Linux and you can delete the virus files...
__________________
Always look at what you have left.Never look at what you have lost

Old 05-02-2008, 10:38 AM   #26
ajayritik (Wise Old Owl) | Join Date: Aug 2007 | Location: Hyderabad | Posts: 1,675
Re: Exotic Virus Attack... Again!!!

Thanks for the info!

Old 02-03-2008, 03:14 PM   #27
dadwhiskers (Right Off the Assembly Line) | Join Date: Mar 2008 | Posts: 1
Re: Exotic Virus Attack... Again!!!

Quote:
Originally Posted by gsoul2soul View Post
Please... HELP !!

I have posted the pictures... the whole content and all!!

And here's what written in the file "actmon.ini"


***********************************************

TestURL1=http://www.actmonpro.com/index_a.htm
TestURL2=http://www.actmon.com/actmonpro/index_a.htm
BannerText=<CR><BR>ALL ACTIVITIES ON THIS SYSTEM ARE MONITORED.
BannerShow=0
I did a whois on actmonpro.com, and surprise, surprise:

Registry Whois Domain Search:

Domain Name: actmonpro.com

Status: clientDeleteProhibited, clientRenewProhibited, clientTransferProhibited, clientUpdateProhibited

Registrar: GODADDY.COM, INC.
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com

Expiration Date: 2009-03-31
Creation Date: 2004-01-13
Last Update Date: 2008-01-06

Name Servers:
ns1.theplanet.com
ns2.theplanet.com

Extended Info IP Address: 69.93.50.238
IP Location: United States
Website Status: active
Cache Date: 2008-03-02 02:20:48 MST


What the ? ? ? ? ? ? ?

However, if you go to the web site you get an error that the host is invalid:

Bad Request (Invalid Hostname)


Also look here:

http://www.aboutus.org/ActMon.com (I Googled ActMonPro.com)

I also sent an email to the gmail address in the ActMon.ini file and it didn't bounce.

Is GODADDY creating spyware? Or . . . . Any ideas?

LinkBack to this Thread: http://www.thinkdigit.com/forum/software-q/78956-exotic-virus-attack-again.html
All times are GMT +5.5.