Author Topic: Admilliserv (Hijack I THINK I HAVE SOLVED)  (Read 8368 times)


Megavolt

  • Guest
Admilliserv (Hijack I THINK I HAVE SOLVED)
« on: January 06, 2005, 04:38:03 PM »
My wife's computer, after being infected with Win32:Trojano-803 and Bullseye, kept getting repeat infections.

After removal of "ncase package.exe" and Bullseye, her computer kept going to rogue sites and Trojano etc. returned.

I think I have solved the problem manually, but thought I would share the information as it does not appear to be documented anywhere I searched on the net...



admilliserv Hijack info

In Regedit, delete this control {98264495-6376-443C-9340-2996038BD143} (VaCtrl Class), and delete these files:

C:\WINDOWS\Downloaded Program Files\AdmilliServX.dll

C:\WINDOWS\System32\acledit7.exe

C:\WINDOWS\System32\igmprn.exe

You also need to delete the folder "admilli Service" under Program Files and its contents (use DOS or Safe Mode).
The files are admillikeep.exe and admilliserv.exe.

Code:
--------------------------------------------------
REMOVED FOLLOWING REGISTRY ENTRIES :-
--------------------------------------------------

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c18.cab

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}]
"SystemComponent"=dword:00000000
"Installer"="MSICD"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}\DownloadInformation]
"CODEBASE"="http://static.windupdates.com/cab/CDTInc/ie/bridge-c18.cab"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}\InstalledVersion]
@="0,0,0,1"
"LastModified"="Thu, 23 Dec 2004 17:34:46 GMT"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}\Contains]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}\Contains\Files]
"C:\\WINDOWS\\Downloaded Program Files\\AdmilliServX.dll"=""


[HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}]

[HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}\InprocServer32]
@="C:\\WINDOWS\\DOWNLOADED PROGRAM FILES\\ADMILLISERVX.DLL"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}\Implemented Categories]

[HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]


--------------------------------------------------
ALSO CREATES THE FOLLOWING:-
--------------------------------------------------

R3 - Default URLSearchHook is missing

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~3.DLL
 
O1 - Hosts: 65.125.226.85 www.al4a.com
O1 - Hosts: 65.125.226.82 www.altavista.com
O1 - Hosts: 65.125.226.85 www.amplandmovies.com
O1 - Hosts: 65.125.226.85 www.book-mark.net
O1 - Hosts: 65.125.226.85 www.call-kelly.com
O1 - Hosts: 65.125.226.85 www.easypic.com
O1 - Hosts: 65.125.226.82 www.gg.com
O1 - Hosts: 65.125.226.82 www.gmail.com
O1 - Hosts: 65.125.226.82 www.google.com
O1 - Hosts: 65.125.226.82 www.hotmail.com
O1 - Hosts: 65.125.226.82 www.icq.com
O1 - Hosts: 65.125.226.82 www.infospace.com
O1 - Hosts: 65.125.226.82 www.lycos.com
O1 - Hosts: 65.125.226.82 www.mail.com
O1 - Hosts: 65.125.226.85 www.mature-post.com
O1 - Hosts: 65.125.226.82 www.microsoft.com
O1 - Hosts: 207.68.172.246 www.msn.com
O1 - Hosts: 65.125.226.82 www.norton.com
O1 - Hosts: 65.125.226.85 www.sleazydream.com
O1 - Hosts: 65.125.226.85 www.thehun.com
O1 - Hosts: 65.125.226.85 www.worldsex.com

O1 - Hosts: 65.125.226.85 al4a.com
O1 - Hosts: 65.125.226.82 altavista.com
O1 - Hosts: 65.125.226.85 amplandmovies.com
O1 - Hosts: 65.125.226.85 book-mark.net
O1 - Hosts: 65.125.226.85 call-kelly.com
O1 - Hosts: 65.125.226.85 easypic.com
O1 - Hosts: 65.125.226.82 gg.com
O1 - Hosts: 65.125.226.82 gmail.com
O1 - Hosts: 65.125.226.82 google.com
O1 - Hosts: 65.125.226.82 hotmail.com
O1 - Hosts: 65.125.226.82 icq.com
O1 - Hosts: 65.125.226.82 infospace.com
O1 - Hosts: 65.125.226.82 lycos.com
O1 - Hosts: 65.125.226.82 mail.com
O1 - Hosts: 65.125.226.85 mature-post.com
O1 - Hosts: 65.125.226.82 microsoft.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 65.125.226.82 norton.com
O1 - Hosts: 65.125.226.85 sleazydream.com
O1 - Hosts: 65.125.226.85 thehun.com
O1 - Hosts: 65.125.226.85 worldsex.com

--------------------------------------------------
The above appear to act as DNS poisoning: if you enter the URL for Hotmail you end up at 65.125.226.82.
--------------------------------------------------

I think the problem originated from an ActiveX control on a site she had visited, possibly one of the IP addresses in the list above; but I did not want to risk reinfecting the computer.

Hope this helps someone else.
« Last Edit: January 07, 2005, 08:44:18 PM by Megavolt »
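The hosts-file entries in the log above are what make the browser land on the wrong server, so a quick check for this class of hijack is to read the hosts file and report every hostname that is mapped to anything other than a loopback address. The following script is an added example, not code from the forum post or from HijackThis; the sample hosts lines are constructed to mirror the log, and the Windows path in the comment is the standard location of the file.

```python
"""Scan a hosts file for hijack-style redirections.

Added example (not from the forum post). On Windows the live file is
%SystemRoot%\\System32\\drivers\\etc\\hosts; here a constructed sample
that mirrors the O1 lines in the HijackThis log is scanned instead.
"""
import ipaddress
from collections import defaultdict


def is_benign_address(addr: str) -> bool:
    """Loopback and unspecified addresses are normal in a hosts file."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an IP literal at all: treat as suspicious
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text: str):
    """Yield (address, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:  # one address may carry several hostnames
            yield parts[0], host.lower()


def find_redirections(text: str) -> dict:
    """Map each non-loopback address to the hostnames pointed at it."""
    hits = defaultdict(list)
    for addr, host in parse_hosts(text):
        if not is_benign_address(addr):
            hits[addr].append(host)
    return dict(hits)


# Constructed sample mirroring the hijacked hosts file in the log.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
65.125.226.82   www.google.com google.com
65.125.226.82   www.hotmail.com hotmail.com
65.125.226.82   www.norton.com norton.com
65.125.226.85   www.easypic.com easypic.com
207.68.172.246  www.msn.com msn.com
"""

if __name__ == "__main__":
    for addr, hosts in sorted(find_redirections(SAMPLE_HOSTS).items()):
        print(f"{addr}: {len(hosts)} hostnames -> {', '.join(hosts)}")
```

Grouping by destination address makes the pattern in the log obvious: a handful of IPs collecting dozens of well-known hostnames, which a clean hosts file never shows.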

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Admilliserv (Hijack I THINK I HAVE SOLVED)
« Reply #1 on: January 06, 2005, 04:42:00 PM »
Do you still have the hijackthis log with the infection in it?
If so, please send it to me. hjtbeta@yahoo.com

I can use it for my HJT analyzer.

Megavolt

  • Guest
Re: Admilliserv (Hijack I THINK I HAVE SOLVED)
« Reply #2 on: January 06, 2005, 05:38:39 PM »
:-[ Really sorry, no, I didn't save the log file.
I do still have the "backup" files that HJT makes, though,
which I could zip up and send to you if that
might help?

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Admilliserv (Hijack I THINK I HAVE SOLVED)
« Reply #3 on: January 06, 2005, 05:43:25 PM »
Yes please do so. At least I will have the info on the removed items.

Thanks in advance.

Megavolt

  • Guest
Re: Admilliserv (Hijack I THINK I HAVE SOLVED)
« Reply #4 on: January 06, 2005, 06:29:56 PM »
Have sent them to your e-mail; let me know if I can be any more help :-)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Admilliserv (Hijack I THINK I HAVE SOLVED)
« Reply #5 on: January 07, 2005, 01:04:09 AM »
Quote: "kept getting repeat infections."

To prevent this, disable (and enable it after) System Restore:

Start > Control Panel > System > System restore > Disable
Click Apply
Enable it again
Click Ok

How to disable system restore: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam
The best things in life are free.