Exotic Virus Attack... Again!!!

gsoul2soul (OP)
Well... it's now "officially" making me NUTS !!! x-(

I plug in my iPod... the files appear
I plug in my memory card... the files appear
I plug in my digital camera... the F@#king files appear....

And here are two screenshots of what happens...

File1: this picture shows the "3 files" that appear on every plugged-in USB drive

File2: the iesetup.exe is an archive... and here's what's inside... loads of files, including

dxdlg.exe
wprop.exe
imapd.exe
 

skeletor

Thanks, but that file helped in deleting the file and it was not restored on refresh. But still taskmgr, eventvwr etc. were closing automatically and the funny file was restored on restart.
Should I try running it from a live Windows?

Do you have this file in your System32 folder?

C:\WINDOWS\System32\svvchost.exe

Task Manager used to close automatically on a few computers at my school because of this.
 
gsoul2soul (OP)
Please... HELP !!

I have posted the pictures... the whole content and all!!

And here's what's written in the file "actmon.ini"


***********************************************
[SETTINGS]
FolderLogs=<APP>syswin\
FolderReports=<DOC>Reports\
NameLogs=#<USER>#<PC>#
LE_SendBytes=0
LE_SendLastTime=0
LE_SendNumber=1
FolderLAN=\\Admin-PC\ActMonReports\
FolderLANUser=
FolderLANPwd=
IniVersion=5110713
FirstStart=0
LicenseKey=KPLRU-QMIKC-PUTQ4-JN3ED-JDLNH-VNCD5
Autostart=1
AutostartMode=1
TestURL1=*www.actmonpro.com/index_a.htm
TestURL2=*www.actmon.com/actmonpro/index_a.htm
BannerText=<CR><BR>ALL ACTIVITIES ON THIS SYSTEM ARE MONITORED.
BannerShow=0
BannerFrequency=60
LogWebsites=1
ReportFormat=100
LogKeystrokes=1
LogApplicationPath=1
LogApplication=1
LogChat=1
LogTech=0
LogSTARR=0
LogAol=0
PwdActMonHash=a5HJescXl+qF0VzgEhLOqw==
PwdLogHash=M8zuMd3Q+4EYdR12cIIdNA==
LogDuringWinLogon=1
CreateSupportLog=0
LogBackDate=1
RawLogFileName_Encryption=1
DeleteReportsOnExit=1
SkipEventsShorterThan=2
UseSkipFeature=0
SendReportFormat=100
SendAsZip=0
EmailAssumeAlwaysOnline=0
SendZipPassword=
SendAddNumber=1
SendDeltaKB=500
LogfileMaxsizeMB=20
SendMode=2
EmailUseUserAccount=0
SendEveryXMinutes=15
EmailUnlock=0
SendDelete=1
SendTrigger=1
EmailTo=eneenza@gmail.com
EmailSmtp=
EmailFrom=
EmailPort=25
EmailSubject=Report, No. <COUNTER>, Current User:<USER>
SendFilePrefix=No[<COUNTER>]-
EmailPopName=
EmailPopPwd=
EmailPopHost=
InstallKeyboardMonitor=1
HideProcess=1
DeleteMRUEntriesAfterReboot=1
DeleteMRUEntriesInstantly=0
StartActMonCmdWord=actmon
AskEngineRestart=1
ShowDialogRunWord=1
ScreenCaptureQuality=1
ScreenCaptureMode=2
ScreenCaptureIntervall=300
MonitorScreenCapture=0
LogUserListExclude=1
LogUserList=
DLLMode1=0
KeyboardMonitorMode=1
PmMode=1
RMode1=
RMode4=x
RMode2=405kiv
RMode3=0
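The actmon.ini above is a monitoring-software configuration: the keys say what gets recorded (keystrokes, websites, chat, applications), that the process hides itself and wipes MRU entries, and that reports are emailed out every 15 minutes. As an added example, not code from the thread or from the ActMon product, here is a small Python triage script that parses a [SETTINGS] block of this shape with the standard-library configparser and condenses it into the facts an analyst wants first. The embedded INI is a constructed sample: a trimmed subset of the keys in the post, with the recipient address replaced by a placeholder.

```python
import configparser

# Constructed sample: a trimmed subset of the keys seen in the posted actmon.ini,
# with the report recipient replaced by a placeholder address.
SAMPLE_INI = r"""[SETTINGS]
LogKeystrokes=1
LogWebsites=1
LogChat=1
LogApplication=1
MonitorScreenCapture=0
HideProcess=1
DeleteMRUEntriesAfterReboot=1
DeleteMRUEntriesInstantly=0
RawLogFileName_Encryption=1
SendMode=2
SendEveryXMinutes=15
SendDelete=1
EmailTo=recipient@example.invalid
EmailSmtp=
FolderLAN=\\Admin-PC\ActMonReports\
"""

# Keys whose value "1" means a category of user activity is being recorded.
CAPTURE_KEYS = ("LogKeystrokes", "LogWebsites", "LogChat",
                "LogApplication", "MonitorScreenCapture")


def parse_actmon_ini(text: str) -> dict:
    """Return the [SETTINGS] section as a plain dict, preserving key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep keys like EmailTo as written, not lowercased
    cp.read_string(text)
    return dict(cp["SETTINGS"])


def triage(settings: dict) -> dict:
    """Condense the settings into the facts an analyst wants first."""

    def flag(key: str) -> bool:
        return settings.get(key, "0").strip() == "1"

    return {
        "captures": [k for k in CAPTURE_KEYS if flag(k)],
        "hides_process": flag("HideProcess"),
        "wipes_mru": flag("DeleteMRUEntriesAfterReboot") or flag("DeleteMRUEntriesInstantly"),
        "encrypts_logs": flag("RawLogFileName_Encryption"),
        "deletes_after_send": flag("SendDelete"),
        "email_to": settings.get("EmailTo", "").strip() or None,
        "lan_share": settings.get("FolderLAN", "").strip() or None,
        "send_interval_minutes": int(settings.get("SendEveryXMinutes", "0").strip() or 0),
    }


def report_lines(findings: dict) -> list:
    """Human-readable summary, one finding per line."""
    lines = []
    if findings["captures"]:
        lines.append("Records: " + ", ".join(findings["captures"]))
    if findings["hides_process"]:
        lines.append("Hides its own process from the task list")
    if findings["wipes_mru"]:
        lines.append("Deletes MRU (recently used) entries to cover its tracks")
    if findings["email_to"]:
        lines.append(f"Emails reports to {findings['email_to']} "
                     f"every {findings['send_interval_minutes']} min")
    if findings["lan_share"]:
        lines.append(f"Also drops reports on the share {findings['lan_share']}")
    if findings["deletes_after_send"]:
        lines.append("Deletes local logs after sending")
    return lines


if __name__ == "__main__":
    for line in report_lines(triage(parse_actmon_ini(SAMPLE_INI))):
        print(line)
```

Run it against the real file by replacing SAMPLE_INI with the contents of actmon.ini; the EmailTo and FolderLAN values are the indicators worth blocking at the mail gateway and on the file server, and SendEveryXMinutes tells you how often to expect outbound SMTP from the infected host.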
 
khattam_
I solved it here today:
*forum.mazzako.com/index.php?topic=12960.15

If you'd like to test with the virus, I've uploaded it here:
*rapidshare.com/files/87334967/Vai_Rush.rar.html

And here's the remover script:
*rapidshare.com/files/87337802/kinza.remover.bat.html
 

kpmsivachand
Thanks, but that file helped in deleting the file and it was not restored on refresh. But still taskmgr, eventvwr etc. were closing automatically and the funny file was restored on restart.
Should I try running it from a live Windows?

If you have any Linux live CD it could be better. Boot from Linux and you can delete the virus files... :cool:
 

dadwhiskers
Please... HELP !!

I have posted the pictures... the whole content and all!!

And here's what's written in the file "actmon.ini"


***********************************************

TestURL1=*www.actmonpro.com/index_a.htm
TestURL2=*www.actmon.com/actmonpro/index_a.htm
BannerText=<CR><BR>ALL ACTIVITIES ON THIS SYSTEM ARE MONITORED.
=0

I did a whois on actmonpro.com, and surprise, surprise:

Registry Whois Domain Search:

Domain Name: actmonpro.com

Status: clientDeleteProhibited, clientRenewProhibited, clientTransferProhibited, clientUpdateProhibited

Registrar: GODADDY.COM, INC.
Whois Server: whois.godaddy.com
Referral URL: *registrar.godaddy.com

Expiration Date: 2009-03-31
Creation Date: 2004-01-13
Last Update Date: 2008-01-06

Name Servers:
ns1.theplanet.com
ns2.theplanet.com

Extended Info
IP Address: 69.93.50.238
IP Location: United States
Website Status: active
Cache Date: 2008-03-02 02:20:48 MST


What the ? ? ? ? ? ? ?

However, if you go to the web site you get an error that the host is invalid:

Bad Request (Invalid Hostname)


Also look here:

*www.aboutus.org/ActMon.com (I Googled ActMonPro.com)

I also sent an email to the gmail address in the ActMon.ini file and it didn't bounce.

Is GODADDY creating spyware? Or . . . . Any ideas?
 