# Exotic Virus Attack... Again!!!



## gsoul2soul (Jan 24, 2008)

Just my luck... I guess!!!

This is happening to me... every time I put in my pen drive.

It gets an icon... and inside I can see files like *"Autorun", "iesetup.exe", "explorer.exe"*

It won't go... so I guess something is inside my computer. And when I checked the task manager there are a *couple of instances of "dxdlg.exe"* running, with "wscript" also.

What shall I do... I have Avast... is there anything else I need to do or install?

Help... is it something called "lizard tail"?

help... SOS


----------



## ico (Jan 24, 2008)

It's a virus. Scan your PC with NOD32 3.0 or Kaspersky...........


----------



## gsoul2soul (Jan 24, 2008)

I do have Avast... but that's not enough?


----------



## Krazy_About_Technology (Jan 25, 2008)

Nope. Avast is ineffective against many of the flash drive based viruses. NOD32 is the best antivirus I have seen in my life. It doesn't affect the performance of the system a bit and yet provides complete heuristics-based protection against old and new viruses. Its update system is also quite responsive. Try it, it'll solve all your virus problems. Trust me.


----------



## khattam_ (Jan 26, 2008)

Just download HijackThis from www.majorgeeks.com/download3155.html, then scan, save a logfile and post the contents of the logfile here.....

Let's see what this virus is doing..


----------



## gsoul2soul (Jan 26, 2008)

*Okay... then*

*Thanks "khattam" for that tip!!*

*Here's the log from "HijackThis":*

```
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:39:03 PM, on 1/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\dxdlg.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Yahoo!\Messenger\Y!Multi Messenger.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Download Manager\IDMan.exe
D:\Temp\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
F2 - REG:system.ini: Shell=explorer.exe wproxp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\boot.vbs
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [imapd] "C:\WINDOWS\system32\imapd.exe" -at
O4 - HKUS\S-1-5-19\..\RunOnce: [SSS2006] "C:\Program Files\Steganos Security Suite 2006\SSS2006.exe" -firstboot (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [SSS2006] "C:\Program Files\Steganos Security Suite 2006\SSS2006.exe" -firstboot (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [SSS2006] "C:\Program Files\Steganos Security Suite 2006\SSS2006.exe" -firstboot (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SSS2006] "C:\Program Files\Steganos Security Suite 2006\SSS2006.exe" -firstboot (User 'Default user')
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7EB624E-57C6-460A-B3EC-374E78883389}: NameServer = 202.79.32.33 202.79.32.35
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

--
End of file - 5415 bytes
```


----------



## ico (Jan 26, 2008)

I guess *C:\WINDOWS\system32\dxdlg.exe* is creating problems.

Have a look at these links:
www.spywareremove.com/removeLizardsTail11.html
www.securitystronghold.com/gates/lizards-tail-1.1.html


----------



## Batistabomb (Jan 26, 2008)

First delete the autorun.inf file from each drive, but these files are visible only when you uncheck all three items under Tools -> Folder Options, i.e. show hidden files and folders and the other two below it.


----------



## nileshgr (Jan 26, 2008)

I know what it is to face malicious things on your PC. That's the reason I moved to Linux. When I had Windows XP, I removed about 20 viruses, 40 trojans, 2 adwares & 1 spyware using Avast. I can never forget this incident!


----------



## gsoul2soul (Jan 26, 2008)

Thank you guys... but this one is exotic!!

I can't remove dxdlg.exe whatever I do... and one thing!!

Whenever I put in a pendrive... it just puts 3 files on it!!

autorun, iesetup.exe and explorer.exe

And the funny thing is... when I scan it with Avast it won't detect it as a virus!!
Even NOD32 couldn't.

I checked all my folders... no autorun or anything!!!

This thing just comes... when I use a USB drive!!


----------



## gaurav_indian (Jan 26, 2008)

^lol is it so hard to understand that your pen drive has a virus in it? Even if you remove the virus from your system, inserting your pen drive again will cause problems. Download this software

www.comodo.com/boclean/boclean.html

and restart your PC, and then it will disable those files. And don't forget to update it.


----------



## ico (Jan 27, 2008)

@gsoul2soul
Do one thing then. Boot from Linux and delete the files from your Pendrive.


----------



## khattam_ (Jan 27, 2008)

gsoul2soul said:


> *Okay... then*
> 
> Thanks "khattam" for that tip!!
> 
> ...


The problems are bolded above....

*Download Process Explorer from:*
www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx

*Download Autoruns from:*
www.microsoft.com/technet/sysinternals/ProcessesAndThreads/Autoruns.mspx

*Run Process Explorer and kill the following processes:*
wscript.exe
dxdlg.exe

*Run Autoruns and under the Logon tab, remove:*
C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\boot.vbs
Search for entries named wproxp and remove them.

Remove the following files from your PC:
C:\WINDOWS\system32\dxdlg.exe
wproxp.exe (most probably in your system32 or Windows folder)
C:\WINDOWS\system32\boot.vbs

DO NOT REMOVE wscript. It is a Windows application for executing VBS files.

This should do. Please post your HijackThis log file after rebooting.


----------
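khattam_'s clean-up list above comes straight from two lines of the posted log: the F2 `Shell=` and `UserInit=` values, which on a stock Windows XP machine name only explorer.exe and userinit.exe, and the O4 entry under Policies\Explorer\Run. As an added example (not code from this thread or from HijackThis), the Python below applies exactly that reading to HijackThis-style lines: anything appended to Shell or UserInit is reported, and anything under a Policies\Explorer\Run key is reported, because ordinary software seldom uses that key. The sample lines are copied from the log above; the stock Shell/UserInit values are an assumption about an XP system.

```python
"""Flag persistence hijacks in HijackThis-style log lines (added example;
not from this thread or from HijackThis itself).  It compares the F2
system.ini Shell/UserInit values with their stock Windows XP contents
and reports O4 entries under Policies\\Explorer\\Run.  The sample lines
are copied from the log posted in the thread; the expected stock values
are an assumption about an XP system."""
import re

SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe wproxp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\boot.vbs
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Policies\Explorer\Run: [imapd] "C:\WINDOWS\system32\imapd.exe" -at
"""

# Stock values on Windows XP: Shell is explorer.exe alone, UserInit is
# userinit.exe alone.  Anything appended to either runs at every logon.
EXPECTED_SHELL = {"explorer.exe"}
EXPECTED_USERINIT = {"userinit.exe"}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
O4_RE = re.compile(r"^O4 - (.+?): \[(.+?)\] (.*)$")


def basename(token):
    """Lower-case file name of a path token, quotes and directories stripped."""
    return token.strip().strip('"').rsplit("\\", 1)[-1].lower()


def extra_shell_entries(value):
    """Shell= is space separated; return entries that are not explorer.exe."""
    return [p for p in value.split() if basename(p) not in EXPECTED_SHELL]


def extra_userinit_entries(value):
    """UserInit= is comma separated (with a trailing comma on a stock
    system); each item may carry arguments, so only the first word is
    compared against the expected program name."""
    items = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in items if basename(p.split()[0]) not in EXPECTED_USERINIT]


def triage(log_text):
    """Return one finding string per suspicious line, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = F2_RE.match(line)
        if m:
            key, value = m.groups()
            extra = extra_shell_entries(value) if key == "Shell" else extra_userinit_entries(value)
            if extra:
                findings.append(f"{key} hijack: extra entries {extra}")
            continue
        m = O4_RE.match(line)
        if m and "policies" in m.group(1).lower():
            # Policies\Explorer\Run is seldom used by legitimate software.
            findings.append(f"Policy autorun [{m.group(2)}]: {m.group(3)}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the posted log, this yields the same three items khattam_ lists by hand (wproxp.exe, the wscript.exe/boot.vbs pair, and imapd.exe) and leaves the Avast autostart alone. Note that the script does not judge file names it has never seen, so dxdlg.exe is caught here only indirectly, through the autostart entries that launch it; that is exactly why the autostart locations, not the process list, are the place to look first.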



## dOm1naTOr (Jan 27, 2008)

Anybody know about the virus named "FUNNY UST SCANDAL.avi.exe"?
It has got into my PC, and it's in every drive's root.
There are no autorun files like `*.ini` etc., and they just come back if deleted, after a refresh. It came via pendrive.
I can't access taskmgr, eventvwr, or most major system utilities, and all AV software except AVG will not get installed. The installer vanishes. Same in safe mode.
And I've a bootable live Windows disc which caches files temporarily on the HDD, and using that I deleted all files with the above name from all partitions, but when I boot again it comes back. There is some built-in AV software on that disc like NOD32, Kaspersky etc., which all failed to detect the virus.

I don't wanna reinstall Windows because I'll have to reinstall many games too, like Crysis [discs are now at a friend's place]. So suggest any ideas, guys.
I've another PC which has not yet been infected, thanks to my LAN card already being broken.


----------



## j1n M@tt (Jan 27, 2008)

^^ check %systemroot%\system32\

look whether there are any unusual .exe .... or any script files.

..........open up the script file to find out which .exe file in %systemroot%\ it is calling up with a time delay (like 30 msec, to regenerate that virus again).



dOm1naTOr said:


> I don't wanna reinstall Windows because I'll have to reinstall many games too, like Crysis [discs are now at a friend's place].




domi......... eeeeee piracy......


----------



## dOm1naTOr (Jan 27, 2008)

Whenever I open system directories like System32 or drivers, the window closes automatically and I'm not able to open or view any event logs/scripts etc. Everything just quits, even in safe mode.
And I can't access those events from the live discs as well.

And about the discs, if they were pirated then he [friend] would have easily made copies of them and returned them.


----------



## j1n M@tt (Jan 27, 2008)

dOm1naTOr said:


> Whenever I open system directories like System32 or drivers, the window closes automatically and I'm not able to open or view any event logs/scripts etc. Everything just quits, even in safe mode.
> And I can't access those events from the live discs as well.



hey buddy, try via Run.. cmd prompt.



> And about the discs, if they were pirated then he [friend] would have easily made copies of them and returned them.



....v the pirates???


----------



## ico (Jan 27, 2008)

@dOm1naTOr

Download this: rs10.rapidshare.com/files/77599047/FixFunny.rar


----------



## dOm1naTOr (Jan 27, 2008)

Thanks, but that file helped in deleting the file and it was not restored on refresh. But still taskmgr, eventvwr etc. were closing automatically and the funny file was restored on restart.
Should I try running it from live Windows?


----------



## j1n M@tt (Jan 27, 2008)

^^ after using that tool try using an anti-virus..... or repair/reinstall your Windows with the XP disc..... so it won't remove your already installed games.....


----------



## gsoul2soul (Jan 28, 2008)

Well... it's now "officially" making me NUTS!!! x-(

I plug in my iPod... the files appear
I plug in my memory card... the files appear
I plug in my digital camera... the F@#king files appear....

And here are two screenshots of what happens...

File1: this picture shows the "3 files" that come on every USB drive plugged in

File2: iesetup.exe is an archive... and here's what's inside... loads of files including

dxdlg.exe
wprop.exe
imapd.exe


----------



## ico (Jan 28, 2008)

dOm1naTOr said:


> Thanks, but that file helped in deleting the file and it was not restored on refresh. But still taskmgr, eventvwr etc. were closing automatically and the funny file was restored on restart.
> Should I try running it from live Windows?



Do you have this file in your System32 folder??

`C:\WINDOWS\System32\svvchost.exe`

Task Manager used to close automatically on a few computers at my school due to this.


----------
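ico's svvchost.exe is the classic trick of naming a file one letter away from a core Windows binary, and gsoul2soul's explorer.exe on a pendrive is the other variant: a genuine system name in a directory where it has no business. As an added example (not code from this thread), the Python below checks a list of running image paths for both: a name within one edit of a core XP binary, or a core binary name running from the wrong directory. The paths are taken from the HijackThis log posted earlier, plus two constructed entries (the svvchost.exe lookalike and an explorer.exe on drive E:); the directory table is an assumption about a default XP install.

```python
"""Spot process names that mimic core Windows binaries (added example;
not from this thread).  A running image whose name is one edit away
from a well-known system binary, or a real system binary name running
from the wrong directory, gets flagged.  Paths come from the HijackThis
log in the thread plus two constructed entries: the svvchost.exe ico
mentions and an explorer.exe sitting on a pendrive."""

# Core XP binaries and the directory each legitimately runs from
# (assumption: default %SystemRoot% of C:\WINDOWS).
SYSTEM32 = r"c:\windows\system32"
KNOWN_SYSTEM = {
    "smss.exe": SYSTEM32, "csrss.exe": SYSTEM32, "winlogon.exe": SYSTEM32,
    "services.exe": SYSTEM32, "lsass.exe": SYSTEM32, "svchost.exe": SYSTEM32,
    "spoolsv.exe": SYSTEM32, "wscript.exe": SYSTEM32, "userinit.exe": SYSTEM32,
    "explorer.exe": r"c:\windows",
}

SAMPLE_PROCESSES = [
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\system32\wscript.exe",
    r"C:\WINDOWS\system32\dxdlg.exe",
    r"C:\WINDOWS\System32\svvchost.exe",  # constructed lookalike
    r"E:\explorer.exe",                   # constructed: copy on a pendrive
]


def edit_distance(a, b):
    """Levenshtein distance; inputs are short file names, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name):
    """The system binary a non-system name imitates (distance 1), else None."""
    name = name.lower()
    if name in KNOWN_SYSTEM:
        return None
    for known in sorted(KNOWN_SYSTEM):
        if edit_distance(name, known) == 1:
            return known
    return None


def triage_processes(paths):
    """One finding per suspicious path; ordinary processes produce none."""
    findings = []
    for path in paths:
        directory, _, name = path.rpartition("\\")
        name = name.lower()
        if name in KNOWN_SYSTEM:
            expected = KNOWN_SYSTEM[name]
            if directory.lower() != expected:
                findings.append(f"{path}: {name} running outside {expected}")
        else:
            twin = lookalike_of(name)
            if twin:
                findings.append(f"{path}: name mimics {twin}")
    return findings


if __name__ == "__main__":
    for finding in triage_processes(SAMPLE_PROCESSES):
        print(finding)
```

Both checks are heuristics: an unrelated program can legitimately sit one edit away from a system name, and a real system name elsewhere may just be a backup copy. They also say nothing about dxdlg.exe, which resembles nothing and lives in system32; for that kind of file only the autostart entries that launch it, or a hash lookup, give you a verdict.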



## gsoul2soul (Jan 28, 2008)

*Please... HELP!!*

I have posted the pictures... the whole content and all!!

And here's what's written in the file "actmon.ini":

```ini
[SETTINGS]
FolderLogs=<APP>syswin\
FolderReports=<DOC>Reports\
NameLogs=#<USER>#<PC>#
LE_SendBytes=0
LE_SendLastTime=0
LE_SendNumber=1
FolderLAN=\\Admin-PC\ActMonReports\
FolderLANUser=
FolderLANPwd=
IniVersion=5110713
FirstStart=0
LicenseKey=KPLRU-QMIKC-PUTQ4-JN3ED-JDLNH-VNCD5
Autostart=1
AutostartMode=1
TestURL1=*www.actmonpro.com/index_a.htm
TestURL2=*www.actmon.com/actmonpro/index_a.htm
BannerText=<CR><BR>ALL ACTIVITIES ON THIS SYSTEM ARE MONITORED.
BannerShow=0
BannerFrequency=60
LogWebsites=1
ReportFormat=100
LogKeystrokes=1
LogApplicationPath=1
LogApplication=1
LogChat=1
LogTech=0
LogSTARR=0
LogAol=0
PwdActMonHash=a5HJescXl+qF0VzgEhLOqw==
PwdLogHash=M8zuMd3Q+4EYdR12cIIdNA==
LogDuringWinLogon=1
CreateSupportLog=0
LogBackDate=1
RawLogFileName_Encryption=1
DeleteReportsOnExit=1
SkipEventsShorterThan=2
UseSkipFeature=0
SendReportFormat=100
SendAsZip=0
EmailAssumeAlwaysOnline=0
SendZipPassword=
SendAddNumber=1
SendDeltaKB=500
LogfileMaxsizeMB=20
SendMode=2
EmailUseUserAccount=0
SendEveryXMinutes=15
EmailUnlock=0
SendDelete=1
SendTrigger=1
EmailTo=eneenza@gmail.com
EmailSmtp=
EmailFrom=
EmailPort=25
EmailSubject=Report, No. <COUNTER>, Current User:<USER>
SendFilePrefix=No[<COUNTER>]-
EmailPopName=
EmailPopPwd=
EmailPopHost=
InstallKeyboardMonitor=1
HideProcess=1
DeleteMRUEntriesAfterReboot=1
DeleteMRUEntriesInstantly=0
StartActMonCmdWord=actmon
AskEngineRestart=1
ShowDialogRunWord=1
ScreenCaptureQuality=1
ScreenCaptureMode=2
ScreenCaptureIntervall=300
MonitorScreenCapture=0
LogUserListExclude=1
LogUserList=
DLLMode1=0
KeyboardMonitorMode=1
PmMode=1
RMode1=
RMode4=x
RMode2=405kiv
RMode3=0
```


----------
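The actmon.ini gsoul2soul posted is a monitoring-product configuration, and the interesting questions for a victim are what it records, whether it hides, and where the reports go. As an added example (not code from this thread or from the ActMon product), the Python below reads such a file with the standard configparser and summarises those three things. The key names and values are copied from the post, except that the EmailTo address is replaced with a constructed placeholder and the license key and password hashes are left out; the `<APP>`, `<USER>`, `<COUNTER>` tokens are the product's own placeholders and are kept as found.

```python
"""Summarise what a keylogger-style INI enables and where it sends its
reports (added example; not from this thread or from the ActMon
product).  Keys and values below are copied from the actmon.ini posted
in the thread, except EmailTo, which is a constructed placeholder."""
import configparser

SAMPLE_INI = r"""
[SETTINGS]
FolderLogs=<APP>syswin\
NameLogs=#<USER>#<PC>#
FolderLAN=\\Admin-PC\ActMonReports\
Autostart=1
LogWebsites=1
LogKeystrokes=1
LogApplication=1
LogChat=1
LogDuringWinLogon=1
RawLogFileName_Encryption=1
DeleteReportsOnExit=1
SendMode=2
SendEveryXMinutes=15
SendDelete=1
EmailTo=reports@example.invalid
EmailPort=25
EmailSubject=Report, No. <COUNTER>, Current User:<USER>
InstallKeyboardMonitor=1
HideProcess=1
DeleteMRUEntriesAfterReboot=1
MonitorScreenCapture=0
"""

# Boolean switches worth calling out, with what each one means for the victim.
FLAGS = {
    "LogKeystrokes": "records keystrokes",
    "LogChat": "records chat sessions",
    "LogWebsites": "records visited web sites",
    "LogDuringWinLogon": "keeps logging at the logon screen",
    "InstallKeyboardMonitor": "installs a keyboard hook",
    "HideProcess": "hides its own process",
    "MonitorScreenCapture": "captures the screen",
    "DeleteReportsOnExit": "deletes local reports after sending",
    "DeleteMRUEntriesAfterReboot": "wipes recently-used lists after reboot",
    "RawLogFileName_Encryption": "obscures raw log file names",
}


def triage_actmon(text):
    """Return a dict: autostart, enabled behaviours, send interval, where
    reports go, and where raw logs are kept locally."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the keys' original case so FLAGS matches
    cp.read_string(text)
    s = cp["SETTINGS"]
    enabled = [desc for key, desc in FLAGS.items() if s.get(key, "0").strip() == "1"]
    destinations = {}
    if s.get("EmailTo", "").strip():
        destinations["email"] = s["EmailTo"].strip()
    if s.get("FolderLAN", "").strip():
        destinations["lan_share"] = s["FolderLAN"].strip()
    return {
        "starts_at_boot": s.get("Autostart", "0").strip() == "1",
        "enabled": enabled,
        "send_every_minutes": int(s.get("SendEveryXMinutes", "0").strip() or 0),
        "destinations": destinations,
        "log_folder": s.get("FolderLogs", "").strip(),
    }


if __name__ == "__main__":
    summary = triage_actmon(SAMPLE_INI)
    print("starts at boot:", summary["starts_at_boot"])
    for item in summary["enabled"]:
        print(" -", item)
    print("reports every", summary["send_every_minutes"], "min to", summary["destinations"])
    print("raw logs under", summary["log_folder"])
```

On the posted file this reports keystroke, chat and web logging with the process hidden, reports mailed every 15 minutes and also dropped on a LAN share, and local reports deleted after sending. Two of those settings matter for clean-up: `FolderLogs` tells you where the raw logs sit on the machine (`<APP>` is the product's own install-directory placeholder), and the e-mail address and share name are the evidence of who was receiving the captures, which dadwhiskers follows up on further down the thread.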



## khattam_ (Jan 28, 2008)

I solved it here today:
forum.mazzako.com/index.php?topic=12960.15

If you'd like to test with the virus, I've uploaded it here:
rapidshare.com/files/87334967/Vai_Rush.rar.html

And here's the remover script:
rapidshare.com/files/87337802/kinza.remover.bat.html


----------



## kpmsivachand (Jan 28, 2008)

dOm1naTOr said:


> Thanks, but that file helped in deleting the file and it was not restored on refresh. But still taskmgr, eventvwr etc. were closing automatically and the funny file was restored on restart.
> Should I try running it from live Windows?


 
If you have any Linux live CD it would be better. Boot from Linux and you can delete the virus files...


----------



## ajayritik (Feb 5, 2008)

Thanks for the info!


----------



## dadwhiskers (Mar 2, 2008)

gsoul2soul said:


> *Please... HELP!!*
> 
> I have posted the pictures... the whole content and all!!
> 
> ...



I did a whois on actmonpro.com, and surprise, surprise:

```
Domain Name: actmonpro.com

Status: clientDeleteProhibited, clientRenewProhibited, clientTransferProhibited, clientUpdateProhibited

Registrar: GODADDY.COM, INC.
Whois Server: whois.godaddy.com
Referral URL: registrar.godaddy.com

Expiration Date: 2009-03-31
Creation Date: 2004-01-13
Last Update Date: 2008-01-06

Name Servers:
    ns1.theplanet.com
    ns2.theplanet.com

IP Address: 69.93.50.238
IP Location: United States
Website Status: active
Cache Date: 2008-03-02 02:20:48 MST
```


What the ? ? ? ? ? ? ?

However, if you go to the web site you get an error that the host is invalid:

*Bad Request (Invalid Hostname)*


Also look here:

www.aboutus.org/ActMon.com  (I Googled ActMonPro.com)

I also sent an email to the gmail address in the actmon.ini file and it didn't bounce.

Is GODADDY creating spyware?  Or . . . .   Any ideas?


----------

