Admillie service

November 6, 2006 on 8:18 pm | In Malware analysis | 2 Comments

Originally posted Jan 13 2005, 10:54 PM

Received from a dear friend. 😎

It gets installed by ActiveX:
O16 – DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} – http://static.windupdates.com/cab/C…e/bridge-c3.cab

Scanned file: AdmilliService.zip
~gram Files/Admilli Service/AdmilliComm.dll – infected by not-a-virus:AdWare.WinAD.k
~gram Files/Admilli Service/AdmilliKeep.exe – infected by not-a-virus:AdWare.WinAD.k
~gram Files/Admilli Service/AdmilliServ.exe – infected by not-a-virus:AdWare.WinAD.k
~/Downloaded Program Files/AdmilliServX.dll – infected by not-a-virus:AdWare.WinAD.j

Removal

Since the two executables protect each other and even run in Safe Mode, they will have to be removed on reboot.

Download and unzip Killbox: http://www.downloads.subratam.org/KillBox.zip
Run Killbox and paste the first of the lines below into the box, select "Delete on reboot", then press the red X button. When it asks whether to reboot now, say no. Paste the next line and repeat the same steps for it. Only after the last line has been pasted and processed, let it reboot.
%SystemDrive%\Program Files\Admilli Service\AdmilliKeep.exe
%SystemDrive%\Program Files\Admilli Service\AdmilliServ.exe
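Why the delete-on-reboot step is needed: while Windows is up, each of the two executables restarts the other, so an ordinary delete (or a kill followed by a delete) never sticks; a deferred delete is carried out by the kernel during the next boot, before either process exists. The following is an added example, not code from the post or from Killbox: it builds and decodes the entries that MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT records in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and, on Windows only and with administrator rights, can queue the two files from the post through that API. That Killbox relies on this same Windows mechanism is an assumption, as is C: as the expansion of %SystemDrive%.

```python
"""Delete-on-reboot: the Windows mechanism behind tools such as Killbox (assumed)."""
import ctypes
import sys

# MoveFileEx flag from winbase.h: perform the operation during the next boot.
MOVEFILE_DELAY_UNTIL_REBOOT = 0x00000004

# The two self-protecting executables named in the post's removal section.
# %SystemDrive% is assumed to expand to C: on the machine being cleaned.
LOCKED_FILES = [
    r"C:\Program Files\Admilli Service\AdmilliKeep.exe",
    r"C:\Program Files\Admilli Service\AdmilliServ.exe",
]


def pending_delete_entries(paths):
    """String list as stored in HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager,
    value PendingFileRenameOperations: (source, destination) pairs, the source as an
    NT path ("\\??\\" prefix) and an empty destination meaning "delete at boot"."""
    entries = []
    for path in paths:
        entries.append("\\??\\" + path)
        entries.append("")
    return entries


def encode_multi_sz(strings):
    """Encode as REG_MULTI_SZ: UTF-16LE, each string NUL-terminated, list NUL-terminated."""
    return ("".join(s + "\x00" for s in strings) + "\x00").encode("utf-16-le")


def decode_multi_sz(data):
    """Inverse of encode_multi_sz, e.g. for a value read from an exported SYSTEM hive."""
    text = data.decode("utf-16-le")
    if not text.endswith("\x00\x00"):
        raise ValueError("REG_MULTI_SZ must end with a double NUL")
    parts = text[:-1].split("\x00")  # drop the list terminator, split on string terminators
    parts.pop()                      # the last string's own terminator leaves an empty tail
    return parts


def pending_operations(strings):
    """Pair the entries up so a responder can see what the next boot will do."""
    return [(strings[i], strings[i + 1] or "<delete>") for i in range(0, len(strings) - 1, 2)]


def schedule_delete_on_reboot(path):
    """Queue `path` for deletion at next boot via MoveFileExW (Windows only, needs admin)."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is only available on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.MoveFileExW.argtypes = (ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32)
    k32.MoveFileExW.restype = ctypes.c_int
    if not k32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())
    return True


if __name__ == "__main__":
    queue = pending_delete_entries(LOCKED_FILES)
    for source, destination in pending_operations(queue):
        print(f"{source} -> {destination}")
    if sys.platform == "win32" and "--apply" in sys.argv:  # only when explicitly requested
        for locked in LOCKED_FILES:
            schedule_delete_on_reboot(locked)
```

Run without arguments it only prints what would be queued; `--apply` on Windows performs the MoveFileExW calls. The same value is worth reading during incident response for the opposite reason: anything an installer has queued there is acted on at boot with no process for a scanner to observe, so an unexpected rename or delete in PendingFileRenameOperations is itself a finding.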

Total Uninstall log

Files and Folders
===============
(FOLDER) C:\WINDOWS\system32
(+)(FILE) ide21201.vxd = 22:22 13-01-05 4720 bytes

Registry
===============
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\AdmilliServX.Installer
(+)(REG VALUE) (Standaard) = ‘AdmilliServX.Installer’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\AdmilliServX.Installer\CLSID
(+)(REG VALUE) (Standaard) = ‘{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}\Implemented Categories
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}\InprocServer32
(+)(REG VALUE) (Standaard) = ‘M:\Manege\blazefind admilli\AdmilliServX.dll’
(+)(REG VALUE) ThreadingModel = ‘Apartment’
(+)(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Admilli Service
(+)(REG VALUE) LastUpdate = 1105651340
(+)(REG VALUE) reqcount = 1
(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(+)(REG VALUE) Admilli Service = ‘M:\Manege\blazefind admilli\AdmilliServ.exe’
(+)(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Admilli Service
(+)(REG VALUE) DisplayName = ‘Admilli Service’
(+)(REG VALUE) UninstallString = ‘M:\Manege\blazefind admilli\AdmilliServ.exe /Remove’
(REGISTRY KEY) HKEY_USERS\S-1-5-21-1947229034-1613120521-1437238077-1008\Software\Microsoft\Windows\ShellNoRoam\MUICache
(+)(REG VALUE) C:\WINDOWS\system32\regsvr32.exe = ‘Microsoft© Register Server’
(+)(REG VALUE) M:\Manege\blazefind admilli\AdmilliKeep.exe = ‘AdmilliKeep’
(+)(REG VALUE) M:\Manege\blazefind admilli\AdmilliServ.exe = ‘AdmilliServ’
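The log above is the security-relevant part of the post. The Run value is how the adware survives a reboot; the CLSID key with its InprocServer32 path is the ActiveX control that the O16 line delivered (same GUID, {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}); the two GUIDs under Implemented Categories are the standard "safe for scripting" and "safe for initializing" component categories a control claims so that Internet Explorer will let a web page create and script it; and the MUICache entries are the shell's record that AdmilliKeep.exe, AdmilliServ.exe and regsvr32.exe were launched. The M:\Manege\blazefind admilli path is the author's analysis folder; on a victim the files sit under %SystemDrive%\Program Files\Admilli Service as in the removal section. As an added example (not code from the post or from Total Uninstall), here is a small parser that turns such a log into findings and a removal checklist. The log text is the post's with the blog's curly quotes straightened; the default-value name "(Standaard)" is the Dutch-locale form of "(Default)", so the parser treats any parenthesised value name as the default value; and the rule that binaries launched from the adware's own folder belong to it is an assumption.

```python
import re

# Total Uninstall log from the post. Total Uninstall writes straight quotes around
# value data; the blog rendered them as curly quotes, so they are straightened here.
TOTAL_UNINSTALL_LOG = r"""
(FOLDER) C:\WINDOWS\system32
(+)(FILE) ide21201.vxd = 22:22 13-01-05 4720 bytes
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\AdmilliServX.Installer
(+)(REG VALUE) (Standaard) = 'AdmilliServX.Installer'
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\AdmilliServX.Installer\CLSID
(+)(REG VALUE) (Standaard) = '{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}'
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}\Implemented Categories
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}\InprocServer32
(+)(REG VALUE) (Standaard) = 'M:\Manege\blazefind admilli\AdmilliServX.dll'
(+)(REG VALUE) ThreadingModel = 'Apartment'
(+)(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Admilli Service
(+)(REG VALUE) LastUpdate = 1105651340
(+)(REG VALUE) reqcount = 1
(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(+)(REG VALUE) Admilli Service = 'M:\Manege\blazefind admilli\AdmilliServ.exe'
(+)(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Admilli Service
(+)(REG VALUE) DisplayName = 'Admilli Service'
(+)(REG VALUE) UninstallString = 'M:\Manege\blazefind admilli\AdmilliServ.exe /Remove'
(REGISTRY KEY) HKEY_USERS\S-1-5-21-1947229034-1613120521-1437238077-1008\Software\Microsoft\Windows\ShellNoRoam\MUICache
(+)(REG VALUE) C:\WINDOWS\system32\regsvr32.exe = 'Microsoft© Register Server'
(+)(REG VALUE) M:\Manege\blazefind admilli\AdmilliKeep.exe = 'AdmilliKeep'
(+)(REG VALUE) M:\Manege\blazefind admilli\AdmilliServ.exe = 'AdmilliServ'
"""

LINE_RE = re.compile(r"^(?P<added>\(\+\))?\((?P<kind>FOLDER|FILE|REGISTRY KEY|REG VALUE)\)\s*(?P<rest>.*)$")
# Component categories an ActiveX control claims so that IE will script/initialize it from a page.
SAFE_CATIDS = {"{7DD95801-9882-11CF-9FA9-00AA006C42C4}": "safe for scripting",
               "{7DD95802-9882-11CF-9FA9-00AA006C42C4}": "safe for initializing"}


def parse_total_uninstall(log):
    """Collect added files (full path), added keys, and added values as (key, name, data)."""
    parsed, folder, key = {"files": [], "keys": [], "values": []}, None, None
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headings, rulers and blank lines
        added, kind, rest = bool(m["added"]), m["kind"], m["rest"].strip()
        if kind == "FOLDER":  # context for the FILE lines that follow
            folder = rest
        elif kind == "FILE" and added:
            parsed["files"].append(folder + "\\" + rest.partition(" = ")[0])
        elif kind == "REGISTRY KEY":  # context for the REG VALUE lines that follow
            key = rest
            if added:
                parsed["keys"].append(key)
        elif kind == "REG VALUE" and added:
            name, _, data = rest.partition(" = ")
            parsed["values"].append((key, name.strip(), data.strip().strip("'‘’")))
    return parsed


def analyse(parsed):
    """Flag autorun persistence, the COM server, execution evidence and ActiveX safety claims."""
    findings = []
    for key, name, data in parsed["values"]:
        k = key.upper()
        if k.endswith(r"\CURRENTVERSION\RUN"):
            findings.append(("autorun", name, data))
        elif k.endswith(r"\INPROCSERVER32") and name.startswith("("):  # localized "(Default)"
            findings.append(("com-server", key.split("\\")[-2], data))
        elif k.endswith(r"\MUICACHE"):  # the shell recorded a launch of this binary
            findings.append(("executed", name, data))
    for key in parsed["keys"]:
        parts = key.split("\\")
        if len(parts) > 3 and parts[-2] == "Implemented Categories" and parts[-1].upper() in SAFE_CATIDS:
            findings.append(("activex-category", parts[-3], SAFE_CATIDS[parts[-1].upper()]))
    return findings


def binary_path(command):
    """Strip arguments such as '/Remove' from a command string, keeping the .exe/.dll path."""
    m = re.match(r'^"?(.+?\.(?:exe|dll))"?', command, re.I)
    return m.group(1) if m else command


def removal_plan(parsed, findings):
    """Top-level keys and stray values to delete, and the binaries to remove at reboot."""
    added = set(parsed["keys"])
    keys = [k for k in parsed["keys"] if k.rsplit("\\", 1)[0] not in added]
    values = [(k, n) for k, n, _ in parsed["values"] if k not in added]
    files, dirs = list(parsed["files"]), set()
    for kind, _, data in findings:
        if kind in ("autorun", "com-server"):
            files.append(binary_path(data))
            dirs.add(files[-1].rsplit("\\", 1)[0].lower())
    # Other binaries launched from the adware's folder belong to it (AdmilliKeep.exe);
    # regsvr32.exe in MUICache is a Windows tool the installer merely used, so it is skipped.
    files += [n for kind, n, _ in findings if kind == "executed" and n.rsplit("\\", 1)[0].lower() in dirs]
    unique = {}
    for f in files:
        unique.setdefault(f.lower(), f)
    return {"files": list(unique.values()), "keys": keys, "values": values}


if __name__ == "__main__":
    parsed = parse_total_uninstall(TOTAL_UNINSTALL_LOG)
    print(*analyse(parsed), *removal_plan(parsed, analyse(parsed)).items(), sep="\n")
```

The plan deliberately lists only the four top-level keys the installer created (the nested CLSID, Implemented Categories and InprocServer32 keys go with their parents) and, separately, the values it dropped into keys that already existed (the Run entry and the MUICache entries), since deleting those parent keys would break Windows. The file list comes out to the .vxd added to system32, the DLL behind the CLSID, and the two executables the post says to remove on reboot.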

2 Comments »


  1. originally posted by Gotcha Mar 12 2005, 01:50 AM

    Hi and thanks for posting your info, however, the information on how to delete Admilli with Killbox is unclear.
    Please try to reword it where it's easier to understand what lines are pasted in what order, etc. I have Admilli service crap on my pc too, and would appreciate you adjusting your post. Did you have attacks on your firewall while Admilli was on your pc? I sure am, and can't get any help with it.
    Thanks and have a good one.

    Comment by metallica — November 6, 2006 #

  2. Originally posted
    Mar 17 2005, 08:55 PM

    Hi Gotcha,

    The two files you have to delete are called:
    AdmilliKeep.exe
    AdmilliServ.exe

    As far as I know they will show up in the same folder. I did notice a lot of outbound traffic blocked by my firewall, nothing coming in, but that could be because I didn't allow it to "phone home".

    Good luck in removing it.

    Regards,

    Pieter

    Comment by metallica — November 6, 2006 #
