adac.exe in c:\WINNT\Fonts


Guest

I'd like to know if this hidden file in c:\WINNT\Fonts is supposed to be
there.

This process in the task manager used from 20 to 80% of the CPU resources.
It's slowing down the PC, it's unbelievable.

I ended the process in the task manager but it always comes back. I even went
to the DOS prompt in the correct directory to try to delete it, but because
it's always running I can't do it.

I ran AdAware and use McAfee and everything looks fine.

Does anyone have an idea?

Thanks
 

David H. Lipman

No, it should not be there!

1) Download the following four items...

McAfee Stinger
http://vil.nai.com/vil/stinger/

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend Pattern File.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download Sysclean.com and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt255.zip

Extract the contents of the ZIP file and place the contents in the same directory as
sysclean.com.

2) Update Adaware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode
5) Using Trend Sysclean, Stinger and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using the three
utilities; Trend Sysclean, Stinger and Adaware
7) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use, suggested 400 ~ 600MB).
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point

You can also try some of the below online scanners.

BitDefender:
http://www.bitdefender.com/scan/license.php

Computer Associates:
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

DialogueScience:
http://www.antivir.ru/english/www_av/

F-Secure:
http://support.f-secure.com/enu/home/ols.shtml

Freedom Online scanner:
http://www.freedom.net/viruscenter/index.html

Kaspersky:
http://www.kaspersky.com/de/scanforvirus

McAfee:
http://www.mcafee.com/myapps/mfs/default.asp

Panda:
http://www.pandasoftware.com/activescan/

RAV:
http://www.ravantivirus.com/scan/

Symantec:
http://security.symantec.com/

Trend:
http://housecall.antivirus.com
http://housecall.trendmicro.com


* * * Please report your results ! * * *

Dave





| I'd like to know if this hidden file in c:\WINNT\Fonts is supposed to be
| there.
|
| This process in the task manager used from 20 to 80% of the CPU resources.
| It's slowing down the PC, it's unbelievable.
|
| I ended the process in the task manager but it always comes back. I even went
| to the DOS prompt in the correct directory to try to delete it, but because
| it's always running I can't do it.
|
| I ran AdAware and use McAfee and everything looks fine.
|
| Does anyone have an idea?
|
| Thanks
 

John Wunderlich

I'd like to know if this hidden file in c:\WINNT\Fonts is
supposed to be there.

This process in the task manager used from 20 to 80% of the CPU
resources. It's slowing down the PC, it's unbelievable.

I ended the process in the task manager but it always comes back. I
even went to the DOS prompt in the correct directory to try to
delete it, but because it's always running I can't do it.

I ran AdAware and use McAfee and everything looks fine.

Does anyone have an idea?

I've seen this one, too. Symantec AV, Adaware, and SpyBot S&D do not
recognize it. File names are random but rarely over 6-7 characters
plus the .exe. File lengths are random, too, although usually in the
range of 700-900 KB. If you delete or rename the file, it comes back.
If you delete the "run" entry in the registry, it comes back. Kill the
process and it comes back. When I examined my system, I found these
hidden .exe files with different filenames everywhere in my WINNT
folder & subfolders (40 or 50 in all). It seems to create hidden
.dat files in your \docume~1\<username>\local settings\temp folder.

This is how I finally figured out how to get rid of it:
1) find the hidden .exe file on your system
2) Right click on it, select "Properties", select the "Security" tab
3) If checked, uncheck the "inherited" box
4) Change privilege on this file such that every user including system
is "Deny All". (If the system can't read it, it can't run it)
5) Now kill the process using task manager. It will try to come back
but it can't because of the permissions in step 4 above.
6) Remove the "run" entries out of the registry. I use "startup
control panel" from http://www.mlin.com, but registry editing will work
as well.
7) Reboot your computer (you should not see this process running after
it comes up)
8) Find the hidden file again, restore permissions, and delete it.
9) Search everywhere in your WinNT folder for clones of this file. Use
the windows search tool and look for files that contain the string
"\CurrentVersion\Run". This will find legitimate files too but might
find some that you missed. Pay particular attention to hidden files.
If other people log into this machine with different user names, they
could reactivate "their version" of this and you will become infected
again.

Good Luck and HTH,
John
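A triage script for John's step 9 (hunting for hidden clones of the file by size and by the "\CurrentVersion\Run" string), written here as an added example; it is not from the thread or any of its tools. The size range and the search string come from John's post; the hidden-attribute bit, the byte-for-KB reading of his sizes and the constructed sample files are assumptions. On Windows it reports the hidden attribute, elsewhere that column is None.

```python
import os
import tempfile

RUN_MARKER = rb"\CurrentVersion\Run"        # string John searches for in step 9
SIZE_MIN, SIZE_MAX = 700 * 1024, 900 * 1024  # size range he reports (assumed as bytes)
FILE_ATTRIBUTE_HIDDEN = 0x2                  # Windows hidden-attribute bit (assumed)

def is_hidden(path):
    """True/False for the Windows hidden attribute, None where unsupported."""
    try:
        return bool(os.stat(path).st_file_attributes & FILE_ATTRIBUTE_HIDDEN)
    except AttributeError:  # st_file_attributes exists only on Windows
        return None

def contains_marker(path, marker=RUN_MARKER, chunk=1 << 20):
    """Stream the file and look for marker, including across chunk edges."""
    tail = b""
    with open(path, "rb") as f:
        while buf := f.read(chunk):
            if marker in tail + buf:
                return True
            tail = buf[-(len(marker) - 1):]
    return False

def scan(root):
    """Return (path, size, hidden, has_marker) for .exe files matching either rule."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".exe"):
                continue
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
                marker = contains_marker(path)
            except OSError:  # locked or unreadable file: skip it
                continue
            if SIZE_MIN <= size <= SIZE_MAX or marker:
                hits.append((path, size, is_hidden(path), marker))
    return sorted(hits)

def demo():
    """Build a constructed sample tree (harmless files, not real malware) and scan it."""
    root = tempfile.mkdtemp()
    pad = b"\0" * (800 * 1024)
    with open(os.path.join(root, "bad.exe"), "wb") as f:    # right size and has the marker
        f.write(pad[:400 * 1024] + RUN_MARKER + pad[400 * 1024:])
    with open(os.path.join(root, "small.exe"), "wb") as f:  # small, no marker: not flagged
        f.write(b"MZ" + b"\0" * 10 * 1024)
    return scan(root)
```

Run it against the real WINNT tree instead of the constructed one by calling scan(r"C:\WINNT"); every hit still needs a manual look, since legitimate files also contain the Run string, exactly as John warns.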
 

Guest

I first did what David suggested, but as John stated, nothing was found, so I
completed all the steps provided by John. I still had some issues getting
the properties of the hidden .exe file, so I used HijackThis to get to the
hidden file, in this case adac.exe; just double-clicking on the file gave me
access to the properties. Then I followed all the remaining steps and
everything is fine now for this....

Thanks for your great help in this frustrating experience....

But now, because of this file, my Ethernet ports are not working anymore; it is
giving me 169.254.143.104 on both ports, as I tried my 2 network ports...

I'll investigate further!!!!

Thanks again
 

John Wunderlich

everything is fine now for this....

Thanks for your great help in this frustrating experience....

But now, because of this file, my Ethernet ports are not working
anymore; it is giving me 169.254.143.104 on both ports, as I tried my 2
network ports...

I'll investigate further!!!!

I'm glad you got rid of it. I won't tell you the things I tried before
I came up with that procedure. I didn't end up with your network
problem, though.

For your network problem, you might try lspfix at:
<http://cexx.org/lspfix.htm>

HTH,
John
 

John Wunderlich

I first did what David suggested, but as John stated, nothing was
found, so I completed all the steps provided by John. I still
had some issues getting the properties of the hidden .exe file, so
I used HijackThis to get to the hidden file, in this case adac.exe;
just double-clicking on the file gave me access to the properties.
Then I followed all the remaining steps and everything is fine now
for this....

Thanks for your great help in this frustrating experience....

But now, because of this file, my Ethernet ports are not working
anymore; it is giving me 169.254.143.104 on both ports, as I tried my 2
network ports...

I'll investigate further!!!!

FWIW, Norton now recognizes this bug as "Trojan.Vundo" and has a
removal tool at:
<http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.removal.tool.html>

HTH,
John
 
