What does Admilli Service do?

Admilli Service has the ability to install itself automatically while surfing on the internet with Internet Explorer (even under higher security level).

We were unable to determine its exact activity after installation, but it looks like some sort of sophisticated spyware and should not be on your PC.

Antivirus solutions

We tried to detect and clean the virus with the following antivirus and antispyware solutions, all of which were up to date (on the 26th December 2004), but none of them found anything!

Therefore we came to the conclusion that this program is still unknown to the world and that it behaves differently from common viruses (because none of the heuristic detection mechanisms found anything).

More technical results

Admilli Service is a new spyware program that works at least on the Windows XP/98 operating systems and has the ability to install itself automatically through Internet Explorer (even under higher security restrictions in many versions of it, including 6.0 SP2). It forces Internet Explorer to execute some commands which download, copy and install an unsigned add-on on the system. After this we can see that two new services, called AdmilliServ.exe and AdmilliKeep.exe, are running from the directory C:\Program Files\Admilli Service\. These two programs have the ability to restart each other after one is closed, and therefore it is difficult to close them.

Here are all the things that change on a system after the installation/infection:

New contents in file C:\Windows\setupapi.log:

[2004/12/26 13:50:47 880.74]
#-198 Command line processed: "C:\Program Files\Internet Explorer\iexplore.exe"
#-024 Copying file "C:\DOCUME~1\User\LOCALS~1\Temp\ICD1.tmp\AdmilliServX.dll" to "C:\WINDOWS\Downloaded Program Files\AdmilliServX.dll".
#E361 An unsigned or incorrectly signed file "C:\DOCUME~1\User\LOCALS~1\Temp\ICD1.tmp\AdmilliServX.dll" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.
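The setupapi.log excerpt above is the one trace of the install that a defender can search for on other machines. The following script is an added example (not part of the original write-up): it walks a log in that format, pairs each #E361 unsigned-file event with the process that drove it and the destination it was copied to, and flags installs driven by iexplore.exe. The sample log is constructed from the lines above plus one benign section.

```python
import re

# Constructed excerpt modelled on the setupapi.log lines quoted above, plus one
# benign section so the filter has something to ignore (not a real capture).
SAMPLE_LOG = r"""[2004/12/26 13:50:47 880.74]
#-198 Command line processed: "C:\Program Files\Internet Explorer\iexplore.exe"
#-024 Copying file "C:\DOCUME~1\User\LOCALS~1\Temp\ICD1.tmp\AdmilliServX.dll" to "C:\WINDOWS\Downloaded Program Files\AdmilliServX.dll".
#E361 An unsigned or incorrectly signed file "C:\DOCUME~1\User\LOCALS~1\Temp\ICD1.tmp\AdmilliServX.dll" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.
[2004/12/26 14:05:02 881.10]
#-198 Command line processed: "C:\WINDOWS\system32\rundll32.exe"
#-024 Copying file "C:\WINDOWS\inf\example.inf" to "C:\WINDOWS\inf\oem1.inf".
"""

SECTION_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) [\d.]+\]$")
CMDLINE_RE = re.compile(r'^#-198 Command line processed: "(.+)"$')
COPY_RE = re.compile(r'^#-024 Copying file "(.+?)" to "(.+?)"\.$')
UNSIGNED_RE = re.compile(
    r'^#E361 An unsigned or incorrectly signed file "(.+?)" will be installed \(Policy=(\w+)\)')

def find_unsigned_installs(log_text):
    """One record per #E361 line: when it happened, which process drove the install,
    where the unsigned file came from and where setupapi copied it to."""
    records, section = [], {"time": None, "process": None, "copies": {}}
    for line in log_text.splitlines():
        if m := SECTION_RE.match(line):          # a new log section starts with a timestamp
            section = {"time": m.group(1), "process": None, "copies": {}}
        elif m := CMDLINE_RE.match(line):        # the process whose actions follow
            section["process"] = m.group(1)
        elif m := COPY_RE.match(line):           # remember source -> destination copies
            section["copies"][m.group(1).lower()] = m.group(2)
        elif m := UNSIGNED_RE.match(line):
            src, proc = m.group(1), section["process"] or ""
            records.append({
                "time": section["time"],
                "process": proc,
                "source": src,
                "destination": section["copies"].get(src.lower()),
                "policy": m.group(2),  # "Ignore": the signing policy let it through silently
                "browser_driven": proc.lower().endswith("iexplore.exe"),
            })
    return records

if __name__ == "__main__":
    for r in find_unsigned_installs(SAMPLE_LOG):
        print(f'{r["time"]} {r["process"]} installed unsigned {r["destination"]} '
              f'(policy {r["policy"]})')
```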

A file was added to C:\WINDOWS\Downloaded Program Files\. There is a newly registered control key name and a file that is invisible in Explorer: AdmilliServX.dll (23.040 bytes). The key can be deleted with Explorer, but to remove the file you will need to use the MS-DOS console or another program such as Total Commander.

All installed files are placed into C:\Program Files\Admilli Service\. These are: AdmilliComm.dll (60.928 bytes), AdmilliKeep.exe (17.920 bytes), AdmilliServ.exe (26.112 bytes).

New registry entries:

[HKEY_LOCAL_MACHINE\SOFTWARE\Admilli Service]
"param"="84ff9b0589be58f2fbb4f0b2047978d6d2c681f572f44776ea800a2822cf80fd5393a5536ca9d30e8b03:3732336438643833383439636664333333373836306136353164336534633133:Internet%20Explorer:6.0%20SP2%28SV1%29:winxp:flash"
"track"=dword:00000001
"LastUpdate"=dword:41ceb3bc
"reqcount"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Admilli Service]
"SlowInfoCache"=hex:(binary value omitted)
"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Admilli Service"="C:\\Program Files\\Admilli Service\\AdmilliServ.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Admilli Service]
"UninstallString"="C:\\Program Files\\Admilli Service\\AdmilliServ.exe /Remove"
"DisplayName"="Admilli Service"

As you can see, the program also added itself to the Add or Remove Programs section in Control Panel. Because the malware came in through Internet Explorer, there is still a copy of it in its cache (Temporary Internet Files).
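The exported values above carry more than persistence. The following triage script is an added example (not from the original write-up): it parses the HKEY_LOCAL_MACHINE\SOFTWARE\Admilli Service key as printed above, splits the colon-separated "param" value into its fields and decodes each, and reads the LastUpdate dword. Treating LastUpdate as a Unix timestamp is an assumption, but the decoded time lands within a minute of the setupapi.log entry if the infected host was in UTC+1, and the "param" fields decode to a browser and OS fingerprint.

```python
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed from the registry export quoted above; only the key this example decodes.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Admilli Service]
"param"="84ff9b0589be58f2fbb4f0b2047978d6d2c681f572f44776ea800a2822cf80fd5393a5536ca9d30e8b03:3732336438643833383439636664333333373836306136353164336534633133:Internet%20Explorer:6.0%20SP2%28SV1%29:winxp:flash"
"track"=dword:00000001
"LastUpdate"=dword:41ceb3bc
"reqcount"=dword:00000002
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text):
    """Minimal .reg reader: {key_path: {value_name: int | str}} for dword and string values."""
    keys, current = {}, None
    for line in text.splitlines():
        if m := KEY_RE.match(line):
            current = keys.setdefault(m.group(1), {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            name, dword, string = m.groups()
            current[name] = int(dword, 16) if dword is not None else string
    return keys

def decode_param(value):
    """Split the "param" string on ':' and decode each field."""
    fields = value.split(":")
    return {
        "blob_hex": fields[0],                     # opaque; meaning unknown
        "blob_bytes": len(fields[0]) // 2,
        "id": bytes.fromhex(fields[1]).decode("ascii"),  # hex-encoded ASCII, itself 32 hex chars
        "browser": unquote(fields[2]),             # URL-encoded browser name
        "browser_version": unquote(fields[3]),
        "os": unquote(fields[4]),
        "tag": fields[5],
    }

def decode_last_update(dword):
    """Assumption: the dword is seconds since the Unix epoch (checked against the log time)."""
    return datetime.fromtimestamp(dword, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def triage(text):
    key = parse_reg(text)[r"HKEY_LOCAL_MACHINE\SOFTWARE\Admilli Service"]
    report = decode_param(key["param"])
    report["last_update"] = decode_last_update(key["LastUpdate"])
    report["reqcount"] = key["reqcount"]
    return report

if __name__ == "__main__":
    for k, v in triage(SAMPLE_REG).items():
        print(f"{k}: {v}")
```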

You can also download all the files described above (password: virus) and check them yourself.

Removal instructions (the hard way)

You may try some of the antispyware solutions described above (once they are updated) or follow the instructions below for removing this malware the hard way:

  1. First of all you will somehow need to deactivate the program. You will need to stop the processes named AdmilliServ* and AdmilliKeep, but this is not as easy as it looks.

    • The easiest method (for Windows XP and NT) to effectively close Admilli Service until the next reboot is to press Ctrl+Alt+Del and select the Processes tab. There you just need to end the process tree of the program: right click on AdmilliServ and choose the End Process Tree option. Both AdmilliServ and AdmilliKeep should disappear from the process list, and you may continue with instruction 2.
    • Another simple method is to restart your computer in Safe mode. Once there, none of the suspicious programs are running, so you may continue with instruction 2.
    • A trickier method (for Windows XP and NT) is to press Ctrl+Alt+Del and select the Processes tab. There you need to lower the priority under which both processes run: right click on AdmilliServ and then on AdmilliKeep and set the priority to Low. After that you will somehow need to give your computer some work to do (execute multiple programs really fast) and in the meantime (while your computer is loading all the programs) try to select and end both processes AdmilliServ and AdmilliKeep really fast. If you are lucky and fast enough, you will be able to close both programs, and they won’t reappear until reboot.
  2. It is also a smart idea to disable the System Restore option during this process.

  3. Locate the directory where Admilli Service installed itself and delete it with all the files in it. It can usually be found in C:\Program Files\Admilli Service\. With this action you will delete the following files:

    • AdmilliServ.exe (26.112 bytes) - main spyware program
    • AdmilliKeep.exe (17.920 bytes) - slave program that makes it harder to close the main one
    • AdmilliComm.dll (60.928 bytes) - dynamic link library of unknown purpose
  4. Next you will need to edit your Registry, so open the program called Regedit. This can be done by clicking on the Run option in the Start menu and entering regedit.exe in the text field. Use this program with care, because invalid or deleted entries may crash your computer and leave it in an unbootable state. Now locate the following keys on the left side:

    • Locate HKEY_LOCAL_MACHINE\SOFTWARE\Admilli Service, select it and delete the whole key (right click on it or press Del).
    • Find the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Admilli Service and delete it with all its values (right click on it or press Del).
    • Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, select the value called Admilli Service and delete it (right click on it or press Del).
  5. Open up the Command Prompt (MS-DOS console) or any other program that lets you browse your files except Explorer (for example Total Commander is a good alternative). Locate the directory* C:\WINDOWS\Downloaded Program Files\ and delete the file called AdmilliServX.dll (23.040 bytes).

  6. Locate the same directory again in Explorer and delete the strangely named key associated with AdmilliServX.dll.

  7. Open up the Control Panel and choose Add or Remove Programs. Locate Admilli Service in it and click the uninstall button. A window will pop up and complain that some files are missing, but that’s OK, because we removed them earlier.

  8. At the end you may also empty your Temporary Internet Files cache in Internet Explorer. For this select the Tools menu, then Internet Options, and click the Delete Files button.
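After working through the steps above it is worth confirming that nothing was missed. The following script is an added example (not from the original write-up): it turns the files and registry entries listed in this write-up into a checklist and reports whichever are still present. The three lookup callables are injected so the check can be exercised off-box; on Windows, pass os.path.exists and the two winreg helpers defined below (64-bit registry redirection is not handled here).

```python
import os

# Artifacts named in the write-up; a clean machine has none of them.
ARTIFACT_FILES = [
    r"C:\Program Files\Admilli Service\AdmilliServ.exe",
    r"C:\Program Files\Admilli Service\AdmilliKeep.exe",
    r"C:\Program Files\Admilli Service\AdmilliComm.dll",
    r"C:\WINDOWS\Downloaded Program Files\AdmilliServX.dll",
]
ARTIFACT_KEYS = [  # all under HKEY_LOCAL_MACHINE
    r"SOFTWARE\Admilli Service",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Admilli Service",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Admilli Service",
]
ARTIFACT_VALUES = [(r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Admilli Service")]

def leftovers(file_exists, key_exists, value_exists):
    """Return (kind, path) pairs for every artifact still present.
    The lookups are injected so the checklist itself is platform-independent."""
    found = [("file", p) for p in ARTIFACT_FILES if file_exists(p)]
    found += [("key", k) for k in ARTIFACT_KEYS if key_exists(k)]
    found += [("value", f"{k}\\{v}") for k, v in ARTIFACT_VALUES if value_exists(k, v)]
    return found

def hklm_key_exists(path):
    import winreg  # Windows-only; imported lazily so the module loads elsewhere
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path))
        return True
    except OSError:
        return False

def hklm_value_exists(path, name):
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            winreg.QueryValueEx(key, name)
        return True
    except OSError:
        return False

if __name__ == "__main__":
    remaining = leftovers(os.path.exists, hklm_key_exists, hklm_value_exists)
    for kind, what in remaining or [("ok", "no Admilli Service artifacts found")]:
        print(kind, what)
```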

Now you can relax, because you are spyware-free or at least free from this Admilli Service virus.