Aurora Fix

Jim Byrd

Come on now, you have to know better than that, and you really shouldn't be
spreading that kind of FUD! MSAS may fail to remove some particular VX2
variant - there are quite a number of them - but, if so, it's certainly due
to some technical issue such as lack of an appropriate signature yet, not to
any Machiavellian purpose!
 
plun

Bill Sanderson laid this down on his screen:
This is absolute nonsense, plun. If Microsoft Antispyware is not removing a
given VX2 variant, it isn't due to any legal issues--it's a technical issue.

Hi Bill

Discussion again :)

Aurora came out in late May, so you mean that the MSAS team
cannot handle this "pest"? (Call Andy directly!)

No, I believe it's about EULAs and lawyers, as for Sunbelt (CounterSpy).

http://www.webhelper4u.com/directrevenue/betterinternetcanddletter.html

But that's my opinion again ;) And we never get the answer to this :)
 
plun

Hi

If you have followed this NG you have probably noticed
that Andy tested this day and night.

But to be sure I am going to visit abetterinternet to find out
what is true. It's worth it to blow up one PC. ;)

www.abetterinternet.com
 
Bill Sanderson

I don't know, we could ask some other folks. I've no idea if they can
answer this kind of question at all--I suspect not--but it won't hurt to
ask.

One possible answer would be: "we presently remove a number of members of
this family, and are responding to changes as needed." I'm not sure they
can say that much though, given the general lid on statements about what is
and is not removed.

I think you may be misquoting Andy, too--I believe that some vx2 variants
have been removed by Microsoft antispyware, and I don't think Andy has
denied that.

--
 
plun

Hi

No, this was about the "Aurora fix".

Nothing else and we know the answer to that.

IMHO, but I am going to download "Free Phone" from
abetterinternet and see for myself.
 
Bill Sanderson

Worth trying. I went through a cycle of that stuff a few months back, using
a virtual PC. As I recall Microsoft Antispyware got all of it at that
point. But I didn't see the real Aurora. I have seen that, in person, and
cleaned it manually. It took a good while, but I was able to kill it with
just Norton, Microsoft Antispyware and my own brain and the recovery
console.

--
 
Jean

Yes, I did follow this precisely. And it does not work,
neither with the VX2 cleaner available on the Lavasoft
website, which claims the system is clean and does
nothing, nor with the one referenced in Andy Manchesta's
message, which does detect the VX2 infection but shuts down
Ad-Aware without doing anything either.

I have tried this repeatedly in safe mode on a clean boot
as well, with the same results (or lack, thereof).

For the record, the malicious process that seems to be at
the root of all this is called "tsap.exe".

-----Original Message-----
Hi

Did you follow this precisely?
Hi

This is from the "Readme" within the Zip container for this tool.
(Install instructions are removed.)


Installing VX2 Cleaner 2.0 Beta

1) Before running the VX2 Cleaner, make sure other anti-virus or
anti-spyware applications are closed.
2) If your Ad-Aware is running a scan, stop the scan; however, Ad-Aware
and Ad-Watch windows may remain open.
3) Run the VX2 Cleaner. If your computer has got VX2, a dialog with
text like "New VX2 variant found" or "VX2 variant 1 found" and so on
will appear. If your computer is VX2 free, "System clean" will appear.
4) Press "Clean" and you will get the message "Installed, please reboot and
perform a Smart Scan with Ad-Aware." After saving your work, reboot
your system manually.
5) Repeat this until the VX2 Cleaner reports "System clean", then press
"Close" to exit.
6) Run Ad-Aware one more time and scan your computer to make sure VX2
has been found and removed.

--
plun

Jean explained:
Hello all,

Like many others, I have been infected with this
VX2/Aurora calamity. After quite a few hours spent trying
to remove it on my own, I was happy to find this fix.
Alas, it does not seem to work for me.

I installed Lavasoft's AdAware (the free version,
downloaded from cnet.com) and updated it with the latest
definition files. Then I installed the VX2 cleaner plugin
downloaded from the link posted by Andy in the original
message. When I try to run the tool, it does display a pop-up
telling me a VX2 variant has been detected, but it also
says "to install Ad Aware SE will be shut down". Then if I
click the "Clean" button, Ad Aware is indeed shut down but
nothing else seems to happen. If I restart Ad Aware (with
or without manually rebooting first) and repeat the same
operation, the exact same steps occur. I never get
the "Installed, please reboot and perform a Smart Scan
with Ad-Aware." message.

Am I doing something wrong? Or is the VX2 cleaner add-on
not compatible with the free version?

Thanks in advance for your response.

Since it might help, here is the log I get if I run an Ad
Aware smart scan:


Ad-Aware SE Build 1.06r1
Logfile Created on:Thursday, August 18, 2005 10:05:46 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R62 17.08.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
AdRotator(TAC index:6):1 total references
BargainBuddy(TAC index:8):8 total references
BookedSpace(TAC index:10):1 total references
MRU List(TAC index:0):9 total references
Possible Browser Hijack attempt(TAC index:3):13 total references
SurfSideKickBHO(TAC index:7):2 total references
Tracking Cookie(TAC index:3):15 total references
Windows(TAC index:3):1 total references
VirtualBouncer(TAC index:5):1 total references
VX2(TAC index:10):33 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


8-18-2005 10:05:46 AM - Scan started. (Smart mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 192
ThreadCreationTime : 8-18-2005 2:54:25 PM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 212
ThreadCreationTime : 8-18-2005 2:54:53 PM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINNT\system32\
ProcessID : 264
ThreadCreationTime : 8-18-2005 2:54:55 PM
BasePriority : Normal
FileVersion : 5.00.2195.6700
ProductVersion : 5.00.2195.6700
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : services.exe

#:4 [lsass.exe]
FilePath : C:\WINNT\system32\
ProcessID : 276
ThreadCreationTime : 8-18-2005 2:54:55 PM
BasePriority : Normal
FileVersion : 5.00.2195.6902
ProductVersion : 5.00.2195.6902
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL
(Export Version)
InternalName : lsasrv.dll and lsass.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : lsasrv.dll and lsass.exe

#:5 [scardsvr.exe]
FilePath : C:\WINNT\System32\
ProcessID : 404
ThreadCreationTime : 8-18-2005 2:54:59 PM
BasePriority : Normal
FileVersion : 5.00.2195.6609
ProductVersion : 5.00.2195.6609
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Smart Card Resource Management
Server
InternalName : SCardSvr.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : SCardSvr.exe

#:6 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 504
ThreadCreationTime : 8-18-2005 2:55:01 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32
Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINNT\System32\
ProcessID : 544
ThreadCreationTime : 8-18-2005 2:55:02 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32
Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : svchost.exe

#:8 [spoolsv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 608
ThreadCreationTime : 8-18-2005 2:55:04 PM
BasePriority : Normal
FileVersion : 5.00.2195.6659
ProductVersion : 5.00.2195.6659
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : spoolss.exe

#:9 [ati2evxx.exe]
FilePath : C:\WINNT\System32\
ProcessID : 660
ThreadCreationTime : 8-18-2005 2:55:06 PM
BasePriority : Normal


#:10 [blackd.exe]
FilePath : C:\Program Files\ISS\BlackICE\
ProcessID : 684
ThreadCreationTime : 8-18-2005 2:55:06 PM
BasePriority : Normal
FileVersion : 3.6.52
ProductVersion : 3.6
ProductName : Network ICE Corporation blackd
CompanyName : Internet Security Systems, Inc.
FileDescription : blackd
InternalName : BlackICE Daemon
LegalCopyright : Copyright © 1999-2003, Internet
Security Systems, Inc. All rights reserved worldwide.
LegalTrademarks : BlackICE, Internet Security
Systems, Inc.
OriginalFilename : blackd.exe
Comments : Reverse engineering prohibited by
license agreement

#:11 [cam.exe]
FilePath : C:\PROGRA~1\CA\SHARED~1\CAM\bin\
ProcessID : 700
ThreadCreationTime : 8-18-2005 2:55:07 PM
BasePriority : Normal
FileVersion : 3.11.29.3
ProductVersion : 3.11.29.3
ProductName : Unicenter Message Queuing
CompanyName : Computer Associates
International, Inc.
FileDescription : CA Message Queuing Server
InternalName : cam
LegalCopyright : Copyright © 2002 Computer
Associates International, Inc.
OriginalFilename : cam.exe
Comments : CA Message Queuing Server

#:12 [cisvc.exe]
FilePath : C:\WINNT\system32\
ProcessID : 644
ThreadCreationTime : 8-18-2005 2:55:08 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Content Index service
InternalName : cisvc.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : cisvc.exe

#:13 [cvpnd.exe]
FilePath : C:\Program Files\Cisco Systems\VPN Client\
ProcessID : 712
ThreadCreationTime : 8-18-2005 2:55:17 PM
BasePriority : Normal
FileVersion : 4.0.2 (B)
ProductVersion : 4.0.2 (B)
ProductName : Cisco Systems VPN Client
CompanyName : Cisco Systems, Inc.
FileDescription : Cisco Systems VPN Client
InternalName : cvpnd
LegalCopyright : Copyright © 1998-2003 Cisco
Systems, Inc.
OriginalFilename : CVPND.EXE

#:14 [cvslock.exe]
FilePath : D:\Program Files\cvsnt\
ProcessID : 836
ThreadCreationTime : 8-18-2005 2:55:20 PM
BasePriority : Normal


#:15 [cvsservice.exe]
FilePath : D:\Program Files\cvsnt\
ProcessID : 860
ThreadCreationTime : 8-18-2005 2:55:26 PM
BasePriority : Normal
FileVersion : cvsservice 2.5.01 (Travis) Build
1976
ProductVersion : cvsnt 2.5.01 (Travis) Build 1976
ProductName : cvsnt
CompanyName : March-Hare Software Ltd
FileDescription : cvsnt service
InternalName : cvsservice
LegalCopyright : Copyright (C) 2004, March-Hare
Software Ltd
OriginalFilename : cvsservice.exe
Comments : cvsnt 2.5.01 (Travis) Build 1976,
Copyright (C) 2004, March Hare Software Ltd.
Containts code Copyright (C) 2001, Free Software
Foundation, and others.
Licensed under GNU General Public License version 2.0 or
above.

#:16 [defwatch.exe]
FilePath : C:\Program Files\NavNT\
ProcessID : 884
ThreadCreationTime : 8-18-2005 2:55:26 PM
BasePriority : Normal
FileVersion : 8.00.01.425
ProductVersion : 8.00.01.425
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Virus Definition Daemon
InternalName : DefWatch
LegalCopyright : Copyright © 1998 Symantec
Corporation
OriginalFilename : DefWatch.exe

#:17 [sagent2.exe]
FilePath : C:\Program Files\Common Files\EPSON\EBAPI\
ProcessID : 916
ThreadCreationTime : 8-18-2005 2:55:27 PM
BasePriority : Normal
FileVersion : 1, 0, 0, 0
ProductVersion : 1, 0, 0, 0
ProductName : EPSON Bidirectional Printer
CompanyName : SEIKO EPSON CORPORATION
FileDescription : EPSON Printer Status Agent
InternalName : SAgent2
LegalCopyright : Copyright (C) SEIKO EPSON CORP.
2000
OriginalFilename : SAgent2.exe

#:18 [humdisplayserver.exe]
FilePath : D:\Program Files\Hummingbird\Connectivity\9.00\Exceed\
ProcessID : 956
ThreadCreationTime : 8-18-2005 2:55:28 PM
BasePriority : Normal
FileVersion : 9.0.0.0
ProductVersion : 9.0.0.0
ProductName : Exceed
CompanyName : Hummingbird Ltd.
FileDescription : Display Number Manager Service
for Win32
InternalName : HumDisplayServer
LegalCopyright : Copyright © 2003 Hummingbird Ltd.
All Rights Reserved.
OriginalFilename : HumDisplayServer.exe

#:19 [logwatnt.exe]
FilePath : C:\WINNT\
ProcessID : 972
ThreadCreationTime : 8-18-2005 2:55:29 PM
BasePriority : Normal


#:20 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\
ProcessID : 1012
ThreadCreationTime : 8-18-2005 2:55:29 PM
BasePriority : Normal
FileVersion : 7.00.9466
ProductVersion : 7.00.9466
ProductName : Microsoft® Visual Studio .NET
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : © Microsoft Corporation. All
rights reserved.
OriginalFilename : mdm.exe

#:21 [rtvscan.exe]
FilePath : C:\Program Files\NavNT\
ProcessID : 1100
ThreadCreationTime : 8-18-2005 2:55:31 PM
BasePriority : Normal
FileVersion : 8.00.01.425
ProductVersion : 8.00.01.425
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
LegalCopyright : Copyright (C) Symantec
Corporation 1991-2002

#:22 [nutsrv4.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1120
ThreadCreationTime : 8-18-2005 2:55:33 PM
BasePriority : Normal
FileVersion : 4.64.0000
ProductVersion : 4.64.0000
ProductName : NuTCRACKER 4
CompanyName : DataFocus, Inc.
FileDescription : NuTCRACKER Service
InternalName : nutsrv4
LegalCopyright : Copyright (c) 1993-2004
DataFocus, Inc.
LegalTrademarks : NuTCRACKER is a registered
trademark of DataFocus, Inc.
Comments : Built on Fri Apr 16 16:47:49 EDT
2004

#:23 [regsvc.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1164
ThreadCreationTime : 8-18-2005 2:55:34 PM
BasePriority : Normal
FileVersion : 5.00.2195.6701
ProductVersion : 5.00.2195.6701
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : REGSVC.EXE

#:24 [mstask.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1176
ThreadCreationTime : 8-18-2005 2:55:34 PM
BasePriority : Normal
FileVersion : 4.71.2195.6920
ProductVersion : 4.71.2195.6920
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright (C) Microsoft Corp. 1997
OriginalFilename : mstask.exe

#:25 [sdserv.exe]
FilePath : C:\Program Files\CA\Unicenter Software Delivery\BIN\
ProcessID : 1188
ThreadCreationTime : 8-18-2005 2:55:35 PM
BasePriority : Normal


#:26 [winmgmt.exe]
FilePath : C:\WINNT\System32\WBEM\
ProcessID : 1292
ThreadCreationTime : 8-18-2005 2:55:36 PM
BasePriority : Normal
FileVersion : 1.50.1085.0100
ProductVersion : 1.50.1085.0100
ProductName : Windows Management Instrumentation
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
LegalCopyright : Copyright (C) Microsoft Corp.
1995-1999

#:27 [triggag.exe]
FilePath : C:\Program Files\CA\Unicenter Software Delivery\BIN\
ProcessID : 1320
ThreadCreationTime : 8-18-2005 2:55:38 PM
BasePriority : Normal
FileVersion : 4, 0, 2107, 0
ProductVersion : 4, 0, 2107, 0
ProductName : Unicenter Software Delivery
CompanyName : Computer Associates
International, Inc.
FileDescription : TRIGGAG
InternalName : TRIGGAG
LegalCopyright : Copyright 2003
OriginalFilename : TRIGGAG.exe

#:28 [winvnc.exe]
FilePath : D:\Program Files\TightVNC\
ProcessID : 1328
ThreadCreationTime : 8-18-2005 2:55:41 PM
BasePriority : Normal
FileVersion : 1, 2, 9, 0
ProductVersion : 1, 2, 9, 0
ProductName : TightVNC Win32 Server
CompanyName : Constantin Kaplinsky
FileDescription : TightVNC Win32 Server
InternalName : WinVNC
LegalCopyright : Copyright (C) 1998-2002 [many
holders]
OriginalFilename : WinVNC.exe
Comments : Based on TridiaVNC by Tridia
Corporation

#:29 [wltrysvc.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1352
ThreadCreationTime : 8-18-2005 2:55:42 PM
BasePriority : Normal


#:30 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1368
ThreadCreationTime : 8-18-2005 2:55:42 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32
Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : svchost.exe

#:31 [bcmwltry.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1388
ThreadCreationTime : 8-18-2005 2:55:42 PM
BasePriority : Normal
FileVersion : 3.70.18.0
ProductVersion : 3.70.18.0
ProductName : BCM 802.11g Network Adapter
Wireless Network Tray Applet
CompanyName : Broadcom Corporation
FileDescription : BCM 802.11g Network Adapter
Wireless Network Tray Applet
InternalName : bcmwltry.exe
LegalCopyright : 1998-2004, Broadcom Corporation
All Rights Reserved.
OriginalFilename : bcmwltry.exe

#:32 [smsapm32.exe]
FilePath : C:\WINNT\MS\SMS\clicomp\apa\Bin\
ProcessID : 1564
ThreadCreationTime : 8-18-2005 2:55:55 PM
BasePriority : Normal
FileVersion : 2.00.1493.5147
ProductVersion : 2.00.1493.5147
ProductName : Systems Management Server
CompanyName : Microsoft Corporation
FileDescription : SMS 2.0 Client - Advertised
Programs Manager (Win32)
InternalName : SMSAPM32
LegalCopyright : Copyright (C) Microsoft
Corporation 1994-2003
OriginalFilename : SMSAPM32.EXE

#:33 [explorer.exe]
FilePath : C:\WINNT\
ProcessID : 1896
ThreadCreationTime : 8-18-2005 2:56:11 PM
BasePriority : Normal
FileVersion : 5.00.3700.6690
ProductVersion : 5.00.3700.6690
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : EXPLORER.EXE

#:34 [afdprb.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1948
ThreadCreationTime : 8-18-2005 2:56:16 PM
BasePriority : Normal
FileVersion : 1, 1, 0, 7
ProductVersion : 0, 0, 7, 0

#:35 [atiptaxx.exe]
FilePath : C:\Program Files\ATI Technologies\ATI Control Panel\
ProcessID : 2028
ThreadCreationTime : 8-18-2005 2:56:33 PM
BasePriority : Normal
FileVersion : 6.14.10.4000
ProductVersion : 6.14.10.4000
ProductName : ATI Desktop Component
CompanyName : ATI Technologies, Inc.
FileDescription : ATI Desktop Control Panel
InternalName : Atiptaxx.exe
LegalCopyright : Copyright (C) 1998-2002 ATI
Technologies Inc.
OriginalFilename : Atiptaxx.exe

#:36 [dadapp.exe]
FilePath : C:\Program Files\DELL\AccessDirect\
ProcessID : 2096
ThreadCreationTime : 8-18-2005 2:56:40 PM
BasePriority : Normal


#:37 [carpserv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 2124
ThreadCreationTime : 8-18-2005 2:56:46 PM
BasePriority : Normal
FileVersion : 6.00.09.00
ProductVersion : 6.00.09.00
ProductName : Conexant carpserv
CompanyName : Conexant Systems, Inc.
FileDescription : carpserv
InternalName : carpserv
LegalCopyright : Copyright© Conexant Systems, Inc.
2003
OriginalFilename : carpserv.exe

#:38 [prpcui.exe]
FilePath : C:\WINNT\system32\
ProcessID : 716
ThreadCreationTime : 8-18-2005 2:56:48 PM
BasePriority : Normal
FileVersion : 3.0.0.0
ProductVersion : 3.0.0.0
ProductName : Intel(R) SpeedStep(TM) technology
applet
CompanyName : Intel Corporation
FileDescription : Intel(R) SpeedStep(TM) technology
User Interface
InternalName : prpcui.exe
LegalCopyright : Copyright© Intel Corporation 1998-
2001
LegalTrademarks : Intel(R) SpeedStep(TM) technology
OriginalFilename : prpcui.exe
Comments : Intel SpeedStep technology Applet
v3.0

#:39 [tsap.exe]
FilePath : C:\Program Files\arau\
ProcessID : 2112
ThreadCreationTime : 8-18-2005 2:56:51 PM
BasePriority : Normal


#:40 [apoint.exe]
FilePath : C:\Program Files\Apoint\
ProcessID : 2072
ThreadCreationTime : 8-18-2005 2:56:52 PM
BasePriority : Normal
FileVersion : 5.4.101.118
ProductVersion : 5.4.101.118
ProductName : Alps Pointing-device Driver
CompanyName : Alps Electric Co., Ltd.
FileDescription : Alps Pointing-device Driver
InternalName : Alps Pointing-device Driver
LegalCopyright : Copyright (C) 1999-2003 Alps
Electric Co., Ltd.
OriginalFilename : Apoint.exe

#:41 [createcd50.exe]
FilePath : C:\Program Files\Common Files\Adaptec Shared\CreateCD\
ProcessID : 1924
ThreadCreationTime : 8-18-2005 2:56:57 PM
BasePriority : Normal
FileVersion : 5.3.4.21
ProductVersion : 5.3.4.21
ProductName : Easy CD Creator
CompanyName : Roxio
FileDescription : Roxio Create CD
InternalName : createcd.exe
LegalCopyright : Copyright (c) 1999-2002 Roxio,
Inc.
OriginalFilename : createcd.exe

#:42 [apntex.exe]
FilePath : C:\Program Files\Apoint\
ProcessID : 2012
ThreadCreationTime : 8-18-2005 2:57:06 PM
BasePriority : Normal
FileVersion : 5.0.1.15
ProductVersion : 5.0.1.15
ProductName : Alps Pointing-device Driver for
Windows NT/2000/XP
CompanyName : Alps Electric Co., Ltd.
FileDescription : Alps Pointing-device Driver for
Windows NT/2000/XP
InternalName : Alps Pointing-device Driver for
Windows NT/2000/XP
LegalCopyright : Copyright (C) 1998-2003 Alps
Electric Co., Ltd.
OriginalFilename : ApntEx.exe

#:43 [directcd.exe]
FilePath : C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\
ProcessID : 1940
ThreadCreationTime : 8-18-2005 2:57:07 PM
BasePriority : Normal
FileVersion : 5.3.4.21
ProductVersion : 5.3.4.21
ProductName : DirectCD
CompanyName : Roxio
FileDescription : DirectCD Application
InternalName : DirectCD
LegalCopyright : Copyright (c) 2001,2002, Roxio,
Inc.
OriginalFilename : Directcd.exe

#:44 [vptray.exe]
FilePath : C:\Program Files\NavNT\
ProcessID : 1004
ThreadCreationTime : 8-18-2005 2:57:09 PM
BasePriority : Normal
FileVersion : 8.00.01.425
ProductVersion : 8.00.01.425
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
LegalCopyright : Copyright (C) Symantec
Corporation 1991-2002

#:45 [launch32.exe]
FilePath : C:\WINNT\MS\SMS\CORE\BIN\
ProcessID : 1832
ThreadCreationTime : 8-18-2005 2:57:11 PM
BasePriority : Normal
FileVersion : 2.00.1493.5116
ProductVersion : 2.00.1493.5116
ProductName : Systems Management Server
CompanyName : Microsoft Corporation
FileDescription : Systems Management Server
InternalName : LAUNCH32
LegalCopyright : Copyright (C) Microsoft
Corporation 1994-2003
OriginalFilename : LAUNCH32.EXE

#:46 [ituneshelper.exe]
FilePath : C:\Program Files\iTunes\
ProcessID : 2048
ThreadCreationTime : 8-18-2005 2:57:21 PM
BasePriority : Normal
FileVersion : 4.7.1.30
ProductVersion : 4.7.1.30
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : © 2003-2004 Apple Computer, Inc.
All Rights Reserved.
OriginalFilename : iTunesHelper.exe

#:47 [smsmon32.exe]
FilePath : C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\
ProcessID : 2144
ThreadCreationTime : 8-18-2005 2:57:21 PM
BasePriority : Normal
FileVersion : 2.00.1493.5116
ProductVersion : 2.00.1493.5116
ProductName : Systems Management Server
CompanyName : Microsoft Corporation
FileDescription : SMS 2.0 Client - Advertised
Programs Monitor (Win32)
InternalName : SMSMON32
LegalCopyright : Copyright (C) Microsoft
Corporation 1994-2003
OriginalFilename : SMSMON32.EXE

#:48 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 732
ThreadCreationTime : 8-18-2005 2:57:23 PM
BasePriority : Normal
FileVersion : 6.5.1
ProductVersion : QuickTime 6.5.1
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001- 2004
OriginalFilename : QTTask.exe

#:49 [sxplog32.exe]
FilePath : C:\SxpInst\
ProcessID : 2212
ThreadCreationTime : 8-18-2005 2:57:27 PM
BasePriority : Normal
FileVersion : 6.4/67
ProductVersion : 4.0 Service Pack 1
ProductName : Software Delivery
CompanyName : Computer Associates
International, Inc.
LegalCopyright : © 2003 Computer Associates
International, Inc.
Comments : Common Version Info

#:50 [ipodservice.exe]
FilePath : C:\Program Files\iPod\bin\
ProcessID : 2224
ThreadCreationTime : 8-18-2005 2:57:28 PM
BasePriority : Normal
FileVersion : 4.7.1.30
ProductVersion : 4.7.1.30
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : © 2003-2004 Apple Computer, Inc.
All Rights Reserved.
OriginalFilename : iPodService.exe

#:51 [blackice.exe]
FilePath : C:\Program Files\ISS\BlackICE\
ProcessID : 2320
ThreadCreationTime : 8-18-2005 2:57:48 PM
BasePriority : Normal
FileVersion : 3.6.46
ProductVersion : 3.6
ProductName : Internet Security Systems, Inc.
BlackICE
CompanyName : Internet Security Systems, Inc.
FileDescription : BlackICE MFC Application
InternalName : BlackICE
LegalCopyright : Copyright © 1999-2003, Internet
Security Systems, Inc. All rights reserved worldwide.
LegalTrademarks : BlackICE, Internet Security
Systems, Inc.
OriginalFilename : blackice.exe
Comments : Reverse engineering prohibited by
license agreement

#:52 [cidaemon.exe]
FilePath : C:\WINNT\system32\
ProcessID : 2336
ThreadCreationTime : 8-18-2005 3:02:10 PM
BasePriority : Idle
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Indexing Service filter daemon
InternalName : cidaemon.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : cidaemon.exe

#:53 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 1452
ThreadCreationTime : 8-18-2005 3:05:36 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
AdRotator Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{1cfb8b32-4053-4144-af6f-1540eec7f101}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{8eee58d5-130e-4cbd-9c83-35a0564e1357}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{8eee58d5-130e-4cbd-9c83-35a0564e5678}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c6906a23-4717-4e1f-b6fd-f06ebed11357}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c6906a23-4717-4e1f-b6fd-f06ebed15678}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{4eb7bbe8-2e15-424b-9ddb-2cdb9516c2e3}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{4eb7bbe8-2e15-424b-9ddb-2cdb9516b2c3}

BookedSpace Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{05080e6b-a88a-4cfd-8c3d-9b2557670b6e}

VX2 Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-1412238824-500\software\aurora

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-1412238824-500\software\aurora
Value : AUL3a5stSSChckin

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-1412238824-500\software\aurora
Value : AUL3a5stMotsSDay

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-1412238824-500\software\aurora
Value : AUP3D5om

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-1412238824-500\software\aurora
Value : AUB3D5om

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-1412238824-500\software\aurora
Value : AUs3t5icky1S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-1412238824-500\software\aurora
Value : AUs3t5icky2S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-1412238824-500\software\aurora
Value : AUs3t5icky3S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-1412238824-500\software\aurora
Value : AUs3t5icky4S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-1412238824-500\software\aurora
Value : AUE3v5nt

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-1412238824-500\software\aurora
Value : AUT3h5rshSBath

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-1412238824-500\software\aurora
Value : AUT3h5rshSysSInf

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUT3h5rshSCheckSIn

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUT3h5rshSMots

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUL3n5Title

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AU3N5a7tionSCode

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUD3s5tSSEnd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUC3u5rrentSMode

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUC3n5tFyl

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUM3o5deSSync

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUI3g5noreS

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUC1o3d5eOfSFinalAd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUT3i5m7eOfSFinalAd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUI3d5OfSInst

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUI3n5ProgSCab

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUI3n5ProgSEx

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUI3n5ProgSLstest

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUS3t5atusOfSInst

SurfSideKickBHO Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object :
software\microsoft\windows\currentversion\uninstall\surf
sidekick

SurfSideKickBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object :
software\microsoft\windows\currentversion\uninstall\surf
sidekick
Value : UninstallString

VirtualBouncer Object Recognized!
Type : RegValue
Data : 100
TAC Rating : 5
Category : Malware
Comment : "DistID"
Rootkey : HKEY_LOCAL_MACHINE
Object :
software\microsoft\cryptography\services
Value : DistID

Windows Object Recognized!
Type : RegData
Data : explorer.exe c:\winnt\nail.exe
TAC Rating : 3
Category : Vulnerability
Comment : Shell Possibly Compromised
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows
nt\currentversion\winlogon
Value : Shell
Data : explorer.exe c:\winnt\nail.exe

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 40
Objects found so far: 40


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Possible Browser Hijack attempt :
Software\Microsoft\Internet Explorer\MainSearch
Pagewebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData

Data : "http://websearch.drsnsrch.com/sidesea
rch.cgi?id="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet
Explorer\Main
Value : Search Page

Data : "http://websearch.drsnsrch.com/sidesea
rch.cgi?id="
Possible Browser Hijack attempt :
Software\Microsoft\Internet Explorer\MainSearch
Barwebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData

Data : "http://websearch.drsnsrch.com/sidesea
rch.cgi?id="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet
Explorer\Main
Value : Search Bar

Data : "http://websearch.drsnsrch.com/sidesea
rch.cgi?id="
Possible Browser Hijack attempt :
Software\Microsoft\Internet
Explorer\SearchSearchAssistantwebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData

Data : "http://websearch.drsnsrch.com/sidesea
rch.cgi?id="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet
Explorer\Search
Value : SearchAssistant

Data : "http://websearch.drsnsrch.com/sidesea
rch.cgi?id="
Possible Browser Hijack attempt :
Software\Microsoft\Internet
Explorer\SearchCustomizeSearchwebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData

Data : "http://websearch.drsnsrch.com/sidesea
rch.cgi?id="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet
Explorer\Search
Value : CustomizeSearch

Data : "http://websearch.drsnsrch.com/sidesea
rch.cgi?id="
Possible Browser Hijack attempt : S-1-5-21-1790325321-
210772826-1412238824-500\Software\Microsoft\Internet
Explorer\MainSearch Pagewebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData

Data : "http://websearch.drsnsrch.com/sidesea
rch.cgi?id="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\Software\Microsoft\Internet Explorer\Main
Value : Search Page

Data : "http://websearch.drsnsrch.com/sidesea
rch.cgi?id="
Possible Browser Hijack attempt : S-1-5-21-1790325321-
210772826-1412238824-500\Software\Microsoft\Internet
Explorer\MainSearch Barwebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData

Data : "http://websearch.drsnsrch.com/sidesea
rch.cgi?id="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\Software\Microsoft\Internet Explorer\Main
Value : Search Bar

Data : "http://websearch.drsnsrch.com/sidesea
rch.cgi?id="
Possible Browser Hijack attempt : S-1-5-21-1790325321-
210772826-1412238824-500\Software\Microsoft\Internet
Explorer\SearchURLwebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "websearch.drsnsrch.com/q.cgi? q="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\Software\Microsoft\Internet
Explorer\SearchURL
Value :
Data : "websearch.drsnsrch.com/q.cgi? q="

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-
1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi- 1

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-
1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi- 1
Value : DisplayName

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-
1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi- 1
Value : URLInfoAbout

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-
1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi- 1
Value : Publisher

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-
1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi- 1
Value : HelpLink

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-
1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi- 1
Value : Contact

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 13
Objects found so far: 53


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@tradedoubler [1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value :
Cookie:[email protected]/
Expires : 8-13-2025 12:58:50 AM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@qsrch[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:[email protected]/
Expires : 9-17-2005 8:58:32 AM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : (e-mail address removed) [1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:6
Value :
Cookie:[email protected]/
Expires : 8-18-2006 9:32:18 AM
LastSync : Hits:6
UseCount : 0
Hits : 6

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@pacificpoker [1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value :
Cookie:[email protected]/
Expires : 4-12-2007 1:03:48 AM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@2o7[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:[email protected]/
Expires : 8-17-2010 10:06:38 AM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : (e-mail address removed)
[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value :
Cookie:[email protected]/
Expires : 11-23-2005 6:12:40 PM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@cgi-bin[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value :
Cookie:[email protected]/cgi-bin
Expires : 8-16-2015 9:09:20 AM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : (e-mail address removed)-sys
[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:[email protected]
sys.com/
Expires : 1-1-2038
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : (e-mail address removed) [1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value :
Cookie:[email protected]/
Expires : 8-19-2005 9:05:38 AM
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@weborama[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:[email protected]/
Expires : 8-17-2010 1:22:12 AM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@trafficmp[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:11
Value :
Cookie:[email protected]/
Expires : 8-18-2006 9:46:42 AM
LastSync : Hits:11
UseCount : 0
Hits : 11

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@serving-sys [2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:administrator@serving-
sys.com/
Expires : 1-1-2038
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@overstock[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:15
Value :
Cookie:[email protected]/
Expires : 2-19-2020 9:28:00 AM
LastSync : Hits:15
UseCount : 0
Hits : 15

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@zedo[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:13
Value : Cookie:[email protected]/
Expires : 8-16-2015 9:38:36 AM
LastSync : Hits:13
UseCount : 0
Hits : 13

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@realmedia[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value :
Cookie:[email protected]/
Expires : 12-31-2020 7:00:00 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 15
Objects found so far: 68



Deep scanning and examining files...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Disk Scan Result for C:\WINNT
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 68

Disk Scan Result for C:\WINNT\system32
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 68

Disk Scan Result for C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 68


Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
18 entries scanned.
New critical objects:0
Objects found so far: 68



MRU List Object Recognized!
Location: : C:\Documents and
Settings\Administrator\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: :
software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use
microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-1790325321-210772826-
1412238824-500\software\microsoft\internet explorer
Description : last download directory used in
microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1790325321-210772826-
1412238824-500\software\microsoft\internet
explorer\typedurls
Description : list of recently entered
addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1790325321-210772826-
1412238824-500\software\microsoft\microsoft management
console\recent file list
Description : list of recent snap-ins used in
the microsoft management console


MRU List Object Recognized!
Location: : S-1-5-21-1790325321-210772826-
1412238824-500
\software\microsoft\windows\currentversion\explorer\comdlg3
2\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-1790325321-210772826-
1412238824-500
\software\microsoft\windows\currentversion\explorer\comdlg3
2\opensavemru
Description : list of recently saved files,
stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-1790325321-210772826-
1412238824-500
\software\microsoft\windows\currentversion\explorer\recentd
ocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-1790325321-210772826-
1412238824-500
\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in
start | run



Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
BargainBuddy Object Recognized!
Type : RegData
Data : no
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet
explorer\main
Value : Use Search Asst
Data : no

BargainBuddy Object Recognized!
Type : File
Data : bbchk.exe
TAC Rating : 8
Category : Malware
Comment :
Object : C:\WINNT\system32\
FileVersion : 5.101.1663.1
ProductVersion : 5.101.1663.1
ProductName : Microsoft(R) Windows NT(R)
Operating System
CompanyName : Microsoft Corporation
FileDescription : ECM ChkTrust
InternalName : CHKTRUST.EXE
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1997
OriginalFilename : CHKTRUST.EXE


VX2 Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\controlset001
\control\print\monitors\zepmon

VX2 Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object :
system\currentcontrolset\control\print\monitors\zepmon

VX2 Object Recognized!
Type : RegData
Data : explorer.exe c:\winnt\nail.exe
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows
nt\currentversion\winlogon
Value : Shell
Data : explorer.exe c:\winnt\nail.exe

VX2 Object Recognized!
Type : File
Data : vx2cleaner.dlx
TAC Rating : 10
Category : Malware
Comment : This file is placed by the VX2
Cleaner Plugin. Selecting this item for removal is for
the sole purpose of keeping the system tidy (the file is
no longer required in your Windows folder). Removing this
file does not impact the plugin.
Object : C:\WINNT\



VX2 Object Recognized!
Type : File
Data : abiuninst.htm
TAC Rating : 10
Category : Malware
Comment :
Object : C:\WINNT\



Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 7
Objects found so far: 84

10:07:30 AM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:01:43.589
Objects scanned:56313
Objects identified:75
Objects ignored:0
New critical objects:75


.
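A small triage script for the Ad-Aware SE log format pasted above, added here as an example (it is not code from the thread's posters or from Lavasoft): it parses the "Object Recognized!" records and flags the entries a defender would act on first, in particular the Winlogon Shell value that the log shows launching c:\winnt\nail.exe alongside explorer.exe. The three-record sample inside the script is constructed to mirror the log's layout.

```python
"""Triage helper for Ad-Aware SE scan logs (constructed example; not code
from the thread's posters or from Lavasoft). It parses the "<Family> Object
Recognized!" records that make up the log above and reports what a defender
should act on first: high-TAC malware records and a Winlogon Shell value that
launches anything besides explorer.exe."""
import re

# Constructed sample mirroring the pasted log's layout (not a real scan).
SAMPLE_LOG = """\
VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-1412238824-500\\software\\aurora
Value : AUL3a5stMotsSDay

Windows Object Recognized!
Type : RegData
Data : explorer.exe c:\\winnt\\nail.exe
TAC Rating : 3
Category : Vulnerability
Comment : Shell Possibly Compromised
Rootkey : HKEY_LOCAL_MACHINE
Object : software\\microsoft\\windows nt\\currentversion\\winlogon
Value : Shell

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@zedo[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:13
Value : Cookie:administrator@zedo.com/
Hits : 13
"""

HEADER = re.compile(r"^(?P<family>.+?) Object Recognized!$")
# Values may contain ':' themselves (cookie names, drive letters), so only
# the first ':' after a word-ish key separates key from value.
FIELD = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<value>.*)$")
WINLOGON = "windows nt\\currentversion\\winlogon"


def parse_log(text: str) -> list[dict]:
    """Return one dict per record: {'family': ..., '<Key>': '<value>', ...}.
    Lines outside a record (banners, summaries) are ignored."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = {"family": m.group("family")}
            records.append(current)
        elif current is not None and (f := FIELD.match(line)):
            # MRU entries are written "Location: : ...", hence the lstrip.
            current[f.group("key").strip()] = f.group("value").lstrip(": ").strip()
    return records


def tac(rec: dict) -> int:
    """Ad-Aware's TAC rating as an int, 0 when missing or garbled."""
    try:
        return int(rec.get("TAC Rating", "0"))
    except ValueError:
        return 0


def shell_hijacked(rec: dict) -> bool:
    """True when ...\\Winlogon\\Shell runs anything besides explorer.exe.
    The log above shows 'explorer.exe c:\\winnt\\nail.exe': the extra program
    is relaunched at every logon, which is why the scan flags it."""
    return (rec.get("Object", "").lower().endswith(WINLOGON)
            and rec.get("Value", "").lower() == "shell"
            and rec.get("Data", "").lower().split() != ["explorer.exe"])


def triage(records: list[dict], tac_threshold: int = 8) -> list[tuple[str, str, str]]:
    """(reason, family, detail) for every record that needs attention."""
    findings = []
    for rec in records:
        if shell_hijacked(rec):
            findings.append(("winlogon-shell", rec["family"], rec.get("Data", "")))
        elif tac(rec) >= tac_threshold:
            key = rec.get("Object", "") + "\\" + rec.get("Value", "")
            findings.append(("high-tac", rec["family"], key))
    return findings


if __name__ == "__main__":
    for reason, family, detail in triage(parse_log(SAMPLE_LOG)):
        print(f"{reason:15} {family:16} {detail}")
```

Feeding a full log through `parse_log` gives the same per-family records the log's own "References detected" summary counts, so the triage list can be compared against the scanner's totals.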
 
J

Jean

Tried this too, to no avail. MS AntiSpyware Beta does not
detect "my" variant of the vx2. It only detects and cleans
all the "byproducts".

Note: the infection seems to be getting worse, since now a
number of applications can't run any longer from the
standard boot (notepad, regsrv32, msconfig, AdAware all
crash systematically, internet explorer only
intermittently). Some of the spyware applications also
crash.

If anybody can provide any insight...that'd be greatly
appreciated. And it would save me the trouble of backing
up and reinstalling the whole system.
-----Original Message-----
Hi - MS AntiSpyware Beta is capable of removing a number of the VX2
variants. Run it _twice_ in Safe mode or from a Clean Boot.
us;904677&sd=rss&spid=2073

1. Run Windows AntiSpyware (Beta) to remove the VX2 program variants
that are detected.
2. Register the Initpki.dll file. To do this, click Start, click Run,
type regsvr32 initpki.dll, and then click OK.




From my Blog, Defending Your Machine, addy in Signature below:

#########IMPORTANT#########

Show hidden files and run all of the following removal tools from Safe mode
or a "Clean Boot" when possible, logged on as an Administrator. BEFORE
running these tools, be sure to clear all Temp files and your Temporary
Internet Files (TIF)(including offline content.) Reboot and test if the
malware is fixed after using each tool.

HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339

Clean Boot - General Win2k/XP procedure, but see below for links for other
OS's (This for Win2k w/msconfig - you can obtain msconfig for Win2k here:
http://www.3feetunder.com/files/win2K_msconfig_setup.exe ) :

1. Start | Run, enter msconfig.

2. On the General tab, click Selective Startup, and then clear the 'Process
System.ini File', 'Process Win.ini File', and 'Load Startup Items' check
boxes. Leave the 'boot.ini' boxes however they are currently set.

3. In the Services tab, check the "Hide All Microsoft Services" checkbox,
and then click the "Disable All" button. If you use a third party firewall
then re-check (enable) it. For example, if you use Zone Alarm, re-check the
True Vector Internet Monitor service (and you may also want to re-check
(enable) the zlclient on the Startup tab.) Equivalent services exist for
other third party firewalls. An alternative to this for XP users is to
enable at this time the XP native firewall (Internet Connection Firewall -
ICF). Be sure to turn it back off when you re-enable your non-MS services
and Startup tab programs and restore your normal msconfig configuration
after cleaning your machine.

4. Click OK and then reboot.

For additional information about how to clean boot your operating system,
click the following article links to view the articles in the Microsoft
Knowledge Base:

310353 How to Perform a Clean Boot in Windows XP
http://support.microsoft.com/kb/310353
281770 How to Perform Clean-Boot Troubleshooting for Windows 2000
http://support.microsoft.com/kb/281770/EN-US/
267288 How to Perform a Clean Boot in Windows Millennium Edition
http://support.microsoft.com/kb/267288/EN-US/
192926 How to Perform Clean-Boot Troubleshooting for Windows 98
http://support.microsoft.com/kb/192926/EN-US/
243039 How to Perform a Clean Boot in Windows 95
http://support.microsoft.com/kb/243039/EN-US/
#########IMPORTANT#########

--
Regards, Jim Byrd, MS-MVP
My Blog, Defending Your Machine, here:
http://defendingyourmachine.blogspot.com/

No, I haven't. I will do that tonight. In the meantime,
any other suggestion?
-----Original Message-----
Did you try restarting in Safe mode and doing it there?

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com/security/protect/


Hello all,

Like many others, I have been infected with this
VX2/Aurora calamity. After quite a few hours spent trying
to remove it on my own, I was happy to find this fix.
Alas, it does not seem to work for me.

I installed Lavasoft's AdAware (the free version,
downloaded from cnet.com) and updated it with the latest
definition files. Then I installed the VX2 cleaner plugin
downloaded from the link posted by Andy in the original
message. When I try to run the tool, it does display a pop
up telling me a VX2 variant has been detected, but it also
says "to install Ad Aware SE will be shut down". Then if I
click the "Clean" button, Ad Aware is indeed shut down but
nothing else seems to happen. If I restart Ad Aware (with
or without manually rebooting first) and repeat the same
operation, the exact same steps occur. I never get
the "Installed, please reboot and perform a Smart Scan
with Ad-Aware." message.

Am I doing something wrong? Or is the VX2 cleaner add-on
not compatible with the free version?

Thanks in advance for your response.

Since it might help, here is the log I get if I run an Ad
Aware smart scan:


Ad-Aware SE Build 1.06r1
Logfile Created on:Thursday, August 18, 2005 10:05:46 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R62 17.08.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
AdRotator(TAC index:6):1 total references
BargainBuddy(TAC index:8):8 total references
BookedSpace(TAC index:10):1 total references
MRU List(TAC index:0):9 total references
Possible Browser Hijack attempt(TAC index:3):13 total
references
SurfSideKickBHO(TAC index:7):2 total references
Tracking Cookie(TAC index:3):15 total references
Windows(TAC index:3):1 total references
VirtualBouncer(TAC index:5):1 total references
VX2(TAC index:10):33 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user
only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates
critical objects


8-18-2005 10:05:46 AM - Scan started. (Smart mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 192
ThreadCreationTime : 8-18-2005 2:54:25 PM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 212
ThreadCreationTime : 8-18-2005 2:54:53 PM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINNT\system32\
ProcessID : 264
ThreadCreationTime : 8-18-2005 2:54:55 PM
BasePriority : Normal
FileVersion : 5.00.2195.6700
ProductVersion : 5.00.2195.6700
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : services.exe

#:4 [lsass.exe]
FilePath : C:\WINNT\system32\
ProcessID : 276
ThreadCreationTime : 8-18-2005 2:54:55 PM
BasePriority : Normal
FileVersion : 5.00.2195.6902
ProductVersion : 5.00.2195.6902
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL
(Export Version)
InternalName : lsasrv.dll and lsass.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : lsasrv.dll and lsass.exe

#:5 [scardsvr.exe]
FilePath : C:\WINNT\System32\
ProcessID : 404
ThreadCreationTime : 8-18-2005 2:54:59 PM
BasePriority : Normal
FileVersion : 5.00.2195.6609
ProductVersion : 5.00.2195.6609
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Smart Card Resource Management
Server
InternalName : SCardSvr.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : SCardSvr.exe

#:6 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 504
ThreadCreationTime : 8-18-2005 2:55:01 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32
Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINNT\System32\
ProcessID : 544
ThreadCreationTime : 8-18-2005 2:55:02 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32
Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : svchost.exe

#:8 [spoolsv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 608
ThreadCreationTime : 8-18-2005 2:55:04 PM
BasePriority : Normal
FileVersion : 5.00.2195.6659
ProductVersion : 5.00.2195.6659
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : spoolss.exe

#:9 [ati2evxx.exe]
FilePath : C:\WINNT\System32\
ProcessID : 660
ThreadCreationTime : 8-18-2005 2:55:06 PM
BasePriority : Normal


#:10 [blackd.exe]
FilePath : C:\Program Files\ISS\BlackICE\
ProcessID : 684
ThreadCreationTime : 8-18-2005 2:55:06 PM
BasePriority : Normal
FileVersion : 3.6.52
ProductVersion : 3.6
ProductName : Network ICE Corporation blackd
CompanyName : Internet Security Systems, Inc.
FileDescription : blackd
InternalName : BlackICE Daemon
LegalCopyright : Copyright © 1999-2003, Internet
Security Systems, Inc. All rights reserved worldwide.
LegalTrademarks : BlackICE, Internet Security
Systems, Inc.
OriginalFilename : blackd.exe
Comments : Reverse engineering prohibited by
license agreement

#:11 [cam.exe]
FilePath : C:\PROGRA~1\CA\SHARED~1\CAM\bin\
ProcessID : 700
ThreadCreationTime : 8-18-2005 2:55:07 PM
BasePriority : Normal
FileVersion : 3.11.29.3
ProductVersion : 3.11.29.3
ProductName : Unicenter Message Queuing
CompanyName : Computer Associates
International, Inc.
FileDescription : CA Message Queuing Server
InternalName : cam
LegalCopyright : Copyright © 2002 Computer
Associates International, Inc.
OriginalFilename : cam.exe
Comments : CA Message Queuing Server

#:12 [cisvc.exe]
FilePath : C:\WINNT\system32\
ProcessID : 644
ThreadCreationTime : 8-18-2005 2:55:08 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Content Index service
InternalName : cisvc.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : cisvc.exe

#:13 [cvpnd.exe]
FilePath : C:\Program Files\Cisco
Systems\VPN Client\
ProcessID : 712
ThreadCreationTime : 8-18-2005 2:55:17 PM
BasePriority : Normal
FileVersion : 4.0.2 (B)
ProductVersion : 4.0.2 (B)
ProductName : Cisco Systems VPN Client
CompanyName : Cisco Systems, Inc.
FileDescription : Cisco Systems VPN Client
InternalName : cvpnd
LegalCopyright : Copyright © 1998-2003 Cisco
Systems, Inc.
OriginalFilename : CVPND.EXE

#:14 [cvslock.exe]
FilePath : D:\Program Files\cvsnt\
ProcessID : 836
ThreadCreationTime : 8-18-2005 2:55:20 PM
BasePriority : Normal


#:15 [cvsservice.exe]
FilePath : D:\Program Files\cvsnt\
ProcessID : 860
ThreadCreationTime : 8-18-2005 2:55:26 PM
BasePriority : Normal
FileVersion : cvsservice 2.5.01 (Travis) Build
1976
ProductVersion : cvsnt 2.5.01 (Travis) Build 1976
ProductName : cvsnt
CompanyName : March-Hare Software Ltd
FileDescription : cvsnt service
InternalName : cvsservice
LegalCopyright : Copyright (C) 2004, March-Hare
Software Ltd
OriginalFilename : cvsservice.exe
Comments : cvsnt 2.5.01 (Travis) Build 1976,
Copyright (C) 2004, March Hare Software Ltd.
Containts code Copyright (C) 2001, Free Software
Foundation, and others.
Licensed under GNU General Public License version 2.0 or
above.

#:16 [defwatch.exe]
FilePath : C:\Program Files\NavNT\
ProcessID : 884
ThreadCreationTime : 8-18-2005 2:55:26 PM
BasePriority : Normal
FileVersion : 8.00.01.425
ProductVersion : 8.00.01.425
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Virus Definition Daemon
InternalName : DefWatch
LegalCopyright : Copyright © 1998 Symantec
Corporation
OriginalFilename : DefWatch.exe

#:17 [sagent2.exe]
FilePath : C:\Program Files\Common
Files\EPSON\EBAPI\
ProcessID : 916
ThreadCreationTime : 8-18-2005 2:55:27 PM
BasePriority : Normal
FileVersion : 1, 0, 0, 0
ProductVersion : 1, 0, 0, 0
ProductName : EPSON Bidirectional Printer
CompanyName : SEIKO EPSON CORPORATION
FileDescription : EPSON Printer Status Agent
InternalName : SAgent2
LegalCopyright : Copyright (C) SEIKO EPSON CORP.
2000
OriginalFilename : SAgent2.exe

#:18 [humdisplayserver.exe]
FilePath : D:\Program
Files\Hummingbird\Connectivity\9.00\Exceed\
ProcessID : 956
ThreadCreationTime : 8-18-2005 2:55:28 PM
BasePriority : Normal
FileVersion : 9.0.0.0
ProductVersion : 9.0.0.0
ProductName : Exceed
CompanyName : Hummingbird Ltd.
FileDescription : Display Number Manager Service
for Win32
InternalName : HumDisplayServer
LegalCopyright : Copyright © 2003 Hummingbird Ltd.
All Rights Reserved.
OriginalFilename : HumDisplayServer.exe

#:19 [logwatnt.exe]
FilePath : C:\WINNT\
ProcessID : 972
ThreadCreationTime : 8-18-2005 2:55:29 PM
BasePriority : Normal


#:20 [mdm.exe]
FilePath : C:\Program Files\Common
Files\Microsoft Shared\VS7Debug\
ProcessID : 1012
ThreadCreationTime : 8-18-2005 2:55:29 PM
BasePriority : Normal
FileVersion : 7.00.9466
ProductVersion : 7.00.9466
ProductName : Microsoft® Visual Studio .NET
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : © Microsoft Corporation. All
rights reserved.
OriginalFilename : mdm.exe

#:21 [rtvscan.exe]
FilePath : C:\Program Files\NavNT\
ProcessID : 1100
ThreadCreationTime : 8-18-2005 2:55:31 PM
BasePriority : Normal
FileVersion : 8.00.01.425
ProductVersion : 8.00.01.425
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
LegalCopyright : Copyright (C) Symantec
Corporation 1991-2002

#:22 [nutsrv4.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1120
ThreadCreationTime : 8-18-2005 2:55:33 PM
BasePriority : Normal
FileVersion : 4.64.0000
ProductVersion : 4.64.0000
ProductName : NuTCRACKER 4
CompanyName : DataFocus, Inc.
FileDescription : NuTCRACKER Service
InternalName : nutsrv4
LegalCopyright : Copyright (c) 1993-2004
DataFocus, Inc.
LegalTrademarks : NuTCRACKER is a registered
trademark of DataFocus, Inc.
Comments : Built on Fri Apr 16 16:47:49 EDT
2004

#:23 [regsvc.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1164
ThreadCreationTime : 8-18-2005 2:55:34 PM
BasePriority : Normal
FileVersion : 5.00.2195.6701
ProductVersion : 5.00.2195.6701
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : REGSVC.EXE

#:24 [mstask.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1176
ThreadCreationTime : 8-18-2005 2:55:34 PM
BasePriority : Normal
FileVersion : 4.71.2195.6920
ProductVersion : 4.71.2195.6920
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright (C) Microsoft Corp. 1997
OriginalFilename : mstask.exe

#:25 [sdserv.exe]
FilePath : C:\Program Files\CA\Unicenter
Software Delivery\BIN\
ProcessID : 1188
ThreadCreationTime : 8-18-2005 2:55:35 PM
BasePriority : Normal


#:26 [winmgmt.exe]
FilePath : C:\WINNT\System32\WBEM\
ProcessID : 1292
ThreadCreationTime : 8-18-2005 2:55:36 PM
BasePriority : Normal
FileVersion : 1.50.1085.0100
ProductVersion : 1.50.1085.0100
ProductName : Windows Management Instrumentation
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
LegalCopyright : Copyright (C) Microsoft Corp.
1995-1999

#:27 [triggag.exe]
FilePath : C:\Program Files\CA\Unicenter
Software Delivery\BIN\
ProcessID : 1320
ThreadCreationTime : 8-18-2005 2:55:38 PM
BasePriority : Normal
FileVersion : 4, 0, 2107, 0
ProductVersion : 4, 0, 2107, 0
ProductName : Unicenter Software Delivery
CompanyName : Computer Associates
International, Inc.
FileDescription : TRIGGAG
InternalName : TRIGGAG
LegalCopyright : Copyright 2003
OriginalFilename : TRIGGAG.exe

#:28 [winvnc.exe]
FilePath : D:\Program Files\TightVNC\
ProcessID : 1328
ThreadCreationTime : 8-18-2005 2:55:41 PM
BasePriority : Normal
FileVersion : 1, 2, 9, 0
ProductVersion : 1, 2, 9, 0
ProductName : TightVNC Win32 Server
CompanyName : Constantin Kaplinsky
FileDescription : TightVNC Win32 Server
InternalName : WinVNC
LegalCopyright : Copyright (C) 1998-2002 [many
holders]
OriginalFilename : WinVNC.exe
Comments : Based on TridiaVNC by Tridia
Corporation

#:29 [wltrysvc.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1352
ThreadCreationTime : 8-18-2005 2:55:42 PM
BasePriority : Normal


#:30 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1368
ThreadCreationTime : 8-18-2005 2:55:42 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32
Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : svchost.exe

#:31 [bcmwltry.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1388
ThreadCreationTime : 8-18-2005 2:55:42 PM
BasePriority : Normal
FileVersion : 3.70.18.0
ProductVersion : 3.70.18.0
ProductName : BCM 802.11g Network Adapter
Wireless Network Tray Applet
CompanyName : Broadcom Corporation
FileDescription : BCM 802.11g Network Adapter
Wireless Network Tray Applet
InternalName : bcmwltry.exe
LegalCopyright : 1998-2004, Broadcom Corporation
All Rights Reserved.
OriginalFilename : bcmwltry.exe

#:32 [smsapm32.exe]
FilePath : C:\WINNT\MS\SMS\clicomp\apa\Bin\
ProcessID : 1564
ThreadCreationTime : 8-18-2005 2:55:55 PM
BasePriority : Normal
FileVersion : 2.00.1493.5147
ProductVersion : 2.00.1493.5147
ProductName : Systems Management Server
CompanyName : Microsoft Corporation
FileDescription : SMS 2.0 Client - Advertised
Programs Manager (Win32)
InternalName : SMSAPM32
LegalCopyright : Copyright (C) Microsoft
Corporation 1994-2003
OriginalFilename : SMSAPM32.EXE

#:33 [explorer.exe]
FilePath : C:\WINNT\
ProcessID : 1896
ThreadCreationTime : 8-18-2005 2:56:11 PM
BasePriority : Normal
FileVersion : 5.00.3700.6690
ProductVersion : 5.00.3700.6690
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : EXPLORER.EXE

#:34 [afdprb.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1948
ThreadCreationTime : 8-18-2005 2:56:16 PM
BasePriority : Normal
FileVersion : 1, 1, 0, 7
ProductVersion : 0, 0, 7, 0

#:35 [atiptaxx.exe]
FilePath : C:\Program Files\ATI
Technologies\ATI Control Panel\
ProcessID : 2028
ThreadCreationTime : 8-18-2005 2:56:33 PM
BasePriority : Normal
FileVersion : 6.14.10.4000
ProductVersion : 6.14.10.4000
ProductName : ATI Desktop Component
CompanyName : ATI Technologies, Inc.
FileDescription : ATI Desktop Control Panel
InternalName : Atiptaxx.exe
LegalCopyright : Copyright (C) 1998-2002 ATI
Technologies Inc.
OriginalFilename : Atiptaxx.exe

#:36 [dadapp.exe]
FilePath : C:\Program
Files\DELL\AccessDirect\
ProcessID : 2096
ThreadCreationTime : 8-18-2005 2:56:40 PM
BasePriority : Normal


#:37 [carpserv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 2124
ThreadCreationTime : 8-18-2005 2:56:46 PM
BasePriority : Normal
FileVersion : 6.00.09.00
ProductVersion : 6.00.09.00
ProductName : Conexant carpserv
CompanyName : Conexant Systems, Inc.
FileDescription : carpserv
InternalName : carpserv
LegalCopyright : Copyright© Conexant Systems, Inc.
2003
OriginalFilename : carpserv.exe

#:38 [prpcui.exe]
FilePath : C:\WINNT\system32\
ProcessID : 716
ThreadCreationTime : 8-18-2005 2:56:48 PM
BasePriority : Normal
FileVersion : 3.0.0.0
ProductVersion : 3.0.0.0
ProductName : Intel(R) SpeedStep(TM) technology
applet
CompanyName : Intel Corporation
FileDescription : Intel(R) SpeedStep(TM) technology
User Interface
InternalName : prpcui.exe
LegalCopyright : Copyright© Intel Corporation 1998-
2001
LegalTrademarks : Intel(R) SpeedStep(TM) technology
OriginalFilename : prpcui.exe
Comments : Intel SpeedStep technology Applet
v3.0

#:39 [tsap.exe]
FilePath : C:\Program Files\arau\
ProcessID : 2112
ThreadCreationTime : 8-18-2005 2:56:51 PM
BasePriority : Normal


#:40 [apoint.exe]
FilePath : C:\Program Files\Apoint\
ProcessID : 2072
ThreadCreationTime : 8-18-2005 2:56:52 PM
BasePriority : Normal
FileVersion : 5.4.101.118
ProductVersion : 5.4.101.118
ProductName : Alps Pointing-device Driver
CompanyName : Alps Electric Co., Ltd.
FileDescription : Alps Pointing-device Driver
InternalName : Alps Pointing-device Driver
LegalCopyright : Copyright (C) 1999-2003 Alps
Electric Co., Ltd.
OriginalFilename : Apoint.exe

#:41 [createcd50.exe]
FilePath : C:\Program Files\Common
Files\Adaptec Shared\CreateCD\
ProcessID : 1924
ThreadCreationTime : 8-18-2005 2:56:57 PM
BasePriority : Normal
FileVersion : 5.3.4.21
ProductVersion : 5.3.4.21
ProductName : Easy CD Creator
CompanyName : Roxio
FileDescription : Roxio Create CD
InternalName : createcd.exe
LegalCopyright : Copyright (c) 1999-2002 Roxio,
Inc.
OriginalFilename : createcd.exe

#:42 [apntex.exe]
FilePath : C:\Program Files\Apoint\
ProcessID : 2012
ThreadCreationTime : 8-18-2005 2:57:06 PM
BasePriority : Normal
FileVersion : 5.0.1.15
ProductVersion : 5.0.1.15
ProductName : Alps Pointing-device Driver for
Windows NT/2000/XP
CompanyName : Alps Electric Co., Ltd.
FileDescription : Alps Pointing-device Driver for
Windows NT/2000/XP
InternalName : Alps Pointing-device Driver for
Windows NT/2000/XP
LegalCopyright : Copyright (C) 1998-2003 Alps
Electric Co., Ltd.
OriginalFilename : ApntEx.exe

#:43 [directcd.exe]
FilePath : C:\Program Files\Roxio\Easy CD
Creator 5\DirectCD\
ProcessID : 1940
ThreadCreationTime : 8-18-2005 2:57:07 PM
BasePriority : Normal
FileVersion : 5.3.4.21
ProductVersion : 5.3.4.21
ProductName : DirectCD
CompanyName : Roxio
FileDescription : DirectCD Application
InternalName : DirectCD
LegalCopyright : Copyright (c) 2001,2002, Roxio,
Inc.
OriginalFilename : Directcd.exe

#:44 [vptray.exe]
FilePath : C:\Program Files\NavNT\
ProcessID : 1004
ThreadCreationTime : 8-18-2005 2:57:09 PM
BasePriority : Normal
FileVersion : 8.00.01.425
ProductVersion : 8.00.01.425
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
LegalCopyright : Copyright (C) Symantec
Corporation 1991-2002

#:45 [launch32.exe]
FilePath : C:\WINNT\MS\SMS\CORE\BIN\
ProcessID : 1832
ThreadCreationTime : 8-18-2005 2:57:11 PM
BasePriority : Normal
FileVersion : 2.00.1493.5116
ProductVersion : 2.00.1493.5116
ProductName : Systems Management Server
CompanyName : Microsoft Corporation
FileDescription : Systems Management Server
InternalName : LAUNCH32
LegalCopyright : Copyright (C) Microsoft
Corporation 1994-2003
OriginalFilename : LAUNCH32.EXE

#:46 [ituneshelper.exe]
FilePath : C:\Program Files\iTunes\
ProcessID : 2048
ThreadCreationTime : 8-18-2005 2:57:21 PM
BasePriority : Normal
FileVersion : 4.7.1.30
ProductVersion : 4.7.1.30
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : © 2003-2004 Apple Computer, Inc.
All Rights Reserved.
OriginalFilename : iTunesHelper.exe

#:47 [smsmon32.exe]
FilePath : C:\WINNT\MS\SMS\CLICOMP\SWDist32
\bin\
ProcessID : 2144
ThreadCreationTime : 8-18-2005 2:57:21 PM
BasePriority : Normal
FileVersion : 2.00.1493.5116
ProductVersion : 2.00.1493.5116
ProductName : Systems Management Server
CompanyName : Microsoft Corporation
FileDescription : SMS 2.0 Client - Advertised
Programs Monitor (Win32)
InternalName : SMSMON32
LegalCopyright : Copyright (C) Microsoft
Corporation 1994-2003
OriginalFilename : SMSMON32.EXE

#:48 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 732
ThreadCreationTime : 8-18-2005 2:57:23 PM
BasePriority : Normal
FileVersion : 6.5.1
ProductVersion : QuickTime 6.5.1
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001- 2004
OriginalFilename : QTTask.exe

#:49 [sxplog32.exe]
FilePath : C:\SxpInst\
ProcessID : 2212
ThreadCreationTime : 8-18-2005 2:57:27 PM
BasePriority : Normal
FileVersion : 6.4/67
ProductVersion : 4.0 Service Pack 1
ProductName : Software Delivery
CompanyName : Computer Associates
International, Inc.
LegalCopyright : © 2003 Computer Associates
International, Inc.
Comments : Common Version Info

#:50 [ipodservice.exe]
FilePath : C:\Program Files\iPod\bin\
ProcessID : 2224
ThreadCreationTime : 8-18-2005 2:57:28 PM
BasePriority : Normal
FileVersion : 4.7.1.30
ProductVersion : 4.7.1.30
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : © 2003-2004 Apple Computer, Inc.
All Rights Reserved.
OriginalFilename : iPodService.exe

#:51 [blackice.exe]
FilePath : C:\Program Files\ISS\BlackICE\
ProcessID : 2320
ThreadCreationTime : 8-18-2005 2:57:48 PM
BasePriority : Normal
FileVersion : 3.6.46
ProductVersion : 3.6
ProductName : Internet Security Systems, Inc.
BlackICE
CompanyName : Internet Security Systems, Inc.
FileDescription : BlackICE MFC Application
InternalName : BlackICE
LegalCopyright : Copyright © 1999-2003, Internet
Security Systems, Inc. All rights reserved worldwide.
LegalTrademarks : BlackICE, Internet Security
Systems, Inc.
OriginalFilename : blackice.exe
Comments : Reverse engineering prohibited by
license agreement

#:52 [cidaemon.exe]
FilePath : C:\WINNT\system32\
ProcessID : 2336
ThreadCreationTime : 8-18-2005 3:02:10 PM
BasePriority : Idle
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Indexing Service filter daemon
InternalName : cidaemon.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : cidaemon.exe

#:53 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-
Aware SE Personal\
ProcessID : 1452
ThreadCreationTime : 8-18-2005 3:05:36 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

AdRotator Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{1cfb8b32-4053-4144-
af6f-1540eec7f101}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{8eee58d5-130e-4cbd-
9c83-35a0564e1357}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{8eee58d5-130e-4cbd-
9c83-35a0564e5678}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c6906a23-4717-4e1f-
b6fd-f06ebed11357}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c6906a23-4717-4e1f-
b6fd-f06ebed15678}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{4eb7bbe8-2e15-424b-9ddb-2cdb9516c2e3}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{4eb7bbe8-2e15-424b-9ddb-2cdb9516b2c3}

BookedSpace Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{05080e6b-a88a-4cfd-
8c3d-9b2557670b6e}

VX2 Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUL3a5stSSChckin

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUL3a5stMotsSDay

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUP3D5om

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUB3D5om

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUs3t5icky1S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUs3t5icky2S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUs3t5icky3S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUs3t5icky4S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUE3v5nt

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUT3h5rshSBath

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUT3h5rshSysSInf

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUT3h5rshSCheckSIn

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUT3h5rshSMots

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUL3n5Title

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AU3N5a7tionSCode

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUD3s5tSSEnd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUC3u5rrentSMode

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUC3n5tFyl

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUM3o5deSSync

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUI3g5noreS

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUC1o3d5eOfSFinalAd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUT3i5m7eOfSFinalAd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUI3d5OfSInst

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUI3n5ProgSCab

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUI3n5ProgSEx

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUI3n5ProgSLstest

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUS3t5atusOfSInst

SurfSideKickBHO Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object :
software\microsoft\windows\currentversion\uninstall\surf
sidekick

SurfSideKickBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object :
software\microsoft\windows\currentversion\uninstall\surf
sidekick
Value : UninstallString

VirtualBouncer Object Recognized!
Type : RegValue
Data : 100
TAC Rating : 5
Category : Malware
Comment : "DistID"
Rootkey : HKEY_LOCAL_MACHINE
Object :
software\microsoft\cryptography\services
Value : DistID

Windows Object Recognized!
Type : RegData
Data : explorer.exe c:\winnt\nail.exe
TAC Rating : 3
Category : Vulnerability
Comment : Shell Possibly Compromised
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows
nt\currentversion\winlogon
Value : Shell
Data : explorer.exe c:\winnt\nail.exe

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 40
Objects found so far: 40


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Possible Browser Hijack attempt :
Software\Microsoft\Internet Explorer\Main\Search Page
websearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://websearch.drsnsrch.com/sidesearch.cgi?id="
Possible Browser Hijack attempt : S-1-5-21-1790325321-
210772826-1412238824-500\Software\Microsoft\Internet
Explorer\SearchURLwebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "websearch.drsnsrch.com/q.cgi?q="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\Software\Microsoft\Internet
Explorer\SearchURL
Value :
Data : "websearch.drsnsrch.com/q.cgi?q="

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-
1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-
1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
Value : DisplayName

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-
1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
Value : URLInfoAbout

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-
1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
Value : Publisher

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-
1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
Value : HelpLink

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-
1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
Value : Contact

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 13
Objects found so far: 53


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@tradedoubler[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value :
Cookie:[email protected]/
Expires : 8-13-2025 12:58:50 AM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@qsrch[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:[email protected]/
Expires : 9-17-2005 8:58:32 AM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : (e-mail address removed) [1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:6
Value :
Cookie:[email protected]/
Expires : 8-18-2006 9:32:18 AM
LastSync : Hits:6
UseCount : 0
Hits : 6

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@pacificpoker[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value :
Cookie:[email protected]/
Expires : 4-12-2007 1:03:48 AM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@2o7[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:[email protected]/
Expires : 8-17-2010 10:06:38 AM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : (e-mail address removed)
[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value :
Cookie:[email protected]/
Expires : 11-23-2005 6:12:40 PM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@cgi-bin[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value :
Cookie:[email protected]/cgi-bin
Expires : 8-16-2015 9:09:20 AM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : (e-mail address removed)-sys
[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:[email protected]
sys.com/
Expires : 1-1-2038
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : (e-mail address removed) [1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value :
Cookie:[email protected]/
Expires : 8-19-2005 9:05:38 AM
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@weborama[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:[email protected]/
Expires : 8-17-2010 1:22:12 AM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@trafficmp[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:11
Value :
Cookie:[email protected]/
Expires : 8-18-2006 9:46:42 AM
LastSync : Hits:11
UseCount : 0
Hits : 11

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@serving-sys[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:administrator@serving-
sys.com/
Expires : 1-1-2038
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@overstock[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:15
Value :
Cookie:[email protected]/
Expires : 2-19-2020 9:28:00 AM
LastSync : Hits:15
UseCount : 0
Hits : 15

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@zedo[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:13
Value : Cookie:[email protected]/
Expires : 8-16-2015 9:38:36 AM
LastSync : Hits:13
UseCount : 0
Hits : 13

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@realmedia[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value :
Cookie:[email protected]/
Expires : 12-31-2020 7:00:00 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 15
Objects found so far: 68



Deep scanning and examining files...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\WINNT
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 68

Disk Scan Result for C:\WINNT\system32
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 68

Disk Scan Result for C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 68


Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
18 entries scanned.
New critical objects:0
Objects found so far: 68



MRU List Object Recognized!
Location: : C:\Documents and
Settings\Administrator\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-1790325321-210772826-1412238824-500\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1790325321-210772826-1412238824-500\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1790325321-210772826-1412238824-500\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console


MRU List Object Recognized!
Location: : S-1-5-21-1790325321-210772826-1412238824-500
\software\microsoft\windows\currentversion\explorer\comdlg
3\software\microsoft\windows\currentversion\explorer\comdlg
3\software\microsoft\windows\currentversion\explorer\recent
d
 
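An added example in Python, not code from the thread or from Lavasoft, that parses the Ad-Aware report layout pasted above ("<kind> Object Recognized!" records made of "Key : value" fields) and totals hits per tracking-cookie domain at or above a TAC rating, which is the quickest way to see what a scan like this actually found. The log excerpt inside it is constructed from that layout.

```python
# Added example (not the poster's log or Lavasoft's code): parse the Ad-Aware
# report layout shown above and total hits per tracking-cookie domain.
# SAMPLE_LOG is a constructed excerpt in that layout, not the full posted log.
SAMPLE_LOG = """\
Tracking Cookie Object Recognized!
Data : administrator@serving-sys[2].txt
TAC Rating : 3
Category : Data Miner
Value : Cookie:administrator@serving-sys.com/
Hits : 4

Tracking Cookie Object Recognized!
Data : administrator@zedo[1].txt
TAC Rating : 3
Category : Data Miner
Value : Cookie:administrator@zedo.com/
Hits : 13

MRU List Object Recognized!
Location: : C:\\Documents and Settings\\Administrator\\recent
Description : list of recently opened documents
"""


def parse_objects(text):
    """Split the report into '<kind> Object Recognized!' records, one dict each."""
    objects, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(" Object Recognized!"):
            current = {"kind": line[: -len(" Object Recognized!")]}
            objects.append(current)
        elif current is not None and " : " in line:
            # 'Location: : ...' in MRU entries normalises to plain 'Location'
            key, value = line.split(" : ", 1)
            current[key.rstrip(": ")] = value.strip()
    return objects


def cookie_hits_by_domain(objects, min_tac=3):
    """Total Hits per cookie domain (from 'Cookie:user@domain/') for tracking
    cookies rated at least min_tac; MRU entries are skipped."""
    totals = {}
    for obj in objects:
        if obj["kind"] != "Tracking Cookie" or int(obj["TAC Rating"]) < min_tac:
            continue
        domain = obj["Value"].split("@", 1)[1].rstrip("/")
        totals[domain] = totals.get(domain, 0) + int(obj["Hits"])
    return totals
```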
J

Jim Byrd

Hi Jean - Try running AAWCloak.exe,
http://www.lavasoftnews.com/downloads/AAWCloak.exe, before opening Ad-Aware.
When AAWCloak is open, click "Activate Cloak". Then open Ad-Aware SE and
scan your system. Be SURE that you use THIS particular version of the VX2
plugin (re-download it using this link and then unzip and copy to the
Ad-Aware plug-ins folder, replacing any existing components with the same
names): http://www.lavasoftresearch.com/upload/app/vx2cleaner.zip Then, as
per Andy's original post:

"Run Ad-Aware and click the Add-ons button in the main
window. Select VX2 Cleaner from the list.

Click the "Run Tool" button in the lower right corner of
the window. Click "OK" when asked if you want to execute
this tool. It will say VX2 variant found then press
clean. Next it will say to reboot and run a smart scan
with Adaware."

See if it will run that way.
 
