Aurora Fix

AndyManchesta

Lavasoft have come to the rescue and released a new VX2 cleaner that kills Aurora. After many weeks of testing and being involved in different fixes for this, I have to hand it to them: theirs is the best fix for Aurora at present, and it shows us all how it should be done.

This is a beta test, so even though I will post the link (which may change in the next couple of weeks when it comes out of beta), anyone who wants to use it should consider signing up to Lavasoft as a beta tester to help them improve applications and definition files. You can sign up at this address, then choose definitions or programs to take part:

http://www.lavasoftresearch.com/betaprogram

First you need Ad-Aware SE:

http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html?part=dl-ad-aware&subj=dl&tag=top5

Then close Ad-Aware SE and download the new VX2 Cleaner (not the one on their site, as it will not detect Aurora):

http://www.lavasoftresearch.com/upload/app/vx2cleaner.zip

Save the file where you can find it easily, then extract the files and copy them (left-click and drag to cover the files, then right-click and Copy), then open Lavasoft's Ad-Aware "Plugins" folder and paste them in there (right-click and Paste).

(C:\Program Files\Lavasoft\Ad-Aware SE\Plugins)

Run Ad-Aware and click the Add-ons button in the main window. Select VX2 Cleaner from the list.

Click the "Run Tool" button in the lower right corner of the window. Click "OK" when asked if you want to execute this tool. It will say "VX2 variant found"; then press Clean. Next it will say to reboot and run a Smart Scan with Ad-Aware.

It does miss a couple of traces, which I will list below, but it kills the Nail infection and makes it look so easy.

Delete these if found:

C:\WINDOWS\ffsnvqmgpiy.exe
C:\WINDOWS\rramcx.exe

Then you can clear the Temp Internet files and the contents of the Prefetch folder to remove the final traces if you wish:

Go to the Start menu, choose Run and type %temp%, then delete the contents of this folder (or at least the files that are not in use). Then go to Start, Run and type prefetch, and delete the contents of this folder, and it's finished!

Good Work Lavasoft

Regards Andy
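The final clean-up steps from the post above, as an added script that is not from the original post or from Lavasoft: it checks for the two leftover files and empties the %temp% and Prefetch folders, reporting files it could not delete (the "in use" case) instead of stopping. The TEMP and SystemRoot environment-variable lookups, the --apply switch and the sample-folder helper are this script's own assumptions; it runs as a dry run by default.

```python
"""Scripted version of the manual clean-up steps (added example, not part of
the original post): remove the two leftover files if present and empty the
%temp% and Prefetch folders, skipping anything still in use.  Dry run unless
--apply is given; every step returns a report of what it did."""
import os
import sys
import tempfile
from pathlib import Path

# Leftover traces named in the post.  The folder locations below come from the
# post too; resolving them via environment variables is this script's choice.
LEFTOVER_FILES = [r"C:\WINDOWS\ffsnvqmgpiy.exe", r"C:\WINDOWS\rramcx.exe"]


def remove_if_present(paths, dry_run=True):
    """Return the listed files that exist on disk; delete them unless dry_run."""
    found = []
    for path in map(Path, paths):
        if path.is_file():
            found.append(str(path))
            if not dry_run:
                path.unlink()
    return found


def clear_folder(folder, dry_run=True):
    """Empty a folder's contents (the folder itself is kept).

    Files the OS refuses to delete (typically temp files held open by a running
    program, which is what "not in use" means in the post) are collected in
    `skipped` rather than aborting the run.  Returns (removed, skipped)."""
    removed, skipped = [], []
    folder = Path(folder)
    if not folder.is_dir():
        return removed, skipped
    # Bottom-up walk so sub-folders are already empty when we try to rmdir them.
    for root, dirs, files in os.walk(folder, topdown=False):
        for name in files:
            path = Path(root) / name
            try:
                if not dry_run:
                    path.unlink()
                removed.append(str(path))
            except OSError:
                skipped.append(str(path))
        for name in dirs:
            path = Path(root) / name
            try:
                if not dry_run:
                    path.rmdir()
                removed.append(str(path))
            except OSError:  # still non-empty because a file in it was skipped
                skipped.append(str(path))
    return removed, skipped


def cleanup(dry_run=True):
    """Run all three clean-up steps and return a report dict."""
    temp = os.environ.get("TEMP") or tempfile.gettempdir()
    prefetch = Path(os.environ.get("SystemRoot", r"C:\WINDOWS")) / "Prefetch"
    return {
        "leftovers": remove_if_present(LEFTOVER_FILES, dry_run),
        "temp": clear_folder(temp, dry_run),
        "prefetch": clear_folder(prefetch, dry_run),
    }


def make_sample_tree():
    """Constructed throw-away folder (a file, a sub-folder with a file) for
    trying clear_folder() out offline without touching the real temp folder."""
    base = Path(tempfile.mkdtemp(prefix="vx2demo_"))
    (base / "a.tmp").write_text("x")
    (base / "sub").mkdir()
    (base / "sub" / "b.tmp").write_text("y")
    return base


if __name__ == "__main__":
    apply_changes = "--apply" in sys.argv
    for step, result in cleanup(dry_run=not apply_changes).items():
        print(step, result)
```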
 
AndyManchesta

No problem Bill

I appreciate this isn't about MS Antispy, but they are not detecting most of this anymore (only drpmon.dll and the software/Aurora folder in the registry, last time I checked), so it doesn't faze them, and the Epolvy trojan part just replaces it. Epolvy is the random-named exe in the system32 folder that replaces the others, and itself if you delete it, and deletes itself and creates a new random name every time you reboot, so that's been the stalling point for a lot of removers.

This isn't just a case of pop-ups though; it's a serious matter in my view. I've been recording the outgoing traffic to Direct Revenue with packet sniffers, and here's some of the stuff they take:

Computer number and username
The space that has been used and what is free
All the programs installed and the paths to the files
Every page you visit online
Every entry you type on search engines
Every download you do
Version of Windows & Browser installed

So any help I can give people in removing this is worthwhile, and I'm happy to assist in spoiling their business ;)

Regards Andy
 
Bill Sanderson

Nasty stuff indeed. Not on the order of CoolWebSearch, but well worth
getting rid of quickly.

The range of these critters is remarkable--from CWS and keyloggers, to
Aurora, and on to the Claria folks, who look positively tame by comparison.
 
Tinkerer

Andy, I hope you don't mind me cutting and pasting this into a post in
microsoft.public.windowsxp.security_admin newsgroup.

--

Cheers,
Tinkerer



Lavasoft have come to the rescue and released a new VX2 cleaner that kills Aurora. After many weeks of testing and being involved in different fixes for this, I have to hand it to them: theirs is the best fix for Aurora at present, and it shows us all how it should be done.

This is a beta test, so even though I will post the link (which may change in the next couple of weeks when it comes out of beta), anyone who wants to use it should consider signing up to Lavasoft as a beta tester to help them improve applications and definition files. You can sign up at this address, then choose definitions or programs to take part:

http://www.lavasoftresearch.com/betaprogram

First you need Ad-Aware SE:

http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html?part=dl-ad-aware&subj=dl&tag=top5

Then close Ad-Aware SE and download the new VX2 Cleaner (not the one on their site, as it will not detect Aurora):

http://www.lavasoftresearch.com/upload/app/vx2cleaner.zip

Save the file where you can find it easily, then extract the files and copy them (left-click and drag to cover the files, then right-click and Copy), then open Lavasoft's Ad-Aware "Plugins" folder and paste them in there (right-click and Paste).

(C:\Program Files\Lavasoft\Ad-Aware SE\Plugins)

Run Ad-Aware and click the Add-ons button in the main window. Select VX2 Cleaner from the list.

Click the "Run Tool" button in the lower right corner of the window. Click "OK" when asked if you want to execute this tool. It will say "VX2 variant found"; then press Clean. Next it will say to reboot and run a Smart Scan with Ad-Aware.

It does miss a couple of traces, which I will list below, but it kills the Nail infection and makes it look so easy.

Delete these if found:

C:\WINDOWS\ffsnvqmgpiy.exe
C:\WINDOWS\rramcx.exe

Then you can clear the Temp Internet files and the contents of the Prefetch folder to remove the final traces if you wish:

Go to the Start menu, choose Run and type %temp%, then delete the contents of this folder (or at least the files that are not in use). Then go to Start, Run and type prefetch, and delete the contents of this folder, and it's finished!

Good Work Lavasoft

Regards Andy
 
AndyManchesta

I agree, Claria ain't got nothing on these guys. Eric Howes has already written about the XML data, which clearly indicate that THInstaller, as used by Aurora & mypctuneup, can check for and remove other software besides DR's own. Ben Edelman's also written about this because DR removed AvenueMedia, which it's well known they got sued for, so it shows the power they think they have.

I've spent far too much time on fixes in the last few weeks and can happily put them to one side now and move on to other junk. Most of it was easy enough, but it's very time consuming trying to write batch files and reg fixes to remove a random-named file, although this has now been achieved with KillEpolvy by Swandog.

It doesn't matter who makes the fixes in my view, as long as they work, and this cleaner from Lavasoft is excellent on the tests I've run tonight, so good on them!

I appreciate your view about CWS & keyloggers such as the one Patrick Jordan (Webhelper) found; they are the main problems out there right now, but you know what they say:

If there's a will, there's a way ;)

Andy
 
AndyManchesta

Not at all Tinkerer

It's there for anyone and everyone until DR change the infection.

Just include the link to Lavasoft beta testing, as it's only fair with it coming from them.

Thanks

Andy
 
Ron Chamberlin

Andy,
> I appreciate this isn't about MS Antispy

Don't worry about that. Though these groups were presumably designed to help folks with the MWAS product, I think we have wandered from that topic several thousand posts ago.

If we can help people out here, that's what counts in my book.

Ron Chamberlin
MS-MVP
 
plun

Hi Andy !

Great news, thank you and also thank you for all work you have done
with Aurora removals. Great !

And of course this latest tool/news was from a Swedish company :')
Maybe Direct Revenue's lawyers don't go so far for trials!
 
Bill Sanderson

Well said!

--

Ron Chamberlin said:
Andy,


Don't worry about that. Though these groups were presumably designed to help folks with the MWAS product, I think we have wandered from that topic several thousand posts ago.

If we can help people out here, that's what counts in my book.

Ron Chamberlin
MS-MVP
 
Tinkerer

No problem then, I did a copy and paste... :)

--

Cheers,
Tinkerer



Not at all Tinkerer

It's there for anyone and everyone until DR change the infection.

Just include the link to Lavasoft beta testing, as it's only fair with it coming from them.

Thanks

Andy
 
AndyManchesta

Hey Plun

I've been looking at the BFU since it was released and it looks great. I'm intrigued by the capabilities of this and will explore it in more detail sometime soon. It's taking some getting used to but does make things easier; I've managed to write a couple of basic scripts for it and they work great, so it's going to be very useful. Thanks to Merijn as always for helping us all out with his great programs.

I'm just writing to Lavasoft now after receiving an email from them about the installer file for Aurora, and will post the installer and files that are being missed so hopefully they can add them soon enough. There are the files I listed in the original mail, then a couple of references to svcproc left in the registry and the files in the temp folders, which isn't a big deal, but it would be nice for them to remove everything.

Hopefully I can start helping out more on here again, as I had been spending a lot of time on them in the last few weeks, but glad it's not needed now because of Lavasoft's great work.

Thanks to Ron & Bill for the kind words. I wasn't sure if I should post it with it promoting Lavasoft, but then thought many of the people who beta test MSAS may also like to get involved with beta testing at Lavasoft, plus it's great to finally see an easy fix for this that doesn't need 3 or 4 different programs.

Chat to you all soon

Regards Andy
 
Ron Chamberlin

Andy,
You're welcome. On one hand it's not 'our' group, though it does feel like 'Our Gang' after a few months of dueling with both the regulars and the same questions from newcomers. :)

I think we all started in here hoping to build out a new product, and
instead we find ourselves bailing the Titanic out.

Ron Chamberlin
MS-MVP
 
Bill Sanderson

Ron Chamberlin said:
Andy,
You're welcome. On one hand it's not 'our' group, though it does feel like 'Our Gang' after a few months of dueling with both the regulars and the same questions from newcomers. :)

I think we all started in here hoping to build out a new product, and
instead we find ourselves bailing the Titanic out.

And a long voyage it's been, too!
 
Jean

Hello all,

Like many others, I have been infected with this
VX2/Aurora calamity. After quite a few hours spent trying
to remove it on my own, I was happy to find this fix.
Alas, it does not seem to work for me.

I installed Lavasoft's AdAware (the free version, downloaded from cnet.com) and updated it with the latest definition files. Then I installed the VX2 cleaner plugin downloaded from the link posted by Andy in the original message. When I try to run the tool, it does display a pop-up telling me a VX2 variant has been detected, but it also says "to install Ad Aware SE will be shut down". Then if I click the "Clean" button, Ad Aware is indeed shut down but nothing else seems to happen. If I restart Ad Aware (with or without manually rebooting first) and repeat the same operation, the exact same steps occur. I never get the "Installed, please reboot and perform a Smart Scan with Ad-Aware." message.

Am I doing something wrong? Or is the VX2 cleaner add-on not compatible with the free version?

Thanks in advance for your response.

Since it might help, here is the log I get if I run an Ad
Aware smart scan:


Ad-Aware SE Build 1.06r1
Logfile Created on:Thursday, August 18, 2005 10:05:46 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R62 17.08.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
AdRotator(TAC index:6):1 total references
BargainBuddy(TAC index:8):8 total references
BookedSpace(TAC index:10):1 total references
MRU List(TAC index:0):9 total references
Possible Browser Hijack attempt(TAC index:3):13 total
references
SurfSideKickBHO(TAC index:7):2 total references
Tracking Cookie(TAC index:3):15 total references
Windows(TAC index:3):1 total references
VirtualBouncer(TAC index:5):1 total references
VX2(TAC index:10):33 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user
only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates
critical objects


8-18-2005 10:05:46 AM - Scan started. (Smart mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 192
ThreadCreationTime : 8-18-2005 2:54:25 PM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 212
ThreadCreationTime : 8-18-2005 2:54:53 PM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINNT\system32\
ProcessID : 264
ThreadCreationTime : 8-18-2005 2:54:55 PM
BasePriority : Normal
FileVersion : 5.00.2195.6700
ProductVersion : 5.00.2195.6700
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : services.exe

#:4 [lsass.exe]
FilePath : C:\WINNT\system32\
ProcessID : 276
ThreadCreationTime : 8-18-2005 2:54:55 PM
BasePriority : Normal
FileVersion : 5.00.2195.6902
ProductVersion : 5.00.2195.6902
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL
(Export Version)
InternalName : lsasrv.dll and lsass.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : lsasrv.dll and lsass.exe

#:5 [scardsvr.exe]
FilePath : C:\WINNT\System32\
ProcessID : 404
ThreadCreationTime : 8-18-2005 2:54:59 PM
BasePriority : Normal
FileVersion : 5.00.2195.6609
ProductVersion : 5.00.2195.6609
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Smart Card Resource Management
Server
InternalName : SCardSvr.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : SCardSvr.exe

#:6 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 504
ThreadCreationTime : 8-18-2005 2:55:01 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32
Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINNT\System32\
ProcessID : 544
ThreadCreationTime : 8-18-2005 2:55:02 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32
Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : svchost.exe

#:8 [spoolsv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 608
ThreadCreationTime : 8-18-2005 2:55:04 PM
BasePriority : Normal
FileVersion : 5.00.2195.6659
ProductVersion : 5.00.2195.6659
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : spoolss.exe

#:9 [ati2evxx.exe]
FilePath : C:\WINNT\System32\
ProcessID : 660
ThreadCreationTime : 8-18-2005 2:55:06 PM
BasePriority : Normal


#:10 [blackd.exe]
FilePath : C:\Program Files\ISS\BlackICE\
ProcessID : 684
ThreadCreationTime : 8-18-2005 2:55:06 PM
BasePriority : Normal
FileVersion : 3.6.52
ProductVersion : 3.6
ProductName : Network ICE Corporation blackd
CompanyName : Internet Security Systems, Inc.
FileDescription : blackd
InternalName : BlackICE Daemon
LegalCopyright : Copyright © 1999-2003, Internet
Security Systems, Inc. All rights reserved worldwide.
LegalTrademarks : BlackICE, Internet Security
Systems, Inc.
OriginalFilename : blackd.exe
Comments : Reverse engineering prohibited by
license agreement

#:11 [cam.exe]
FilePath : C:\PROGRA~1\CA\SHARED~1\CAM\bin\
ProcessID : 700
ThreadCreationTime : 8-18-2005 2:55:07 PM
BasePriority : Normal
FileVersion : 3.11.29.3
ProductVersion : 3.11.29.3
ProductName : Unicenter Message Queuing
CompanyName : Computer Associates
International, Inc.
FileDescription : CA Message Queuing Server
InternalName : cam
LegalCopyright : Copyright © 2002 Computer
Associates International, Inc.
OriginalFilename : cam.exe
Comments : CA Message Queuing Server

#:12 [cisvc.exe]
FilePath : C:\WINNT\system32\
ProcessID : 644
ThreadCreationTime : 8-18-2005 2:55:08 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Content Index service
InternalName : cisvc.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : cisvc.exe

#:13 [cvpnd.exe]
FilePath : C:\Program Files\Cisco
Systems\VPN Client\
ProcessID : 712
ThreadCreationTime : 8-18-2005 2:55:17 PM
BasePriority : Normal
FileVersion : 4.0.2 (B)
ProductVersion : 4.0.2 (B)
ProductName : Cisco Systems VPN Client
CompanyName : Cisco Systems, Inc.
FileDescription : Cisco Systems VPN Client
InternalName : cvpnd
LegalCopyright : Copyright © 1998-2003 Cisco
Systems, Inc.
OriginalFilename : CVPND.EXE

#:14 [cvslock.exe]
FilePath : D:\Program Files\cvsnt\
ProcessID : 836
ThreadCreationTime : 8-18-2005 2:55:20 PM
BasePriority : Normal


#:15 [cvsservice.exe]
FilePath : D:\Program Files\cvsnt\
ProcessID : 860
ThreadCreationTime : 8-18-2005 2:55:26 PM
BasePriority : Normal
FileVersion : cvsservice 2.5.01 (Travis) Build
1976
ProductVersion : cvsnt 2.5.01 (Travis) Build 1976
ProductName : cvsnt
CompanyName : March-Hare Software Ltd
FileDescription : cvsnt service
InternalName : cvsservice
LegalCopyright : Copyright (C) 2004, March-Hare
Software Ltd
OriginalFilename : cvsservice.exe
Comments : cvsnt 2.5.01 (Travis) Build 1976,
Copyright (C) 2004, March Hare Software Ltd.
Containts code Copyright (C) 2001, Free Software
Foundation, and others.
Licensed under GNU General Public License version 2.0 or
above.

#:16 [defwatch.exe]
FilePath : C:\Program Files\NavNT\
ProcessID : 884
ThreadCreationTime : 8-18-2005 2:55:26 PM
BasePriority : Normal
FileVersion : 8.00.01.425
ProductVersion : 8.00.01.425
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Virus Definition Daemon
InternalName : DefWatch
LegalCopyright : Copyright © 1998 Symantec
Corporation
OriginalFilename : DefWatch.exe

#:17 [sagent2.exe]
FilePath : C:\Program Files\Common
Files\EPSON\EBAPI\
ProcessID : 916
ThreadCreationTime : 8-18-2005 2:55:27 PM
BasePriority : Normal
FileVersion : 1, 0, 0, 0
ProductVersion : 1, 0, 0, 0
ProductName : EPSON Bidirectional Printer
CompanyName : SEIKO EPSON CORPORATION
FileDescription : EPSON Printer Status Agent
InternalName : SAgent2
LegalCopyright : Copyright (C) SEIKO EPSON CORP.
2000
OriginalFilename : SAgent2.exe

#:18 [humdisplayserver.exe]
FilePath : D:\Program
Files\Hummingbird\Connectivity\9.00\Exceed\
ProcessID : 956
ThreadCreationTime : 8-18-2005 2:55:28 PM
BasePriority : Normal
FileVersion : 9.0.0.0
ProductVersion : 9.0.0.0
ProductName : Exceed
CompanyName : Hummingbird Ltd.
FileDescription : Display Number Manager Service
for Win32
InternalName : HumDisplayServer
LegalCopyright : Copyright © 2003 Hummingbird Ltd.
All Rights Reserved.
OriginalFilename : HumDisplayServer.exe

#:19 [logwatnt.exe]
FilePath : C:\WINNT\
ProcessID : 972
ThreadCreationTime : 8-18-2005 2:55:29 PM
BasePriority : Normal


#:20 [mdm.exe]
FilePath : C:\Program Files\Common
Files\Microsoft Shared\VS7Debug\
ProcessID : 1012
ThreadCreationTime : 8-18-2005 2:55:29 PM
BasePriority : Normal
FileVersion : 7.00.9466
ProductVersion : 7.00.9466
ProductName : Microsoft® Visual Studio .NET
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : © Microsoft Corporation. All
rights reserved.
OriginalFilename : mdm.exe

#:21 [rtvscan.exe]
FilePath : C:\Program Files\NavNT\
ProcessID : 1100
ThreadCreationTime : 8-18-2005 2:55:31 PM
BasePriority : Normal
FileVersion : 8.00.01.425
ProductVersion : 8.00.01.425
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
LegalCopyright : Copyright (C) Symantec
Corporation 1991-2002

#:22 [nutsrv4.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1120
ThreadCreationTime : 8-18-2005 2:55:33 PM
BasePriority : Normal
FileVersion : 4.64.0000
ProductVersion : 4.64.0000
ProductName : NuTCRACKER 4
CompanyName : DataFocus, Inc.
FileDescription : NuTCRACKER Service
InternalName : nutsrv4
LegalCopyright : Copyright (c) 1993-2004
DataFocus, Inc.
LegalTrademarks : NuTCRACKER is a registered
trademark of DataFocus, Inc.
Comments : Built on Fri Apr 16 16:47:49 EDT
2004

#:23 [regsvc.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1164
ThreadCreationTime : 8-18-2005 2:55:34 PM
BasePriority : Normal
FileVersion : 5.00.2195.6701
ProductVersion : 5.00.2195.6701
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : REGSVC.EXE

#:24 [mstask.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1176
ThreadCreationTime : 8-18-2005 2:55:34 PM
BasePriority : Normal
FileVersion : 4.71.2195.6920
ProductVersion : 4.71.2195.6920
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright (C) Microsoft Corp. 1997
OriginalFilename : mstask.exe

#:25 [sdserv.exe]
FilePath : C:\Program Files\CA\Unicenter
Software Delivery\BIN\
ProcessID : 1188
ThreadCreationTime : 8-18-2005 2:55:35 PM
BasePriority : Normal


#:26 [winmgmt.exe]
FilePath : C:\WINNT\System32\WBEM\
ProcessID : 1292
ThreadCreationTime : 8-18-2005 2:55:36 PM
BasePriority : Normal
FileVersion : 1.50.1085.0100
ProductVersion : 1.50.1085.0100
ProductName : Windows Management Instrumentation
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
LegalCopyright : Copyright (C) Microsoft Corp.
1995-1999

#:27 [triggag.exe]
FilePath : C:\Program Files\CA\Unicenter
Software Delivery\BIN\
ProcessID : 1320
ThreadCreationTime : 8-18-2005 2:55:38 PM
BasePriority : Normal
FileVersion : 4, 0, 2107, 0
ProductVersion : 4, 0, 2107, 0
ProductName : Unicenter Software Delivery
CompanyName : Computer Associates
International, Inc.
FileDescription : TRIGGAG
InternalName : TRIGGAG
LegalCopyright : Copyright 2003
OriginalFilename : TRIGGAG.exe

#:28 [winvnc.exe]
FilePath : D:\Program Files\TightVNC\
ProcessID : 1328
ThreadCreationTime : 8-18-2005 2:55:41 PM
BasePriority : Normal
FileVersion : 1, 2, 9, 0
ProductVersion : 1, 2, 9, 0
ProductName : TightVNC Win32 Server
CompanyName : Constantin Kaplinsky
FileDescription : TightVNC Win32 Server
InternalName : WinVNC
LegalCopyright : Copyright (C) 1998-2002 [many
holders]
OriginalFilename : WinVNC.exe
Comments : Based on TridiaVNC by Tridia
Corporation

#:29 [wltrysvc.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1352
ThreadCreationTime : 8-18-2005 2:55:42 PM
BasePriority : Normal


#:30 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1368
ThreadCreationTime : 8-18-2005 2:55:42 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32
Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : svchost.exe

#:31 [bcmwltry.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1388
ThreadCreationTime : 8-18-2005 2:55:42 PM
BasePriority : Normal
FileVersion : 3.70.18.0
ProductVersion : 3.70.18.0
ProductName : BCM 802.11g Network Adapter
Wireless Network Tray Applet
CompanyName : Broadcom Corporation
FileDescription : BCM 802.11g Network Adapter
Wireless Network Tray Applet
InternalName : bcmwltry.exe
LegalCopyright : 1998-2004, Broadcom Corporation
All Rights Reserved.
OriginalFilename : bcmwltry.exe

#:32 [smsapm32.exe]
FilePath : C:\WINNT\MS\SMS\clicomp\apa\Bin\
ProcessID : 1564
ThreadCreationTime : 8-18-2005 2:55:55 PM
BasePriority : Normal
FileVersion : 2.00.1493.5147
ProductVersion : 2.00.1493.5147
ProductName : Systems Management Server
CompanyName : Microsoft Corporation
FileDescription : SMS 2.0 Client - Advertised
Programs Manager (Win32)
InternalName : SMSAPM32
LegalCopyright : Copyright (C) Microsoft
Corporation 1994-2003
OriginalFilename : SMSAPM32.EXE

#:33 [explorer.exe]
FilePath : C:\WINNT\
ProcessID : 1896
ThreadCreationTime : 8-18-2005 2:56:11 PM
BasePriority : Normal
FileVersion : 5.00.3700.6690
ProductVersion : 5.00.3700.6690
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : EXPLORER.EXE

#:34 [afdprb.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1948
ThreadCreationTime : 8-18-2005 2:56:16 PM
BasePriority : Normal
FileVersion : 1, 1, 0, 7
ProductVersion : 0, 0, 7, 0

#:35 [atiptaxx.exe]
FilePath : C:\Program Files\ATI
Technologies\ATI Control Panel\
ProcessID : 2028
ThreadCreationTime : 8-18-2005 2:56:33 PM
BasePriority : Normal
FileVersion : 6.14.10.4000
ProductVersion : 6.14.10.4000
ProductName : ATI Desktop Component
CompanyName : ATI Technologies, Inc.
FileDescription : ATI Desktop Control Panel
InternalName : Atiptaxx.exe
LegalCopyright : Copyright (C) 1998-2002 ATI
Technologies Inc.
OriginalFilename : Atiptaxx.exe

#:36 [dadapp.exe]
FilePath : C:\Program
Files\DELL\AccessDirect\
ProcessID : 2096
ThreadCreationTime : 8-18-2005 2:56:40 PM
BasePriority : Normal


#:37 [carpserv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 2124
ThreadCreationTime : 8-18-2005 2:56:46 PM
BasePriority : Normal
FileVersion : 6.00.09.00
ProductVersion : 6.00.09.00
ProductName : Conexant carpserv
CompanyName : Conexant Systems, Inc.
FileDescription : carpserv
InternalName : carpserv
LegalCopyright : Copyright© Conexant Systems, Inc.
2003
OriginalFilename : carpserv.exe

#:38 [prpcui.exe]
FilePath : C:\WINNT\system32\
ProcessID : 716
ThreadCreationTime : 8-18-2005 2:56:48 PM
BasePriority : Normal
FileVersion : 3.0.0.0
ProductVersion : 3.0.0.0
ProductName : Intel(R) SpeedStep(TM) technology
applet
CompanyName : Intel Corporation
FileDescription : Intel(R) SpeedStep(TM) technology
User Interface
InternalName : prpcui.exe
LegalCopyright : Copyright© Intel Corporation 1998-
2001
LegalTrademarks : Intel(R) SpeedStep(TM) technology
OriginalFilename : prpcui.exe
Comments : Intel SpeedStep technology Applet
v3.0

#:39 [tsap.exe]
FilePath : C:\Program Files\arau\
ProcessID : 2112
ThreadCreationTime : 8-18-2005 2:56:51 PM
BasePriority : Normal


#:40 [apoint.exe]
FilePath : C:\Program Files\Apoint\
ProcessID : 2072
ThreadCreationTime : 8-18-2005 2:56:52 PM
BasePriority : Normal
FileVersion : 5.4.101.118
ProductVersion : 5.4.101.118
ProductName : Alps Pointing-device Driver
CompanyName : Alps Electric Co., Ltd.
FileDescription : Alps Pointing-device Driver
InternalName : Alps Pointing-device Driver
LegalCopyright : Copyright (C) 1999-2003 Alps
Electric Co., Ltd.
OriginalFilename : Apoint.exe

#:41 [createcd50.exe]
FilePath : C:\Program Files\Common
Files\Adaptec Shared\CreateCD\
ProcessID : 1924
ThreadCreationTime : 8-18-2005 2:56:57 PM
BasePriority : Normal
FileVersion : 5.3.4.21
ProductVersion : 5.3.4.21
ProductName : Easy CD Creator
CompanyName : Roxio
FileDescription : Roxio Create CD
InternalName : createcd.exe
LegalCopyright : Copyright (c) 1999-2002 Roxio,
Inc.
OriginalFilename : createcd.exe

#:42 [apntex.exe]
FilePath : C:\Program Files\Apoint\
ProcessID : 2012
ThreadCreationTime : 8-18-2005 2:57:06 PM
BasePriority : Normal
FileVersion : 5.0.1.15
ProductVersion : 5.0.1.15
ProductName : Alps Pointing-device Driver for
Windows NT/2000/XP
CompanyName : Alps Electric Co., Ltd.
FileDescription : Alps Pointing-device Driver for
Windows NT/2000/XP
InternalName : Alps Pointing-device Driver for
Windows NT/2000/XP
LegalCopyright : Copyright (C) 1998-2003 Alps
Electric Co., Ltd.
OriginalFilename : ApntEx.exe

#:43 [directcd.exe]
FilePath : C:\Program Files\Roxio\Easy CD
Creator 5\DirectCD\
ProcessID : 1940
ThreadCreationTime : 8-18-2005 2:57:07 PM
BasePriority : Normal
FileVersion : 5.3.4.21
ProductVersion : 5.3.4.21
ProductName : DirectCD
CompanyName : Roxio
FileDescription : DirectCD Application
InternalName : DirectCD
LegalCopyright : Copyright (c) 2001,2002, Roxio,
Inc.
OriginalFilename : Directcd.exe

#:44 [vptray.exe]
FilePath : C:\Program Files\NavNT\
ProcessID : 1004
ThreadCreationTime : 8-18-2005 2:57:09 PM
BasePriority : Normal
FileVersion : 8.00.01.425
ProductVersion : 8.00.01.425
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
LegalCopyright : Copyright (C) Symantec
Corporation 1991-2002

#:45 [launch32.exe]
FilePath : C:\WINNT\MS\SMS\CORE\BIN\
ProcessID : 1832
ThreadCreationTime : 8-18-2005 2:57:11 PM
BasePriority : Normal
FileVersion : 2.00.1493.5116
ProductVersion : 2.00.1493.5116
ProductName : Systems Management Server
CompanyName : Microsoft Corporation
FileDescription : Systems Management Server
InternalName : LAUNCH32
LegalCopyright : Copyright (C) Microsoft
Corporation 1994-2003
OriginalFilename : LAUNCH32.EXE

#:46 [ituneshelper.exe]
FilePath : C:\Program Files\iTunes\
ProcessID : 2048
ThreadCreationTime : 8-18-2005 2:57:21 PM
BasePriority : Normal
FileVersion : 4.7.1.30
ProductVersion : 4.7.1.30
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : © 2003-2004 Apple Computer, Inc.
All Rights Reserved.
OriginalFilename : iTunesHelper.exe

#:47 [smsmon32.exe]
FilePath : C:\WINNT\MS\SMS\CLICOMP\SWDist32
\bin\
ProcessID : 2144
ThreadCreationTime : 8-18-2005 2:57:21 PM
BasePriority : Normal
FileVersion : 2.00.1493.5116
ProductVersion : 2.00.1493.5116
ProductName : Systems Management Server
CompanyName : Microsoft Corporation
FileDescription : SMS 2.0 Client - Advertised
Programs Monitor (Win32)
InternalName : SMSMON32
LegalCopyright : Copyright (C) Microsoft
Corporation 1994-2003
OriginalFilename : SMSMON32.EXE

#:48 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 732
ThreadCreationTime : 8-18-2005 2:57:23 PM
BasePriority : Normal
FileVersion : 6.5.1
ProductVersion : QuickTime 6.5.1
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2004
OriginalFilename : QTTask.exe

#:49 [sxplog32.exe]
FilePath : C:\SxpInst\
ProcessID : 2212
ThreadCreationTime : 8-18-2005 2:57:27 PM
BasePriority : Normal
FileVersion : 6.4/67
ProductVersion : 4.0 Service Pack 1
ProductName : Software Delivery
CompanyName : Computer Associates
International, Inc.
LegalCopyright : © 2003 Computer Associates
International, Inc.
Comments : Common Version Info

#:50 [ipodservice.exe]
FilePath : C:\Program Files\iPod\bin\
ProcessID : 2224
ThreadCreationTime : 8-18-2005 2:57:28 PM
BasePriority : Normal
FileVersion : 4.7.1.30
ProductVersion : 4.7.1.30
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : © 2003-2004 Apple Computer, Inc.
All Rights Reserved.
OriginalFilename : iPodService.exe

#:51 [blackice.exe]
FilePath : C:\Program Files\ISS\BlackICE\
ProcessID : 2320
ThreadCreationTime : 8-18-2005 2:57:48 PM
BasePriority : Normal
FileVersion : 3.6.46
ProductVersion : 3.6
ProductName : Internet Security Systems, Inc.
BlackICE
CompanyName : Internet Security Systems, Inc.
FileDescription : BlackICE MFC Application
InternalName : BlackICE
LegalCopyright : Copyright ¨ 1999-2003, Internet
Security Systems, Inc. All rights reserved worldwide.
LegalTrademarks : BlackICE, Internet Security
Systems, Inc.
OriginalFilename : blackice.exe
Comments : Reverse engineering prohibited by
license agreement

#:52 [cidaemon.exe]
FilePath : C:\WINNT\system32\
ProcessID : 2336
ThreadCreationTime : 8-18-2005 3:02:10 PM
BasePriority : Idle
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Indexing Service filter daemon
InternalName : cidaemon.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : cidaemon.exe

#:53 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-
Aware SE Personal\
ProcessID : 1452
ThreadCreationTime : 8-18-2005 3:05:36 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

AdRotator Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{1cfb8b32-4053-4144-
af6f-1540eec7f101}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{8eee58d5-130e-4cbd-
9c83-35a0564e1357}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{8eee58d5-130e-4cbd-
9c83-35a0564e5678}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c6906a23-4717-4e1f-
b6fd-f06ebed11357}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c6906a23-4717-4e1f-
b6fd-f06ebed15678}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{4eb7bbe8-2e15-424b-9ddb-
2cdb9516c2e3}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{4eb7bbe8-2e15-424b-9ddb-
2cdb9516b2c3}

BookedSpace Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{05080e6b-a88a-4cfd-
8c3d-9b2557670b6e}

VX2 Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUL3a5stSSChckin

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUL3a5stMotsSDay

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUP3D5om

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUB3D5om

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUs3t5icky1S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUs3t5icky2S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUs3t5icky3S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUs3t5icky4S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUE3v5nt

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUT3h5rshSBath

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUT3h5rshSysSInf

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUT3h5rshSCheckSIn

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUT3h5rshSMots

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUL3n5Title

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AU3N5a7tionSCode

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUD3s5tSSEnd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUC3u5rrentSMode

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUC3n5tFyl

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUM3o5deSSync

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUI3g5noreS

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUC1o3d5eOfSFinalAd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUT3i5m7eOfSFinalAd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUI3d5OfSInst

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUI3n5ProgSCab

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUI3n5ProgSEx

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUI3n5ProgSLstest

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUS3t5atusOfSInst

SurfSideKickBHO Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object :
software\microsoft\windows\currentversion\uninstall\surf
sidekick

SurfSideKickBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object :
software\microsoft\windows\currentversion\uninstall\surf
sidekick
Value : UninstallString

VirtualBouncer Object Recognized!
Type : RegValue
Data : 100
TAC Rating : 5
Category : Malware
Comment : "DistID"
Rootkey : HKEY_LOCAL_MACHINE
Object :
software\microsoft\cryptography\services
Value : DistID

Windows Object Recognized!
Type : RegData
Data : explorer.exe c:\winnt\nail.exe
TAC Rating : 3
Category : Vulnerability
Comment : Shell Possibly Compromised
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows
nt\currentversion\winlogon
Value : Shell
Data : explorer.exe c:\winnt\nail.exe

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 40
Objects found so far: 40


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Possible Browser Hijack attempt :
Software\Microsoft\Internet Explorer\MainSearch
Pagewebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData

Data : "http://websearch.drsnsrch.com/sidesea
rch.cgi?id="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet
Explorer\Main
Value : Search Page

Data : "http://websearch.drsnsrch.com/sidesea
rch.cgi?id="
Possible Browser Hijack attempt :
Software\Microsoft\Internet Explorer\MainSearch
Barwebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData

Data : "http://websearch.drsnsrch.com/sidesea
rch.cgi?id="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet
Explorer\Main
Value : Search Bar

Data : "http://websearch.drsnsrch.com/sidesea
rch.cgi?id="
Possible Browser Hijack attempt :
Software\Microsoft\Internet
Explorer\SearchSearchAssistantwebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData

Data : "http://websearch.drsnsrch.com/sidesea
rch.cgi?id="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet
Explorer\Search
Value : SearchAssistant

Data : "http://websearch.drsnsrch.com/sidesea
rch.cgi?id="
Possible Browser Hijack attempt :
Software\Microsoft\Internet
Explorer\SearchCustomizeSearchwebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData

Data : "http://websearch.drsnsrch.com/sidesea
rch.cgi?id="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet
Explorer\Search
Value : CustomizeSearch

Data : "http://websearch.drsnsrch.com/sidesea
rch.cgi?id="
Possible Browser Hijack attempt : S-1-5-21-1790325321-
210772826-1412238824-500\Software\Microsoft\Internet
Explorer\MainSearch Pagewebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData

Data : "http://websearch.drsnsrch.com/sidesea
rch.cgi?id="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\Software\Microsoft\Internet Explorer\Main
Value : Search Page

Data : "http://websearch.drsnsrch.com/sidesea
rch.cgi?id="
Possible Browser Hijack attempt : S-1-5-21-1790325321-
210772826-1412238824-500\Software\Microsoft\Internet
Explorer\MainSearch Barwebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData

Data : "http://websearch.drsnsrch.com/sidesea
rch.cgi?id="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\Software\Microsoft\Internet Explorer\Main
Value : Search Bar

Data : "http://websearch.drsnsrch.com/sidesea
rch.cgi?id="
Possible Browser Hijack attempt : S-1-5-21-1790325321-
210772826-1412238824-500\Software\Microsoft\Internet
Explorer\SearchURLwebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "websearch.drsnsrch.com/q.cgi?q="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\Software\Microsoft\Internet
Explorer\SearchURL
Value :
Data : "websearch.drsnsrch.com/q.cgi?q="

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-
1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-
1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
Value : DisplayName

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-
1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
Value : URLInfoAbout

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-
1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
Value : Publisher

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-
1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
Value : HelpLink

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-
1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
Value : Contact

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 13
Objects found so far: 53


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@tradedoubler[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value :
Cookie:[email protected]/
Expires : 8-13-2025 12:58:50 AM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@qsrch[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:[email protected]/
Expires : 9-17-2005 8:58:32 AM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : (e-mail address removed)[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:6
Value :
Cookie:[email protected]/
Expires : 8-18-2006 9:32:18 AM
LastSync : Hits:6
UseCount : 0
Hits : 6

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@pacificpoker[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value :
Cookie:[email protected]/
Expires : 4-12-2007 1:03:48 AM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@2o7[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:[email protected]/
Expires : 8-17-2010 10:06:38 AM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : (e-mail address removed)
[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value :
Cookie:[email protected]/
Expires : 11-23-2005 6:12:40 PM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@cgi-bin[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value :
Cookie:[email protected]/cgi-bin
Expires : 8-16-2015 9:09:20 AM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : (e-mail address removed)-sys
[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:[email protected]
sys.com/
Expires : 1-1-2038
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : (e-mail address removed)[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value :
Cookie:[email protected]/
Expires : 8-19-2005 9:05:38 AM
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@weborama[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:[email protected]/
Expires : 8-17-2010 1:22:12 AM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@trafficmp[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:11
Value :
Cookie:[email protected]/
Expires : 8-18-2006 9:46:42 AM
LastSync : Hits:11
UseCount : 0
Hits : 11

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@serving-sys[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:administrator@serving-
sys.com/
Expires : 1-1-2038
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@overstock[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:15
Value :
Cookie:[email protected]/
Expires : 2-19-2020 9:28:00 AM
LastSync : Hits:15
UseCount : 0
Hits : 15

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@zedo[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:13
Value : Cookie:[email protected]/
Expires : 8-16-2015 9:38:36 AM
LastSync : Hits:13
UseCount : 0
Hits : 13

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@realmedia[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value :
Cookie:[email protected]/
Expires : 12-31-2020 7:00:00 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 15
Objects found so far: 68



Deep scanning and examining files...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\WINNT
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 68

Disk Scan Result for C:\WINNT\system32
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 68

Disk Scan Result for C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 68


Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
18 entries scanned.
New critical objects:0
Objects found so far: 68



MRU List Object Recognized!
Location: : C:\Documents and
Settings\Administrator\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: :
software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use
microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-1790325321-210772826-
1412238824-500\software\microsoft\internet explorer
Description : last download directory used in
microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1790325321-210772826-
1412238824-500\software\microsoft\internet
explorer\typedurls
Description : list of recently entered
addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1790325321-210772826-
1412238824-500\software\microsoft\microsoft management
console\recent file list
Description : list of recent snap-ins used in
the microsoft management console


MRU List Object Recognized!
Location: : S-1-5-21-1790325321-210772826-
1412238824-500
\software\microsoft\windows\currentversion\explorer\comdlg3
2\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-1790325321-210772826-
1412238824-500
\software\microsoft\windows\currentversion\explorer\comdlg3
2\opensavemru
Description : list of recently saved files,
stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-1790325321-210772826-
1412238824-500
\software\microsoft\windows\currentversion\explorer\recentd
ocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-1790325321-210772826-
1412238824-500
\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in
start | run



Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

BargainBuddy Object Recognized!
Type : RegData
Data : no
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet
explorer\main
Value : Use Search Asst
Data : no

BargainBuddy Object Recognized!
Type : File
Data : bbchk.exe
TAC Rating : 8
Category : Malware
Comment :
Object : C:\WINNT\system32\
FileVersion : 5.101.1663.1
ProductVersion : 5.101.1663.1
ProductName : Microsoft(R) Windows NT(R)
Operating System
CompanyName : Microsoft Corporation
FileDescription : ECM ChkTrust
InternalName : CHKTRUST.EXE
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1997
OriginalFilename : CHKTRUST.EXE


VX2 Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\controlset001
\control\print\monitors\zepmon

VX2 Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object :
system\currentcontrolset\control\print\monitors\zepmon

VX2 Object Recognized!
Type : RegData
Data : explorer.exe c:\winnt\nail.exe
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows
nt\currentversion\winlogon
Value : Shell
Data : explorer.exe c:\winnt\nail.exe

VX2 Object Recognized!
Type : File
Data : vx2cleaner.dlx
TAC Rating : 10
Category : Malware
Comment : This file is placed by the VX2
Cleaner Plugin. Selecting this item for removal is for
the sole purpose of keeping the system tidy (the file is
no longer required in your Windows folder). Removing this
file does not impact the plugin.
Object : C:\WINNT\



VX2 Object Recognized!
Type : File
Data : abiuninst.htm
TAC Rating : 10
Category : Malware
Comment :
Object : C:\WINNT\



Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 7
Objects found so far: 84

10:07:30 AM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:01:43.589
Objects scanned:56313
Objects identified:75
Objects ignored:0
New critical objects:75

Frank Saunders, MS-MVP, IE/OE

Did you try restarting in Safe mode and doing it there?

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com/security/protect/


Hello all,

Like many others, I have been infected with this
VX2/Aurora calamity. After quite a few hours spent trying
to remove it on my own, I was happy to find this fix.
Alas, it does not seem to work for me.

I installed Lavasoft's AdAware (the free version,
downloaded from cnet.com) and updated it with the latest
definition files. Then I installed the VX2 cleaner plugin
downloaded from the link posted by Andy in the original
message. When I try to run the tool, it does display a
pop-up telling me a VX2 variant has been detected, but it also
says "to install Ad Aware SE will be shut down". Then if I
click the "Clean" button, Ad Aware is indeed shut down but
nothing else seems to happen. If I restart Ad Aware (with
or without manually rebooting first) and repeat the same
operation, the exact same steps occur. I never get
the "Installed, please reboot and perform a Smart Scan
with Ad-Aware." message.

Am I doing something wrong, or is the VX2 cleaner add-on
not compatible with the free version?

Thanks in advance for your response.

Since it might help, here is the log I get if I run an Ad
Aware smart scan:


Ad-Aware SE Build 1.06r1
Logfile Created on:Thursday, August 18, 2005 10:05:46 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R62 17.08.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
AdRotator(TAC index:6):1 total references
BargainBuddy(TAC index:8):8 total references
BookedSpace(TAC index:10):1 total references
MRU List(TAC index:0):9 total references
Possible Browser Hijack attempt(TAC index:3):13 total
references
SurfSideKickBHO(TAC index:7):2 total references
Tracking Cookie(TAC index:3):15 total references
Windows(TAC index:3):1 total references
VirtualBouncer(TAC index:5):1 total references
VX2(TAC index:10):33 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user
only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates
critical objects


8-18-2005 10:05:46 AM - Scan started. (Smart mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 192
ThreadCreationTime : 8-18-2005 2:54:25 PM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 212
ThreadCreationTime : 8-18-2005 2:54:53 PM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINNT\system32\
ProcessID : 264
ThreadCreationTime : 8-18-2005 2:54:55 PM
BasePriority : Normal
FileVersion : 5.00.2195.6700
ProductVersion : 5.00.2195.6700
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : services.exe

#:4 [lsass.exe]
FilePath : C:\WINNT\system32\
ProcessID : 276
ThreadCreationTime : 8-18-2005 2:54:55 PM
BasePriority : Normal
FileVersion : 5.00.2195.6902
ProductVersion : 5.00.2195.6902
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL
(Export Version)
InternalName : lsasrv.dll and lsass.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : lsasrv.dll and lsass.exe

#:5 [scardsvr.exe]
FilePath : C:\WINNT\System32\
ProcessID : 404
ThreadCreationTime : 8-18-2005 2:54:59 PM
BasePriority : Normal
FileVersion : 5.00.2195.6609
ProductVersion : 5.00.2195.6609
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Smart Card Resource Management
Server
InternalName : SCardSvr.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : SCardSvr.exe

#:6 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 504
ThreadCreationTime : 8-18-2005 2:55:01 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32
Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINNT\System32\
ProcessID : 544
ThreadCreationTime : 8-18-2005 2:55:02 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32
Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : svchost.exe

#:8 [spoolsv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 608
ThreadCreationTime : 8-18-2005 2:55:04 PM
BasePriority : Normal
FileVersion : 5.00.2195.6659
ProductVersion : 5.00.2195.6659
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : spoolss.exe

#:9 [ati2evxx.exe]
FilePath : C:\WINNT\System32\
ProcessID : 660
ThreadCreationTime : 8-18-2005 2:55:06 PM
BasePriority : Normal


#:10 [blackd.exe]
FilePath : C:\Program Files\ISS\BlackICE\
ProcessID : 684
ThreadCreationTime : 8-18-2005 2:55:06 PM
BasePriority : Normal
FileVersion : 3.6.52
ProductVersion : 3.6
ProductName : Network ICE Corporation blackd
CompanyName : Internet Security Systems, Inc.
FileDescription : blackd
InternalName : BlackICE Daemon
LegalCopyright : Copyright © 1999-2003, Internet
Security Systems, Inc. All rights reserved worldwide.
LegalTrademarks : BlackICE, Internet Security
Systems, Inc.
OriginalFilename : blackd.exe
Comments : Reverse engineering prohibited by
license agreement

#:11 [cam.exe]
FilePath : C:\PROGRA~1\CA\SHARED~1\CAM\bin\
ProcessID : 700
ThreadCreationTime : 8-18-2005 2:55:07 PM
BasePriority : Normal
FileVersion : 3.11.29.3
ProductVersion : 3.11.29.3
ProductName : Unicenter Message Queuing
CompanyName : Computer Associates
International, Inc.
FileDescription : CA Message Queuing Server
InternalName : cam
LegalCopyright : Copyright © 2002 Computer
Associates International, Inc.
OriginalFilename : cam.exe
Comments : CA Message Queuing Server

#:12 [cisvc.exe]
FilePath : C:\WINNT\system32\
ProcessID : 644
ThreadCreationTime : 8-18-2005 2:55:08 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Content Index service
InternalName : cisvc.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : cisvc.exe

#:13 [cvpnd.exe]
FilePath : C:\Program Files\Cisco
Systems\VPN Client\
ProcessID : 712
ThreadCreationTime : 8-18-2005 2:55:17 PM
BasePriority : Normal
FileVersion : 4.0.2 (B)
ProductVersion : 4.0.2 (B)
ProductName : Cisco Systems VPN Client
CompanyName : Cisco Systems, Inc.
FileDescription : Cisco Systems VPN Client
InternalName : cvpnd
LegalCopyright : Copyright © 1998-2003 Cisco
Systems, Inc.
OriginalFilename : CVPND.EXE

#:14 [cvslock.exe]
FilePath : D:\Program Files\cvsnt\
ProcessID : 836
ThreadCreationTime : 8-18-2005 2:55:20 PM
BasePriority : Normal


#:15 [cvsservice.exe]
FilePath : D:\Program Files\cvsnt\
ProcessID : 860
ThreadCreationTime : 8-18-2005 2:55:26 PM
BasePriority : Normal
FileVersion : cvsservice 2.5.01 (Travis) Build
1976
ProductVersion : cvsnt 2.5.01 (Travis) Build 1976
ProductName : cvsnt
CompanyName : March-Hare Software Ltd
FileDescription : cvsnt service
InternalName : cvsservice
LegalCopyright : Copyright (C) 2004, March-Hare
Software Ltd
OriginalFilename : cvsservice.exe
Comments : cvsnt 2.5.01 (Travis) Build 1976,
Copyright (C) 2004, March Hare Software Ltd.
Containts code Copyright (C) 2001, Free Software
Foundation, and others.
Licensed under GNU General Public License version 2.0 or
above.

#:16 [defwatch.exe]
FilePath : C:\Program Files\NavNT\
ProcessID : 884
ThreadCreationTime : 8-18-2005 2:55:26 PM
BasePriority : Normal
FileVersion : 8.00.01.425
ProductVersion : 8.00.01.425
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Virus Definition Daemon
InternalName : DefWatch
LegalCopyright : Copyright © 1998 Symantec
Corporation
OriginalFilename : DefWatch.exe

#:17 [sagent2.exe]
FilePath : C:\Program Files\Common
Files\EPSON\EBAPI\
ProcessID : 916
ThreadCreationTime : 8-18-2005 2:55:27 PM
BasePriority : Normal
FileVersion : 1, 0, 0, 0
ProductVersion : 1, 0, 0, 0
ProductName : EPSON Bidirectional Printer
CompanyName : SEIKO EPSON CORPORATION
FileDescription : EPSON Printer Status Agent
InternalName : SAgent2
LegalCopyright : Copyright (C) SEIKO EPSON CORP.
2000
OriginalFilename : SAgent2.exe

#:18 [humdisplayserver.exe]
FilePath : D:\Program
Files\Hummingbird\Connectivity\9.00\Exceed\
ProcessID : 956
ThreadCreationTime : 8-18-2005 2:55:28 PM
BasePriority : Normal
FileVersion : 9.0.0.0
ProductVersion : 9.0.0.0
ProductName : Exceed
CompanyName : Hummingbird Ltd.
FileDescription : Display Number Manager Service
for Win32
InternalName : HumDisplayServer
LegalCopyright : Copyright © 2003 Hummingbird Ltd.
All Rights Reserved.
OriginalFilename : HumDisplayServer.exe

#:19 [logwatnt.exe]
FilePath : C:\WINNT\
ProcessID : 972
ThreadCreationTime : 8-18-2005 2:55:29 PM
BasePriority : Normal


#:20 [mdm.exe]
FilePath : C:\Program Files\Common
Files\Microsoft Shared\VS7Debug\
ProcessID : 1012
ThreadCreationTime : 8-18-2005 2:55:29 PM
BasePriority : Normal
FileVersion : 7.00.9466
ProductVersion : 7.00.9466
ProductName : Microsoft® Visual Studio .NET
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : © Microsoft Corporation. All
rights reserved.
OriginalFilename : mdm.exe

#:21 [rtvscan.exe]
FilePath : C:\Program Files\NavNT\
ProcessID : 1100
ThreadCreationTime : 8-18-2005 2:55:31 PM
BasePriority : Normal
FileVersion : 8.00.01.425
ProductVersion : 8.00.01.425
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
LegalCopyright : Copyright (C) Symantec
Corporation 1991-2002

#:22 [nutsrv4.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1120
ThreadCreationTime : 8-18-2005 2:55:33 PM
BasePriority : Normal
FileVersion : 4.64.0000
ProductVersion : 4.64.0000
ProductName : NuTCRACKER 4
CompanyName : DataFocus, Inc.
FileDescription : NuTCRACKER Service
InternalName : nutsrv4
LegalCopyright : Copyright (c) 1993-2004
DataFocus, Inc.
LegalTrademarks : NuTCRACKER is a registered
trademark of DataFocus, Inc.
Comments : Built on Fri Apr 16 16:47:49 EDT
2004

#:23 [regsvc.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1164
ThreadCreationTime : 8-18-2005 2:55:34 PM
BasePriority : Normal
FileVersion : 5.00.2195.6701
ProductVersion : 5.00.2195.6701
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : REGSVC.EXE

#:24 [mstask.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1176
ThreadCreationTime : 8-18-2005 2:55:34 PM
BasePriority : Normal
FileVersion : 4.71.2195.6920
ProductVersion : 4.71.2195.6920
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright (C) Microsoft Corp. 1997
OriginalFilename : mstask.exe

#:25 [sdserv.exe]
FilePath : C:\Program Files\CA\Unicenter
Software Delivery\BIN\
ProcessID : 1188
ThreadCreationTime : 8-18-2005 2:55:35 PM
BasePriority : Normal


#:26 [winmgmt.exe]
FilePath : C:\WINNT\System32\WBEM\
ProcessID : 1292
ThreadCreationTime : 8-18-2005 2:55:36 PM
BasePriority : Normal
FileVersion : 1.50.1085.0100
ProductVersion : 1.50.1085.0100
ProductName : Windows Management Instrumentation
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
LegalCopyright : Copyright (C) Microsoft Corp.
1995-1999

#:27 [triggag.exe]
FilePath : C:\Program Files\CA\Unicenter
Software Delivery\BIN\
ProcessID : 1320
ThreadCreationTime : 8-18-2005 2:55:38 PM
BasePriority : Normal
FileVersion : 4, 0, 2107, 0
ProductVersion : 4, 0, 2107, 0
ProductName : Unicenter Software Delivery
CompanyName : Computer Associates
International, Inc.
FileDescription : TRIGGAG
InternalName : TRIGGAG
LegalCopyright : Copyright 2003
OriginalFilename : TRIGGAG.exe

#:28 [winvnc.exe]
FilePath : D:\Program Files\TightVNC\
ProcessID : 1328
ThreadCreationTime : 8-18-2005 2:55:41 PM
BasePriority : Normal
FileVersion : 1, 2, 9, 0
ProductVersion : 1, 2, 9, 0
ProductName : TightVNC Win32 Server
CompanyName : Constantin Kaplinsky
FileDescription : TightVNC Win32 Server
InternalName : WinVNC
LegalCopyright : Copyright (C) 1998-2002 [many
holders]
OriginalFilename : WinVNC.exe
Comments : Based on TridiaVNC by Tridia
Corporation

#:29 [wltrysvc.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1352
ThreadCreationTime : 8-18-2005 2:55:42 PM
BasePriority : Normal


#:30 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1368
ThreadCreationTime : 8-18-2005 2:55:42 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32
Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : svchost.exe

#:31 [bcmwltry.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1388
ThreadCreationTime : 8-18-2005 2:55:42 PM
BasePriority : Normal
FileVersion : 3.70.18.0
ProductVersion : 3.70.18.0
ProductName : BCM 802.11g Network Adapter
Wireless Network Tray Applet
CompanyName : Broadcom Corporation
FileDescription : BCM 802.11g Network Adapter
Wireless Network Tray Applet
InternalName : bcmwltry.exe
LegalCopyright : 1998-2004, Broadcom Corporation
All Rights Reserved.
OriginalFilename : bcmwltry.exe

#:32 [smsapm32.exe]
FilePath : C:\WINNT\MS\SMS\clicomp\apa\Bin\
ProcessID : 1564
ThreadCreationTime : 8-18-2005 2:55:55 PM
BasePriority : Normal
FileVersion : 2.00.1493.5147
ProductVersion : 2.00.1493.5147
ProductName : Systems Management Server
CompanyName : Microsoft Corporation
FileDescription : SMS 2.0 Client - Advertised
Programs Manager (Win32)
InternalName : SMSAPM32
LegalCopyright : Copyright (C) Microsoft
Corporation 1994-2003
OriginalFilename : SMSAPM32.EXE

#:33 [explorer.exe]
FilePath : C:\WINNT\
ProcessID : 1896
ThreadCreationTime : 8-18-2005 2:56:11 PM
BasePriority : Normal
FileVersion : 5.00.3700.6690
ProductVersion : 5.00.3700.6690
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : EXPLORER.EXE

#:34 [afdprb.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1948
ThreadCreationTime : 8-18-2005 2:56:16 PM
BasePriority : Normal
FileVersion : 1, 1, 0, 7
ProductVersion : 0, 0, 7, 0

#:35 [atiptaxx.exe]
FilePath : C:\Program Files\ATI
Technologies\ATI Control Panel\
ProcessID : 2028
ThreadCreationTime : 8-18-2005 2:56:33 PM
BasePriority : Normal
FileVersion : 6.14.10.4000
ProductVersion : 6.14.10.4000
ProductName : ATI Desktop Component
CompanyName : ATI Technologies, Inc.
FileDescription : ATI Desktop Control Panel
InternalName : Atiptaxx.exe
LegalCopyright : Copyright (C) 1998-2002 ATI
Technologies Inc.
OriginalFilename : Atiptaxx.exe

#:36 [dadapp.exe]
FilePath : C:\Program
Files\DELL\AccessDirect\
ProcessID : 2096
ThreadCreationTime : 8-18-2005 2:56:40 PM
BasePriority : Normal


#:37 [carpserv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 2124
ThreadCreationTime : 8-18-2005 2:56:46 PM
BasePriority : Normal
FileVersion : 6.00.09.00
ProductVersion : 6.00.09.00
ProductName : Conexant carpserv
CompanyName : Conexant Systems, Inc.
FileDescription : carpserv
InternalName : carpserv
LegalCopyright : Copyright© Conexant Systems, Inc.
2003
OriginalFilename : carpserv.exe

#:38 [prpcui.exe]
FilePath : C:\WINNT\system32\
ProcessID : 716
ThreadCreationTime : 8-18-2005 2:56:48 PM
BasePriority : Normal
FileVersion : 3.0.0.0
ProductVersion : 3.0.0.0
ProductName : Intel(R) SpeedStep(TM) technology
applet
CompanyName : Intel Corporation
FileDescription : Intel(R) SpeedStep(TM) technology
User Interface
InternalName : prpcui.exe
LegalCopyright : Copyright© Intel Corporation 1998-
2001
LegalTrademarks : Intel(R) SpeedStep(TM) technology
OriginalFilename : prpcui.exe
Comments : Intel SpeedStep technology Applet
v3.0

#:39 [tsap.exe]
FilePath : C:\Program Files\arau\
ProcessID : 2112
ThreadCreationTime : 8-18-2005 2:56:51 PM
BasePriority : Normal


#:40 [apoint.exe]
FilePath : C:\Program Files\Apoint\
ProcessID : 2072
ThreadCreationTime : 8-18-2005 2:56:52 PM
BasePriority : Normal
FileVersion : 5.4.101.118
ProductVersion : 5.4.101.118
ProductName : Alps Pointing-device Driver
CompanyName : Alps Electric Co., Ltd.
FileDescription : Alps Pointing-device Driver
InternalName : Alps Pointing-device Driver
LegalCopyright : Copyright (C) 1999-2003 Alps
Electric Co., Ltd.
OriginalFilename : Apoint.exe

#:41 [createcd50.exe]
FilePath : C:\Program Files\Common
Files\Adaptec Shared\CreateCD\
ProcessID : 1924
ThreadCreationTime : 8-18-2005 2:56:57 PM
BasePriority : Normal
FileVersion : 5.3.4.21
ProductVersion : 5.3.4.21
ProductName : Easy CD Creator
CompanyName : Roxio
FileDescription : Roxio Create CD
InternalName : createcd.exe
LegalCopyright : Copyright (c) 1999-2002 Roxio,
Inc.
OriginalFilename : createcd.exe

#:42 [apntex.exe]
FilePath : C:\Program Files\Apoint\
ProcessID : 2012
ThreadCreationTime : 8-18-2005 2:57:06 PM
BasePriority : Normal
FileVersion : 5.0.1.15
ProductVersion : 5.0.1.15
ProductName : Alps Pointing-device Driver for
Windows NT/2000/XP
CompanyName : Alps Electric Co., Ltd.
FileDescription : Alps Pointing-device Driver for
Windows NT/2000/XP
InternalName : Alps Pointing-device Driver for
Windows NT/2000/XP
LegalCopyright : Copyright (C) 1998-2003 Alps
Electric Co., Ltd.
OriginalFilename : ApntEx.exe

#:43 [directcd.exe]
FilePath : C:\Program Files\Roxio\Easy CD
Creator 5\DirectCD\
ProcessID : 1940
ThreadCreationTime : 8-18-2005 2:57:07 PM
BasePriority : Normal
FileVersion : 5.3.4.21
ProductVersion : 5.3.4.21
ProductName : DirectCD
CompanyName : Roxio
FileDescription : DirectCD Application
InternalName : DirectCD
LegalCopyright : Copyright (c) 2001,2002, Roxio,
Inc.
OriginalFilename : Directcd.exe

#:44 [vptray.exe]
FilePath : C:\Program Files\NavNT\
ProcessID : 1004
ThreadCreationTime : 8-18-2005 2:57:09 PM
BasePriority : Normal
FileVersion : 8.00.01.425
ProductVersion : 8.00.01.425
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
LegalCopyright : Copyright (C) Symantec
Corporation 1991-2002

#:45 [launch32.exe]
FilePath : C:\WINNT\MS\SMS\CORE\BIN\
ProcessID : 1832
ThreadCreationTime : 8-18-2005 2:57:11 PM
BasePriority : Normal
FileVersion : 2.00.1493.5116
ProductVersion : 2.00.1493.5116
ProductName : Systems Management Server
CompanyName : Microsoft Corporation
FileDescription : Systems Management Server
InternalName : LAUNCH32
LegalCopyright : Copyright (C) Microsoft
Corporation 1994-2003
OriginalFilename : LAUNCH32.EXE

#:46 [ituneshelper.exe]
FilePath : C:\Program Files\iTunes\
ProcessID : 2048
ThreadCreationTime : 8-18-2005 2:57:21 PM
BasePriority : Normal
FileVersion : 4.7.1.30
ProductVersion : 4.7.1.30
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : © 2003-2004 Apple Computer, Inc.
All Rights Reserved.
OriginalFilename : iTunesHelper.exe

#:47 [smsmon32.exe]
FilePath : C:\WINNT\MS\SMS\CLICOMP\SWDist32
\bin\
ProcessID : 2144
ThreadCreationTime : 8-18-2005 2:57:21 PM
BasePriority : Normal
FileVersion : 2.00.1493.5116
ProductVersion : 2.00.1493.5116
ProductName : Systems Management Server
CompanyName : Microsoft Corporation
FileDescription : SMS 2.0 Client - Advertised
Programs Monitor (Win32)
InternalName : SMSMON32
LegalCopyright : Copyright (C) Microsoft
Corporation 1994-2003
OriginalFilename : SMSMON32.EXE

#:48 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 732
ThreadCreationTime : 8-18-2005 2:57:23 PM
BasePriority : Normal
FileVersion : 6.5.1
ProductVersion : QuickTime 6.5.1
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2004
OriginalFilename : QTTask.exe

#:49 [sxplog32.exe]
FilePath : C:\SxpInst\
ProcessID : 2212
ThreadCreationTime : 8-18-2005 2:57:27 PM
BasePriority : Normal
FileVersion : 6.4/67
ProductVersion : 4.0 Service Pack 1
ProductName : Software Delivery
CompanyName : Computer Associates
International, Inc.
LegalCopyright : © 2003 Computer Associates
International, Inc.
Comments : Common Version Info

#:50 [ipodservice.exe]
FilePath : C:\Program Files\iPod\bin\
ProcessID : 2224
ThreadCreationTime : 8-18-2005 2:57:28 PM
BasePriority : Normal
FileVersion : 4.7.1.30
ProductVersion : 4.7.1.30
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : © 2003-2004 Apple Computer, Inc.
All Rights Reserved.
OriginalFilename : iPodService.exe

#:51 [blackice.exe]
FilePath : C:\Program Files\ISS\BlackICE\
ProcessID : 2320
ThreadCreationTime : 8-18-2005 2:57:48 PM
BasePriority : Normal
FileVersion : 3.6.46
ProductVersion : 3.6
ProductName : Internet Security Systems, Inc.
BlackICE
CompanyName : Internet Security Systems, Inc.
FileDescription : BlackICE MFC Application
InternalName : BlackICE
LegalCopyright : Copyright © 1999-2003, Internet
Security Systems, Inc. All rights reserved worldwide.
LegalTrademarks : BlackICE, Internet Security
Systems, Inc.
OriginalFilename : blackice.exe
Comments : Reverse engineering prohibited by
license agreement

#:52 [cidaemon.exe]
FilePath : C:\WINNT\system32\
ProcessID : 2336
ThreadCreationTime : 8-18-2005 3:02:10 PM
BasePriority : Idle
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Indexing Service filter daemon
InternalName : cidaemon.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : cidaemon.exe

#:53 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-
Aware SE Personal\
ProcessID : 1452
ThreadCreationTime : 8-18-2005 3:05:36 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

AdRotator Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{1cfb8b32-4053-4144-
af6f-1540eec7f101}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{8eee58d5-130e-4cbd-
9c83-35a0564e1357}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{8eee58d5-130e-4cbd-
9c83-35a0564e5678}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c6906a23-4717-4e1f-
b6fd-f06ebed11357}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c6906a23-4717-4e1f-
b6fd-f06ebed15678}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{4eb7bbe8-2e15-424b-9ddb-
2cdb9516c2e3}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{4eb7bbe8-2e15-424b-9ddb-
2cdb9516b2c3}

BookedSpace Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{05080e6b-a88a-4cfd-
8c3d-9b2557670b6e}

VX2 Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUL3a5stSSChckin

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUL3a5stMotsSDay

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUP3D5om

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUB3D5om

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUs3t5icky1S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUs3t5icky2S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUs3t5icky3S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUs3t5icky4S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUE3v5nt

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUT3h5rshSBath

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUT3h5rshSysSInf

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUT3h5rshSCheckSIn

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUT3h5rshSMots

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUL3n5Title

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AU3N5a7tionSCode

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUD3s5tSSEnd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUC3u5rrentSMode

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUC3n5tFyl

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUM3o5deSSync

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUI3g5noreS

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUC1o3d5eOfSFinalAd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUT3i5m7eOfSFinalAd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUI3d5OfSInst

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUI3n5ProgSCab

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUI3n5ProgSEx

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUI3n5ProgSLstest

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUS3t5atusOfSInst

SurfSideKickBHO Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object :
software\microsoft\windows\currentversion\uninstall\surfsidekick

SurfSideKickBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object :
software\microsoft\windows\currentversion\uninstall\surfsidekick
Value : UninstallString

VirtualBouncer Object Recognized!
Type : RegValue
Data : 100
TAC Rating : 5
Category : Malware
Comment : "DistID"
Rootkey : HKEY_LOCAL_MACHINE
Object :
software\microsoft\cryptography\services
Value : DistID

Windows Object Recognized!
Type : RegData
Data : explorer.exe c:\winnt\nail.exe
TAC Rating : 3
Category : Vulnerability
Comment : Shell Possibly Compromised
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows
nt\currentversion\winlogon
Value : Shell
Data : explorer.exe c:\winnt\nail.exe

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 40
Objects found so far: 40


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Possible Browser Hijack attempt :
Software\Microsoft\Internet Explorer\Main
Search Page  websearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://websearch.drsnsrch.com/sidesearch.cgi?id="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "http://websearch.drsnsrch.com/sidesearch.cgi?id="

Possible Browser Hijack attempt :
Software\Microsoft\Internet Explorer\Main
Search Bar  websearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://websearch.drsnsrch.com/sidesearch.cgi?id="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : "http://websearch.drsnsrch.com/sidesearch.cgi?id="

Possible Browser Hijack attempt :
Software\Microsoft\Internet Explorer\Search
SearchAssistant  websearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://websearch.drsnsrch.com/sidesearch.cgi?id="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant
Data : "http://websearch.drsnsrch.com/sidesearch.cgi?id="

Possible Browser Hijack attempt :
Software\Microsoft\Internet Explorer\Search
CustomizeSearch  websearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://websearch.drsnsrch.com/sidesearch.cgi?id="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Search
Value : CustomizeSearch
Data : "http://websearch.drsnsrch.com/sidesearch.cgi?id="

Possible Browser Hijack attempt : S-1-5-21-1790325321-
210772826-1412238824-500\Software\Microsoft\Internet
Explorer\Main
Search Page  websearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://websearch.drsnsrch.com/sidesearch.cgi?id="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "http://websearch.drsnsrch.com/sidesearch.cgi?id="

Possible Browser Hijack attempt : S-1-5-21-1790325321-
210772826-1412238824-500\Software\Microsoft\Internet
Explorer\Main
Search Bar  websearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://websearch.drsnsrch.com/sidesearch.cgi?id="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : "http://websearch.drsnsrch.com/sidesearch.cgi?id="

Possible Browser Hijack attempt : S-1-5-21-1790325321-
210772826-1412238824-500\Software\Microsoft\Internet
Explorer\SearchURL
websearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "websearch.drsnsrch.com/q.cgi?q="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\Software\Microsoft\Internet
Explorer\SearchURL
Value :
Data : "websearch.drsnsrch.com/q.cgi?q="

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-
1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-
1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
Value : DisplayName

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-
1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
Value : URLInfoAbout

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-
1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
Value : Publisher

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-
1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
Value : HelpLink

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-
1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
Value : Contact

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 13
Objects found so far: 53


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@tradedoubler[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value :
Cookie:[email protected]/
Expires : 8-13-2025 12:58:50 AM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@qsrch[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:[email protected]/
Expires : 9-17-2005 8:58:32 AM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : (e-mail address removed)[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:6
Value :
Cookie:[email protected]/
Expires : 8-18-2006 9:32:18 AM
LastSync : Hits:6
UseCount : 0
Hits : 6

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@pacificpoker[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value :
Cookie:[email protected]/
Expires : 4-12-2007 1:03:48 AM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@2o7[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:[email protected]/
Expires : 8-17-2010 10:06:38 AM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : (e-mail address removed)
[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value :
Cookie:[email protected]/
Expires : 11-23-2005 6:12:40 PM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@cgi-bin[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value :
Cookie:[email protected]/cgi-bin
Expires : 8-16-2015 9:09:20 AM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : (e-mail address removed)-sys
[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:[email protected]
sys.com/
Expires : 1-1-2038
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : (e-mail address removed)[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value :
Cookie:[email protected]/
Expires : 8-19-2005 9:05:38 AM
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@weborama[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:[email protected]/
Expires : 8-17-2010 1:22:12 AM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@trafficmp[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:11
Value :
Cookie:[email protected]/
Expires : 8-18-2006 9:46:42 AM
LastSync : Hits:11
UseCount : 0
Hits : 11

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@serving-sys[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:administrator@serving-
sys.com/
Expires : 1-1-2038
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@overstock[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:15
Value :
Cookie:[email protected]/
Expires : 2-19-2020 9:28:00 AM
LastSync : Hits:15
UseCount : 0
Hits : 15

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@zedo[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:13
Value : Cookie:[email protected]/
Expires : 8-16-2015 9:38:36 AM
LastSync : Hits:13
UseCount : 0
Hits : 13

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@realmedia[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value :
Cookie:[email protected]/
Expires : 12-31-2020 7:00:00 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 15
Objects found so far: 68



Deep scanning and examining files...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\WINNT
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 68

Disk Scan Result for C:\WINNT\system32
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 68

Disk Scan Result for C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 68


Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
18 entries scanned.
New critical objects:0
Objects found so far: 68



MRU List Object Recognized!
Location: : C:\Documents and
Settings\Administrator\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: :
software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use
microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-1790325321-210772826-
1412238824-500\software\microsoft\internet explorer
Description : last download directory used in
microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1790325321-210772826-
1412238824-500\software\microsoft\internet
explorer\typedurls
Description : list of recently entered
addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1790325321-210772826-
1412238824-500\software\microsoft\microsoft management
console\recent file list
Description : list of recent snap-ins used in
the microsoft management console


MRU List Object Recognized!
Location: : S-1-5-21-1790325321-210772826-
1412238824-500
\software\microsoft\windows\currentversion\explorer\comdlg3
2\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-1790325321-210772826-
1412238824-500
\software\microsoft\windows\currentversion\explorer\comdlg3
2\opensavemru
Description : list of recently saved files,
stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-1790325321-210772826-
1412238824-500
\software\microsoft\windows\currentversion\explorer\recentd
ocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-1790325321-210772826-
1412238824-500
\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in
start | run



Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

BargainBuddy Object Recognized!
Type : RegData
Data : no
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet
explorer\main
Value : Use Search Asst
Data : no

BargainBuddy Object Recognized!
Type : File
Data : bbchk.exe
TAC Rating : 8
Category : Malware
Comment :
Object : C:\WINNT\system32\
FileVersion : 5.101.1663.1
ProductVersion : 5.101.1663.1
ProductName : Microsoft(R) Windows NT(R)
Operating System
CompanyName : Microsoft Corporation
FileDescription : ECM ChkTrust
InternalName : CHKTRUST.EXE
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1997
OriginalFilename : CHKTRUST.EXE


VX2 Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\controlset001
\control\print\monitors\zepmon

VX2 Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object :
system\currentcontrolset\control\print\monitors\zepmon

VX2 Object Recognized!
Type : RegData
Data : explorer.exe c:\winnt\nail.exe
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows
nt\currentversion\winlogon
Value : Shell
Data : explorer.exe c:\winnt\nail.exe

VX2 Object Recognized!
Type : File
Data : vx2cleaner.dlx
TAC Rating : 10
Category : Malware
Comment : This file is placed by the VX2
Cleaner Plugin. Selecting this item for removal is for
the sole purpose of keeping the system tidy (the file is
no longer required in your Windows folder). Removing this
file does not impact the plugin.
Object : C:\WINNT\



VX2 Object Recognized!
Type : File
Data : abiuninst.htm
TAC Rating : 10
Category : Malware
Comment :
Object : C:\WINNT\



Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 7
Objects found so far: 84

10:07:30 AM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:01:43.589
Objects scanned:56313
Objects identified:75
Objects ignored:0
New critical objects:75

Guest

No, I haven't. I will do that tonight. In the meantime,
any other suggestion?
-----Original Message-----
Did you try restarting in Safe mode and doing it there?

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com/security/protect/


Hello all,

Like many others, I have been infected with this
VX2/Aurora calamity. After quite a few hours spent trying
to remove it on my own, I was happy to find this fix.
Alas, it does not seem to work for me.

I installed Lavasoft's AdAware (the free version,
downloaded from cnet.com) and updated it with the latest
definition files. Then I installed the VX2 cleaner plugin
downloaded from the link posted by Andy in the original
message. When I try to run the tool, it does display a pop-up
telling me a VX2 variant has been detected, but it also
says "to install Ad Aware SE will be shut down". Then if I
click the "Clean" button, Ad Aware is indeed shut down but
nothing else seems to happen. If I restart Ad Aware (with
or without manually rebooting first) and repeat the same
operation, the exact same steps occur. I never get
the "Installed, please reboot and perform a Smart Scan
with Ad-Aware." message.

Am I doing something wrong? Or is the VX2 cleaner add-on
not compatible with the free version?

Thanks in advance for your response.

Since it might help, here is the log I get if I run an Ad
Aware smart scan:


Ad-Aware SE Build 1.06r1
Logfile Created on:Thursday, August 18, 2005 10:05:46 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R62 17.08.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
AdRotator(TAC index:6):1 total references
BargainBuddy(TAC index:8):8 total references
BookedSpace(TAC index:10):1 total references
MRU List(TAC index:0):9 total references
Possible Browser Hijack attempt(TAC index:3):13 total
references
SurfSideKickBHO(TAC index:7):2 total references
Tracking Cookie(TAC index:3):15 total references
Windows(TAC index:3):1 total references
VirtualBouncer(TAC index:5):1 total references
VX2(TAC index:10):33 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user
only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates
critical objects


8-18-2005 10:05:46 AM - Scan started. (Smart mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 192
ThreadCreationTime : 8-18-2005 2:54:25 PM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 212
ThreadCreationTime : 8-18-2005 2:54:53 PM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINNT\system32\
ProcessID : 264
ThreadCreationTime : 8-18-2005 2:54:55 PM
BasePriority : Normal
FileVersion : 5.00.2195.6700
ProductVersion : 5.00.2195.6700
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : services.exe

#:4 [lsass.exe]
FilePath : C:\WINNT\system32\
ProcessID : 276
ThreadCreationTime : 8-18-2005 2:54:55 PM
BasePriority : Normal
FileVersion : 5.00.2195.6902
ProductVersion : 5.00.2195.6902
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL
(Export Version)
InternalName : lsasrv.dll and lsass.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : lsasrv.dll and lsass.exe

#:5 [scardsvr.exe]
FilePath : C:\WINNT\System32\
ProcessID : 404
ThreadCreationTime : 8-18-2005 2:54:59 PM
BasePriority : Normal
FileVersion : 5.00.2195.6609
ProductVersion : 5.00.2195.6609
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Smart Card Resource Management
Server
InternalName : SCardSvr.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : SCardSvr.exe

#:6 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 504
ThreadCreationTime : 8-18-2005 2:55:01 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32
Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINNT\System32\
ProcessID : 544
ThreadCreationTime : 8-18-2005 2:55:02 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32
Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : svchost.exe

#:8 [spoolsv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 608
ThreadCreationTime : 8-18-2005 2:55:04 PM
BasePriority : Normal
FileVersion : 5.00.2195.6659
ProductVersion : 5.00.2195.6659
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : spoolss.exe

#:9 [ati2evxx.exe]
FilePath : C:\WINNT\System32\
ProcessID : 660
ThreadCreationTime : 8-18-2005 2:55:06 PM
BasePriority : Normal


#:10 [blackd.exe]
FilePath : C:\Program Files\ISS\BlackICE\
ProcessID : 684
ThreadCreationTime : 8-18-2005 2:55:06 PM
BasePriority : Normal
FileVersion : 3.6.52
ProductVersion : 3.6
ProductName : Network ICE Corporation blackd
CompanyName : Internet Security Systems, Inc.
FileDescription : blackd
InternalName : BlackICE Daemon
LegalCopyright : Copyright ¨ 1999-2003, Internet
Security Systems, Inc. All rights reserved worldwide.
LegalTrademarks : BlackICE, Internet Security
Systems, Inc.
OriginalFilename : blackd.exe
Comments : Reverse engineering prohibited by
license agreement

#:11 [cam.exe]
FilePath : C:\PROGRA~1\CA\SHARED~1\CAM\bin\
ProcessID : 700
ThreadCreationTime : 8-18-2005 2:55:07 PM
BasePriority : Normal
FileVersion : 3.11.29.3
ProductVersion : 3.11.29.3
ProductName : Unicenter Message Queuing
CompanyName : Computer Associates
International, Inc.
FileDescription : CA Message Queuing Server
InternalName : cam
LegalCopyright : Copyright © 2002 Computer
Associates International, Inc.
OriginalFilename : cam.exe
Comments : CA Message Queuing Server

#:12 [cisvc.exe]
FilePath : C:\WINNT\system32\
ProcessID : 644
ThreadCreationTime : 8-18-2005 2:55:08 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Content Index service
InternalName : cisvc.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : cisvc.exe

#:13 [cvpnd.exe]
FilePath : C:\Program Files\Cisco
Systems\VPN Client\
ProcessID : 712
ThreadCreationTime : 8-18-2005 2:55:17 PM
BasePriority : Normal
FileVersion : 4.0.2 (B)
ProductVersion : 4.0.2 (B)
ProductName : Cisco Systems VPN Client
CompanyName : Cisco Systems, Inc.
FileDescription : Cisco Systems VPN Client
InternalName : cvpnd
LegalCopyright : Copyright © 1998-2003 Cisco
Systems, Inc.
OriginalFilename : CVPND.EXE

#:14 [cvslock.exe]
FilePath : D:\Program Files\cvsnt\
ProcessID : 836
ThreadCreationTime : 8-18-2005 2:55:20 PM
BasePriority : Normal


#:15 [cvsservice.exe]
FilePath : D:\Program Files\cvsnt\
ProcessID : 860
ThreadCreationTime : 8-18-2005 2:55:26 PM
BasePriority : Normal
FileVersion : cvsservice 2.5.01 (Travis) Build
1976
ProductVersion : cvsnt 2.5.01 (Travis) Build 1976
ProductName : cvsnt
CompanyName : March-Hare Software Ltd
FileDescription : cvsnt service
InternalName : cvsservice
LegalCopyright : Copyright (C) 2004, March-Hare
Software Ltd
OriginalFilename : cvsservice.exe
Comments : cvsnt 2.5.01 (Travis) Build 1976,
Copyright (C) 2004, March Hare Software Ltd.
Containts code Copyright (C) 2001, Free Software
Foundation, and others.
Licensed under GNU General Public License version 2.0 or
above.

#:16 [defwatch.exe]
FilePath : C:\Program Files\NavNT\
ProcessID : 884
ThreadCreationTime : 8-18-2005 2:55:26 PM
BasePriority : Normal
FileVersion : 8.00.01.425
ProductVersion : 8.00.01.425
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Virus Definition Daemon
InternalName : DefWatch
LegalCopyright : Copyright © 1998 Symantec
Corporation
OriginalFilename : DefWatch.exe

#:17 [sagent2.exe]
FilePath : C:\Program Files\Common
Files\EPSON\EBAPI\
ProcessID : 916
ThreadCreationTime : 8-18-2005 2:55:27 PM
BasePriority : Normal
FileVersion : 1, 0, 0, 0
ProductVersion : 1, 0, 0, 0
ProductName : EPSON Bidirectional Printer
CompanyName : SEIKO EPSON CORPORATION
FileDescription : EPSON Printer Status Agent
InternalName : SAgent2
LegalCopyright : Copyright (C) SEIKO EPSON CORP.
2000
OriginalFilename : SAgent2.exe

#:18 [humdisplayserver.exe]
FilePath : D:\Program
Files\Hummingbird\Connectivity\9.00\Exceed\
ProcessID : 956
ThreadCreationTime : 8-18-2005 2:55:28 PM
BasePriority : Normal
FileVersion : 9.0.0.0
ProductVersion : 9.0.0.0
ProductName : Exceed
CompanyName : Hummingbird Ltd.
FileDescription : Display Number Manager Service
for Win32
InternalName : HumDisplayServer
LegalCopyright : Copyright © 2003 Hummingbird Ltd.
All Rights Reserved.
OriginalFilename : HumDisplayServer.exe

#:19 [logwatnt.exe]
FilePath : C:\WINNT\
ProcessID : 972
ThreadCreationTime : 8-18-2005 2:55:29 PM
BasePriority : Normal


#:20 [mdm.exe]
FilePath : C:\Program Files\Common
Files\Microsoft Shared\VS7Debug\
ProcessID : 1012
ThreadCreationTime : 8-18-2005 2:55:29 PM
BasePriority : Normal
FileVersion : 7.00.9466
ProductVersion : 7.00.9466
ProductName : Microsoft® Visual Studio .NET
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : © Microsoft Corporation. All
rights reserved.
OriginalFilename : mdm.exe

#:21 [rtvscan.exe]
FilePath : C:\Program Files\NavNT\
ProcessID : 1100
ThreadCreationTime : 8-18-2005 2:55:31 PM
BasePriority : Normal
FileVersion : 8.00.01.425
ProductVersion : 8.00.01.425
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
LegalCopyright : Copyright (C) Symantec
Corporation 1991-2002

#:22 [nutsrv4.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1120
ThreadCreationTime : 8-18-2005 2:55:33 PM
BasePriority : Normal
FileVersion : 4.64.0000
ProductVersion : 4.64.0000
ProductName : NuTCRACKER 4
CompanyName : DataFocus, Inc.
FileDescription : NuTCRACKER Service
InternalName : nutsrv4
LegalCopyright : Copyright (c) 1993-2004
DataFocus, Inc.
LegalTrademarks : NuTCRACKER is a registered
trademark of DataFocus, Inc.
Comments : Built on Fri Apr 16 16:47:49 EDT
2004

#:23 [regsvc.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1164
ThreadCreationTime : 8-18-2005 2:55:34 PM
BasePriority : Normal
FileVersion : 5.00.2195.6701
ProductVersion : 5.00.2195.6701
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : REGSVC.EXE

#:24 [mstask.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1176
ThreadCreationTime : 8-18-2005 2:55:34 PM
BasePriority : Normal
FileVersion : 4.71.2195.6920
ProductVersion : 4.71.2195.6920
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright (C) Microsoft Corp. 1997
OriginalFilename : mstask.exe

#:25 [sdserv.exe]
FilePath : C:\Program Files\CA\Unicenter
Software Delivery\BIN\
ProcessID : 1188
ThreadCreationTime : 8-18-2005 2:55:35 PM
BasePriority : Normal


#:26 [winmgmt.exe]
FilePath : C:\WINNT\System32\WBEM\
ProcessID : 1292
ThreadCreationTime : 8-18-2005 2:55:36 PM
BasePriority : Normal
FileVersion : 1.50.1085.0100
ProductVersion : 1.50.1085.0100
ProductName : Windows Management Instrumentation
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
LegalCopyright : Copyright (C) Microsoft Corp.
1995-1999

#:27 [triggag.exe]
FilePath : C:\Program Files\CA\Unicenter
Software Delivery\BIN\
ProcessID : 1320
ThreadCreationTime : 8-18-2005 2:55:38 PM
BasePriority : Normal
FileVersion : 4, 0, 2107, 0
ProductVersion : 4, 0, 2107, 0
ProductName : Unicenter Software Delivery
CompanyName : Computer Associates
International, Inc.
FileDescription : TRIGGAG
InternalName : TRIGGAG
LegalCopyright : Copyright 2003
OriginalFilename : TRIGGAG.exe

#:28 [winvnc.exe]
FilePath : D:\Program Files\TightVNC\
ProcessID : 1328
ThreadCreationTime : 8-18-2005 2:55:41 PM
BasePriority : Normal
FileVersion : 1, 2, 9, 0
ProductVersion : 1, 2, 9, 0
ProductName : TightVNC Win32 Server
CompanyName : Constantin Kaplinsky
FileDescription : TightVNC Win32 Server
InternalName : WinVNC
LegalCopyright : Copyright (C) 1998-2002 [many
holders]
OriginalFilename : WinVNC.exe
Comments : Based on TridiaVNC by Tridia
Corporation

#:29 [wltrysvc.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1352
ThreadCreationTime : 8-18-2005 2:55:42 PM
BasePriority : Normal


#:30 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1368
ThreadCreationTime : 8-18-2005 2:55:42 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32
Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : svchost.exe

#:31 [bcmwltry.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1388
ThreadCreationTime : 8-18-2005 2:55:42 PM
BasePriority : Normal
FileVersion : 3.70.18.0
ProductVersion : 3.70.18.0
ProductName : BCM 802.11g Network Adapter
Wireless Network Tray Applet
CompanyName : Broadcom Corporation
FileDescription : BCM 802.11g Network Adapter
Wireless Network Tray Applet
InternalName : bcmwltry.exe
LegalCopyright : 1998-2004, Broadcom Corporation
All Rights Reserved.
OriginalFilename : bcmwltry.exe

#:32 [smsapm32.exe]
FilePath : C:\WINNT\MS\SMS\clicomp\apa\Bin\
ProcessID : 1564
ThreadCreationTime : 8-18-2005 2:55:55 PM
BasePriority : Normal
FileVersion : 2.00.1493.5147
ProductVersion : 2.00.1493.5147
ProductName : Systems Management Server
CompanyName : Microsoft Corporation
FileDescription : SMS 2.0 Client - Advertised
Programs Manager (Win32)
InternalName : SMSAPM32
LegalCopyright : Copyright (C) Microsoft
Corporation 1994-2003
OriginalFilename : SMSAPM32.EXE

#:33 [explorer.exe]
FilePath : C:\WINNT\
ProcessID : 1896
ThreadCreationTime : 8-18-2005 2:56:11 PM
BasePriority : Normal
FileVersion : 5.00.3700.6690
ProductVersion : 5.00.3700.6690
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : EXPLORER.EXE

#:34 [afdprb.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1948
ThreadCreationTime : 8-18-2005 2:56:16 PM
BasePriority : Normal
FileVersion : 1, 1, 0, 7
ProductVersion : 0, 0, 7, 0

#:35 [atiptaxx.exe]
FilePath : C:\Program Files\ATI
Technologies\ATI Control Panel\
ProcessID : 2028
ThreadCreationTime : 8-18-2005 2:56:33 PM
BasePriority : Normal
FileVersion : 6.14.10.4000
ProductVersion : 6.14.10.4000
ProductName : ATI Desktop Component
CompanyName : ATI Technologies, Inc.
FileDescription : ATI Desktop Control Panel
InternalName : Atiptaxx.exe
LegalCopyright : Copyright (C) 1998-2002 ATI
Technologies Inc.
OriginalFilename : Atiptaxx.exe

#:36 [dadapp.exe]
FilePath : C:\Program
Files\DELL\AccessDirect\
ProcessID : 2096
ThreadCreationTime : 8-18-2005 2:56:40 PM
BasePriority : Normal


#:37 [carpserv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 2124
ThreadCreationTime : 8-18-2005 2:56:46 PM
BasePriority : Normal
FileVersion : 6.00.09.00
ProductVersion : 6.00.09.00
ProductName : Conexant carpserv
CompanyName : Conexant Systems, Inc.
FileDescription : carpserv
InternalName : carpserv
LegalCopyright : Copyright© Conexant Systems, Inc.
2003
OriginalFilename : carpserv.exe

#:38 [prpcui.exe]
FilePath : C:\WINNT\system32\
ProcessID : 716
ThreadCreationTime : 8-18-2005 2:56:48 PM
BasePriority : Normal
FileVersion : 3.0.0.0
ProductVersion : 3.0.0.0
ProductName : Intel(R) SpeedStep(TM) technology
applet
CompanyName : Intel Corporation
FileDescription : Intel(R) SpeedStep(TM) technology
User Interface
InternalName : prpcui.exe
LegalCopyright : Copyright© Intel Corporation 1998-
2001
LegalTrademarks : Intel(R) SpeedStep(TM) technology
OriginalFilename : prpcui.exe
Comments : Intel SpeedStep technology Applet
v3.0

#:39 [tsap.exe]
FilePath : C:\Program Files\arau\
ProcessID : 2112
ThreadCreationTime : 8-18-2005 2:56:51 PM
BasePriority : Normal


#:40 [apoint.exe]
FilePath : C:\Program Files\Apoint\
ProcessID : 2072
ThreadCreationTime : 8-18-2005 2:56:52 PM
BasePriority : Normal
FileVersion : 5.4.101.118
ProductVersion : 5.4.101.118
ProductName : Alps Pointing-device Driver
CompanyName : Alps Electric Co., Ltd.
FileDescription : Alps Pointing-device Driver
InternalName : Alps Pointing-device Driver
LegalCopyright : Copyright (C) 1999-2003 Alps
Electric Co., Ltd.
OriginalFilename : Apoint.exe

#:41 [createcd50.exe]
FilePath : C:\Program Files\Common
Files\Adaptec Shared\CreateCD\
ProcessID : 1924
ThreadCreationTime : 8-18-2005 2:56:57 PM
BasePriority : Normal
FileVersion : 5.3.4.21
ProductVersion : 5.3.4.21
ProductName : Easy CD Creator
CompanyName : Roxio
FileDescription : Roxio Create CD
InternalName : createcd.exe
LegalCopyright : Copyright (c) 1999-2002 Roxio,
Inc.
OriginalFilename : createcd.exe

#:42 [apntex.exe]
FilePath : C:\Program Files\Apoint\
ProcessID : 2012
ThreadCreationTime : 8-18-2005 2:57:06 PM
BasePriority : Normal
FileVersion : 5.0.1.15
ProductVersion : 5.0.1.15
ProductName : Alps Pointing-device Driver for
Windows NT/2000/XP
CompanyName : Alps Electric Co., Ltd.
FileDescription : Alps Pointing-device Driver for
Windows NT/2000/XP
InternalName : Alps Pointing-device Driver for
Windows NT/2000/XP
LegalCopyright : Copyright (C) 1998-2003 Alps
Electric Co., Ltd.
OriginalFilename : ApntEx.exe

#:43 [directcd.exe]
FilePath : C:\Program Files\Roxio\Easy CD
Creator 5\DirectCD\
ProcessID : 1940
ThreadCreationTime : 8-18-2005 2:57:07 PM
BasePriority : Normal
FileVersion : 5.3.4.21
ProductVersion : 5.3.4.21
ProductName : DirectCD
CompanyName : Roxio
FileDescription : DirectCD Application
InternalName : DirectCD
LegalCopyright : Copyright (c) 2001,2002, Roxio,
Inc.
OriginalFilename : Directcd.exe

#:44 [vptray.exe]
FilePath : C:\Program Files\NavNT\
ProcessID : 1004
ThreadCreationTime : 8-18-2005 2:57:09 PM
BasePriority : Normal
FileVersion : 8.00.01.425
ProductVersion : 8.00.01.425
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
LegalCopyright : Copyright (C) Symantec
Corporation 1991-2002

#:45 [launch32.exe]
FilePath : C:\WINNT\MS\SMS\CORE\BIN\
ProcessID : 1832
ThreadCreationTime : 8-18-2005 2:57:11 PM
BasePriority : Normal
FileVersion : 2.00.1493.5116
ProductVersion : 2.00.1493.5116
ProductName : Systems Management Server
CompanyName : Microsoft Corporation
FileDescription : Systems Management Server
InternalName : LAUNCH32
LegalCopyright : Copyright (C) Microsoft
Corporation 1994-2003
OriginalFilename : LAUNCH32.EXE

#:46 [ituneshelper.exe]
FilePath : C:\Program Files\iTunes\
ProcessID : 2048
ThreadCreationTime : 8-18-2005 2:57:21 PM
BasePriority : Normal
FileVersion : 4.7.1.30
ProductVersion : 4.7.1.30
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : © 2003-2004 Apple Computer, Inc.
All Rights Reserved.
OriginalFilename : iTunesHelper.exe

#:47 [smsmon32.exe]
FilePath : C:\WINNT\MS\SMS\CLICOMP\SWDist32
\bin\
ProcessID : 2144
ThreadCreationTime : 8-18-2005 2:57:21 PM
BasePriority : Normal
FileVersion : 2.00.1493.5116
ProductVersion : 2.00.1493.5116
ProductName : Systems Management Server
CompanyName : Microsoft Corporation
FileDescription : SMS 2.0 Client - Advertised
Programs Monitor (Win32)
InternalName : SMSMON32
LegalCopyright : Copyright (C) Microsoft
Corporation 1994-2003
OriginalFilename : SMSMON32.EXE

#:48 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 732
ThreadCreationTime : 8-18-2005 2:57:23 PM
BasePriority : Normal
FileVersion : 6.5.1
ProductVersion : QuickTime 6.5.1
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2004
OriginalFilename : QTTask.exe

#:49 [sxplog32.exe]
FilePath : C:\SxpInst\
ProcessID : 2212
ThreadCreationTime : 8-18-2005 2:57:27 PM
BasePriority : Normal
FileVersion : 6.4/67
ProductVersion : 4.0 Service Pack 1
ProductName : Software Delivery
CompanyName : Computer Associates
International, Inc.
LegalCopyright : © 2003 Computer Associates
International, Inc.
Comments : Common Version Info

#:50 [ipodservice.exe]
FilePath : C:\Program Files\iPod\bin\
ProcessID : 2224
ThreadCreationTime : 8-18-2005 2:57:28 PM
BasePriority : Normal
FileVersion : 4.7.1.30
ProductVersion : 4.7.1.30
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : © 2003-2004 Apple Computer, Inc.
All Rights Reserved.
OriginalFilename : iPodService.exe

#:51 [blackice.exe]
FilePath : C:\Program Files\ISS\BlackICE\
ProcessID : 2320
ThreadCreationTime : 8-18-2005 2:57:48 PM
BasePriority : Normal
FileVersion : 3.6.46
ProductVersion : 3.6
ProductName : Internet Security Systems, Inc.
BlackICE
CompanyName : Internet Security Systems, Inc.
FileDescription : BlackICE MFC Application
InternalName : BlackICE
LegalCopyright : Copyright © 1999-2003, Internet Security Systems, Inc. All rights reserved worldwide.
LegalTrademarks : BlackICE, Internet Security
Systems, Inc.
OriginalFilename : blackice.exe
Comments : Reverse engineering prohibited by
license agreement

#:52 [cidaemon.exe]
FilePath : C:\WINNT\system32\
ProcessID : 2336
ThreadCreationTime : 8-18-2005 3:02:10 PM
BasePriority : Idle
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000
Operating System
CompanyName : Microsoft Corporation
FileDescription : Indexing Service filter daemon
InternalName : cidaemon.exe
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1999
OriginalFilename : cidaemon.exe

#:53 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-
Aware SE Personal\
ProcessID : 1452
ThreadCreationTime : 8-18-2005 3:05:36 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

AdRotator Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{1cfb8b32-4053-4144-
af6f-1540eec7f101}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{8eee58d5-130e-4cbd-
9c83-35a0564e1357}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{8eee58d5-130e-4cbd-
9c83-35a0564e5678}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c6906a23-4717-4e1f-
b6fd-f06ebed11357}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c6906a23-4717-4e1f-
b6fd-f06ebed15678}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{4eb7bbe8-2e15-424b-9ddb-
2cdb9516c2e3}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{4eb7bbe8-2e15-424b-9ddb-
2cdb9516b2c3}

BookedSpace Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{05080e6b-a88a-4cfd-
8c3d-9b2557670b6e}

VX2 Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUL3a5stSSChckin

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUL3a5stMotsSDay

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUP3D5om

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUB3D5om

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUs3t5icky1S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUs3t5icky2S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUs3t5icky3S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUs3t5icky4S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUE3v5nt

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUT3h5rshSBath

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUT3h5rshSysSInf

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUT3h5rshSCheckSIn

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUT3h5rshSMots

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUL3n5Title

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AU3N5a7tionSCode

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUD3s5tSSEnd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUC3u5rrentSMode

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUC3n5tFyl

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUM3o5deSSync

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUI3g5noreS

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUC1o3d5eOfSFinalAd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUT3i5m7eOfSFinalAd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUI3d5OfSInst

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUI3n5ProgSCab

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUI3n5ProgSEx

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUI3n5ProgSLstest

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\software\aurora
Value : AUS3t5atusOfSInst

SurfSideKickBHO Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object :
software\microsoft\windows\currentversion\uninstall\surf
sidekick

SurfSideKickBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object :
software\microsoft\windows\currentversion\uninstall\surf
sidekick
Value : UninstallString

VirtualBouncer Object Recognized!
Type : RegValue
Data : 100
TAC Rating : 5
Category : Malware
Comment : "DistID"
Rootkey : HKEY_LOCAL_MACHINE
Object :
software\microsoft\cryptography\services
Value : DistID

Windows Object Recognized!
Type : RegData
Data : explorer.exe c:\winnt\nail.exe
TAC Rating : 3
Category : Vulnerability
Comment : Shell Possibly Compromised
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows
nt\currentversion\winlogon
Value : Shell
Data : explorer.exe c:\winnt\nail.exe

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 40
Objects found so far: 40


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Possible Browser Hijack attempt :
Software\Microsoft\Internet Explorer\MainSearch
Pagewebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData

Data : "http://websearch.drsnsrch.com/sidesearch.cgi?id="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet
Explorer\Main
Value : Search Page

Data : "http://websearch.drsnsrch.com/sidesearch.cgi?id="
Possible Browser Hijack attempt :
Software\Microsoft\Internet Explorer\MainSearch
Barwebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData

Data : "http://websearch.drsnsrch.com/sidesearch.cgi?id="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet
Explorer\Main
Value : Search Bar

Data : "http://websearch.drsnsrch.com/sidesearch.cgi?id="
Possible Browser Hijack attempt :
Software\Microsoft\Internet
Explorer\SearchSearchAssistantwebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData

Data : "http://websearch.drsnsrch.com/sidesearch.cgi?id="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet
Explorer\Search
Value : SearchAssistant

Data : "http://websearch.drsnsrch.com/sidesearch.cgi?id="
Possible Browser Hijack attempt :
Software\Microsoft\Internet
Explorer\SearchCustomizeSearchwebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData

Data : "http://websearch.drsnsrch.com/sidesearch.cgi?id="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet
Explorer\Search
Value : CustomizeSearch

Data : "http://websearch.drsnsrch.com/sidesearch.cgi?id="
Possible Browser Hijack attempt : S-1-5-21-1790325321-
210772826-1412238824-500\Software\Microsoft\Internet
Explorer\MainSearch Pagewebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData

Data : "http://websearch.drsnsrch.com/sidesearch.cgi?id="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\Software\Microsoft\Internet Explorer\Main
Value : Search Page

Data : "http://websearch.drsnsrch.com/sidesearch.cgi?id="
Possible Browser Hijack attempt : S-1-5-21-1790325321-
210772826-1412238824-500\Software\Microsoft\Internet
Explorer\MainSearch Barwebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData

Data : "http://websearch.drsnsrch.com/sidesearch.cgi?id="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\Software\Microsoft\Internet Explorer\Main
Value : Search Bar

Data : "http://websearch.drsnsrch.com/sidesearch.cgi?id="
Possible Browser Hijack attempt : S-1-5-21-1790325321-
210772826-1412238824-500\Software\Microsoft\Internet
Explorer\SearchURLwebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "websearch.drsnsrch.com/q.cgi?q="
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : S-1-5-21-1790325321-210772826-
1412238824-500\Software\Microsoft\Internet
Explorer\SearchURL
Value :
Data : "websearch.drsnsrch.com/q.cgi?q="

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-
1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-
1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
Value : DisplayName

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-
1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
Value : URLInfoAbout

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-
1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
Value : Publisher

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-
1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
Value : HelpLink

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-
1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object :
Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
Value : Contact

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 13
Objects found so far: 53


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@tradedoubler[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value :
Cookie:[email protected]/
Expires : 8-13-2025 12:58:50 AM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@qsrch[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:[email protected]/
Expires : 9-17-2005 8:58:32 AM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : (e-mail address removed)[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:6
Value :
Cookie:[email protected]/
Expires : 8-18-2006 9:32:18 AM
LastSync : Hits:6
UseCount : 0
Hits : 6

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@pacificpoker[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value :
Cookie:[email protected]/
Expires : 4-12-2007 1:03:48 AM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@2o7[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:[email protected]/
Expires : 8-17-2010 10:06:38 AM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : (e-mail address removed)
[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value :
Cookie:[email protected]/
Expires : 11-23-2005 6:12:40 PM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@cgi-bin[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value :
Cookie:[email protected]/cgi-bin
Expires : 8-16-2015 9:09:20 AM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : (e-mail address removed)-sys
[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:[email protected]
sys.com/
Expires : 1-1-2038
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : (e-mail address removed) [1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value :
Cookie:[email protected]/
Expires : 8-19-2005 9:05:38 AM
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@weborama[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:[email protected]/
Expires : 8-17-2010 1:22:12 AM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@trafficmp[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:11
Value :
Cookie:[email protected]/
Expires : 8-18-2006 9:46:42 AM
LastSync : Hits:11
UseCount : 0
Hits : 11

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@serving-sys[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:administrator@serving-
sys.com/
Expires : 1-1-2038
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@overstock[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:15
Value :
Cookie:[email protected]/
Expires : 2-19-2020 9:28:00 AM
LastSync : Hits:15
UseCount : 0
Hits : 15

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@zedo[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:13
Value : Cookie:[email protected]/
Expires : 8-16-2015 9:38:36 AM
LastSync : Hits:13
UseCount : 0
Hits : 13

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@realmedia[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value :
Cookie:[email protected]/
Expires : 12-31-2020 7:00:00 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 15
Objects found so far: 68



Deep scanning and examining files...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\WINNT
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 68

Disk Scan Result for C:\WINNT\system32
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 68

Disk Scan Result for C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 68


Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
18 entries scanned.
New critical objects:0
Objects found so far: 68



MRU List Object Recognized!
Location: : C:\Documents and
Settings\Administrator\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: :
software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use
microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-1790325321-210772826-
1412238824-500\software\microsoft\internet explorer
Description : last download directory used in
microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1790325321-210772826-
1412238824-500\software\microsoft\internet
explorer\typedurls
Description : list of recently entered
addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1790325321-210772826-
1412238824-500\software\microsoft\microsoft management
console\recent file list
Description : list of recent snap-ins used in
the microsoft management console


MRU List Object Recognized!
Location: : S-1-5-21-1790325321-210772826-1412238824-500\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-1790325321-210772826-1412238824-500\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files,
stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-1790325321-210772826-1412238824-500\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-1790325321-210772826-1412238824-500\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in
start | run



Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

BargainBuddy Object Recognized!
Type : RegData
Data : no
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet
explorer\main
Value : Use Search Asst
Data : no

BargainBuddy Object Recognized!
Type : File
Data : bbchk.exe
TAC Rating : 8
Category : Malware
Comment :
Object : C:\WINNT\system32\
FileVersion : 5.101.1663.1
ProductVersion : 5.101.1663.1
ProductName : Microsoft(R) Windows NT(R)
Operating System
CompanyName : Microsoft Corporation
FileDescription : ECM ChkTrust
InternalName : CHKTRUST.EXE
LegalCopyright : Copyright (C) Microsoft Corp.
1981-1997
OriginalFilename : CHKTRUST.EXE


VX2 Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\controlset001
\control\print\monitors\zepmon

VX2 Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object :
system\currentcontrolset\control\print\monitors\zepmon

VX2 Object Recognized!
Type : RegData
Data : explorer.exe c:\winnt\nail.exe
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows
nt\currentversion\winlogon
Value : Shell
Data : explorer.exe c:\winnt\nail.exe

VX2 Object Recognized!
Type : File
Data : vx2cleaner.dlx
TAC Rating : 10
Category : Malware
Comment : This file is placed by the VX2
Cleaner Plugin. Selecting this item for removal is for
the sole purpose of keeping the system tidy (the file is
no longer required in your Windows folder). Removing this
file does not impact the plugin.
Object : C:\WINNT\



VX2 Object Recognized!
Type : File
Data : abiuninst.htm
TAC Rating : 10
Category : Malware
Comment :
Object : C:\WINNT\



Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 7
Objects found so far: 84

10:07:30 AM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:01:43.589
Objects scanned:56313
Objects identified:75
Objects ignored:0
New critical objects:75




plun

Jim Byrd wrote on 2005-08-18 :
Hi - MS AntiSpyware Beta is capable of removing a number of the VX2
variants. Run it _twice_ in Safe mode or from a Clean Boot.

Hi

Well, I do believe with all respect that Andy already checked this
several times!

MS don't want any EULA discussions/trials with Direct Revenue!

Bill Sanderson

plun said:
Well, I do believe with all respect that Andy already checked this several
times!

MS don't want any EULA discussions/trials with Direct Revenue!

This is absolute nonsense plun. If Microsoft antispyware is not removing a
given VX2 variant, it isn't due to any legal issues--it's a technical issue.
 