The Holder of this blog uses no cookies and collects no data whatsoever. He is only a guest on the Blogger platform. He has made no agreements concerning third party data collection and is not provided the opportunity to know the data collection policies of any of the standard blogging applications associated with the host platform. For information regarding the data collection policies of Facebook applications used on this blog contact Facebook. For information about the practices regarding data collection on the part of the owner of the Blogger platform contact Google Blogger.

Friday, May 27, 2005

American Life in Poetry #8: Karma Larsen.


Thousands, perhaps tens of thousands of poems have been written to express the grief of losing a parent. Many of the most telling of these attach the sense of loss to some object, some personal thing left behind, as in this elegy to her mother by a Nebraskan, Karma Larsen:

Milly Sorensen, January 16, 1922 - February 19, 2004

It was the moonflowers that surprised us.
Early summer we noticed the soft gray foliage.
She asked for seedpods every year but I never saw them in her garden.
Never knew what she did with them.
Exotic and tropical, not like her other flowers.
I expected her to throw them in the pasture maybe,
a gift to the coyotes. Huge, platterlike white flowers
shining in the night to soften their plaintive howling.
A sound I love; a reminder, even on the darkest night,
that manicured lawns don't surround me.

Midsummer they shot up, filled the small place by the back door,
sprawled over sidewalks, refused to be ignored.
Gaudy and awkward by day,
by night they were huge, soft, luminous.
Only this year, this year of her death
did they break free of their huge, prickly husks
and brighten the darkness she left.

Poem copyright by Karma Larsen, and reprinted by permission of the author. This weekly column is supported by The Poetry Foundation, The Library of Congress, and the Department of English at the University of Nebraska, Lincoln. This column does not accept unsolicited poetry.

Also at Virtual Grub Street by/about Ted Kooser:

More on Variant ADW_ELITEBAR.D.

A March 2005 forum thread at Midtown Computer Systems Enterprise provides more detail on ADW_ELITEBAR.D . It's a bit garbled, though: intertwined with discussions about how malware gets installed on computers and about the relative merits of Firefox compared to Internet Explorer. But some things are clarified in the course of "bu2's" (the plaintiff's) attempts to remove this resistant variant of SearchMiracle/EliteBar.

First he informs us of the original condition of the machine, which can be quite helpful:

I use WIN XP Home SP2, IE 6.0, my AV is PC-Cillin. I also use Spy Hunter and Beta version of MS Antispyware. Recently I somehowgot ADW_ELITEBAR.D adware that keeps reloading instantly afterI get rid of it with the AV.

It is a standard XP with two top-end commercial anti-virus programs. Moreover, one of the anti-virus programs -- Trend Micro's PC-Cillin -- we already know, from VGS's article "Diabolical New EliteBar Variant Strikes the Web!!!!", has claimed that it is able to remove EliteBar.D (a claim that Gian Carlo, at SimplyTech, disputes).

Next, he lets us follow the decision-making process:

I am still deciding what exactly to do and when. Trend Micro has a"solution" re the culprit at: [url] graywareDetails.asp?SNAME=ADW%5FELITEBAR%2ED [/url] I could not make it run. I'll have another look, maybe I was hasty and missed something. It just opens a DOS like C: Command Prompt it seems to run but nothing happens.We are talking about their instructions to download TMAPTN.ZIP with the latest grey something files. Why am I paying them and updating religiously several times a day? Anyway the program that uses the above file (tmntsrv.exe) does not run or does not run properly when I do it.

I also was told to look into Simply Tech site [url] [/url] and download the Elite Bar Remover
which I did and I am deciding whether to run it now or after my monthly (data)
backups just in case something goes awry.

Once the system is clean I may well switch to another Internet Browser. I am not happy with MS leaving so many holes in their software. Also their Beta Antispyware, while pretty good, cannot even see the Elite Bar!? The Trend Micro Antivirus Scan can not see it either but the special Scan for Spyware feature does and it even deletes it but the s*it reinstalls itself instantly.

The utility that Trend Micro claimed would remove EliteBar.D is "tmntsrv.exe". Whether due to the nature of the malware, his failure to properly deploy the removal tool or some other problem, the program fails even to run properly. He considers downloading and running the SimplyTech Elite Toolbar Remover.

The Beta version of MicroSoft Antispyware, we learn, was not able even to detect ADW_ELITEBAR.D. At some point bu2 (exactly when is not clear) does use "the special Scan for Spyware feature" provided with his Trend Micro service. It detects and briefly removes the malware which immediately thereafter reinstalls. Whether it actually reinstalled on reboot is not stated but it seems likely.

Next he tries SimplyTech's EliteBar Removal Tool. At this point, both SimplyTech and he are not aware that there is a variant of EliteBar that the removal tool won't remove:

Well, I ran the remedy as explained at [url] [/url] That was in WIN XP Safe Mode and ... I scored a big victory for the

It did not budge. As soon as I checked on it, after removing it with the "remover" and restarting the PC - I found it was still there.

Gian Carlo's commentary, soon after, in his own SimplyTech forum, can be found in VGS's article "Diabolical New EliteBar Variant Strikes the Web!!!!". What it all comes down to in the end is that no removal tool presently exists, free or commercial.

Source: Midtown Computer Systems Enterprise>message1508783

Also See:

[re: SearchMiracle.EliteBar Search Miracle Elite Bar EliteToolBar Elite Toolbar Elite Tool Bar Elitum ETBrun YupSearch Yup Search.]

Wednesday, May 25, 2005

Find-It Web Search has Been Shut Down.

The malware sites and have recently been shutdown. The following message appears on the sites:

The domain [] has been terminated for abuse.

If you received an email from a bank, eBay, or PayPal directing you to visit this site to update your account details, please click here

The site was also used to originate phishing e-mails. The link is to a simple Citibank primer on spotting and avoiding phishing schemes.

Monday, May 23, 2005

The Eye of the Beholder.

by Gilbert Wesley Purdy.

eye: poems and retina prints
by Elizabeth Goldring.
Kansas City: BkMk Press, 2002.
ISBN 1-886157-37-5. $15.95

Note: The links in this essay/review are designed to provide a slideshow to accompany the text.

Elizabeth Goldring - the author of eye: poems and retina prints -- apparently began to lose her sight in the early 1980s. She is suffering from proliferative retinopathy - a disease restricted to diabetics. A lack of blood nutrients triggers a growth hormone, in some diabetics, causing new blood-vessels to grow in the retina of the eye. The vessels are improperly formed and eventually hemorrhage to fill the aqueous humor with blood.

Before her blindness, she had been impressively working (and networking) her way along a career path in academia. From her beginnings as a baccalaureate from Smith College, and a public school teacher of French and art, she had rapidly achieved positions at the Field Museum of Natural History of Chicago, the Smithsonian Institute and the Children's Museum of Boston, and had become a fellow at the Center for Advanced Visual Studies at M.I.T. In amongst it all, she found the time to acquire a Masters, in Education, from Harvard.

The Center for Advanced Visual Studies (CAVS, for short) is a remarkable place. Founded in 1967 by Gyorgy Kepes (whom Goldring cites as a profound influence on her work), it is dedicated to exploring the compatibility of science and art. The idea is to create art. The associated degree work is in science.

Kepes came to America, in 1937, at the behest of Laszlo Moholy-Nagy. Moholy-Nagy had found the backers necessary to open the New Bauhaus in Chicago. In the words of Hilton Kramer:

The dream he harbored was for a kind of art that could not be contained by the easel, the studio, or the museum. Nowadays, I suppose, we would call it environmental art, though Moholy's dream cannot really be understood in purely aesthetic terms. What he envisioned was a grandiose form of social reconstruction - a benevolent revolution in which the resources of industrial technology would be used to liberate and elevate the sensibility of the masses. The role of the artistic impulse in such a revolution would not be to produce precious objects (such as easel paintings), but to redesign every object - indeed, every visual sensation - in the environment. Art would cease to be an end in itself and become a method - the primary method, in fact - for transforming society into a happier and more harmonious community.

Kepes was appointed Professor of Color and Light. He came into his own with the publication, in 1944, of his book Language of Vision. The work is considered something of a classic.

Kepes was deeply interested in Kinetic Art composed of light, an early example of which was Nahum Gabo's 1920 light sculpture. Gabo had taken his bearings from Umberto Boccioni's continuity sculptures and Marcel Duchamps's "Nude Descending a Staircase," both of which had been influenced, in turn, by the tremendously exciting early experiments in the motion picture by the likes of Eadweard Muybridge. The studies had rapidly transformed the art world.

Through CAVS, he would finally have the resources necessary for new experiments and larger works. It was Moholy's dream come true at a level that he could hardly have imagined: Bauhaus: the New Generation, as it were. The world's finest environmental and kinetic artists joined scientists and technicians there for a continual celebration of technology and light. While the utilitarian aspect was not lost sight of, CAVS was also influenced by prevailing theories of play. Aesthetics were encouraged.

In 1974, Otto Piene - Kepes first choice for a CAVS fellowship, in 1968 -- took over as director. Elizabeth Goldring was named a fellow in 1975. The two collaborated with composer and light artist Paul Earls to create the tremendously successful "sky opera" Icarus. Piene created the Centerbeam: a 175 foot long construction of perforated pipes that continuously released a steam screen upon which light figures were projected in coordination with the story of the opera. Goldring's role seems mainly to have been as a project coordinator, of sorts. Both created the Sky Art conferences of the mid-80s.

Elizabeth Goldring's eye: poems and retina prints is an example of how the spirit of the Bauhaus renews itself still. The idea of the prints began to take shape when her eye doctor first utilized a Scanning Laser Ophthalmoscope (SLO) to flash a picture past her hemorrhages and onto her retina. She saw a clear image for the first time in years. Soon she was familiar with the machine and intent to use it as an Internet reading device for those with limited vision. A new language would be necessary: a vocabulary of images. "For me," the author writes, "the Retina Prints are visual poems."

Along the way, Goldring worked with Rob Smyser -- then manager of the M.I.T. Computer Resource Laboratory -- to do the initial interface of an SLO with the Internet. The feat comprised a genuine technological breakthrough. In this fashion, she has become one of the pioneers of the telemetric medical stations now being developed for use as a diagnostic tool in outer space and other remote locations where a specialist cannot be physically present in order to make direct observations.

Once the SLO image could be digitized, the technology was at hand to invent the retina print. The point of CAVS, after all, is to create works of art. The images were colorized using standard Photoshop™ software. (SLO images are necessarily black and white, at present.) Goldring's goal of helping to invent a low cost SLO to interface with the Internet, thus allowing the visually challenged to see in the virtual world, has been more difficult to accomplish. In her role as poet, she and her students continue, as well, to work at developing a serviceable visual language for those whose impairment will not allow them to read any considerable amount of normal text. The efforts range from retina prints to haiku-like poems such as "Pear Falls."

Finally, in 2002, the efforts of Goldring and M.I.T. were joined with those of the University of Missouri's BkMk Press in the volume eye: poems and retina prints. The journey has been a long one and the book is yet one more step along the way. Simple and dignified, it is 104 pages of word and visual poems.

The poems-proper begin with descriptions of travel. Most apparently describe the years before the onset of her retinopathy as they contain normal descriptions of a sighted person clearly the author. They are spare even by today's standards. A number of the retina print poems are painted with Photoshop™. Others are in black and white. At times there are several to a page. Only rarely does a print serve to illustrate a poem-proper.

The better poems in the volume are consistently retina prints. "Descent" gives a fair impression of what it must be like for a visually challenged person to descend an unfamiliar and ill-lit stairwell. "Door on Sabrina's Retina", with its combination of letter and pictogram, is a nice example of one of the methods being pursued in the creation of a new visual language. "September Eleven" is far better than the vast majority of 9/11 poems. There are several simple and effective visual puns.

It is not that the poems-proper do not have their moments. Those moments are generally snippets of poems that predictably read like a short oriental verse form. In the poem "Lavender":

A nun crosses the field,
her fluttering habit
a lunar bird.

In "Beijing":

twist to shape words,
whispered calligraphy.

The poem "Multicultural", in which the poet deftly navigates an ambiguous situation, is a nice bit of work throughout its 14 lines.

There are also some unique touches. Most of the travel in the poems was apparently expensed. At Taroudant, Morocco, the travelers find it impossible to get a receipt from their taxi driver. It is the kind of detail that says more than it seems to say on the surface. In the poem "Reconstructing Dan", the title is printed as the second line of the poem - taking Charles Bukowski and Lyn Lifshin (and, now, about half the poets in existence) an interesting step further.

Still, there can be no doubt that the retina prints dominate the volume. There are two reasons. First, reductionism works far better in pictures than in words as the rule. Second, it is clear that the retina prints are the result of a rich and patient creative process whereas the poems are not. Add to the creative process the fascinating technological and visual arts aspects and the prints have an advantage that even the finest of poets would find difficult to overcome.

That is part of the experience of reading eye: poems and retina prints. Poetry has yet to find a technology. Perhaps poems such as "Pear Falls" promise to bring it into the kinetic realm, but, delightful as the poem is, it still seems likely that the craft will have to look elsewhere for its avant garde effects. In the end it must look, as always, to words that have been given the attention and invention that this author has given her retina prints.

In the middle of her climb to the heights of academia Elizabeth Goldring was stricken with an affliction that might have broken most people. Instead she turned it into an advantage with the same determination that had fueled her ascent through academia from its inception. She is now a senior fellow at CAVS. Poet, visual artist, co-inventor, and academician, she is a leader in the most ironic of fields: the visual field. This, too, is part of the experience of reading eye.

Gilbert Wesley Purdy’s work in poetry, prose and translation has appeared in many fine journals, paper and electronic, including: The Georgia Review, Jacket Magazine (Australia); Poetry International (San Diego State University); Grand Street; The Pedestal Magazine; the Valparaiso Poetry Review (Valparaiso University); SLANT (University of Central Arkansas); Orbis (UK), Eclectica; and Quarterly Literary Review Singapore. His Hyperlinked Onlne Bibliography is now also hosted at BlogSpot. This review first appeared in the online journal Sidereality.

More from the Mailbag: David Eisenman and Terry Walton.

David Eisenman, Director of The Fred S. Bailey Scholarship Fund, and somehow member of The Finial Press, saw VGS's Guy Davenport's Memorial Service Was Held This Morning and posted a comment part of which I import to the "From the Mailbag" feature:

Mr. Purdy-- The memorial service came off beautifully. Perfect weather -- 70 degrees and a breeze. For 90 minutes, people famous and obscure spoke of Guy's erudition (a word once or twice pronounced correctly) but primarily of Guy's kindnesses. His prodigious letter writing, to hundreds of correspondents, was alluded to often. Highlights for this attendee were (1) Paul Prather's piece from the Lexington paper, written at the time of Davenport's death, read in his absence (a death in his family kept him away) by Bonnie Jean Cox. It's a beautiful piece centering on how Guy saw promise in the young Prather, and gave him the sort of encouragement that lasts a lifetime; and (2) Nikky Finney's eloquent poem about preparing to live in Guy's house, a case of a poet feeling the presence of her poet predecessor in these digs. It was perfect; look for it to be published somewhere.

Kenneth Haynes, presently of Brown University, also attended the service and read Greek and Latin passages from the classics. The Fessor was highly complimentary of Haynes's classical scholarship. Following his compliments, he would sometimes add, with a tone indicating the profoundest irony, that Haynes was a Baptist!

The Fessor was not at all pleased with the cuts to the story "Wo es War, Soll ich Werden" that he had been called upon to provide for The Death of Picasso : New & Selected Writing (Shoemaker & Hoard, 2003). The Finial Press, manned by aficionados Eisenman and A. Doyle Moore, offered to do a handmade limited edition of the original version of the story. The book was finished shortly before his death. Copies may still be available.

The following arrived in one of my e-mail boxes from another friend of some eight or nine years, Terry Walton. We have shared crying towels after each of the previous two presidential elections. Actually, we spent election night of 2000 simultaneously surfing the channels of two televisions and following the Internet coverage at Terry and Kathy's house. Terry and his wife Kathy moved up to Gainsville, Florida, several years ago now.

Terry has a dedicated mailing list which he keeps informed and entertained -- most recently, as follows:

We certainly learned a lesson from 9/11 -- right?

The following was excerpted from the Washington Post blog:

That's an image that isn't easy to forget: As official Washington bugged out Wednesday in the face of a possible terrorist attack, President Bush was on a bike ride and wasn't told a thing. See yesterday's column for background. John Roberts reports on the CBS Evening News: "The fact no one informed him that the first lady had been whisked to a bunker, the vice president moved and the government's emergency plan launched, would seem extraordinary. The White House insists the president didn't need to know."


Possible reasons they did not tell Bush:

(1) They were worried he would fly out to Omaha again.
(2) Without "My Pet Goat," this president cannot cope with a crisis.
(3) In case of national emergency, only essential personnel should be informed.
(4) Bush had gotten so used to manipulating the alert status of this country for cynical political purposes that he had forgotten that there might be a real threat.
(5) Bush and Rove don't worry because "the more damage done to the country,the more chances for us to seize control."
(6) Bush was busy interviewing his top choices for the next seat on the Supreme Court, John Bolton and Kenneth Lay, and did not want to be disturbed.
(7) Condy Rice decided that the warning of imminent attack was an "historical document."
(8) Dick Cheney is the most arrogant president we've ever had.
(9) They thought Bush would demand that we invade another country -- probably France, because it's so close.
(10) They figured God would tell him.

He is, of course, a moderate Democrat.

Also See:

Sunday, May 22, 2005

Diabolical New EliteBar Variant Strikes the Web!!!!

Giancarlo Calo, of, freeware Baron of the Internet, by virtue of his EliteBar Removal Tool, reports that a new malware variant has appeared on the net that Trend Micro has designated ADW_ELITEBAR.D. The first contacts with the new variant are described in an April 1 through 19 May, 2005, thread at Simply Tech's EliteBar forum. In the words of Calo, in the original April 1, 2005, forum posting:

Well, as far as we are working on this pest we can say that it is NOT an EliteToolbar malware! It is acting in a half-way as a virus and half-way as a malware/spyware. It is using some new typologies of attack we have never watched before...

We don't know if its a new product of the same guys who released the EliteToolbar malware, but we can say it is not an EliteToolbar malware and we are not yet able to do an automatic remover for it.

According to Calo, Trend Micro seems to have felt, at one point, that its commercial software could remove the infection but Simply Tech still found the malware intact after Trend Micro's process. The Trend Micro ADW_ELITEBAR.D information page presently lists only manual removal instructions.

This is not the only item that is unclear. TM desribes one toolbar on the ADW_ELITEBAR.D page while Calo provides a photo of an infection that leaves two toolbars, one top and one bottom. Just how these inconsistencies will be resolved remains to be seen.

All of that aside, Calo describes a truly diabolical new approach to malware:

It doesn't install any dll and changes the name of its executable on a randomic basis using real words took in documents of the user. It also traces and log the activity of the user and writes a log file with the attributes used for the system files. It works in low-level with the system and it is impossible to dump it from the system memory because it fools you directing your attention on a process that is not the real responsable of the infestation.

This would appear to mean that the main executable file randomly changes its name while the infection is in the computer such that it is all but impossible to target and delete it. The naming process ("...using real words [taken from] documents [in the user's computer]") makes it difficult to tell legit from infected files or to locate the infected file through file searches.

An excellent picture of the double toolbar arrangement is located at the forum posting. Giancarlo Calo, and Simply Tech, offer what little help they can for the time being:

At the moment the only way we can helping you removing this infestation is acting on your pc via a Remote Administration program. If you need for our help write us a mail ( about it and feel free to ask for details and times of intervention.

In at least some instances, the help provided will provide SimplyTech with much needed data in return. It is sure to help the effort to head off this variant before it ends up on all of our computers.

Also see:

[re: SearchMiracle.EliteBar Search Miracle Elite Bar EliteToolBar Elite Toolbar Elite Tool Bar Elitum ETBrun YupSearch Yup Search.]

"How to Remove" Detail Pages.

The following "How to Remove" detail pages have recently been posted at Virtual Grub Street. How to Remove pages are linked from the Adware & Malware Indentifier Index.

The How to Remove Mirar Toolbar detail page has also recently been updated. Further pages will follow.

Friday, May 20, 2005

EliteBar Removal Tool Updates to 1.3.0!!!!!

or How to Remove SearchMiracle/EliteBar (Alt. 1, Rev. 2)

Giancarlo Calo, over at, is staying aggressive with his freeware EliteBar Removal Tool. Among the infections it claims to remove "every trace" of are the following. The items highlighted in red are linked to Virtual Grub Streets's "How to Remove/Detailed Information" pages:

EliteBar; EliteToolbar; EliteSidebar; BargainBuddy; Browser
Aid; CashToolbar; FreshBar; GameSpy; MoneyTree; Nail.exe; NaviSearch; navpsrvc.exe (also known as: W32/Forbot-EF, worm); SearchMeUp; SideStep; Spybot - Randex; SupportSoft; SurfSideKick; Win32.RBot; Winmon.exe (also known as: W32/Agobot-KA, trojan); and WinMoviePlugIn.

The "How to Remove" detail pages for SearchMiracle/EliteBar consist of the articles regularly posted at VGS. The file information for EliteBar is located on the Adware & Malware Indentifier Index itself. Further detail pages will be added on a continuing basis.

Simply Tech's description of the reason why SearchMiracle/EliteBar is so difficult to remove verifies the information in the various Virtual Grub Street articles over the past several months:

Actually some software like Spybot v.1.3, CWShredder v.2.12, Noadware,Adaware v.6, SpyNuker 2004 and SBC Yahoo! Anti-spy have no success in deleting this very frustrating malware. These programs find and delete it, but it keeps coming back since this new variant is very difficult to remove from the
operating system.

The main problem is that the malware creates a lot of registry entries and executes at PC startup, winding itself into RAM and deletes its own *.exe from the C:\Windows\System32 directory.

When ordinary tools try to remove it, they only clean the registry calls, the C:\Windows\EliteToolbar directory and the cabinets files where it originated from, but they don't take any action against the malware itself that is currently running in RAM and waiting for the PC OS to be shut down only to repeat the infestation once again!
This would seem to be a trick that the newer malware/adware products are widely copying. Perhaps this is the reason that the EliteBar Removal Tool has added so many porducts to the list of infections it removes. It is certainly the reason that most HijackThis and manual removal instructions direct the user to do main and downloader file deletions while in Safe Mode.

Also see:

[re: SearchMiracle.EliteBar Search Miracle Elite Bar EliteToolBar Elite Toolbar Elite Tool Bar Elitum ETBrun YupSearch Yup Search.]

American Life in Poetry #7: Leonard Nathan.


Leonard Nathan is a master of short poems in which two or three figures are placed on what can be seen to be a stage, as in a drama. Here, as in other poems like it, the speaker's sentences are rich with implications. This is the title work from Nathan's book from Orchises Press (1999):

The Potato Eaters

Sometimes, the naked taste of potato
reminds me of being poor.

The first bites are gratitude,
the rest, contented boredom.

The little kitchen still flickers
like a candle-lit room in a folktale.

Never again was my father so angry,
my mother so still as she set the table,

or I so much at home.

Reprinted by permission of the author, whose most recent book is "Tears of the Old Magician," Orchises Press, 2003. This weekly column is supported by The Poetry Foundation, The Library of Congress, and the
Department of English at the University of Nebraska, Lincoln. This column does not accept unsolicited poetry.

Also at Virtual Grub Street by/about Ted Kooser:

Wednesday, May 18, 2005

Key File Index

The following is an in-progress index of key files. The files are designated "key" files as a result of issues discovered during various computer repairs and/or queries received at Virtual Grub Street and/or issues noted during extensive Internet research. It will be regularly updated with new information as it comes available. Revision dates will be listed in parenthesis next to the revised/updated item.

The information in the Key File Index is the result of thousands of web searches. It can not, however, possibly be complete. The subject is vast and constantly changing. The information on the page is not guaranteed correct and any use you may choose to make of it is entirely at your own risk.

File Name: mwsoemon.exe

  • Related Names:
  • Associated Files: websearch1.exe; hbhostie.dll; hbinst.exe; mwsbar.dll; mwsoestb.dll; mwssrcas.dll.
  • What is mwsoemon.exe?: Installs MyWebSearch (MySearchBar, MyWay Speed Bar). Loads down into "c:\program files\".
  • Related Articles:
  • Notes:

File Name: navlogon.dll

  • Related Names:
  • Associated Files:
  • What is Navlogon.dll?: In the location O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll for Windows Xp, C:\Winnt\System32\NavLogon.dll for Windows NT/2000, and C:\Windows\System\NavLogon.dll for Windows 95/98/Me, this file is the legitimate Norton Anti-Virus Log-On library. No other instances of this file are known.
  • Related Articles: None.
  • Notes:

File Name: rundll32.exe

  • Related Names: Normal Windows file for loading applications. It can also be associated with: Backdoor.Lastdoor trojan; StartPage trojan; W32/Legemer.worm; W32.Miroot.Worm; etc.
  • Associated Files:
  • What is rundll32.exe?: The normal Windows system file "rundll32.exe" is an executable file used to traffic-cop/import functions from Dynamic Link Libraries recognized by the Windows system. If it is removed, many legitimate programs will no longer be able to run on the subject machine. Counterfeit rundll32.exe programs are frequent components in viruses, trojans, worms, etc.
  • Related Articles: None.
  • Notes: The legitimate Windows rundll32.exe file is located at C:\WINDOWS\System32\rundll32.exe for Windows XP, C:\Winnt\System32\rundll32.exe for Windows NT/2000, and C:\Windows\System\rundll32.exe for Windows 95/98/Me. The legitimate rundll32.exe file can be overwritten, however, by the Backdoor.Lastdoor trojan. In all instances when rundll32.exe is located other than in the appropriate Windows folder it is associated with a virus, spyware, trojan or worm.

File Name: Sysmon.dll

  • Related Names: WORM_APRIFUL.A [Trend Micro]; Diplodock System Spy II [Spyware Information Center]; Spyware.SystemSpy [Symantec].
  • Associated Files: analyzer.exe; ss.exe.
  • What is Sysmon.dll?: Sysmon.dll is a keystroke logger that can effect Windows 95, Windows 98, Windows Me. It can run without appearing in the Task Manager.
  • Related Articles: None.
  • Notes:

File Name: Sysmon.exe

  • Related Names: Trojan.Sysmon [Dialogue Science]; [Kaspersky]; Worm.Win32.Bizex [Kaspersky]; W32/Bizex.worm [McAfee]; W32/Bizex-A [Sophos]; Java/Bizex.A.
  • Associated Files: ICQ2003Decrypt.dll; icq_socket.dll; irsetup.dat; java32.dll; javaext.dll; sysmon.ini.
  • What is Sysmon.exe?: Sysmon.exe can be a malware file especially if found together with any of the above files. This is also the file name for Aopen, Inc.'s legitimate CPU monitoring software.
  • Related Articles: None.
  • Notes: Sysmon.exe occupies approximately 32k of memory.

File Name: Sysmon.ocx

  • Related Names:
  • Associated Files:
  • What is Sysmon.ocx?: Sysmon.ocx is a legitimate program to monitor and enhance Windows-bearing computer hardware via ActiveX controls. If removed, some legitimate windows programs will no longer be functional.
  • Related Articles: None.
  • Notes: Sysmon.ocx occupies approximately 200-235k of memory.

File Name: winldra.exe

  • Related Names: Nibu.j trojan; Dumaru trojan (or worm); Dumador trojan (or worm); Bambo trojan.
  • Associated Files: dvpd.dll; netdx.dat; socks.dat; prntsvra.dll; TEMP\fa4537ef.tmp; prntk.log; prntc.log; feff35a0.htm; fe43e701.htm .
  • What is Winldra.exe?: Winldra.exe is associated with Nibu.j backdoor trojan (a.k.a. Dumaru, Dumador, Bambo). It harvests information from the user's computer and periodically sends it to the host site. The information may include screen-shots and keystroke logs.
  • Related Articles: None.
  • Notes:

Monday, May 16, 2005

Warning Bouy:

Warning bouy for sites: http://******

I am particularly pleased with my the "Alert" feature of my Google e-mail box. Unfortunately, it brought me to the following site in response to one of my Alerts. This, then, may qualify as a double warning bouy.

Scan type: Auto-Protect ScanEvent: Threat Found! Threat: Bloodhound.Exploit.6 File: C:\Documents and Settings\LL303012\Local Settings\Temporary Internet Files\Content.IE5\4LIFCTUB\web[1].htmLocation: C:\Documents and Settings\LL303012\Local Settings\Temporary Internet Files\Content.IE5\4LIFCTUBComputer: CLL3030012User: LL303012 Action taken: Delete succeeded : Access denied Date found: Monday, May 16, 2005 4:35:53 PM

Scan type: Auto-Protect ScanEvent: Threat Found! Threat: Trojan.Anicmoo File: C:\Documents and Settings\LL303012\Local Settings\Temporary Internet Files\Content.IE5\CTABOHQZ\sploit[1].anrLocation: C:\Documents and Settings\LL303012\Local Settings\Temporary Internet Files\Content.IE5\CTABOHQZComputer: CLL3030012User: LL303012 Action taken: Clean failed : Delete failed : Access denied Date found: Monday, May 16, 2005 4:43:40 PM

Scan type: Auto-Protect ScanEvent: Threat Found! Threat: Trojan.Anicmoo File: C:\Documents and Settings\LL303012\Local Settings\Temporary Internet Files\Content.IE5\4LIFCTUB\sploit[2].anrLocation: C:\Documents and Settings\LL303012\Local Settings\Temporary Internet Files\Content.IE5\4LIFCTUBComputer: CLL3030012User: LL303012 Action taken: Clean failed : Delete failed : Access denied Date found: Monday, May 16, 2005 4:44:32 PM

Scan type: Auto-Protect ScanEvent: Threat Found! Threat: Trojan.Anicmoo File: C:\Documents and Settings\LL303012\Local Settings\Temporary Internet Files\Content.IE5\C5ANCD2F\sploit[1].anrLocation: C:\Documents and Settings\LL303012\Local Settings\Temporary Internet Files\Content.IE5\C5ANCD2FComputer: CLL3030012User: LL303012 Action taken: Clean failed : Delete failed : Access denied Date found: Monday, May 16, 2005 4:45:23 PM

Trojan.Anicmoo downloads ADW_SWEETBAR.A. More details about Anicmoo and Sweetbar are available at Virtual Grub Street's Malware Indentifier Index.

Beware of these sites!

Also see:

Friday, May 13, 2005

American Life in Poetry #6: Barton Sutter.


Rhyme has a way of lightening the spirit of a poem, and in this instance, the plural, spirits, is the appropriate word choice. Lots of readers can relate to "Sober Song," which originally appeared in North Dakota Quarterly. Barton Sutter is a Minnesota poet, essayist, and fiction writer who has won awards in all three genres.

Sober Song

Farewell to the starlight in whiskey,
So long to the sunshine in beer.
The booze made me cocky and frisky
But worried the man in the mirror.
Goodnight to the moonlight in brandy,
Adieu to the warmth of the wine.
I think I can finally stand me
Without a glass or a stein.
Bye-bye to the balm in the vodka,
Ta-ta to the menthol in gin.
I'm trying to do what I ought to,
Rejecting that snake medicine.
I won't miss the blackouts and vomit,
The accidents and regret.
If I can stay off the rotgut,
There might be a chance for me yet.
So so long to God in a bottle,
To the lies of rum and vermouth.
Let me slake my thirst with water
And the sweet, transparent truth.

Reprinted from "Farewell to the Starlight in Whiskey," Rochester: BOA Editions, 2004, by permission of the author. This weekly column is supported by The Poetry Foundation, The Library of Congress and the Department of English at the University of Nebraska, Lincoln. This column does not accept unsolicited poetry.

Also at Virtual Grub Street by/about Ted Kooser:

Monday, May 09, 2005

Malware Identifier Index

This page is in the process of being transformed into a special targetted adware/malware index. It is not presently being updated. The new Adware & Malware Identifier Index is located >>> Here.

The following is an in-progress index of some of the more common malware toolbars/browser helper objects, and associated files, at large on the Internet. It links, when possible, to detail pages including vendor uninstall pages and freeware or trialware removal tools. No commercial removal software is cited. Only auxiliary information for manual removal is provided. It will be regularly updated with new information as it comes available. Revision dates will be listed in parenthesis next to the revised/updated item.

The information in the Adware & Malware Indentifier Index is the result of thousands of web searches. It can not, however, possibly be complete. The subject is vast and constantly changing. Moreover, vendor uninstall tools and other freeware removal tools do not necessarily remove all of an infection from your computer. Vendor uninstall tools, for instance, may silently leave cookies or other tracking software installed. It is suggestible to follow up a removal with one or more adware scans and/or to do an inspection using a HijackThis log. The information on the page is not guaranteed correct and any use you may choose to make of it is entirely at your own risk.

Indexed by Common Infection Name:

-[A]- -[B]- -[C]- -[D]- -[E]- -[F]- -[G]- -[H]- -[I]- -[J]- -[K]- -[L]- -[M]- -[N]- -[O]- -[P]- -[Q]- -[R]- -[S]- -[T]- -[U]- -[V]- -[W]- -[X]- -[Y]- -[Z]-

AproposMedia, PeopleOnPage, POP

  • Executable Files: 9yxuen.exe; addit.exe; all_files10.exe; aprload.exe; apropos.exe; apropos_client_loader.exe; apropos_uninstaller.exe; aufo.exe; autoupdate.exe; auto_update_install.exe; cxtpls.exe; dx8iext.exe; load.exe; magicinlayinstall.exe; midaddle.exe; monpop.exe; mv7dizbww.exe; mw.exe; mw_4s_stub.exe; notify.exe; ororoxid.exe; phomac.exe; popsrv225.exe; _ps_inst.exe; qnqyiee.exe; rcisp.exe; sepinst.exe; sfl.exe; shmhupnp.exe; sm1ay.exe; sysai.exe; update_1.exe; updater.exe; vmpremov.exe; wrifo.exe; z.exe; zga.exe.
  • Dynamic Link Libraries: 199e866.dll; 6ktkk.dll; 7ggoo.dll; acsdir.dll; activeinstall2.dll; aproposplugin.dll; atla.dll; atlw.dll; cxtpls.dll; directxvercheck.dll; dsetup.dll; dsetup16.dll; dsetup32.dll; pop225.dll; pophook4.dll; proxystub.dll; qnqyiee.dll; qtinstallerhelper.dll; sidesearch.dll; toolbar.dll; truetypefontinfo.dll; wingenerics.dll; write_ph.dll; z.dll; zga.dll.
  • Directory/Search Page:
  • Uninstall page URL:
  • Related Articles: Important Removal Tool Note.
  • Notes: According to the Spyware Information Center, this infection is also known as Adware/Apropos [Panda], Adware/SideSearch [Panda], Adware/WinTools [Panda], [Kaspersky], Trj/Upseter.A [Panda], TrojanDownloader.Win32.Apropo.b [Kaspersky], TrojanDownloader.Win32.Apropo.g [Kaspersky], Win32/Agent.AG trojan [Eset], Win32/TrojanDownloader.Apropo.B trojan [Eset], Win32/TrojanDownloader.Apropo.G trojan [Eset]. See: How to Remove AproposMedia.

C2, Lop

  • Executable Files: asshuktr.exe; bilyooas.exe; byb_save.exe; crgbeaoa.exe; dmvcrthl.exe; eaymulyl.exe; eeublidc.exe; glxshmcr.exe; ijlysseb.exe; jqumysto.exe; kfriegbs.exe; llfggrdr.exe; lltckiey.exe; lopsearc.exe; meemnckyqbr.exe; meepajlr.exe; mprcouie.exe; oofrkxpe.exe; peebqusz.exe; quveioot.exe; shoucrck.exe; ssmeeibl.exe; tchpeatr.exe; tglblrll.exe; trdzhtxf.exe; trstdris.exe; ulyuiexeechp.exe; vestufck.exe; vfthrcbr.exe; xogyfhp.exe; ykphmbre.exe; ylynfste.exe; yxogltoo.exe.
  • Dynamic Link Libraries: blztstulla.dll; blztstullc.dll; blztstullj.dll; blztstullp.dll; blztstulls.dll; blztstullt.dll; blztstully.dll; blztstullpr.dll; blztstulltr.dll; blztstulloo.dll; chksbdrlya.dll; eaeeishllblc.dll; eelykofrllfrpr.dll; eelykofrllfrj.dll; ealymfrprwch.dll; epllkeeoopr.dll; freabrlaouw.dll; gldqumssfrie.dll; hglllyxrxw.dll; icdrhwno.dll; heeachmstll.dll; meepajlr.dll; ousszidrta.dll; plg_ie*.dll; prxzoustustgr.dll; prnouestssstx.dll; quizbt*.dll; quglwachfs.dll; sstroallhqch.dll; tblchepruprgr.dll; trstshcrscksr.dll; ukfroigl.dll; upckeetoutw.dll; veaeyglckr.dll; woafrquzn.dll; yeecrsoustoull.dll; ziebaeeoaeepr.dll.
  • Directory/Search Page: and many others.
  • Uninstall page URL: See: How to Remove Lop.
  • Related Articles: Important Removal Tool Note.
  • Notes: Lop has utilized stealth downloads and has downloaded via bundling in the past. Some variants of this infection can also effect the Mozilla and Netscape browsers. See: How to Remove Lop.


Claria, Gain, Gator

  • Executable Files: cmessys.exe; fsg.exe; fsg-ag.exe; fsg*.exe; gain_trickler_*.exe.
  • Dynamic Link Libraries:
  • Directory/Search Page:
  • Uninstall page URL: See: How to Remove Claria, Gain, Gator.
  • Related Articles: Important Removal Tool Note.
  • Notes: This infection generally downloads bundled with other software which the user has voluntarilty accepted. It utilizes a "trickler" technology designed to limit its use of processor time. It claims to be entirely removable via the Windows "Add/Remove Programs" utility. It provides uninstall instructions at the above URLs. See: How to Remove Claria, Gain, Gator.



  • Executable Files: actalert.exe; goldentiger.exe; idctup20.exe; optimize.exe; thi6026.tmp\preinstt.exe; ssupdate.exe; view-m~1.exe.
  • Dynamic Link Libraries: iopti130.dll; nem207.dll; nem211.dll; nem214.dll; nem219.dll; nem220.dll; wsem210.dll; wsem216.dll; wsem218.dll; wsem302.dll; wsem303.dll.
  • Directory/Search Page:
  • Uninstall page URL:
  • Related Articles: Important Removal Tool Note.
  • Notes: DyFuCa is a porn dialer trojan. When downloaded as part of InternetOptimizer, it is also a 404 page ("Page Not Found") hijacker. The Spyware Information Center lists the following aliases: Spyware/Dyfuca [Panda], Spyware/SafeSurf [Panda], [Kaspersky], [Kaspersky], TrojanDownloader.Win32.Dyfuca.dc [Kaspersky], Trojan-Downloader.Win32.Dyfuca.dp [Kaspersky], TrojanDownloader.Win32.Dyfuca.gen [Kaspersky], Win32/TrojanDownloader.Dyfica.NAB trojan [Eset], Win32/TrojanDownloader.Dyfica.NAC trojan [Eset]. See: How to Remove DyFuCa.

EasyBar, HotOffers

  • Executable Files: dwvem.exe; file_0.exe; iau.exe; lssas.exe ; mservice.exe; msqdevl.exe; runwin32.exe; stisvsq.exe; svshost.exe; tibs3.exe [a.k.a. Troj/HideDial-A]; wininet32.exe.
  • Dynamic Link Libraries: csrss.dll.
  • Directory/Search Page:
  • Uninstall page URL:
  • Related Articles: Important Removal Tool Note.
  • Notes: The url is no longer an active search engine. More recent versions of this infection appear to involve single ad pages, pop-ups and pop-unders, and redirects to hard porn sites. They utilize a CHM exploit to execute through an unpatched Microsoft hole. If you have "iau.exe" on your machine without "runwin32.exe" you have the far more virulent, newer, heavily bundled CHM exploit version. This version somehow hides in the Windows text files areas, if removed, and reinstalls on the next reboot. See: How to Remove EasySearch, HotOffers.

EliteBar, Elite Toolbar, Elite SideBar, Elitum, ETBRUN, SearchMiracle, YupSearch

FastWebSearch, FreshBar

GlobalWebSearch, ISearch



  • Executable Files: wtoolss.exe.
  • Dynamic Link Libraries: ...btiein.dll; ...msielink.dll; ...msiein.dll; ...qdow.dll; ...SToolbar.dll; ...toolbar.dll; ...WToolsB.dll.
  • Directory/Search Page:
  • Uninstall page URL:
  • Related Articles: Important Removal Tool Note.
  • Notes: "Toolbar.dll" is a name widely used for legitimate and malware BHOs. It is not necessarily indicative of a particular BHO. See: How to Remove HuntBar.

Ibis Toolbar

  • Executable Files: wintools.exe; wsup.exe; wtoolsa.exe.
  • Dynamic Link Libraries: common.dll; toolbar.dll.
  • Directory/Search Page:
  • Uninstall page URL:
  • Related Articles: Important Removal Tool Note.
  • Notes: This malware is related to HuntBar and WinTools. "toolbar.dll" and "common.dll" are names used for legitimate and malware BHOs. They are not necessarily indicative of a particular BHO. See: How to Remove Ibis Toolbar.


  • Executable Files: aaa.exe; bbb.exe; iagold.exe; msudpb.exe ; py.exe; zzb.exe.
  • Dynamic Link Libraries: ieloader.dll; msudpb.dll.
  • Directory/Search Page:
  • Uninstall page URL:
  • Related Articles: Important Removal Tool Note.
  • Notes: Added by TrojanDownloader.Small.RR. Installs TrojanDialer.Freeload, which, according to Symantec, "is an ActiveX component that can be used by Web pages to download dialer programs. The dialer program may be used to access premium-rate services including pornographic and astrological services." See: How to Remove IELoader.



ISTBar, SideFind.

  • Executable Files: gjefpet.exe; istdownload.exe; istrecover.exe; istsvc.exe; juhpad.exe; sfsetup.exe; sidefind.exe; srchupdt.exe.
  • Dynamic Link Libraries: cmctl.dll; istactivex.dll; istbar.dll; istbarcm.dll; istbar_dh.dll; mscache.dll; sfbho.dll; sidefind.dll; sidefind13.dll; srchfst.dll; ysb.dll; ysbactivex.dll.
  • Directory/Search Page:
  • Uninstall page URL:
  • Related Articles: Important Removal Tool Note.
  • Notes: According to the Spyware Information Center, this infection is also known as: Adware/SearchFast [Panda], Adware/SideFind [Panda], Spyware/ISTbar [Panda], Trojan Horse [Panda], TrojanDownloader.Win32.Istbar.eo, TrojanDownloader.Win32.IstBar.gen [Kaspersky]. This infection is spread by stealth downloads, generally from game and porn sites. Numerous variants are at large and some may not be removable by the removal tool referenced on this page. All variants use a corresponding variant of the TrojanDownloader.Win32.IstBar. ISTBar may download various other parasites while installed. These items may have to be removed separately. See: How to Remove ISTBar.

KeenValue, SearchUpgrader Toolbar

  • Executable Files: SearchUpgrader.exe.
  • Dynamic Link Libraries: bho.dll; pwrs0rbi.dll; IncFindBHO.dll.
  • Directory/Search Page:
  • Uninstall Page URL:
  • Related Articles: Important Removal Tool Note.
  • Notes: Some versions of these infections are also known as eUniverse (Ad-Aware), KeenValue (Mcafee), Euniverse (PestPatrol), PowerSearch (PestPatrol), eUniverse.IncrediFind (Spybot), KeenValue.PerfectNav (Spybot), Adware.Keenval (Symantec), SPYW_KEENVAL.A (Trend Micro). See: How to Remove KeenValue.

Mirar Toolbar

MySearchBar, MyWay Speed Bar, MyWebSearch

NavExcell Toolbar

  • Executable Files:
  • Dynamic Link Libraries:
  • Directory/Search Page:
  • Uninstall page URL:
  • Related Articles:
  • Notes:


nCase, Zango

  • Executable Files: 180adsolution.exe; 180ax.exe; msbb.exe; saap.exe; saie.exe; sain.exe; sais.exe; salm.exe; zango.exe.
  • Dynamic Link Libraries: 180adsolutionhook.dll ; 180axhook.dll; atpartners.dll; msbbhook.dll; ncmyb.dll; saaphook.dll; saiehook.dll; sainhook.dll; saishook.dll; zangohook.dll.
  • Directory/Search Page:
  • Uninstall page URL:
  • Related Articles: Important Removal Tool Note.
  • Notes: These items stealth install. See Spyware Information Center on Zango variant: "Based on eTrust PestPatrol Spyware Scorecard v2.05.03 Zango violates the following criteria: First, Installs itself or any other item without user permission or knowledge at time of installation...." See: How to Remove nCase, Zango.

Network Essentials, SmartPops

  • Executable Files: launcher.exe; ne.exe; networkessentials.exe; rh.exe.
  • Dynamic Link Libraries: me1.dll; ne.dll; networkessentials.dll.
  • Directory/Search Page:
  • Uninstall Page URL: (vendor's manual removal instructions only).
  • Related Articles: None.
  • Notes: Uses trojan downloader. According to Spyware Information Center: "Gathers info on your browsing habits to display popup ads targeted at your interests. Info gathered includes: Username, Zip, Gender, Age, Country, Address, Email, LastName, FirstName, CPU Speed, OS Version, Memory, SubProvider, Provider, Providers, Download."


  • Executable Files:
  • Dynamic Link Libraries: sbus.dll.
  • Directory/Search Page:
  • Uninstall page URL:
  • Related Articles:
  • Notes:


  • Executable Files: htmlsync.exe; icasserv.exe; isystem.exe; ldriver.exe; zlibc.exe.
  • Dynamic Link Libraries: k6c40rvk.dll; rcj.dll.
  • Directory/Search Page:
  • Uninstall page URL:
  • Related Articles: HijackThis vs. SearchForFree (June 15, 2005); Important Removal Tool Note.
  • Notes: The file "icasserv.exe" is the downloader for this infection and is a also known as the "icasserv-a trojan" (a.k.a. AdClicker-CM , TROJ_ICASERV.A, and Trojan-Clicker.Win32.Small.fd) . The file "nvdsvc32.exe" is associated with "icasserv.exe" and may be present. The most recent variant of this infection downloads the file "zlibc.exe" instead of "icasserv.exe". The file zlibc.exe indicates that the infection is being downloaded by the Troj/Chorus-A (a.k.a. AdClicker-CM and Trojan-Clicker.Win32.Small.ft ) as of late June 2005. As of early July 2005, it is not clear whether fixes for the "fd" version of the infection work for the "ft" version. See: How to Remove SearchForFree.

SearchHH, SearchMeUp, UmaxSearch, WhitePages


  • Executable Files: ...searchrelevancy\uninstall.exe.
  • Dynamic Link Libraries: searchrelevancy.dll.
  • Directory/Search Page: None.
  • Uninstall page URL:
  • Related Articles: Important Removal Tool Note.
  • Notes: According to DoxDesk, "SearchRelevancy is an Internet Explorer Browser Helper Object (BHO) that adds advertising links to search engine results pages as fake results. Clicking the links sends the browser to the listed site via a hidden redirect through which adds affiliate codes to the URL. " See: How to Remove SearchRelevancy.


  • Executable Files: C:\Windows\System32\web.exe.
  • Dynamic Link Libraries:
  • Directory/Search Page:
  • Uninstall page URL:
  • Related Articles: None.
  • Notes: Downloaded by Trojan.Anicmoo which utilizes Windows vulnerability described in Microsoft Security Bulletin MS05-002: "Cursor and Icon Format Handling Vulnerability - CAN-2004-1049: A remote code execution vulnerability exists in the way that cursor, animated cursor, and icon formats are handled. An attacker could try to exploit the vulnerability by constructing a malicious cursor or icon file that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system. " The trojan downloads the file "SecurityRisk.Downldr" which downloads "update.txt" which in turn downloads the Browser Helper Object (BHO) to connect to


  • Executable Files: bios32.exe; boot.exe; f0e66c68.exe; hjfp.exe; infwin.exe.
  • Dynamic Link Libraries: ablui.dll; akledit.dll; blowfish.dll; iehelper.dll; ktp6177s1.dll; multimpp.dll; rdfsaps.dll; vx2.dll.
  • Directory/Search Page:
  • Uninstall page URL:
  • Related Articles: Important Removal Tool Note.
  • Notes: The following aliases are listed at the Spyware Information Center page for this malware: Adware/MSView [Panda], Application/HideWindow.A [Panda], Application/Psexec.A [Panda], Application/ToolWget.A [Panda], Backdoor Program [Panda], Backdoor.Bionet.405 [Kaspersky], Backdoor.IRC.Zapchast [Kaspersky], Backdoor.IRC.Zcrew [Kaspersky], Backdoor/Bionet.405!Server [Computer Associates], Backdoor/IRC.Zcrew [Computer Associates], Backdoor/ZCrew.B [Computer Associates], Backdoor/ZCrew.B.IRC [Computer Associates], Backdoor/Zcrew.G [Computer Associates], BAT.IRCFlood [Computer Associates], BAT.Noshare.B [Computer Associates], Bat/Flood.C!Trojan [Computer Associates], Bck/IRC.Mirc.Based [Panda], Bck/Multi.I [Panda], Bck/Zcrew.B [Panda], Bck/Zcrew.G [Panda], Blackstone Data Transponder. Was also distributed under the name NetPal by, but the software now available there is the newer NetPal parasite which isn't the same code., DoS.Win32.Nenet [Kaspersky], Flooder.Win32.WarPing [Kaspersky], Flooder/Nenet. A [Panda], IRC.Flood [Computer Associates], mIRC/Flood.I!Trojan [Computer Associates], mIRC/Flood.RmtCfg!Trojan [Computer Associates], NetPal, RemoteProcessLaunch [McAfee], Sputnik (name used by VX2), Spyware/BetterInet [Panda], Trj/Femad.A [Panda], Trj/Flood.BI [Panda], Trj/Passer.C [Panda], Trojan [Name used by Ad-aware], Trojan Horse [Panda], TrojanDownloader.Win32.Femad.b [Kaspersky], VX2 RespondMiter., VX2.Clean Get-Away, VX2.MSView, VX2.My PanicButton, VX2.Respondmiter, VX2.SiteHelper, VX2.Transponder, Win32.BettInet.C [Computer Associates], Win32.Bionet.405 [Computer Associates], Win32.Femad.A [Computer Associates], Win32.IRCFlood [Computer Associates], Win32.Startpage.KF!downloader [Computer Associates], Win32/Femad.B trojan [Eset], Win32/Rslocal.B!Downloader [Computer Associates], Win32/SillyDL.70656!Trojan [Computer Associates], Win32/Spybot.FR!Worm [Computer Associates], Win32/Startpage.KF!Downloader [Computer Associates]. See: How to Remove VX2.

VGS is in the process of compiling a Trojan and Worm Appendix to the Malware Identifier Index. At present the following trojans/worms (listed by one or more popular name or by key file shown in parentheses) are being investigated and a freeware or trialware removal tool has been found:

Trojans: AdClicker-H; Win32.Backdoor.AfCore; Win32.Agent.Trojan;;; TrojanDownloader.Win32.Agent.z; Trojan/Backdoor-BDD; Win32.TrojanSpy.Banker; Win32.Dasmin.B; Trojan/Dasmin-F; Win32.Delf.Trojan.A; Trojan/Dloader-AB; Trojan/Downloader-LO; Win32.Trojan.IEStartpage; Win32.Trojan.Krepper; Win32.TrojanDownloader.Lemmy; Win32.Mitglieder Trojan; Trojan.Poldo.B; Win32.Trojan.Post; Win32.Backdoor.RBot; Win32.Dialer.Saristar; Win32.Sced.Trojan; Win32.Small.Trojan; Win32.TrojanDownloader.Small; Win32.TrojanProxy.Small; Win32.Backdoor.Spyboter;

Worms: Win32.Padobot; Win32.Sasser; Win32.Spybot.worm.

  • The above malware items can be removed by Lavasoft's Ad-Aware freeware.

Trojans: Win32.Bagle.AV; Win32.Bagle.B; Win32.Bagle.C; Win32.Bagle.E; Win32.Bagle.F; Win32.Bagle.G; Win32.Bagle.H; Win32.Bagle.I; Win32.Bagle.J; Win32.Bagle.N; Win32/Crowt-A; Trojan/Win32.Hwbot-A; Trojan/Haxdoor-H; Trojan/Peper; Trojan/RS-Local-A; Win32.R-Bot; Trojan/Startpage-EH; Backdoor.VB.nb; TrojanDownloader.Win32.VB.q; Trojan/Webus-D; Trojan/Winser-A; Trojan/Zwax.

  • The above malware items can be removed by Spybot S&D.

Trojans: (installer_MEDIAWHIZ3.exe; installer_MARKETING10.exe; installer_MARKETING11.exe ) TrojanDownloader.Adload.a; (A0000090.exe ) TrojanDownloader.Apropo.r; (GLF6EGLF6E.EXE ) TrojanDownloader.TSUpdate.f; (61[1].bin ) TrojanDropper.Small.ul.

  • The above malware items can be removed by the Ewido 14-day trialware product on the other side of this >>> link

Trojans: Backdoor.Win32.Wootbot; Backdoor.Win32.Agobot; Backdoor.Win32.Forbot; Backdoor.Win32.Rbot; Worm.P2P.Spybot; Backdoor.Win32.IRCBot; Backdoor.Win32.SdBot; Backdoor.Win32.Poebot; Backdoor.Win32.Codbot.

Worms: I-Worm.BadtransII; Badtrans.B@mm; W32/Badtrans.B ; WORM_BADTRANS.B; W32/Badtrans-B; W32/Badtrans.B@mm; W32/BadTrans@MM; Win32.Badtrans.29020; Worm/Badtrans.B.

Worms: W32/Bagle.A@mm W32/Bagle.B@mm W32/Bagle.C@mm W32/Bagle.D@mm W32/Bagle.E@mm W32/Bagle.F@mm W32/Bagle.G@mm W32/Bagle.H@mm W32/Bagle.I@mm W32/Bagle.J@mm W32/Bagle.K@mm W32/Bagle.L@mm W32/Bagle.M@mm W32/Bagle.O@mm W32/Bagle.U@mm W32/Bagle.V@mm W32/Bagle.W@mm W32/Bagle.X@mm W32/Bagle.Y@mm W32/Bagle.Z@mm W32/Bagle.AL@mm W32/Bagle.AC W32/Bagle.AF@mm W32/Bagle.AH@mm W32/Bagle.AI@mm W32/Bagle.AN@mm W32/Bagle.AO@mm W32/Bagle.AT@mm W32/Bagle.AU@mm W32/Bagle.AV@mm ("test version") W32/Bagle.AX@mm W32/Bagle.AY@mm Email-Worm.Win32.Bagle.bc Email-Worm.Win32.Bagle.pac (1 variant).

Trojans: W32/Mitglieder.S W32/Mitglieder.T W32/Mitglieder.AA W32/Mitglieder.AJ W32/Mitglieder.AG W32/Mitglieder.AV.

Worms: W32/Bugbear.A; W32/Bugbear.B; (I-Worm.Tanatos.A); (I-Worm.Tanatos.B).

Trojans: Trojan.Win32.Killav.q.

Worms: Win32.Deborm.R; Backdoor.Litmus.203; W32/Litmus.C; Backdoor.SDbot.gen; W32/SDBot.J.