!!! A MUST READ OF HOW IWON IS EXPOSING YOUR PERSONAL INFORMATION !!!
Aornum on XP is the pathway to Hades!!!
How chillingly applicable that the spy ware utility installed by the Iwon prize machine is called "Aornum" after Greek Mythology for "Pathway to Hades" (http://www.mythweb.com/encyc/entries/aornum.html). Well removing this Trojan is no less than a hellish task for sure and I would have to say that XP is probably the HARDEST system to remove it on (save performing a System Restore if caught early enough) but it IS do-able.
This is not a posting requesting HOW TO DO IT, but rather a posting saying ***YOU BETTER DO IT*** if you have it on your XP system. Add/Remove programs will show you that it is installed on your system; MSconfig will show you that it is running at start-up; Ad-Aware will tell you that it is spy ware, and Regedit (even AFTER running Ad-Aware) will reveal additional keys that it is embedded in but it takes a combination of ALL OF THE ABOVE and a little bit of diligence to remove this annoying program.
*** HOW_IT_GOT_THERE ***
Well that's another posting for sure... or at least a VERY FLAMING EMAIL TO IWON (http://www.iwon.com) for this intrusion of privacy and temporary crippling of my network.
*** HOW_TO_REMOVE_IT ***
1) Start out with Add/Remove Programs and uninstall ANY IWON software showing up in the list.
2) Next Install Ad-Aware with the latest Ref updates from Lava Soft (http://www.lavasoftusa.com) and run a full scan and remove all unwanted uglies.
3) Locate as many (and maybe more) of the following Program File Folders that exist on your computer: Aornum, Ornum, Iwon (others have been reported if computer has been infected for a longer period of time - mine was only infected for 1 DAY AND IT WAS HELL ALREADY~!) You will not be able to delete these folders until AFTER the calls to the exe's and dll's in the folder have been REMOVED from the Registry. The following DLL was found on my system I1SRCHAS.DLL (IWon Search Assistant). On my computer the DLL was called to (from the registry) directly AND as an executable named "Aornum.exe" through the shared folder in C:\Program Files\Ornum\Aornum1 -> C:\Program Files\Iwon\SrchAstt\1.bin\i1srch.dll (Aornum.exe).
*** WHAT_IT_DOES ***
Well since I didn't really program the darn thing I am not really going to ramble with what it "might" be doing, but it is apparent that it is a "Search Assistant" of sorts that tries to integrate and HIDE itself while it slams your bandwidth transmitting information OFF of your computer (didn't take the time to notice where...).
*** IWON'S CLAIM THAT THEY WILL COLLECT THE FOLLOWING PERSONAL INFORMATION - Name, Address, Credit Card Info, Browser Urls and additional "personal" information: http://www.iwon.com/home/companyinfo/privacy/privacy_overview/0,11882,,00.html#1
*** OTHER_HELPFUL_SITES_&_POSTS ***
It re-installs itself after revisiting Iwon if it was not completely removed the first time: http://pub176.ezboard.com/ffluffystidbitsfrm6.showMessage?topicID=82.topic
Aornum.exe will rename to other executables and directories to continue hiding from you - Example Tensoft.exe: http://miataru.computing.net/windowsme/wwwboard/forum/28407.html
You may be able to use Spybot Search & Destroy to remove Aornum (though I haven't tried it myself to know if it will COMPLETELY REMOVE IT) - http://security.kolla.de/
Other Forum Posts:
http://www.computing.net/security/wwwboard/forum/1890.html
http://www.computing.net/windowsme/wwwboard/forum/28407.html
http://www.computing.net/windows95/wwwboard/forum/124030.html
http://www.computing.net/windowsme/wwwboard/forum/28134.html
*** REGISTRY_KEYS_INFECTED ***
Here are the Registry Keys that I had to remove from my XP Pro System: ***NOTE: Removing Keys should NEVER BE DONE WITHOUT BACKING UP YOUR REGISTRY... and a little knowledge of what you’re doing :)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Aornum]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Aornum"
"hkey"="HKLM"
"command"="C:\\Program Files\\Ornum\\Aornum1\\1.bin\\Aornum.exe"
"inimapping"="0"
[HKEY_CLASSES_ROOT\TypeLib\{6D4E8F5B-2460-4DD0-920D-F49EA311FBBA}]
*AND SUB KEYS*
[.\1.0]
@="Aornum13753"
[.\1.0\0\1.0\0\win32]
@="C:\\Program Files\\Ornum\\Aornum1\\1.bin\\Aornum.exe"
[.\1.0\FLAGS]
@="0"
[.\1.0\HELPDIR]
@="C:\\Program Files\\Ornum\\Aornum1\\1.bin"
[HKEY_CLASSES_ROOT\TypeLib\{08E1C8E0-E565-44FC-A766-C9539BB3ABB7}]
*AND SUB KEYS*
[.\1.0]
@="Search Assistant 1.0 Type Library"
[.\1.0\0\win32]
@="C:\\Program Files\\iWon\\SrchAstt\\1.bin\\I1SRCHAS.DLL"
[.\1.0\FLAGS]
@="0"
[.\1.0\HELPDIR]
@="C:\\Program Files\\iWon\\SrchAstt\\1.bin\\"
[HKEY_CLASSES_ROOT\CLSID\{08E1C8E1-E565-44fc-A766-C9539BB3ABB7}]
@="iWon Search Assistant BHO"
*AND SUB KEYS*
[.\InprocServer32]
@="C:\\Program Files\\iWon\\SrchAstt\\1.bin\\I1SRCHAS.DLL"
"ThreadingModel"="Apartment"
[.\Programmable]
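The post says to back up the registry first and that the folders cannot be deleted until every registry value pointing into them is gone. The following is an added example, not part of the original post: it searches the text of a registry export for string values that reference those folders. The function names, the sample export, and the assumption that the folders sit under C:\Program Files are constructed for illustration.

```python
import re
# Folder names are from the post; placing them under C:\Program Files is assumed.
SUSPECT_DIRS = (r"c:\program files\ornum", r"c:\program files\iwon",
                r"c:\program files\aornum")

# Constructed sample in regedit export syntax, using values quoted in the post
# plus one unrelated entry (ctfmon) added for contrast.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Aornum]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"command"="C:\\Program Files\\Ornum\\Aornum1\\1.bin\\Aornum.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CLASSES_ROOT\CLSID\{08E1C8E1-E565-44fc-A766-C9539BB3ABB7}\InprocServer32]
@="C:\\Program Files\\iWon\\SrchAstt\\1.bin\\I1SRCHAS.DLL"
'''

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def unescape(text):
    """Undo .reg escaping, where backslash and quote are backslash-escaped."""
    return re.sub(r'\\(.)', r'\1', text)

def find_references(reg_text, dirs=SUSPECT_DIRS):
    """Return (key, value name, data) for string values pointing into dirs."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # section header names the current key
            continue
        match = VALUE_RE.match(line)
        if not (match and key):
            continue
        name, data = match.groups()
        if len(data) < 2 or not (data[0] == data[-1] == '"'):
            continue                  # skip dword:/hex: data, only strings hold paths
        name = "(Default)" if name == "@" else unescape(name[1:-1])
        value = unescape(data[1:-1])
        if any(d + "\\" in value.lower() for d in dirs):
            hits.append((key, name, value))
    return hits

if __name__ == "__main__":
    for key, name, value in find_references(SAMPLE_EXPORT):
        print(f"{key}\n    {name} = {value}")
```

A real regedit version 5.00 export is saved as UTF-16, so open it with `encoding="utf-16"` before passing the text in. The scan is read-only and only lists keys to review.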

Hmmm. Another one of "those" programs. I haven't heard of this particular program though. Aornum is on Spybot Search and Destroy's target list, I saw that. Thanks for the "heads up" Michael. Man! You practically need a shield to surf anymore. Regards. JB

Great post Michael! Thanks for the info.
I know someone who used to (or maybe still does) have iwon.com set as her homepage. I'll let her know about this too. The web is NOT a safe place unfortunately.


This post is quite old and has been locked from receiving new replies. Please create a new posting instead.