Virus Profile: ALS/Bursted

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 12/10/2003
Date Added: 12/15/2003
Origin: N/A
Length: Varies
Type: Virus
Subtype: AutoLisp
DAT Required: 7134

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Running the BURST command in AutoCAD displays a message in Chinese.

Presence of the above-mentioned behavior.

Methods of Infection

Infected "acad.lsp" file.

It automatically infects the "acad.lsp" and "acad.mnl" files on the compromised machine.

Aliases

ACAD/Bursted, ALS.Bursted.A (NAV)
   

Virus Characteristics

----------------------Updated on Feb 12 2014 ---------------------

Aliases
  • Microsoft    -    Virus:ALisp/Bursted.BD
  • Kaspersky    -    Virus.Acad.Bursted.a
  • Symantec     -    ALS.Bursted.A
  • Ikarus       -    Trojan.Lisp.Bursted.A

ALS/Bursted is a virus written in AutoLISP, the scripting language of AutoCAD. The virus may spread via removable drives and mapped network drives.

ALS/Bursted loads its own script automatically whenever the user opens a .dwg file, and it copies itself into every directory that contains AutoCAD drawing (.dwg) files, which is how it travels with drawings on removable and mapped drives.

ALS/Bursted searches for the path of "base.dcl" in order to locate the AutoCAD Support directory (%AppData%\Autodesk\AutoCAD [year]\R[Version]\enu\Support\). "base.dcl" is a stock AutoCAD dialog definition file, so finding it reveals the support path regardless of the installed version.

ALS/Bursted edits the existing global acad.lsp, or creates one, so that AutoCAD loads the virus from acadiso.lsp at startup.

ALS/Bursted also infects the "acad.lsp" and "acad.mnl" files in the AutoCAD Support directory by appending the following two lines, so that its code is loaded automatically whenever a drawing (.dwg) file is opened:

(load"acadiso")
(princ)

ALS/Bursted also undefines the following AutoCAD commands:

  • attedit
  • xref
  • xbind


ALS/Bursted then replaces the attedit command with a dummy one. The dummy attedit prompts "Select objects:", then displays "Seltct objects: nfound" (sic), where n is a number, and finally displays the message "n was not able to be attedit".

Upon execution the following files are created (acad.lsp and acadiso.lsp are copies of the virus; the %Temp% entries are AutoCAD's own temporary working files and are not reliable infection indicators on their own):

  • %AppData%\Autodesk\AutoCAD [Year]\R[Version]\enu\Support\acad.lsp
  • %AppData%\Autodesk\AutoCAD 2006\R[Version]\enu\Support\acadiso.lsp
  • %Temp%\AdskCleanup.0001.dir.0000\PfdRun.pfd
  • %Temp%\AdskCleanup.0001.dir.0000\~de6c66.tmp
  • %Temp%\AdskCleanup.0001.dir.0000\~df394b.tmp
  • %Temp%\AdskCleanup.0001.dir.0000\~efe2.tmp
  • %Temp%\UNDO.ac$

The following files are modified on the system (the profile and tool-palette files under Profiles, RegisteredTools and ToolPalette are rewritten by AutoCAD at every start and are not infection-specific):

  • %AppData%\Autodesk\AutoCAD [Year]\R[Version]\enu\Support\acad.mnr
  • %AppData%\Autodesk\AutoCAD [Year]\R[Version]\enu\Support\Profiles\FixedProfile.aws
  • %AppData%\Autodesk\AutoCAD [Year]\R[Version]\enu\Support\Profiles\Unnamed Profile\Profile.aws
  • %AppData%\Autodesk\AutoCAD [Year]\R[Version]\enu\Support\RegisteredTools\AcTpTools.atc
  • %AppData%\Autodesk\AutoCAD [Year]\R[Version]\enu\Support\ToolPalette\AcTpCatalog.atc
  • %AppData%\Autodesk\AutoCAD [Year]\R[Version]\enu\Support\ToolPalette\Palettes\Annotation_A0CCA60A-AB56-4EFD-83A5-8764BC08CDA8.atc

The following registry keys are deleted from the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.StdDataFormats.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.StdDataFormats.1\CLSID

The following registry keys are added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DirectPlayVoice.AutoCAD.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DirectPlayVoice.AutoCAD.1\CLSID

The following registry values are added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F052BAEB-B11D-05A4-2399-0727DCE7669E}\: "Microsoft Office 9"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DirectPlayVoice.AutoCAD.1\CLSID\: "{6D022BCF-1586-0FAB-80BB-3F013EAF53AA}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DirectPlayVoice.AutoCAD.1\: "DirectPlayVoice Class"

The following registry values are modified on the system:

  • HKEY_USERS\S-1-5-21-[Varies]\Software\Autodesk\AutoCAD\R[Version]\ACAD-4001:409\3DGS Configuration\GSHEIDI10\CustomHeidiDriver: ""
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Autodesk\AutoCAD\R[Version]\ACAD-4001:409\3DGS Configuration\GSHEIDI10\CustomHeidiDriver: "wopengl8.hdi"

----------------------Updated on Jan 27 2014 ---------------------


Aliases
  • Microsoft    -    Virus:ALisp/Bursted.BP
  • Kaspersky    -    Virus.Acad.Bursted.b
  • Symantec     -    ALS.Bursted.A
Characteristics –

ALS/Bursted is a virus written in AutoLISP, the scripting language of AutoCAD. The virus may spread via removable drives and mapped network drives.
ALS/Bursted loads its own script automatically whenever the user opens a .dwg file, and it copies itself into every directory that contains AutoCAD drawing (.dwg) files.
This variant also acts as a downloader: it fetches an executable from the following URL
  • hxxp://advg[Removed]ch.com/love.scr
Upon execution it copies itself to the following locations:
  • %System%\<random_name>.exe
  • %Windir%\<random_name>.exe
Upon execution it creates the following INI file:
  • %System%\autorun.ini
Upon execution the virus also drops LNK (shortcut) files.

The user may receive e-mail messages such as the following, each carrying the download URL:

  • happy valentine day screen saver from hxxp://advg[Removed]ch.com/love.scr  -> eg: (hxxp://www.mydre[Removed]ld.50webs.com, hxxp://advgoo[Removed]spot.com)
  • golden lovers rose screen saver from hxxp://advg[Removed]ch.com/love.scr   -> eg: (hxxp://www.mydre[Removed]ld.50webs.com, hxxp://advgoo[Removed]spot.com)
  • rose is always red ,see in hxxp://advg[Removed]ch.com/love.scr  -> eg: (hxxp://www.mydre[Removed]ld.50webs.com, hxxp://advgoo[Removed]spot.com)
The following registry values are modified on the system:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Default_Page_URL" = "Malicious site"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Default_Search_URL" = "Malicious site"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Search Page" = "Malicious site"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Start Page" = "Malicious site"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" = "Malicious site"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe randomname_.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Chrome3"   Data: C:\WINDOWS\system32\chromechrist.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "google"  Data: hxxp://www.chrome10.com
The Winlogon Shell and Run entries above confirm that the virus is executed at every system boot.
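
The Run, Winlogon and Internet Explorer entries above are the kind of thing an incident responder checks from a registry export rather than by eye. The following is an added example (not code from the original profile) that parses `reg export` style text and flags the three patterns this update describes. SAMPLE_REG is constructed to look like an export of the affected keys; the random executable name, the URL host and the "OneDrive" control entry are stand-ins, and the Windows-directory, URL and host-allowlist heuristics are the example's own choices, not part of the profile.

```python
"""Audit `reg export` text for the persistence and hijack entries described
in the Jan 2014 ALS/Bursted update: a Winlogon Shell value with a second
program appended, Run values that point into the Windows directory or at a
URL, and Internet Explorer start/search pages moved to an unknown host.

Added example; SAMPLE_REG and the heuristics are constructed for the demo.
"""
import re

# Constructed export fragment (stand-in names; not a real infected host).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe qzxw_.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Chrome3"="C:\\WINDOWS\\system32\\chromechrist.exe"
"google"="http://www.example.invalid"
"OneDrive"="\"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.example.invalid/"
"Search Page"="http://go.microsoft.com/fwlink/?LinkId=54896"
"""

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"=(.*)$')
IE_VALUES = {"start page", "default_page_url", "search page", "default_search_url"}
# Drop locations the profile lists: %System%\<random>.exe and %Windir%\<random>.exe
WINDOWS_DIR_RE = re.compile(r"^(?:[a-z]:\\windows\\|%systemroot%\\|%windir%\\)")
# Assumed-legitimate start/search hosts; a real deployment supplies its own.
DEFAULT_ALLOWED_HOSTS = {"go.microsoft.com", "www.msn.com"}


def parse_reg(text):
    """Yield (key, name, data) from .reg text. String data is unescaped;
    dword:/hex: data is passed through as written."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        yield key, name, data


def first_token(cmdline):
    """Executable part of a Run value: the quoted path, or text up to the first space."""
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def audit(text, allowed_hosts):
    """Return sorted (kind, value_name, data) findings for the three patterns."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k.endswith(r"\winlogon") and name.lower() == "shell":
            # Anything beyond the bare explorer.exe is a second shell process.
            if data.strip().lower() != "explorer.exe":
                findings.append(("winlogon-shell", name, data))
        elif k.endswith((r"\currentversion\run", r"\currentversion\runonce")):
            tok = first_token(data).lower()
            if tok.startswith(("http://", "https://", "hxxp://")):
                findings.append(("run-url", name, data))
            elif WINDOWS_DIR_RE.match(tok):
                findings.append(("run-in-windows-dir", name, data))
        elif k.endswith(r"\internet explorer\main") and name.lower() in IE_VALUES:
            host = re.sub(r"^https?://", "", data.lower()).split("/", 1)[0]
            if host not in allowed_hosts:
                findings.append(("ie-hijack", name, data))
    return sorted(findings)


def demo():
    return audit(SAMPLE_REG, DEFAULT_ALLOWED_HOSTS)


if __name__ == "__main__":
    for kind, name, data in demo():
        print(f"{kind:20} {name!r:14} {data}")
```

To run it against a live machine, export the three keys with reg export (for example reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg), read the files with encoding="utf-16" (reg export writes Unicode) and pass the concatenated text to audit().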


--------------------------------------------------------------------------------------

------------------------------------Updated on 19 Dec 2013 ------------------------

Aliases

  • Avast        -    ALS:Bursted-A
  • Kaspersky    -    Virus.Acad.Bursted.b
  • Fortinet     -    ACM/Bursted.B
  • Microsoft    -    Virus:ALisp/Bursted.gen!A
  • Symantec     -    ALS.Bursted.B

ALS/Bursted is a virus written in AutoLISP, the scripting language of AutoCAD.

The virus first reads the name of the current drawing with the AutoLISP call below; if the name is Drawing1.dwg (the default name of a new, unsaved drawing) it saves the drawing into the "My Documents" folder as Drawing1.dwg.

AutoLISP call: (getvar "dwgname")

The virus then searches for the path of "base.dcl" in order to locate the AutoCAD Support directory (%AppData%\Autodesk\AutoCAD [year]\R[Version]\enu\Support\).

The virus checks for the presence of "acadappp.lsp" in the AutoCAD Support directory. If the file does not exist, it copies itself there as "acadappp.lsp"; the load line it appends to acad.mnl (below) then brings the file in every time a drawing is opened, so the virus runs on every subsequent AutoCAD start.

The virus also infects the "acad.mnl" file in the AutoCAD Support directory by appending the following lines:

(load "acadappp.lsp")
(princ)


Whenever the user opens a *.dwg file, the virus checks for existing "acad.lsp" and "acadapp.lsp" files. If they are found, it reads the first line and looks for the marker ";;;"; if the marker is absent, it replaces the file's entire content with ";;;" (wiping any legitimate site startup code in the process).

It also copies itself as "acad.lsp" into the current working directory, alongside the *.dwg files. AutoCAD searches the current directory for acad.lsp before the support path, so a drawing carried to another machine together with this file re-infects that machine when the drawing is opened.

Upon execution the following files are added to the system:
  • [*.dwg current working directory]\acad.lsp
  • %AppData%\Autodesk\AutoCAD [year]\R[Version]\enu\Support\acadappp.lsp
  • %AppData%\Autodesk\AutoCAD [year]\R[Version]\enu\Support\acetmain.mnr
  • %USERPROFILE%\My Documents\Drawing1.dwg
  • %USERPROFILE%\My Documents\Drawing1.dwl
The following files are modified on the system:
  • %AppData%\Autodesk\AutoCAD [year]\R[Version]\enu\Support\acad.mnl
  • %AppData%\Autodesk\AutoCAD [year]\R[Version]\enu\Support\acad.mnr
Upon execution it also tries to connect to the following host:
  • FS1
------------------------------------Updated on 18 Dec 2013 ------------------------

Aliases

  • Avast        -    ALS:Bursted-A
  • Avira        -    ACAD/Bursted.C
  • Kaspersky    -    Virus.Acad.Bursted.b
  • Nod32        -    ALS/Bursted.AO

ALS/Bursted is a virus written in AutoLISP, the scripting language of AutoCAD. The virus may spread via removable drives and mapped network drives.

ALS/Bursted loads its own script automatically whenever the user opens a .dwg file, and it copies itself into every directory that contains AutoCAD drawing (.dwg) files.

ALS/Bursted edits the existing global acad.lsp, or creates one, so that AutoCAD loads the virus from acadiso.lsp at startup.

ALS/Bursted also infects the "acad.lsp" and "acad.mnl" files in the AutoCAD Support directory by appending the following two lines, so that its code is loaded automatically whenever a drawing (.dwg) file is opened:

(load"acadiso")
(princ)

ALS/Bursted also undefines the following AutoCAD commands:
  • attedit
  • xref
  • xbind
ALS/Bursted then replaces the attedit command with a dummy one. The dummy attedit prompts "Select objects:", then displays "Seltct objects: nfound" (sic), where n is a number, and finally displays the message "n was not able to be attedit".

Upon execution it copies itself to the following locations (the %TEMP% entries are AutoCAD's own temporary working files):
  • %APPDATA%\Autodesk\AutoCAD [Year]\R[Version]\enu\Support\acad.lsp
  • %APPDATA%\Autodesk\AutoCAD [Year]\R[Version]\enu\Support\acadiso.lsp
  • %APPDATA%\Autodesk\AutoCAD [Year]\R[Version]\enu\VLIDE.DSK
  • %TEMP%\AdskCleanup.0001.dir.0000\PfdRun.pfd
  • %TEMP%\AdskCleanup.0001.dir.0000\~de6c66.tmp
  • %TEMP%\AdskCleanup.0001.dir.0000\~df394b.tmp
  • %TEMP%\AdskCleanup.0001.dir.0000\~efe2.tmp
  • %TEMP%\UNDO.ac$
The following files are modified on the system:
  • %APPDATA%\Autodesk\AutoCAD [Year]\R[Version]\enu\Support\acad.mnr
  • %APPDATA%\Autodesk\AutoCAD [Year]\R[Version]\enu\Support\Profiles\FixedProfile.aws
  • %APPDATA%\Autodesk\AutoCAD [Year]\R[Version]\enu\Support\Profiles\Unnamed Profile\Profile.aws
  • %APPDATA%\Autodesk\AutoCAD [Year]\R[Version]\enu\Support\RegisteredTools\AcTpTools.atc
  • %APPDATA%\Autodesk\AutoCAD [Year]\R[Version]\enu\Support\ToolPalette\AcTpCatalog.atc
  • %APPDATA%\Autodesk\AutoCAD [Year]\R[Version]\enu\Support\ToolPalette\Palettes\Annotation_A0CCA60A-AB56-4EFD-83A5-8764BC08CDA8.atc
The following registry keys are deleted from the system:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\awApi4.AcPpPaletteSet.3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\awApi4.AcPpPaletteSet.3\CLSID
The following registry values are added to the system:
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Autodesk\AutoCAD\R[Version]\ACAD-4001:409\FixedProfile\General Configuration\DYNMODE: 0x00000003
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Autodesk\AutoCAD\R[Version]\ACAD-4001:409\Profiles\<<Unnamed Profile>>\Dialogs\Appload\Startup\NumStartup: "0"
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Autodesk\AutoCAD\R[Version]\ACAD-4001:409\Profiles\<<Unnamed Profile>>\Dialogs\Appload\FileFilter: "AutoCAD Apps (*.arx;*.lsp;*.dvb;*.dbx;*.vlx;*.fas)"
The following registry values are modified on the system:
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Autodesk\AutoCAD\R[Version]\ACAD-4001:409\3DGS Configuration\GSHEIDI10\CustomHeidiDriver: ""
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Autodesk\AutoCAD\R[Version]\ACAD-4001:409\3DGS Configuration\GSHEIDI10\CustomHeidiDriver: "wopengl8.hdi"

--------Updated on 12th Sep 2013------

Aliases
  • Microsoft    -    Worm:ALisp/Kenilfe.M
  • NOD32        -    ALS/Agent.AC
  • Ikarus       -    Worm.ALisp
Characteristics –

ALS/Bursted is a virus written in AutoLISP, the scripting language of AutoCAD.

This variant of ALS/Bursted is a Fast-Load AutoLISP (FAS) file for AutoCAD. FAS files are compiled LISP files normally used to add new functions to AutoCAD.

This variant is a malicious downloader: on execution it attempts to download several other files to the user's machine. The file cannot spread to other machines by itself, so it has to be dropped on the machine by some other means, usually an infected DWG file or other executable malware.
To execute automatically, the file is renamed ACAD.FAS and copied to the root folder of the AutoCAD installation. AutoCAD loads it automatically on startup.

Once executed, the malware attempts to download several files to the user's machine.

Upon execution it connects to the following URLs, over both HTTP and FTP:
  • hxxp://www.c[Removed]s.com/z/lspdl.exe
  • hxxp://cad[Removed]9.gxidc.com/z/logo.gif
  • hxxp://www.c[Removed]s.com/z/httpurl.asp
  • hxxp://www.c[Removed]s.com/z/updadat.asp
  • hxxp://www.c[Removed]s.com/z/vbsupdat.asp
  • fxp://ken[Removed]6.org/jhdl.exe
At the time of analysis the above sites were offline or were not serving the malicious files.

The downloaded files are dropped at various locations on disk, and the malware also creates files as infection markers so that it does not re-infect the system more than once.

The following files are created or modified on the system:

  • %Windir%\web\logo.exe
  • %Windir%\web\safemodelogo.gif
  • %ACADROOT%\Fonts\isohztxt.shx
  • %Windir%\DivX.fin
  • %Windir%\system32\SHFR.CMD
  • %PROGRAMFILES%\Microsoft Shared\MSInfo\DivX.cmd
  • %PROGRAMFILES%\temp.vbe

------Updated on 19th Nov 2012------

Aliases

  • Microsoft    -    Worm:ALisp/Blemfox.A
  • Symantec     -    ALS.Bursted.B
  • Ikarus       -    Email-Worm.Acad
  • Fortinet     -    ACM/Medre.A@mm

ALS/Bursted is a virus written in AutoLISP, the scripting language of AutoCAD. The virus may spread via removable drives and mapped network drives.

The virus loads its own script automatically whenever the user opens a .dwg file, and it copies itself into every AutoCAD file location it can find.

Upon execution it copies itself to the following locations (the %TEMP% entries are AutoCAD's own temporary working files):

  • %AppData%\Autodesk\AutoCAD [Year]\R[VERSION]\enu\Support\acad.fas
  • %AppData%\Autodesk\AutoCAD [Year]\R[VERSION]\enu\Support\cad.fas
  • %UserProfile%\Desktop\cad.fas
  • %TEMP%\AdskCleanup.0001.dir.0000\PfdRun.pfd
  • %TEMP%\AdskCleanup.0001.dir.0000\~de6c66.tmp
  • %TEMP%\AdskCleanup.0001.dir.0000\~df394b.tmp
  • %TEMP%\AdskCleanup.0001.dir.0000\~efe2.tmp
  • %TEMP%\UNDO.ac$
  • %ProgramFiles%\AutoCAD [Year]\Express\acad.fas
  • %ProgramFiles%\AutoCAD [Year]\Express\cad.fas
  • %ProgramFiles%\AutoCAD [Year]\Fonts\acad.fas
  • %ProgramFiles%\AutoCAD [Year]\Fonts\cad.fas
  • %ProgramFiles%\AutoCAD [Year]\Help\acad.fas
  • %ProgramFiles%\AutoCAD [Year]\Help\cad.fas
  • %ProgramFiles%\AutoCAD [Year]\Support\Color\acad.fas
  • %ProgramFiles%\AutoCAD [Year]\Support\Color\cad.fas
  • %ProgramFiles%\AutoCAD [Year]\Support\acad.fas
  • %ProgramFiles%\AutoCAD [Year]\Support\cad.fas
  • %WINDIR%\system32\Acad.fas
  • %WINDIR%\system32\趣味机械制图.rar (a GBK-encoded Chinese filename, roughly "fun mechanical drawing")
  • %WINDIR%\Acad.fas
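
Across the updates above the persistence mechanism is the same: a loader under one of a handful of names that AutoCAD picks up either from its Support folder or from the folder of the drawing being opened, plus a (load ...) line appended to acad.lsp or acad.mnl. The following is an added example (not code from the original profile, nor from Autodesk) that walks a directory tree and reports those artifacts. It covers the .fas drop names from this Nov 2012 update as well as the .lsp names and appended load lines from the Feb 12 2014, Dec 19 2013 and Dec 18 2013 updates; the sample tree it builds is constructed for the demo, and the allowlist of legitimate load targets is an assumption that a real deployment would fill in from its own add-ins.

```python
"""Triage scan for ALS/Bursted-style AutoLISP autoload persistence.

Added example (not code from the original profile). It creates a constructed
directory tree that mimics an AutoCAD Support folder plus two drawing folders,
then reports:
  * drop names from the profile (acad.lsp, acadiso.lsp, acadappp.lsp,
    acad.fas, cad.fas) sitting next to .dwg files or in the Support folder,
  * (load "...") calls in .lsp/.mnl files whose target is not on a
    caller-supplied allowlist (the space-less (load"acadiso") form included),
  * acad.lsp files reduced to the ";;;" infection marker.
Every file name and content below is constructed for the demo.
"""
import os
import re
import tempfile

DROP_NAMES = {"acad.lsp", "acadiso.lsp", "acadappp.lsp", "acad.fas", "cad.fas"}
TEXT_EXTS = (".lsp", ".mnl")          # source files worth reading
LOAD_RE = re.compile(r'\(\s*load\s*"([^"]+)"', re.IGNORECASE)
MARKER = ";;;"                        # what the virus leaves behind as its marker


def load_stem(target):
    """Normalise a (load) target to a lowercase stem: 'acadappp.lsp' -> 'acadappp'."""
    base = os.path.basename(target.replace("\\", "/")).lower()
    return re.sub(r"\.(lsp|fas|vlx)$", "", base)


def inspect_text(path, allowlist):
    """Return [(kind, detail)] for one .lsp/.mnl file."""
    found = []
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        text = fh.read()
    if text.strip() == MARKER:
        found.append(("marker-only", ""))
    for target in LOAD_RE.findall(text):
        if load_stem(target) not in allowlist:
            found.append(("suspicious-load", target))
    return found


def scan_tree(root, allowlist=frozenset()):
    """Walk `root` and return sorted (kind, relative_path, detail) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        has_dwg = any(f.lower().endswith(".dwg") for f in files)
        in_support = os.path.basename(dirpath).lower() == "support"
        for name in files:
            low = name.lower()
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if low in DROP_NAMES and has_dwg:
                # AutoCAD searches the drawing's own folder before the support path
                findings.append(("autoload-next-to-dwg", rel, ""))
            elif low in DROP_NAMES and in_support and low != "acad.lsp":
                # a site-wide acad.lsp may legitimately live in Support; that one
                # is judged by its content below, not by its name
                findings.append(("dropped-in-support", rel, ""))
            if low.endswith(TEXT_EXTS):
                findings.extend((k, rel, d) for k, d in inspect_text(path, allowlist))
    return sorted(findings)


# Constructed sample tree (harmless stand-ins, not the real virus body).
SAMPLE_FILES = {
    "Support/acad.mnl": ';;; menu LISP\n(defun s::startup () (princ))\n'
                        '(load "acadappp.lsp")\n(princ)\n',
    "Support/acadappp.lsp": ';;; dropped copy\n(defun c:attedit () (princ "Seltct objects:"))\n'
                            '(load"acadiso")\n(princ)\n',
    "Support/acad.lsp": ";;;",                      # wiped down to the marker
    "Projects/plan.dwg": "AC1027",                  # header bytes only
    "Projects/acad.lsp": '(load"acadiso")\n(princ)\n',
    "Clean/site.dwg": "AC1027",
    "Clean/site.lsp": '(load "mytools")\n',         # allowlisted add-in
}


def build_sample_tree(root):
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root, allowlist={"mytools"})


if __name__ == "__main__":
    for kind, rel, detail in demo():
        print(f"{kind:22} {rel}  {detail}")
```

Point scan_tree() at the AutoCAD support path and at the shares where drawings live. A (load) target nobody in the organisation recognises, or an acad.lsp that consists solely of ";;;", is the file to pull for analysis; a drop name sitting next to .dwg files on a share is the copy that will re-infect the next machine to open a drawing there.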

Upon execution the virus also tries to connect to the following hosts:

  • smtp.q[Removed].com
  • 113.108.[Removed].44

The following registry keys are added to the system (the Internet Account Manager entries, with their Active Directory GC, Bigfoot, VeriSign and WhoWhere accounts, are the default directory-service accounts Outlook Express creates the first time the mail subsystem is used; they are consistent with the SMTP connection above but are not malicious in themselves):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID}
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Internet Account Manager
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Internet Account Manager\Accounts
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Windows Script Host
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Windows Script Host\Settings

The following registry values are added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\InprocServer32\: "%WINDIR%\system32\cmcfg32.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\InprocServer32\ThreadingModel: "Apartment"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{GUID}\: "Microsoft Wave File"
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Autodesk\AutoCAD\R[VERSION]\ACAD-4001:409\Profiles\<<Unnamed Profile>>\Drawing Window\SDIMode: 0x00000000
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Autodesk\AutoCAD\R[VERSION]\ACAD-4001:409\Profiles\<<Unnamed Profile>>\General\UseMRUConfig: 0x00000000
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Autodesk\AutoCAD\R[VERSION]\ACAD-4001:409\Profiles\<<Unnamed Profile>>\General\HideSystemPrinters: 0x00000000
The HideSystemPrinters value of 0 means AutoCAD's option to hide system printers is switched off.
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Autodesk\AutoCAD\R[VERSION]\ACAD-4001:409\Profiles\<<Unnamed Profile>>\General\PLSPOOLALERT: 0x00000000
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Autodesk\AutoCAD\R[VERSION]\ACAD-4001:409\Profiles\<<Unnamed Profile>>\General\PAPERUPDATE: 0x00000000
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Autodesk\AutoCAD\R[VERSION]\ACAD-4001:409\Profiles\<<Unnamed Profile>>\General\PLOTLEGACY: 0x00000000
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Autodesk\AutoCAD\R[VERSION]\ACAD-4001:409\Profiles\<<Unnamed Profile>>\General\PSTYLEPOLICY: 0x00000001
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Autodesk\AutoCAD\R[VERSION]\ACAD-4001:409\Profiles\<<Unnamed Profile>>\General\OLEQUALITY: 0x00000003
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Autodesk\AutoCAD\R[VERSION]\ACAD-4001:409\Profiles\<<Unnamed Profile>>\General\Anyport: 0x00000000
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Autodesk\AutoCAD\R[VERSION]\ACAD-4001:409\Profiles\<<Unnamed Profile>>\General\Validation Policy: 0x00000003
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Autodesk\AutoCAD\R[VERSION]\ACAD-4001:409\Profiles\<<Unnamed Profile>>\General\Validation Strategy: 0x00000001
  • HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\
    • LDAP Server ID: 0x00000003
    • Account Name: "WhoWhere Internet Directory Service"
    • LDAP Server: "ldap.whowhere.com"
    • LDAP URL: "http://www.whowhere.com"
    • LDAP Search Return: 0x00000064
    • LDAP Timeout: 0x0000003C
    • LDAP Authentication: 0x00000000
    • LDAP Simple Search: 0x00000001
    • LDAP Logo: "%ProgramFiles%\Common Files\Services\whowhere.bmp"
Removal Instructions

All Users:
Use the current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup are removed successfully when cleaning with the recommended engine and DAT combination (or higher).

After cleaning, also check the AutoCAD Support directory and every folder or share that holds .dwg files for leftover acad.lsp, acadiso.lsp, acadappp.lsp, acad.fas or cad.fas files, and remove the appended (load ...) line from acad.lsp and acad.mnl; a drawing folder that still carries the loader re-infects the machine the next time a drawing from it is opened. Commands removed with UNDEFINE stay undefined only for the AutoCAD session, so they return once the startup files are clean and AutoCAD is restarted (REDEFINE restores one within a running session). On AutoCAD 2014 and later, setting the SECURELOAD system variable to 2 and keeping TRUSTEDPATHS limited to administrator-controlled support folders prevents LISP and FAS files from loading from untrusted locations such as drawing folders.