Trojan.Unclassified.ContextMenuHandler.A and Vx2.Narrator

Yesterday, February 28, 2005, I had removed spyware that had put a system, B, in a state where the user had no network access. Bazooka™ Adware and Spyware Scanner v1.13.02 had found lsp.dolsp on that date. I removed that spyware with LSP-Fix. The next night I checked Bazooka and Spybot Search & Destroy v1.3 for updates and rescanned the system. Neither found any spyware, but when I scanned the system with Microsoft's AntiSpyware Beta1, it found "Trojan.Unclassified.ContextMenuHandler.A" and "Vx2.Narrator (Toolbar)".

Bazooka and Spybot are both excellent adware/spyware scanners and I recommend both be used in addition to any other spyware scanners you may use, since I've found that most scanners will miss some things another may catch. And both of those are kept up-to-date. It is possible these files are remnants of previously removed spyware, since I could find no references to them in the registry when I searched with regedit, except for the references to the Microsoft AntiSpyware alerts for the files and Most Recently Used (MRU) references from my access of the files while checking them. I had removed VX2.Narrator with Microsoft AntiSpyware on February 24, 2005.

Bazooka does offer detection for Transponder and removal instructions. The Kephyr site from which one can obtain Bazooka, indicates it is also known as VX2 and Blackstone and is a Browser Helper Object (BHO) that monitors your web usage and opens pop-up windows. Kephyr also states the software updates itself. Though a particular piece of adware/spyware may slow your system, but not render it unusable when it is first installed, when such software updates itself unbeknownst to you, new bugs or conflicts with other software introduced by an update to the spyware may then render your system virtually unusable. You may find yourself at a loss as to what has changed to create the problem not knowing that some software on the system automatically updated itself.

Microsoft found instances of both of the detected spyware spyware elements in restore points, but also still present in c:\windows\system32. The details for the files found in that folder are listed below.

Type: Trojan
Threat Level: High

Description: This trojan installs as a context menu handler in Windows. It uses a 6 character random name on installation. ******.dll, it also will use a random 6 character Project Name ******.class to identify itself.

Advice: This is a very high risk threat and should be removed immediately as to prevent harm to your computer or your privacy.

About Trojan: A Trojan software is any software on a user's computer that the user is not aware or intentionally installed. Most Trojan software is designed to perform some sort of actions that could jeopardize the user's security or privacy.

Information About This Threat Location

File name: gpgyui.dll
File path: c:\windows\system32\gpgyui.dll
File size: 5632 bytes
File MD5: 62b74a4daddd9cd8e8255715092b2b04
Create date: 2/28/2005 7:08:14 AM

For screen captures see Microsoft AntiSpyware Trojan.Unclassified.ContextMenuHandler.A and gpgyui.dll info.

Type: Toolbar
Threat Level: Severe

Description: Related to the VX2 Transponder.

Advice: This is a very high risk threat and should be removed immediately as to prevent harm to your computer or your privacy.

About Toolbar: An Internet Explorer toolbar is a plug-in to Internet Explorer that installs a toolbar within the web browser. Many legitimate toolbars provide various convenient search features, however, many toolbars also include adware and spyware functionality used to track searching behavior and modify the search results to point to an alternative search engine.

Information About This Threat Location

File name: qvqaug.dat
File path: c:\windows\system32\qvqaug.dat
File size: 33280 bytes
File MD5: 61cfa0ded5666d451158c6f9a9a75854
Create date: 2/28/2005 7:08:13 AM

For screen captures see Microsoft AntiSpyware Vx2.Narrator and gvqaug.dat info

An examination of gpgyui.dll with FileAlyzer, a tool provided by the developer of Spybot for examining files, shows a reference to "Narrator" and two IP addresses, ( and ( when I used its "search strings" capability (open the file with FileAlyzer, choose "hex dump" and then "list strings"). See FileAlyzer gpgyui.dll Hex Dump.

The domain registrant for is Qool Aid LLC.

Qool Aid LLC
1048 Irvine Ave #345
Newport Beach, CA 92660

In the End User License Agreement (EULA) on its website, which is, Qool Aid, makes it obvious they are an adware distributor by the following section included in the EULA:
By installing the Service you understand and agree that the following changes may be made to your Internet Explorer browser and that the following functions may be performed by the Service: install a Free Ware Software Applications in your browser which may (i) deliver pop-up ads and pages; (ii) display links to related websites and keywords based on the information you view and the websites you visit; (iii) store non-personally identifiable statistics of the websites you have visited; (iv) redirect certain URL's including your browser default address bar search, DNS error page and Search Button page to or through the Service and; (v) automatically update the Service and install added features or functionality conveniently without your input or interaction unless you have chose to be notified of such update in advance.

The domain registrant for is GFC International d.o.o.

GFC International d.o.o.
Djure Danicica 6
Banja Luka, RS 51000
Bosnia and Herzegovina

For anyone wishing to analyze the files, I've included links to download them from this site below:

gpgyui.dll qvqaug.dat
Download Download