Wilders Security Forums  

#1
November 7th, 2003, 06:08 AM
Pieter_Arntz
Spyware Veteran
Join Date: Apr 2002
Location: Netherlands
Posts: 12,333
Guidelines for Helpers and Advanced users

Merijn has written a tutorial on what to remove with HijackThis.
It is well worth reading, but please remember that HijackThis is a very powerful tool. If you want to try and fix things yourself using HijackThis, always keep in mind that the program makes no distinction between good and bad. It just does what the user instructs it to do, no matter what the consequences might be. You could end up disconnecting yourself from the internet or being unable to reboot at all.
So if you are in any doubt, post your log on a board that offers an adware, spyware & hijack cleaning forum.
Make sure you have the latest version, as it is updated often to keep up with the latest threats.

You will find some of these links in that tutorial, but I'd like to make them available here as well.

For running (mostly system) processes: http://www.liutilities.com/products/...rocesslibrary/
For BHO's and Toolbars: http://www.systemlookup.com/lists.php?list=1
For Startup entries: http://www.systemlookup.com/lists.php?list=2
Startups and running processes: http://www.answersthatwork.com/
For ActiveX elements: use the find feature in SpywareBlaster or look here: http://www.systemlookup.com/lists.php?list=10
For items in the LSP stack: http://www.systemlookup.com/lists.php?list=9
Rare startup locations: Services: http://www.systemlookup.com/lists.php?list=8
ShellExecuteHooks: http://www.systemlookup.com/lists.php?list=8

And then, if all else fails, there is always your favorite search engine.

Further on in this thread you will find instructions on how to recognize and remove malware that needs special attention and that uses random filenames and/or CLSIDs.

If you run across something you can't identify, feel free to IM me (or one of the other staff members) a link to the log it concerns. We are always on the lookout for new malware to submit to the developers.


Where no special credits are mentioned in the posts below, these should go to the expert groups at SpyWareInfo and the former ComputerCops aka CastleCops.
__________________
Regards,

Pieter
It's nice to be important, but it's more important to be nice.
Remove & Prevent spyware
It's human to make mistakes. It's even more so to blame the computer for it.

Last edited by Pieter_Arntz : January 14th, 2009 at 09:34 AM. Reason: Updated for migration CastleCops to SystemLookup
#2
November 7th, 2003, 06:10 AM
Pieter_Arntz

First example of spyware using random names and CLSIDs for startup entries as well as BHOs.

C2.lop aka lop.com

Information: http://www.doxdesk.com/parasite/lop.html
Some example logs and removal instructions: http://www.wilderssecurity.com/showthread.php?t=7487

Scanning with spyware-removing software will take care of the main executable most of the time, but the BHO and toolbar are often not recognized, so the victim will get stuck with the annoying bar.
Last edited by Pieter_Arntz : April 11th, 2004 at 04:51 PM. Reason: updated links
#3
November 7th, 2003, 06:12 AM
Pieter_Arntz

A redirect-fee stealer using random names and CLSIDs for its BHOs

WurldMedia

Examples from HijackThis logs from computers with different versions of Windows:
O2 - BHO: (no name) - {C76D8D39-9C48-4D6E-AA77-D4A149B00C52} - C:\WINNT\system32\azake.dll

O2 - BHO: (no name) - {93DABE7D-CD45-47C0-BBB9-9AD2853B8E10} - C:\WINDOWS\SYSTEM32\moaa030425s.dll

O2 - BHO: (no name) - {EC306669-5056-4707-8AA9-F639F6A8E589} - C:\WINDOWS\SYSTEM\BRMIMLWM.DLL

To identify these BHOs as WurldMedia:
Right-click that file > Properties > Description.
If it says it is a "TC Module", it will be WurldMedia.

#4
November 7th, 2003, 06:13 AM
Pieter_Arntz

A toolbar BHO that slows down IE significantly, using random file names.

ToolbarCC

Log example:
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} - C:\WINDOWS\mslagp.dll

The CLSIDs range from {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFA2} to {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF}.

Note: the very similar {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} also using ms(+4 random letters).dll is a CWS variant
#5
November 7th, 2003, 06:14 AM
Pieter_Arntz

A family of hijackers is known under the name:

CWS

A special program to remove it was developed and is kept up to date by Merijn; it is called CWShredder. We are mirroring it. A direct download link and a list of the sites the hijacks lead to can be found here:
http://www.wilderssecurity.com/showthread.php?t=14086

More info on the variants covered by CWShredder and a very good read, also including examples of HijackThis logs: http://www.spywareinfo.com/~merijn/cwschronicles.html

Variants that have been discovered but have not yet been added to CWShredder are added to this thread:
http://www.wilderssecurity.com/showthread.php?t=28658
Our staff will try and update that thread as often as we can. Variants that are added to CWShredder will be marked as such there.
Last edited by Pieter_Arntz : April 26th, 2004 at 09:27 AM. Reason: Added link to our new thread about CWS latest variants
#6
November 7th, 2003, 06:15 AM
Pieter_Arntz

Downloading and displaying advertisements, changing filenames

RapidBlaster

A special program called RapidBlaster Killer was written by Javacool to remove this pest.

Examples from logs:

Version 1
O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"

Version 2
O4 - HKLM\..\Run: [newsgroup ml097e] "c:\program files\newsgroup\newsgroup.exe"

Version 3
O4 - HKLM\..\Run: [nvd32 ml710e] "C:\Program Files\NvidStar\nvd32.exe"

An overview of the filenames it has been known to use, and additional information can be found here:
http://www.wilderssecurity.net/specialinfo/rapidblaster.html
#7
November 7th, 2003, 06:16 AM
Pieter_Arntz

A randomly named trojan that creates new ones when you try to disable or remove it. Displays porn pop-ups.

Peper Trojan

Log examples:
C:\WINDOWS\SYSTEM\ONP3E.EXE
C:\WINDOWS\SYSTEM\FPES3.EXE
O4 - HKLM\..\Run: [2L8FCMP467GN8D] C:\WINDOWS\SYSTEM\LhoK8W3.exe

C:\WINDOWS\System32\Njw7.exe
C:\WINDOWS\System32\Pnt4SuR.exe
O4 - HKLM\..\Run: [4HLQDEJ4W8T9B9] C:\WINDOWS\System32\AozDF.exe

The startup name between brackets is 14 characters long and starts with a digit ranging from 2 to 6.

Special instructions

Download and run this file to fix Peper Trojan:
http://www.memorywatcher.com/uninst.exe
The program needs internet access to complete the removal.
Last edited by Pieter_Arntz : April 11th, 2004 at 04:56 PM.
#8
November 7th, 2003, 06:17 AM
Pieter_Arntz

IRC trojan that attaches itself to the System(32) folder using a random filename.

AFlooder

Log example:
O4 - HKLM\..\Run: [leuimnd] rundll32 C:\WINDOWS\System32:leuimnd.dll,Init 1
O4 - HKLM\..\RunOnce: [*leuimnd] rundll32 C:\WINDOWS\System32:leuimnd.dll,Init 1

The name consists of seven letters (a-z).

Special instructions

Click "Start" > "Run" > type or copy&paste rundll32 <path to this DLL>,Uninstall > "OK"
#9
November 7th, 2003, 06:18 AM
Pieter_Arntz

Adware and hijacker requiring special instructions

MS T-Media Display

Total Velocity Hijacker, also called MS T-Media Display, is an adware and hijacker component. It is bundled with a program called Memory Meter. Total Velocity Hijacker connects to totalvelocity.com (66.159.219.201).

Log example:
O4 - HKLM\..\Run: [MSMGT] C:\WINDOWS\MSMGT.EXE

Special instructions

Go offline and uninstall 'MS T Media Display' in Add/Remove Software.
That is msmgt.exe.
Reboot, then find and delete: C:\WINDOWS\MSMGT.EXE

Then have HijackThis Fix:
O4 - HKLM\..\Run: [MSMGT] C:\WINDOWS\MSMGT.EXE

and delete MSMGT.exe and TINYINSTALLER.exe in the same directory.


Source: http://www.kephyr.com/spywarescanner/library/tvhijacker/index.phtml
#10
November 7th, 2003, 06:19 AM
Pieter_Arntz

Generates porn-popups and hijacks IE, using random filenames.

Winpup

Version one (there are more) uses filenames that are 6-8 digits long.

Log example:
O4 - HKLM\..\Run: [32577151.exe] C:\WINNT\System32\32577151.exe
O4 - HKLM\..\Run: [18626040.exe] C:\WINNT\System32\18626040.exe
O4 - HKLM\..\Run: [88517397.exe] C:\WINNT\System32\88517397.exe

The file size is 36 KB and they show "winpup" under Properties.

Special instructions

End-task the process, fix the startup entry in HijackThis and, after rebooting, find all the files with the above properties in the System(32) directory.
Note: the filenames may not correspond with the ones showing in the log.

Then use the regfile below:

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\pup]


Write-up done by FreeAtLast.
#11
November 10th, 2003, 05:49 AM
Pieter_Arntz

Adware that uses randomly named startup entries that check whether nCase has been removed. It offers to reinstall the original program.

nCase

Log examples:
O4 - HKLM\..\Run: [AKVC] C:\WINDOWS\AKVC.exe
O4 - HKLM\..\Run: [ISAN] C:\WINDOWS\ISAN.exe
O4 - HKLM\..\Run: [ALVCQ] C:\WINDOWS\ALVCQ.exe
O4 - HKLM\..\Run: [GQLVDN] C:\WINDOWS\GQLVDN.exe

The above are from one log. They often come in groups.

The name between brackets and the name of the exe are always in capitals and always identical.

The original program will show up like this:
O4 - HKLM\..\Run: [msbb] C:\PROGRAM FILES\NCASE\MSBB.EXE
#12
November 10th, 2003, 05:52 AM
Pieter_Arntz

Advertiser suspected of spying, using random filenames. Some installs come bundled with lop.com.

FreeScratchCards (FreeScratchAndWin variant)

Log example:
O4 - HKLM\..\Run: [fxwnccbr] C:\WINDOWS\SYSTEM\fxwnccbr.exe

Always uses 8 letter filenames and is located in the System(32) folder. In the same folder you will find another exe file that has a dollar sign ($) as an icon.
#13
November 17th, 2003, 10:32 AM
Pieter_Arntz

Downloads and displays advertisements.

Purityscan/Clickspring (version 1)

Besides the winservn variant described here, they also use a lot of (maybe even random) 4-letter filenames as startup entries.

Log examples:
O4 - HKCU\..\Run: [Ahst] C:\Documents and Settings\[username]\Application Data\iebs.exe

O4 - HKCU\..\Run: [Soar] C:\Documents and Settings\[username]\Application Data\rwod.exe
#14
November 18th, 2003, 04:59 AM
Pieter_Arntz

Hijacks to search-aide.com and changes the function of the F9 key.

IETray

Uses a Windows filename as a startup entry.

Log example:

O2 - BHO: (no name) - {BD51AEC6-7991-4A60-94D6-D5FEBB655D10} - C:\WINDOWS\SYSTEM32\IEMsg.dll
O4 - HKLM\..\Run: [CSRSS] C:\WINDOWS\CSRSS.EXE
O8 - Extra context menu item: &Define - C:\WINDOWS\Web\ERS_DEF.HTM
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\ERS_SRC.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\WINDOWS\Web\ERS_ENC.HTM

Fix the entries above and delete the CSRSS.EXE in the Windows directory, not the one in System(32).
#15
November 23rd, 2003, 01:38 PM
Pieter_Arntz

Changes your AIM profile and redirects to talkstocks dot com and/or realphx dot com

TalkStocks trojan

Besides the executables, randomly named BHOs are installed.

Log examples:

O2 - BHO: (no name) - {4A2D7B5F-4E9E-839C-AC5C-768688C7DE8B} - C:\windows\system\itstgblg.dll

O2 - BHO: (no name) - {CB3B59F7-43E6-A0D6-956F-3673E9738AA6} - C:\WINDOWS\system32\ntmccdds.dll

The BHOs can be recognized because they call themselves "IEloader Module".

#16
December 10th, 2003, 06:26 AM
Pieter_Arntz

Hijacker and advertiser that uses randomly named BHOs with random CLSIDs

AdGoblin

Log examples:

O2 - BHO: (no name) - {230E68F5-3CB6-4144-8A3D-360216EE3B2C} - C:\WINDOWS\System32\insatfunc.dll

O2 - BHO: (no name) - {A64C7BBA-EBDF-4AA2-9212-B601CD508D3B} - C:\WINDOWS\System32\oexts.dll

O2 - BHO: (no name) - {AA3832A0-02DC-11D8-A667-0004754CD6E5} - C:\WINDOWS\SYSTEM\MOCIOLE.DLL

O2 - BHO: (no name) - {8DC6F55B-AA4E-4FE0-9F6B-91C77BF7DCED} - C:\WINDOWS\System32\igcm32.dll

There are two variants. One has a filesize of 100 KB and a MD5 value of 1ff2edc905384d75ead352a56bc9466a
The other has a filesize of 120 KB and a MD5 value of 31ff532b8363d531f75583466ef49dd3

Research by mjc : http://www.s89223352.onlinehome.us/tinc?key=AbZ0JojL&formname=crapware
#17
February 7th, 2004, 05:04 PM
Pieter_Arntz

Spyware that slows down your computer and sometimes disables closing windows with the X button. Uses random filenames for the BHO and the running executable.

roings jimmyloader

Log examples:

O2 - BHO: (no name) - {6430BC19-3DA0-44CB-86A6-9BA9DFAFE16C} - C:\WINDOWS\f5QK.dll
O4 - HKLM\..\Run: [xGQH7sL] C:\WINDOWS\g176X9J.exe

O2 - BHO: (no name) - {F999B30F-6A4B-4E4F-8610-0D06FFD93B3E} - C:\WINNT\hkH4TG.dll
O4 - HKLM\..\Run: [iQusLz] C:\WINNT\fAhg6Ofp.exe

How to recognize:
Under Properties > Version tab, the Original filename for the exe will show load.exe, and for the BHO wat.dll.

In the log also look for:
O16 - DPF: {B8A04596-1C1B-48B6-9268-F2F86C9D55BC} (jimmyloader.jimmyform) - hxxp://bins.roings.com/crack.cab

O16 - DPF: {65B818E1-F4D8-4F96-A1DF-35F3D1C86194} (limmyloding.limmyform) - hxxp://bins.roings.com/roing.cab
#18
March 6th, 2004, 11:34 AM
Pieter_Arntz

Downloads and displays advertisements. Produces a lot of popups.

PurityScan/Clickspring (Version 2)

Usually found in the company of version 1 (see Reply #12)

Log examples:

O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsu.exe
O4 - HKCU\..\Run: [WNSA] C:\WINDOWS\System32\wnstssu.exe
O4 - HKCU\..\Run: [WNST] C:\WINDOWS\System32\wnsapisv.exe

There seems to be some consistency in the filenames, but they sure look the same. (See attachment)
The description is always "sear1 MFC Application".
#19
March 28th, 2004, 03:24 PM
Pieter_Arntz

Generates porn-popups and hijacks IE, using random filenames. Winpup renames itself each time the process is started, making it both hard to find and remove.

Winpup (aka Atoque)

Version two (there are more) uses filenames that are 6-8 digits long.

Log example:
O4 - HKLM\..\Run: [tmsmgrn] C:\WINDOWS\System32\tmsmgrn.exe
O4 - HKLM\..\Run: [xdiagnd] C:\WINDOWS\System32\xdiagnd.exe
O4 - HKLM\..\Run: [tildllu] C:\WINDOWS\System32\tildllu.exe

On the Version tab these have the name pupdate.exe.

Special instructions

End-task the process, fix the startup entry in HijackThis and, after rebooting, find all the files with the above properties in the System(32) directory.
Note: the filenames may not correspond with the ones showing in the log.

Then use the regfile below:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\comms]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\pup]

Credits to Unzy and Kephyr.com
#20
April 3rd, 2004, 08:54 AM
Pieter_Arntz

Hijacker that uses random CLSIDs for its BHO and toolbar.

Mirar aka NetNucleaus

The filenames are WinNB4*.dll, where * ranges from 0 to 2 (for the moment), and the file itself is in the System(32) folder.

Log examples:
O2 - BHO: (no name) - {FADEEE2B-A045-4B68-9903-69D873EA9B18} - C:\WINDOWS\SYSTEM\WINNB42.DLL
O3 - Toolbar: Related Page - {FADEEE2A-A045-4B68-9903-69D873EA9B18} - C:\WINDOWS\SYSTEM\WINNB42.DLL

O2 - BHO: (no name) - {F464C39B-AEF3-4605-B865-6A9E75683A67} - C:\WINDOWS\System32\WinNB42.dll
O3 - Toolbar: Related Page - {F464C39A-AEF3-4605-B865-6A9E75683A67} - C:\WINDOWS\System32\WinNB42.dll
#21
May 9th, 2004, 04:49 AM
Pieter_Arntz

Dutch porn dialer. The filenames are not really random, but it uses so many of them that it may seem that way.

Switch dialer

Log examples:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/MS-Connect/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Startportal/Portal/portal.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/Onlinedirect/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Onlinedirect/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/QuickPage/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/NowOnline/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/FirstEnter/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/First2Enter/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Plus18Point/Portal/portal.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/MStartEnter/Portal/portal.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/MStart2Page/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/EnterOne/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/PageOn1/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/eMakeSV/Portal/portal.html

O4 - HKLM\..\Run: [MS-Connect] C:\WINDOWS\System32\msite18.exe
O4 - HKLM\..\Run: [MS-Connect] C:\WINNT\System32\cdm.exe
O4 - HKLM\..\Run: [MS-Connect] C:\WINDOWS\System32\game.exe
O4 - HKLM\..\Run: [MS-RunKey] C:\WINDOWS\System32\arr.exe
O4 - HKLM\..\Run: [Diskstart] C:\WINNT\system32\code.exe
O4 - HKLM\..\Run: [Diskstart] C:\WINDOWS\System32\cat.exe
O4 - HKLM\..\Run: [Diskstart] C:\WINDOWS\SYSTEM\HIT.EXE
O4 - HKLM\..\Run: [Diskstart] C:\WINDOWS\SYSTEM32\snt.exe
O4 - HKLM\..\Run: [Quicktlme] C:\WINDOWS\System32\ru.exe
O4 - HKLM\..\Run: [QuickZip] C:\WINDOWS\System32\ls.exe
O4 - HKLM\..\Run: [QuickZip] C:\WINDOWS\System32\lu.exe
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\sed.exe
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\msgplus.exe
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\com.exe
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\dll.exe
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\plugin.exe
O4 - HKLM\..\Run: [Open2Enter] C:\WINDOWS\System32\runme.exe
O4 - HKLM\..\Run: [Open2Enter] C:\WINDOWS\System32\runme2.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\run_21.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\srv.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\srv2.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\intl.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\int1.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\system32\mstart.exe
O4 - HKLM\..\Run: [Classes] C:\WINDOWS\SYSTEM\MSTAR2.EXE
O4 - HKLM\..\Run: [OpenMstart] C:\WINDOWS\System32\mcmgr32.exe
O4 - HKLM\..\Run: [OpenMstart] C:\WINDOWS\System32\mmgr32.exe
O4 - HKLM\..\Run: [NvCplD] C:\WINDOWS\System32\m2gr32.exe
O4 - HKLM\..\Run: [NvCplD] C:\WINDOWS\system32\ntcpl.exe
O4 - HKLM\..\Run: [NvCplD] C:\WINDOWS\system32\ntopengl.exe
O4 - HKLM\..\Run: [rCron] C:\WINDOWS\System32\rcron.exe
O4 - HKLM\..\Run: [rCron] C:\WINDOWS\System32\dservice.exe
O4 - HKLM\..\Run: [eMakeSV] C:\WINDOWS\SYSTEM\EMAKESV.EXE

Other reported filenames: web.exe, patch.exe, cp.exe

You will have to end-task the running process or boot into safe mode to be able to remove the exe file.
Also remove the folder in the Program Files directory that holds the Portal subfolder.
Last edited by Pieter_Arntz : April 21st, 2005 at 01:41 PM. Reason: added new variant
#22
June 4th, 2004, 11:25 AM
Pieter_Arntz

This malware makes the infected system act as an HTTP proxy. It also opens TCP ports 6690 and 5590, possibly to notify a third party.

Agent.X trojan

Log example:

O4 - HKCU\..\Run: [sr64] C:\WINDOWS\SYSTEM\SR64\BQHPKFGM.EXE

On every subsequent execution, this Trojan drops another copy of itself in the SR64 directory using a different random file name, which is always 8 characters long.

Fix the entry in HijackThis and delete the entire sr64 folder in the System(32) directory.

Credits to TrendMicro
#23
July 27th, 2004, 04:22 AM
Pieter_Arntz

This Trojan Horse installs itself as a BHO and steals online banking information from web forms.

PWSteal.Refest

Log example:

O2 - BHO: (no name) - {DE862734-0DD8-49A2-91BD-0B98BB1718F9} - C:\WINDOWS\System32\lcnnn.dll

The BHO uses a random name with up to 8 lower-case characters, e.g., "abcde.dll" or "qrstuvwx.dll". The file is 45056 bytes in length.
The CLSID is random as well. The dll will be found in the System(32) folder.

Removal instructions and write-up by Symantec
#24
August 3rd, 2004, 05:35 AM
Pieter_Arntz

Adware that uses contextual advertising. It uses a BHO that can be randomly named.

Midaddle by AdSypre

Log examples:
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll

O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner\Local Settings\Temp\6PSEAG.dll

O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner\Local Settings\Temp\nz.dll

The CLSID is always the same (for now).
#25
August 3rd, 2004, 03:20 PM
Pieter_Arntz

Adware causing popups, specifically from 680180.net

Adlogix™

Log examples:

When they were not random they looked like this:
O2 - BHO: SDWin32 Class - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINNT\system32\SWin32.dll
O4 - HKLM\..\Run: [Adstartup] C:\WINNT\system32\automove.exe

Now they have random filenames and CLSIDs and look like this:
O2 - BHO: SDWin32 Class - {E9079510-297A-44DA-960E-6040FD3BD74D} - C:\WINDOWS\System32\igpir.dll
O4 - HKLM\..\Run: [igpirc] C:\WINDOWS\System32\igpirc.exe

The name of the exe is the filename of the dll with an extra "c" at the end.
Original filename of the dll is still SWin32.DLL
Original filename for the exe: localFilemove.EXE
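Most of the families in this thread are recognized in a HijackThis log by a naming pattern rather than a fixed filename, and helpers end up applying those patterns by eye on every log. The script below is an added example written for this page; it is not code from the thread, from Merijn's tools or from any of the vendors credited in the posts. It parses O2/O3 (BHO and toolbar), O4 (Run key) and R0/R1 (start page) lines and applies the patterns the posts describe: the Peper 14-character key starting with a digit 2 to 6 (#7), the AFlooder rundll32 entry (#8), Winpup v1's 6-8 digit names in System(32) (#10), the nCase capitalised key that equals the exe name (#11), FreeScratchCards' 8 lowercase letters (#12), IETray's CSRSS.EXE in the Windows root (#14), Mirar's WinNB4*.dll (#20), the Switch dialer portal.html start page (#21), Agent.X's 8-character names under SR64 (#22), the short lowercase (no name) BHO of PWSteal.Refest (#23), Midaddle's fixed CLSID (#24) and the Adlogix dll/exe pair whose exe name is the dll name plus "c" (#25). One point worth making explicit about the AFlooder entry C:\WINDOWS\System32:leuimnd.dll: the colon after System32 is NTFS alternate data stream syntax, so the DLL is stored in a stream attached to the System32 directory, which is why a normal directory listing does not show it and why the post says it "attaches itself" to the folder. Assumptions not stated in the posts: the Peper key is taken to be uppercase alphanumerics, nCase keys 4-6 letters and Agent.X names 8 uppercase letters, as read off the quoted examples; the sample log is constructed from lines quoted in this thread plus one benign NVIDIA loader entry; and the Refest rule can only flag a candidate, because the 45056-byte size check needs the file, not the log.

```python
import re

# Constructed sample log: entries quoted in the posts above plus one benign
# entry (the NVIDIA control panel loader) that the rules must leave alone.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {DE862734-0DD8-49A2-91BD-0B98BB1718F9} - C:\WINDOWS\System32\lcnnn.dll
O2 - BHO: (no name) - {FADEEE2B-A045-4B68-9903-69D873EA9B18} - C:\WINDOWS\SYSTEM\WINNB42.DLL
O3 - Toolbar: Related Page - {FADEEE2A-A045-4B68-9903-69D873EA9B18} - C:\WINDOWS\SYSTEM\WINNB42.DLL
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner\Local Settings\Temp\nz.dll
O2 - BHO: SDWin32 Class - {E9079510-297A-44DA-960E-6040FD3BD74D} - C:\WINDOWS\System32\igpir.dll
O4 - HKLM\..\Run: [igpirc] C:\WINDOWS\System32\igpirc.exe
O4 - HKLM\..\Run: [2L8FCMP467GN8D] C:\WINDOWS\SYSTEM\LhoK8W3.exe
O4 - HKLM\..\Run: [leuimnd] rundll32 C:\WINDOWS\System32:leuimnd.dll,Init 1
O4 - HKLM\..\Run: [32577151.exe] C:\WINNT\System32\32577151.exe
O4 - HKLM\..\Run: [GQLVDN] C:\WINDOWS\GQLVDN.exe
O4 - HKLM\..\Run: [sr64] C:\WINDOWS\SYSTEM\SR64\BQHPKFGM.EXE
O4 - HKLM\..\Run: [CSRSS] C:\WINDOWS\CSRSS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/QuickPage/Portal/portal.html
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
"""

LINE_RE = re.compile(r"^(?P<sec>O[234]|R[01]) - (?P<body>.*)$")
O2O3_RE = re.compile(r"^(?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-F-]{36}\}) - (?P<path>.+)$", re.I)
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once|Services)?: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^",]*)')  # first drive-rooted path in a command line

def _leaf(path):
    # Last path element; for "dir:stream" (an NTFS alternate data stream) the stream name.
    return path.rsplit("\\", 1)[-1].rsplit(":", 1)[-1]

def _in_system_dir(path):
    return re.search(r"\\SYSTEM(?:32)?\\[^\\]+$", path, re.I) is not None

def _in_windows_root(path):
    return re.match(r"^[A-Z]:\\WIN(?:DOWS|NT)\\[^\\]+$", path, re.I) is not None

def parse(line):
    """Split one HijackThis line into section, startup key, BHO name, CLSID, path and file stem."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"line": line.strip(), "sec": m["sec"], "key": "", "name": "", "clsid": "", "path": ""}
    body = m["body"]
    if rec["sec"] in ("O2", "O3"):
        m2 = O2O3_RE.match(body)
        if not m2:
            return None
        rec.update(m2.groupdict())
    elif rec["sec"] == "O4":
        m4 = O4_RE.match(body)
        if not m4:
            return None
        mp = PATH_RE.search(m4["cmd"])
        rec["key"], rec["path"] = m4["key"], (mp["path"] if mp else "")
    else:  # R0/R1: the start page is whatever follows "="
        rec["path"] = body.split("=", 1)[-1].strip()
    rec["stem"] = _leaf(rec["path"]).rpartition(".")[0]
    return rec

# One rule per naming pattern from the thread; the first rule that matches a line wins.
# Length and charset cutoffs (Peper, nCase, Agent.X) are assumptions read off the quoted examples.
RULES = [
    # A colon after the drive letter means the DLL is an alternate data stream on the directory.
    ("AFlooder (DLL in NTFS alternate data stream)",
     lambda r: r["sec"] == "O4" and ":" in r["path"][2:] and "rundll32" in r["line"].lower()),
    ("Peper trojan", lambda r: r["sec"] == "O4" and re.fullmatch(r"[2-6][A-Z0-9]{13}", r["key"])),
    ("Agent.X trojan", lambda r: r["sec"] == "O4" and re.search(r"\\SR64\\[A-Z]{8}\.EXE$", r["path"], re.I)),
    ("IETray (CSRSS.EXE outside System32)",
     lambda r: r["sec"] == "O4" and r["stem"].upper() == "CSRSS" and _in_windows_root(r["path"])),
    ("Winpup v1", lambda r: r["sec"] == "O4" and _in_system_dir(r["path"]) and re.fullmatch(r"\d{6,8}", r["stem"])),
    ("nCase reinstaller", lambda r: r["sec"] == "O4" and r["key"] == r["stem"]
     and re.fullmatch(r"[A-Z]{4,6}", r["key"]) and _in_windows_root(r["path"])),
    ("FreeScratchCards", lambda r: r["sec"] == "O4" and r["key"] == r["stem"]
     and re.fullmatch(r"[a-z]{8}", r["key"]) and _in_system_dir(r["path"])),
    ("Mirar/NetNucleus", lambda r: r["sec"] in ("O2", "O3") and re.fullmatch(r"WinNB4\d", r["stem"], re.I)),
    ("Midaddle (fixed CLSID)", lambda r: r["clsid"].upper() == "{E8EAEB34-F7B5-4C55-87FF-720FAF53D841}"),
    ("Adlogix (SDWin32 BHO)", lambda r: r["sec"] == "O2" and r["name"] == "SDWin32 Class"),
    ("PWSteal.Refest candidate (confirm 45056 bytes)", lambda r: r["sec"] == "O2" and r["name"] == "(no name)"
     and _in_system_dir(r["path"]) and re.fullmatch(r"[a-z]{1,8}", r["stem"])),
    ("Switch dialer start page",
     lambda r: r["sec"] in ("R0", "R1") and r["path"].lower().endswith("/portal/portal.html")),
]

def adlogix_pairs(records):
    """Adlogix names its exe after its dll plus a trailing 'c' (igpir.dll / igpirc.exe)."""
    dlls = {r["stem"].lower() for r in records if r["sec"] == "O2" and r["name"] == "SDWin32 Class"}
    return [r["line"] for r in records
            if r["sec"] == "O4" and r["stem"].lower().endswith("c") and r["stem"][:-1].lower() in dlls]

def triage(log_text):
    """Return (family, line) for every line a rule matches, plus the cross-line Adlogix pairing."""
    records = [r for r in map(parse, log_text.splitlines()) if r]
    hits = []
    for r in records:
        for family, test in RULES:
            if test(r):
                hits.append((family, r["line"]))
                break
    hits += [("Adlogix (exe paired with SDWin32 dll)", line) for line in adlogix_pairs(records)]
    return hits
```

Calling triage(SAMPLE_LOG) yields thirteen hits and leaves the NvCplDaemon line alone; the last hit is the Adlogix exe, which no single-line rule catches and which is only recognised by pairing it with the SDWin32 BHO from the same log. Every hit is a lead to confirm with the checks the posts give (Properties > Version, file size, MD5), not a verdict: a legitimate program can use a short lowercase DLL name in System32 just as easily as PWSteal.Refest does.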
 

Copyright ©2002 - 2010, Wilders Security Forums