Guidelines for Helpers and Advanced users

Discussion in 'news, general information and FAQs' started by Pieter_Arntz, Nov 7, 2003.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Merijn has written a tutorial on what to remove with HijackThis.
    It is well worth reading, but please remember, HijackThis is a very powerful tool. If you want to try and fix things yourself using HijackThis, always keep in mind, the program makes no difference between good or bad. It just does what the user instructs it to do, no matter what the consequences might be. You could end up disconnecting yourself from the internet or being unable to reboot at all.
    So if you are in any doubt, post your log on a board that offers an adware, spyware & hijack cleaning forum.
    Make sure you have the latest version as it is updated often to keep up with the latest threats.

    You will find some of these links in that tutorial, but I'd like to make them available here as well.

    For running (mostly system) processes:
    For BHO's and Toolbars:
    For Startup entries:
    Startups and running processes:
    For ActiveX elements: use the find feature in SpywareBlaster or look here:
    For items in the LSP stack:
    Rare Startup-locations: Services:

    And then, if all else fails, there is always your favorite search engine.

    Further on in this thread you will find instructions on how to recognize and remove malware that needs special attention and that uses random filenames and/or CLSID's.

    If you run across something you can't identify, feel free to IM me (or one of the other staff members) a link to the log it concerns. We are always on the lookout for new malware to submit to the developers.

    Where no special credits are mentioned in the posts below, these should go to the expert groups at SpyWareInfo and the former ComputerCops aka CastleCops.
    Last edited: Jan 14, 2009
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    First example of spyware using random names and CLSID's for startup entries as well as BHO's.

    C2.lop aka

    Some example logs and removal instructions:

    Scanning with spyware-removing software will take care of the main executable most of the time, but the BHO and Toolbar are often not recognized so the victim will get stuck with the annoying bar.
    Last edited: Apr 11, 2004
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    A redirect-fee stealer using random names and CLSID's for its BHO's


    Examples from HijackThis logs from computers with different versions of Windows:
    O2 - BHO: (no name) - {C76D8D39-9C48-4D6E-AA77-D4A149B00C52} - C:\WINNT\system32\azake.dll

    O2 - BHO: (no name) - {93DABE7D-CD45-47C0-BBB9-9AD2853B8E10} - C:\WINDOWS\SYSTEM32\moaa030425s.dll

    O2 - BHO: (no name) - {EC306669-5056-4707-8AA9-F639F6A8E589} - C:\WINDOWS\SYSTEM\BRMIMLWM.DLL

    To identify these BHO's as WurldMedia:
    Rightclick that file > Properties > Description.
    If it says it's a "TC Module" it will be WurldMedia.

  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    A toolbar BHO that slows down IE significantly, using random file names.


    Log example:
    O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} - C:\WINDOWS\mslagp.dll

    The CLSID's range from {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFA2} till {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF}

    Note: the very similar {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} also using ms(+4 random letters).dll is a CWS variant
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    A family of hijackers is known under the name:


    A special program to remove it was developed and is kept up to date by Merijn; it is called CWShredder. We are mirroring it. A direct download link and a list of the sites the hijacks are leading to can be found here:

    More info on the variants covered by CWShredder and a very good read, also including examples of HijackThis logs:

    Variants that have been discovered, but are not added to CWShredder are added to this thread:
    Our staff will try and update that thread as often as we can. Variants that are added to CWShredder will be marked as such there.
    Last edited: Apr 26, 2004
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Downloading and displaying advertisements, changing filenames


    A special program called RapidBlaster Killer was written by Javacool to remove this pest.

    Examples from logs:

    Version 1
    O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"

    Version 2
    O4 - HKLM\..\Run: [newsgroup ml097e] "c:\program files\newsgroup\newsgroup.exe"

    Version 3
    O4 - HKLM\..\Run: [nvd32 ml710e] "C:\Program Files\NvidStar\nvd32.exe"

    An overview of the filenames it has been known to use, and additional information can be found here:
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    A randomly named trojan that creates new ones, when you try to disable or remove it. Displays porn pop-ups.

    Peper Trojan

    Log examples:
    O4 - HKLM\..\Run: [2L8FCMP467GN8D] C:\WINDOWS\SYSTEM\LhoK8W3.exe

    O4 - HKLM\..\Run: [4HLQDEJ4W8T9B9] C:\WINDOWS\System32\AozDF.exe

    The startup name between brackets is 14 characters long and starts with a number ranging from 2 to 6

    Special instructions

    Download and run this file to fix Peper Trojan:
    The program needs internet access to complete the removal.
    Last edited: Apr 11, 2004
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    IRC trojan that attaches itself to the System(32) folder using a random filename.


    Log example:
    O4 - HKLM\..\Run: [leuimnd] rundll32 C:\WINDOWS\System32:leuimnd.dll,Init 1
    O4 - HKLM\..\RunOnce: [*leuimnd] rundll32 C:\WINDOWS\System32:leuimnd.dll,Init 1

    The name consists of seven letters (a-z).

    Special instructions

    Click "Start" > "Run" > type or copy&paste rundll32 <path to this DLL>,Uninstall > "OK"
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Adware and hijacker requiring special instructions

    MS T-Media Display

    Total Velocity Hijacker, also called MS T-Media Display, is an adware and hijacker component. It is bundled with a program called Memory Meter. Total Velocity Hijacker connects to (

    Log example:

    Special instructions

    Go offline and uninstall: 'MS T Media Display' in Add/Remove Software
    That is msmgt.exe.
    Reboot, Find and delete: C:\WINDOWS\MSMGT.EXE

    Then have HijackThis Fix:

    and delete MSMGT.exe and TINYINSTALLER.exe in the same directory.

  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Generates porn-popups and hijacks IE, using random filenames.


    Version one (there are more :( ) uses filenames that are 6-8 numbers long.

    Log example:
    O4 - HKLM\..\Run: [32577151.exe] C:\WINNT\System32\32577151.exe
    O4 - HKLM\..\Run: [18626040.exe] C:\WINNT\System32\18626040.exe
    O4 - HKLM\..\Run: [88517397.exe] C:\WINNT\System32\88517397.exe

    The filesize is 36 kb and they show winpup under properties.

    Special instructions

    Endtask the process, fix the startup-entry in HijackThis and after rebooting find all the files with the above properties in the System(32) directory.
    Note: the filenames may not correspond with the ones showing in the log.

    Then use the regfile below:



    Write-up done by FreeAtLast.
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Adware that uses random filenames starting up, that check if nCase has been removed. It offers to reinstall the original program.


    Log examples:
    O4 - HKLM\..\Run: [AKVC] C:\WINDOWS\AKVC.exe
    O4 - HKLM\..\Run: [ISAN] C:\WINDOWS\ISAN.exe
    O4 - HKLM\..\Run: [ALVCQ] C:\WINDOWS\ALVCQ.exe
    O4 - HKLM\..\Run: [GQLVDN] C:\WINDOWS\GQLVDN.exe

    The above are from one log. They often come in groups.

    The name between brackets and the name of the exe are always in capitals and always identical.

    The original program will show up like this:
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Advertiser suspected of spying, using random filenames. Some installs come bundled with

    FreeScratchCards (FreeScratchAndWin variant)

    Log example:
    O4 - HKLM\..\Run: [fxwnccbr] C:\WINDOWS\SYSTEM\fxwnccbr.exe

    Always uses 8 letter filenames and is located in the System(32) folder. In the same folder you will find another exe file that has a dollar sign ($) as an icon.
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Downloads and displays advertisements.

    Purityscan/Clickspring (version 1)

    Besides the winservn variant described here they also use a lot (maybe even random) 4 letter filenames as a startup entry.

    Log examples:
    O4 - HKCU\..\Run: [Ahst] C:\Documents and Settings\[username]\Application Data\iebs.exe

    O4 - HKCU\..\Run: [Soar] C:\Documents and Settings\[username]\Application Data\rwod.exe
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hijacks to and changes the function of the F9 key.


    Uses a Windows filename as a startup entry.

    Log example:

    O2 - BHO: (no name) - {BD51AEC6-7991-4A60-94D6-D5FEBB655D10} - C:\WINDOWS\SYSTEM32\IEMsg.dll
    O8 - Extra context menu item: &Define - C:\WINDOWS\Web\ERS_DEF.HTM
    O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\ERS_SRC.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\WINDOWS\Web\ERS_ENC.HTM

    Fix the entries above and delete the CSRSS.EXE in the Windows directory, not the one in System(32).
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Changes your AIM profile and redirects to talkstocks dot com and/or realphx dot com

    TalkStocks trojan

    Besides the executables, randomly named BHO's are installed.

    Log examples:

    O2 - BHO: (no name) - {4A2D7B5F-4E9E-839C-AC5C-768688C7DE8B} - C:\windows\system\itstgblg.dll

    O2 - BHO: (no name) - {CB3B59F7-43E6-A0D6-956F-3673E9738AA6} - C:\WINDOWS\system32\ntmccdds.dll

    The BHO's can be recognized because they call themselves IEloader Module.

  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hijacker and advertiser that uses randomly named BHO's with random CLSID's


    Log examples:

    O2 - BHO: (no name) - {230E68F5-3CB6-4144-8A3D-360216EE3B2C} - C:\WINDOWS\System32\insatfunc.dll

    O2 - BHO: (no name) - {A64C7BBA-EBDF-4AA2-9212-B601CD508D3B} - C:\WINDOWS\System32\oexts.dll

    O2 - BHO: (no name) - {AA3832A0-02DC-11D8-A667-0004754CD6E5} - C:\WINDOWS\SYSTEM\MOCIOLE.DLL

    O2 - BHO: (no name) - {8DC6F55B-AA4E-4FE0-9F6B-91C77BF7DCED} - C:\WINDOWS\System32\igcm32.dll

    There are two variants. One has a filesize of 100 KB and an MD5 value of 1ff2edc905384d75ead352a56bc9466a.
    The other has a filesize of 120 KB and an MD5 value of 31ff532b8363d531f75583466ef49dd3.

    Research by mjc :
  17. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Spyware that slows down your computer, and sometimes disables the possibility to close windows with the X-button. Uses random filenames for the BHO and the running executable.

    roings jimmyloader

    Log examples:

    O2 - BHO: (no name) - {6430BC19-3DA0-44CB-86A6-9BA9DFAFE16C} - C:\WINDOWS\f5QK.dll
    O4 - HKLM\..\Run: [xGQH7sL] C:\WINDOWS\g176X9J.exe

    O2 - BHO: (no name) - {F999B30F-6A4B-4E4F-8610-0D06FFD93B3E} - C:\WINNT\hkH4TG.dll
    O4 - HKLM\..\Run: [iQusLz] C:\WINNT\fAhg6Ofp.exe

    How to recognize:
    Under properties > Version tab the Original filename for the exe will show load.exe and the BHO will be wat.dll

    In the log also look for:
    O16 - DPF: {B8A04596-1C1B-48B6-9268-F2F86C9D55BC} (jimmyloader.jimmyform) - hxxp://

    O16 - DPF: {65B818E1-F4D8-4F96-A1DF-35F3D1C86194} (limmyloding.limmyform) - hxxp://
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Downloads and displays advertisements. Produces a lot of popups.

    PurityScan/Clickspring (Version 2)

    Usually found in the company of version 1 (see Reply #12)

    Log examples:

    O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsu.exe
    O4 - HKCU\..\Run: [WNSA] C:\WINDOWS\System32\wnstssu.exe
    O4 - HKCU\..\Run: [WNST] C:\WINDOWS\System32\wnsapisv.exe

    There seems to be some consistency in the filenames but they sure look the same. (See attachment)
    The description is always sear1 MFC Application.


  19. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Generates porn-popups and hijacks IE, using random filenames. Winpup renames itself each time the process is started, making it both hard to find and remove.

    Winpup (aka Atoque)

    Version two (there are more) uses filenames that are 6-8 digits long.

    Log example:
    O4 - HKLM\..\Run: [tmsmgrn] C:\WINDOWS\System32\tmsmgrn.exe
    O4 - HKLM\..\Run: [xdiagnd] C:\WINDOWS\System32\xdiagnd.exe
    O4 - HKLM\..\Run: [tildllu] C:\WINDOWS\System32\tildllu.exe

    On the version tab these have the name pupdate.exe

    Special instructions

    Endtask the process, fix the startup-entry in HijackThis and after rebooting find all the files with the above properties in the System(32) directory.
    Note: the filenames may not correspond with the ones showing in the log.

    Then use the regfile below:




    Credits to Unzy and
  20. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hijacker that uses random CLSID's for its BHO and Toolbar.

    Mirar aka NetNucleaus

    The filenames are WinNB4*.dll where * ranges from 0 to 2 (for the moment) and the file itself is in the System(32) folder

    Log examples:
    O2 - BHO: (no name) - {FADEEE2B-A045-4B68-9903-69D873EA9B18} - C:\WINDOWS\SYSTEM\WINNB42.DLL
    O3 - Toolbar: Related Page - {FADEEE2A-A045-4B68-9903-69D873EA9B18} - C:\WINDOWS\SYSTEM\WINNB42.DLL

    O2 - BHO: (no name) - {F464C39B-AEF3-4605-B865-6A9E75683A67} - C:\WINDOWS\System32\WinNB42.dll
    O3 - Toolbar: Related Page - {F464C39A-AEF3-4605-B865-6A9E75683A67} - C:\WINDOWS\System32\WinNB42.dll
  21. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Dutch porndialer. The filenames are not really random, but using so many of them that it may seem that way.

    Switch dialer

    Log examples

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/MS-Connect/Portal/portal.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Startportal/Portal/portal.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/Onlinedirect/Portal/portal.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Onlinedirect/Portal/portal.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/QuickPage/Portal/portal.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/NowOnline/Portal/portal.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/FirstEnter/Portal/portal.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/First2Enter/Portal/portal.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Plus18Point/Portal/portal.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/MStartEnter/Portal/portal.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/MStart2Page/Portal/portal.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/EnterOne/Portal/portal.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/PageOn1/Portal/portal.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/eMakeSV/Portal/portal.html

    O4 - HKLM\..\Run: [MS-Connect] C:\WINDOWS\System32\msite18.exe
    O4 - HKLM\..\Run: [MS-Connect] C:\WINNT\System32\cdm.exe
    O4 - HKLM\..\Run: [MS-Connect] C:\WINDOWS\System32\game.exe
    O4 - HKLM\..\Run: [MS-RunKey] C:\WINDOWS\System32\arr.exe
    O4 - HKLM\..\Run: [Diskstart] C:\WINNT\system32\code.exe
    O4 - HKLM\..\Run: [Diskstart] C:\WINDOWS\System32\cat.exe
    O4 - HKLM\..\Run: [Diskstart] C:\WINDOWS\SYSTEM\HIT.EXE
    O4 - HKLM\..\Run: [Diskstart] C:\WINDOWS\SYSTEM32\snt.exe
    O4 - HKLM\..\Run: [Quicktlme] C:\WINDOWS\System32\ru.exe
    O4 - HKLM\..\Run: [QuickZip] C:\WINDOWS\System32\ls.exe
    O4 - HKLM\..\Run: [QuickZip] C:\WINDOWS\System32\lu.exe
    O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\sed.exe
    O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\msgplus.exe
    O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\com.exe
    O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\dll.exe
    O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\plugin.exe
    O4 - HKLM\..\Run: [Open2Enter] C:\WINDOWS\System32\runme.exe
    O4 - HKLM\..\Run: [Open2Enter] C:\WINDOWS\System32\runme2.exe
    O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\run_21.exe
    O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\srv.exe
    O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\srv2.exe
    O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\intl.exe
    O4 - HKLM\..\Run: [Classes] C:\WINDOWS\System32\int1.exe
    O4 - HKLM\..\Run: [Classes] C:\WINDOWS\system32\mstart.exe
    O4 - HKLM\..\Run: [Classes] C:\WINDOWS\SYSTEM\MSTAR2.EXE
    O4 - HKLM\..\Run: [OpenMstart] C:\WINDOWS\System32\mcmgr32.exe
    O4 - HKLM\..\Run: [OpenMstart] C:\WINDOWS\System32\mmgr32.exe
    O4 - HKLM\..\Run: [NvCplD] C:\WINDOWS\System32\m2gr32.exe
    O4 - HKLM\..\Run: [NvCplD] C:\WINDOWS\system32\ntcpl.exe
    O4 - HKLM\..\Run: [NvCplD] C:\WINDOWS\system32\ntopengl.exe
    O4 - HKLM\..\Run: [rCron] C:\WINDOWS\System32\rcron.exe
    O4 - HKLM\..\Run: [rCron] C:\WINDOWS\System32\dservice.exe

    Other reported filenames: web.exe, patch.exe, cp.exe

    You will have to end-task the running process or boot into safe mode to be able to remove the exe file.
    Also remove the folder in the Program Files directory that holds the Portal subfolder.
    Last edited: Apr 21, 2005
  22. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    This malware makes the infected system act as an HTTP proxy. It also opens TCP ports 6690 and 5590, possibly to notify a third party.

    Agent.X trojan

    Log example:


    On every subsequent execution, this Trojan drops another copy of itself in the SR64 directory using a different random file name, which is always 8 characters long.

    Fix the entry in HijackThis and delete the entire sr64 folder in the System(32) directory.

    Credits to TrendMicro
  23. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    This Trojan Horse installs itself as a BHO and steals online banking information from web forms.


    Log example:

    O2 - BHO: (no name) - {DE862734-0DD8-49A2-91BD-0B98BB1718F9} - C:\WINDOWS\System32\lcnnn.dll

    The BHO uses a random name with up to 8 lower-case characters, e.g., "abcde.dll" or "qrstuvwx.dll". The file is 45056 bytes in length.
    The CLSID is random as well. The dll will be found in the System(32) folder.

    Removal instructions and write-up by Symantec
  24. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Adware that uses contextual advertising. It uses a BHO that can be randomly named.

    Midaddle by AdSypre

    Log examples:
    O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll

    O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner\Local Settings\Temp\6PSEAG.dll

    O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Owner\Local Settings\Temp\nz.dll

    The CLSID is always the same (for now).
  25. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Adware causing popups, specifically from


    Log examples:

    When they were not random they looked like this:
    O2 - BHO: SDWin32 Class - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINNT\system32\SWin32.dll
    O4 - HKLM\..\Run: [Adstartup] C:\WINNT\system32\automove.exe

    Now they have random filenames and CLSID's and look like this:
    O2 - BHO: SDWin32 Class - {E9079510-297A-44DA-960E-6040FD3BD74D} - C:\WINDOWS\System32\igpir.dll
    O4 - HKLM\..\Run: [igpirc] C:\WINDOWS\System32\igpirc.exe

    The name of the exe has a "c" extra at the end of the filename of the dll.
    Original filename of the dll is still SWin32.DLL
    Original filename for the exe: localFilemove.EXE
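
The naming rules given in posts 4, 7, 8, 10 and 11 above, applied to HijackThis log lines as an added Python example (not part of the original thread and not a HijackThis feature). The function names, labels, regular expressions and the two constructed sample lines are assumptions of this example; a match only marks a line for manual review.

```python
import ntpath
import re

# HijackThis line shapes as they appear in the posts above.
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: .*? - \{(?P<clsid>[0-9A-Fa-f-]{34}[0-9A-Fa-f]{2})\} - (?P<path>.+)$")
# Post 8: rundll32 loading a seven-letter DLL written as System32:name.dll.
COLON_DLL_RE = re.compile(r"rundll32\s+\S*\\system(?:32)?:[a-z]{7}\.dll,", re.I)
CLSID_PREFIX = "1F48AA48-C53A-4E21-85E7-AC7CC6B5FF"  # post 4; last byte varies

def classify_o4(name, cmd):
    if COLON_DLL_RE.search(cmd):
        return "IRC trojan: 7-letter DLL attached to System(32) folder"
    path = cmd.strip('"')
    stem, ext = ntpath.splitext(ntpath.basename(path))
    folder = ntpath.basename(ntpath.dirname(path)).lower()
    is_exe = ext.lower() == ".exe"
    # Post 7: 14 characters, first a digit 2-6 (alphanumeric rest is assumed).
    if re.fullmatch(r"[2-6][0-9A-Za-z]{13}", name):
        return "Peper: 14-char startup name starting with 2-6"
    # Post 10: file name of 6-8 digits in System(32).
    if is_exe and re.fullmatch(r"\d{6,8}", stem) and folder in ("system", "system32"):
        return "Winpup v1: 6-8 digit file name"
    # Post 11: bracket name and exe name identical and all capitals.
    if is_exe and name.isalpha() and name.isupper() and stem == name:
        return "nCase checker: identical all-caps name and exe"
    return None

def classify_o2(clsid, path):
    clsid = clsid.upper()
    if not clsid.startswith(CLSID_PREFIX):
        return None
    last = int(clsid[-2:], 16)
    stem = ntpath.splitext(ntpath.basename(path))[0]
    if 0xA2 <= last <= 0xAF:
        return "Toolbar BHO from post 4: CLSID in FFA2..FFAF"
    if last == 0xB1 and re.fullmatch(r"ms[a-z]{4}", stem, re.I):
        return "CWS variant: FFB1 CLSID with ms + 4 letters .dll"
    return None

def triage(log_text):
    """Return (label, line) pairs for the log lines that match a rule."""
    hits = []
    for line in map(str.strip, log_text.splitlines()):
        o4, o2 = O4_RE.match(line), O2_RE.match(line)
        label = (classify_o4(o4["name"], o4["cmd"]) if o4 else
                 classify_o2(o2["clsid"], o2["path"]) if o2 else None)
        if label:
            hits.append((label, line))
    return hits

# Lines from the posts above; the FFA7 BHO and ExampleTray lines are constructed.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFA7} - C:\WINDOWS\example.dll
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} - C:\WINDOWS\mslagp.dll
O4 - HKLM\..\Run: [2L8FCMP467GN8D] C:\WINDOWS\SYSTEM\LhoK8W3.exe
O4 - HKLM\..\RunOnce: [*leuimnd] rundll32 C:\WINDOWS\System32:leuimnd.dll,Init 1
O4 - HKLM\..\Run: [32577151.exe] C:\WINNT\System32\32577151.exe
O4 - HKLM\..\Run: [GQLVDN] C:\WINDOWS\GQLVDN.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""

if __name__ == "__main__":
    print(*(f"{a}: {b}" for a, b in triage(SAMPLE_LOG)), sep="\n")
```

Name patterns alone also match legitimate software, so the file properties the posts mention (description, original filename, file size) remain the confirming check.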