Microsoft security software detects and removes this threat.

This family of trojans displays pop-up advertisements depending on keywords you enter and your browsing history.

It can also monitor your actions on your PC, download applications, and send information about your PC to a remote server.

What to do now

The following Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Threat behavior


Trojan:Win32/Wintrim may arrive on your PC bundled with the Mailskinner application. It uses rootkit techniques to make system changes that you cannot see. It usually arrives as a .exe file with a random file name.

It adds a registry entry in the following subkeys so that it runs each time you start your PC:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall

Variants of Trojan:Win32/Wintrim may also create the following registry subkeys as part of their installation processes:

  • HKLM\Software\LanConfig
  • HKLM\Software\livesvc\navtime
  • HKLM\Software\exts
  • HKLM\Software\mc

The trojan may drop a .dll file into the <system folder>, for example:

  • MCv2DLL.dll
  • msclock32.dll
  • msegcompid.dll
  • msplock32.dll
  • mstmpreg32.dll
  • mswbm32.dll

Displays pop-up advertisements

Trojan:Win32/Wintrim variants usually download a .xml file, which contains the keywords and URLs that determine which pop-up advertisements they display. The .xml file also includes a blacklist, which may be used to prevent legitimate websites and search results from being displayed.

Wintrim then hijacks ads displayed by certain browsers and applications and replaces them with its own advertisements based on the received .xml file. The affected applications and browsers include:


The displayed pop-up advertisements are based on the keywords you enter in these browsers, and may be pornographic in nature.

To stop its advertisements from being blocked, it adds the following registry entry to register itself as a trusted publisher:

In subkey: HKLM\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\62119EF862C6B3A0D853419B87EB3E2F6C78640A
Sets value: "electronic-group"
With data: "goicfboogidikkejccmclpieicihhlpo jimddp"

Monitors your activities

Wintrim hooks the following APIs to gain information about your actions:

  • NtEnumerateKey
  • NtEnumerateValueKey
  • NtQueryDirectoryFile
  • NtQuerySystemInformation

It also uses the rasmon.exe application to monitor your remote access activities.

Steals sensitive data

Trojan:Win32/Wintrim sends the following information about your PC to a remote server:

  • Version of Internet Explorer
  • Version of Windows
  • Your geographic locale
  • Navipromo install date
  • Navipromo running mode
  • Name of antivirus or antimalware software installed
  • URLs located in your browser's Favorites list
  • URLs located in your browser's history

Disables applications

Trojan:Win32/Wintrim disables Norton Ghost, a backup utility.

Downloads and installs software

It connects to the website to download updates for itself.

It may also ask you to download the program NewPromoRemover to remove its advertising capabilities.

Additional information

It creates the following mutexes:

  • eshmemg_mutex
  • mymutsglwork

This could be an infection marker to prevent more than one copy of the threat running on your PC.

Analysis by Jaime Wong and Geoff McDonald


The following could indicate that you have this threat on your PC:

  • You see pop-up ads, particularly ones that are pornographic in nature, or you're redirected to search results you didn't intend to visit
  • You have these files in the <system folder>:
    • MCv2DLL.dll
    • msclock32.dll
    • msegcompid.dll
    • msplock32.dll
    • mstmpreg32.dll
    • mswbm32.dll
  • You can't run the program Norton Ghost
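
The following PowerShell check is an added example, not part of the original entry and not Microsoft's tooling. It looks up the registry subkeys, dropped .dll names, trusted-publisher certificate key and mutexes listed in this entry by exact name. Checking both registry views, the SysWOW64 folder and both mutex namespaces are assumptions; because the entry says the trojan uses rootkit techniques, an empty result on a live system is not conclusive.

```powershell
# Added example: look up the artifacts named in this entry by exact name.
# The APIs the entry lists as hooked are the ones used to list keys, values,
# files and processes, so a directory or key listing may omit these artifacts.
$regSubkeys = @(
    'Software\LanConfig', 'Software\livesvc\navtime', 'Software\exts', 'Software\mc',
    'Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\62119EF862C6B3A0D853419B87EB3E2F6C78640A'
)
$dllNames   = 'MCv2DLL.dll', 'msclock32.dll', 'msegcompid.dll', 'msplock32.dll', 'mstmpreg32.dll', 'mswbm32.dll'
$mutexNames = 'eshmemg_mutex', 'mymutsglwork'

function Get-WintrimIndicator {
    $hits = @()
    # Assumption: check both registry views, since a 32-bit sample is redirected on 64-bit Windows.
    # Shared keys (and 32-bit Windows) report the same key under both views.
    foreach ($view in 'Registry64', 'Registry32') {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', $view)
        foreach ($sub in $regSubkeys) {
            $key = $hklm.OpenSubKey($sub)   # read-only open by name, no enumeration
            if ($key) {
                $hits += [pscustomobject]@{ Type = 'RegistryKey'; Where = $view; Name = "HKLM\$sub" }
                $key.Close()
            }
        }
        $hklm.Close()
    }
    # Assumption: "<system folder>" is System32, or SysWOW64 for a redirected 32-bit process.
    foreach ($dir in "$env:windir\System32", "$env:windir\SysWOW64") {
        foreach ($dll in $dllNames) {
            if ([System.IO.File]::Exists((Join-Path $dir $dll))) {
                $hits += [pscustomobject]@{ Type = 'File'; Where = $dir; Name = $dll }
            }
        }
    }
    # Assumption: the entry gives bare mutex names, so try both kernel namespaces.
    # Local\ only covers the session this script runs in.
    foreach ($name in $mutexNames) {
        foreach ($ns in 'Global\', 'Local\') {
            $m = $null; $found = $false
            try { $found = [System.Threading.Mutex]::TryOpenExisting("$ns$name", [ref]$m) }
            catch [System.UnauthorizedAccessException] { $found = $true }   # exists, access denied
            if ($found) { $hits += [pscustomobject]@{ Type = 'Mutex'; Where = $ns; Name = $name } }
            if ($m) { $m.Dispose() }
        }
    }
    $hits
}

$result = @(Get-WintrimIndicator)
if ($result.Count) { $result | Format-Table -AutoSize } else { 'No listed Wintrim artifacts found by name.' }
```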


Alert level: Severe
First detected by definition:
Latest detected by definition: 1.177.1617.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Dec 08, 2006
This entry was updated on: Oct 11, 2013

This threat is also detected as:
No known aliases