Welcome to Merijn.nu

Older news is kept archived here. Knock yourself out. :)

All website content has been migrated to the domain Merijn.nu. Both the domain and hosting are under my control so earlier problems with expiring domains and disappearing owners should be fixed. :)

The static mirror at merijn.castlecops.com will stay online until.. well, until Paul Laudanski takes it down, I guess. His help is very much appreciated.

For some reason, my FTP account to the website has been disabled, so I am unable to update files or pages on this domain. For the time being, I will post new versions of programs on my CastleCops upload page. A working mirror of the website is available at merijn.castlecops.com but I don't have FTP access there either (yet).

BFU v1.12 is available. Changes:

• Fixed HostsFileReset
• FileWrite now inserts a linebreak first before appending data to files
• FileWrite, HostsFileAddLine, SystemMsgBox, SystemRestart now accept \t and \n when applicable (see the BFU manual for details)

*Update*: With a lot of help from cnm and Sam, I now have full access to the server and database once again. A round of applause to the both of them, thanks so much. Also thanks to the people who offered alternative hosting without me even asking. :)

A new version of BFU is available. Changes in v1.11:

• Added RegSetExpandValue to set REG_EXPAND_SZ values
• Added RegDeleteKeyIfNameContainsText/Hex to delete keys matching a mask
• Online scripts can now be executed from the commandline (i.e. bfu.exe http://www.example.com/test.bfu)
• Fixed RegResetPermissions (and others) not being recognized
• Added OptionShowLog command to force showing the logfile after script completion
• Added OptionSaveLog command to save the logfile to disk after script completion
• More extensive logging
• Fixed bug in CRC32 module with leading zeroes
• Updated CRC32 module to read files ~3 times faster

Lately a lot of people have been asking me what HijackThis is and how it got onto their system. I've answered this question so often now and pointed people to the relevant answer on my FAQ so many times, that I'm adding it here on the front page:

HijackThis is a free antispyware program for computer experts. If you paid for HijackThis, you were either scammed or sold something else. HijackThis does not automatically remove bad things, you need to decide for yourself what is good or bad in the scan results. If you want an automated antispyware program, get Spybot Search & Destroy.

If you found HijackThis on your system and you did not put it there, someone else did. HijackThis is not automatically installed, ever. If you recently brought your computer in for repairs or upgrading or fixing, or someone helped you clean up the computer of malware, most likely they installed HijackThis and forgot to remove it. BestBuy's Geeksquad uses HijackThis, and most likely more computer shops do.

If the entry in the Add/Remove Software list is not working, the person who installed HijackThis on your system did not remove it correctly. Old versions of HijackThis (1.9x and older) can be removed by running this Registry script.

I no longer own, maintain or support HijackThis. In March 2007, I sold HijackThis to TrendMicro. This includes the complete rights, the source code and customer support. I can no longer help you with error messages in HijackThis, bugs or missing features. If you use an older version of HijackThis, upgrade. If you find a bug, contact TrendMicro.

Thanks for your understanding.

A new version of BFU (Brute Force Uninstaller) is available! The new version offers better logging commands, better wildcard support and some bugfixes.
Changelog:

• Added wildcard for all Registry functions that need it
• Added: RegDelValueIfNameContainsText, RegDelValueIfNameContainsHex and RegDelValueIfDataContainsText, RegDelValueIfDataContainsHex to replace RegDelValueIfContains[x] for clarity
• Added: OptionShowLog to force show log after the script ends
• Added: LogIfFileMD5Match, LogIfFileSHA1Match, LogIfFileMD2Match, LogIfFileMD4Match, LogIfFileCRC32Match
• Added: LogIfFileExist, LogIfRegKeyExist, LogIfRegValExist
• Added: FolderClear, will attempt delete to delete all files and folders in a given folder
• Added: RegKeyResetPermissions, resets all permissions on a Registry key to the defaults (if possible)
• Added: OptionBFUExit, quits BFU
• Added: %Favorites% environment variable
• Changed FolderDelete so it uses FolderClear on fail and deletes the folder on reboot (if that option is set)
• Changed: OptionRunSilent is ignored if scriptfile is passed as commandline parameter, for safety
• Changed: Any file commands with wildcards will apply to any matches in subfolders as well
• Fixed: Windows 2003 SBS was detected as Windows XP 64-bit
• Fixed: CRC32 checksum was reversed
• Fixed: lines with unexpanded environment variables are skipped
• Removed OptionSetStatusOn command, the first OptionSetStatus triggers the status messages

As usual, the manual for all commands and their syntax is available here.
Thanks for Pieter, Mark and Savvas for helping me testdrive the betas!

I just got word that the popup on my website isn't because the server was hacked, but because Zoneedit is adding them. Since they were acquired by Dotster, they are forcing popups onto free Zoneedit accounts.

The ever awesome Paul Laudanski of CastleCops.com has contacted me about hosting merijn.org.

A quick heads-up: the popup on my website is not my doing - I have no idea how it got here. I don't run any advertising on this website, period. I'm in the process of finding out what's going on. Feel free to write an angry letter to Casalamedia, since it's their popup.

August 27: it appears one or more of the mirrors that host my website has been compromised in some way that makes the popup appear sometimes, but not always. Since Mike Healan is the only one who can do anything about this and he's not available, the next best thing I can do is change hosting. Suggestions are welcome.

Meanwhile, the popup should never appear if you use www.spywareinfo.com/~merijn to visit my website. My apologies for the inconvenience, and thanks for your understanding.

We have RSS feeds now! Like almost everything on this website, I wrote it myself. :)

• RSS 1.0
• RSS 2.0
• Atom 1.0

HijackThis 1.99.1 has just been awarded the 100% Quality And Clean Award by FileCluster! The download page is here.
Thanks FileCluster! :)

As some of you might have seen several IT news websites are offering Trend Micro HijackThis 2.00 beta. An official statement will be posted on their website soon, but since this is a public beta of theirs I figured it'd be best if I answered the question I'm going to get asked a lot, right now.
This is not fake, I sold HijackThis to TrendMicro. Their product incorporates all changes, updates and fixes that I was planning on adding in the v1.99.2 release. I made sure of that and I hope no one will be disappointed with it.
While TrendMicro does not officially support HijackThis yet, I expect they will once it goes final.

I sold HijackThis because I had been sitting on an unfinished update for over a year and I still could not make enough time to finish it. My uni classes are taking up a lot of time and I want to set my goals a bit wider than just the antispyware business (though I still love it). Sitting on an unfinished product until it becomes obsolete is not useful, so I decided to transfer the responsibility to TrendMicro (who have also taken care of my CWShredder) so they can give it proper attention and support. Where the will take HijackThis, I do not know - but I am sure they will respect its goals and what it stands for.

Like some of you might already know, Marcin (RubberDucky) from malwarebytes.org started a program that removes rogue antispyware programs. I have to admit I had been playing with the idea (mostly SmitRem) and I was very surprised to see Marcin release this. The program took off like a rocket and his database currently detects and removes 207 rogues!

This is really amazing and a superb job, and I recommend everyone paying him a visit and check it out. The freeware version is fully functional and the paid version has a resident components that can alert you immediately when a rogue is installing on the system.

Kazaa has updated its client again to version 3.2.7 (and, very briefly, 3.2.5), so in response I updated KazaaBegone to remove that as well. This new version 1.30 also prompts you to use Bullguard's own uninstaller to remove it, since it's hard for KazaaBG to remove a fully functional and installed firewall by itself.

Download KazaaBegone 1.30

A new version of Startuplist is now available. New in version 2.02 are:

• Bugfix for AppInit_DLLs listing
• Added /autosavepath: parameter to use together with /autosave. Remember to enclose paths containing spaces with quotes.

Download StartupList v2.02.

So here I am, sitting on an update for the website layout. It's all shiny and new, with PHP and MySQL and XHTML 1.0 compliancy... but it misses something. I have tried various layouts and color schemes over the past few months, but none were particularly satisfying. I've had three different people help me design something new at some point, but none turned out to be something I was really satisfied enough with to put online. It just missed that certain something I couldn't put my finger on.
But when someone emailed me, saying the Downloads page was not W3C compliant, it hit me: why change a winning team? I'll just keep the old layout and convert it!

So here it is, the new layout: all XHTML1.0 and CSS, no tables whatsoever, a more readable font size, consistent and clean. Large pages like the news pages, downloads page, FAQ and forums list are fetched from the database. This may seem pretty natural to most web designers out there, but this website was still very 1997. :)

Other new stuff:

• Added more stuff to the Frequently Asked Questions page
• Revamped the Downloads page for clarity
• Added quickmenus to several items in the navigation bar to the left
• Dropped the CWS Chronicles from the Articles page, linking to InterMute's version instead.
• Changed the animated logo to a static version.

Anyway, enjoy the new layout!

In the past few days, I noticed an increasing number of emails about my StartupList application. It appears that James Coates mentioned it in his August 15 column, which is pretty cool. (And incidentally, my birthday as well!)

So to all who are looking for it, you can download StartupList right here. It requires the Visual Basic runtime libraries and the Common Control library, but if you have Windows XP you probably already have both installed.

If you need any help finding out what all the listed programs are and what they do, try Googling the filename, or look it up at CastleCops StartupList database. Their Class ID database is very helpful as well.

Please note that there was a small error in Coates' article: StartupList only lists autostarting items, it can't remove them.

Howdy! Today I am proud to present an update to one of my long-forgotten programs, thanks to someone who told me that BFU scripts aren't simple enough for some people apparently: KazaaBegone!

It took me a while to get back into this but I updated the whole thing right up to the current Kazaa 3.2.2 version. Strangely, during the week I was busy with this project, Sharman Networks Ltd. actually released a new version of Kazaa! (When I started they were still at 3.0.) I'm pretty sure I didn't just miss 4 or more versions, I my guess is the folks over at Sharman are some kind of version freaks.

Anyway, the new KazaaBegone 1.20 removes Kazaa versions 1.0 through 3.2.2, including all bundled software that comes with it. This is including, but not limited to, CyDoor, CommonName, BDE, Altnet, P2P Networking, Gator, Bullguard, InstaFinderK, Need2Find, RX Toolbar aka Semantic Insight and a spot of Skype. KazaaBegone does not remove KazaaLite, Grokster, iMesh or any P2P software that is not Kazaa or one of its bundles. The old bug that could break your Internet connection is fixed as well.

Enjoy!

Oh, and to let people know I'm still working on it, here is a screenshot of the latest HijackThis 1.99.2 build... in Spanish!

I'd just like to point everyone to this article on SpywareGuide.com, where Jayaraj Muthu Samy details his research on the current incarnation of the phonies that run Hijack-This.net. I wrote about this site earlier, and it seems they offer up bogus antispyware tools that change every few weeks. Currently it's something called 'SpyOnThis', and they recommend it in favor of HijackThis, pretending they own that product as well and claiming it is a good alternative for non-expert users.

Do not buy this program! As you can read from both the blog post at SpywareGuide.com and Eric Howes' Rogue Antispyware List, it will only find false positives and then urge you to buy the full product. The site also misuses the copyrighted name HijackThis.

Well, Marcin told me to update, so I will. I've got a few updates to several projects queued, and since the last one (BFU) is taking me a bit longer than I expected, I'll put up the others early.

First off, ADS Spy 1.11 is updated to fix a buffer overflow bug in files with lots of streams.

Next, BHO List 1.5 has been rewritten from scratch to take advantage of the XML feed version of the CLSID list from Paul at CastleCops. It also downloads the entire library to the local system, and instead of displaying everything at once, it displays only what you search for, allowing for a massive speed boost. Suffice it to say it's not smart to search for something like '{' since the list of CLSIDs is several megabytes by now, and several thousand of items long. (This is also why the older version of BHOList was no longer able to load the list.)

Finally, StartupList 2.01 is here! I've gotten very good feedback from several users and changed a few things as well as adding some:

• Large hosts files and large Trusted/Restricted sites list are now auto-skipped, unless the user explicitly opts not to.
• Added mIRC to the 3rd-party autoruns. Shows aliases, remotes and mirc.ini.
• Fixed bug where Running Processes wouldn't be shown in Windows NT4.
• Added 'My Computer' zone to Trusted/Restricted/etc sites list.
• Added Cancel/Refresh buttons to the main window. The scan no longer automatically restarts when changing an option.
• Various assorted bugs.

I haven't forgotten about HijackThis, nor have I stopped development on it. The 1.99.2 update will arrive eventually, but I'm up to my head into classes and, sorry to say, those are my priority.

Ladies and gentlemen, it is with great pleasure that I present to you: StartupList version TWO!



The new version shows a ton of new autostart locations in a nice treeview, along with help text for each section. The right-click menu of each item offers options to show the file or Registry key, or copy the information to the clipboard.
A very special thanks to TonyKlein for his Collection of Autostart Locations, and Andrew 'SilentRunners' Aronoff's list of launch points.

Note that this new version requires the MSCOMCTL.OCX file, which is available from SpywareInfo here.

Happy new year! :)

Updated BFU to version 1.00.9 to fix a few bugs, and add support for SHA1, MD2 and MD4 checksum testing of files and processes (see the BFU manual for details).

It also came to my attention that all checksum test functions will not work properly on Windows 95, since it seems that IE6 is needed for this to work (the tests worked on Win98SE + IE6SP1), even though Microsoft says you only need IE3 or higher. The CRC32 checksum test methods will work regardless of IE version, so those can be used as a replacement function.

A vulnerability has been discovered in Windows Regedit that can cause it to hide certain Registry values. I am aware that this vulnerability also exists in HijackThis, as well as a lot of other programs that use the Registry (!).
Working on a fix/workaround.

New program added to the Downloads! The Brute Force Uninstaller (BFU) is a program to help forcibly remove unwanted software and the likes from a system. It's basically a scripting engine that can execute commands from a file, much like a batch file. The list of commands is very complete and powerful, and scripts are easy to write.
For the curious: I have already converted the old KazaaBegone to several BFU script files. Take a look at them if you would like to write your own script files. Documentation for the BFU script format is available here (RTF).

God, it's been so long since I posted something. Truth is, there was either nothing to post or no time to do something to post about. Spring break did not mean as much free time as I expected since I decided not to take a break from my job. :)

Anyway, two updates today:
Itty Bitty Process Manager has been updated to v1.03, which has several important updates. First of all, I finally fixed the bug with killing multiple processes at once. Secondly, before any process is killed, it is suspended first, stopping it from doing anything. This is very useful for Peper-like malware that uses multiple processes that keep each other alive when you kill the other one. I also added a right-click menu to the app for some easier access to some functions. All these functions will probably also be added to the IBProcMan integrated into HijackThis 1.99.2, which is currently in development.
BHOList has been bumped to v1.41.1 to fix an annoying bug loading lists. The lists are still taken from CastleCops, by the way.

McAfee is at is again, unfortunately. Yes, I am aware of the fact that McAfee detects HijackThis 1.99.1 as a generic worm. For the fourth time. Yes, I am aware of the fact that McAfee detects the StartupList standalone as an mhtml exploit webpage. This makes respectively the fifth and sixth time McAfee has mistakenly detected one of my programs as some brand of virus. And I'm getting pretty tired of this. Am I supposed to email each and every new version of a program I publish to McAfee so they can verify that UPX compression does not automatically equal a scary virus??

Thanks to the excellent help of Richard Germain, the versions of rundll32.exe on the Windows Files page are now also available in French!

Update: The owner of HijackThis.nl has resigned and the site is now run by Erik and Jahewi. I have discussed the matter with the new admins and it seems things will turn out ok after all. :) For their announcement, see here (Dutch).

Update on the previous post:
I just received word from Paretologic (who own XoftSpy) that the affiliate responsible for the page has been terminated and the site will be taken down.

Just a short note on the domain HIJACK-THIS.NET: this is not mine! It has been registered by an affiliate of XoftSpy (who are also on the Rogue Antispyware List on SpywareWarrior.com) and they are luring people into downloading their software believing it is HijackThis. Also, they have registered a few AdWords at Google leading to the same result. We'll see where this goes.
In the meantime, if you want to download any of my programs, the official domain is and always will be www.merijn.org.

Eep, it seems it has been a month and a half since I posted something on the frontpage. Better get something to write about.
First off, CHIP Online has assigned HijackThis a 5-Star Award for being the most popular download. :) Don't want to toot my own horn, but still... *beep* *beep*! Other stuff... been working on the inevitable HijackThis 1.99.2 update, which will fix several bugs and issues, but nothing major.
A new program which I've been working on for sometime now is the Brute Force Uninstaller, which basically is a scripting engine able to execute commands on an infected system, similar to the way Spybot S&D's definitions files work. I have already converted KazaaBegone to 20 script files (one for each existing Kazaa version), each about 5 kilobyte in size. And these don't have the Winsock bug KazaaBegone has :)
More to follow.

Well, it took a bit longer to finish, but finally HijackThis 1.99.1 is available! This version has a boatload of improvements and fixes a lot of bugs, the most important being the crash bug on the O23 method ('HijackThis has generated errors and needs to be closed') on certain systems.

In other news, several big antispyware companies have dropped detection of WhenU's Save! program, without notifying anyone. After WhenU partnering with Aluria it seems WhenU is up to something. Read more about it here.
[Update] It seems McAfee is detecting the new HijackThis version as W32/Generic.worm!p2p. It is not the first time this happened and probably not the last time either. There is no virus in HijackThis. McAfee incorrectly detects the PE compression method I use on all of my programs as a generic Kazaa worm. I will try to contact McAfee about this and see if the incorrect detection can be removed in their next update.
[Update 2] Success! McAfee has put out new definitions that no longer detect HijackThis 1.99.1 as a virus. ^_^

Happy new year to all!

First off, UniteTheCows has been added as a mirror for most programs at the Downloads page. They will definitely be able to take the load off the other servers.

Secondly, I am aware that what I released as the 'final' HijackThis v1.99.0 is not nearly perfect. A beta of version 1.99.1 is already being worked on that fixes over a dozen bugs and adds about another dozen more features. Expect it ready within two weeks.

In the last post, I blamed HijackThis crashes on the Ms4Hd rootkit parasite, but it seems these same crashes also occur on clean, normal systems. My apologies if I got people upset with this indirect hint that their system could be infected. If all goes well the 1.99.1 update of HijackThis will also fix this crash on clean systems. Meanwhile the old 1.98.2 version should work as a workaround either way.

Finally, I really need to update the layout on this site. I don't know about you, but the animated GIF is getting slightly on my nerves after this long. :)
I already have a general idea of the new layout, but if anyone has some fancy suggestions (within the W3C standards of course), feel free to let me know.

Well, my SpywareInfo email has been fixed, but unfortunately all email in the account was deleted (324 MB of it, probably 90% spam/viruses).

Everyone have a great Christmas and a happy New Year!

Small update: I've been seeing more and more cases of infections by trojans that kill any antivirus or antispyware programs you try to use and remove them. For such cases, I created a standalone version of the 'Itty Bitty Process Manager' inside HijackThis. It should be a bit harder for trojans to detect, since it has no window caption. If they do start targeting it by filename, rename the executable before running it and you should be good to go.
Download Itty Bitty Process Manager (IBProcMan.zip)