My Bitdefender
  • 0 Shopping Cart


Facebook Twitter Google Plus




Trickler key found in HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

Bandwidth usage even when all network/internet applications are closed/idle.

Removal instructions:

Identify the trickler executable from HKLM\Software\Microsoft\Windows\CurrentVersion\Run and stop its process. Then remove its key from Run and delete the executable file itself.

Also delete HKLM\Software\ and HKLM\SOFTWARE\Classes\CLSID\{21F5A790-53EA-3D73-86C3-A5BA6CF65FE9}.

Analyzed By

Theodor-Iulian Ciobanu, virus researcher

Technical Description:

This executable is part of the Gator/GAIN advertising system. It almost never comes as standalone, but with some other ad-supported applications. Upon installation of this programs, the trickler is ran, which adds itself to HKLM\Software\Microsoft\Windows\CurrentVersion\Run, to be run at each startup, under the key Trickler.

The file name varies, depending on the version being installed. It usually resides in the temporary folder created by the installer that dropped it there, but sometimes will be copied to a separate folder by the installer.

When ran, the trickler will slowly download the rest of GAIN (Gator Advertising and Informational Network) or update it after install. It has a very low bandwidth usage in hope its traffic will remain unnoticed.

It keeps its settings under HKLM\Software\ and HKLM\SOFTWARE\Classes\CLSID\{21F5A790-53EA-3D73-86C3-A5BA6CF65FE9}.