Windows Startup Programs database Startup Programs - Dangerous - W
The Application Database tells you which Windows startup programs are useful and which are harmful.
The recommended tool for quickly removing the useless programs is RegRun Startup Optimizer.
www.startupapps.com



Dangerous 

w32_ss.exe
wave.exe
wbecheck.exe
wcheckup.exe
wcupdater.exe
wdrun32.exe
web ex 1.4.exe
web ex[1.2].exe
web ex[1.3].exe
webcheck.exe
webdl.exe
webrebates0.exe
wgt.exe
wgtstarter.exe
whack.exe
whackamole.exe
whakamole170.exe
whakmole.exe
wilokyl.exe
win.exe
win32.exe
win32app.exe
win32cfg.exe
win32config.exe
win32snd.exe
win86.exe
win98nuke.exe
wina2b3.pif
winboot.exe
win-bugsfix.exe
wincalc.exe
wincfg.exe
wincfg32.exe
wincmp32.exe
wincrash.exe
wincrash-e.exe
windll.dll
windll.exe
windll32.exe
windns32.exe
window.exe
windown.exe
windows.exe
windowscfg.exe
windowxs.exe
windowz.exe
windriv32.exe
windriver.exe
windvd98.exe
winexe.exe
winexec32.exe
winext.exe
winfat32.exe
winfont.exe
winfunctions.exe
winguard.exe
winhe1p.exe
winhelp.exe
winhlpp32.exe
wininfo.exe
wininit.exe
winipx.exe
winipxa.exe
winitr32.exe
winkernel.exe
winkernel32.exe
winket.exe
winkif.exe
winkit.exe
winkrnl386.exe
winlink32.exe
winload32.exe
winloader.exe
winlogon.exe
winlogon.scr
winlogonn.exe
winmain.exe
winmap.exe
winmgm32.exe
winmine.exe
winmsg32.exe
winmsrv32.exe
winmuschi.exe
winn321.exe
winnuke.exe
winoldap.exe
winppr32.exe
winprot.exe
winprotecte.exe
winpsd.exe
winpup32.exe
winreg.exe
winrpc.exe
winrpcsrv.exe
winrun.exe
winsatan.exe
winsaver.exe
winserv.exe
winservices.exe
winservs.exe
winspc13.exe
winspy.exe
winsrvc.exe
winssk32.exe
winstat.exe
winstop32.exe
winsvrc.exe
winsys.exe
winsys32dll.vbs
winsyst.exe
wintask.exe
wintftp.exe
wintlb.exe
wintour.exe
winup.exe
winupd.exe
winupdsdgm.exe
winupdt.exe
winuser32.exe
winvmm32.exe
winxp.exe
winz32.exe
winzipp.exe
wkernel.exe
wmiprvsw.exe
wmmon32.exe
wsasrv.exe
wscan.exe
wsct.exe
wsct2.exe
wspool.exe
wstart32.exe
wstat32.exe
wtoolsa.exe
wuamgrd16.exe
wucmdex.exe
wupdated.exe
wupdater.exe
wupdmgr32.exe

w32_ss.exe
Trojan Haxdor.
Once launched, the program installs itself in the Windows system directory as
w32_ss.exe
It then installs its other modules on the victim machine:
debugg.dll - main module
sdmapi.sys *
boot32.sys *
c3.dll *
c3.sys *
c4.sys *
The Trojan registers itself in the system registry.

In systems running Windows 9x:

[HKLM\System\CurrentControlSet\Control\MPRServices\TestService]
DllName="debugg.dll"
EntryPoint="MemManager"
StackSize=0

In systems running Windows NT/2000/XP:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\debugg]
DllName="debugg.dll"
Startup="MemManager"
Impersonate=1
Asynchronous=1
MaxWait=1

wave.exe
PsYber Stream Server

wbecheck.exe
Spyware trojan Floid.dll.
Integrates with Internet Explorer.
1. Remove from startup.
2. Restart computer.
3. Delete Floid.dll and wbeCheck.exe.

wcheckup.exe
Steals passwords
Win-Bugsfix.exe was the name Onel de Guzman used when he wrote LoveLetter. Once the mail attachment had been executed, Barock was supposed to be downloaded and run on the victim's computer.

wcupdater.exe
Remote Access / Steals passwords
Alters Win.ini (v 2.0).

wdrun32.exe
Gaobot Trojan.
Spreads in the local network via open shares.
It also exploits the DCOM RPC vulnerability (ports 135 and 445) and the WebDAV vulnerability (port 80).
Allows the victim computer to be controlled via IRC.
Terminates well-known antivirus software.
Removal:
Install the patches from Microsoft:
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
Set strong passwords for network shares.
Use the RegRun "Terminate" feature to erase the virus body files.
They are located in the Windows\System32 folder:
Cavapsvc.exe
Csrrs.exe
Cvhost.exe
DIIhost.exe (with capital letter 'i')
Dosrun32.exe
Dos32.exe
Lsas.exe
Regloadr.exe
Schost.exe
Scvhost.exe
Service.exe
Servicess.exe
Sochost.exe
Swchost.exe
System.exe
Update.exe
Wdrun32.exe
Winhlpp32.exe
Winreg.exe
Winupdsdgm.exe

Free removal tool:
http://securityresponse.symantec.com/avc...

web ex 1.4.exe
Remote Access / FTP Server

web ex[1.2].exe
Remote Access / FTP Server

web ex[1.3].exe
Remote Access / FTP Server

webcheck.exe
Troj/Soromo-A is a browser-hijacking Trojan.
In order to run automatically when Windows starts up the Trojan copies itself to one of the following filenames in the Windows system folder:
update.exe; explorer.exe; winlogon.exe; system.exe; taskman.exe; taskmon.exe; svchost.exe; services.exe; wupdmgr.exe; winspool.exe; webcheck.exe; wininet.exe

Troj/Soromo-A periodically starts up a browser and directs it to a URL chosen randomly from a list of websites configured by the author.

Manual removal:
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System Update
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\System Update
and delete them if they exist.

webdl.exe
Remote Access / Downloading trojan
The default file downloaded by the trojan is The Infector (they are written by the same person). This could easily be changed to any file anywhere on the Web. The perpetrator just enters the URL where the wanted trojan is, and his ICQ UIN to receive notification when the infected user is online. The sender is able to destroy WebDownloader after it has downloaded its trojan file.

webrebates0.exe
Adware.
Displays advertising information on your computer.
Stop the processes:
arupdate.exe
\program files\web_rebates\disp1150.exe
\program files\webrebates\webrebates1.exe
systemroot\2805e.exe
unregister.exe
unstsa3.exe
webrebates0.exe
Remove them from startup if they exist.

Remove BHO items:
adroar.dll
systemroot\3_0_1browserhelper3.dll
systemroot\neti.dll
systemroot\system32\imgconv.dll
systemroot\system32\vic32.dll

Read more:
http://www.pestpatrol.com/PestInfo/t/top...

wgt.exe
Steals passwords
At first Ring0 came as an attached file to Winsock Version Checker. When it is active and the computer is connected to the Internet, the trojan searches for proxy servers and tries to send the collected information to an FTP server in Russia.

wgtstarter.exe
Steals passwords
At first Ring0 came as an attached file to Winsock Version Checker. When it is active and the computer is connected to the Internet, the trojan searches for proxy servers and tries to send the collected information to an FTP server in Russia.

whack.exe
Remote Access / Trojan dropper
Disguised as a game. Installs NetBus server 1.60 or 1.70 while you play a game in which you try to shoot at a bear.

whackamole.exe
Remote Access / Trojan dropper
Disguised as a fake game and installs a NetBus Pro server.

whakamole170.exe
Remote Access / Trojan dropper
Disguised as a game. Installs NetBus server 1.60 or 1.70 while you play a game in which you try to shoot at a bear.

whakmole.exe
Remote Access / Trojan dropper
Disguised as a game. Installs NetBus server 1.60 or 1.70 while you play a game in which you try to shoot at a bear.

wilokyl.exe
Remote Access
It kills more than 20 antivirus programs in memory and also four dedicated anti-trojan programs. The trojan can redirect ports and connect to several servers at the same time. It can also be used as a port scanner. Cafeini can also take another program's place in the Registry. The server is updated automatically over HTTP.

win.exe
Name: Shorm
Worm / Steals passwords / Network trojan
Propagates to all shared disks. Autostarts from the Windows Startup directory. Passwords and user names are mailed to two addresses in Russia. The .exe file is compressed using ASPack. It connects to a Web page in Russia, both to receive IP addresses to scan and to update itself.

win32.exe
Troj/StartPa-GH is a StartPage Trojan. Aliases Trojan.Win32.StartPage.gh.

Copies itself to the Windows folder with the filename WIN32.EXE
and sets a registry value at the following location in order to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Sets the following registry entry in order to change the StartPage in Internet Explorer:
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page = "http://martfinder.com/index.htm"

Sometimes appends "?aff=" and a value read from the file WIN32.DAT (in the same folder as the Trojan) to this URL.
Sets the following registry entry to instruct Internet Explorer to use a personalised stylesheet:
HKCU\Software\Microsoft\Internet Explorer\Styles\Use My Stylesheet = "1"

Troj/StartPa-GH then sets the following registry entry to point to the file WIN32.BMP in the same folder as it:
HKCU\Software\Microsoft\Internet Explorer\Styles\User Stylesheet

Automatic removal:
Use RegRun Startup Optimizer.

win32app.exe
Win32.HLLC.Nan

win32cfg.exe
Remote Access / Steals passwords
Alters Win.ini (v 2.0).

win32config.exe
W32.Paps.A@mm is a mass-mailing worm that sends itself as an attachment to the email addresses that it finds on your computer.
The email will have a variable subject and file attachment.
The attachment will have a .exe file extension:
- Pics.JPG.exe
- MailMessage.Msg.exe
- Filesharing_details.DOC.exe
- Trojan_removal_tool.exe
- Report.DOC.exe
- Documents.DOC.exe
- Removal_tool.exe

Creates the following files: %Windir%\Win32config.exe; %Windir%\Win32apps3.txt; %Windir%\Kernel32.dll; %Windir%\Ntbtlog.txt; iphist.dat.
This file is created in the same folder as the original worm file.

Adds the value: "Win32Config" = "%Windir%\win32config.exe"
in the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Scans the following file types on all the local drives for email addresses: .doc; .txt; .wab; .rtf; .htm; .html; .dbx; .xml; .msg; .php; .cgi; .pst; .nk2

Attempts to access the following Web sites:
http: //www.google.de
http: //www.hausaufgaben.de
http: //www.referate.de
http: //www.eselfilme.com
Attempts to access http: //www.whatismyip.com to get the IP address of the local system.

Automatic removal:
Use RegRun Startup Optimizer to remove this worm.

win32snd.exe
W32/Rbot-DQ is a worm which attempts to spread to remote network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

Copies itself to the Windows system folder as WIN32SND.EXE
Creates entries at the following locations in the registry so as to run itself on system startup, trying to reset them every minute:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

W32/Rbot-DQ tries to delete the C$, D$, E$, IPC$ and ADMIN$ network shares on the host computer every 2 minutes.
W32/Rbot-DQ attempts to terminate certain processes related to anti-virus and security programs including REGEDIT.EXE, MSCONFIG.EXE and NETSTAT.EXE.

Manual removal:
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
and remove any reference to WIN32SND.EXE.

win86.exe
Troj/Small-PB
Aliases: TrojanDownloader.Win32.Small.pb, Downloader-KH trojan, TROJ_SYSGOTEM.A
It is a Trojan that executes the files System87.dll and System86.dll.
If the files do not exist, the Trojan downloads System86.dll from a preconfigured URL and executes it.

In order to run automatically each time Windows is started, the Trojan sets the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinInit = Win86.exe

Please, remove it with RegRun.

win98nuke.exe
Remote Access / ICQ trojan / IRC trojan

wina2b3.pif
I-Worm.Winevar.
Dangerous virus.
Creates an executable file with a random name like "WINAB3.pif" in C:\WINDOWS\SYSTEM.
Also installs "explorer.pif" to the desktop.
To remove:
Stop the process "winab3" and remove it from startup.
Delete dangerous "pif" files.

winboot.exe
Vampire 1.2 trojan

win-bugsfix.exe
Worm / IRC Trojan / Mail trojan / Destructive trojan / Steals passwords
The worm spreads through mail or IRC. It will also try to destroy all files with the extensions .vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg, .mp3 and .mp2. May be updated from the Internet.

wincalc.exe
Backdoor.Paproxy is a Backdoor Trojan horse that allows the infected computer to be used as a network proxy.
Opens a backdoor onto the computer.

Copies itself to %System%\Wincalc.exe.
Attempts to connect to http:/ /www.yahoo.com on port 80 using a POST method.
Attempts to connect to smtp.westcowboy.com on port 80.

Manual removal:
Navigate to the keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunService
and delete the value: "LogService"="%System%\Wincalc.exe"

Navigate to the key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
and delete the values:
"ProxyServer" = ";"
"ProxyEnable" = "1"

Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
and change the value: "Shell"="Explorer.exe %System%\Wincalc.exe"
to "Shell"="Explorer.exe"

wincfg.exe
FTP server (?) / Remote Access

wincfg32.exe
Worm Ronoper trojan.
Stop this process and remove from startup.

wincmp32.exe
Asylium Family (0.1 & 0.11 & 0.12 & 0.13) trojan
Copies to C:\WINDOWS\SYSTEM\wincmp32.exe
[System.ini]
shell=explorer.exe wincmp32.exe
This is the default starting method, note that these are fully customisable including the filename
and registry keynames.

wincrash.exe
Remote Access / Steals passwords
Alters Win.ini (v 2.0).

wincrash-e.exe
Remote Access / Steals passwords
Alters Win.ini (v 2.0).

windll.dll
Backdoor.BO trojan

windll.exe
Steals passwords

windll32.exe
Remote Access

windns32.exe
W32.Gaobot.WX is a worm that attempts to spread through network shares that have weak passwords.
It allows attackers to access an infected computer through IRC.

Also Known As: WORM_AGOBOT.WN, Backdoor.Agobot.li, W32/Gaobot.worm.gen.g

Copies itself as %System%\Windns32.exe.
Adds the value: "WinDNS" = "windns32.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Connects to an IRC server and listens for commands.
Allows an attacker to control an infected computer:
- Download and execute files
- Steal system information
- Steal CD keys for various video games
- Take screenshots
- Terminate processes
- Run a SOCKS server on a compromised system

Uses a list of user names and passwords.
Ends many processes that are associated with the antivirus and firewall software.
Attempts to delete the files and registry values associated with other worms.

Use RegRun Startup Optimizer to remove it from startup.

window.exe
Remote Access
Renamed and modified versions of SubSeven.

windown.exe
Remote Access / Steals passwords
Also has a function called "Burn Monitor". This option constantly resets the screen resolution.

windows.exe
Worm.P2P.Kazmor.a
Kazmor is a P2P (peer to peer) and network worm with backdoor abilities.
This worm is very closely related to another worm - Worm.Win32.Apart.

The backdoor routine allows a remote master to perform the following actions on victim computers:
- send out detailed computer information
- steal cached passwords, MSN account login and password, as well as .NET Messenger information.
Kazmor also performs the following routines:
- spreads over local networks and to P2P networks
- receives files or download files from a Web site
- executes a file
- performs DoS attacks on remote computers
- pings a remote computer
- scans ports and IP addresses
- redirects PC ports
- sends spam messages through AOL Instant Messenger and to a mIRC channel

Manual removal:
Find and delete the following key in the system registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows = %WindowsDir%\Windows.exe

windowscfg.exe
This is a variation of the trojan Backdoor.Sdbot.
Stop this process using Process Manager, then remove it from startup with Start Control and delete the file.

windowxs.exe
W32/Sdbot-KT
This is an IRC backdoor Trojan and network worm which can run in the background as a service process and allow unauthorised remote access via the IRC channel.
It copies itself to the Windows System folder as WINDOWXS.EXE and creates the following registry entries so that this worm is run automatically on system restart:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\winlog = windowxs.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winlog = windowxs.exe

W32/Sdbot-KT remains resident listening for commands from the remote hacker.
If the appropriate commands are received the worm will begin scanning the internet for network shares with weak administrator passwords and will attempt to copy itself to these shares.
This worm can also initiate SYN flood attacks, exploit computers infected with W32/MyDoom and attempt to steal CD keys from several computer games.

Use RegRun Startup Optimizer to remove it from startup.

windowz.exe
W32.Randex.AEV is a network-aware worm that tries to connect to a predetermined IRC server.
If this worm is successful, it will wait for instructions from the attacker.

Copies itself as %System%\Windowz.exe.
Generates a random IP address.
The worm then attempts to log in to the remote computer as Administrator.

Adds the value: "Microsoft Windows GUI"="Windowz.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Connects to an IRC server and waits for commands from a remote attacker.
The attacker can:
- Perform Distributed Denial of Service (DDOS) attacks.
- Scan for computers to infect.
- Retrieve system information from the infected computer, such as CPU speed, available memory, and Windows version.
- Download and execute files from the Internet.
- Perform IRC functions, such as removing other users from the IRC channel.

Use RegRun Startup Optimizer to remove it from startup.

windriv32.exe
Troj/Small-BA is a proxy Trojan for the Windows platform.
Allows a malicious user to route information through an infected computer.
When executed it copies itself to the Windows system folder as WinDriv32.exe and then runs the copy which attempts to report the infection to a webpage.
Creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinDriv32 C:\WINDOWS\System32\WinDriv32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinDriv32 C:\WINDOWS\System32\WinDriv32.exe

Remove it from startup with RegRun Startup Optimizer.

windriver.exe
W32/Lovgate-AP is a worm which spreads by emailing itself via its own SMTP engine and by copying itself to network shares.
The worm also allows unauthorised remote access to the computer via a network.

W32/Lovgate-AP copies itself to the Windows system folder as windriver.exe and winexe.exe and adds entries to the registry at the following locations to run itself on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

The worm also modifies the entry in the registry at the following location to run itself before files with an EXE extension:
HKCR\exefile\Shell\open\command

windvd98.exe
W32.HLLW.Cult.P@mm is a mass-mailing worm that uses its own SMTP engine to send itself to randomly generated email addresses.
The worm also has IRC Trojan functionality that allows an attacker to control infected computer by using Internet Relay Chat (IRC).
The commands allow the attacker to perform any of the following actions:
Deliver system and network information to the attacker
Download and execute files
Dynamically update the installed worm
Send the worm to other IRC channels to attempt to compromise more computers
Trigger a mass-mailing function
Send email that contains the worm to any email address

Variants: W32.HLLW.Cult.M@mm

The email message has the following characteristics:
Subject: Hello , I sent you a beautiful Love Card ^_*

Body:
To see your Card, Please open the attachment
If you want to send a reply, please visit
http:/ /www.Love-card.com/Love/index.html

Thank You...

Attachment: BeautyLove.pif


Copies itself as %System%\Windvd98.exe.

Adds the value:
"dvd98"="windvd98.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
so that the worm runs when you start Windows.

Automatic Removal:
Use RegRun Startup Optimizer to remove it from the system registry.

winexe.exe
Steals passwords / ICQ trojan / Mail trojan
"Copies itself to your outgoing email as an attachment." (MooSoft)

winexec32.exe
Virus W32.HLLW.Redist.B.
It spreads by e-mail or via file-sharing networks.
Copies its body to the following files:
# %Windir%\Winexec32.exe
# %System%\Wininet32.ocx
# %System%\Mscab1_32.cab
# %System%\Mscab2_32.cab
# %System%\Mscab3_32.cab
# %System%\Mscab4_32.cab
# %System%\Mscab5_32.cab
# %System%\Mscab6_32.cab
# %Windir%\.exe
# %Windir%\.pif
# %Windir%\Card_0.pif
# %Windir%\JokeBook.pif
# %Windir%\Hackers.pif
# %Windir%\P2PInstall.exe
# %Windir%\New WinZip File.pif
# %Windir%\New Microsoft Word Document.pif
# %Windir%\New Microsoft Excel Worksheet.pif
# %Windir%\New Microsoft PowerPoint Presentation.pif
# %Windir%\New Text Document.pif
# %Windir%\New Bitmap Image.pif
Where %Windir% is your Windows folder.
Terminates known antivirus programs.
More info:
http://securityresponse.symantec.com/avc...
Remove it from startup by Start Control.

winext.exe
Worm / Mail trojan
Alters Win.ini. The worm is encrypted. It propagates to users who have earlier mailed the user of the infected computer.

winfat32.exe
Worm / IRC Trojan / Mail trojan / Destructive trojan / Steals passwords
The worm spreads through mail or IRC. It will also try to destroy all files with the extensions .vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg, .mp3 and .mp2. May be updated from the Internet.

winfont.exe
Destructive trojan
Formats the hard drive.

winfunctions.exe
Remote Access
The trojan is encrypted.

winguard.exe
Worm / Mail trojan

winhe1p.exe
It is a result of the QQPASS.E Virus.

It is a password-stealing Trojan Horse that steals passwords and user information.
The Trojan is a Visual Basic application that requires the presence of Microsoft Visual Basic run-time libraries for it to run.

It copies itself as any or all of the following file names:
C:\Windows\Winhe1p.exe
C:\Program Files\Windows.exe
C:\Winnt\System\Command.exe

Adds these values:
"Winhelp"="C:\Windows\winhe1p.exe"
"Rundll32"="C:\Program Files\Windows.exe"
"COMMAND"="C:\Winnt\system\command.exe"
"Scanreg"="name of file from which the Trojan was originally run"
to these registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the Trojan runs when you start Windows.

Opens ports 12880, 12881, 12882, and 12888 to send data to an address in China.
If it cannot open these ports, the Trojan then randomly opens ports until data can be sent.
Creates executables in the %Windir%\temp folder named PKGxxxxx.exe, where xxxxx may be any character or number.
(The file names are not always 8 characters long).


For manual removal, navigate to each of these keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the values:
"Winhelp"="C:\Windows\winhe1p.exe"
"Rundll32"="C:\Program Files\Windows.exe"
"COMMAND"="C:\Winnt\system\command.exe"
"Scanreg"="name of file from which the Trojan was originally run"

Or use RegRun Startup Optimizer to remove it from startup automatically.

winhelp.exe
The W32.HLLW.Lovgate.O@mm worm is a variant of W32.HLLW.Lovgate@mm.
This variant is also a mass-mailing worm that attempts to reply to all the email messages in the Microsoft Outlook Inbox.
The "sender" of the email is spoofed and its subject line and message vary.
The attachment name varies with a .exe, .pif, or .scr file extension.
This worm also attempts to copy itself to all the computers on a local network, using weak passwords to attempt to log in as Administrator,
and to Kazaa shared folders.

Copies itself as the following: %Windir%\Systra.exe; %System%\iexplore.exe; %System%\Media32.exe; %System%\RAVMOND.exe; %System%\WinHelp.exe; %System%\Kernel66.dll

Creates a file named AUTORUN.INF in the root folder of all the drives, except the CD-ROM drives, and copies itself as COMMAND.EXE into that folder.
Creates a zip file in the root folder of all the drives, unless the drive letter is A or B. For example: setup.rar or pass.zip.
Creates the following files: %System%\ODBC16.dll, %System%\msjdbc11.dll, %System%\MSSIGN30.DLL
These files are all the same—they are backdoor components of the worm.

Modifies the (Default) value of the registry key: HKEY_CLASSES_ROOT\exefile\shell\open\command
to: %System%\Media32.exe "%1" %* so that the worm runs when you execute any .exe files.
Terminates all the processes whose names contain any of the following strings:
KV, KAV, Duba, NAV, kill, RavMon.exe, Rfw.exe, Gate, McAfee, Symantec, SkyNet, rising

Manual removal:
In the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
please delete the values:
"Program in Windows"="%system%\iexplore.exe"
"VFW Encoder/Decoder Settings"="RUNDLL32.exe MSSIGN30.DLL ondll_reg"
"Winhelp"="%System%\WinHelp.exe"

Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
and delete the value:
"Systemtra"="%Windir%\Systra.exe"

In the key:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
delete the value:
"run"="RAVMOND.exe"

And delete the following subkey, if it exists:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ZMXLIB1

winhlpp32.exe
Gaobot Trojan.
Spreads in the local network via open shares.
It also exploits the DCOM RPC vulnerability (ports 135 and 445) and the WebDAV vulnerability (port 80).
Allows the victim computer to be controlled via IRC.
Terminates well-known antivirus software.
Removal:
Install the patches from Microsoft:
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
Set strong passwords for network shares.
Use the RegRun "Terminate" feature to erase the virus body files.
They are located in the Windows\System32 folder:
Cavapsvc.exe
Csrrs.exe
Cvhost.exe
DIIhost.exe (with capital letter 'i')
Dosrun32.exe
Dos32.exe
Lsas.exe
Regloadr.exe
Schost.exe
Scvhost.exe
Service.exe
Servicess.exe
Sochost.exe
Swchost.exe
System.exe
Update.exe
Wdrun32.exe
Winhlpp32.exe
Winreg.exe
Winupdsdgm.exe

Free removal tool:
http://securityresponse.symantec.com/avc...

wininfo.exe
W32.Kwbot.C.Worm.
While it is running, the Start menu and taskbar are not visible at Windows startup.
The W32.Kwbot.C.Worm attempts to send itself through the KaZaA and iMesh file-sharing networks.
This worm can also be used by an attacker to take control of the computer (trojan capability).

Can be in 3 different registry locations:

HKLM\..\Run: [,main drive Loader] wininfo.exe
HKLM\..\RunServices: [,main drive Loader] wininfo.exe
HKCU\..\Run: [,main drive Loader] wininfo.exe

You must delete all three instances of wininfo.exe.
Greatis Startup Optimizer will help you do it quickly.

wininit.exe
Check the manufacturer of this file.
If it is not a Microsoft component, you have a Worm / Destructive trojan / Network trojan.
It alters Win.ini. It is also found in the Windows Startup directory. Msinit spreads itself through open network shares and disconnects infected computers from the network. Most of the files are packed using different versions of UPX. Dnetc is a legitimate program that may have been installed previously; in this case it is used illegally.

winipx.exe
Virus / Hacking tool
Opens port 531 for communication. One of very few viruses with hacking capabilities. Notepad.exe is given the new name Notepadx.exe and the virus takes the old name. When installed, the virus notifies its creator at one of four different IP addresses in New Zealand.

winipxa.exe
Virus / Hacking tool
Opens port 531 for communication. One of very few viruses with hacking capabilities. Notepad.exe is given the new name Notepadx.exe and the virus takes the old name. When installed, the virus notifies its creator at one of four different IP addresses in New Zealand.

winitr32.exe
W32/Forbot-C is a worm which attempts to spread to remote network shares.
The worm also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels.
It moves itself to the Windows system folder as winitr32.exe and creates the following registry entries to run itself on system logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win32 Wmls Driver = winitr32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 Wmls Driver = winitr32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32 Wmls Driver = winitr32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Win32 Wmls Driver = winitr32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win32 Wmls Driver = winitr32.exe

Attempts to spread to network machines using various exploits including the LSASS vulnerability.
Also, attempts to terminate several processes related to anti-virus and security related software.

Remove it from startup with RegRun Startup Optimizer.

winkernel.exe
Remote Access / Destructive trojan / Virus dropper
It copies itself to c:\recycled to avoid detection by some antivirus programs.

winkernel32.exe
Remote Access

winket.exe
Dangerous trojan.
Use Process Manager to kill it in memory, after that remove from startup.

winkif.exe
Klez virus
It adds files with random names: "Wink*"
Remove it.

winkit.exe
Dangerous trojan.
Use Process Manager to kill it in memory, after that remove from startup.

winkrnl386.exe
Also Known as TrojanProxy.Win32.Zebroxy [KAV]
Backdoor.Zebroxy is a Trojan that opens port 8173 and runs as a proxy server under Windows 2000/XP.

When Backdoor.Zebroxy is run, it does the following:

1. Adds the string value:
"Microsoft Windows Kernel Services"="%System%\winkrnl386.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
so that the Trojan runs when you start Windows.

2. Sets the string value:
"EnableDCOM"="N"
in the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
to disable remote connections using DCOM.

3. Opens TCP port 8173 and runs as a proxy server.

Follow these instructions to remove this trojan:

1. Restart the computer in Safe mode.
2. Open your antivirus application, run a full system scan and delete all the files detected as Backdoor.Zebroxy.
3. Delete the values from the registry:

a. Select the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value:
"Microsoft Windows Kernel Services"="%System%\winkrnl386.exe"

b. After that navigate to the key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value:
"Microsoft Windows Kernel Services"="%System%\winkrnl386.exe"

c. And go to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
set the value for "EnableDCOM" to:
"EnableDCOM"="Y"

winlink32.exe
W32.Gaobot.AAY is a minor variant of W32.Gaobot.SY.
Also known as: W32.HLLW.Gaobot.gen, W32/Gaobot.worm.gen.d, Backdoor.Agobot.kr
This worm attempts to spread through network shares with weak passwords.
It also allows attackers to access an infected computer using a predetermined IRC channel.
Sniffs HTTP, FTP, and IRC traffic.
Disables other worms by deleting their files, associated registry values, and by terminating their processes.
Steals the Windows product ID and CD keys from some video games.
The worm uses multiple vulnerabilities to spread, including:
DCOM RPC, WebDav, Workstation service buffer overrun, etc.

It also sends itself to the backdoor ports that the Beagle and Mydoom families of worms open.

Copies itself as:
%System%\winlink32.exe

Adds the string value: "Winlink"="winlink32.exe"
to these registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

Terminates a long list of processes, including: irun4.exe; i11r54n4.exe; winsys.exe; bbeagle.exe; taskmon.exe
Makes attempts to connect to some Web sites fail.
Starts an FTP server on a randomly selected TCP port.

Manual removal:
Navigate to each of the following keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
and delete the value: "Winlink"="winlink32.exe"

winload32.exe
Remote Access / Steals passwords / EXE Binder
May alter Win.ini and/or System.ini. Based on SubSeven. Some of the files are packed with UPX 1.01. It comes with several different skins and supports plug-ins, so features may change. With Undetected, the hacker is able to write and execute different types of scripts, such as .bat and .vbs files, on the infected machine.

winloader.exe
Remote Access / Steals passwords / EXE Binder
May alter Win.ini and/or System.ini. Based on SubSeven. Some of the files are packed with UPX 1.01. It comes with several different skins and supports plug-ins, so features may change. With Undetected, the hacker is able to write and execute different types of scripts, such as .bat and .vbs files, on the infected machine.

winlogon.exe
I-Worm.Netsky.d is a worm that infects computers through the Internet as an attachment to infected emails.

Infected email message has the following characteristics:
Random header.

Body is one of the following:
Here is the file.
Please have a look at the attached file
Please read the attached file.
See the attached file for details.
Your document is attached.
Your file is attached.

Attachment: all_document.pif, application.pif, document.pif, document_4351.pif, document_excel.pif, document_full.pif, document_word.pif, etc.

Copies itself to the %System% folder as "winlogon.exe"
and adds the value to the registry key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
Searches for email addresses in files with the following extensions: adb, asp, dbx, doc, eml, htm, html, msg, oft, php, pl, rtf, sht, tbb, txt, uin, vbs, wab.
Attempts to send email messages using its own SMTP list.
Some of them:
145.253.2.171
151.189.13.35
193.141.40.42
193.189.244.205
193.193.144.12
and so on.

Attempts to remove Mydoom worm from the infected machine.
Also it deletes the keys:
"KasperskyAv" and "system."
from the system registry.

winlogon.scr
W32.Netsky.AA@mm is a variant of W32.Netsky.Z@mm that scans for email addresses on all non-CD-ROM drives on the infected computer.
It uses its own SMTP engine to send itself to xdfggra@yahoo.com and to the email addresses that it finds.
Its Subject, Message, and Attachment vary. The attachment has a .pif extension.

Also Known As: WORM_NETSKY.AA, W32/Netsky.aa@MM, Win32.Netsky.AA, W32/Netsky-AA
Variants: W32.Netsky.X@mm, W32.Netsky.Y@mm, W32.Netsky.Z@mm

Copies itself as %Windir%\Winlogon.scr.
Adds the value: "SkynetRevenge"="%Windir%\winlogon.scr"
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

If the file name does not contain the string "scr", it will display the following message:
Title: Error
Message: Out of system memory

Scans drives (excluding CD-ROM drives) and retrieves email addresses from any files that have predefined extensions.

Use RegRun Startup Optimizer to automatically remove this virus.

winlogonn.exe
W32.Randex.FC is a network-aware worm that will copy itself as the following files:
\Admin$\system32\GT.exe
\c$\winnt\system32\GT.exe

The worm receives instructions from an IRC channel on a predetermined IRC server. One such command will trigger the aforementioned spreading.
Steals the CD key of some popular games.

It does the following:
Copies itself as %System%\Winlogonn.exe.

Calculates a random IP address for a computer that it will try to infect.
Attempts to authenticate itself to the randomly generated IP addresses.
Copies itself to computers that have weak administrator passwords, at the following locations:
\\\Admin$\system32\GT.exe
\\\c$\winnt\system32\GT.exe

Remotely schedules a task to run the worm on a newly infected computer.

For manual removal, please delete value: "Windows mangement"="winlogonn.exe"
from the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Removal:
Use RegRun Startup Optimizer.

winmain.exe
One of the first of a new breed of malware.
When run it immediately loads MSHTA.EXE from the Windows folder, placing it on "hot standby", ready to accept HTA scripting within a web page and then EXECUTE what is embedded IN the page as a program! In other words, it's possible for a "rogue" website to actually embed trojans, worms and/or viruses directly into a web page. BOClean's HTA Stop offers an easy way to toggle this capability, or rather vulnerability, on and off. I suggest you leave it disabled!

It's now possible for a "rogue" website to actually embed trojans, worms and/or viruses directly into a web page. In the past, pages that offer seemingly attractive downloads which contain such malware required you to click to start any download to your computer. Now it's become automatic, using features in the Windows operating system known as scripting. These scripts can load programs without you knowing, and then they run immediately. All you have to do is visit the site, without doing anything besides viewing the page.

HTAstop acts as a brickwall against these scripts, disabling them so the download doesn't occur. HTAstop protects you against one variety of script, our IEClean covers all twenty seven.

winmap.exe
Remote Access
Compressed using the packer UPX. Is able to start your browser at a specified address that could be changed from time to time.

winmgm32.exe
I-Worm.Sobig.
Installs backdoor program \windows\DWN.DAT.
Stop the processes: winmgm32 and dwn.
Remove from startup.

winmine.exe
Worm / Network trojan / DoS tool / Destructive trojan
Alters Win.ini. The worm propagates using shared drives. After completing an installation it sends a message to the newsgroup "alt.horror". Also tries to connect to computers with SubSeven or NetBus installed. Kills ZoneAlarm firewall.

winmsg32.exe
Remote Access

winmsrv32.exe
W32.Gaobot.AFJ is a worm that spreads through open network shares, backdoors that the Beagle and Mydoom worms install, and several Windows vulnerabilities.
The worm can also act as a backdoor server program and attack other systems.
Additionally, the worm attempts to stop the process of many antivirus and security programs.

Copies itself as one of the following:
%System%\msiwin84.exe
%System%\Microsoft.exe
%System%\WinMsrv32.exe
%System%\soundcontrl.exe
%System%\msawindows.exe

Adds one of these values:
"Microsoft Update"="msiwin84.exe"
"Microsoft Update"="Microsoft.exe"
"WinMsrv32"="WinMsrv32.exe"
"soundcontrl"="soundcontrl.exe"
"Microsoft Update"="msawindows.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Copies itself and executes on any remote shares to which it successfully authenticates.

Use RegRun Startup Optimizer to automatically remove this worm.

winmuschi.exe
WINMUSCHI dialler.
When Dialer.Winmuschi runs, it displays a window inviting you to access "my webcam" using a premium rate telephone number.
This dialer program is installed through various Web sites, mainly with pornographic contents.
It copies itself as %Windir%\Winmuschi.exe.
It also creates a link to itself on the Windows desktop and adds itself to the Start menu.
Manual removal:
Delete the link on the Windows desktop and from the Start menu.
Auto remove:
Use RegRun Startup Optimizer to remove it from startup.

winn321.exe
Dangerous trojan. Remove it.

winnuke.exe
Trojan dropper
A fake nuker that installs the F0replay server.

winoldap.exe
Remote Access / Virus dropper / Virus
Virusserver actually binds to other .exe files by infecting them.

winppr32.exe
Worm Sobig.f.
Spreads via e-mail as attached file.
Usually used message subjects:
Re: That movie
Re: Wicked screensaver
Re: Your application
Re: Approved
Re: Re: My details
Re: Details
Your details
Thank you!
Re: Thank you!
Attached file names:
movie0045.pif
wicked_scr.scr
application.pif
document_9446.pif
details.pif
your_details.pif
thank_you.pif
document_all.pif
your_document.pif
Also it spreads via local network using open shares.
Removal:
Kill it using Greatis Startup Optimizer.

winprot.exe
Remote Access / Destructive trojan
Alters Win.ini.

winprotecte.exe
Steals passwords
Steals the Dial-Up Networking passwords and sends them via e-mail.

winpsd.exe
I-Worm.Mydoom.q
Mydoom.q is an Internet worm that spreads via an email attachment.
Email characteristics:
Subject: photos
Body text: LOL!;))))
Attachment name: photos_arc.exe
Scans the infected machine for files with email addresses.
Mydoom.q attempts to download Backdoor.Win32.Surila.g, a Trojan, from a list of infected sites contained in the body of the worm.
It is programmed to stop spreading on August 20 at 21:11:11 (according to the local machine time).
However, Backdoor.Win32.Surila.g does not have an expiration date, meaning that infected machines remain open to remote administration unless the Trojan is removed.

Manual removal:
Please, find the key in the system registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and delete the value: "winpsd"="\winpsd.exe"

winpup32.exe
Installed covertly on your computer through an IE security hole.
Displays advertising. A large number of popups may cause the user's computer to freeze.
Remove it from startup by Start Control.

winreg.exe
Gaobot Trojan.
Spreads in local network via open shares.
It also uses the DCOM RPC vulnerability (ports 135 and 445) and the WebDav vulnerability (port 80).
Allows the victim computer to be controlled via IRC.
Terminates well-known antivirus software.
Removal:
Install the patches from Microsoft:
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
Set strong passwords for network shares.
Use RegRun "Terminate" feature to erase the virus body files.
They are located in Windows\System32 folder.
Cavapsvc.exe
Csrrs.exe
Cvhost.exe
DIIhost.exe (with capital letter 'i')
Dosrun32.exe
Dos32.exe
Lsas.exe
Regloadr.exe
Schost.exe
Scvhost.exe
Service.exe
Servicess.exe
Sochost.exe
Swchost.exe
System.exe
Update.exe
Wdrun32.exe
Winhlpp32.exe
Winreg.exe
Winupdsdgm.exe

Free removal tool:
http://securityresponse.symantec.com/avc...

winrpc.exe
Lovgate worm (also known as Supnot)
Worm copies have the following names:
rpcsrv.exe, syshelp.exe, winrpc.exe, WinGate.exe, WinRpcsrv.exe
Installs backdoor program to your computer for remote control.
Remove it from startup.

winrpcsrv.exe
Lovgate worm (also known as Supnot)
Worm copies have the following names:
rpcsrv.exe, syshelp.exe, winrpc.exe, WinGate.exe, WinRpcsrv.exe
Installs backdoor program to your computer for remote control.
Remove it from startup.

winrun.exe
Remote Access / Virus dropper / Virus
Virusserver actually binds to other .exe files by infecting them.

winsatan.exe
FTP server / IRC trojan
Described as a security checker for SATAN. Tries to connect to one of nine IRC servers and send information about the infected computer to them.

winsaver.exe
Steals passwords / AOL trojan
Alters Win.ini and System.ini. Steals passwords from AOL accounts and sends them to one of several Hotmail addresses.

winserv.exe
Remote Access / Keylogger

winservices.exe
I-Worm.Lentin
Stop this process via RegRun Process Manager and remove from startup.
Check your IE homepage via Control Panel->IE Settings.

winservs.exe
Advertising Spyware.
1. End process WINSERVS.
2. Remove it from startup.

winspc13.exe
Remote Access / ICQ trojan
Version 1.6 autoloads through changes in System.ini and Win.ini. Version 1.5 uses the Registry and System.ini to autoload.

winspy.exe
Steals passwords

winsrvc.exe
Destructive trojan
Rasmin uses up all the memory and the infected computer crashes regularly.

winssk32.exe
This is SOBIG worm.
Read full information at:
http://www.lurhq.com/sobig-e.html
Remove it from startup by RegRun Startup Optimizer.

winstat.exe
Steals passwords / ICQ trojan
Displays a firework and simultaneously starts in the background. Sends the passwords encrypted via e-mail.

winstop32.exe
Remote Access
Alters Win.ini and System.ini. A server editor makes it possible for an intruder to change the port used and the UIN to notify upon a new successful installation.

winsvrc.exe
Worm / Mail trojan / Destructive trojan
When executed, Navidad displays an Error box with the text "UI". After the user has pushed OK, a blue eyes icon is placed in the Taskbar. Due to a mistake on the author's side, when it writes to Hkey_Classes_Root, the system may crash and become unusable. Suppresses the running of any .exe files. Reads incoming mails and sends itself back in return.

winsys.exe
Remote Access / Steals passwords / ICQ trojan
Alters System.ini.

winsys32dll.vbs
I-Worm.Horillka
This malicious worm spreads via the Internet in the form of a file attached to infected messages.

It copies itself to the Windows system directory under the name WinSys32dll.vbs, and registers this file in the system registry autorun key.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinSys32dll.
The virus mass mails all addresses found in the Microsoft Outlook address book.

Characteristics of infected messages:
Message header:
Внимание!
(English translation: Attention!)
Message body:
Выпущено новое vbs обновление для поиска вирусов в памяти ОС Windows!
Оно помогает бороться с вирусами, рассылающимися по почте.
Антивирусный модуль написан на скрипт-языке, что помогает перехватывать
vb и js вирусы, прежде чем они начнут деструктивную деятельность.
Достаточно открыть файл и программа по устранению вирусов проведет поиск
вредоносных программ в памяти компьютера.
(English translation: A new vbs update for finding viruses in Windows OS memory has been released! It helps fight viruses that spread by mail. The antivirus module is written in a script language, which helps intercept vb and js viruses before they begin their destructive activity. Just open the file and the virus removal program will search for malicious programs in the computer's memory.)
Attachment:
WinSys32.dll.vbs

Once messages have been sent, the virus sends its author a message which includes all .pwl (password) files found in the Windows directory.
The virus copies itself to all disks and all directories under the name of Folderdll.vbs and marks these files as hidden.
It searches the Windows folder for files with the following extensions: .vbs; .jpg; .jpeg; .gif; .bmp; .htm; .html; .avc; .txt; .doc; .mp3; .wav; .dbf

- Horilka overwrites .vbs files with its own code.
- It replaces .jpg, .jpeg, .gif and .bmp files with a GIF format graphic contained in the body of the virus.
- It adds the following code to .htm and .html files:
object id='test' data='#' width='100%' height='100%' type='text/x-scriptlet' VIEWASTEXT
- .avc files are overwritten with the phrase:
Vyatka was here
- .txt and .doc files are overwritten with the following text:
Уважаемые господа! Вас хакнул вирус из Вятки - задницы России.
Dear friends! You was hacked by virus from Vyatka (situated in deep ass of Russia)
..:: Xpi1oT ::..
- .mp3 and .wav files are replaced by sound files contained in the body of the worm
- If the worm finds any files with a .dbf extension, it deletes them

The virus displays the announcement: COOOOOOOOL
on 11th December every year, and overwrites the autoexec.bat file with the commands to format your hard disks.

Use RegRun Startup Optimizer to automatically remove this registry item.

winsyst.exe
W32/Rbot-DL is a network worm and backdoor Trojan for the Windows platform.
Allows a malicious user remote access to an infected computer.
W32/Rbot-DL spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.
W32/Rbot-DL can be controlled by a remote attacker over IRC channels.

Manual removal:
Go to the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
and delete the value:
Microsoft Update = winsyst.exe

wintask.exe
Worm / Mail trojan / Destructive trojan
When executed, Navidad displays an Error box with the text "UI". After the user has pushed OK, a blue eyes icon is placed in the Taskbar. Due to a mistake on the author's side, when it writes to Hkey_Classes_Root, the system may crash and become unusable. Suppresses the running of any .exe files. Reads incoming mails and sends itself back in return.

wintftp.exe
W32/Sdbot-KE is a network worm and backdoor for the Windows platform.
The backdoor component allows a malicious user remote access to an infected computer via IRC.
The worm spreads by exploiting network shares with weak passwords.
W32/Sdbot-KE copies itself to wintftp.exe in the system folder on remote computers and runs the copy.

Manual removal:
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
and delete the value:
Win FTP = wintftp.exe

wintlb.exe
ServeMe
FTP server

wintour.exe
Remote Access
Modified Acid Shiver Server.

winup.exe
W32/Sdbot-LS is a member of the W32/Sdbot family of worms with backdoor component.
When active the worm attempts to connect to a remote IRC server and allows a malicious user remote access to the infected computer.
In order to run automatically when Windows starts up, the worm copies itself to the file winup.exe in the Windows system folder and adds some registry entries.
These entries can be easily removed with RegRun.

winupd.exe
Status: This is a trojan.
Read more:
http://www.dark-e.com/archive/trojans/en...

Recommendation: Stop its running and delete winupd.exe.

winupdsdgm.exe
Gaobot Trojan.
Spreads in local network via open shares.
It also uses the DCOM RPC vulnerability (ports 135 and 445) and the WebDav vulnerability (port 80).
Allows the victim computer to be controlled via IRC.
Terminates well-known antivirus software.
Removal:
Install the patches from Microsoft:
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
Set strong passwords for network shares.
Use RegRun "Terminate" feature to erase the virus body files.
They are located in Windows\System32 folder.
Cavapsvc.exe
Csrrs.exe
Cvhost.exe
DIIhost.exe (with capital letter 'i')
Dosrun32.exe
Dos32.exe
Lsas.exe
Regloadr.exe
Schost.exe
Scvhost.exe
Service.exe
Servicess.exe
Sochost.exe
Swchost.exe
System.exe
Update.exe
Wdrun32.exe
Winhlpp32.exe
Winreg.exe
Winupdsdgm.exe

Free removal tool:
http://securityresponse.symantec.com/avc...

winupdt.exe
W32/Rbot-FP is a worm that also has backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels.
Spreads to network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element receiving the appropriate commands from a remote user.

It also sets the registry entries below:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM="N"
HKLM\SYSTEM\ControlSet001\Control\Lsa\restrictanonymous=dword:00000001
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous=dword:00000001

It will try to delete network shares on the infected system and will terminate running processes related to anti-virus, computer security and system administration that could potentially be used to remove W32/Rbot-FP from the infected system.

Remove it by using RegRun Startup Optimizer.

winuser32.exe
W32/Sdbot-KF
Aliases: Backdoor.Spyboter.gen, W32/Spybot.worm.gen.a, Win32/Spyboter.M
It is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels.
Copies itself to the Windows system folder as WINUSER32.EXE

Creates entries in the registry at the following locations so as to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Attempts to terminate some processes relating to antivirus and security programs including REGEDIT.EXE, PING.EXE and NETSTAT.EXE.
Attempts to set the following registry entry to prevent access to some registry tools:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 1

Spreads to network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element receiving the appropriate command from a remote user, copying itself to NTLORD.EXE on the local computer at the same time.

W32/Sdbot-KF may log user keystrokes to a file called KEYLOG.TXT and network information to a file called SCANZ.TXT.

You can automatically remove it from startup with RegRun Startup Optimizer.

winvmm32.exe
Remote Access / Steals passwords
The VB6 files can be tricked onto a victim's computer when he/she runs the game Father Jack Simulator (JackSim.exe).

winxp.exe
I-Worm.Bagle.ai
Spreads via the Internet as an attachment to infected messages and also via P2P networks.
Searches disks for files with some extensions and sends itself to all addresses harvested from these files.
The worm can send itself as a password protected ZIP archive. If it does this, the password will be shown in the message body. The password may be in text or graphical format.
Opens port 1080 and another port chosen at random. It then tracks port activity.
It is programmed to cease activity and self-destruct after 5th May 2006.
It tracks the execution of most well-known antivirus products and firewalls and terminates these processes.
The worm's body contains a list of URLs. It attempts to download from these sites. (At the moment of writing, none of the sites are functioning.)

Manual removal:
Navigate to the key:
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
and delete the value: "key"="%system%\winxp.exe"
Also delete the following files in the Windows system directory:
winxp.exeopen
winxp.exeopenopen
winxp.exeopenopenopen
winxp.exeopenopenopenopen

winz32.exe
Added as a result of the SDBOT.Q virus.

Backdoor.SDBot.Q is a backdoor Trojan horse that can be controlled through an IRC server.

When Backdoor.SDBot.Q is executed, it attempts to perform the following actions:
Creates a copy of itself as %SYSTEM%\winz32.exe.

And adds the value:
"INTERNET_SERVISES" = "winz32.exe"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Connects to the IRC server, greenz.dyn.nu, joins a predefined channel, and waits for commands from the hacker.

The commands include, but are not limited to, the following:
- Manage the backdoor.
- Control the IRC client on an infected computer.
- Open and close the CD-ROM drive.
- Add files to the KaZaA, Grokster, and Bearshare shared folders. This Backdoor contains a large list of file names, which it attempts to use.
- Download and execute files.
- Start or Terminate processes.
And others.

Manual removal:
Navigate to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value:
"INTERNET_SERVISES"="winz32.exe"

Automatic removal:
Use RegRun Startup Optimizer to remove it from startup.

winzipp.exe
Shadow Phyre
Remote Access / IRC trojan

wkernel.exe
Distributed DoS tool
Storm's client is able to control five "zombies" (infected machines).

wmiprvsw.exe
W32.Gaobot.AFC is a worm that spreads through open network shares and several Windows vulnerabilities including:
- The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
- The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.
- The Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011).

The worm also spreads through backdoors that the Beagle and Mydoom worms and the Optix family of backdoors install.
The worm can also act as a backdoor server program and attack other systems.
Additionally, the worm attempts to stop the process of many antivirus and security programs.

Copies itself as %System%\wmiprvsw.exe.

Adds the value: "System Updater Service"="wmiprvsw.exe"
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Adds the value: "System Updater Service"="wmiprvsw.exe"
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Automatic removal:
Use RegRun Startup Optimizer.

wmmon32.exe
W32/Agobot-KQ is an IRC backdoor Trojan and network worm.
It is capable of spreading to computers on the local network protected by weak passwords.
When first run it copies itself to the Windows system folder as wmmon32.exe and creates the following registry entries to run itself on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WSSAConfiguration = wmmon32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\WSSAConfiguration = wmmon32.exe

Each time W32/Agobot-KQ is run it attempts to connect to a remote IRC server and join a specific channel.
Runs continuously in the background, allowing a remote intruder to access and control the computer via IRC channels.
Attempts to terminate and disable various anti-virus and security-related programs.

You can automatically remove it from startup with RegRun Startup Optimizer.

wsasrv.exe
Remote Access / ICQ trojan
Version 1.6 autoloads through changes in System.ini and Win.ini. 1.5 uses Registry and System.ini to autoload.

wscan.exe
Attack Ftp trojan

wsct.exe
Remote Access / HTTP server
Basically the trojan converts the infected computer into a Web server, which in turn is controlled by the intruder's browser.

wsct2.exe
Remote Access / HTTP server
Basically the trojan converts the infected computer into a Web server, which in turn is controlled by the intruder's browser.

wspool.exe
Destructive trojan
Rasmin uses up all the memory and the infected computer crashes regularly.

wstart32.exe
W32.HLLW.Gaobot.CA is a minor variant of W32.HLLW.Gaobot.AO.
It attempts to spread to network shares that have weak passwords and allows hackers to access an infected computer through an IRC channel.

The worm uses multiple vulnerabilities to spread, including:
The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135
The RPC locator vulnerability (described in Microsoft Security Bulletin MS03-001) using TCP port 445
The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80
Steals CD keys of computer games.
Allows unauthorized execution of remote commands. Terminates security software programs.
Listens on randomly calculated ports, ranging from 1000 to 3000 and one from above 10000, and waits for other computers to download the worm.
Copies itself to administrative shares on machines with weak passwords as %System%\wstart32.exe.

And adds the value:
"Windows Loader"="wstart32.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
and
"Configuration Loader" = "%System%\wstart32.exe" -service
to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nm

Use RegRun Startup Optimizer to automatically remove it from startup.

wstat32.exe
Backdoor.IRC.Loonbot is a Trojan horse that has backdoor capabilities.
It can allow an attacker to remotely control your computer using Internet Relay Chat (IRC).
This Trojan can also download and execute files.

Copies itself as %System%\Wstat32.exe and executes that copy.

May display a fake error Message Box titled, "Error-384," with the text:
A valid data link was not found, deleting file
Waits for an Internet connection, and when one is opened, it connects to a remote IRC server, notifies the attacker, and then waits for commands.

This Trojan can perform the following actions:
Remove and uninstall itself
Delete files
Restart the computer
Run specified commands
Rename files
Create or delete folders
List and end processes
Perform an ICMP attack on a specified host

Manual removal:
Navigate to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value:
"Wstat32 driver"="%System%\Wstat32.exe"

Use RegRun Startup Optimizer to remove it from startup.

wtoolsa.exe
Browser spyware.
It's a new version of the IBIS Toolbar family
http://www.pestpatrol.com/PestInfo/i/ibi...
Remove it from startup.

wuamgrd16.exe
W32.Gaobot.AQS is a worm that spreads through open network shares and several Windows vulnerabilities.
It can act as a backdoor server program and attack other systems.
It attempts to stop the processes of many antivirus and security programs.
Attempts to end some virus processes.
Attempts to steal the product ID for Windows, and the CD keys of some computer games.

Copies itself to %System%\Wuamgrd16.exe.
Adds the value: "Microsoft Update"="wuamgrd16.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Connects to a remote IRC server and awaits commands from the remote attacker.
Attempts to copy itself to other computers through the following remote administrative SMB shares: c$; d$; e$; print$; admin$
Upon successful authentication it copies itself to the remote system.
Schedules a Network job to run the worm on the remote system.

Use RegRun Startup Optimizer to automatically remove this worm.

wucmdex.exe
W32/Rbot-DO
Aliases: Backdoor.Rbot.gen, BackDoor-CGS trojan
It is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality.
Spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
Moves itself to the Windows system folder as WUCMDEX.EXE
and creates entries in the registry at the following locations to run on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\[x]
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\[x]
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[x]

Automatic removal:
Use RegRun Startup Optimizer.

wupdated.exe
This is the MOEGA VIRUS!
The W32.HLLW.Moega executable may appear as the following file: wupdated.exe

When it is executed, it does the following:
Copies itself as %System%\Wupdated.exe or %System%\Mplupdate.exe.
%System% = C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Adds the value:
"Configuration Loaded" = "wupdated.exe"
or:
"Windows Update" = "mplupdate.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

It then attempts to connect to other computers on the same subnet.
For example, if the infected computer's IP address is A.B.C.D, it will try to connect to all the systems on the local area network, A.B.C.0 ... A.B.C.255.

The worm tries to log on to computers on the local area network using the following strings:
Usernames: wwwadmin, user, system, sqlagent, sql, root, owner, guest, database, administrator, admin.
Passwords: 654321, 123456, 1234, 123, 111, 1, wwwadmin, user, system, sqlagent, sql, server, secret, root, password, password123, pass, pass123, owner, hidden, guest,
database, asdfgh, asdf, administrator, admin.

If successful, the worm copies itself to the remote computer, opens ports 139 and 445, and steals the CD keys of the following games:
Red Alert 2
IGI 2
Command & Conquer Generals
FIFA 2003
Need For Speed Hot Pursuit 2
The Gladiators
Soldier of Fortune II
Rainbow Six III RavenShield
Battlefield 1942 Road To Rome
Battlefield 1942
Counter-Strike
Unreal Tournament 2003
Half-Life

It also collects system information about the computer: the type of operating system, the amount of memory, and the type of hardware installed.
Connects to an IRC server and can download the files of the hacker's choosing.
Can be used in a Denial of Service (DoS) attack on a Web site of the hacker's choosing.

Steps to remove this virus:

1. Disable System Restore (Windows Me/XP).
2. Restart the computer in Safe mode or VGA mode.
3. Run a full system scan and delete all the files detected as W32.HLLW.Moega.
4. Run Greatis RegRun Startup Manager to delete the following registry entries:

a. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
with value: "Configuration Loaded" = "wupdated.exe" or: "Windows Update" = "mplupdate.exe"
b. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
with value: "Configuration Loaded" = "wupdated.exe" or: "Windows Update" = "mplupdate.exe"

wupdater.exe
Wupdater.exe is a spyware program that may have been installed with n-CASE, iGetNet,
and KeenValue.exe. These programs were created by eUniverse.
In general, these programs generate popup ads and may hijack web searches.
Wupdater.exe seems to be a background update task.
You'll probably find it in C:\Program Files\Common files\updater\wupdater.exe.
Read more:
http://www.doxdesk.com/parasite/KeenValu...
Removal:
Use RegRun Start Control.

wupdmgr32.exe
It is a result of the DOS.AUTOCAT VIRUS!

DoS.Autocat is a Denial of Service (DoS) hacktool. The DoS is accomplished by ICMP packet flooding.

To remove this virus, delete the registry entry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
with the value "Microsoft Windows Update Service"="%winsys%\wupdmgr32.exe".
You can do it with Greatis Startup Optimizer.

You must also start your antivirus program, run a full system scan, and delete all the files detected as DoS.Autocat.

http://www.symantec.com/avcenter/venc/da...

Copyright © 1998-2004 Greatis Software