w32tm.exe - Dangerous

%sysdir%\w32tm.exe

Jeff's Story:

My PC had gotten a bad rootkit that my ISP antivirus software (powered by McAfee) could neither detect nor fix.

I sought a solution on the Internet and discovered your product and tried out the trial.

You quickly found the rootkit and SAVED my PC!

I haven't had any problems since, and I'm extremely grateful.

Manual removal instructions:

%sysdir%\w32tm.exe
Trojan Backdoor.Haxdoor.
Related files:
* %System%\w32tm.exe
* %System%\drct16.dll
* %System%\cz.dll
* %System%\vdmt16.sys
* %System%\hz.dll
* %System%\winlow.sys
* %System%\wz.dll
* %System%\p2.ini
Adds the value:
"Secboot" = "w32tm.exe" to Windows startup registry keys.
Registers the service called "memlow" and the driver "vdmt16".
Adds the values:
"StackSize" = "21:10"
"Impersonate" = "[TIMESTAMP]"
to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
and
"hws" = "[0xRandom]"
to the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
and
"EnforceWriteProtect" = "0"
to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Session Manager\Memory Management
in an attempt to stop the kernel from checking for abnormal memory overwrites, which allows the Trojan to overwrite parts of memory.

Modifies the values on Windows 95/98/Me computers:
"DllName" = "draw32.dll"
"EntryPoint" = "MedManager"
"StackSize" = "0"
to the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MPRServices\TestService

Modifies the values on Windows 2000/NT/XP computers:
"DllName" = "drct16.dll"
"Startup" = "MedManager"
"Impersonate" = "dword:00000001"
"Asynchronous" = "dword:00000001"
"MaxWait" = "dword:00000001"
to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16
Opens TCP port 16661 and two additional high random ports, and waits for commands from a remote attacker.
Steals passwords.
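A read-only PowerShell audit of the indicators listed above, added here as an example; it is not part of this page or of the RegRun product. It checks the files, registry values, service names and port named in the description and only reports what it finds, changing nothing. Because a genuine w32tm.exe (the Windows Time tool) ships in System32, the file name alone is not an indicator, so the script reports that file's Authenticode signature status instead of its mere presence. It assumes an elevated Windows PowerShell 5.1 or later session and Get-NetTCPConnection (Windows 8 / Server 2012 and later); the Memory Management key is checked at its standard location under Control\Session Manager, which the page prints without the "Control\" part.

```powershell
# Read-only audit for the Backdoor.Haxdoor indicators described on this page.
# Assumptions: elevated Windows PowerShell 5.1+, Get-NetTCPConnection available.
# Nothing is deleted or modified; every hit is collected and printed at the end.
# Added example, not part of the original page or of the RegRun product.

$findings = New-Object System.Collections.Generic.List[string]
$sys32 = Join-Path $env:SystemRoot 'System32'

# 1. Dropped files named on the page (w32tm.exe is handled separately below).
foreach ($name in 'drct16.dll','cz.dll','vdmt16.sys','hz.dll','winlow.sys','wz.dll','p2.ini') {
    $p = Join-Path $sys32 $name
    if (Test-Path -LiteralPath $p) { $findings.Add("file present: $p") }
}

# A legitimate w32tm.exe (Windows Time tool) is expected in System32, so check
# its signature rather than its existence; anything but a valid Microsoft
# signature deserves a closer look.
$w32tm = Join-Path $sys32 'w32tm.exe'
if (Test-Path -LiteralPath $w32tm) {
    $sig = Get-AuthenticodeSignature -FilePath $w32tm
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings.Add("w32tm.exe signature status: $($sig.Status) (signer: $($sig.SignerCertificate.Subject))")
    }
}

# 2. Startup value "Secboot" in the usual Run/RunOnce keys.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($run in $runKeys) {
    $v = Get-ItemProperty -Path $run -Name 'Secboot' -ErrorAction SilentlyContinue
    if ($v) { $findings.Add("startup value Secboot in $run = $($v.Secboot)") }
}

# 3. Service "memlow" and driver "vdmt16" registered under Services.
foreach ($svc in 'memlow','vdmt16') {
    if (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc") {
        $findings.Add("service/driver registered: $svc")
    }
}

# 4. Winlogon notification package (NT/2000/XP) and the MPRServices entry (95/98/Me).
$persistKeys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16',
               'HKLM:\SYSTEM\CurrentControlSet\Control\MPRServices\TestService'
foreach ($k in $persistKeys) {
    if (Test-Path $k) { $findings.Add("persistence key present: $k") }
}

# 5. Values the Trojan writes under Control and CurrentVersion.
$ctl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control' -ErrorAction SilentlyContinue
if ($ctl.StackSize -eq '21:10')   { $findings.Add('Control\StackSize = 21:10') }
if ($null -ne $ctl.Impersonate)   { $findings.Add("Control\Impersonate = $($ctl.Impersonate)") }
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -ErrorAction SilentlyContinue
if ($null -ne $cv.hws)            { $findings.Add("CurrentVersion\hws = $($cv.hws)") }

# 6. Kernel write-protection switch (standard location under Control\Session Manager).
$mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$mm = Get-ItemProperty $mmKey -ErrorAction SilentlyContinue
if ($null -ne $mm.EnforceWriteProtect -and [int]$mm.EnforceWriteProtect -eq 0) {
    $findings.Add('EnforceWriteProtect = 0 (kernel write protection disabled)')
}

# 7. Backdoor listener on TCP 16661; the two random high ports cannot be matched by number,
#    so review any other unexpected listeners by hand.
$listen = Get-NetTCPConnection -State Listen -LocalPort 16661 -ErrorAction SilentlyContinue
if ($listen) {
    $findings.Add("TCP port 16661 listening, owning PID(s): $($listen.OwningProcess -join ',')")
}

if ($findings.Count -eq 0) {
    'No Haxdoor indicators from this page were found.'
} else {
    'Indicators found:'
    $findings | ForEach-Object { " - $_" }
}
```

The script deliberately stops at reporting: a rootkit that hooks the system can hide its own files and keys from the live OS, so a clean result here is weaker evidence than a hit, and findings are best confirmed from an offline scan or a boot from trusted media before any removal.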
Removal:
Stop the service "memlow" and disable its autorun using Start Control.
Open RegRun AntiSpyware and go to Winlogon Notification.
Remove "drct16" or "TestService".
Kill w32tm.exe process using RegRun Terminator.


Remove w32tm.exe now!