winserv.ila - Dangerous
%windir%\winserv.ila
Jeff's Story:
My PC had gotten a bad rootkit that my ISP antivirus software (powered by McAfee) could not detect or fix.
I sought a solution on the Internet and discovered your product and tried out the trial.
You quickly found the rootkit and SAVED my PC!
I haven't had any problems since, and I'm extremely grateful.
Manual removal instructions:
Adds the value:
"Winserv" = "%Windows%\Winserv.ila"
to the Windows startup registry keys.
Related files:
# %System%\kbdbg.exe
# %System%\bgHacKeR$.exe
# %System%\mymind.exe
# %System%\open.exe
# %System%\Q-We are the champions.exe
# %System%\Microsoft SuxX.exe
# %Windows%\winserv.ila
# C:\free01.exe
# C:\Documents and Settings\All Users\Start Menu\Programs\Startup\sservice.ila
# C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lservice.exe
Changes file associations.
Modifies HOSTS file.
Lowers security settings by modifying the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = regedit.exe
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\DisableCMD = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1803 = 3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1804 = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1803 = 3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1804 = 1
HKEY_CURRENT_USER\Software\Microsoft\Outlook Express\5.0\Mail\Warn on Mapi Send = 0
Remove it from Windows startup.
Restore HOSTS file.
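A read-only PowerShell audit for the registry values and HOSTS changes listed above, added here as an example and not taken from the original page or the vendor's product. It assumes that "Windows startup registry keys" means the standard HKLM and HKCU Run keys and that the HOSTS file is at its default location; the function and variable names are illustrative.

```powershell
# Added example: reports which of the page's listed settings are present. Changes nothing.
function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Value names and data exactly as listed on the page.
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr'; Bad = 1 },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Name = 'DisableCMD'; Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'; Name = 'DisableConfig'; Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'; Name = 'DisableSR'; Bad = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Outlook Express\5.0\Mail'; Name = 'Warn on Mapi Send'; Bad = 0 }
)
$zones = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
foreach ($z in 3, 4) {
    $checks += @{ Path = "$zones\$z"; Name = '1803'; Bad = 3 }
    $checks += @{ Path = "$zones\$z"; Name = '1804'; Bad = 1 }
}

$findings = @(foreach ($c in $checks) {
    $actual = Get-RegValue $c.Path $c.Name
    if ($null -ne $actual -and $actual -eq $c.Bad) {
        [pscustomobject]@{ Key = $c.Path; Value = $c.Name; Data = $actual }
    }
})

# Assumption: the "Winserv" startup value lives in one of the standard Run keys.
foreach ($run in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $data = Get-RegValue $run 'Winserv'
    if ($null -ne $data) {
        $findings += [pscustomobject]@{ Key = $run; Value = 'Winserv'; Data = $data }
    }
}

# Active (non-comment, non-blank) HOSTS entries, listed for manual review.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostEntries = @(Get-Content -LiteralPath $hostsFile -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*[^#\s]' })

$findings | Format-Table -AutoSize
"Active HOSTS entries to review: $($hostEntries.Count)"
$hostEntries
```

An empty table means none of the listed values are set for the current user and machine; the HKCU checks must be run in the affected user's session.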