
winhelp.exe - Dangerous


Jeff's Story:

My PC had gotten a bad rootkit that my ISP antivirus software (powered by McAfee) could neither detect nor fix.

I sought a solution on the Internet and discovered your product and tried out the trial.

You quickly found the rootkit and SAVED my PC!

I haven't had any problems since, and I'm extremely grateful.

Manual removal instructions:

winhelp.exe
The W32.HLLW.Lovgate.O@mm worm is a variant of W32.HLLW.Lovgate@mm.
This variant is also a mass-mailing worm that attempts to reply to all the email messages in the Microsoft Outlook Inbox.
The "sender" of the email is spoofed and its subject line and message vary.
The attachment name varies with a .exe, .pif, or .scr file extension.
This worm also attempts to copy itself to all the computers on a local network, using weak passwords to try to log in as an Administrator,
and to the Kazaa-shared folders.

Copies itself as the following: %Windir%\Systra.exe; %System%\iexplore.exe; %System%\Media32.exe; %System%\RAVMOND.exe; %System%\WinHelp.exe; %System%\Kernel66.dll

Creates a file named AUTORUN.INF in the root folder of all the drives, except the CD-ROM drives, and copies itself as COMMAND.EXE into that folder.
Creates a zip file . in the root folder of all the drives, unless the drive letter is A or B. For example: setup.rar or pass.zip.
Creates the following files: %System%\ODBC16.dll, %System%\msjdbc11.dll, %System%\MSSIGN30.DLL
These files are all the same—they are backdoor components of the worm.

Modifies the (Default) value of the registry key: HKEY_CLASSES_ROOT\exefile\shell\open\command
to: %System%\Media32.exe "%1" %* so that the worm runs whenever you execute any .exe file.
Terminates all the processes that contain any of the following strings:
KV, KAV, Duba, NAV, kill, RavMon.exe, Rfw.exe, Gate, McAfee, Symantec, SkyNet, rising

Manual removal:
In the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
please delete the values:
"Program in Windows"="%system%\iexplore.exe"
"VFW Encoder/Decoder Settings"="RUNDLL32.exe MSSIGN30.DLL ondll_reg"
"Winhelp"="%System%\WinHelp.exe"

Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
and delete the value:
"Systemtra"="%Windir%\Systra.exe"

In the key:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
delete the value:
"run"="RAVMOND.exe"

And delete the subkey, if it exists:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ZMXLIB1
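
To confirm which of the entries above are present before or after cleanup, the following added example (not part of the original write-up) scans saved `reg query` output for them, read-only. It assumes the four-space column layout that `reg query` prints on current Windows; the function names are hypothetical, and the clean `.exe` handler value `"%1" %*` is the stock Windows default rather than something stated on this page.

```python
import re
HKLM_CV = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
# (key, value name, substring of the data) from the removal steps on this page.
INDICATORS = [
    (HKLM_CV + r"\Run", "Program in Windows", "iexplore.exe"),
    (HKLM_CV + r"\Run", "VFW Encoder/Decoder Settings", "MSSIGN30.DLL"),
    (HKLM_CV + r"\Run", "Winhelp", "WinHelp.exe"),
    (HKLM_CV + r"\RunServices", "Systemtra", "Systra.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows",
     "run", "RAVMOND.exe"),
]
EXE_HANDLER = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
CLEAN_HANDLER = '"%1" %*'  # assumption: stock Windows value of the .exe handler
VALUE_LINE = re.compile(r"^\s+(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_reg_query(text):
    """Parse `reg query` text into {key: {value name: data}}, names lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if line.upper().startswith("HKEY_"):      # key header (or listed subkey)
            current = keys.setdefault(line.strip().lower(), {})
        elif m and current is not None:           # indented "name  type  data" row
            current[m.group(1).lower()] = m.group(3).strip()
    return keys

def find_lovgate_traces(text):
    """Return readable findings; an empty list means none of the entries matched."""
    keys, findings = parse_reg_query(text), []
    for key, name, needle in INDICATORS:
        data = keys.get(key.lower(), {}).get(name.lower())
        if data is not None and needle.lower() in data.lower():
            findings.append(f"{key}: delete value {name!r} ({data})")
    if (HKLM_CV + r"\ZMXLIB1").lower() in keys:
        findings.append(f"{HKLM_CV}\\ZMXLIB1: delete subkey")
    handler = keys.get(EXE_HANDLER.lower(), {}).get("(default)")
    if handler is not None and handler != CLEAN_HANDLER:
        findings.append(f"{EXE_HANDLER}: (Default) is {handler}, expected {CLEAN_HANDLER}")
    return findings

# Constructed sample input (not captured from a real host).
SAMPLE = r'''HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Winhelp    REG_SZ    C:\WINDOWS\system32\WinHelp.exe
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe

HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    C:\WINDOWS\system32\Media32.exe "%1" %*
'''

if __name__ == "__main__":
    print("\n".join(find_lovgate_traces(SAMPLE)) or "no traces found")
```

A finding on the `exefile` handler matters most: while that (Default) value still points at Media32.exe, launching any .exe goes through the worm's copy, so it has to be set back to the clean value as part of the cleanup.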
