winkrnl386.exe - Dangerous
winkrnl386.exe
Jeff's Story:
My PC had gotten a bad rootkit that my ISP antivirus software (powered by McAfee) could not detect, nor could fix.
I sought a solution on the Internet and discovered your product and tried out the trial.
You quickly found the rootkit and SAVED my PC!
I haven't had any problems since, and I'm extremely grateful.
Manual removal instructions:
Backdoor.Zebroxy is a Trojan that opens port 8173 and runs as a proxy server under Windows 2000/XP.
When Backdoor.Zebroxy is run, it does the following:
1. Adds the string value:
"Microsoft Windows Kernel Services"="%System%\winkrnl386.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
so that the Trojan runs when you start Windows.
2. Modifies the string value:
"EnableDCOM"="N"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
to diseble remote connections using DCOM
3. Opens TCP port 8173 and runs as a proxy server.
Following the instructions to remove this trojan:
1. Restart the computer in Safe mode.
2. Open your antiviral application and run a full system scan and delete all the files detected as Backdoor.Zebroxy.
3. Deleting the value from the registry:
a. Select the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value:
"Microsoft Windows Kernel Services"="%System%\winkrnl386.exe"
b. After that navigate to the key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value:
"Microsoft Windows Kernel Services"="%System%\winkrnl386.exe"
c. And go to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
set the value for "EnableDCOM" to:
"EnableDCOM"="Y"