winuser32.exe - Dangerous
winuser32.exe
Jeff's Story:
My PC had gotten a bad rootkit that my ISP antivirus software (powered by McAfee) could not detect, nor could fix.
I sought a solution on the Internet and discovered your product and tried out the trial.
You quickly found the rootkit and SAVED my PC!
I haven't had any problems since, and I'm extremely grateful.
Manual removal instructions:
Aliases: Backdoor.Spyboter.gen, W32/Spybot.worm.gen.a, Win32/Spyboter.M
It is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels.
Copies itself to the Windows system folder as WINUSER32.EXE
Creates entries in the registry at the following locations so as to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Attempts to terminate some processes relating to antivirus and security programs including REGEDIT.EXE, PING.EXE and NETSTAT.EXE.
Attempts to set the following registry entry to prevent access to some registry tools:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ DisableRegistryTools = 1
Spreads to network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element receiving the appropriate command from a remote user, copying itself to NTLORD.EXE on the local computer at the same time.
W32/Sdbot-KF may log user keystrokes to a file called KEYLOG.TXT and network information to a file called SCANZ.TXT.
You can automatical remove it from startup with RegRun Startup Optimizer.