winz32.exe - Dangerous
winz32.exe
Jeff's Story:
My PC had gotten a bad rootkit that my ISP's antivirus software (powered by McAfee) could neither detect nor fix.
I sought a solution on the Internet and discovered your product and tried out the trial.
You quickly found the rootkit and SAVED my PC!
I haven't had any problems since, and I'm extremely grateful.
Manual removal instructions:
winz32.exe (Backdoor.SDBot.Q) is a backdoor Trojan horse that can be controlled through an IRC server.
When Backdoor.SDBot.Q is executed, it attempts to perform the following actions:
Creates a copy of itself as %SYSTEM%\winz32.exe.
It also adds the value:
"INTERNET_SERVISES" = "winz32.exe"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Connects to the IRC server, greenz.dyn.nu, joins a predefined channel, and waits for commands from the hacker.
The commands include, but are not limited to, the following:
- Manage the backdoor.
- Control the IRC client on an infected computer.
- Open and close the CD-ROM drive.
- Add files to the KaZaA, Grokster, and Bearshare shared folders. The backdoor carries a large list of file names that it attempts to use for these copies.
- Download and execute files.
- Start or terminate processes.
And others.
Manual removal:
Navigate to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value:
"INTERNET_SERVISES"="winz32.exe"
Automatic removal:
Use RegRun Startup Optimizer to remove it from startup.