w32tm.exe - Dangerous
%sysdir%\w32tm.exe
Manual removal instructions:
Antivirus Report of %sysdir%\w32tm.exe:
%sysdir%\w32tm.exe
Trojan Backdoor.Haxdoor.
Realated files:
* %System%\w32tm.exe
* %System%\drct16.dll
* %System%\cz.dll
* %System%\vdmt16.sys
* %System%\hz.dll
* %System%\winlow.sys
* %System%\wz.dll
* %System%\p2.ini
Adds the value:
"Secboot" = "w32tm.exe" to Windows startup registry keys.
Register the service called "memlow" and driver "vdmt16".
Adds the values:
"StackSize" = "21:10"
"Impersonate" = "[TIMESTAMP]"
to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
and
"hws" = "[0xRandom]"
to the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
and
"EnforceWriteProtect" = "0"
to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Session Manager\Memory Management
in an attempt to disable the kernel from checking for abnormal memory overwrites and allows the Trojan to overwrite parts of the memory.
Modifies the values on Windows 95/98/Me computers:
"DllName" = "draw32.dll"
"EntryPoint" = "MedManager"
"StackSize" = "0"
to the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MPRServices\
TestService
Modifies the values on Windows 2000/NT/XP computers:
"DllName" = "drct16.dll"
"Startup" = "MedManager"
"Impersonate" = "dword:00000001"
"Asynchronous" = "dword:00000001"
"MaxWait" = "dword:00000001"
to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16
Opens the following TCP ports 16661, and two additional high random ports and waits for commands from a remote attacker.
Steals passwords.
Removal:
Stop the service "memlow", disable its autorun using Start Control.
Open RegRun AntiSpyware, got to Winlogon Notification.
Remove "drct16" or "TestService".
Kill w32tm.exe process using RegRun Terminator.
| %sysdir%\w32tm.exe | Malware |
| %sysdir%\w32tm.exe | Dangerous |
| %sysdir%\w32tm.exe | High Risk |
Realated files:
* %System%\w32tm.exe
* %System%\drct16.dll
* %System%\cz.dll
* %System%\vdmt16.sys
* %System%\hz.dll
* %System%\winlow.sys
* %System%\wz.dll
* %System%\p2.ini
Adds the value:
"Secboot" = "w32tm.exe" to Windows startup registry keys.
Register the service called "memlow" and driver "vdmt16".
Adds the values:
"StackSize" = "21:10"
"Impersonate" = "[TIMESTAMP]"
to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
and
"hws" = "[0xRandom]"
to the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
and
"EnforceWriteProtect" = "0"
to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Session Manager\Memory Management
in an attempt to disable the kernel from checking for abnormal memory overwrites and allows the Trojan to overwrite parts of the memory.
Modifies the values on Windows 95/98/Me computers:
"DllName" = "draw32.dll"
"EntryPoint" = "MedManager"
"StackSize" = "0"
to the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MPRServices\
TestService
Modifies the values on Windows 2000/NT/XP computers:
"DllName" = "drct16.dll"
"Startup" = "MedManager"
"Impersonate" = "dword:00000001"
"Asynchronous" = "dword:00000001"
"MaxWait" = "dword:00000001"
to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16
Opens the following TCP ports 16661, and two additional high random ports and waits for commands from a remote attacker.
Steals passwords.
Removal:
Stop the service "memlow", disable its autorun using Start Control.
Open RegRun AntiSpyware, got to Winlogon Notification.
Remove "drct16" or "TestService".
Kill w32tm.exe process using RegRun Terminator.
Dmitry Sokolov:
I created UnHackMe in 2006 to fix the problem that antivioruses did not fix: detecting rootkits.
Since that time I work every day to fix the issues that antiviruses cannot.
If your antivirus have not helped you solve the problem, you should try UnHackMe.
We are a small company and you can ask me directly, if you have any questions.