
winsvcmgr.exe - Dangerous

%windir%\winsvcmgr.exe

Manual removal instructions:

Antivirus Report of %windir%\winsvcmgr.exe:
%windir%\winsvcmgr.exe - Malware
%windir%\winsvcmgr.exe - Dangerous
%windir%\winsvcmgr.exe - High Risk
winsvcmgr.exe is the rootkit W32/Rbot-AAD.
winsvcmgr.exe is used to hide files, processes and registry entries.
winsvcmgr.exe is a kernel-mode rootkit.
The rootkit contacts a remote attacker-controlled server over an HTTP session.
The rootkit injects itself into other processes.
winsvcmgr.exe tries to terminate antivirus programs installed on the user's computer.
winsvcmgr.exe creates new system drivers:
service name: "winmdgr"
display name: "Microsoft Service Manager"
Added to registry:

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINMDGR\0000
  Class = LegacyDriver
  ClassGUID = (random Class ID)
  ConfigFlags = dword:00000000

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINMDGR\0000\Control
  ActiveService = winmdgr

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINMDGR\0000
  DeviceDesc = Microsoft Service Manager
  Legacy = dword:00000001
  Service = winmdgr

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINMDGR
  NextInstance = dword:00000001

HKLM\SYSTEM\CurrentControlSet\Services\winmdgr
  Description = Moniters Windows Services And Processes
  DisplayName = Microsoft Service Manager

HKLM\SYSTEM\CurrentControlSet\Services\winmdgr\Enum
  0 = Root\\LEGACY_WINMDGR\\0000
  Count = dword:00000001
  NextInstance = dword:00000001

HKLM\SYSTEM\CurrentControlSet\Services\winmdgr
  ErrorControl = dword:00000000
  FailureActions =
  ImagePath =
  ObjectName = LocalSystem

HKLM\SYSTEM\CurrentControlSet\Services\winmdgr\Security
  Security =

HKLM\SYSTEM\CurrentControlSet\Services\winmdgr
  Start = dword:00000002
  Type = dword:00000110



Related files:
%WinDir%\winsvcmgr.exe
%SysDir%\haxdrv.sys
Adds the value:

to the Windows startup registry keys.
Added to registry:

HKLM\SOFTWARE\Microsoft\Security Center
  AntiVirusDisableNotify = dword:00000001
  AntiVirusOverride = dword:00000001
  FirewallDisableNotify = dword:00000001
  FirewallOverride = dword:00000001
  UpdatesDisableNotify = dword:00000001

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
  AUOptions = dword:00000001

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
  EnableFirewall = dword:00000000

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
  EnableFirewall = dword:00000000

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
  DoNotAllowXPSP2 = dword:00000001

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
  Installed Time =
  Record =
  MeltMe =

HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
  Start = dword:00000004

W32/Rbot-AAD also changes the following registry entries from the default Windows values (shown as default -> new value):

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
  Start = dword:00000002 -> dword:00000004

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
  Start = dword:00000002 -> dword:00000004

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
  Start = dword:00000003 -> dword:00000004

HKLM\Software\Microsoft\OLE
  EnableDCOM = Y -> N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
  restrictanonymous = 0 -> 1

HKLM\SYSTEM\CurrentControlSet\Control
  WaitToKillServiceTimeout = 20000 -> 7000

W32/Rbot-AAD also disables hidden network shares on the infected computer by creating the following registry entries:

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
  AutoShareServer = dword:00000000
  AutoShareWks = dword:00000000

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
  AutoShareServer = dword:00000000
  AutoShareWks = dword:00000000

It also writes the Internet Explorer start page value:

HKLM\Software\Microsoft\Internet Explorer\Main
  Start Page =

Registry entries for the haxdrv driver service:

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HAXDRV\0000
  Class = LegacyDriver
  ClassGUID = (random Class ID)
  ConfigFlags = dword:00000000

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HAXDRV\0000\Control
  ActiveService = haxdrv

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HAXDRV\0000
  DeviceDesc = haxdrv
  Legacy = dword:00000001
  Service = haxdrv

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HAXDRV
  NextInstance = dword:00000001

HKLM\SYSTEM\CurrentControlSet\Services\haxdrv
  DisplayName = haxdrv

HKLM\SYSTEM\CurrentControlSet\Services\haxdrv\Enum
  0 = Root\\LEGACY_HAXDRV\\0000
  Count = dword:00000001
  NextInstance = dword:00000001

HKLM\SYSTEM\CurrentControlSet\Services\haxdrv
  ErrorControl = dword:00000001
  ImagePath =

HKLM\SYSTEM\CurrentControlSet\Services\haxdrv\Security
  Security =

HKLM\SYSTEM\CurrentControlSet\Services\haxdrv
  Start = dword:00000003
  Type = dword:00000001

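The following script is an added example and is not code from UnHackMe or from the report above. It is a read-only audit that checks a Windows host for the indicators listed on this page: the winmdgr and haxdrv service keys and Enum\Root entries, the two related files, the value names planted under Shell Extensions, and the Security Center, firewall, Windows Update, service Start and other tamper values. It assumes Windows PowerShell 5.1 or later running elevated. Service names, paths, value names and values are taken from the report; the "[strong]" and "[weak]" labels are the example's own weighting, since every value in the "changed from default" list (disabling Messenger, Remote Registry or Telnet, restrictanonymous=1, and so on) is also a legitimate hardening setting when seen alone.

```powershell
# Added example, not code from UnHackMe or from the report. Read-only audit for the
# W32/Rbot-AAD indicators listed on this page. Assumes Windows PowerShell 5.1+ run
# elevated so that HKLM\SYSTEM keys and the System32 directory are readable.

function Test-RbotAadIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # Strong indicators: service and driver registrations unique to this sample.
    $badKeys = @(
        'HKLM:\SYSTEM\CurrentControlSet\Services\winmdgr',
        'HKLM:\SYSTEM\CurrentControlSet\Services\haxdrv',
        'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINMDGR',
        'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HAXDRV'
    )
    foreach ($k in $badKeys) {
        if (Test-Path -LiteralPath $k) { $findings.Add("[strong] registry key present: $k") }
    }

    # Related files from the report: %WinDir%\winsvcmgr.exe and %SysDir%\haxdrv.sys
    $badFiles = @(
        (Join-Path $env:WINDIR 'winsvcmgr.exe'),
        (Join-Path $env:WINDIR 'System32\haxdrv.sys')
    )
    foreach ($f in $badFiles) {
        if (Test-Path -LiteralPath $f) { $findings.Add("[strong] file present: $f") }
    }

    # Ask the Service Control Manager too, in case the registry view has been hidden.
    $scm = @(Get-CimInstance Win32_Service) + @(Get-CimInstance Win32_SystemDriver)
    foreach ($s in $scm) {
        if ($s.Name -in @('winmdgr', 'haxdrv') -or
            $s.DisplayName -eq 'Microsoft Service Manager' -or
            $s.Description -eq 'Moniters Windows Services And Processes' -or
            $s.PathName -match 'winsvcmgr\.exe|haxdrv\.sys') {
            $findings.Add("[strong] SCM entry: $($s.Name) ('$($s.DisplayName)') path=$($s.PathName) state=$($s.State)")
        }
    }

    # Value names the report says are planted under Shell Extensions.
    $shellExt = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions'
    if (Test-Path -LiteralPath $shellExt) {
        $props = (Get-Item -LiteralPath $shellExt).Property
        foreach ($n in 'Installed Time', 'Record', 'MeltMe') {
            if ($props -contains $n) { $findings.Add("[strong] value '$n' present under $shellExt") }
        }
    }

    # Weak indicators: tamper values from the report. Each is also a legitimate admin
    # or GPO setting on its own, so they are reported but weighted accordingly.
    $tamper = @(
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusDisableNotify'; Bad = 1 },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusOverride';      Bad = 1 },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallDisableNotify';  Bad = 1 },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallOverride';       Bad = 1 },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'UpdatesDisableNotify';   Bad = 1 },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'; Name = 'AUOptions'; Bad = 1 },
        @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile';   Name = 'EnableFirewall'; Bad = 0 },
        @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'; Name = 'EnableFirewall'; Bad = 0 },
        @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'; Name = 'DoNotAllowXPSP2'; Bad = 1 },
        @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc';        Name = 'Start'; Bad = 4 },
        @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Messenger';     Name = 'Start'; Bad = 4 },
        @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteRegistry'; Name = 'Start'; Bad = 4 },
        @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\TlntSvr';       Name = 'Start'; Bad = 4 },
        @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters';      Name = 'AutoShareServer'; Bad = 0 },
        @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters';      Name = 'AutoShareWks';    Bad = 0 },
        @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters'; Name = 'AutoShareServer'; Bad = 0 },
        @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters'; Name = 'AutoShareWks';    Bad = 0 },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\OLE';               Name = 'EnableDCOM';               Bad = 'N' },
        @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'restrictanonymous';        Bad = 1 },
        @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control';     Name = 'WaitToKillServiceTimeout'; Bad = '7000' }
    )
    foreach ($t in $tamper) {
        $item = Get-ItemProperty -LiteralPath $t.Key -Name $t.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }   # key or value absent: nothing to compare
        $actual = $item.PSObject.Properties[$t.Name].Value
        if ("$actual" -eq "$($t.Bad)") {
            $findings.Add("[weak] $($t.Key)\$($t.Name) = $actual")
        }
    }

    return $findings
}

$result = @(Test-RbotAadIndicators)
if ($result.Count -eq 0) {
    Write-Output 'No W32/Rbot-AAD indicators from the report were found.'
} else {
    $result | ForEach-Object { Write-Output $_ }
}
```

Because the report describes a kernel-mode rootkit that hides files, processes and registry entries, an empty result from a script run on the live system is not proof that the host is clean: a hooked system can lie to user-mode queries. A "[strong]" hit is worth acting on; a set of "[weak]" hits with no strong hit is a reason to look at the disk and registry hives from outside the running OS (a boot environment or a mounted image) rather than a verdict on its own.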

Dmitry Sokolov:

I created UnHackMe in 2006 to fix the problem that antiviruses did not fix: detecting rootkits.

Since that time I have worked every day to fix the issues that antiviruses cannot.

If your antivirus has not helped you solve the problem, you should try UnHackMe.

We are a small company, and you can ask me directly if you have any questions.
