winsvcmgr.exe - Dangerous

%windir%\winsvcmgr.exe

Fix it immediately:

Manual removal instructions:

Antivirus Report of %windir%\winsvcmgr.exe:

%windir%\winsvcmgr.exe	Malware
%windir%\winsvcmgr.exe	Dangerous
%windir%\winsvcmgr.exe	High Risk

%windir%\winsvcmgr.exe

winsvcmgr.exe is rootkit W32/Rbot-AAD.
winsvcmgr.exe is used to hide files, processes and registry.
winsvcmgr.exe is a kernel mode rootkit.
Rootkit contacts remote hacker server using HTTP session.
Rootkit injects itself into other process.
winsvcmgr.exe tries to terminate antiviral programs installed on a user computer.
winsvcmgr.exe created new system drivers:
service name: "winmdgr"
display name: " Microsoft Service Manager"
Added to registry:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINMDGR\0000
Class
LegacyDriver

ClassGUID
(random Class ID)

ConfigFlags
dword:00000000

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINMDGR\0000\Control
ActiveService
winmdgr

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINMDGR\0000
DeviceDesc
Microsoft Service Manager

Legacy
dword:00000001

Service
winmdgr

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINMDGR
NextInstance
dword:00000001

HKLM\SYSTEM\CurrentControlSet\Services\winmdgr
Description
Moniters Windows Services And Processes

DisplayName
Microsoft Service Manager

HKLM\SYSTEM\CurrentControlSet\Services\winmdgr\Enum
0
Root\\LEGACY_WINMDGR\\0000

Count
dword:00000001

NextInstance
dword:00000001

HKLM\SYSTEM\CurrentControlSet\Services\winmdgr
ErrorControl
dword:00000000

FailureActions

ImagePath

ObjectName
LocalSystem

HKLM\SYSTEM\CurrentControlSet\Services\winmdgr\Security
Security

HKLM\SYSTEM\CurrentControlSet\Services\winmdgr
Start
dword:00000002

Type
dword:00000110

Related files:
%WinDir%\winsvcmgr.exe
%SysDir%\haxdrv.sys
Adds the value:

to the Windows startup registry keys.
Added to registry:
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
dword:00000001

AntiVirusOverride
dword:00000001

FirewallDisableNotify
dword:00000001

FirewallOverride
dword:00000001

UpdatesDisableNotify
dword:00000001

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
AUOptions
dword:00000001

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
dword:00000000

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
dword:00000000

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
dword:00000001

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
Installed Time

Record

MeltMe

HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
dword:00000004

W32/Rbot-AAD also changes the following registry entries from the default Windows values:

from:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
dword:00000002

to:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
dword:00000004

from:
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
dword:00000002

to:
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
dword:00000004

from:
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
dword:00000003

to:
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
dword:00000004

from:
HKLM\Software\Microsoft\OLE
EnableDCOM
Y

to:
HKLM\Software\Microsoft\OLE
EnableDCOM
N

from:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
0

to:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

from:
HKLM\SYSTEM\CurrentControlSet\Control
WaitToKillServiceTimeout
20000

to:
HKLM\SYSTEM\CurrentControlSet\Control
WaitToKillServiceTimeout
7000

W32/Rbot-AAD also disables hidden network shares on the infected computer by creating the following registry entries:

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
dword:00000000

AutoShareWks
dword:00000000

HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareServer
dword:00000000

AutoShareWks
dword:00000000

HKLM\Software\Microsoft\Internet Explorer\Main
Start Page

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HAXDRV\0000
Class
LegacyDriver

ClassGUID
(random Class ID)

ConfigFlags
dword:00000000

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HAXDRV\0000\Control
ActiveService
haxdrv

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HAXDRV\0000
DeviceDesc
haxdrv

Legacy
dword:00000001

Service
haxdrv

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HAXDRV
NextInstance
dword:00000001

HKLM\SYSTEM\CurrentControlSet\Services\haxdrv
DisplayName
haxdrv

HKLM\SYSTEM\CurrentControlSet\Services\haxdrv\Enum
0
Root\\LEGACY_HAXDRV\\0000

Count
dword:00000001

NextInstance
dword:00000001

HKLM\SYSTEM\CurrentControlSet\Services\haxdrv

ErrorControl
dword:00000001

ImagePath

HKLM\SYSTEM\CurrentControlSet\Services\haxdrv\Security
Security

HKLM\SYSTEM\CurrentControlSet\Services\haxdrv
Start
dword:00000003

Type
dword:00000001

Remove winsvcmgr.exe now!

Dmitry Sokolov:

I created UnHackMe in 2006 to fix the problem that antivioruses did not fix: detecting rootkits.

Since that time I work every day to fix the issues that antiviruses cannot.

If your antivirus have not helped you solve the problem, you should try UnHackMe.

We are a small company and you can ask me directly, if you have any questions.

Testimonials

You can read UnHackMe testimonials here.

winsvcmgr.exe - Dangerous

%windir%\winsvcmgr.exe

Fix it immediately:

Manual removal instructions:

Dmitry Sokolov:

Testimonials

Download for free

Links

Select