eschlp.exe - Dangerous
eschlp.exe
Manual removal instructions:
Antivirus Report of eschlp.exe:
eschlp.exe
W32.Blaster.T.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
The worm targets only Windows 2000 and Windows XP computers. W32.Blaster.T.Worm does not have a mass-mailing functionality.
For additional information, read the Microsoft article, "What You Should Know About the Blaster Worm and Its Variants."
We recommend that you block access to TCP port 4444 at the firewall level. Also block the following ports if you do not use either DCOM RPC or TFTP:
The worm also attempts to perform a Denial of Service (DoS) on the Microsoft Windows Update Web server (windowsupdate.com).
This is an attempt to prevent you from applying a patch on your computer against the DCOM RPC vulnerability.
Changes the Internet Explorer start page to http:/ /www.getgood.biz.
Also Known As: W32/Blaster-G, WORM_MSBLAST.I, W32/Blaster.worm.k
Copies itself as the following files:
%System%\eschlp.exe
%System%\svchosthlp.exe
Adds the values:
"Helper" = "%System%\eschlp.exe /fstart"
"MSUpdate" = "%System%\svchosthlp.exe"
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Creates the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Sysuser
Automatic removal:
Use RegRun Startuip Optimizer to remove this worm from your computer.
eschlp.exe | Malware |
eschlp.exe | Dangerous |
eschlp.exe | High Risk |
The worm targets only Windows 2000 and Windows XP computers. W32.Blaster.T.Worm does not have a mass-mailing functionality.
For additional information, read the Microsoft article, "What You Should Know About the Blaster Worm and Its Variants."
We recommend that you block access to TCP port 4444 at the firewall level. Also block the following ports if you do not use either DCOM RPC or TFTP:
The worm also attempts to perform a Denial of Service (DoS) on the Microsoft Windows Update Web server (windowsupdate.com).
This is an attempt to prevent you from applying a patch on your computer against the DCOM RPC vulnerability.
Changes the Internet Explorer start page to http:/ /www.getgood.biz.
Also Known As: W32/Blaster-G, WORM_MSBLAST.I, W32/Blaster.worm.k
Copies itself as the following files:
%System%\eschlp.exe
%System%\svchosthlp.exe
Adds the values:
"Helper" = "%System%\eschlp.exe /fstart"
"MSUpdate" = "%System%\svchosthlp.exe"
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Creates the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Sysuser
Automatic removal:
Use RegRun Startuip Optimizer to remove this worm from your computer.
Dmitry Sokolov:
I created UnHackMe in 2006 to fix the problem that antivioruses did not fix: detecting rootkits.
Since that time I work every day to fix the issues that antiviruses cannot.
If your antivirus have not helped you solve the problem, you should try UnHackMe.
We are a small company and you can ask me directly, if you have any questions.