winhe1p.exe - Dangerous
Antivirus Report of winhe1p.exe:
This file is a result of infection by the QQPASS.E virus.
It is a password-stealing Trojan Horse that steals passwords and user information.
The Trojan is a Visual Basic application that requires the presence of Microsoft Visual Basic run-time libraries for it to run.
It copies itself as any or all of the following file names:
C:\Windows\Winhe1p.exe
C:\Program Files\Windows.exe
C:\Winnt\System\Command.exe
Adds these values:
"Winhelp"="C:\Windows\winhe1p.exe"
"Rundll32"="C:\Program Files\Windows.exe"
"COMMAND"="C:\Winnt\system\command.exe"
"Scanreg"="name of file from which the Trojan was originally run"
to these registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the Trojan runs when you start Windows.
Opens ports 12880, 12881, 12882, and 12888 to send data to an address in China.
If it cannot open these ports, the Trojan then randomly opens ports until data can be sent.
Creates executables in the %Windir%\temp folder named PKGxxxxx.exe, where xxxxx may be any character or number.
(The file names are not always 8 characters long).
To remove it manually, navigate to each of these keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the values:
"Winhelp"="C:\Windows\winhe1p.exe"
"Rundll32"="C:\Program Files\Windows.exe"
"COMMAND"="C:\Winnt\system\command.exe"
"Scanreg"="name of file from which the Trojan was originally run"
Or use RegRun Startup Optimizer to automatically remove it from startup.
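A read-only check for the indicators listed above, as an added PowerShell example that is not part of the original page or of any vendor tool. It assumes PowerShell 3.0 or later and uses only the key, value, file and port values given on this page; variable names are illustrative.

```powershell
# Added example: read-only audit for the QQPASS.E indicators listed on this page.
# Nothing is changed or deleted; review the output before removing any value.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Value name -> data given on the page. Scanreg's data varies (original file path), so it is matched by name only.
$indicators = @{
    'Winhelp'  = 'C:\Windows\winhe1p.exe'
    'Rundll32' = 'C:\Program Files\Windows.exe'
    'COMMAND'  = 'C:\Winnt\system\command.exe'
    'Scanreg'  = $null
}
$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }   # a key may not exist on this system
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($name in $indicators.Keys) {
        $data = $props.$name
        if ($null -eq $data) { continue }
        $expected = $indicators[$name]
        # Strip surrounding quotes before comparing; string -eq is case-insensitive.
        $exact = $expected -and (([string]$data).Trim('"') -eq $expected)
        [pscustomobject]@{
            Key = $key; Value = $name; Data = $data
            Verdict = if ($exact) { 'matches page' } else { 'name match, review data' }
        }
    }
}
# Copies of the Trojan and the PKG*.exe files in %Windir%\temp described on the page.
$copies = @('C:\Windows\Winhe1p.exe', 'C:\Program Files\Windows.exe', 'C:\Winnt\System\Command.exe') |
    Where-Object { Test-Path -LiteralPath $_ }
$pkg = Get-ChildItem -Path (Join-Path $env:windir 'temp') -Filter 'PKG*.exe' -File -ErrorAction SilentlyContinue
# Connections using the ports named on the page (the cmdlet is absent on older Windows versions).
$ports = 12880, 12881, 12882, 12888
$conns = if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in $ports -or $_.RemotePort -in $ports }
}
'Startup values:';   $findings | Format-Table -AutoSize | Out-String
'Copies on disk:';   $copies
'PKG*.exe in temp:'; $pkg | Select-Object -ExpandProperty FullName
'Connections on listed ports:'
$conns | Select-Object LocalPort, RemoteAddress, RemotePort, State, OwningProcess | Format-Table | Out-String
```

A "name match, review data" verdict only means the value name is one of those listed above; check what the data points to before deleting it.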
winhe1p.exe | Malware |
winhe1p.exe | Dangerous |
winhe1p.exe | High Risk |
Dmitry Sokolov:
I created UnHackMe in 2006 to fix the problem that antiviruses did not fix: detecting rootkits.
Since that time I have worked every day to fix the issues that antiviruses cannot.
If your antivirus has not helped you solve the problem, you should try UnHackMe.
We are a small company and you can ask me directly if you have any questions.