 
Re: wmon16.exe

From: KUIJPERS Jimmy (jimmy.kuijpersswift.com)
Date: Mon May 10 2004 - 10:36:45 CDT


Perhaps you can use "Hijack this" or "Super Geek Protector" or similar software to prevent your hosts file from being modified like that.

Depending on your operating system you might be able to restrict access to the hosts file itself.

Perhaps using Process Explorer from SysInternals you can identify the process running wmon16.exe and kill it. I hope it has not set any dependencies to the explorer process; if that's the case you will have to edit the registry to remove these dependencies.

Using regedit supplied by TuneUp utilities will allow you to search the entire registry for any references to this executable and delete them.

Possibly you will have to boot the machine in safe mode to be able to perform all these actions.

I'm willing to guide you step-by-step in the removal of this bugger. Can you perhaps e-mail my personal address with this executable so that I can infect my own system and then find a way to remove it? (hopefully :-D )

Best regards,
Jimmy
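The two symptoms Jason lists, a hosts file that sinkholes antivirus sites to 127.0.0.1 and one host fanning out to many peers on the microsoft-ds and netbios ports, can both be checked mechanically. The following is an added triage helper written for this archive page; it is not code from either poster or from any tool mentioned in the thread. The domain names, the netstat-style listing, the hosts-file text and the fan-out threshold are all constructed for illustration, and using Python on the affected Windows machines is an assumption.

```python
"""Added triage helper (example code, not from the original thread).

Two checks for the symptoms described above:
  1. hosts-file entries that point a non-localhost name at a loopback or
     unspecified address (the way the antivirus sites were sinkholed)
  2. a host opening connections to many distinct peers on the SMB/NetBIOS
     ports, which is what "lots of connections using microsoft-ds and
     netbios" looks like in a netstat listing
All names, thresholds and sample data below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed watch-list of names an intruder would want to sinkhole; a real
# list would hold your own AV / update vendors' hostnames.
WATCHED_DOMAINS = {
    "update.example-av.com",
    "download.example-av.com",
    "liveupdate.example-av.net",
}

# The ports named in the report: microsoft-ds (445) and NetBIOS session (139).
LATERAL_PORTS = {445, 139}

# Constructed hosts-file content with two sinkholed vendor names.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# normal comment line
127.0.0.1 update.example-av.com download.example-av.com
0.0.0.0 liveupdate.example-av.net  # trailing comment
192.168.1.5 fileserver.corp.example
"""

# Constructed 'netstat -n' style output: 10.0.0.12 talks to one file server,
# 10.0.0.37 is reaching out to several peers on 445/139.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.12:1034         10.0.0.1:445           ESTABLISHED
  TCP    10.0.0.12:1035         10.0.0.1:139           ESTABLISHED
  TCP    10.0.0.37:1101         10.0.0.2:445           SYN_SENT
  TCP    10.0.0.37:1102         10.0.0.3:445           SYN_SENT
  TCP    10.0.0.37:1103         10.0.0.4:139           ESTABLISHED
  TCP    10.0.0.37:1104         10.0.0.5:445           SYN_SENT
  TCP    10.0.0.37:1105         10.0.0.9:80            ESTABLISHED
  UDP    10.0.0.37:137          *:*
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs from hosts-file text, skipping
    comments, blank lines and lines whose first field is not an address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            yield ip, name.lower()


def find_hosts_redirects(text, watched=WATCHED_DOMAINS):
    """Return (name, ip, on_watch_list) for every non-localhost name that is
    mapped to a loopback or unspecified address. 'localhost' legitimately maps
    to 127.0.0.1, so it is excluded; anything else pointed at loopback is
    suspicious, and names on the watch-list are flagged explicitly."""
    hits = []
    for ip, name in parse_hosts(text):
        if name in ("localhost", "localhost.localdomain"):
            continue
        if ip.is_loopback or ip.is_unspecified:
            hits.append((name, str(ip), name in watched))
    return hits


def parse_netstat(text):
    """Parse 'netstat -n' style lines (proto, local, foreign, state) into
    (src_ip, dst_ip, dst_port) records; headers and '*:*' entries are skipped."""
    records = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0].upper() not in ("TCP", "UDP"):
            continue
        try:
            src_ip, _ = parts[1].rsplit(":", 1)
            dst_ip, dst_port = parts[2].rsplit(":", 1)
            records.append((src_ip, dst_ip, int(dst_port)))
        except ValueError:
            continue
    return records


def find_lateral_fanout(records, ports=LATERAL_PORTS, min_peers=3):
    """Return {src_ip: distinct_peer_count} for sources that contacted at least
    min_peers distinct destinations on the SMB/NetBIOS ports. One workstation
    talking to one file server is normal; one talking to many peers on 445/139
    is the spreading pattern described in the report."""
    peers = defaultdict(set)
    for src, dst, port in records:
        if port in ports:
            peers[src].add(dst)
    return {src: len(p) for src, p in peers.items() if len(p) >= min_peers}


if __name__ == "__main__":
    for name, ip, watched in find_hosts_redirects(SAMPLE_HOSTS):
        print(f"hosts sinkhole: {name} -> {ip}{' (vendor site)' if watched else ''}")
    for src, count in find_lateral_fanout(parse_netstat(SAMPLE_NETSTAT)).items():
        print(f"SMB/NetBIOS fan-out: {src} reached {count} distinct peers")
```

On a live machine you would feed `find_hosts_redirects` the contents of the system's hosts file and `parse_netstat` the captured output of `netstat -n`; the `min_peers` threshold is a judgement call that depends on how many SMB servers a workstation normally talks to.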

Jason High wrote:

> I believe that I have a HUGE problem, and I can't find anything anywhere.
> Here are our symptoms:
>
> - C:\winnt\system32\wmon16.exe appeared and began running (no idea what it
> is or does)
> - hosts file was altered to redirect antivirus sites to 127.0.0.1 (similar
> to Trojan.QHOST but nothing else matches)
> - disables antivirus
> - creates lots of connections to network computers using microsoft-ds and
> netbios ports
>
> I am completely lost. No removal tools have worked, no A/V is picking it
> up. I've got about four hosts with these symptoms (so far) and I'm just
> unplugging network cables at this point. Anyone with any pointers?
>
> Jason E. High, RHCT, GSEC, MCP
> http://www.alwaysright.org
>
