Security Incidents mailing list archives

Re: wmon16.exe
From: KUIJPERS Jimmy <jimmy.kuijpers () swift com>
Date: Mon, 10 May 2004 17:36:45 +0200

Perhaps you can use "Hijack this" or "Super Geek Protector" or similar software to prevent your hosts file from being modified like that.

Depending on your operating system you might be able to restrict access to the hosts file itself.

Perhaps using Process Explorer from SysInternals you can identify the process running wmon16.exe and kill it. I hope it has not set any dependencies to the explorer process; if that's the case you will have to edit the registry to remove these dependencies.

Using regedit supplied by TuneUp utilities will allow you to search the entire registry for any references to this executable and delete them.

Possibly you will have to boot the machine in safe mode to be able to perform all these actions.

I'm willing to guide you step by step in the removal of this bugger. Can you perhaps e-mail my personal address with this executable so that I can infect my own system and then find a way to remove it? (hopefully :-D )


Best regards,
Jimmy


Jason High wrote:

I believe that I have a HUGE problem, and I can't find anything anywhere.
Here are our symptoms:

- C:\winnt\system32\wmon16.exe appeared and began running (no idea what it
is or does)
- hosts file was altered to redirect antivirus sites to 127.0.0.1 (similar
to Trojan.QHOST but nothing else matches)
- disables antivirus
- creates lots of connections to network computers using microsoft-ds and
netbios ports

I am completely lost.  No removal tools have worked, no A/V is picking it
up.  I've got about four hosts with these symptoms (so far) and I'm just
unplugging network cables at this point.  Anyone with any pointers?

Jason E. High,RHCT,GSEC,MCP
http://www.alwaysright.org
