winsrv.exe


Gale

Found the following line in the registry
"C:\winnt\system32\hiddenrun.exe WinSrv.exe" under the run statement.
Is the winsrv.exe a valid Microsoft file required for WIN 2000?
Any comments?
 
Gale wrote in
Found the following line in the registry
"C:\winnt\system32\hiddenrun.exe WinSrv.exe" under the run statement.
Is the winsrv.exe a valid Microsoft file required for WIN 2000?
Any comments?

Did you Google?
About 44 hits on "winsrv.exe". Possible evidence of Worm! Maybe
Opaserv or other.

It appears that the "winsrv.exe" and "hiddenrun.exe" _may_ also have
legitimate uses.
 
Gale said:
Found the following line in the registry
"C:\winnt\system32\hiddenrun.exe WinSrv.exe" under the run statement.
Is the winsrv.exe a valid Microsoft file required for WIN 2000?
Any comments?

This is a Trojan of some type. I am currently investigating and have
sent samples to SARC for testing.

You should be able to delete the line in the registry and there is
probably a second one "C:\winnt\system32\hiddenrun.exe NTSrv.exe".
You will also find a service for ServU FTP service that needs to be
stopped and removed from the registry. I don't know what other
problems this thing causes. But in one of my client networks, Windows
9x machines were prevented from logging on to the network.

AL
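
A way to check a machine for the entries discussed in this thread, as an added example that is not part of any poster's message: the script parses a `.reg` export of the Run keys and flags values whose command line references the file names mentioned above. It assumes "the run statement" means `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`; the sample export and its value names are constructed, and a match is a lead for review rather than a verdict.

```python
import re

# File names taken from the thread; compared case-insensitively.
SUSPECT_NAMES = {"hiddenrun.exe", "winsrv.exe", "ntsrv.exe"}

# Constructed sample of a .reg export of the Run keys. The value names
# (left of '=') are invented for illustration; the thread does not give them.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"WinSrv"="C:\\winnt\\system32\\hiddenrun.exe WinSrv.exe"
"NTSrv"="C:\\winnt\\system32\\hiddenrun.exe NTSrv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg string values escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)

def find_suspect_run_entries(export_text):
    """Return (key, value name, command, matched names) for flagged Run values."""
    hits, key = [], None
    for line in export_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        # Only string values under a key ending in \Run or \RunOnce are checked.
        if not (m and key and re.search(r'\\Run(Once)?$', key, re.I)):
            continue
        name, command = unescape(m.group(1)), unescape(m.group(2))
        # Split on whitespace and path separators, then compare base names.
        tokens = {t.lower() for t in re.split(r'[\s\\/"]+', command) if t}
        matched = sorted(tokens & SUSPECT_NAMES)
        if matched:
            hits.append((key, name, command, matched))
    return hits

if __name__ == "__main__":
    for key, name, command, matched in find_suspect_run_entries(SAMPLE_EXPORT):
        print(f"{key}\n  {name} = {command}\n  matched: {', '.join(matched)}")
```
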
 