Winzsq.exe ??

This is a process running on two machines that I know of. There is no
reference to it on MS Support or by Google search. I also looked at it with
Process Explorer, as well. Does anyone know what it is?

Thanks!
 
There is no
reference to it on MS Support or by Google search.

Usually a good indication that the file is malware.

What do your antivirus and anti-spyware apps say?

Locate Winzsq.exe and right click it | Properties | Version tab

There should be a description on both General and Version tabs.

This info is part of the file and not all files have real good info.
Especially if it is spyware or a virus.

Click a category on the left to display the information on the right.

Other version information
Item Name:
Company
File Version
Internal Name
Language
Original File Name
Product Name
Product Version

If the file is legit, there ought to be some clues.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
Wes,

I've tried all of your suggestions and in the Run area of HKLM found
"NetworkDiskRun" that launches winzsq.exe. Somehow I missed it the first
time through.

There are no characteristics of the file to help identify what it is other
than it appears to be DOS. It resides in c:\windows\system32. It is 10,752
bytes in size.

I scanned it with Ad-aware, Spybot, CWShredder and McAfee VirusScan, all
with the latest definitions.

I guess that's about all I can do for now.

Thanks.
 
You can submit the file to VirusTotal:
http://www.virustotal.com/flash/index_en.html

Let us know what they say.

Malke
 
Gene,

NetworkDiskRun brings up as many results in Google as Winzsq.exe does.

Five will get you ten that it's malware.

See Malke's advice.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
Why not search your HD for the file? When it is found, rename it to:

winzsq.001 (you might need to stop the process before renaming it)

Reboot the system and see what happens. You will need to continue using
the system for about a week, and if it does not materially affect the
system then you can safely delete the file completely from the system.

hth
 
Here are the results from Virustotal. A mixed bag of info, but interesting,
nonetheless:

Server response

--------------------------------------------------------------------------------

Results of a file scan
This is a report processed by VirusTotal on 12/06/2005 at 02:12:54 (CET)
after scanning the file "winzsq.zip" file.
Antivirus      Version         Update      Result
AntiVir        6.32.1.63       12.05.2005  TR/IRC.Ryknos.C
Avast          4.6.695.0       12.05.2005  no virus found
AVG            718             12.05.2005  BackDoor.Generic.XNV
Avira          6.32.1.63       12.05.2005  TR/IRC.Ryknos.C
BitDefender    7.2             12.05.2005  BehavesLike:Win32.IRC-Backdoor
CAT-QuickHeal  8.00            12.05.2005  Backdoor.Breplibot.l
ClamAV         devel-20051108  12.05.2005  Trojan.Brepibot.G-2
DrWeb          4.33            12.05.2005  no virus found
eTrust-Iris    7.1.194.0       12.06.2005  Win32/Outsbot.10752!Trojan
eTrust-Vet     11.9.1.0        12.05.2005  no virus found
Fortinet       2.48.0.0        12.06.2005  W32/DcomRpc.B0A5-exploit
F-Prot         3.16c           12.05.2005  no virus found
Kaspersky      4.0.2.24        12.06.2005  Backdoor.Win32.Breplibot.l
McAfee         4643            12.05.2005  W32/Brepibot
NOD32v2        1.1312          12.05.2005  probably a variant of Win32/IRCBot.PH
Norman         5.70.10         12.05.2005  W32/Ryknos.E
Panda          8.02.00         12.05.2005  Bck/Ryknos.G
Sophos         4.00.0          12.05.2005  Troj/Stinx-G
Symantec       8.0             12.06.2005  Backdoor.Ryknos
TheHacker      5.9.1.049       12.05.2005  no virus found
VBA32          3.10.5          12.05.2005  Backdoor.Win32.Breplibot.l
 
Hi Gene,

None of the AV companies use the same name for any virus. Probably just to
confuse us.

And my question is, what flavor of AV are you running? Avast, DrWeb,
eTrust-Vet, F-Prot or TheHacker? All with no virus found.

Bingo!!!!!!!!!!! winzsq.exe and NetworkDiskRun!!!!!!!!!

[[When first run Troj/Stinx-G copies itself to <System>\winzsq.exe and
creates the following files:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
NetworkDiskRun
winzsq.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NetworkDiskRun
winzsq.exe ]]
Sophos virus analysis: Troj/Stinx-G
http://www.sophos.com/virusinfo/analyses/trojstinxg.html

Just did a search and look at what Google finds now.
http://www.google.com/search?hl=en&q=NetworkDiskRun&btnG=Google+Search

http://www.google.com/search?hl=en&lr=&q=winzsq.exe&btnG=Search

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User
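
An added example, not part of the original thread: a read-only PowerShell check of the two Run keys quoted from the Sophos analysis above. It lists each autorun's target file with the version fields Wes suggests inspecting, and flags a NetworkDiskRun value or a winzsq.exe target. The Resolve-RunTarget helper and the report field names are illustrative assumptions.

```powershell
# Added example: read-only triage of the Run keys named in the thread.
$runKeys  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$iocValue = 'NetworkDiskRun'   # value name reported in the thread
$iocFile  = 'winzsq.exe'       # file name reported in the thread

function Resolve-RunTarget {   # hypothetical helper, not a built-in cmdlet
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if     ($cmd -match '^"([^"]+)"')        { $exe = $Matches[1] }  # quoted path
    elseif ($cmd -match '^(.+?\.exe)(\s|$)') { $exe = $Matches[1] }  # unquoted, may contain spaces
    else                                     { $exe = ($cmd -split '\s+')[0] }
    # A bare name such as "winzsq.exe" is looked up in System32, where the thread found it.
    if (-not [IO.Path]::IsPathRooted($exe)) {
        $exe = Join-Path $env:SystemRoot "System32\$exe"
    }
    $exe
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        if (-not $command) { continue }
        $target = Resolve-RunTarget $command
        $file   = Get-Item -LiteralPath $target -Force -ErrorAction SilentlyContinue
        $info   = if ($file) { $file.VersionInfo }
        [pscustomobject]@{
            Key           = $key
            Value         = $name
            Command       = $command
            FileExists    = [bool]$file
            SizeBytes     = if ($file) { $file.Length }
            Company       = if ($info) { $info.CompanyName }
            Description   = if ($info) { $info.FileDescription }
            OriginalName  = if ($info) { $info.OriginalFilename }
            # File present but carrying no company or description strings
            NoMetadata    = [bool]$file -and -not ($info.CompanyName -or $info.FileDescription)
            # Entry matches the value name or file name discussed in this thread
            MatchesThread = ($name -eq $iocValue) -or ($command -like "*$iocFile*")
        }
    }
}
$report | Sort-Object MatchesThread, NoMetadata -Descending | Format-List
```

The script only reads the registry and file metadata. A row with MatchesThread true and FileExists false is a Run entry left behind after the file itself has been removed.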

 
Thank goodness for VirusTotal. And once again, virus-like activity turns
out to be caused by - ta dah! - a virus.

Malke
 
If it looks like a duck, walks like a duck and quacks like a duck... ;-)

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
Today's update: It’s a duck :-) When I logged onto my system this morning,
VirusScan 7.0 with definition version 4643 caught and deleted winzsq.exe
immediately. It did not delete the registry entries though, so I did that
manually. Definition version 4642 didn't catch it for sure.

Everyone, thanks for your help!


 
Glad you got the chicken coop cleaned out.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 