KillWind.exe found and need help!!!

Hello everyone, last night my avast scanner was conducting a virus scan when it found 2 viruses. It told me to move them to the virus chest and to disconnect my internet connection if I was connected to any network. I wasn’t but just to be safe I disconnected. Anyways, the two viruses it found were:

-KillWind.exe

-A0056766.exe

At the moment, both of these viruses are in my virus chest and I was hoping you guys could help me out from here. I would really appreciate it if anyone could let me know what the next steps are in making my computer safe again and getting rid of these threats. Thanks in advance. Peace.

P.S.- My virus chest also has some other files in it but they’re not identified with the skull and crossbones virus symbol. I’m guessing since they’re in the virus chest that they’re viruses and how can I remove these as well? By the way, my PC is working just fine but I still want to play on the side of caution.

I suggest a forum search for killwind.exe, as there have been two forum topics on this that I can recall recently. It may be a false positive, or rather riskware (as it is a tool which could be used for good or evil).

You could follow one of those topics and add any information there as required, like the location of killwind.exe.

If a virus is replicant (coming and coming again), you could follow the general cleaning procedure:

  1. Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again after step 3).

  2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

  3. Schedule a boot-time scan with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Another option is scanning in SafeMode (repeatedly press F8 while booting).

  4. It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
    If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

  5. If you are still detecting any strange behavior, or even if you’re sure you’re not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest AVG, Panda and/or F-Secure BlackLight.

  6. Also, if you are still detecting strange behaviors or you want to be sure you’re clean, maybe making a HijackThis log to post here and, especially, scan and submit to on-line analysis the RunScanner log would help to identify the problem and the solution.

  7. After you’re clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

  8. Finally, when you’re clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.

Leave them in the Chest (they can’t do any harm there) for a week or two so as to ensure that there are no harmful effects from them having been moved there (incorrect detection, etc.). This gives you time to investigate if at all possible (Google search, ask here, etc.) to confirm. You can then delete, restore or move them from within the chest, whichever is appropriate. Right click the avast icon and select Program Settings… then select Chest.

You will notice the avast Chest is in three sections:

  1. Infected Files, speaks for itself, any files detected by avast that you chose Move to Chest as the action.

  2. System files, back-up copies of important system files. There are (generally) files in the System Folder of the Chest: command.com, kernel32.dll and wsock32.dll. During the installation, avast! copies some critical system files into the Chest, under the “System files” category. Those files might cause the operating system to crash if they get infected by a virus. If needed, those files can be restored from the Chest to their original location. Should an unknown virus infect the computer despite the extensive protection from the avast! antivirus package and alter an important system file, it can then be easily restored to its original state.

  3. User Files, an area for the user to import suspicious files that haven’t been detected so they can do no harm and can be sent by email to Alwil for further analysis.

If you have a HP system it is one of their “tools”
A0056766.exe this is a downloader

I’m not certain that that is totally correct for A0056766, whilst there are two google hits for that, one is a downloader, the other a backdoor and I’m not sure of either of them.

If this is in the System Volume Information folder then this is a file name generated by system restore and could relate to anything.

Thank you very much for the advice everyone. I’ll leave the virus chest alone for about a week and then I’ll delete the two trojans. Thanks again.

Let us know the location of the killwind.exe file. Did you do a forum search as suggested?
Here http://forum.avast.com/index.php?topic=29137.0 and
here http://forum.avast.com/index.php?topic=29086.0.

It could simply be a tool depending on location and if so you would want to keep it and exclude it from scan. In a week or more it is likely it will still be detected so you would possibly be deleting a legitimate tool.

Killwind.exe is a normal file for HPs and Compaqs (same manufacturer these days), as essexboy says. If you have one of these, leave the file alone. It’s not really a trojan.

Hey there, the KillWind.exe file was found in C:\hp\bin. The A0056766.exe file was found in C:\system volume information\_restore. My sister was recently backing up some pictures and movies, could this be the case for the latter (or both)? And just some more information, both files are identified as being Win32:Trojan-gen. {VC}. Does any of this shine some light on the situation? Please let me know cuz I’m really concerned.

P.S. I did another Avast virus scan this morning and zero infected files were found.

I had found the same thing on my computer. It usually pops up. I don’t know how it got on my computer. I don’t understand all the posts. It won’t let me delete them in the chest. Can someone help me understand all the technical terms in plain? I am not a computer wiz and very confused. I don’t understand the chest option and what to do with virus in it when it won’t delete it. I would appreciate any help in understanding it.

UPDATE: Hey guys, I found something on the KillWind.exe “trojan.” I did a Google search and this is what I found. I’ve also included the url below the post in case you would like to research further:

who_i_am (Member) | Posted: 3 years ago

I did a little search of my own… and came up with this…

I was assisting someone with a problem with her computer and came across these files. I contacted HP and was told that the killwind, terminator, cloaker, spawn and fondlewindow executables are part of the Backweb program that HP installs on all Pavilion PC’s. Backweb enables HP to connect directly to a PC while it is online (simply connected to an ISP - doesn’t matter if the browser is open or not) so that it can “push” content and program updates.

While the tech support person who wrote back to me when I emailed them said that the files were “essential” for proper system operation, further investigation using HP’s own support documentation shows that you can uninstall the Backweb program through the Add/Remove Programs utility in Windows Control Panel. HP, of course, does not recommend doing this.

My take is that if your system is out of warranty, is operating properly, and Mr. Gerrans’ sense of humor in naming and describing the files offends you, just uninstall Backweb. Of course, this is just my personal opinion, does not reflect HP’s recommendations, etc…

It’s an extract from a discussion of Killwind… you can find the entire thread here: http://bizforums.itrc.hp.com/cm/QuestionAnswer/1,,0xeb065f938a10d6118ff40090279cd0f9,00.html

*http://www.geek.com/forums/topic.php?id=32978&page

By the way, I still haven’t found anything relevant on the A0056766.exe file. Please be sure to post in case you come across something important. Thanks.

If it is in restore (my error, did not see that part) then it can be left, as it is part of Windows ordering system.

If you found killwind.exe on your computer and your computer is either a Compaq or HP, this is generally nothing to worry about. Killwind is a tool Compaq and HP install on their computers for use by their tech support people (and for updates according to what jiffy1 found).

If you found the other file we’ve been talking about, or you found killwind.exe and your computer is not a Compaq/HP, then we should investigate more. You could start a new thread for this.

Did you follow this?