Remove WootBot Trojan, description and removal instructions

Taken from: http://www.2-spyware.com/remove-wootbot-trojan.html

Full name: WootBot Trojan

Type: Trojans

Also known as: Trojan.WootBot, WootBot

Related files: navsys32.exe, svcshost.exe, elite.exe, winssv.exe, lsass2.exe, pomedsrv.exe, winapa.exe, ctfnom.exe, symantec32.exe, syshelper.exe, mqguard.exe

Severity scale: (67 / 100)

WootBot Trojan description: This parasite is especially dangerous for PC gamers. WootBot tries to steal the CD keys of various games and send them to a specified location. That is not the only threat to the user of an infected machine: the parasite also tries to connect to the Internet and download other parasites. If it succeeds, even more problems may occur on the computer.

WootBot Trojan properties:
• Connects itself to the internet
• Hides from the user
• Stays resident in background

WootBot Trojan manual removal:
Kill processes:
navsys32.exe, svcshost.exe, elite.exe, winssv.exe, lsass2.exe, pomedsrv.exe, winapa.exe, ctfnom.exe, symantec32.exe, syshelper.exe, mqguard.exe

Delete files:
navsys32.exe, svcshost.exe, elite.exe, winssv.exe, lsass2.exe, pomedsrv.exe, winapa.exe, ctfnom.exe, symantec32.exe, syshelper.exe, mqguard.exe

For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan

For removal instructions, please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows




Ctfnom.exe definition, relationships, removal

Taken from: http://www.2-spyware.com/file-ctfnom-exe.html


ctfnom.exe description:
The file ctfnom.exe is related to the WootBot Trojan.

Files related to ctfnom.exe: navsys32.exe, svcshost.exe, elite.exe, winssv.exe, lsass2.exe, pomedsrv.exe, winapa.exe, symantec32.exe, syshelper.exe, mqguard.exe

File ctfnom.exe removal: WARNING!!! File ctfnom.exe is related to spyware. This is a serious violation of your privacy, and your system is under security threat.



W32/Rbot-WX

Taken from: http://www.sophos.com/virusinfo/analyses/w32rbotwx.html

Description:
W32/Rbot-WX is a network worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-WX spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.

W32/Rbot-WX can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-WX can be instructed by a remote user to perform the following functions:

    * start an FTP server
    * start a Proxy server
    * start a web server
    * take part in distributed denial of service (DDoS) attacks
    * log keypresses
    * capture screen/webcam images
    * packet sniffing
    * port scanning
    * download/execute arbitrary files
    * start a remote shell (RLOGIN)

The worm copies itself to a file named lsassx.exe in the Windows system folder and creates the following registry entries:

HKCU\Software\Microsoft\OLE\
Windows Taskmanager=
"lsassx.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Taskmanager=
"lsassx.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Taskmanager=
"lsassx.exe"
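
The check below is an added example, not code from Sophos or 2-spyware: it parses saved `reg query` output for autostart keys and flags values that launch a file name listed on this page, or a name within two edits of a genuine Windows binary (the pattern behind lsassx.exe, svcshost.exe and ctfnom.exe). The `GENUINE` list, the sample output and the name svch0st.exe are assumptions constructed for illustration.

```python
import re

# File names taken from this page (Rbot-WX copy plus WootBot related files).
PAGE_FILES = {
    "lsassx.exe", "navsys32.exe", "svcshost.exe", "elite.exe", "winssv.exe",
    "lsass2.exe", "pomedsrv.exe", "winapa.exe", "ctfnom.exe",
    "symantec32.exe", "syshelper.exe", "mqguard.exe",
}
# Assumption: a short list of genuine Windows binaries such names imitate.
GENUINE = {"lsass.exe", "svchost.exe", "ctfmon.exe", "services.exe", "winlogon.exe"}
VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")  # name, type, data
EXE_RE = re.compile(r'[^\\/"]+?\.exe', re.I)  # first file name ending in .exe

# Constructed sample of `reg query` output; not captured from a real host.
SAMPLE = r"""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Windows Taskmanager    REG_SZ    lsassx.exe
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Updater    REG_SZ    "C:\Program Files\Tool\svch0st.exe" /q

HKEY_CURRENT_USER\Software\Microsoft\OLE
    Windows Taskmanager    REG_SZ    lsassx.exe
"""

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def scan(reg_query_output):
    """Return (key, value name, exe name, reason) for each suspicious value."""
    findings, key = [], None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        exe = EXE_RE.search(m.group(3)) if m else None
        if not exe:
            continue
        name = exe.group(0).strip().lower()
        if name in PAGE_FILES:
            findings.append((key, m.group(1), name, "file name listed on this page"))
        elif name not in GENUINE and any(edit_distance(name, g) <= 2 for g in GENUINE):
            findings.append((key, m.group(1), name, "near-miss of a system binary name"))
    return findings
```

A name match is only a lead: confirm the file's location and hash before removing anything, since a genuine binary name in the wrong folder would pass this check.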

Aliases: Backdoor.Win32.IRCBot.y

Affected operating systems: Microsoft Windows Operating Systems

Side effects:
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

To scan your computer for W32/Rbot-WX, please check the ARNIT Free Online Virus Scanner at http://www.arnit.net/security/tplarnit.php?page=vscan



