Anonymous asked in Computers & Internet, Security · 1 decade ago

What is Killwind.exe?

I'm a big player of World of Warcraft and lately I've been getting hacked due to a keylogger. I ran a program called The Cleaner, where it found C:/hp/bin/killwind.exe. Could this be the result of a keylogger?

3 Answers

  • 1 decade ago
    Favorite Answer

    "The purpose of HP's BackWeb suite of programs is to allow their tech support people to help you via a remote connection. If you rely on their tech support, or think your chances of doing so in the future are "more than average", then you should probably keep these programs. Otherwise you can quarantine or delete any of them as you see fit.

    So what does this have to do with KillWnd?

    It is a program that can stop another program that is already running. It does not stop programs FROM being ABLE to run -- it shuts down (possibly "runaway") programs that are already running.

    You can already do this yourself without KillWnd. In the Windows Task Manager, there is an "End Task" button on the "Applications" tab, and an "End Process" button on the "Processes" tab. (I am not going to go into the difference between Applications and Processes here.)

    Both of those buttons do pretty much the same thing. If you have a program that is causing a problem (for example, slowing down your system too much, or partially or completely "hanging"), you might not be able to just go to the program and tell it to quit normally. It might be a program like Microsoft Word, which has a "File / Exit" menu choice, but the program is just not responding to you, the user. OR, it might be a program ("process", "TSR", "service", etc.) that doesn't have a window and there's no way for you to control it directly. So you'd use the task manager to ask Windows to tell the program to end. Techie-speak for doing this is to "kill the process".

    So if that's in the Windows Task Manager, why does HP BackWeb need KillWnd? Well, it just makes it easier for their tech support person to see what processes are running on your machine and to shut down something that is possibly "runaway" (i.e. causing some problem). Tech support people often need to do that sort of thing, and it is a LOT easier if they can do most everything themselves instead of asking the user to do it; the user may be VERY new to computers or at least technically naive.

    So, can BackWeb, or just the KillWnd part of it, be abused by HP or someone else? You bet! It allows someone to do things remotely that they normally would have to be sitting at the computer, logged in as Administrator, to do.

    Is it Malware? No.

    Is it totally insecure? You'll need to search the web and decide for yourself. Consider, though, that if HP didn't apply SOME security to BackWeb to keep unwanted others out, they would be leaving themselves open to a major class-action lawsuit once such a totally-open backdoor was exploited.

    Threat Profile: RemAdm-PSKill

    Risk Assessment

    - Home Users: N/A

    - Corporate Users: N/A

    Date Discovered: 2/27/2002

    Date Added: 12/23/2002

    Origin: Sysinternals

    Length: 77,824 bytes

    Type: Program

    SubType: -

    DAT Required: 4190

    Program Characteristics

    This detection is an application type, for a "potentially unwanted application". The program can terminate processes on local or remote WinNT or Win2K systems. This tool was built for use by administrators to do remote system administration.

    However, this application has been used by many trojans, such as the Egghead trojan, for malicious purposes.

    The current command-line scanner detects such applications with the additional /PROGRAM switch, as does VirusScan 7 (via configuration pages).

    Symptoms

    N/A This is a "potentially unwanted application""

  • Lv 5
    1 decade ago

    Killwind is a program to terminate TSRs in Windows. (What's a TSR, you ask: http://en.wikipedia.org/wiki/Terminate_and_Stay_Re... ) It is preinstalled by HP, and is not considered dangerous, unless hijacked by a virus. In that case it could be used to terminate programs or processes, such as your A/V program.

    A more understandable description:

    "KillWind.exe is a utility program that HP includes in their software packages. It is part of their BackWeb software. Software that allows their techs to call into your machine when you have a problem and try to fix it (under warranty). The KillWind.exe file is a program they may use that "kills" or terminates any running or background process. So it is just an HP software utility."

    As for ensuring there is nothing hijacked, download (what else) HijackThis (http://free.antivirus.com/hijackthis/ ). It will scan your registry, processes, startup items, etc. Obvious problems will be flagged, and you can upload the log to TrendMicro for detailed analysis by a PC expert.

  • 1 decade ago

    It's just a poorly named tool by HP. It can be used to kill processes. There are about 3 or 4 filenames from them picked up by scanners. Another one is named terminator.exe. They are not problems.
