Google Answers
 
Q: win128.exe...is it malware?? ( Answered 5 out of 5 stars,   2 Comments )
Question  
Subject: win128.exe...is it malware??
Category: Computers > Security
Asked by: sea_sprite-ga
List Price: $2.00
Posted: 13 Mar 2005 06:41 PST
Expires: 12 Apr 2005 07:41 PDT
Question ID: 493831
How do I know if the process win128.exe is malware? And if it is, how do
I safely remove it from my PC?
Answer  
Subject: Re: win128.exe...is it malware??
Answered By: hummer-ga on 13 Mar 2005 06:59 PST
Rated:5 out of 5 stars
 
Hi sea_sprite,

Yes, it is.

This is a malware, or unsafe, program.
"Added by the W32/Forbot-ES WORM/backdoor Trojan, which allows
unauthorized access to the PC using the IRC network and registration
of a new service process 'Windows 128 Module'."
http://www.bleepingcomputer.com/startups/win128.exe-7527.html

Three steps to follow:

1) HouseCall, a very thorough online virus scan:
http://housecall.trendmicro.com/

2) Ad-Aware SE, download (be sure to "check for updates" before running):
http://lavasoft.element5.com/default.shtml.en

3) W32/Forbot-ES: Manual Removal:
http://www.sophos.co.uk/virusinfo/analyses/w32forbotes.html


Additional Links of Interest:

How to: Spyware, Trojan And Virus Removal
http://forums.majorgeeks.com/showthread.php?t=35407

KRC Anti-Spyware Tutorial
http://www.greyknight17.com/spyware.htm

I hope this helps. If you have any questions, please post a
clarification request *before* closing/rating my answer and I'll be
happy to reply.

Thank you,
hummer

Google Search Terms Used: win128.exe

Request for Answer Clarification by sea_sprite-ga on 14 Mar 2005 06:17 PST
How do I remove references to registry entries I delete?

Clarification of Answer by hummer-ga on 14 Mar 2005 10:39 PST
Hi sea_sprite,

The "and remove any reference to any file you deleted." is not
necessary to do if you are running Windows NT/2000/XP.

1) Close everything you have open. 

2) How to back up the Windows registry
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617

3) Click Start / Run / type REGEDIT, then press Enter.
Navigate to each of the following and, in the right panel, locate and
delete the entry: Windows 128 Module.
       HKLM\Software\Microsoft\Windows\CurrentVersion\Run
       HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
       HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Each user has a registry area named HKEY_USERS\[code number indicating
user]\. For each user delete Windows 128 Module:
       HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
       HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

4) Close the registry editor. 
http://www.sophos.co.uk/virusinfo/analyses/w32forbotes.html

5) Disable System Restore
http://www.trendmicro.com/en/security/advisories/win_me_clean.htm

6) Reboot and then re-enable your System Restore and set a new restore point. 

Good luck,
hummer
sea_sprite-ga rated this answer:5 out of 5 stars and gave an additional tip of: $1.00
I was extremely impressed with the promptness of your response and the
amount of information you sent me along with it.
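
A read-only check for the registry steps in the clarification above, added here as an example and not part of the original answer: it looks in the listed Run, RunOnce and RunServices keys, under HKLM and each user hive loaded under HKEY_USERS, for the value name "Windows 128 Module" and reports any match without deleting anything. The variable names are this example's own.

```powershell
# Added example: audit only. Reports matches, changes nothing.
$valueName = 'Windows 128 Module'   # entry name given in the answer
$subKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\RunServices'
)

# HKLM plus every user hive currently loaded under HKEY_USERS.
# HKCU is the current user's view of one of these hives.
$roots = @('Registry::HKEY_LOCAL_MACHINE')
$roots += Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "Registry::$($_.Name)" }

$findings = foreach ($root in $roots) {
    foreach ($sub in $subKeys) {
        $path = "$root\$sub"
        # Not every key exists in every hive; skip the missing ones.
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            # Registry value names are case-insensitive, so compare that way.
            if ($name -ieq $valueName) {
                [pscustomobject]@{
                    Key   = $key.Name
                    Value = $name
                    Data  = $key.GetValue($name)   # command the entry would launch
                }
            }
        }
    }
}

if ($findings) {
    $findings | Format-List
} else {
    "No '$valueName' value found in the checked keys."
}
```

Only hives loaded under HKEY_USERS are visible to this check; the profile of an account that is not logged on is not covered.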

Comments  
Subject: Re: win128.exe...is it malware??
From: kal_el-ga on 13 Mar 2005 09:55 PST
 
I have recently helped friends and family clean their Windows XP
installations of spyware using Microsoft Anti-Spyware. It works
extremely well and is a free download. After all, who knows Windows
better than the makers themselves?

http://www.microsoft.com/ look for Windows AntiSpyware

Best of all, it keeps itself updated and is alert to any suspicious
behaviour by any programs. It also reports any spyware it finds to a
central database. Therefore, you are made aware of any threats others
have been exposed to.

Hope that helps - download it and scan your PC now!
Subject: Re: win128.exe...is it malware??
From: hummer-ga on 15 Mar 2005 08:45 PST
 
Thank you for your nice note, rating, and tip, sea_sprite - I'm happy
you are happy. Even if all is well now, it would be a good idea to run
HouseCall and Ad-aware (update first!) today and then do so on a
regular basis. Also, read -

"Keeping your computer safe and secure"
http://forums.majorgeeks.com/showthread.php?t=35407

Spyware Prevention
http://www.greyknight17.com/spyware.htm

Take care, hummer
