Microsoft security software detects and removes this threat.

This trojan can change the start page of your web browser.

It is installed on your PC by software bundlers that advertise free software or games.

What to do now

This trojan creates an uninstaller that can be accessed from the Control Panel.
  • For Windows 8, open the Start screen, type Uninstall and then go to Settings. In the search results, go to Uninstall a program.
  • For Windows 7 and Vista, open the Start menu and navigate to Control Panel then Programs and then Uninstall a Program
  • For XP, open the Start menu and navigate to Control Panel then Add or Remove Programs

The entry for this program may be called "Wsys Control <version number>".

If an uninstaller is not available, does not work properly, or you do not want to use it, you can use the following free tools to detect and remove this program and other unwanted software from your PC:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Threat behavior


Trojan:Win32/Wysotot.B is usually installed on your PC by software bundlers that advertise free software or games. One installer that we have seen distribute Win32/Wysotot is shown below:

Once installed the trojan adds itself as a service with the name “Wsys Service” or “DProtect Service”.

It might add an uninstall entry with the name “Wsys Control <version number>". Running this uninstaller might remove Win32/Wysotot.B from your PC.


Changes browser settings

Win32/Wysotot.B checks if you click on any of the shortcuts for these browsers:

  • Internet Explorer
  • Firefox
  • Chrome
  • Opera

When you open one of these browsers, the trojan will redirect you to one of a list of websites instead of your standard browser homepage. Examples of the web pages redirected to include:


Win32/Wysotot.B does this by changing what your browser shortcut points to. For example, a shortcut file to:

C:\Program Files\Internet Explorer\iexplore.exe

Will be changed to:

"C:\Program Files\Internet Explorer\iexplore.exe" hxxp://<some text>&ts=<some timestamp>

The trojan also changes the following registry key to redirect the start menu entry for Internet Explorer:

In subkey: HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\
Sets value: "command"
With data: ""C:\Program Files\Internet Explorer\iexplore.exe"<some text>&ts=<some timestamp>"

Additional information

Win32/Wysotot.B sends the status of any security software on your PC to a command-and-control (C&C) server.

It can also download, run, and kill processes. Commands include:

  • start
  • run
  • stop
  • uninstall
  • kill
  • restart

Analysis by Geoff McDonald



The following could indicate that you have this threat on your PC:

  • Your web browser redirects to an unexpected page when you open it
  • You see an uninstaller called "Wsys Control":


Alert level: Severe
First detected by definition: 1.161.1631.0
Latest detected by definition: 1.197.920.0 and higher
First detected on: Nov 07, 2013
This entry was first published on: Oct 30, 2013
This entry was updated on: Nov 12, 2013

This threat is also detected as:
No known aliases