Please help: who is this RAT ?
paperinik3
January 25th, 2005, 12:47 PM
TDS3 tells me I'm infected with a RAT.Haxdoor trojan (file trace in C:\WINNT\System32\w32tm.exe). I've sent the file to DiamondCS but apparently my mail client is knocked out. I've told TDS to delete the file - it seems unable to do so.
I have also googled for this RAT.Haxdoor - unknown. Please advise. :-[
no13
January 25th, 2005, 01:06 PM
RAT = Remote Administration Tool.
Haxdoor is pretty famous.
try googling "haxdoor removal"
no13
January 25th, 2005, 01:08 PM
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.haxdoor.html
paperinik3
January 25th, 2005, 02:38 PM
Hi, I'm a bit late in answering because I perused the Symantec instructions for removal and then went to the registry to delete all the registry entries added by the RAT.
Well, there weren't any: I think that ProcessGuard must have closed the door. Very interesting!
Thank you very much for your help no13 ! ;D
TonyKlein
January 25th, 2005, 03:47 PM
I suggest you have a look here: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.haxdoor.d.html
That's in fact your particular 'guest'...
JamesRH
January 25th, 2005, 04:17 PM
I have the exact same problem. Checked and I also found no reg. entries - but I get the same warning every time I scan:
File Trace: Default trojan filename: RAT.Haxdoor
File: C:\WINNT\System32\w32tm.exe
when I tell TD3 to delete the file, it lists it as deleted, but it shows up again as soon as I scan .... Is it still there? Is it still a problem?
TonyKlein
January 25th, 2005, 04:22 PM
It would be best to post in one of the forums still offering spyware/malware removal services. Here are a few good ones:
CastleCops: http://castlecops.com/forums.html
Spyware Warrior Forums: http://www.spywarewarrior.com/index.php
SpywareInfo: http://www.spywareinfoforum.com/
JamesRH
January 25th, 2005, 04:26 PM
Thanks Tony. I didn't know this forum had stopped offering those services. I'll check out the links you posted.
TonyKlein
January 25th, 2005, 04:28 PM
You're welcome. Do check out that Symantec link I posted though; it may help.
whatsup
January 25th, 2005, 08:08 PM
Same problem with w32tm.exe, no reg entries. Also scanned with Pest Patrol, which is supposed to find and delete Rat.Haxdoor; it didn't find anything. Tried a couple of online scans, again nothing. Could this be a false positive?
beethoven
January 26th, 2005, 12:46 AM
I am also wondering if this Rat is a false alarm. I just updated the radius TD-3 and then found it on two PCs. None of the other AV or AT programs picks up anything and while I can find the files on my PCs, the last modification date according to explorer was 23/8/01 and 21/9/03 respectively.
One PC is running XP, hardware and software firewall, NOD32 and as I am testing AT programs it's also running Ewido and Spywaresweeper. Apart from TDS-3 none of the other programs has given me any alert. I even downloaded Trojanhunter to check and nothing is shown.
The other PC is W2000 with NAV. According to the earlier link, Symantec detects this trojan and can remove it. However when I run a scan with the latest updates, NAV does not show any RAT or Backdoor...
I am a bit frustrated as I feel running all these programs does not make me feel more secure just more paranoid >:(
FanJ
January 26th, 2005, 06:40 AM
Hi,
Just to make sure: are you running TDS-3 as admin?
Please have a look at this thread from Gavin:
http://www.wilderssecurity.com/showthread.php?t=29034
I don't know whether this is the culprit in this case, but it could be....
illukka
January 26th, 2005, 07:00 AM
Hi guys,
The Haxdoor drops several files when installed: exe's, dll's, and sys files.
The other components reload the exes.
Scan with TDS in safe mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406), do all possible scans in TDS's menu,
set the heuristic sensitivity to max before scanning,
and before deleting anything post the scandump.txt for us to see... then delete everything with positive identification.
beethoven
January 26th, 2005, 07:18 AM
@Fanj - thanks for that link. While it sounded promising ( as the alert is trace related), it does not help me (or I don't know how to do it properly).
When doing it on PC 1, my normal account has admin privileges and if trying to use the other option by typing in administrator I get the following error message: "the service cannot be started, either because it is enabled or because it has no devices associated with".
On the other PC (W2000) there is no run as option when right-clicking TDS-3. :'(
@illukka, I have run the scan several times but it only shows up one file trace.
FanJ
January 26th, 2005, 07:30 AM
Have you tried to scan that file at :
KAV online scanner:
http://www.kaspersky.com/remoteviruschk.html
Jotti online scanner:
http://virusscan.jotti.org/
What do those scans say?
Please let us know; thanks !
beethoven
January 26th, 2005, 08:04 AM
Thanks for the great link - I ran both scans and nothing showed up at Kaspersky or Jotti. :D
Feeling a bit more relaxed now though these two scans of course do not necessarily prove anything. Would a trojan even show up there as these are virus scans?
FanJ
January 26th, 2005, 08:17 AM
-{ Quote: "Thanks for the great link - I ran both scans and nothing showed up at Kaspersky or Jotti. :D
Feeling a bit more relaxed now though these two scans of course do not necessarily prove anything. Would a trojan even show up there as these are virus scans?" }-
Hi Beethoven,
Thanks for letting us know :D
As for KAV: usually you would say, yes indeed it would tell you so.
There is of course always a chance that something is not yet in the defs of a scanner.
I had a little bit the feeling that, when I saw several people posting here in this thread about the same warning on the same file, there could be a false positive from TDS-3 (that can happen to all scanners).
Maybe others with that same warning, could also post the results on those online scanners.
I really don't know whether it is indeed a false positive or not
I guess we have to wait for Gavin to have a closer look at it.
But since it is Australia Day, a public holiday in Australia, we might have to wait until tomorrow.
As for your question about running TDS-3 as admin:
all I can do is point to that thread from Gavin; I myself have only W98SE, so it would make no sense if I tried to tell more about it.
I hope others can help you here.
EDIT :
I want to make clear that I wrote:
I really don't know whether it is indeed a false positive or not.
---
January 26th, 2005, 08:45 AM
You should boot from the Windows boot CD, use the repair console and delete the dropper file, maybe the w32tm.exe file or other infected files. Note: It is possible that many AT/AV scanners cannot remove the trojan files of the Haxdoor family, not even in safe mode.
Dieter Bressem
January 26th, 2005, 11:10 AM
Today TDS-3 found this "Trojan" on my machine, too.
I think it is a false alarm because no TCP port 7080, 8008 or 16601 is open and no file c3.sys, boot32.sys, smtapi.sys etc. can be found.
BTW I am waiting for the signatures from today.
WTM32.EXE
SIZE: 61,440 bytes
CREATED: 15 April 2004
VERSION: 5.0.2195.6824
I started the program; the cmd-box will open, but nothing happens any more.
After starting it, also no infection found.
lagerstedt
January 26th, 2005, 03:26 PM
TDS-3 found this one in my PC too, but only in WINNT/System32 and it turned out to be a normal Windows file. I scanned with Norton AV with today's definition files, nothing was found. Then I scanned with Trend Micro, same result. I think that TDS-3 simply reacted to the file name and gave a warning "default trojan filename". I tried to submit the file, but could not understand the procedure. Some of TDS's instructions are cryptic. I hope that this is cleared up in the next definition update.
linney
January 26th, 2005, 03:27 PM
I vote for a false positive on W32tm.exe as the reason.
whatsup
January 26th, 2005, 03:46 PM
After I first posted that this might be a false positive I spent the rest of the day scanning with everything you can imagine; the outcome still nothing. Like Beethoven & Dieter I checked the dates on the rogue files and they are 2001 & 2004. Also as Dieter mentions none of the suspect ports are open. I did send an email to the TDS guys and waited all day for some kind of answer - Australia Day holiday of course, no one at work, silly me, I am an Australian and didn't realize. So now as well as being paranoid I'm apparently unpatriotic, boy you can get lost on a wild goose chase. Got so caught up even missed the cricket - now that is serious. My money is still on a false positive.
whatsup
January 26th, 2005, 06:59 PM
Just did an MD5 check on w32tm.exe and compared it with the same on a machine saying it's clean; both numbers the same.
beethoven
January 26th, 2005, 10:58 PM
;D Just got my response from TDS - it's a false alarm and will be removed soon ;D
Thanks everybody for their support and thanks to TDS for getting back so quickly :-*
whatsup
January 26th, 2005, 10:58 PM
Just received an email from TDS:
False alarm, this file exists if you have the Windows Time service enabled
Removing the detection today
Well that was enough excitement for a few days hey folks
Robyn
January 27th, 2005, 05:38 AM
Well, I nearly dropped there as I had this when I opened TDS :'( :'( Just found this post (had to delay going out as I felt sick :'( )
Will read again later but now I see about the false positive as it has something to do with w32time.dll (not too sure why time service is running - thought I disabled this but will check)
Scotch
January 27th, 2005, 06:47 AM
Are you sure it is a false positive? TD3 picked up this file on my system yesterday & I deleted it only to have it return. Ad-Aware was telling me I had 24 running processes and over 2000 process modules. I have been having long delays shutting down and startup has been getting longer. I went into safe-mode and deleted the file. After startup, I now had 22 running processes and 900 odd process modules. Shutdown is now fast & smooth, as is startup.
I am behind a router with NAT and run Outpost Pro firewall on my Win 2000 system. The log from Outpost is comprehensive and I could find no illicit connections, however I believe that this trojan may have been timed to run in the shutdown phase, after the firewall was turned off. At any rate, I am glad TD3 detected this file for me!
I checked through all the registry keys that were listed for rat.haxdoor (and every Haxdoor file I could find) under google and none were there. Perhaps there is a dormant bug on your system?
Regards
Phil J.
Robyn
January 27th, 2005, 06:56 AM
I have scanned my system completely with the new reference files just now and nothing was found at all this time. I only opened TDS this morning to update it and this was when the alert arrived - I reloaded after the updates ran a full system scan and everything was clear.
I have not noticed the long delays etc but now I am not sure what to do as I didn't delete anything - just re-scanned with TDS and everything was normal again ??? ??? Do I need to delete files etc I am behind a router and Outpost - my AV is clear and so is Ad-aware and Spybot and now TDS with today's references ??? ???
Scotch
January 27th, 2005, 07:27 AM
It is very likely that you have no problem, but it does not hurt to be careful. I have had 2 other trojans (not detected by Adaware or Spybot or Grisoft) detected by TD3 in the last 6 weeks. I believe they got into my system when I foolishly scanned a privately burnt CD for a friend, who is not security conscious.
Regards
Phil J.
Pilli
January 27th, 2005, 07:41 AM
-{ Quote: "just re-scanned with TDS and everything was normal again " }- Robyn, try a full scan in safe mode, ensure that all of the tests in Scan Control are ticked and that you scan all physical drives. The scan will take some time but it should give you peace of mind if nothing is found.
To get to Safe mode press F8 several times when rebooting just prior to when windows starts to load.
HTH Pilli :)
Robyn
January 27th, 2005, 07:43 AM
Thanks Pilli, anything for peace of mind - will do this now.
Robyn
January 27th, 2005, 09:30 AM
Back again Pilli and nothing nasty reported with the full bells and whistles scan in safe mode :) hope this is the peace of mind I need! It actually served me well as I made use of the time with a good tidy of paper and files ::)
Pilli
January 27th, 2005, 09:42 AM
:) Good show
Robyn
January 27th, 2005, 09:51 AM
Thanks (relieved now) ;)
bcom
January 27th, 2005, 01:42 PM
TDS detected RAT.Haxdoor, W32tm.exe running on my W2K machine. No other AV, RAT, Spyware, Pest, or Adware detector identified this file as a RAT.
Here is what I did to find out if this was a false alarm or not:
Checked all registry entries identified by Symantec as being created or modified by Haxdoor. None of the registry modifications were found.
Used netstat -a to look for ports opened by Haxdoor, couldn't find any.
Checked MS KB and found that W32tm.exe is a legitimate program used to synchronize clocks on a network.
Submitted the file to TDS for analysis. TDS's response was that this was a false alarm.
I would say that, if TDS identifies this file as a Rat but no other program does, and if you don't find any of the registry changes, chances are this is a false alarm.
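The two quick checks that settled this thread, whatsup's MD5 comparison of w32tm.exe against a copy from a clean machine and bcom's netstat -a look for the ports associated with Haxdoor, can be scripted so the verdict is reproducible. The following is an added example, not code from the thread or from DiamondCS/TDS: it hashes a file and compares it to a reference hash taken from a trusted copy, and it parses Windows-style `netstat -an` output for listening TCP ports that match the suspect set (7080, 8008 and 16601, the ports named in Dieter Bressem's post). The file bytes and netstat lines below are constructed stand-ins; the function and variable names are the example's own.

```python
"""Triage helpers for a suspected false positive: file hash vs. a known-good
reference, and listening-port check. Added example, not TDS/DiamondCS code."""
import hashlib
import os
import tempfile

# TCP ports the thread associates with Haxdoor (from Dieter Bressem's post).
HAXDOOR_PORTS = {7080, 8008, 16601}

# Constructed sample of `netstat -an` output on a clean Windows 2000 box.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""


def file_hashes(path):
    """Return (md5, sha256) hex digests of a file, read in chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def matches_known_good(path, reference_md5):
    """True when the file's MD5 equals the reference from a trusted copy.
    MD5 is used because that is what the thread compared; prefer SHA-256
    today when you have a choice of reference hash."""
    return file_hashes(path)[0].lower() == reference_md5.lower()


def listening_ports(netstat_output):
    """Parse Windows-style netstat lines and return local TCP ports in LISTENING state."""
    ports = set()
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].upper() == "TCP" and parts[3].upper() == "LISTENING":
            port = parts[1].rsplit(":", 1)[-1]
            if port.isdigit():
                ports.add(int(port))
    return ports


def suspect_ports_open(netstat_output, suspect=HAXDOOR_PORTS):
    """Subset of the suspect ports that are actually listening."""
    return listening_ports(netstat_output) & set(suspect)


def demo():
    """Run both checks on constructed inputs and return the verdicts."""
    # Constructed stand-in for the bytes of a known-good w32tm.exe.
    clean = b"constructed stand-in for the bytes of a known-good w32tm.exe"
    tampered = clean + b"\x90"  # one byte appended, constructed
    reference_md5 = hashlib.md5(clean).hexdigest()  # hash taken on the "clean machine"
    backdoor_line = "  TCP    0.0.0.0:16601          0.0.0.0:0              LISTENING\n"
    with tempfile.TemporaryDirectory() as d:
        same = os.path.join(d, "w32tm_suspect.exe")
        diff = os.path.join(d, "w32tm_tampered.exe")
        with open(same, "wb") as f:
            f.write(clean)
        with open(diff, "wb") as f:
            f.write(tampered)
        return {
            "unchanged_file_matches": matches_known_good(same, reference_md5),
            "tampered_file_matches": matches_known_good(diff, reference_md5),
            "suspect_ports_clean_box": sorted(suspect_ports_open(SAMPLE_NETSTAT)),
            "suspect_ports_with_backdoor": sorted(suspect_ports_open(SAMPLE_NETSTAT + backdoor_line)),
        }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The hash check only means something when the reference comes from a source you trust (a separately installed machine or the vendor's own package), and a matching hash rules out modification of that one file, not the presence of other dropped components; the port check is likewise only as good as the port list, so an absent listener is supporting evidence, not proof.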
Pilli
January 27th, 2005, 01:52 PM
Hi bcom It is an FP - From an earlier post by Beethoven:
Just got my response from TDS - it's a false alarm and will be removed soon
Thanks everybody for their support and thanks to TDS for getting back so quickly
Pilli
bcom
January 27th, 2005, 03:30 PM
Great!
Sorry I missed the earlier post.
ENT
January 27th, 2005, 06:42 PM
WElllll, now that I've read all of this, I'm relieved I don't have the Trojan, BUT After spending hours and more hours and ruining RegRun so that it won't reinstall AND finally deleting w32tm.exe, uhh,now what? How do I get the file back? POOIE. :-(
snowbound
January 27th, 2005, 07:15 PM
-{ Quote: "AND finally deleting w32tm.exe, uhh,now what? How do I get the file back? POOIE. :-(" }-
Would this be it?
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_times_tools.asp
snowbound
ENT
January 27th, 2005, 08:08 PM
Yes that is it, but I don't think I really need the file as it says it's for XP and 2003 Server, but I am using 2000. Hmmm.. Don't think I am all that upset as I realize things happen and I don't want to sound unappreciative for your help and TDS. I think what I really am going to miss is RegRun. Since I am new to these programs I did a lot of things that I wasn't sure of and now RegRun hangs in the start up process. Live and learn. Thanks again for your help :-)
hardhead
January 28th, 2005, 03:54 AM
Hello ENT,
The file that you are looking for, w32tm.exe, is in a service pack. You will find information on this page here (http://support.microsoft.com/default.aspx?kbid=316430). I found it in a page search in the browser. This is the download here (http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=30e454ca-260c-4ff0-a657-fa36fb379994&displaylang=en).
Hope this helps you out.
I would get more advice before I proceeded.
JW Clements
January 28th, 2005, 07:08 AM
Just for the record, I had PrevX pop up about this too. So TDS3 wasn't the only one reporting it as malware. I disallowed it with PrevX Home, it's not a running process on my W2K system.
Jim
whatsup
January 28th, 2005, 08:31 PM
Thought this might be worth mentioning: in one of my last posts about this I said I did an MD5 check on the w32tm.exe file and the hash number was the same as w32tm.exe from a clean machine. I wish I had thought of this straight away as it shows that the file had not changed; if it had, the hash number would have been different.
Just one to keep in mind for next time.
JW Clements
January 29th, 2005, 09:26 AM
I should have done this before my post above, the PrevX warning was the result of TDS-3 trying to access w32tm.exe, PrevX did not warn about the file itself, sorry.
Jim
Copyright ©2002 - 2012, Wilders Security Forums