Hi all, TDS has found a trace of DDos.RAT.Rbot in my wins.exe file. I have emailed the file to DiamondCS for advice on what to do; however, as they are taking a no doubt well-earned break, I am wondering, whilst I am awaiting their reply, if anyone can tell me if this is a particularly nasty beast or an ordinary nuisance. Thanks in advance.
Hi SailorSam, when rbot traces are found and shown in the lower console window, you should be able to right-click and then delete. HTH, Pilli
Hi Pilli, I originally tried deleting the file through the TDS window. However, it wouldn't delete wins.exe. Checking the size of the file against a clean version, it is one KB larger. I also tried renaming the file to .old and replacing it with the clean one. This also failed to work: the same trace was found by TDS. Should I have made this change in "safe mode"? Thanks for your help,
Yes, doing this would make sense, as the file might be locked by another process, so rescan in safe mode and let us know how you get on. Thanks. Pilli
What operating system are you using? Don't delete the wins file yet. I suspect you might be trying to delete the wrong wins.exe file. Some O/S have a genuine version, and this trojan doesn't usually overwrite it but drops a different one in a different folder. Please do this: go to here and download 'Hijack This!'. Double-click on the file and it will self-extract to C:\program files\hijackthis. Go to that folder, then double-click the Hijackthis.exe. Click the "Scan" button; when the scan is finished the scan button will become "Save Log". Click that and save the log. Go to where you saved the log and click on "Edit > Select All", then click on "Edit > Copy", then paste the log back here in a reply. It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet. Someone here will be happy to help you analyze the results.
Hi Pilli & Derek, here is the HijackThis log.

Logfile of HijackThis v1.98.2
Scan saved at 6:07:25 AM, on 7/01/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\crypserv.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\mgabg.exe
E:\Program Files\Protector Plus\PPAVMon.exe
E:\Program Files\Protector Plus\PPServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
E:\Keyboard\SpeedKey.exe
E:\PROGRA~1\PROTEC~1\PPTbc.EXE
E:\PROGRA~1\PROTEC~1\PPInupdt.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
E:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
E:\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\Protector Plus\POPSCAN.EXE
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINNT\system32\QuickTime\QuickTimeUpdateHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
E:\Hackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hww.melbpc.org.au/motd/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://hww.melbpc.org.au/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pcworld.idg.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://hww.melbpc.org.au/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://hww.melbpc.org.au/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINNT\system32\inetsrv\iisadmin\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://news.google.com.au/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - e:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "e:\Keyboard\SpeedKey.exe"
O4 - HKLM\..\Run: [PP2000 Taskbar Control] E:\PROGRA~1\PROTEC~1\PPTbc.EXE
O4 - HKLM\..\Run: [PP2000 InstaUpdate] E:\PROGRA~1\PROTEC~1\PPInupdt.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [TDS3] E:\Program Files\TDS3\TDS-3.exe
O4 - HKLM\..\Run: [SBAutoUpdate] "E:\Program Files\SpywareBlaster\sbautoupdate.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "E:\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [QuickTime Task] "e:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Download all by Net Transport - E:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - E:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download using LeechGet - file://E:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://E:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://E:\Program Files\LeechGet 2004\\Parser.html
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://e:\AUTOCADLT02\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://e:\AUTOCADLT02\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://e:\AUTOCADLT02\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://e:\AUTOCADLT02\AcPreview.ocx

Thanks for your help, Ian
I can't see any startup for the wins.exe, so it is likely it's the genuine version you have running. I would like to see a HJT log from the latest version 1.99 though, to check, and please send me a copy of the wins.exe so I can check it out for you. Send to submit@thespykiller.co.uk, preferably zipped so the mail servers won't reject it. It is unusual for the wins.exe to be overwritten or infected, but it might have happened; however, because you are having problems deleting it, that suggests it is the genuine Windows version.
That wins appears to be the genuine wins.exe from M$. I can't see any malicious code inside it; no antivirus or antitrojan flags it, and it doesn't look like it's been altered in any way. It is usual to have 2 copies, as you say in the email: C:\winnt\system32 is its normal place, but a backup copy is always kept in C:\winnt\system32\dllcache so that the Windows File Protection system can replace the original copy if it ever detects anything wrong with it. I can only assume that the TDS detection was a false positive. If you have the TDS scan log, please either post it or send me a copy by email and I'll see what I think.
The only thing I find slightly disturbing about it is the file date: its creation and modified dates are 2 December 2004. Did you install W2K on that date? I will have the file examined by Kaspersky and see what they come up with, just in case. Unfortunately I use XP, so I don't have a wins file to compare it to, as XP doesn't use it.
Hi Derek, attached is the log file from TDS3.

08:26:21 [Init] Trojan Defence Suite v3.2.0 - Registered to *****
08:26:21 [Init] Started 07-01-05 08:26:21 AUS Eastern Standard Time (UTC: -10), Internet Time @934.97
08:26:21 [Init] Loading TDS-3 Systems ...
08:26:21 [Init] • Priority : OK.
08:26:21 [Init] Token successfully adjusted.
08:26:21 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
08:26:21 [Init] • Plugins : OK. Loaded 13
08:26:21 [Init] • Exec Protection : OK. Installed
08:26:21 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
08:26:25 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
08:26:25 [Init] • Systems Initialised [44216 references - 20387 primaries/11695 traces/12134 variants/other]
08:26:25 [Init] Radius Systems loaded. <Databases updated 07-01-2005>
08:26:25 [Init] TDS-3 Ready. <Administrator@210.49.113.47, 127.0.0.1 - Australia>
08:26:25 [Tip Of The Day] Shopping for DiamondCS services and software is easy! Simply visit http://www.diamondcs.com.au/shop.php
08:26:25 [TDS] Good morning Administrator.
08:26:28 [Mutex Memory Scan] Started...
08:26:30 [Mutex Memory Scan] Finished (no trojan mutexes found).
08:26:30 [Trace Scan] Started...
08:26:44 [Trace Scan] Finished.
08:26:45 [CRC32] Started - verifying 29 files ...
08:26:45 [CRC32] File doesn't exist: C:\autoexec.bat
08:26:46 [CRC32] Test finished.
08:26:56 [Screen Text] Saved to E:\Program Files\TDS3\scr1.txt

In the alarm window below the main scan control window is:

Scan Control Dumped @ 08:30:28 07-01-05
File Trace: Default trojan filename: DDoS.RAT.rBot
File: C:\WINNT\System32\wins.exe

I am happy to hear that it is probably a false positive. Thanks again. Cheers, Ian
I missed the question on the date of the Windows installation. Windows was installed a few years ago. I first noticed the alarm on or around the 22nd of December. If my memory serves me correctly, Zone Alarm asked for permission for WINS.exe to access the internet (with a particular IP address; I didn't take much notice at the time). I granted permission, and I think that the next scan picked up the trace. These two matters could be unrelated. Cheers, Ian
Ah:

File Trace: Default trojan filename: DDoS.RAT.rBot
File: C:\WINNT\System32\wins.exe

It isn't saying that the file is infected, just that it has the same name as a known trojan that runs from that location in other versions of Windows. I think it's because one version of DDoS.RAT.rBot does use the name wins.exe, and as only Win2000 uses wins.exe legitimately and runs it from the system32 folder, it's a reasonable detection. I hope when Gavin comes back from holidays he will try and alter the detection to exclude Win2000, but how I don't know.
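The thread's practical lesson is that a "File Trace" matches only a filename and location, so the next step is to corroborate it against something stronger: SailorSam compared sizes against a clean copy, and Derek pointed at the backup that Windows File Protection keeps in system32\dllcache. The script below is an added example (not from the thread, TDS or DiamondCS) that does that comparison for any flagged file: it fingerprints the flagged copy and the protected backup by size and SHA-256 and reports whether the name-based trace is corroborated. The directory layout, file contents and the 1024-byte size difference are constructed in a temporary folder so it runs offline; on a real Windows 2000 box you would point it at C:\WINNT\System32\wins.exe and C:\WINNT\System32\dllcache\wins.exe instead.

```python
"""Corroborate a filename-only scanner trace by comparing the flagged file
with the Windows File Protection backup copy (size + SHA-256).
Added example; the sample files are constructed placeholders, not real PE
images, and the folder layout mimics system32 / system32\\dllcache."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Tuple


@dataclass
class Fingerprint:
    path: str
    size: int
    sha256: str


def fingerprint(path: str) -> Fingerprint:
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return Fingerprint(path, size, digest.hexdigest())


def assess_trace(flagged: str, reference: str) -> dict:
    """Compare the flagged file with the known-good reference copy.

    matches_reference=True means the two copies are byte-identical, so a
    name-based trace is not corroborated by the file itself. size_delta is
    how many bytes larger (or smaller) the flagged copy is, the quick check
    SailorSam did by hand."""
    flagged_fp = fingerprint(flagged)
    reference_fp = fingerprint(reference)
    identical = flagged_fp.sha256 == reference_fp.sha256
    return {
        "flagged": flagged_fp,
        "reference": reference_fp,
        "matches_reference": identical,
        "size_delta": flagged_fp.size - reference_fp.size,
        "verdict": ("name-only trace: file matches the WFP backup copy"
                    if identical else
                    "file differs from the WFP backup copy: submit it for analysis"),
    }


def build_samples(root: str) -> Tuple[str, str, str]:
    """Construct sample files (placeholders, not real executables):
    a system32 copy, an identical dllcache backup, and a tampered copy that
    is 1024 bytes larger, like the size difference reported in the thread."""
    dllcache = os.path.join(root, "system32", "dllcache")
    os.makedirs(dllcache, exist_ok=True)
    clean_body = b"MZ placeholder body of a clean wins.exe " * 100
    system32_copy = os.path.join(root, "system32", "wins.exe")
    backup_copy = os.path.join(dllcache, "wins.exe")
    tampered_copy = os.path.join(root, "system32", "wins_tampered.exe")
    for path, body in ((system32_copy, clean_body),
                       (backup_copy, clean_body),
                       (tampered_copy, clean_body + b"X" * 1024)):
        with open(path, "wb") as fh:
            fh.write(body)
    return system32_copy, backup_copy, tampered_copy


def demo() -> Tuple[bool, bool, int]:
    """Run both cases: an untouched copy and a tampered one."""
    with tempfile.TemporaryDirectory() as root:
        clean, backup, tampered = build_samples(root)
        clean_result = assess_trace(clean, backup)
        tampered_result = assess_trace(tampered, backup)
        print(clean_result["verdict"])
        print(tampered_result["verdict"],
              f"(size delta {tampered_result['size_delta']} bytes)")
        return (clean_result["matches_reference"],
                tampered_result["matches_reference"],
                tampered_result["size_delta"])


if __name__ == "__main__":
    demo()
```

A hash match against the dllcache copy only shows that the two local copies agree; if an attacker had replaced both, the check would pass. That is why the thread still sent the file out for a second opinion (the Kaspersky verdict), and why a match is best read as "no local evidence of tampering" rather than proof of a clean file.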
I have just heard back from Kaspersky that the wins.exe is completely clean and IS the standard Windows file and not a trojan one.
Nice to see you back, Gavin. Hopefully refreshed from a nice break and ready for another year of battles against the baddies.
Well, I found out I also got this trojan/worm, and I fixed it by removing the WINS service and rebooting the server, then re-installing the WINS service, and it seems to have fixed this issue. Don't know how it got loaded in the first place. Hope this helps..!