Please help: who is this RAT ?

Discussion in 'Trojan Defence Suite' started by paperinik3, Jan 25, 2005.

Thread Status:
Not open for further replies.
  1. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Well, I nearly dropped there as i had this when I opened TDS :'( :'( Just found this post (had to delay going out as I felt sick :'( )

    Will read again later but now I see about the false positive as it has something to do with w32time.dll (not too sure why time service is running - thought I disabled this but will check)
     
  2. Scotch

    Scotch Guest

    Are you sure it is a false positive? TD3 picked up this file on my system yesterday & I deleted it only to have it return. Ad-Aware was telling me I had 24 running processes and over 2000 process modules. I have been having long delays shutting down and startup has been getting longer. I went into safe-mode and deleted the file. After startup, I now had 22 running processes and 900 odd process modules. Shutdown is now fast & smooth, as is startup.
    I am behind a router with NAT and run Outpost Pro firewall on my Win 2000 system. The log from Outpost is comprehensive and I could find no illicit connections, however I believe that this trojan may have been timed to run in the shutdown phase, after the firewall was turned off. At any rate, I am glad TD3 detected this file for me!
    I checked through all the registry keys that were listed for rat.haxdoor (and every Haxdoor file I could find) under google and none were there. Perhaps there is a dormant bug on your system?

    Regards
    Phil J.
     
  3. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    I have scanned my system completely with the new reference files just now and nothing was found at all this time. I only opened TDS this morning to update it and this was when the alert arrived - I reloaded after the updates ran a full system scan and everything was clear.

    I have not noticed the long delays etc. but now I am not sure what to do as I didn't delete anything - just re-scanned with TDS and everything was normal again o_O o_O Do I need to delete files etc.? I am behind a router and Outpost - my AV is clear and so is Ad-aware and Spybot and now TDS with today's references o_O o_O
     
  4. Scotch

    Scotch Guest

    It is very likely that you have no problem, but it does not hurt to be careful. I have had 2 other trojans (not detected by Adaware or Spybot or Grisoft) detected by TD3 in the last 6 weeks. I believe they got into my system when I foolishly scanned a privately burnt CD for a friend, who is not security conscious.

    Regards
    Phil J.
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Robyn, try a full scan in safe mode, ensure that all of the tests in Scan Control are ticked and that you scan all physical drives. The scan will take some time but it should give you peace of mind if nothing is found.

    To get to Safe mode press F8 several times when rebooting just prior to when windows starts to load.

    HTH Pilli :)
     
  6. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Thanks Pilli, anything for peace of mind - will do this now.
     
  7. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Back again Pilli and nothing nasty reported with the full bells and whistles scan in safe mode :) hope this is the peace of mind I need! It actually served me well as I made use of the time with a good tidy of paper and files :rolleyes:
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    :) Good show
     
  9. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Thanks (relieved now) ;)
     
  10. bcom

    bcom Registered Member

    Joined:
    Jan 27, 2005
    Posts:
    2
    Re: RAT.Haxdoor, W32tm.exe may be false alarm

    TDS detected RAT.Haxdoor, W32tm.exe running on my W2K machine. No other AV, RAT, Spyware, Pest, or Adware detector identified this file as a RAT.

    Here is what I did to find out if this was a false alarm or not:

    Checked all registry entries identified by Symantec as being created or modified by Haxdoor. None of the registry modifications were found.

    Used netstat -a to look for ports opened by Haxdoor, couldn't find any.

    Checked MS KB and found that W32tm.exe is a legitimate program used to synchronize clocks on a network.

    Submitted the file to TDS for analysis. TDS's response was that this was a false alarm.

    I would say that, if TDS identifies this file as a Rat but no other program does, and if you don't find any of the registry changes, chances are this is a false alarm.
     
  11. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi bcom It is an FP - From an earlier post by Beethoven:
    Just got my response from TDS - it's a false alarm and will be removed soon
    Thanks everybody for their support and thanks to TDS for getting back so quickly


    Pilli
     
  12. bcom

    bcom Registered Member

    Joined:
    Jan 27, 2005
    Posts:
    2
    Great!

    Sorry I missed the earlier post.
     
  13. ENT

    ENT Registered Member

    Joined:
    Jan 4, 2005
    Posts:
    67
    Wellllll, now that I've read all of this, I'm relieved I don't have the Trojan, BUT after spending hours and more hours and ruining RegRun so that it won't reinstall AND finally deleting w32tm.exe, uhh, now what? How do I get the file back? POOIE. :-(
     
  14. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
  15. ENT

    ENT Registered Member

    Joined:
    Jan 4, 2005
    Posts:
    67
    Yes that is it, but I don't think I really need the file as it says it's for XP and 2003 Server, but I am using 2000. Hmmm.. Don't think I am all that upset as I realize things happen and I don't want to sound unappreciative for your help and TDS. I think what I really am going to miss is RegRun. Since I am new to these programs I did a lot of things that I wasn't sure of and now RegRun hangs in the start up process. Live and learn. Thanks again for your help :)
     
  16. hardhead

    hardhead Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    293
    Location:
    Blue Ridge, Va
    Hello ENT,

    The file that you are looking for, w32tm.exe, is in a service pack. You will find information on this page here. I found it in a page search in the browser. This is the download here.
    Hope this helps you out.

    I would get more advice before I proceeded.
     
  17. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    772
    Location:
    Toronto
    Just for the record, I had PrevX pop up about this too. So TDS3 wasn't the only one reporting it as malware. I disallowed it with PrevX Home, it's not a running process on my W2K system.
    Jim
     
  18. whatsup

    whatsup Guest

    Thought this might be worth mentioning: in one of my last posts about this I said I did an MD5 check on the w32tm.exe file and the hash was the same as w32tm.exe from a clean machine. I wish I had thought of this straight away as it shows that the file had not changed; if it had, the hash would have been different.
    Just one to keep in mind for next time.
     
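    A worked example of the two checks described in posts 10 and 18 above (bcom's review of `netstat -a` output for unexpected listeners, and whatsup's MD5 comparison of the suspect w32tm.exe against a copy from a clean machine). This is added example code, not code from the thread or from TDS; the byte strings standing in for the binary, the `netstat -a` text and the expected-listener baseline are all constructed for the example. It records SHA-256 beside MD5, since MD5 alone is no longer collision-resistant, and it declares a file "unchanged" only when every algorithm agrees.

```python
"""Triage a suspected false positive on a Windows binary.

Two checks from the thread, made repeatable:
  1. hash the suspect file and compare with digests taken from a clean machine
  2. parse `netstat -a` output and flag listening sockets outside a baseline
"""
import hashlib
from typing import Dict, List, Set, Tuple


def digests(data: bytes) -> Dict[str, str]:
    """MD5 (what the thread used) plus SHA-256 (MD5 alone is not collision-resistant)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def compare_to_reference(suspect: bytes, reference: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm match flags; 'unchanged' is True only if every algorithm matches."""
    actual = digests(suspect)
    result = {alg: actual[alg] == expected for alg, expected in reference.items()}
    result["unchanged"] = all(result.values())
    return result


def listening_ports(netstat_output: str) -> List[Tuple[str, int]]:
    """Parse Windows `netstat -a` text: TCP sockets in LISTENING state plus every UDP socket.

    Lines look like:  TCP    host:135    host:0    LISTENING
                      UDP    host:123    *:*
    Header lines and TCP sockets in other states (ESTABLISHED, TIME_WAIT, ...) are skipped.
    """
    found: List[Tuple[str, int]] = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        try:
            port = int(local.rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        if proto == "TCP" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue
        found.append((proto, port))
    return found


def unexpected_listeners(netstat_output: str,
                         allowed: Set[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Listening sockets not in the baseline; each one needs an explanation."""
    return [sock for sock in listening_ports(netstat_output) if sock not in allowed]


# --- Constructed sample data (not captured from any real machine) -----------------
CLEAN_W32TM = b"MZ constructed stand-in for the bytes of a clean w32tm.exe image"
TAMPERED_W32TM = CLEAN_W32TM + b"\x00constructed appended payload"
REFERENCE = digests(CLEAN_W32TM)   # what you would record on the clean machine

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    ws2k:135               ws2k:0                 LISTENING
  TCP    ws2k:445               ws2k:0                 LISTENING
  TCP    ws2k:12345             ws2k:0                 LISTENING
  TCP    ws2k:1042              203.0.113.5:80         ESTABLISHED
  UDP    ws2k:123               *:*
  UDP    ws2k:137               *:*
"""

# Assumed baseline for this example host: RPC endpoint mapper, SMB,
# NTP (the w32time service itself) and NetBIOS name service.
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 445), ("UDP", 123), ("UDP", 137)}

if __name__ == "__main__":
    print("clean copy vs reference:   ", compare_to_reference(CLEAN_W32TM, REFERENCE))
    print("tampered copy vs reference:", compare_to_reference(TAMPERED_W32TM, REFERENCE))
    print("unexpected listeners:      ", unexpected_listeners(NETSTAT_SAMPLE, EXPECTED_LISTENERS))
```

    Two caveats when using this for real. A matching hash only shows the file equals the reference copy, so the reference must come from a trusted machine running the same OS build and service pack, otherwise a legitimate update will look like tampering. And `netstat` run on the suspect host reports what that host's own networking stack tells it; if you do not trust the host, confirm with a port scan from another machine.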
  19. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    772
    Location:
    Toronto
    I should have done this before my post above, the PrevX warning was the result of TDS-3 trying to access w32tm.exe, PrevX did not warn about the file itself, sorry.
    Jim
     