Sbot.200 Trojan infection?

Discussion in 'malware problems & news' started by Bdiamond, Jul 21, 2003.

Thread Status:
Not open for further replies.
  1. Bdiamond

    Bdiamond Registered Member

    Joined:
    Apr 26, 2002
    Posts:
    74
    Location:
    N Carolina, USA
    I would like some help! My system "crashed" last week for reasons that were not clear. I thought it was somehow related to installing and uninstalling various AV apps in trying to evaluate them. In any case I was unable to get back into Windows and wound up reformatting the HD and doing a clean install.

    That seemed to work pretty well; however, recently the system has been intermittently "freezing", forcing an occasional "hard restart" of the system. The resident TH Guard went off earlier today with a message that the "Trojan Sbot.200 was identified and erased." On a second occasion I received the message "Unable to get a handle to process 3344 (C:\ Windows\system32\dwwint.exe)."

    A deep scan with TH fails to turn up anything. Similar results with TDS-3; however, it is the trial version since I lost the registration info for my registered version and am currently trying to get the appropriate registration information.

    I don't know what to make of all this and would appreciate any advice or help. I can't find much on Sbot.200.

    Thanks

    Bdiamond
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Had you ever reformatted and reinstalled on that system before? I ask because sometimes the media provided to reinstall windows does not always bring you back to the identical state of the original factory install (again assuming that you were previously running on a factory install)...

    All of this leads me to a point regarding whether you have all the right drivers installed following the reinstall. On a fresh install from original media, I don't think any real Trojans are going to turn up. So, I'm wondering what you did following the fresh install. Did you go out to the various vendor sites and get any needed drivers and updates? Did you apply all the MS patches, as well?

    Are you certain about all the software items you've installed since the reformat? Where did you get the kits from? Were some of them possibly copied from the previous system? If you aren't too far into this, you might consider reformatting again, getting just patches and driver updates, then getting new install kits for everything unless you've got original media (from box kits).
     
  3. Bdiamond

    Bdiamond Registered Member

    Joined:
    Apr 26, 2002
    Posts:
    74
    Location:
    N Carolina, USA
    I "reinstalled" WinXP a couple of times about a year ago. This is the first time I have ever reformatted the drive and done a completely clean install, though. Actually, Win installed all the drivers and I didn't explicitly install any drivers and there were no requests for drivers or error statements.

    The point is, most of my apps are downloaded, so the majority of them remain uninstalled because I am still running around trying to get user names, passwords, serial numbers, keys and I don't know what all so I can reinstall them without having to repurchase them.

    If the question of the Trojan were not there I would probably be willing to waste a little more time fiddling with the apps, tuning, etc. before throwing in the towel. However, if the Trojan is likely then I suspect the better part of valour is to do another clean install, even if the thought does bring tears to my eyes lol. I have spent almost two days now trying to locate all the things I need.

    I don't know what to make of the TH resident scanner data given hard scans with TH and TDS-3 were negative.
    I did a Google search and got back only 2 hits on Sbot.200 and it wasn't clear what they were talking about.

    Anyway, as I write this I think your suggestion is probably the best idea. I am just tired now after all this time trying to get everything back.

    Thanks for the suggestion.

    Bdiamond
     
  4. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi BDiamond,

    I couldn't find anything definitive on it either, but the name implies an IRC bot, and since these usually accompany some other malware you should look more closely at the system. I could not find anything on dwwint.exe and given what has happened I would say that is the main bot exe. What I would suggest is:

    1. Search for all bat or cmd files on your system and look for any that reference that file. If you find one then that is probably the install script and may point to other backdoors in place. Also, you need to note the create/modify dates of the file as we can then do a search for any other file on the system created/modified at the same time.

    2. Download a good Port to Application mapper. I strongly recommend DiamondCS's Port Explorer which has a trial version available. You want to pay particular attention to items listed in the Listening tab (especially those in red) as well as any external hosts shown in the Established tab (especially watch for sockets with dest ports 6666-6669).

    3. Download and run DiamondCS's AutoStart Viewer and make sure all three top options in the "Main" menu are selected and then press "Save" and copy/paste the log here.

    Please edit out any personal info of any log output or screenshots you post.

    Thanks,

    Dan
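The first two checks in the list above can be scripted, and doing so makes the timestamp correlation in step 1 reproducible. The following is an added example, not from the thread and not DiamondCS code: it searches batch/cmd file contents for a suspect file name, lists other files created or modified within a few minutes of the referencing script, and pulls out listening sockets and established connections whose destination port is in the 6666-6669 range. The script paths, file times and socket table are constructed sample data; the name `dwwint.exe` is used only because it is the name in the post (later in the thread the dwwin file is identified as Dr Watson), and the five-minute window is an assumption.

```python
"""Triage helpers for the checklist above: added example, not from the thread
and not DiamondCS code. Searches script contents for a file name, correlates
timestamps and picks out the sockets worth a second look. All inputs are
constructed sample data."""
import re
from datetime import datetime, timedelta

IRC_PORTS = range(6666, 6670)   # 6666-6669, the destination ports named in step 2

# Constructed *.bat / *.cmd search results: path -> (modified time, contents).
SAMPLE_SCRIPTS = {
    "C:\\WINDOWS\\system32\\setup.cmd": (
        datetime(2003, 7, 20, 23, 41),
        "@echo off\r\ncopy svc.tmp C:\\WINDOWS\\system32\\dwwint.exe\r\n"
        "C:\\WINDOWS\\system32\\dwwint.exe /install\r\n",
    ),
    "C:\\WINDOWS\\system32\\autoexec.nt": (
        datetime(2001, 8, 18, 8, 0),
        "lh %SystemRoot%\\system32\\mscdexnt.exe\r\n",
    ),
}
# Constructed file listing: path -> create/modify time.
SAMPLE_FILES = {
    "C:\\WINDOWS\\system32\\dwwint.exe":   datetime(2003, 7, 20, 23, 41),
    "C:\\WINDOWS\\system32\\svc.tmp":      datetime(2003, 7, 20, 23, 39),
    "C:\\WINDOWS\\system32\\setup.cmd":    datetime(2003, 7, 20, 23, 41),
    "C:\\WINDOWS\\system32\\mscdexnt.exe": datetime(2001, 8, 18, 8, 0),
}
# Constructed socket table, as a port-to-application mapper would list it.
SAMPLE_SOCKETS = [
    {"proc": "svchost.exe",  "state": "LISTENING",   "lport": 135,  "rhost": "",             "rport": 0},
    {"proc": "dwwint.exe",   "state": "LISTENING",   "lport": 1025, "rhost": "",             "rport": 0},
    {"proc": "dwwint.exe",   "state": "ESTABLISHED", "lport": 1087, "rhost": "192.0.2.10",   "rport": 6667},
    {"proc": "iexplore.exe", "state": "ESTABLISHED", "lport": 1091, "rhost": "198.51.100.5", "rport": 80},
]


def find_script_references(scripts, target_name):
    """Step 1: scripts whose contents mention the suspect file name (case-insensitive)."""
    pattern = re.compile(re.escape(target_name), re.IGNORECASE)
    return sorted(path for path, (_, body) in scripts.items() if pattern.search(body))


def files_modified_near(files, when, window=timedelta(minutes=5)):
    """Step 1, second half: files created/modified within `window` of a reference time."""
    return sorted(path for path, mtime in files.items() if abs(mtime - when) <= window)


def suspicious_sockets(sockets):
    """Step 2: every listening socket, plus established connections whose
    destination port falls in the IRC range."""
    listening = [s for s in sockets if s["state"] == "LISTENING"]
    irc = [s for s in sockets if s["state"] == "ESTABLISHED" and s["rport"] in IRC_PORTS]
    return {"listening": listening, "irc_established": irc}


def triage(target_name, scripts=SAMPLE_SCRIPTS, files=SAMPLE_FILES, sockets=SAMPLE_SOCKETS):
    """Run the checklist for one suspect file name and return the findings as a dict."""
    referencing = find_script_references(scripts, target_name)
    related = set()
    for script in referencing:
        script_mtime = scripts[script][0]
        related.update(p for p in files_modified_near(files, script_mtime) if p != script)
    findings = suspicious_sockets(sockets)
    # Processes that own a flagged socket are the first place to look.
    on_wire = sorted({s["proc"] for s in findings["listening"] + findings["irc_established"]})
    return {"scripts": referencing, "related_files": sorted(related),
            "processes_on_wire": on_wire, **findings}


if __name__ == "__main__":
    result = triage("dwwint.exe")
    for key in ("scripts", "related_files", "processes_on_wire"):
        print(f"{key}: {result[key]}")
    for sock in result["irc_established"]:
        print(f"IRC-range connection: {sock['proc']} -> {sock['rhost']}:{sock['rport']}")
```

Treat the output as a worklist rather than a verdict: a listening socket owned by a known service is expected, and the timestamp correlation only narrows down which files deserve a closer look next.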
     
  5. Bdiamond

    Bdiamond Registered Member

    Joined:
    Apr 26, 2002
    Posts:
    74
    Location:
    N Carolina, USA
    I am working on these things. I have registered versions of both TDS-3 and PE; I lost the key files and keywords during the crash and have just received them tonight, so I am getting them functional again.

    dwwin.exe 162,128 8/18/2001 8:00 AM C\WINDOWS\$NtServicePackUninstall$

    dwwin.exe 180,224 8/29/2002 6:41 AM C\WINDOWS\$NtUninstallKB821253$\

    dwwin.exe 180,224 8/29/2002 6:41 AM C\WINDOWS\ServicePackFiles\i386\

    dwwin.exe 180,224 6/9/2003 2:06 PM C\WINDOWS\system32\

    The four listings above are all the "hits" for *.cmd.

    Bdiamond
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
  7. Bdiamond

    Bdiamond Registered Member

    Joined:
    Apr 26, 2002
    Posts:
    74
    Location:
    N Carolina, USA
    Jooskie! How are you? I have missed you in all my recent "adventures".

    I really appreciate the references and will be looking them up. It's getting late here, but I hope I see you again tomorrow.

    Thanks again for the help.

    Oh, by the way, Netsec sent me a copy of their letter back to MS. They advised them to answer the questions I was asking. That was 3 or 4 days ago, so I am just waiting to hear from MS now.

    Bdiamond
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Copernicus gave me the search results for Sbot.200 only as additions to the TH definitions update at the GAV forum and ComputerCops. So it might exist under other names elsewhere, or code looking like other code (not to name false positive) eventually... but it can have been real too; hard to say without a sample.
    So if the thing is there, anywhere in your software, a next scan would be able to find it.
    Sorry you reformatted and all the extra work, as it might have been solvable in a much easier and less time-consuming way...

    I gave you the cached version for MS as it is a lot of text, and so the keyword shows up colored to ease reading.

    I was here and reading all that's been happening.


    Edit:
    just found more on this dwwin thing:
    http://www.annoyances.org/exec/forum/winxp/t1034136809
     
  9. Bdiamond

    Bdiamond Registered Member

    Joined:
    Apr 26, 2002
    Posts:
    74
    Location:
    N Carolina, USA
    Well, I appreciate very much the references. Oh, about the reformat: I didn't have much choice because I was not able to access Windows after rebooting, I mean by any of the things I knew to do. So I just decided to "start fresh". I have no idea if that was related to Sbot.200 or not.

    In your last note you mentioned a scan might find it. Do you mean like with a deep scan using TDS-3? I will give that a try first thing in the morning.

    Hope I will see you again tomorrow. It's almost 4 am here, so I am going to stop for now.

    Nice to see you again

    Bye.
    Bdiamond
     
  10. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    If you have any of the thousands of SDBot variants, TDS should detect them :) Run a Process Memory Scan and you will detect DDoS.RAT.SDBot.

    Yes, this is an open source IRC bot; some variants have lots of extra capabilities. This is a very popular bot that has had lots of addons made for it.
     
  11. Bdiamond

    Bdiamond Registered Member

    Joined:
    Apr 26, 2002
    Posts:
    74
    Location:
    N Carolina, USA
    Thanks Gavin. I ran the "deepest" scan I know how and it was "negative". I feel a little better.

    Also, I downloaded the Autostart explorer and activated it with the first three categories checked. I then copied the results to Notepad and saved it as a .txt file. It's pretty long. Will it be ok to just paste the entire thing into the window on the "post reply" module for the forum?

    Thanks everyone.

    Bdiamond
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Of course! Post ahead!
     
  13. Bdiamond

    Bdiamond Registered Member

    Joined:
    Apr 26, 2002
    Posts:
    74
    Location:
    N Carolina, USA
    Good morning and thanks (as always) Jooske! I just copied the entire thing. I hope I did everything correctly. Anyway, here it is:

    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Bdiamond, 07-22-2003
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\wininit.ini [rename]
    NUL=C:\WINDOWS\TBCDATA\vtbspudc.dll
    NUL=C:\WINDOWS\TBCDATA\vtbspudc.dll
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    c:\windows\system.ini [boot]\scrnsave.exe
    C:\WINDOWS\System32\logon.scr
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCU\Control Panel\Desktop\scrnsave.exe
    C:\WINDOWS\System32\logon.scr
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SmcService
    C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
    RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\THGuard
    C:\Program Files\TrojanHunter 3.5\THGuard.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TraySantaCruz
    C:\WINDOWS\System32\tbctray.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Kaspersky Anti-Virus Lite
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Lite\AvpM.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mmtask
    c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MMTray
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS
    C:\Program Files\Messenger\msmsgs.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SurfinGuard Pro.lnk
    C:\Program Files\Finjan\SurfinGuard Pro\bin\winsfcm.exe
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\System32\dcsws2.dll
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    C:\WINDOWS\INF\unregmp2.exe /ShowWMP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
    RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
    HKLM\Software\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
    C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{306D6C21-C1B6-4629-986C-E59E1875B8AF}\
    C:\WINDOWS\System32\rundll32.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
    regsvr32.exe /s /n /i:U shell32.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    C:\WINDOWS\system32\ie4uinit.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\
    C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINDOWS\system32\JAVASUP.VXD
    HKLM\System\CurrentControlSet\Services\AFD\
    C:\WINDOWS\System32\drivers\afd.sys
    HKLM\System\CurrentControlSet\Services\AudioSrv\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Browser\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\CryptSvc\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    HKLM\System\CurrentControlSet\Services\ERSvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\Fallback\
    C:\WINDOWS\System32\DRIVERS\fallback.sys
    HKLM\System\CurrentControlSet\Services\Fsks\
    C:\WINDOWS\System32\DRIVERS\fsksnt.sys
    HKLM\System\CurrentControlSet\Services\helpsvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\K56\
    C:\WINDOWS\System32\DRIVERS\k56nt.sys
    HKLM\System\CurrentControlSet\Services\KAVMonitorService\
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Lite\AvpM.exe /service
    HKLM\System\CurrentControlSet\Services\KDATA\
    \??\C:\WINDOWS\System32\drivers\KDATA.SYS
    HKLM\System\CurrentControlSet\Services\lanmanserver\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanworkstation\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\NsEngine\
    C:\Program Files\NovaStor\NovaBackup\7\NSENGINE.exe
    HKLM\System\CurrentControlSet\Services\NVSvc\
    C:\WINDOWS\System32\nvsvc32.exe
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINDOWS\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINDOWS\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\seclogon\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ShellHWDetection\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SmcService\
    C:\Program Files\Sygate\SPF\Smc.exe
    HKLM\System\CurrentControlSet\Services\SoftFax\
    C:\WINDOWS\System32\DRIVERS\faxnt.sys
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINDOWS\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\srservice\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Themes\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Tones\
    C:\WINDOWS\System32\DRIVERS\tonesnt.sys
    HKLM\System\CurrentControlSet\Services\TrkWks\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\uploadmgr\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\UPS\
    C:\WINDOWS\System32\ups.exe
    HKLM\System\CurrentControlSet\Services\V124\
    C:\WINDOWS\System32\DRIVERS\v124nt.sys
    HKLM\System\CurrentControlSet\Services\W32Time\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WebClient\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\wg3n\
    C:\WINDOWS\SYSTEM32\Drivers\wg3n.sys
    HKLM\System\CurrentControlSet\Services\winmgmt\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WmdmPmSp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\wuauserv\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WZCSVC\
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Let me know if you need anything to make it more "readable". I hope, at least, I did everything needed.

    Bdiamond.

    Edited out personal info
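The report above has a simple layout: a launch-point line (registry key, ini section, or startup shortcut) followed by one or more command lines. As an added example, not DiamondCS code and not from the thread, here is a Python parser for that layout that extracts the program path from each command and flags entries whose program lives outside the Windows or Program Files directories, or is given as a bare name that the search path resolves at run time. The sample excerpt is constructed: it copies a handful of entries from the report and adds one invented Run entry pointing into a temp directory so the check has something to flag. The trusted-directory list and the environment variable values are assumptions for a default XP install.

```python
"""Parser and sanity check for the AutoStart Viewer report layout shown above.
Added example, not DiamondCS code; the sample excerpt is constructed."""
import re

# Constructed excerpt in the same layout: a location line followed by one or more
# command lines. All entries but the last Run key mirror lines from the report;
# the last one is invented so the check has something to flag.
SAMPLE_REPORT = r"""c:\windows\wininit.ini [rename]
NUL=C:\WINDOWS\TBCDATA\vtbspudc.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SmcService
C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\THGuard
C:\Program Files\TrojanHunter 3.5\THGuard.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\System32\webcheck.dll
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\System\CurrentControlSet\Services\KDATA\
\??\C:\WINDOWS\System32\drivers\KDATA.SYS
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
%ProgramFiles%\Outlook Express\setup50.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svcupdate
C:\DOCUME~1\USER\LOCALS~1\Temp\svcupd.exe -s
"""

# A launch-point line: registry hive, a path ending in a backslash, a .lnk,
# an .ini section, or one of the *.nt config files.
LOCATION_RE = re.compile(r"^(HK(LM|CU|CR|U)\\|.*\\$|.*\.lnk$|.*\.ini \[|.*\.nt$)", re.I)
EXT_RE = re.compile(r"\.(exe|dll|sys|vxd|scr|com)$", re.I)
# Directories a default XP install launches programs from (assumption of this check).
TRUSTED_PREFIXES = ("C:\\WINDOWS\\", "C:\\PROGRAM FILES\\", "C:\\PROGRA~1\\")
ENV = {"%SYSTEMROOT%": "C:\\WINDOWS", "%PROGRAMFILES%": "C:\\Program Files"}


def parse_report(text):
    """Return (location, command) pairs; a location with several commands
    (ShellServiceObjectDelayLoad, Winsock catalog) yields one pair per command."""
    pairs, location = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("DiamondCS Autostart Viewer"):
            continue                      # blank line or the report header
        if LOCATION_RE.match(line):
            location = line
        elif location is not None:
            pairs.append((location, line))
    return pairs


def executable_of(command):
    """Pull the program path out of a command line. Unquoted paths with spaces
    are handled by extending the path until an executable extension appears."""
    cmd = command.strip()
    if cmd.upper().startswith("NUL="):    # wininit.ini [rename]: file scheduled for deletion
        cmd = cmd[4:]
    if cmd.startswith("\\??\\"):          # NT object-manager prefix on driver paths
        cmd = cmd[4:]
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    tokens = cmd.split(" ")
    exe = tokens[0]
    for tok in tokens[1:]:
        if EXT_RE.search(exe):
            break
        exe += " " + tok
    if not EXT_RE.search(exe):            # no extension anywhere: keep the first token
        exe = tokens[0]
    for var, value in ENV.items():
        if exe.upper().startswith(var):
            exe = value + exe[len(var):]
    return exe


def classify(exe):
    """'trusted' under a trusted directory, 'bare' when no directory was given
    (resolved through the search path at run time), otherwise 'untrusted'."""
    if "\\" not in exe:
        return "bare"
    return "trusted" if exe.upper().startswith(TRUSTED_PREFIXES) else "untrusted"


def review_report(text):
    """Launch points worth a closer look: programs outside the trusted
    directories, and bare program names."""
    findings = {"untrusted": [], "bare": []}
    for location, command in parse_report(text):
        exe = executable_of(command)
        kind = classify(exe)
        if kind != "trusted":
            findings[kind].append((location, exe))
    return findings


if __name__ == "__main__":
    for kind, items in review_report(SAMPLE_REPORT).items():
        print(kind)
        for location, exe in items:
            print("   ", location, "->", exe)
```

Two caveats a reviewer keeps in mind when reading the output: a bare `RUNDLL32.EXE` is normal for the nVidia entry but worth confirming on an unfamiliar machine, and a program under a trusted directory is not proof that it belongs there, which is why the report is best read next to a port-to-application view as suggested earlier in the thread.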
     
  14. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    ROFL, well one "mystery" is solved; I couldn't figure out a legitimate use for dwwin but I just realized it is Dr Watson for Windows :rolleyes: I never cared much for it, but I shouldn't go so far as to call it malware ;)

    Regarding the asviewer output...

    Hmmm,

    Of the ones that I could not recognize I found that

    is due to a dbProbe Product Install

    is a SurfinGuard component

    is a modem driver

    is an nVidia video card component

    but I could not identify the following

    Do you recognize what this may belong to?
     
  15. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Perhaps WormGuard 3 from DCS? I'm not at home so I can't check for that file on my system. (Don't have WG here.)
     
  16. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hey! ;)

    but I have WG on my system and do not have that device here. It probably is innocuous though, I just can't identify it :(

    Thanks!

    Dan
     
  17. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    It looks like Sygate Personal Firewall has a "wg3n.vxd" component on win9x systems so this is likely the counterpart for NT/2k/XP systems?
     
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    From my system:

    HKLM\System\CurrentControlSet\Services\Wg1n\
    H:\WINDOWS\SYSTEM32\Drivers\Wg1n.sys
    HKLM\System\CurrentControlSet\Services\Wg2n\
    H:\WINDOWS\SYSTEM32\Drivers\Wg2n.sys
    HKLM\System\CurrentControlSet\Services\wg3n\
    H:\WINDOWS\SYSTEM32\Drivers\wg3n.sys
    HKLM\System\CurrentControlSet\Services\wg4n\
    H:\WINDOWS\SYSTEM32\Drivers\wg4n.sys
    HKLM\System\CurrentControlSet\Services\wg5n\
    H:\WINDOWS\SYSTEM32\Drivers\wg5n.sys
    HKLM\System\CurrentControlSet\Services\wg6n\
    H:\WINDOWS\SYSTEM32\Drivers\wg6n.sys
    HKLM\System\CurrentControlSet\Services\wg8n\
    H:\WINDOWS\SYSTEM32\Drivers\wg8n.sys
    HKLM\System\CurrentControlSet\Services\wg9n\
    H:\WINDOWS\SYSTEM32\Drivers\wg9n.sys

    Sygate PF on Windows XP

    Regards,

    Pieter
     
  19. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Ah, great, thanks Pieter!

    Well, BDiamond, I think then that, unless someone sees something in the asviewer output that I don't, and assuming that the Port Explorer output shows nothing, we can somewhat safely say that you dodged the bullet this time :D
     
  20. Bdiamond

    Bdiamond Registered Member

    Joined:
    Apr 26, 2002
    Posts:
    74
    Location:
    N Carolina, USA
    Dan, I am really grateful for the time and effort you have spent to help me with this. It's really an education for me.

    I ran PE all day and never saw any "established" connections or any connections that were red for more than a few seconds. In addition, none of the remote connections involved port numbers greater than 2000.

    Here is a copy of the "search" results for the file on my system:
    C:\Program Files\Sygate\SPF\Netport\
    C:\Windows\system32\drivers\
    wg3n.sys 8023 System file 1/7/2002

    In addition, when I looked at the file properties, each file was definitely a Sygate file.

    What do you make of the fact that the TH resident scanner picked this up and identified it as the Sbot.200 Trojan and associated it with the wnnt.exe file? It's the only time in almost 2 years that the TH Guard scanner has ever been activated. That's what really bothered me, because it certainly isn't something TH does with any frequency at all.

    Again, thank you very much for your courtesy and time.

    Regards,
    Bdiamond

    Bdiamond
     
  21. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi,

    We're always glad to help, but I'm a bit confused by your question:

    You had an initial positive indication by TH of the bot with the statement that it was deleted (is that the wnnt.exe file or is the latter a typo?), then you had a (non-TH?) message indicating a problem with the Dr Watson process. If these two errors were in close proximity, then the second was probably due to TH's yanking the bot exe and Dr Watson being at a loss on how to deal with it :D Please let me know if I misunderstood the sequence of events here.

    Regarding PE, you might also double-check any and all listening sockets. Judging from the asviewer entries I don't think there is a problem, but PE gives a very good independent appraisal of the possibility of backdoors such as a renamed netcat process, etc. Gavin knows far more than I on the possible auxiliary apps of these bots, so he can offer more definitive input on this.

    Thanks,

    Dan
     
  22. Bdiamond

    Bdiamond Registered Member

    Joined:
    Apr 26, 2002
    Posts:
    74
    Location:
    N Carolina, USA
    I doubt this is relevant at all, but it may be why I was having trouble with things "hanging" on my machine. I discovered completely by accident while checking into things this morning that the e-mail scanning component of NOD32 v2 was still "present" and active this morning even though I had "quit" NOD. I mean I had completely shut it down but did not remove it through an "uninstaller".

    When I was looking at my mail this morning I was absolutely astonished to see at the bottom of the page the line saying it had been examined etc. by NOD32 and found to be virus free. There was no evidence NOD was running at all and I didn't recognize anything suggesting it was in the Task Manager process list. In any case, the "hanging" of applications did stop entirely when I ran the uninstaller to finally stop the thing.

    In any case, it's the only abnormality I can definitely establish to be present while all these other things were happening. Whether it had anything to do with TH, etc. I don't know. It clearly was causing interference with other programs though.

    Bdiamond
     
  23. OvEr

    OvEr Guest

    wg3n.sys is a part of Sygate Personal Firewall.
     