Sbot.200 Trojan infection?

I would like some help! My system "crashed" last week for reasons that were not clear. I thought it was somehow related to installing and uninstalling various AV apps in trying to evaluate them. In any case I was unable to get back into Windows and wound up reformatting the HD and doing a clean install.

That seemed to work pretty well; however, recently, the system has been intermittently "freezing" forcing an occasional "hard restart" of the system, The resident TH Guard went off earlier today with a message that the "Trojan Sbot.200 was identified and erased." On a second occasion I received the message"Unable to get a handle to process 3344 (C:\ Windows\system32\dwwint.exe).

A deep scan with TH fails to turn up anything. Similar results with TDS-3; however it is the trial version since I lost the registration info for my registered version and am currently trying to get theappropriate registration information.

I dont know what to make of all this and would appreciate any advice or help. I can't find much on Sbot.200

Thanks

Bdiamond

 

I "reinstalled" WinXP a couple of times about a year ago. This is the first time I have ever reformatted the drive and done a completely clean install, though. Actually, Win installed all the drivers and I didn't explicitly install any drivers and there were no requests for drivers or error statements.

The point is, most of my apps are downloaded so the majority of them remain unistalled because I am still running around trying to get user names, passwords, serial numbers, Keys and I dont know what all so I can reinstall them without having to repurchase them.

If the question of the Trojan were not there I would probably be willing to waste a little more time fiddling with the apps , tuning, etc before throwing in the towel. However, it the Trojan is likely then I suspect the better part of valour is to do another clean install-even if the thought does bring tears to my eyes lol. I have spent almost two days now trying to locate all the things I need.

I dont know what to make of the TH resident scanner data given hard scans with TH and YDS-3 were negative.
I did a Google search and got back only 2 hits on Sbot.200 and it wasnt clear what they were talking about.

Anyway, as I write this I think your suggestion is probably the best idea. I am just tired now after all this time trying to get everything back .

Thanks for the suggestion.

Bdiamond

 

Hi BDiamond,

I couldn't find anything definitive on it either but the name implies an IRC bot and since these usually accompany some other malware you should look more closely at the system. I could not find anything on dwwint.exe and given what has happened I would say that is the main bot exe. What I would suggest is

1. Search for all bat or cmd files on your system and look for any that reference that file. If you find one then that is probably the install script and may point to other backdoors in place. Also, you need to note the create/modify dates of the file as we can then do a search for any other file on the system created/modified at the same time.

2. Download a good Port to Application mapper. I strongly recommend Diamondcs's Port Explorer which has a trial version available. You want to pay particular attention to items listed in the Listening tab (especially those in red) as well as any external hosts shown in the Established tab (especially watch for sockets with dest ports 6666-6669)

3. Download and run Diamondcs's AutoStart Viewer and make sure all three top options in the "Main" menu are selected and then press "Save" and copy/paste the log here

Please edit out any personal info of any log output or screenshots you post.

Thanks,

Dan

 

I am working on these things. I have registered versions of both TDS-3 and PE, I lost the key files and keywords during the crash and have just received them tonight so I am getting them functional again.

dwwin.exe 162,128 8/18/2001 8:00 AM C\WINDOWS\$NtServicePackUninstall$

dwwin.exe 180,224 8/29/2002 6:41 AM C\WINDOWS\$NtUninstallKB821253$\

dwwin.exe 180,224 8/29/2002 6:41 AM C\WINDOWS\ServicePackFiles\i386\

dwwin.exe 180,224 6/9/2003 2:06 PM
C\WINDOWS\system32\

The four listings above are all the "hits" for *.cmd.

Bdiamond

 

Googled on that last filename: is part of the windows error reporting.
http://www.annoyances.org/exec/forum/winxp/t1029715523
http://www.google.nl/search?q=cache:AvYxIMLHTWIJ:www.microsoft.com/resources/satech/cer/GettingStartedMNU.asp+%22dwwin+exe%22&hl=nl&ie=UTF-8
http://www.google.nl/search?sourceid=navclient&hl=nl&q=%22dwwin+exe%22

 

Jooskie! How are you? I have missed you in all my recent "adventures".

I really appreciate the references and will be looking them up. Its getting late here, but hope I see you again tomorrow .

Thanks again for the help.

Oh by the way-Netsec sen me a copy of their letter back to MS. They advised them to answer the questions I was asking. That was 3 or 4 days ago-so I am just waiting to hear from MS now.

Bdiamond

 

Copernicus gave me the search results for Sbot.200 only as additions to the TH definitions update at the GAV forum and ComputerCops. So it might excist under other names elsewhere or code looking like other code (not to name false positive) eventually..... but it can have been real too, hard to say without a sample.
So if the thing is there, anywhere in your software, a next scan would be able to find it.
Sorry you reformatted and all the extra work, as it might have been solvable in much easier and less time consuming way..............

I gave you for MS the cached version as it is lot of text and so the keyword shows up colored to ease reading.

I was here and reading all that's been happening.


Edit:
just found more on this dwwin thing:
http://www.annoyances.org/exec/forum/winxp/t1034136809

 

Well I appreciate very much the references. Oh about the reformat-I didnt have much choice because I was not able to access Windows after rebooting. I mean by any of the things I knew to do. So I just decided to "start fresh". I have no idea if that was related to Sbot,200 or not.

In you last note you mentioned a scan might find it. Do you mean like with a deep scan using TDS-3? I will give that a try first thing in the morning.

Hope I will see you again tomorrow> Its almost 4 am here so I am going to stop for now,

Nice to see you again

Bye.
Bdiamond

 

Hi,

If you have any of thousands of SDBot variants, TDS should detect them Run a Process Memory Scan, you will detect DDoS.RAT.SDBot

Yes this is an open source IRC bot, some variants have lots of extra capabilities - this is a very popular bot that has had lots of addons made for it.

 

Thanks Gavin. I ran the "deepest" scan i know how and it was "negative". I feel a little better.

Also I downloaded the Autostart explorer and activated it with the first three categories checked. I then copied the results to note pad and saved it as a .txt file. Its pretty long. Will it be ok to just paste the entire thing into the window on the "post reply" module for the forum?

Thanks everyone.

Bdiamond

 

Of course! Post ahead!

 

Good Morning and Thanks (as always) Jooske! I just copied the entir thing-I hope I did everything correctly. Anyway - here it is:

DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Bdiamond, 07-22-2003
c:\windows\system32\autoexec.nt
C:\WINDOWS\system32\mscdexnt.exe
C:\WINDOWS\system32\redir.exe
C:\WINDOWS\system32\dosx.exe
c:\windows\system32\config.nt
C:\WINDOWS\system32\himem.sys
c:\windows\wininit.ini [rename]
NUL=C:\WINDOWS\TBCDATA\vtbspudc.dll
NUL=C:\WINDOWS\TBCDATA\vtbspudc.dll
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
c:\windows\system.ini [boot]\scrnsave.exe
C:\WINDOWS\System32\logon.scr
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKCU\Control Panel\Desktop\scrnsave.exe
C:\WINDOWS\System32\logon.scr
HKCR\vbsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SmcService
C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\THGuard
C:\Program Files\TrojanHunter 3.5\THGuard.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TraySantaCruz
C:\WINDOWS\System32\tbctray.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Kaspersky Anti-Virus Lite
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Lite\AvpM.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mmtask
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MMTray
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS
C:\Program Files\Messenger\msmsgs.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\System32\webcheck.dll
C:\WINDOWS\System32\stobject.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SurfinGuard Pro.lnk
C:\Program Files\Finjan\SurfinGuard Pro\bin\winsfcm.exe
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\System32\dcsws2.dll
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rsvpsp.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
C:\WINDOWS\INF\unregmp2.exe /ShowWMP
HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
HKLM\Software\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT
HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\{306D6C21-C1B6-4629-986C-E59E1875B8AF}\
C:\WINDOWS\System32\rundll32.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
%ProgramFiles%\Outlook Express\setup50.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser
HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
%ProgramFiles%\Outlook Express\setup50.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
regsvr32.exe /s /n /i:U shell32.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
C:\WINDOWS\system32\ie4uinit.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\
C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install
HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
C:\WINDOWS\system32\JAVASUP.VXD
HKLM\System\CurrentControlSet\Services\AFD\
C:\WINDOWS\System32\drivers\afd.sys
HKLM\System\CurrentControlSet\Services\AudioSrv\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Browser\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\CryptSvc\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Dhcp\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Dnscache\
C:\WINDOWS\System32\svchost.exe -k NetworkService
HKLM\System\CurrentControlSet\Services\ERSvc\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Eventlog\
C:\WINDOWS\system32\services.exe
HKLM\System\CurrentControlSet\Services\Fallback\
C:\WINDOWS\System32\DRIVERS\fallback.sys
HKLM\System\CurrentControlSet\Services\Fsks\
C:\WINDOWS\System32\DRIVERS\fsksnt.sys
HKLM\System\CurrentControlSet\Services\helpsvc\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\K56\
C:\WINDOWS\System32\DRIVERS\k56nt.sys
HKLM\System\CurrentControlSet\Services\KAVMonitorService\
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Lite\AvpM.exe /service
HKLM\System\CurrentControlSet\Services\KDATA\
\??\C:\WINDOWS\System32\drivers\KDATA.SYS
HKLM\System\CurrentControlSet\Services\lanmanserver\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\lanmanworkstation\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\LmHosts\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\NsEngine\
C:\Program Files\NovaStor\NovaBackup\7\NSENGINE.exe
HKLM\System\CurrentControlSet\Services\NVSvc\
C:\WINDOWS\System32\nvsvc32.exe
HKLM\System\CurrentControlSet\Services\PlugPlay\
C:\WINDOWS\system32\services.exe
HKLM\System\CurrentControlSet\Services\PolicyAgent\
C:\WINDOWS\System32\lsass.exe
HKLM\System\CurrentControlSet\Services\ProtectedStorage\
C:\WINDOWS\system32\lsass.exe
HKLM\System\CurrentControlSet\Services\RpcSs\
C:\WINDOWS\system32\svchost -k rpcss
HKLM\System\CurrentControlSet\Services\SamSs\
C:\WINDOWS\system32\lsass.exe
HKLM\System\CurrentControlSet\Services\Schedule\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\seclogon\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\SENS\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\ShellHWDetection\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\SmcService\
C:\Program Files\Sygate\SPF\Smc.exe
HKLM\System\CurrentControlSet\Services\SoftFax\
C:\WINDOWS\System32\DRIVERS\faxnt.sys
HKLM\System\CurrentControlSet\Services\Spooler\
C:\WINDOWS\system32\spoolsv.exe
HKLM\System\CurrentControlSet\Services\srservice\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Themes\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Tones\
C:\WINDOWS\System32\DRIVERS\tonesnt.sys
HKLM\System\CurrentControlSet\Services\TrkWks\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\uploadmgr\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\UPS\
C:\WINDOWS\System32\ups.exe
HKLM\System\CurrentControlSet\Services\V124\
C:\WINDOWS\System32\DRIVERS\v124nt.sys
HKLM\System\CurrentControlSet\Services\W32Time\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\WebClient\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\wg3n\
C:\WINDOWS\SYSTEM32\Drivers\wg3n.sys
HKLM\System\CurrentControlSet\Services\winmgmt\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\WmdmPmSp\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\wuauserv\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\WZCSVC\
C:\WINDOWS\System32\svchost.exe -k netsvcs

Let me know if you need anything to make it more "readable". I hope, at least, I did everything needed.

Bdiamond.

Edited out personal info

 

ROFL, well one "mystery" is solved; I couldn't figure out a legitimate use for dwwin but I just realized it is Dr Watson for Windows I never cared much for it but I should'nt go so far as to call it malware

Regarding the asviewer output...

Hmmm,

Of the ones that I could not recognize I found that

is due to a dbProbe Product Install

is a SurfunGuard component

is a modem driver

is an nVidia video card component

but I could not identify the following

Do you recognize what this may belong to?

 

perhaps wormguard 3 from DCS? i'm not at home so I can't check for that file on my system. (don't have WG here)

 

Hey!

but I have WG on my system and do not have that device here. It probably is innocuous though, I just can't identify it

Thanks!

Dan

 

It looks like Sygate Personal Firewall has a "wg3n.vxd" component on win9x systems so this is likely the counterpart for NT/2k/XP systems?

 

From my system:

HKLM\System\CurrentControlSet\Services\Wg1n\
H:\WINDOWS\SYSTEM32\Drivers\Wg1n.sys
HKLM\System\CurrentControlSet\Services\Wg2n\
H:\WINDOWS\SYSTEM32\Drivers\Wg2n.sys
HKLM\System\CurrentControlSet\Services\wg3n\
H:\WINDOWS\SYSTEM32\Drivers\wg3n.sys
HKLM\System\CurrentControlSet\Services\wg4n\
H:\WINDOWS\SYSTEM32\Drivers\wg4n.sys
HKLM\System\CurrentControlSet\Services\wg5n\
H:\WINDOWS\SYSTEM32\Drivers\wg5n.sys
HKLM\System\CurrentControlSet\Services\wg6n\
H:\WINDOWS\SYSTEM32\Drivers\wg6n.sys
HKLM\System\CurrentControlSet\Services\wg8n\
H:\WINDOWS\SYSTEM32\Drivers\wg8n.sys
HKLM\System\CurrentControlSet\Services\wg9n\
H:\WINDOWS\SYSTEM32\Drivers\wg9n.sys

Sygate PF on Windows XP

Regards,

Pieter

 

Ah, great, thanks Pieter!

Well, BDiamond, I think then that, unless someone sees something in the asviewer output that I don't and assuming that the PortExplorer output shows nothing we can somewhat safely say that you dodged the bullet this time

 

Dan, I am really grateful for the time and effort you have spent to help me with this. Its really an education for me.

I ran the PE all day and never any "edtablished" connections or any connections that were red for more than a few seconds. In addition, none of the remote connections involved Port Numbers greater than 2000.

Here is a copy of the "search" results for the file on my system:
C:\Program Files\Sygate\SPF\Netport\
C:\Windows\system32\drivers\
wg3n.sys 8023 System file 1/7/2002

In addition, when I looked at the file properties-Each file was definitely a Sygate file.

What do you make of the fact that the TH resident scanner picked this up and identified it as the Sbot.200 Trojan and associated it with the wnnt.exe file? Its the only time in almost 2 years that the TH Guard scanner has ever been activated. Thats what really bothered me because it certainly isnt something TH does with any frequency at all.

Again, thank you avery much for your courtesy and time.

Regards,
Bdiamond

Bdiamond

 

Hi,

We're always glad to help but I'm a bit confused on your question;

You had an initial positive indication by TH of the bot with the statement that it was deleted (is that the wnnt.exe file or is the latter a typo?) then you had a (non-TH?) message indicating a problem with the Dr Watson process. If these two errors were in close proximity then the second was probably due to TH's yanking the bot exe and Dr Watson being at a loss on how to deal with it Please let me know if I misunderstood the sequence of events here.

Regarding PE, you might also doublecheck any and all listening sockets. Judging from the asviewer entries I don't think there is a problem but PE gives a very good independent appraisal on the possibility of backdoors such as a renamed netcat process, etc. Gavin, knows far more than I on the possible auxilliary apps of these bots so he can offer more definitive input on this.

Thanks,

Dan

 

I doubt this is relevant at all but it may be why I was having trouble with things "hanging" on my machine. I discovered completely by accident while checking into things this morning that the e-mail scanning component of NOD32 v2. was still "present" and active this morning even though I had "quit" NOD. I mean I had completely shut it down but did not removed it through an "uninstaller"

When I was looking at my mail this morning I was absolutely astonished to see at the bottom of the page the line saying it had been examined etc. by NOD32 and found to be virus free. There was no evidence NOD was running at all and I didn't recognize anything suggesting it was in the Task Manager process list. In any case the "hanging" of applications did stop entirely when I ran the uninstaller to finally stop the thing.

In any case, its the only abnormality I can definiteluy establish to be present while all these other thigs were happening. Whether it had anything to do with TH , etc I dont know. It clearly was causing interference with other programs though.

Bdiamond

 

wg3n.sys Is a part of Sygate Personal Firewall