wins32.exe - virus? trojan? malware?


MJ

We noticed the other day that no one could access any network shares on one
of our W2k servers. This happened once before, and we found a
virus/worm/trojan (whatever you want to call it) that was the culprit. So
we ran new virus scans and spyware scans and found nothing. However, in the
registry under HKLM/Software/Microsoft/Windows/CurrentVersion/Run - there
was an entry for wins32.exe. Googling this filename turned up many results
listing the file as a worm/trojan, but none of the descriptions of where to
find it and how to get rid of it worked. In the registry the name is
wins32.exe and the data says C:\Windows\System32\wins32.exe. When we delete
the registry entry, it recreates itself. In the system32 folder you can
only see it if you uncheck "Hide protected operating system files". We
renamed it there, whacked the registry entry again, but it still returns -
recreating itself as a hidden system32 file and in the registry. Luckily,
this server is not critical to our day-to-day operations, so we've unplugged
it from the network. This file does not exist in any of our other W2k
Servers, so we're pretty sure it's a bad file. We are just at our wits' end
trying to remove it!! Any help/ideas would be greatly appreciated!!


I suppose you tried this removal procedure?:

http://www.spywareguide.com/product_show.php?id=615

Working with just file names and no malware name is difficult since
often there are several different malwares that use the same file
name(s). Your best bet is to do a scan of the drive(s) using a real
"heavy hitter" like KAV, assuming you haven't. Requests for
help should always include the names of the av and spyware
products you've already tried since their capabilities vary. Did
you try Trend's Sysclean, for example?

Also, it's best to post such help requests on alt.comp.virus

Art

http://home.epix.net/~artnpeg
 
Thanks for the info. We've already run McAfee Virus Scan, TrendMicro's
online scan, Spybot S&D, and The Cleaner by Moosoft. We've been to the
spywareguide site you included a link to and tried the removal process
suggested there, and it's not the SurferBar. What we've found when we've
googled the filename is that it could be masquerading as Microsoft Update
Machine (added by the RBOT.EZ Worm), task_mng_help (added by the
W32/AGOBOT-JB Worm), win32_usb2 (added by a variant of the WIN32.RBOT Worm)
or SurferBar. However, in reading about these various program names, and
how to remove, the file is not in any of the directories that they list. It
is only in 2 places - a hidden system file in the System32 folder, and in
the registry (path specified in original post below).
 
Hi

Sorry to hear about the virus/malware....

Now logic would dictate that if the offending item only occurred in the 2 places you mention, then removing it from those two places would therefore remove it, so one has to conclude that it or one of its components is elsewhere too.

There are many ways to start an app/service in Windows, including the startup folder and the Run key you mentioned. Is there anything in RunOnce or RunServices in the registry? Also, is there anything in win.ini and system.ini referring to the malware? There are also many other ways, like scheduling a task, calling the file explorer.exe (which will be automatically loaded), etc. etc., and numerous other registry keys which I can't remember off the top of my head.

Once you have removed the entry from the Run key and deleted the item in the System32 folder, use msconfig.exe in diagnostic startup mode and see if it comes back.

msconfig.exe is not included by default in 2k, but can be copied from an XP machine easily.


HTH

S
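The autostart locations S lists (Run/RunOnce/RunServices keys, the Startup folders, the run=/load=/shell= lines in win.ini and system.ini, scheduled tasks, and services) can be walked in one pass and searched for the suspect name. The script below is an added example, not code from the thread or from any of the posters; it assumes Windows PowerShell 5.1 or later on a current Windows host (so Get-ScheduledTask and Get-CimInstance are available, which they would not be on Windows 2000) and an elevated session. The file name to hunt for is a parameter that defaults to the wins32.exe from the original post.

```powershell
# Added example (not from the thread): enumerate the autostart locations
# named above and flag entries that reference a given file name.
# Assumptions: Windows PowerShell 5.1+, run as administrator.
param(
    [string]$SuspectName = 'wins32.exe'
)

$hits = @()

# 1. Registry Run / RunOnce / RunServices keys (machine and user hives).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSChildName/... metadata; skip those.
        if ($p.Name -like 'PS*') { continue }
        $hits += [pscustomobject]@{ Source = $key; Name = $p.Name; Value = [string]$p.Value }
    }
}

# 2. Per-user and all-users Startup folders.
foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                      [Environment]::GetFolderPath('CommonStartup'))) {
    if (-not $folder -or -not (Test-Path $folder)) { continue }
    Get-ChildItem -Path $folder -Force -File | ForEach-Object {
        $hits += [pscustomobject]@{ Source = $folder; Name = $_.Name; Value = $_.FullName }
    }
}

# 3. Legacy win.ini "run="/"load=" and system.ini "shell=" lines.
foreach ($ini in @("$env:windir\win.ini", "$env:windir\system.ini")) {
    if (-not (Test-Path $ini)) { continue }
    Get-Content $ini | Where-Object { $_ -match '^\s*(run|load|shell)\s*=' } | ForEach-Object {
        $hits += [pscustomobject]@{ Source = $ini; Name = 'ini'; Value = $_ }
    }
}

# 4. Scheduled tasks: each action records the executable it launches.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute) {
            $hits += [pscustomobject]@{
                Source = "Task:$($task.TaskPath)$($task.TaskName)"
                Name   = $task.TaskName
                Value  = "$($a.Execute) $($a.Arguments)"
            }
        }
    }
}

# 5. Services: PathName is the binary the Service Control Manager starts.
Get-CimInstance Win32_Service | ForEach-Object {
    $hits += [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Value = [string]$_.PathName }
}

# Print the full inventory, then only the entries mentioning the suspect name.
$hits | Format-Table -AutoSize
$suspect = $hits | Where-Object { $_.Value -like "*$SuspectName*" -or $_.Name -like "*$SuspectName*" }
if ($suspect) {
    Write-Host "Entries referencing ${SuspectName}:" -ForegroundColor Yellow
    $suspect | Format-Table -AutoSize
} else {
    Write-Host "No autostart entry references $SuspectName in the locations checked."
}
```

Run it before and after removing the Run value and the file in System32, as S suggests: if the value reappears but no other listed location references the binary, the re-creator is something this inventory does not cover (a second process already running, a Winlogon or shell extension entry, or another host writing over the network), which is the conclusion S draws from the symptoms.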
 
Try contacting your antivirus vendor via phone or email to see what they
have to say about it or if they have any further recommendations. Also make
sure that any program you use to scan for malware or parasites is current as
of this afternoon as some vendors may update more than once a day. It may
also help to run the malware/parasite scans in safe mode. Since this seems
to be a reoccurring problem I suggest that you read Microsoft's Antivirus in
Depth Guide which is an excellent read on detecting, cleaning [at least
trying to], and preventing malware. Microsoft's AntiSpyware program would
also be worth a try in my opinion and is available at the last link
below. --- Steve

http://www.microsoft.com/technet/security/topics/serversecurity/avdind_0.mspx
http://www.microsoft.com/technet/security/default.mspx
http://www.microsoft.com/athome/security/spyware/software/default.mspx
 

Try uploading suspicious files here:

http://www.virustotal.com/flash/index_en.html

See if any of the antivirus products alert, and note the malware names
and the av vendor.

If you are quite certain that a particular file name is not legit, and
the scanners don't alert, you may then be onto some new malware
for which they don't yet have detection. In that case, submit copies
of the suspect files to your av vendor for analysis. Remember that
antivirus products now detect all kinds of malicious code, and they
overlap somewhat with the spyware specific scanners.

Art

http://home.epix.net/~artnpeg
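Before uploading a file to a multi-engine scanner or sending it to a vendor, as Art recommends, it helps to record the facts the analyst will ask for: hashes, size, timestamps, attributes, version strings and signature status. The script below is an added example, not code from the thread or from any poster; it assumes Windows PowerShell 5.1 or later and read access to the file. The path defaults to the location MJ reported for wins32.exe, and the file is never executed, only read and copied with a neutral extension.

```powershell
# Added example (not from the thread): collect the details a scanner
# submission or AV vendor needs about a suspect file, without running it.
# Assumptions: Windows PowerShell 5.1+, path defaults to MJ's reported location.
param(
    [string]$Path = "$env:windir\System32\wins32.exe"
)

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Host "No file at $Path (it may have been renamed or removed)."
    return
}

# -Force is required: a Hidden+System file is otherwise skipped, which is
# why MJ only saw it after unchecking "Hide protected operating system files".
$file = Get-Item -LiteralPath $Path -Force

# Scanners and vendors index samples by hash; record the common three.
$hashes = foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
    Get-FileHash -LiteralPath $Path -Algorithm $alg
}

# Genuine Microsoft binaries in System32 normally carry a valid Authenticode signature.
$sig = Get-AuthenticodeSignature -LiteralPath $Path

$report = [pscustomobject]@{
    Path            = $file.FullName
    SizeBytes       = $file.Length
    Attributes      = $file.Attributes.ToString()
    HiddenSystem    = $file.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
                      $file.Attributes.HasFlag([IO.FileAttributes]::System)
    CreatedUtc      = $file.CreationTimeUtc
    ModifiedUtc     = $file.LastWriteTimeUtc
    CompanyName     = $file.VersionInfo.CompanyName
    Description     = $file.VersionInfo.FileDescription
    SignatureStatus = $sig.Status
    Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    MD5             = ($hashes | Where-Object Algorithm -eq 'MD5').Hash
    SHA1            = ($hashes | Where-Object Algorithm -eq 'SHA1').Hash
    SHA256          = ($hashes | Where-Object Algorithm -eq 'SHA256').Hash
}
$report | Format-List

# Observations worth stating in the submission note.
if ($report.HiddenSystem) {
    Write-Host "Hidden+System attributes set: hidden from Explorer by default."
}
if ($sig.Status -ne 'Valid') {
    Write-Host "No valid Authenticode signature; compare the hash with the same path on a clean host."
}

# Copy the sample with a non-executable extension so it cannot be launched by accident.
$sample = Join-Path $env:TEMP ("sample_{0}.bin" -f $report.SHA256.Substring(0, 16))
Copy-Item -LiteralPath $Path -Destination $sample -Force
Write-Host "Sample copied to $sample for upload or vendor submission."
```

The SHA256 alone is enough to check whether a scanning service has already seen the file; the rest of the report is what lets a vendor distinguish a new sample from one of the several families Art notes can share a file name.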
 
Spy Sweeper got it! Go figure...............

Thanks to all of you for your help!

Did you upload suspect files to Virus Total? Did any av product
alert?

I wouldn't be surprised if Kaspersky decided to add detection
if you sent them a sample to analyze. They supply so-called
extra defs that can be downloaded from certain of their
update sites. Using them results in detection of many
kinds of unwanted code in addition to viruses, Trojans,
worms and RATs.

Art

http://home.epix.net/~artnpeg
 