wins32.exe - a virus? trojan? malware?


mjstanton

Technical User
Aug 28, 2001
107
US
We noticed the other day that no one could access any network shares on one of our W2k servers. This happened once before, and we found a virus/worm/trojan (whatever you want to call it) that was the culprit. So we ran new virus scans and spyware scans and found nothing. However, in the registry under HKLM/Software/Microsoft/Windows/CurrentVersion/Run - there was an entry for wins32.exe. Googling this filename turned up many results listing the file as a worm/trojan, but none of the descriptions of where to find it and how to get rid of it worked. In the registry the name is wins32.exe and the data says C:\Windows\System32\wins32.exe. When we delete the registry entry, it recreates itself. In the system32 folder you can only see it if you uncheck "Hide protected operating system files". We renamed it there, whacked the registry entry again, but it still returns - recreating itself as a hidden system32 file and in the registry. This file does not exist in any of our other W2k Servers, so we're pretty sure it's a bad file. We are just at our wits end trying to remove it!! Any help/ideas would be greatly appreciated!!

MJ
 
Thanks for the response. One of the first things we did was go to Windows Update to download and install whatever was listed. Is it possible that the patch you mention could have been overlooked (cause we update on a fairly regular basis)?

BTW, what we have done so far to no avail is:
run McAfee virus scan
run Spybot S&D
run TrendMicro's online scan
run The Cleaner by Moosoft

We followed the instructions for removal at to no avail.

None of the above have worked. I'll install the patch you mentioned, but will it remove this pest?

Thanks again!
MJ
 
Thanks, but we tried those removal steps. What we've found when we've googled the filename is that it could be masquerading as Microsoft Update Machine (added by the RBOT.EZ Worm), task_mng_help (added by the W32/AGOBOT-JB Worm), win32_usb2 (added by a variant of the WIN32.RBOT Worm) or SurferBar. However, in reading about these various program names and how to remove them, the file is not in any of the directories that they list. We have only found 2 instances of it: in the System32 folder as a hidden file and in the registry (registry key specified in original post).

We disconnected the server from the network as soon as we suspected this, and we've determined that no other servers or workstations are infected.

MJ
 
Disable System Restore, then delete it.

Do not take life too seriously, because in the end, you won't come out alive anyway
 
Correct me if I'm wrong, but there is no System Restore feature in Windows 2000 Server.....
 
You are absolutely correct. Restore is only an ME/XP feature.

Tired of waiting for an answer? Try asking better questions. See: faq222-2244
 
Do you see any random alpha/alphanumeric dll's in the system32 folder of recent vintage? I've run into these before that actually facilitate the respawning...deletion of same has solved the problem.
Also, have you checked all Temp folders for any indication of the source .exe/any suspicious .exe having approximately the same modified date as the wins32?

 
have you tried removing it via a safe mode boot or via the recovery console?

basically from an angle where only critical OS files are loaded on boot

Gurner
 
Carr, I'm not sure what you mean by "random" but there are quite a lot of alpha/numeric dll's in the system32 folder, but none with the same create date as the wins32s.exe file.

Gurner, we tried to remove it in safe mode, but that didn't do the trick, either.

We deleted the file again while watching the processes tab in Task Manager to see if any process went away when we deleted the file, but nothing changed.

We're still exploring other solutions.......
 
Sounds like you need to boot up with a CD so that you are not booting the OS on the hard drive. Google for BartPE to allow you to create a bootable CD. This is an invaluable tool.

Once you boot with the CD, you can manually access the C: drive and delete the rogue program. Then reboot normally and the system will complain about the missing file, but it won't be loaded in memory so you should be able to remove the registry entries at that point.

Also check the "Shell" parameter in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

This should only be Explorer.exe.

I've seen ad/spyware hide there too which means it gets loaded even when booting in safe mode.


R.Sobelman
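The checks the thread walks through by hand (the Run key from the original post, the recently modified or random-named files in System32 that Carr mentions, and the Winlogon "Shell" value R.Sobelman points at) can be scripted. The block below is an added example written for this edit, not code posted in the thread; it targets a modern Windows host with PowerShell 5.1 or later rather than Windows 2000, and the `-Suspect` and `-Days` parameters are illustrative defaults, not values taken from the thread.

```powershell
<#
Added example (not from the thread). Audits the autostart locations and the
System32 indicators discussed above:
  1. Run/RunOnce values: resolve the image path, confirm the file exists and
     report its Authenticode signature status.
  2. Winlogon\Shell: must be exactly explorer.exe; anything appended there
     loads even in Safe Mode.
  3. System32 executables that are Hidden+System, or whose modification time
     falls within N days of a suspect file (siblings dropped alongside it).
Assumptions: elevated PowerShell 5.1+ session; -Suspect and -Days are
illustrative parameters chosen for this example.
#>
param(
    [string]$Suspect = "$env:SystemRoot\System32\wins32.exe",
    [int]$Days = 2
)

function Get-ImagePath([string]$Command) {
    # "C:\dir\x.exe" /arg -> C:\dir\x.exe ; rundll32.exe foo.dll,Bar -> rundll32.exe
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+?\.(exe|dll|cmd|bat|vbs|scr))') { return $Matches[1] }
    return $Command.Trim()
}

function Get-AutostartEntries {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a registry value
            $image = [Environment]::ExpandEnvironmentVariables((Get-ImagePath ([string]$p.Value)))
            # A bare file name (no directory) is resolved by the loader's search path,
            # so treat it as unresolved here rather than guessing.
            $exists = ($image -match '[\\/]') -and (Test-Path -LiteralPath $image -PathType Leaf)
            $sig = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $image).Status } else { 'FileMissingOrUnresolved' }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Image = $image; Signature = $sig }
        }
    }
}

function Test-WinlogonShell {
    $key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    [pscustomobject]@{
        Shell = $shell
        # "explorer.exe,C:\other.exe" or a different binary here is a hijack indicator.
        Ok    = ($null -ne $shell -and $shell.Trim() -ieq 'explorer.exe')
    }
}

function Get-SuspiciousSystem32Files([string]$Anchor, [int]$WindowDays) {
    $sys32 = Join-Path $env:SystemRoot 'System32'
    $files = Get-ChildItem -LiteralPath $sys32 -Force -File -ErrorAction SilentlyContinue |
             Where-Object { $_.Extension -in '.exe', '.dll' }
    $window = $null
    if (Test-Path -LiteralPath $Anchor) {
        $t = (Get-Item -LiteralPath $Anchor -Force).LastWriteTime
        $window = @{ From = $t.AddDays(-$WindowDays); To = $t.AddDays($WindowDays) }
    }
    foreach ($f in $files) {
        $hidden = [bool]($f.Attributes -band [IO.FileAttributes]::Hidden)
        $system = [bool]($f.Attributes -band [IO.FileAttributes]::System)
        $near   = ($null -ne $window) -and ($f.LastWriteTime -ge $window.From) -and ($f.LastWriteTime -le $window.To)
        # Hidden+System on an executable in System32 is how the thread's file was hiding;
        # the time window catches droppers/helpers written at the same time.
        if (($hidden -and $system) -or $near) {
            [pscustomobject]@{
                Name          = $f.Name
                LastWriteTime = $f.LastWriteTime
                HiddenSystem  = ($hidden -and $system)
                NearSuspect   = $near
                Signature     = (Get-AuthenticodeSignature -LiteralPath $f.FullName).Status
            }
        }
    }
}

'== Run / RunOnce entries (unsigned or missing images deserve a look) =='
Get-AutostartEntries | Format-Table -AutoSize
'== Winlogon Shell =='
Test-WinlogonShell | Format-Table -AutoSize
"== System32 executables: Hidden+System, or modified within $Days day(s) of $Suspect =="
Get-SuspiciousSystem32Files -Anchor $Suspect -WindowDays $Days | Sort-Object LastWriteTime | Format-Table -AutoSize
```

Run it from an elevated prompt before and after a cleanup attempt; an autostart value that comes back after deletion, as described in the thread, points at a second component (a service, a second Run value, or a Shell/Userinit hijack) that is re-creating it, and that component is what the Signature and NearSuspect columns are there to surface. On a live infected host the results are only as trustworthy as the OS that produced them, which is why the offline boot suggested above is still the reliable way to remove the file itself.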
 
Well, it's gone! Spy Sweeper seemed to do the trick for us. Thank you all for your help!

MJ
 