Re: ? WINS\*.EXE installed as part of Windows

From: Bill Sanderson (Bill_Sanderson_at_msn.com.plugh.org)
Date: 12/01/03


Date: Sun, 30 Nov 2003 18:34:50 -0500

If these files are under the path you quote, they are products of infection.

If you connect an unpatched XP machine to the Internet without enabling the
XP Firewall on the connection, it will be infected within seconds.

You need to unplug the Internet connections while installing until you
ensure that the firewall is enabled on the connection. Then download and
apply all critical patches via WindowsUpdate. If you need access to the
machine for file and print sharing, you could turn the firewall off at that
point, but your situation sounds like one where it would be better left on.

Apparently, you either have no firewall to the Internet, or have a raft of
infected machines on the local network--even one will accomplish this. Have
you checked your local network using the tools to detect unpatched/infected
machines?

http://support.microsoft.com/default.aspx?kbid=827363

"Alec Soroudi" <a@a.com> wrote in message
news:eOej$R4tDHA.1876@TK2MSFTNGP09.phx.gbl...
> Hi,
>
> You know that whole WINS thing? %systemroot%\WINS\DLLHOST.EXE &
> %systemroot%\WINS\SVCHOST.EXE? Well I'm a bit confused about it. Are they
> actual Windows files that have been exploited or are they files that a virus
> puts in there? The reason I ask is that I recently did a clean install of
> Windows XP Professional on a bunch of machines and after the second reboot
> (after it does the "Saving settings" part, before the part where you set up
> the users and stuff), the two files are THERE! I booted into DOS mode after
> each and every reboot during the install and after the second one, the files
> were there.
>
> So, what's the deal? Are they system files? Is the installation CD
> infected? Is it the MBR, or some other part of the system that's infected?
> I could swear they weren't there the first time I installed XP when we first
> got it...
>
> Thanks.
>
> --
> Alec
> asoroudi@synetech.cjb.net


