
Microsoft winlogon.exe is Downloading Trojans, Viruses, Spyware & Co



Hello at first to all. I've got a big problem with my own Windows XP Pro installation CD, which I made with the nLite tool. After the first Windows installation from that CD everything was OK at first look. After some weeks passed, Windows began downloading TROJANS, VIRUSES and all this stuff you know, by itself. I didn't immediately understand what was going on for the first 2-3 days; then I decided to look into my system memory with a professional task manager. I took AnVir Task Manager Pro and went into the Processes section. At the same time, below the Processes section, all TCP/UDP connections from all those small system services that are loaded into DDR-RAM are shown. What I saw at first look is that all services are doing their jobs well, except one: the Microsoft NT Login and Logout Service called winlogon.exe. Instead of doing only what it should do, winlogon.exe is connecting to one IP address, 58.65.234.90 in Hong Kong. After I see "connection established", winlogon.exe is downloading some small files, and these files are all TROJANS, VIRUSES, SPYWARE (rs32net.exe, reader_s.exe, head1041.exe, V1215.TEMP) and many hundred more. I've burned more than 20 CDs and every time it's the same, you know. After installing the WLAN USB stick driver and connecting to my router, within half a second that winlogon.exe recognizes that I am connected to the Internet and begins that game from the beginning. At least I know now what the reason for that TROJAN downloading & Co is, and that's OK.

The problem is how I get it out of my computer. Each time I make my own Windows installation CD with nLite and burn it on CD, that hidden winlogon.exe is also burned onto the CD (C:\i386\) without my knowledge. I've tried to UNPACK it, you know, but I get the error "It's not possible because Visual C++ 6.0, 8.0". It looks like a native Microsoft file but it isn't. So what should I do, and with which anti-spyware/anti-virus can I find out what is going on? I hadn't had such problems with Service Pack 2, you know, for over 3 years; only since I am trying to slipstream SP3 into Windows do I have this problem.

Thank you to all who are trying to help me!!!

cTreamer


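The check the first post did by hand in a task manager (which process owns which connection), as an added example that is not code from the thread: it joins constructed sample output of `netstat -ano` and `tasklist /FO CSV` and flags established connections owned by core logon processes to public peers.

```python
# Added example (not from the thread): automate the check the first post made
# by hand in a task manager, i.e. find established connections owned by core
# Windows logon processes that have no reason to talk to public hosts.
# Inputs are constructed samples of "netstat -ano" and "tasklist /FO CSV".
import csv
import io
import ipaddress

# Core processes that should never own an outbound connection to a public peer.
NEVER_OUTBOUND = {"winlogon.exe", "smss.exe", "csrss.exe"}

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    192.168.0.2:1057       58.65.234.90:80        ESTABLISHED     652
  TCP    192.168.0.2:1060       208.80.152.2:80        ESTABLISHED     1856
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     652
"""

TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"winlogon.exe","652","Console","0","4,512 K"
"firefox.exe","1856","Console","0","58,200 K"
"svchost.exe","1012","Console","0","4,000 K"
"""

def parse_netstat(text):
    """Return (foreign_ip, foreign_port, state, pid) for each TCP row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue  # header, blank and UDP rows (UDP has no State column)
        ip, port = parts[2].rsplit(":", 1)
        rows.append((ip, int(port), parts[3], int(parts[4])))
    return rows

def parse_tasklist(text):
    """Map PID -> lower-cased image name from 'tasklist /FO CSV' output."""
    return {int(r["PID"]): r["Image Name"].lower()
            for r in csv.DictReader(io.StringIO(text))}

def find_rogue_connections(netstat_text, tasklist_text):
    """Return [(image, 'ip:port')] for protected processes with public peers."""
    pid_to_image = parse_tasklist(tasklist_text)
    hits = []
    for ip, port, state, pid in parse_netstat(netstat_text):
        image = pid_to_image.get(pid, "<unknown pid %d>" % pid)
        # Loopback and RFC 1918 peers are normal; only public peers are flagged.
        if (state == "ESTABLISHED" and image in NEVER_OUTBOUND
                and ipaddress.ip_address(ip).is_global):
            hits.append((image, "%s:%d" % (ip, port)))
    return hits
```

On a live XP box the two inputs come from running the commands themselves; the firefox.exe row shows that ordinary browser traffic to the same port is left alone.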

OK, winlogon.exe is actually an extremely important file included with Windows since NT. It is supposed to be in the I386 folder of your install source, and during setup it is expanded to the System32 folder. However, the winlogon process on your system has been hijacked by malware. Most likely you can suspend and then kill the rogue threads using Sysinternals Process Explorer. Then you can try running some AV software or a manual cleaning. I think you were doing the right thing, though, going for a reinstall or repair install, because it is difficult to know the extent to which your computer has been infected. Just back up everything to a secondary drive or partition.


Well, I think the computer on which you built the nLite CD is infected. So that malware infected your CD, and every time you install Windows with that CD, the malware is there. You will need to clean the computer on which you are building the nLite CD and then create a new nLited Windows from scratch.

Cheers ;)


I have now found a little bit more stuff with the anti-rootkit freeware GMER. At a connection attempt from winlogon.exe, GMER shows me the following:

HOST: ircd.zief.pl

PORT: 80

Of course I've selected "block always" for this connection to the host. At the moment I can use the Internet because GMER blocked that, and I have peace in my brain.

The main problem still remains, so for that I'm going to take some strong anti-virus & anti-spyware scanners and scan all my HARD DISKS, partitions & Co. When that problem is fixed I'm going to post the results again. First I'll try Sunbelt's VIPRE v3.3 and then the others, so what do you think, good choice or not???

cTreamer


So here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:28:23, on 26.01.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20935)
Boot mode: Normal

Windows folder: C:\WINDOWS
System folder: C:\WINDOWS\SYSTEM32
Hosts file: C:\WINDOWS\System32\drivers\etc\hosts

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\kxmixer.exe
F:\All Treiber\Netgear\W-Lan USB Stick WG 111 v3\WG 111 v3\WG111v3.exe
F:\Browser&Co\Mozilla Firefox 3.0.5\Mozilla Firefox\firefox.exe
F:\Anti Adware,Maleware,SpyWare,Aureate,Radiate&Co\Trend Micro-HijackThis 2.0.2\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://research.sunbeltsoftware.com/RMP/th...nkid=SBVIPRE_EN
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll (filesize 320920 bytes, MD5 35E6FB6E6003BD54A5D69C9C1C762192)
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll (filesize 34816 bytes, MD5 5D57FD3DF32DC69CEC3D1D54B4C43162)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (filesize 73728 bytes, MD5 F68EDAFE003F2B3523C0742CD3B8D673)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (filesize 142848 bytes, MD5 1F5F14678F42E84413BA03BF55E25D99)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install (filesize 1642496 bytes, MD5 BB54DEC1905B69FD4E5B75D881570715)
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (filesize 142848 bytes, MD5 1F5F14678F42E84413BA03BF55E25D99)
O4 - HKLM\..\Run: [kX Mixer] C:\WINDOWS\system32\kxmixer.exe --startup (filesize 541696 bytes, MD5 8DBDBCB810557BC7879BBC8AB9B78095)
O4 - HKCU\..\RunOnce: [Privacy Suite] "F:\Daten Erase,Vernichten,Fesplatten Seuberung&Co\CyberScrub Privacy Suite Professional Edition 5.0.0.126\Cyber Privacy Suite\CyberScrub Privacy Suite\CSPSeraser.exe" "/R:C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\CyberScrub\Privacy Suite" (filesize 872080 bytes, MD5 4B853B35B60CEB12CB21071E40B34516)
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [iE7] rundll32 advpack.dll,LaunchINFSection IE7.inf,FirstUserStart (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = F:\All Treiber\Netgear\W-Lan USB Stick WG 111 v3\WG 111 v3\WG111v3.exe (filesize 1540096 bytes, MD5 F7E1DA8AE2FB2C286CCD8ACB523C3864)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 634368 bytes, MD5 94154ACA90B388970978966A30E0E0AA)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 634368 bytes, MD5 94154ACA90B388970978966A30E0E0AA)
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6224 bytes

===== Post Nº 2 =====

You know, by the way, there is also one thing that I forgot to write. When I install some anti-virus suite like Alwil Avast, Avira & Co, at the next system start they are all replaced, corrupted, damaged by "something". Kaspersky is the only one which has a self-protecting mechanism against malware, and I can use it without errors. I have something in my system that is very hard to beat and destroy. God help me please.

cTreamer

Edited by Yzöwl
Posting without reply; Posts merged.

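A small triage pass over HijackThis "O4" autostart lines of the kind shown in the log above, as an added example that is not code from the thread or from Trend Micro: it works out which file each entry really executes (quoted paths, rundll32 targets) and reports entries that run from outside the Windows or Program Files tree or from a bare name resolved via PATH. The sample lines are constructed in the log's format; the "updater" entry and its MD5 are invented.

```python
# Added example (not from the thread): triage HijackThis 2.0.2 "O4" autostart
# lines by locating the file that actually runs and checking where it lives.
# The sample log is constructed in the format of the log above; the
# "updater" entry and its MD5 are invented to show a hit.
import re

# O4 line: "O4 - <key>: [<name>] <command> (filesize N bytes, MD5 H) (User 'U')"
O4_RE = re.compile(
    r"^O4 - (?P<key>.+?): \[(?P<name>.+?)\] (?P<cmd>.+?)"
    r"(?: \(filesize (?P<size>\d+) bytes, MD5 (?P<md5>[0-9A-Fa-f]{32})\))?"
    r"(?: \(User '(?P<user>.+?)'\))?$"
)
# Directories an XP autostart entry is normally expected to run from.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\programme\\", "c:\\program files\\")

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (filesize 142848 bytes, MD5 1F5F14678F42E84413BA03BF55E25D99)
O4 - HKLM\..\Run: [kX Mixer] C:\WINDOWS\system32\kxmixer.exe --startup (filesize 541696 bytes, MD5 8DBDBCB810557BC7879BBC8AB9B78095)
O4 - HKCU\..\Run: [updater] "F:\Downloads\reader_s.exe" /s (filesize 25088 bytes, MD5 0123456789ABCDEF0123456789ABCDEF)
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
"""

def executable_of(cmd):
    """Return the file that really executes: honour quotes and rundll32 targets."""
    if cmd.startswith('"'):
        exe, rest = cmd[1:].split('"', 1)
    else:
        exe, _, rest = cmd.partition(" ")
    if exe.lower() in ("rundll32", "rundll32.exe"):
        # rundll32 only hosts the DLL named before the comma; judge that file.
        exe = rest.strip().split(",", 1)[0].strip('"')
    return exe

def verdict(exe):
    """Classify the location of an autostart executable."""
    low = exe.lower()
    if "\\" not in low:
        return "bare name, resolved via PATH"
    if low.startswith(TRUSTED_ROOTS):
        return "trusted location"
    return "outside Windows/Program Files"

def triage(log_text):
    """Return (entry name, executable, verdict) for every O4 line in the log."""
    results = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            results.append((m.group("name"), exe, verdict(exe)))
    return results
```

The bare-name verdict is a prompt to confirm which DLL the loader actually picks up, not proof of anything; the nLite RunOnce entries in the real log fall into that bucket and are legitimate.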
No, they both have reported false positives. But Sunbelt's VIPRE v3.3 has found 12 malware items, of which 8 were heuristic mistakes and 4 real Trojans. I've deleted those 4 files and left the other 8 in peace because they are all normal files and not Trojans & spyware. You know what I think: maybe all this is about the CONFICKER worm, because the symptoms are very much the same, spreading around over port 445 RPC. I don't know, maybe somebody from outside is contacting my winlogon.exe and then infecting it. Normally all update packs integrated into the CD should also include that one patch from October 2008 against the CONFICKER worm. I'm hearing about this for the first time now, you know, 2-3 months later, and yesterday I downloaded this security fix and installed it. What do you think about the CONFICKER worm and its 3 variants (a, b, c)???

Greets

cTreamer


I've not found Conficker doing anything to winlogon.exe. Also, unless something has changed in the past week, Conficker hasn't been activated, last I knew. If you have Conficker, unhide your protected system files, go into Recycler and see if you can find a folder with a SID in it... I forget which one; also the root volumes of all your drives will have this in them, and an autorun.inf that points to that SID.


No, I am clever: I am always deleting "System Volume Information" and then the "Recycler" bin on all my hard disks & partitions, and the Windows "Backup Function" is deactivated for all partitions because I have my own favourite one. Exactly because of this I have nightmares, you know; I don't understand where such a Trojan/virus could still hide when I am doing everything perfectly on my system. My access point is an expensive one, with professional hardware firewall functions and options that you can only dream of. Including IDS, IPS, SPI; normally it should block all unwanted incoming connections. I've tested it with very hard online tests, you know, and they are all saying "you are perfectly hidden, no chance to connect to your computer", grade "Excellent". Also I've put it under stress tests like DoS, DDoS and more; it is not crashing, restarting, nothing; the most stable router that I ever owned: D-Link DSL-2741B WLAN 300 Mbit router. There must be some reason why this is happening, you know; I must find it out.

Greetings

cTreamer


Can you mount the hard disk in another computer that is not subverted and scan it from there? I would suggest booting from WinPE, since it would be in RAM and not susceptible to whatever is on your system.

Rootkits, especially kernel-mode ones, can modify the Windows API so they are invisible to any other processes. The only way to see and remove them, other than a reformat, is with a better kernel-mode driver or by analyzing the disk 'offline' as I suggested above.


So look at this: I've got one 500 GB hard disk split into 2x250 GB partitions, F and G. F is the all-round files partition and G is the multimedia one (videos, music, MP3, Internet radio streams, CD copies, peer-to-peer) only. Then there is another hard disk, a Maxtor S-ATA 120 GB, partition H. H is an extension for F; that means when there is not enough space, the files are stored on H. Normally I want to install Windows on a separate hard disk on its own partition, but I've had a hard disk crash and am waiting for a new one, a Seagate IDE 320 GB hard disk that is going to be used only for all kinds of operating system installations: Windows, Linux, Unix and Mac OS. At the moment I am installing Windows on some small 5 GB partition on that 500 GB WD hard disk, you know. All together I have 3 normal partitions F:\, G:\, H:\, plus C:\, Windows' own partition. Now it's clear for you to understand where what is hidden or could be hidden.

I've scanned with more than 45 known and unknown anti-virus, spyware, adware, malware, Trojan and anti-rootkit tools and they find nothing on all 3 partitions F, G, H, you know. Also with all kinds of Internet security suites: Kaspersky, Avira, F-Secure, G-Data, Eset NOD32 and more. All possible anti-spyware suites from the smallest up to robust ones like Sunbelt's CounterSpy v2.3, which has the most definitions, over 500,000. A second computer I haven't got, but even if I had it, I don't think that it could change anything, you know. Maybe somebody has broken my router's WLAN SSID password, which is over 32 letters long, 99% uncrackable, WPA2-PSK AES 256-bit; this was an idea from one police department officer with whom I spoke about this problem too, you know. What else could it be, when my WLAN is safe and not broken, on my hard disks and partitions I find nothing, and the boot sectors are clean, MBR, MFT & Co? The last version is that somehow somebody or something (zombies, domains, infected network PCs) is scanning my PC and, after finding a leak in the DCOM/RPC services, is sending commands into winlogon.exe which then connects to IP addresses in Hong Kong, you know. But every time, before the connection has been established with some IPs in Hong Kong, nothing has been downloaded before, because I think that first some small files must be downloaded which finally infect and manipulate winlogon.exe itself so that it does what all this cyber mafia wants. I've done some traceroutes with professional tools & software; maybe it is interesting for you:

Host: ircd.zief.pl - behind this host are 2 IPs, 58.65.234.90 and 61.235.117.80; winlogon.exe is connecting to one of them and downloading all that crap!

Port: 80
Name: ircd.zief.pl
IP-Addrese: 58.65.232.34
Location: Hong Kong SAR (22.283N, 114.150E)
Netzwerk: APNIC-58
See Registrant Pane for registrant contact information.

NeoTrace Trace Version 3.25 Results
Target: ircd.zief.pl
Date: 05.02.2009 (Thursday), 13:50:25
Nodes: 18

Node Data
Node  Net  Reg  IP Address    Location       Node Name
18    1    1    58.65.232.34  Hong Kong SAR  ircd.zief.pl

Packet Data
Node  High  Low  Avg  Tot  Lost
18    387   387  387  1    0

Network Data
Network id#: 1
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
ReferralServer: whois://whois.apnic.net
NetRange: 58.0.0.0 - 58.255.255.255
CIDR: 58.0.0.0/8
NetName: APNIC-58
NetHandle: NET-58-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS.LACNIC.NET
NameServer: NS-SEC.RIPE.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/info/faq/abuse
RegDate: 2004-05-04
Updated: 2005-05-20
OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3188
OrgTechEmail: search-apnic-not-arin@apnic.net
ARIN WHOIS database, last updated 2009-01-26 19:10

Registrant Data
Registrant id#: 1
This is the RIPE Whois query server 3.
The objects are in RPSL format.
Rights restricted by copyright.
See http://www.ripe.net/db/copyright.html
The object shown below is NOT in the RIPE database.
It has been obtained by querying a remote server:
(whois.dns.pl) at port 43.
To see the object stored in the RIPE database
use the -R flag in your query

REFERRAL START
DOMAIN: zief.pl
registrant's handle: sibr62259 (INDIVIDUAL)
nameservers: dns1.zief.pl. [58.65.232.33]
             dns2.zief.pl. [58.65.232.34]
created: 2005.07.25 15:58:55
last modified: 2008.09.25 10:49:06
no option
REGISTRAR: Consulting Service
ul. Domaniewska 35A lok.1B
02-672 Warszawa
Polska/Poland
+48.22 8538888
domeny@ConsultingService.pl
WHOIS displays data with a delay not exceeding 15 minutes in relation to the .pl Registry system
Registrant data available at http://dns.pl/cgi-bin/en_whois.pl

_____

NeoTrace Copyright ©1997-2001 NeoWorx Inc

So at first winlogon.exe is connecting to some server with the domain ircd.zief.pl of this Internet consulting firm in Poland, which is probably infected, and then getting redirected to IPs in Hong Kong. Are hackers behind all this mystery, or just infected networks and their computers in China?

Greetings

cTreamer

