Microsoft winlogon.exe is Downloading Trojans, Viruses, Spyware & Co

I have become infected with this as well. According to VIPRE, it has attached itself to winlogon.exe with the above listed IPs.

Prevx lists my alg.exe and regedit.exe as infected by rootkits.

If there is anything I can do or submit to help get this looked at, let me know.

jobe111:

Yes, of course I hate these things, like insects and parasites. So the biggest problem that all three of us have (cTreamer, Glaukus, jobe111) is to find, in all of our normal partitions (excluding C:), where that somebody or something is hidden. Because that somebody or something is exactly the one connecting to an IRC channel on port 80 and downloading the "Final Executor", this small file called 0032.exe or 0032.exePING. So first we must DEFEAT that hidden file or files; after that, "when the mother dies, the children die automatically". I mean the guilty one is not directly the 0032.exe file that infects all the Windows system services one after another, including winlogon.exe; the guilty one is the one that first downloads, from Hong Kong IP addresses, all these dangerous TROJANS, WORMS, VIRUSES, SPYWARE, MALWARE & Co, and normally it is only after you have got some 0032.exe trojans & Co on your computer that they manipulate and infect the Windows OS. Look at these screenshots, which prove that this file belongs to the most aggressive binaries and is recognised only by its MD5 hash; the file does not even have a name, because the experts don't know which VIRUS, TROJANS & Co are inside this file. Here they are:

[five screenshot thumbnails attached]

I think in this case we are dealing with the most dangerous BOTNET-ZOMBIE infections; our computers are being commanded by other people, hackers. This IP, 58.65.234.90 in Hong Kong, is the residence palace of the hackers; from there they send commands to this hidden file or files on our partitions. Then from the other IP, 61.235.117.80, on another ISP, the files like 0032.exe or 0032.exePING finally get downloaded. And this 0032.exe file, or something like it, finally downloads all that crap: TROJANS, VIRUSES, ROOTKITS, WORMS, SPYWARE & Co. So I think we have three main steps here before any VIRUS, TROJAN & Co appears in Task Manager. But the most dangerous of all three steps is "step number one", this unknown, hidden botnet program, the so-called "BOT-NET Server", and this is what is responsible for all the nightmares. In short, we must delete that hidden file that gives hackers from all around the world access to our computers, turning them into ZOMBIE computers. I don't yet know which anti-malware software I should use to try to find that small BOT-NET Server program????

So this is going to take a very long time until we three guys find out such a mysterious top-secret thing called the BOT-NET Server binary.

Greetings

cTreamer

Good luck to all who have this problem!!!

CoffeeFiend:

You are wrong!!! First, here we are not dealing with normal rootkits, and this can defeat even some small freeware anti-rootkit. Second, formatting is not overwriting the whole partition, so there is a very big chance something survives on the partition. Third, the C: partition has nothing to do with this case and formatting it brings nothing. Because that dangerous file is not a standard rootkit recognised by all the AntiVirus & Co companies, it is a BOT-NET Server binary which is controlled and commanded from BOT-NET clients located at the hackers' residence palace, OK (IRC servers & Co). So there is nothing on the Windows C: partition and it shouldn't and couldn't be deleted, because C: is clean in this case.

Edited by cTreamer
Multiple sequential posts merged

I would also like to note that either this, or one of the infections it downloads, appears to have the ability to root itself inside random executables on your hard drive.

I am already at the point of reinstalling Windows on another HD, and when I attached the infected drive to pull off what files I could, it then infected my new build of XP SP3. It was just a random file (Foxit Reader 3.0 installer) that I had stored, and when I ran it, it did its magic all over again.

Exactly this I have already done on my other computer, a notebook, with the same self-slipstreamed XP Pro SP3 + AiO. I got the same symptoms on my notebook in the other room, until I decided to bring the notebook to a computer technical service near me, you know. I don't know what he has done or how; he installed another XP Home from another CD and made a scan with G DATA AntiVirus 2008. He found over 5000 infections, which I think G DATA AntiVirus then deleted, and, unintentionally, that BOT-NET Server binary among those 5000 files, you know. So the notebook now has peace: winlogon.exe is not connecting any more, and there is no more of all this stuff in Task Manager. But if I were now to install XP again from my own CD, I am not sure whether the notebook is going to have the same problems or not, you know. I mean, if the G DATA software really did find and delete that bastard BOT-NET Server binary, then whatever Windows version I install now, there should be no more problems. So probably that BOT-NET Server is also hacking some Windows system files before the ISO image is made and burned to CD.

Greetings

cTreamer

Edited by cTreamer

McAfee is now able to detect this and in some cases even clean the infected/rooted .exe files.

They gave me an extra.dat which I have been testing for a few days. I think they will publish this in their regular DAT file in the next 48 hours...

How do you mean, Glaukus??? Is that something like a small anti-botnet tool, or what? I mean, you must tell your McAfee specialists that they should make this anti-tool in such a way that it not only deletes the "second step, third step", as I mentioned above. It should also find and delete the mother of this nightmare, "step number one", the BOT-NET Server binary, which is probably hidden in some .Setup or .Msi.

jobe111:

How did you mean that with the PDF reader Foxit Free Edition??? Was it already manipulated, like a trojan dropper or so? I don't know if this small McAfee utility is going to help us three. Waiting now for results from Glaukus, and then we'll look further.

cTreamer

Edited by cTreamer
Posts merged again!

It was a file that I'd had stored that was weeks old, so this rootkit sought out random executables and attached itself to them in order to keep itself from being wiped out. I was using Norton 360 to try and clean things up when this happened. After it started to clean infections, Norton listed dozens, possibly hundreds, of files that had quickly become infected thereafter, so this rootkit spread itself all over.

Yeah, but in this case things are more difficult. There is not only a rootkit, you know; there is a BOT-NET Server which has injected itself into other files, and the rootkit for it is only hiding its residence in the DDR RAM, so that the user can't see how it is manipulating winlogon.exe. I am going to check some Setup and MSI installations that I've downloaded; maybe it is hidden there. I have all legal software, you know; how is it possible that very well-known freeware/shareware software gets downloaded that has already been manipulated and put on the server beforehand? Are these hackers intruding into web servers all around the world and injecting BOT-NET binaries into the setup installations??? Are these web providers and owners, computer magazines, freeware sites and open source sites BLIND, or what!!! Do they check their FTP/web servers to see whether some programs or software have been manipulated? Nowadays you cannot trust even legal sites, you know. It's a big catastrophe and a shame for all the security labs and centres how little knowledge they have, that they cannot even analyse some small file to find out where it is coming from, you know. I hope that Glaukus has some resolution to this and that his McAfee is going to make a very good tool against these binaries. I am wishing good luck to all three of us!!!

cTreamer

Edited by cTreamer

First, here we are not dealing with normal rootkits

Except he does say he does have one or more.

this can defeat even some small freeware anti-rootkit

No. There isn't an app in the world that will make you 100% sure it's all gone. No such thing.

Second, formatting is not overwriting the whole partition, so there is a very big chance something survives on the partition.

Here's where you're completely wrong. Nothing will survive even the most simple format. Nothing ever "survives", it just doesn't work like that. Sure, it doesn't work for stuff on other partitions (I never claimed so), but your install is clean.

Third, the C:\ partition has nothing to do with this case and formatting it brings nothing.

Eh? Your infected winlogon is on C: (unless you installed elsewhere -- and him too), and it seemingly infects other .exe's everywhere in his case (so even more right), and reformatting the nasties sure works.

it is a BOT-NET Server binary

The two are not mutually exclusive. It sounds like you have a nice mix of malware rather: rootkit + IRC backdoor and whatnot. You also mentioned viruses and spyware... The botnet stuff mostly acts as a delivery method, if I can say so (makes your PC download even more nasties, update, and do other bad stuff).

CoffeeFiend: You are wrong!!!

If you say so :rolleyes:

Either way, I won't waste time arguing any further with you, as you've also completely ignored all relevant advice from other very knowledgeable members, i.e. DigeratiPrime & Tarun. You obviously think you know better than us all, and you're not looking for help or advice. No skin off my back, *I* am malware-free :thumbup

Edited by CoffeeFiend

I too have been fighting this problem for about a week now. I think I finally managed to eliminate it. I use restore images rather than reinstalling Windows. I first restored a known clean image and was infected soon after. I then extracted a clean copy of winlogon.exe from the image and created an SFV check file so I could determine if the system32\winlogon.exe was infected again. I blocked the IPs in my router, then restored a clean image again. I immediately scanned my system and found numerous occurrences of the W32.Virut.CF virus throughout my partitions. Symantec Endpoint Protection was able to clean most infected files. I checked the winlogon.exe file to see if it had been modified again. It was clean and I haven't seen any signs for a few days now. I am pretty sure this started with a downloaded game (yes, piracy is evil, I'm so ashamed).

Edited by jellyhead
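The SFV check jellyhead describes, as an added example that is not code from the thread: a small Python script that records CRC32 baselines for a set of files in SFV format and later reports which entries are unchanged, modified or missing. The file names and contents in `demo` are constructed for the demonstration; a real baseline would be taken from the clean winlogon.exe extracted from a trusted image and checked against system32\winlogon.exe.

```python
import zlib
from pathlib import Path


def crc32_of_file(path: Path, chunk_size: int = 1 << 16) -> int:
    """Stream the file through zlib.crc32 so a large binary need not fit in RAM."""
    crc = 0
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF


def write_sfv(paths: list, sfv_path: Path) -> None:
    """Write one 'name CRC32' line per file; lines starting with ';' are SFV comments."""
    lines = ["; baseline taken from a known-clean image"]
    for p in paths:
        lines.append(f"{p.name} {crc32_of_file(p):08X}")
    sfv_path.write_text("\n".join(lines) + "\n")


def verify_sfv(sfv_path: Path, directory: Path) -> dict:
    """Return {name: 'ok' | 'MODIFIED' | 'MISSING'} for every entry in the SFV file."""
    results = {}
    for line in sfv_path.read_text().splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, expected_hex = line.rsplit(" ", 1)
        target = directory / name
        if not target.is_file():
            results[name] = "MISSING"
        elif crc32_of_file(target) == int(expected_hex, 16):
            results[name] = "ok"
        else:
            results[name] = "MODIFIED"
    return results


def demo(workdir: Path) -> dict:
    """Constructed scenario: baseline two files, tamper with one, then re-check."""
    winlogon = workdir / "winlogon.exe"   # stand-in for system32\winlogon.exe
    alg = workdir / "alg.exe"             # stand-in for a second monitored binary
    winlogon.write_bytes(b"MZ constructed clean winlogon bytes")
    alg.write_bytes(b"MZ constructed clean alg bytes")
    sfv = workdir / "baseline.sfv"
    write_sfv([winlogon, alg], sfv)
    # Simulate a file infector appending its body to winlogon.exe after the baseline.
    winlogon.write_bytes(winlogon.read_bytes() + b"<constructed appended payload>")
    return verify_sfv(sfv, workdir)   # -> {'winlogon.exe': 'MODIFIED', 'alg.exe': 'ok'}
```

Run `demo` against a temporary directory to see the report; against a live system, take the baseline from the trusted image before connecting the drive, not from the running installation.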

The only thing I would like to add is that the latest McAfee EXTRA.DAT files are fully detecting this virus, from the botnet to the rest of the rootkits it drops. Based on my reading, most other antivirus companies are detecting this as well.

If you are still infected, you may want to remove your drives and scan them from a clean PC with fully updated AV software.

They provided me a Stinger as well to clean infected machines. It detected most things, but infected machines sometimes have in excess of 1000 infected files, including core files like explorer.exe. Therefore such machines had to be rebuilt.

Kell:

Yes, of course it is LEGAL. I've bought it at www.sienersoft.de. This is a very big software reseller here in Germany; I know this reseller from some computer magazine. So I paid 260 euros in 2003, with the original Microsoft hologram on it and my own licence. So when I want to slipstream something, I make a copy of the original XP Pro CD on the hard disk and include all the files that I want: updates, addon packs, tunings, tweaks, SP3 and so on.

I know such problems; I am very careful when I download something, exactly because of this, so I cannot understand what I have downloaded wrongly with this BOT-NET Server binary inside it. I think that is enough to answer your question briefly, Kell!!!

jellyhead:

First I thought I could resolve this problem only with IP blocking. So I've done it: the IP 58.65.234.90 is blocked in my hardware firewall router on all 65535 ports, local and remote. After that I thought, oh, thank God, I've resolved this problem. Ha ha ha: after some days of winlogon.exe no longer connecting to all the crap, this BOT-NET Server binary recognised that I had blocked IP 58.65.234.90. Therefore it changed the IP for infecting, and my winlogon.exe is now connecting to IP 61.235.117.80, also in Hong Kong. I just want to say that I am wondering that such a small binary is so intelligent that it recognises all this, you know. This is an example that behind all such binaries are sitting professional cyber criminals and IT specialist hackers with a very great deal of skill, over 150%.

jellyhead:

I am going to try now what you said, Symantec Endpoint Protection: scan all my partitions and hope that this antivirus finds this injected binary.

I have another question: on which partition did Symantec Endpoint Protection find this hidden file, on C: (boot sector) or on your normal partitions (software, music, video)? And was it injected into some EXE, DLL, SETUP, MSI, COM, SYS, INI, INF, DAT or REG files? What did your antivirus show you about where that main infector of winlogon.exe was hidden? Thanks for your info!!!

Jobe111, have you somehow resolved your problem (our problem)???

Glaukus, what do you mean by those McAfee EXTRA.DAT files, the virus database of McAfee, or what? What are your experiences now after some days of testing the EXTRA.DAT definitions??? I have launched Stinger, but it is making too many heuristic detections for files that are not even infected. So which version has McAfee provided to you??? I have Avert Stinger v10.0.0.482; is yours a newer one or not? As you can see, there are now four of us who have this difficult problem. So whoever first successfully DEFEATS and DESTROYS this problem should also make some screenshots so that the others can also follow the right way, you know. Thanks a lot for helping!

Greetings

cTreamer

Edited by cTreamer
Please stop Multiposting, use the Edit Function