Microsoft winlogon.exe is Downloading Trojans,Viruses,Spyware&Co


Hi there,

For me it is the exact same behaviour... seems to be spreading around.

Hope someone finds a solution soon

Found this interesting Page so far http://www.publicsafety.gc.ca/prg/em/ccirc...09-007-eng.aspx and http://www.symantec.com/business/security_...-99&tabid=3

This helped a little bit and I´m scanning my system now trough the night http://www.bleepingcomputer.com/combofix/how-to-use-combofix

It is quite late now, will go on tomorrow morning :-) greetings from Germany

Itaka



So Itaka29, you are welcome. The more users with the same problem, the better the resolution of the problem can be. That is why I think it's good that I've opened this discussion, and it should be spread to the other forums. We have to put pressure on security software firms so that they open their "eyes", because times have changed and cyber criminals have too, along with their methods. People have no time to wait over 3 months and break their heads like me, you know; antivirus firms should react faster and work together with government specialists (FBI, CIA, NSA). Over three months ago I detected this problem, you know; antivirus firms are only now discovering it and giving names to this threat. Are they "sleeping or what", lazy manufacturers. I am scanning my computer day and night now until I have found that small bastard. So good luck and thanks for your info!!!

Greetings

cTreamer

Edited by cTreamer

I had the same problem. I don't know how it got in. I use Firefox, I am very careful with attachments, autorun is disabled, all file extensions are shown, etc. The only thing I can think of is Java installation, but that might be a red herring. Spent a whole night trying to get rid of it as I wanted to back up my files.

Things I tried:

Tried using Last Known Good Configuration, Safe Mode, etc. - all were infected.

Couldn't run System Restore (rstrui.exe) as I couldn't start up any program.

Browsing certain folders in explorer triggered a verclsid.exe + dwwin.exe error.

Tried AV software (AVG, Kaspersky), rootkit analysers (GMER, IceSword - http://www.antirootkit.com/software/index.htm ), etc., but none of them were able to solve the problem.

I couldn't run sfc /scannow - ALL the tools (including notepad, msconfig, regedit, sysdm.cpl, etc.) were affected.

Found that C:\WINDOWS\system32\drivers\etc\hosts file had a new entry: 127.0.0.1 www.teenpassage.com

Two pieces of software helped me a lot: Process Explorer ( http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx ) to kill all the very annoying DrWatson and dwwin.exe error messages which multiply and won't go away. Right-clicking and killing the process tree got rid of them. This helped me seek help from the internet and eventually I stumbled across this. I found that this is a recent happening, though the same name had popped up between 2005 and 2007.

Windows Malicious Software Removal tool ( http://www.microsoft.com/security/malwareremove/default.mspx ) found a couple of files. But that didn't solve it.

Tried to replace winlogon.exe from the XP install CD using "expand winlogon.ex_ winlogon.exe". This only worked in the Recovery Console and came up with dwwin.exe errors in any other boot-up, including Safe Mode.

Tried to replace windows files from the CD in recovery console (painstaking when you don't have autocomplete, copy and paste, no knowledge of batch run commands). Eventually I was stuck with an installation which got past the Microsoft Windows progress bar screen but didn't get to the Login screen and got stuck in a limbo with a blank desktop background and a moveable pointer/mouse. This happened in all modes, including Safe mode.

Tried to get some help from IRC folks, but all apps were infected - so I used the mibbit.com/chat AJAX client to get advice - there are some helpful people on freenode #windows, though they couldn't solve the problem.

Since the whole Windows OS was infected, the only way to completely get rid of it was to do a fresh install. But I didn't want to lose my files as I needed to back them up. I tried to run the Windows Repair Install (as opposed to going into the Recovery Console - which is not very useful in this situation) but that option didn't appear. So I decided to take a risk and install Windows in the same partition without formatting. It asked me to select the WINDOWS directory. I chose to install it in C:\NEWNAME (where NEWNAME is anything but the default WINDOWS or the previous installation directory). This worked because it preserved my C:\Documents and Settings\Administrator directory, which contained all my previous installation's profile My Documents and Desktop files and folders which were yet to be backed up. The new installation was clean.

(The problem now was to find a way to access the old profile's directory which was owned by the old profile. It turns out that I have to change the ownership but then I had a new problem where changing the ownership of a parent folder didn't propagate to all its subfolders (sub-sub folders, etc) and files. I used xcacls to try to change this but this didn't work very effectively. I'll wait till I can get a USB-IDE connector, rip out the HD and then connect it to another win/linux system where I can recover the files without being bothered by access restrictions.)

But now in the new installation (original XP without SP upgrades), as soon as I connected to the internet, I was being bombarded with intrusions as shown by connections to port 80 on svchost.exe and winlogon.exe using TCPview. That installation was corrupt within an hour with the same problem. The next time, I would be prepared.

After installing again (in the third WINDOWS installation directory on the same partition/harddrive), I immediately grabbed Sygate Personal Firewall ( http://en.wikipedia.org/wiki/Sygate_Personal_Firewall ) which is still an excellent tool regardless of lack of updates and installed it. I blocked explorer.exe and certain svchost.exe services which are not required for a net connection (and windows update). The first thing that I did was to update Windows. ( http://windowsupdate.microsoft.com ) Grabbed XP SP3. Downloaded all the critical updates available. This worked though I had to keep a constant watch on TCPview, Sygate and Process Explorer to make sure that nothing unwanted was running or connecting. And now I've made sure that all files and their extensions are visible (including system files), disabled autorun, stopped & disabled a lot of unwanted services (services.msc) and a few other tweaks courtesy of TweakUI ( http://www.microsoft.com/windowsxp/Downloa...ppowertoys.mspx ) and XP Antispy ( http://www.xp-antispy.org/index.php/lang-en ). This is my first bad experience with viruses/trojans/rootkits as I am very careful of what I click and double-click. Hopefully I will be able to back up my files in the coming week when I have more time. Though I should write this up for others out there with a similar experience.

Edited by kopyp

I have another question: on which partition did Symantec Endpoint Protection find this hidden file, on C: (boot sector) or on your normal partitions (Software, Music, Video)? And was it injected into some EXE, DLL, SETUP, MSI, COM, SYS, INI, INF, DAT, REG files? What did your antivirus show you about where the main infector of winlogon.exe was hidden? Thanks for your info!!!

The W32.VIRUT.CF virus was found on all partitions, only in exe files, and the files that were infected seemed rather random. I believe the original source of the infection was a downloaded game, but I deleted it and the virus still reappeared. I think this was because the W32.VIRUT.CF virus was spread throughout my system at this point, and when I accessed the exes on partitions not reformatted, I reinfected winlogon.exe. I think Symantec just added detection for this virus in the latest updates because it was never detected before. At the last format, when I scanned the entire system, around 100 infected files were found on 4 partitions. I blocked all of the IPs mentioned:

218.93.202.114

61.235.117.81

58.65.232.34

211.95.79.6

I had previously blocked 61.235.117.81 since I had detected winlogon.exe trying to connect to this IP.

In my case, I had downloaded a warez copy of SimCity 4 Deluxe Edition using BitTorrent. I already had a purchased copy with the expansion pack but wanted the updated version. When I ran the setup.exe I immediately knew there was some sort of malware present because the system hung for several seconds. I immediately checked the startup options and saw 5 or 6 new entries. I deleted these and the associated files but failed to catch the winlogon.exe infection, since this was a normal Windows file and needed no startup option added. I deleted the downloaded game but still had my legit copy on my HDD. I began creating my own Deluxe version of this game by merging the original and expansion pack into one setup, but these game setup files were now infected. I installed the game a few times to test it and make changes. Every time I did this the virus was spread yet again. During this process I had restored a backup image twice and been reinfected each time. After the last restore, Symantec began finding this virus and was able to clean it from all but 2 or 3 files. I then checked the game setup which was still on my HDD, and every exe for the disc was infected.

Edited by jellyhead

You normally only see that message if you have recently installed a program or updates that require a reboot. If you rebooted your PC and are still getting that error then there is a problem with your system. You could try running the setup as administrator and see if that works but you shouldn't need to do that. I have installed this program on many computers and never had a problem with it.

This may help

http://service1.symantec.com/SUPPORT/ent-s...pen&seg=ent

Edited by jellyhead

Now another Norton is working, but it doesn't matter; I've updated the new virus definitions, over 60 MByte, so I think that the W32.VIRUT.CF dat is also on board. So now I am scanning & deleting & quarantining and so on until I have cleaned up all infected setups and MSIs and similar files. At the first success I'm going to post immediately that winlogon.exe is no longer connecting and downloading; till then it is a very long, hard way for me to go. Good luck to all!!!

Greetings

cTreamer


I just cleaned up this mess on another computer with somewhat different results. In this case the W32.VIRUT.CF virus was spread to virtually every exe file on the system. Symantec went a little crazy in cleaning it and actually deleted explorer.exe and the registry entry to start explorer. The system would start but the screen was black. I opened Task Manager and realized explorer wasn't running. I tried to start it manually and got an error saying explorer not found. I had to copy the explorer.exe and userinit.exe files from another system to the Windows folder and replace the reg keys.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"Shell"="Explorer.exe"

"Userinit"="C:\Windows\system32\userinit.exe,"

I also found that numerous Windows files were missing. Many of the Windows program Start Menu shortcuts were linked to files in the winsxs folder instead of the program folders. I noticed this with Windows Media Player, Windows Mail, Windows DVD Maker, Internet Explorer and several other shortcuts. Rather than spend hours trying to find all of the missing files, I just chose to run the Vista setup again in upgrade mode.

Edited by jellyhead
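Added example, not code from any poster in this thread: a PowerShell audit of the three signs the posts above use to recognise this infection (the Winlogon Shell/Userinit values jellyhead had to restore, the non-default hosts entry kopyp found, and winlogon.exe holding outbound TCP connections as seen in TCPview). It assumes a current Windows PowerShell with the NetTCPIP module (Get-NetTCPConnection), which the XP/Vista machines in the thread would not have.

```powershell
# Added example (not from the thread). Run elevated; read-only, only reports findings.
$winlogonKey      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectedShell    = 'explorer.exe'
$expectedUserinit = "$env:SystemRoot\system32\userinit.exe,"   # trailing comma is normal

# 1. Winlogon values: a missing Shell gives the black-screen boot described above,
#    an altered Userinit/Shell is a common persistence point for this kind of malware.
$values = Get-ItemProperty -Path $winlogonKey
foreach ($name in 'Shell', 'Userinit') {
    $expected = if ($name -eq 'Shell') { $expectedShell } else { $expectedUserinit }
    $actual   = $values.$name
    if ($null -eq $actual) {
        Write-Warning "$name is missing from Winlogon (Explorer will not start)."
    } elseif ($actual.Trim() -ine $expected) {
        Write-Warning "$name = '$actual' (expected '$expected')"
    } else {
        Write-Output "$name OK: $actual"
    }
}

# 2. hosts file: anything beyond the stock localhost mapping deserves a look
#    (kopyp found a 127.0.0.1 entry for a site he never added).
$hostsPath = Join-Path $env:SystemRoot 'system32\drivers\etc\hosts'
Get-Content -Path $hostsPath |
    Where-Object { $_ -match '^\s*\d' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\s*$' } |
    ForEach-Object { Write-Warning "Non-default hosts entry: $_" }

# 3. winlogon.exe has no business holding outbound connections; flag any it does.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object {
        (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName -eq 'winlogon'
    } |
    ForEach-Object {
        Write-Warning "winlogon.exe (PID $($_.OwningProcess)) -> $($_.RemoteAddress):$($_.RemotePort)"
    }
```

On a system where winlogon.exe is already compromised, run the same checks from a clean boot medium or compare the registry hive offline, since the posts above show the infected system's own tools cannot be trusted.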

Yes, I have similar problems. I've installed my own Windows XP again and am going to scan all 3 partitions again. So this time I hope to get only false positives from Symantec Norton 360 v2.5, not something like "Infected Win32.Virut.U" or N or whatever. If Symantec is doing its job well, I think I will finally have success after 3 months, since October 2008. I just want to be quite sure, you know, and not say "Ha ha ha, he he he" too early while this bastard is still hidden in some EXE or DLL, laughing at me because I haven't DEFEATED-DESTROYED him, you know. I think I am very near to getting it out of my system/computer, so until that nice moment a little bit of patience is needed. I am going to post again as early as I can whether I had 100% success or not, you know. During my searches on Google & Co I found on the www.malwarebytes.org forum some person who also has the same problem and nobody had the right answer for him; I gave him a link to my thread at msfn.org and said that we have a resolution for him. So it's great when somebody can help another one: you helped me and I am now helping the others as much as I can.

Greetings

cTreamer


Norton and Symantec are two very different antivirus products even though they're owned by the same company. I much prefer Symantec; it's too bad you couldn't get it to work for you. The only issue I have with Symantec Endpoint Protection is that the firewall doesn't function normally. SEP is intended more for a corporate environment where system administrators manage it. The firewall works great but you have to manually set the rules to block or allow sites or programs through. In this case, it didn't even alert me that winlogon.exe was connecting to an outside IP.

Glad to hear you're beating this thing.


Hello all, first time poster, long time lurker.

I've got a laptop infected with this; unfortunately I didn't know about the transfer of the files to the memory stick, however I put said memory stick on lock so it was read only (would this even matter, I wonder?)

I've been fighting this all day, I see that it's relatively new so, hopefully we find a fix!


Your computer seems to be seriously infected.....

I guess you got spoofed into installing a fake anti-spyware (which is spyware itself) and it is causing all sorts of mayhem.

Any attempts to scan for malware will surely give you no results, as these items run at boot time and reside in your memory (RAM) (rootkits).

The best way to get rid of this nuisance is a fresh install of Windows. (Repair would suffice but a clean install is recommended.) But while doing this you will lose all data on the system drive. Backing up this data will result in backing up the malware too.....

Try using alternative boot methods like BartPE or Ultimate Boot CD and then scan off the disk, as this will prevent the infected file from executing.

Take your hard drive to a friend who has a strong antivirus (like ESET or Avira) and get it cleaned, back up your data and then install Windows from a different source than your created disk. You could also try online scanners like HouseCall in case the system is not allowing you to install antivirus.

Best = Format, clean install

Second best = Scan, backup, repair

Good Luck!

Edited by alrichdesa