PDA

View Full Version : actual winlogon.exe is connecting to http



AlexLehm
2005-11-10, 18:17
Hi,

I recently removed a spyware infestation from a PC of a colleague of mine which mainly consisted of some CoolWWW components and a program trying to appear as a security center application that displays spyware warnings.

I think I got rid of most of the components after running spybot s+d in Safe Mode in Windows 2000, however one thing still remains. After I have installed Kerio personal firewall I found that the actual winlogon.exe is connecting to two different IP-Adresses via http, one is owned by a internet service in Ukraine, the other one is owned by an internet service in the US.

If I allow the connection to go through, the program apparently downloads a file that is detected by Antivir as a trojan, which is stored in \windows\system32\1024\LXXX.tmp\LXXX.tmp (something like that) (the file is identified as TR/Dialer.MI.1)

I wonder if this is a known threat, I tried to locate the program by the HiJackThis logfile, but everything looked OK to me.

I have scanned the computer with Antivir, McAfee and ClamAV and run Spybot 1.4 and Adaware lite before saving the HijackThis log

bye, Alexander


Logfile of HijackThis v1.99.1
Scan saved at 17:04:51, on 10.11.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Programme\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Programme\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\system32\atiptaxx.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\WINNT\system32\HPJETDSC.EXE
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Dokumente und Einstellungen\Administrator\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://office.arcor-online.net/arcor/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [HP JetDiscovery] HPJETDSC.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = arcor-online.net,germany.net,arcor.de
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = arcor-online.net,germany.net,arcor.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = arcor-online.net,germany.net,arcor.de
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Programme\Kerio\Personal Firewall 4\kpf4ss.exe

LonnyRJones
2005-11-10, 22:36
Hi

Make a list of the contents of that folder for us
an easy way is to make a batch
Copy the bolded below into a new notepad document (not wordpad).
Click file> save as...> call it check.bat > file types *all files*> and save it to desktop.
Dir C:\windows\system32\1024 >>logit.txt
start notepad logit.txt
Run check.bat and post the log that will open please

AlexLehm
2005-11-10, 23:37
I'm pretty sure the actual program is not stored in this directory, the program just downloads one file to the dir and tries to start it.

I will post the result tomorrow

AlexLehm
2005-11-11, 18:55
ok, I did some more tests and I think I found some programs in \windows\system32, see below

When I sniffed the outgoing connection I found that the winlogon connects to the domain ware2006.com and accesses 3 URLs, the one returns a windows executable that is probably the trojan horse that is detected by the virus scanner.


as requested where are the suspect files as dir:

Datentr„ger in Laufwerk C: ist System
Datentr„gernummer: 2CC2-8DBD

Verzeichnis von c:\winnt\system32\1024

11.11.2005 13:08 <DIR> .
11.11.2005 13:08 <DIR> ..
11.11.2005 13:07 31.776 ld2213.tmp
1 Datei(en) 31.776 Bytes
2 Verzeichnis(se), 10.948.587.520 Bytes frei

Datentr„ger in Laufwerk C: ist System
Datentr„gernummer: 2CC2-8DBD

Verzeichnis von c:\winnt\system32\adware

11.11.2005 15:50 <DIR> .
11.11.2005 15:50 <DIR> ..
11.11.2005 10:56 15.360 ld1B5.tmp
11.11.2005 13:03 15.360 ld8DD.tmp
08.11.2005 19:53 10.832 mscornet.exe
11.11.2005 13:06 5.120 msvol.tlb
11.11.2005 13:08 188 ncompat.tlb
11.11.2005 13:06 12.744 nvctrl.exe
11.11.2005 13:07 4.286 ot.ico
08.11.2005 20:02 102.400 svchosts.dll
11.11.2005 13:07 4.286 ts.ico
9 Datei(en) 170.576 Bytes
2 Verzeichnis(se), 10.948.583.424 Bytes frei

please note that the files are initially in the dir \winnt\system32, I just moved them to adware to disable the programs in safe mode



bye

LonnyRJones
2005-11-11, 19:16
Hi

Are you seeing the symtoms and registry modifacations mentioned here?
Symantec Security Response - Adware.TopAV:
Last Updated on: November 10, 2005 01:19:13 PM
http://sarc.com/avcenter/venc/data/adware.topav.html

AlexLehm
2005-11-12, 01:01
thats not quite the same thing, the program doesn't change the wallpaper but displays something in the system tray.

I also checked for the registry keys mentioned on the page, but it doesn't exist.

bye

LonnyRJones
2005-11-12, 04:38
Hi
Download and run this tool

Download smitRem.exe (http://noahdfear.geekstogo.com/click%20counter/click.php?id=1) and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

tashi
2005-11-17, 19:31
Due to lack of a response this topic will be archived.
If you need to have the topic reopened please pm your volunteer helper.