View Full Version : Windows Startup: ShowWnd.exe and SensLogn



RonTheCon
2006-05-28, 03:24
My Windows computer came with ShowWnd.exe which is known to be sending personal information probably to the Microsoft website. They have been sued previously for it in Windows 95 or 98 and got away with it... :mad:

Description:
showwnd.exe is a process which is registered as the Unclassified Trojan. This Trojan allows attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately.

Process Information (http://www.liutilities.com/products/wintaskspro/processlibrary/showwnd/) - DISABLE AND REMOVE IMMEDIATELY

--------------------------------

SensLogn is a function in the WlNotify.dll and it's also spyware. It came from a Windows Update not too long ago.

Description:
SensLogn is an advertising program by AbetterInternet Spyware. This process monitors your browsing habits and distributes the data back to the author's servers for analysis. This also prompts advertising popups. This program is a registered security risk and should be removed immediately.

Process Information (http://www.processlibrary.com/directory/files/senslogn/) - DISABLE AND REMOVE IMMEDIATELY

I have removed these two from startup using Spybot (advanced) > Tools > System Startup. I rebooted and my computer works fine and a little faster.

I hope this is in new releases of Spybot. Thank you very much.

~Ron

RonTheCon
2006-05-31, 03:49
bumping

RonTheCon
2006-06-04, 00:46
No feedback on this?

Teesa
2006-09-05, 08:01
:bigthumb:

I would like to bump this in hopes that there will be feedback as I have questions on this 'SensLogn' as well.

Sorry, Ron, that you didn't get any replies, maybe now we'll both get something feedback-wise that'll help us :)

I have a few 'wlnotify's' in my Spybot startup, that I don't like being there, and I believe that I have been having problems because of this.

My prob's started last week [last week of Aug. 2006] because I did the Windows updates and because of this, Microsoft discovered that I'm not using Service Pack 2. I did download it once way back when I was 'supposed' to, but was having major prob's with my puter and it was suggested to me to remove it completely. Which I did.

Now, starting last week, I was getting a little popup window balloon [just like the little one you get from AVG saying you need to do their updates], and had a new item in my task bar by my Date and Time. It was from Microsoft, telling me I HAD to download Service Pack 2, and a little icon would stay forever down there. It would popup ALL the time and was VERY annoying :mad:. I went through H-E-double toothpick to get rid of those.

Maybe I'm just a little paranoid, but co-incidence seems to point right to the root of the problem, but now, since I won't do the Service Pack 2 update, IE doesn't work half the time. Doesn't matter WHAT type of website I try to view, I get a 'Page Cannot be Displayed' or 'www.website.com' cannot be found. Yet, I could view these sites using Netscape and/or Firefox.

Now today, I'm trying to find out information on these files on my puter - ScCertProp, Shedule, termsrv, Senslogn, WgaLogon and wlballoon [all wlnotify.dll's]. Google works JUST FINE... I can type in ANYTHING and get hits, but not ONE website would work. There was no such site as a Spybot forum, WilderSecurity did not exist, liutilities doesn't exist - as well as many other 'main' sites that I go to first for advice/help/information lookup on puter related things. Not as popular sites [at least not to me] didn't exist, and if I did happen to get a webpage up, it only said 'Page Cannot be Displayed'.

If I clicked on 'Cached' instead of the main URL, I could get the site up. And some sites I could actually get into once, but if I tried again the site was suddenly not in existence. What was REALLY ticking me off, was the SAME thing was happening in Netscape and Firefox. I did have internet connection the whole time, there wasn't any hiccoughs [sorry, can't think of another word for that, lol] in my connection, I was sending and receiving just fine.

I don't think it's right that I'm being forced to download something that I don't WANT to download. It messed up my puter the first time, I'm not THAT stupid that I'm gonna just download it again! :mad:.

I'm MORE than perfectly willing to tell my IE to go to a VERY warm spot and just use Netscape and Firefox from now on. I'm considering getting rid of ALL my updates to tell Microsoft where to go, but since this is affecting my Netscape and Firefox as well, and I don't know HOW, I guess I can't do that.

I'm so :banghead: :devilpoin: and :mad: that it's not even funny.

Thanks for reading and putting up with my little 'rant' and hope to hear from someone :)

Teesa

pigkeeper
2007-04-20, 22:04
Hi, I found this thread when I was going through my start-up programs with SpyBot Search & Destroy. I'm (hopefully) nearing the end of a major disinfection campaign when I was hit with several Spyware programs and Trojans all at once. I have several of the programs / .dll's you are talking about and I've fussed about on google looking for information about them.

When it comes down to it, I've found that the following are STANDARD if you have Windows XP with Service Pack 2:


The following Windows components use Winlogon notifications and their registration will exist in a default installation.

Windows XP SP 2:


Crypt32chain: crypt32.dll
Cryptnet: cryptnet.dll
Cscdll: cscdll.dll
ScCertProp: wlnotify.dll
Schedule: wlnotify.dll
Sclgntfy: sclgntfy.dll
Senslogn: wlnotify.dll
Termsrv: wlnotify.dll
Wlballoon: wlnotify.dll

This is from http://technet2.microsoft.com/WindowsVista/en/library/6ec4ec6d-6b84-44c9-b3af-116589a42b861033.mspx?mfr=true

From the wikipedia page for Winlogon: (http://en.wikipedia.org/wiki/Winlogon)

In computing, Winlogon is the component of Microsoft Windows operating systems that is responsible for handling the secure attention sequence, loading the user profile on logon, and optionally locking the computer when a screensaver is running (requiring another authentication step). The actual obtaining and verification of user credentials is left to other components. Winlogon is a common target for several threats that could modify its functioning and its memory usage. An increased memory usage for this process might indicate that it has been captured by a hijack. In Windows Vista and later operating systems, Winlogon's roles and responsibilities have changed significantly.


It's been an annoying investigation because if you google, for example "Senslogn", the first thing you get are two sites telling you that Senslogn is an advertising program by AbetterInternet Spyware. After rooting around more, I can tell you this: Maybe there's spyware that takes the same name, but definitely this senslogn is supposed to be there as a part of XP Service Pack 2.

Another thing that was really annoying was that senslogn called WlNotify.dll, not wlnotify.dll. What's with the Caps? It makes it look like it's W-I-N, not W-L-N. Google WINotify, and you get warned that that is malware. However, I finally found my way to the regedit entry for senslogn, copied and pasted the process name into Word, and hit All-caps. It is in fact WLNOTIFY, not WINOTIFY, so we're cool.

Anyway, the upshot is this: I think most users shouldn't worry about these programs being in your start-up file.

Maybe you don't want to have SP2 on your system for some reason. Maybe you don't trust it. I won't argue with you there, and I'd be the first to agree that Microsoft Corp has ties to the devil. But SP2 works for a lot of people, including me. And if you have it, these processes are supposed to be there.

I don't think, as the first commenter suggested, that ShowWnd.exe is "sending personal information". Again, it's liutilities.com that is saying that--they were also the ones with the bogus information about senslogn.

Bleepingcomputer.com says otherwise. (http://www.bleepingcomputer.com/startups/ShowWnd.exe-9519.html) See also here (http://www.bleepingcomputer.com/forums/topic27411.html) for a user who says:

"The fact that all of my searches on the Internet for "showwnd.exe" say that it is a Trojan and should be removed has caused me lots of grief."

In my campaign to clean my computer, I got some key help from bleepingcomputer.com. Spybot.info has also helped. However, I've found liutilities.com to provide incomplete and misleading information. And they're sure trying to sell you something!

I've gotten so much help from information provided by altruistic anonymous souls out there on the Net in my "Virus Battle". I took the time to write this as a sort of general "thank you", and in hopes that some other poor folk might find it in a google search and save some time.

Mad Love,

Pigkeeper

pigkeeper
2007-04-20, 22:24
an email to uniblue support:


Hi there,

Your pages on senslogn and showwnd.exe say that both are trojans. This is inaccurate information. Senslogn is a normal part of Windows XP Service Pack 2. Your site is at the top of a google search for senslogn, and I'm sure you're causing a lot of people a lot of pain when you're telling them they have a trojan and need to remove this. Are you doing this intentionally to try to sell your product? Or have you just made a mistake? Anyway, you need to fix up your act. You cost me more than two hours of wasted time and could have caused me to screw up my computer if I'd acted on your advice.

Cheers,

pigkeeper.

mrsarkar
2007-04-29, 09:33
I have SP1 (a, I think) and am preparing to migrate the XP OS to SP2.
Strangely, all those startup items pigkeeper mentioned in the 4th post are present in my Spybot SnD v1.4 startup items view.

bitman
2007-04-29, 19:23
Yup, they've existed since Windows 2000, which you'll find documented in one of the links pigkeeper provided above. Win XP Service Pack 1 is no longer supported by Microsoft, so it isn't included in the list.

It's recommended that you upgrade to Win XP SP2 so you'll be able to acquire Critical Security updates for your OS. Without these you will become infected by any of the more recent exploits that haven't been patched on SP1 since mid-2006.

http://technet2.microsoft.com/WindowsVista/en/library/6ec4ec6d-6b84-44c9-b3af-116589a42b861033.mspx?mfr=true

The following Windows components use Winlogon notifications and their registration will exist in a default installation.

Windows XP SP 2:

Crypt32chain: crypt32.dll
Cryptnet: cryptnet.dll
Cscdll: cscdll.dll
ScCertProp: wlnotify.dll
Schedule: wlnotify.dll
Sclgntfy: sclgntfy.dll
Senslogn: wlnotify.dll
Termsrv: wlnotify.dll
Wlballoon: wlnotify.dll

Windows 2000 SP 4:

Crypt32chain: crypt32.dll
Cryptnet: cryptnet.dll
Cscdll: cscdll.dll
Sclgntfy: sclgntfy.dll
Senslogn: wlnotify.dll
Termsrv: wlnotify.dll
Wzcnotif: wzcdlg.dll

tashi
2007-04-29, 20:22
Just a reminder to anyone who follows this topic.

If one has a malware infected machine and SP2 is not already installed, the computer must be free from infection before upgrading to Service Pack 2. ;)

http://forums.spybot.info/showpost.php?p=25290&postcount=4

Cheers.

Almery
2007-06-08, 23:13
deleted most of my original post because I wonder if I'm just overreacting...

anyway, I have the following come up in Spybot in my System Startup.

The font is really tricky to read, I can't tell if the second entry has an upper case i or a lower case L in there, and thus if it's legit or nasty.

Anyone able to offer me some advice here?


edit: hunting around registry it looks like it's just a fluke of capitalisation and it is W-lowercase L-N rather than a capital i. Phew!

md usa spybot fan
2007-06-09, 00:48
Almery:

When you go into Spybot > Mode > Advanced mode > System Startup you can right click on the listing and select either "Export" or "Copy to Clipboard". Working with a text file may make it easier to distinguish among different characters and also allow you to copy and paste for searches.

Almery
2007-06-09, 01:19
Ah right, thanks, I didn't realise that :)
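
Added example (not written by any poster in this thread): a small Python check that compares an exported startup listing against the Windows XP SP2 Winlogon notification list quoted above and flags DLL names that only look like a known one, such as a capital I in place of a lowercase L. The "Name: dll" layout of the export, the sample lines and the function names are assumptions made for illustration; upper-casing each name mirrors the all-caps trick pigkeeper describes.

```python
# Baseline: the Windows XP SP2 Winlogon notification list quoted in this thread.
XP_SP2_BASELINE = {
    "crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll", "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll", "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll", "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
}
KNOWN_DLLS = set(XP_SP2_BASELINE.values())

# Fold characters that look alike in many fonts: l / I / 1 / | and o / 0.
_FOLD = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})

def skeleton(name):
    """Lower-case the name and collapse confusable characters."""
    return name.lower().translate(_FOLD)

KNOWN_SKELETONS = {skeleton(d) for d in KNOWN_DLLS}

def classify(entry, dll):
    """Return 'expected', 'lookalike' or 'unknown' for one listing entry."""
    entry = entry.strip().lower()
    dll = dll.strip().lower().rsplit("\\", 1)[-1]  # drop any directory part
    if XP_SP2_BASELINE.get(entry) == dll:
        return "expected"
    if dll not in KNOWN_DLLS and skeleton(dll) in KNOWN_SKELETONS:
        return "lookalike"  # differs from a known DLL only by confusables
    return "unknown"        # not in the quoted list; needs manual review

def audit(listing):
    """Return (entry, DLL in upper case, verdict) for every 'Name: dll' line."""
    rows = []
    for line in listing.splitlines():
        if ":" not in line:
            continue
        entry, dll = line.split(":", 1)
        rows.append((entry.strip(), dll.strip().upper(), classify(entry, dll)))
    return rows

# Constructed sample in an assumed "Name: dll" layout (not real Spybot output).
SAMPLE = r"""
Senslogn: WlNotify.dll
Schedule: C:\WINDOWS\system32\wlnotify.dll
Senslogn: WINotify.dll
Termsrv: w1notify.dll
ExampleEntry: example.dll
"""

if __name__ == "__main__":
    for entry, shown, verdict in audit(SAMPLE):
        print(f"{verdict:10} {entry:14} {shown}")
```

An "unknown" verdict only means the entry is not in the list quoted in this thread; it is not a malware verdict by itself.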