-
actual winlogon.exe is connecting to http
Hi,
I recently removed a spyware infestation from a PC of a colleague of mine which mainly consisted of some CoolWWW components and a program trying to appear as a security center application that displays spyware warnings.
I think I got rid of most of the components after running Spybot S&D in Safe Mode in Windows 2000, however one thing still remains. After I installed Kerio Personal Firewall I found that the actual winlogon.exe is connecting to two different IP addresses via http, one is owned by an internet service in Ukraine, the other one is owned by an internet service in the US.
If I allow the connection to go through, the program apparently downloads a file that is detected by Antivir as a trojan, which is stored in \windows\system32\1024\LXXX.tmp\LXXX.tmp (something like that) (the file is identified as TR/Dialer.MI.1).
I wonder if this is a known threat; I tried to locate the program by the HiJackThis logfile, but everything looked OK to me.
I have scanned the computer with Antivir, McAfee and ClamAV and run Spybot 1.4 and Adaware lite before saving the HijackThis log.
bye, Alexander
Logfile of HijackThis v1.99.1
Scan saved at 17:04:51, on 10.11.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Programme\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Programme\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\system32\atiptaxx.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\WINNT\system32\HPJETDSC.EXE
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Dokumente und Einstellungen\Administrator\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://office.arcor-online.net/arcor/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [HP JetDiscovery] HPJETDSC.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = arcor-online.net,germany.net,arcor.de
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = arcor-online.net,germany.net,arcor.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = arcor-online.net,germany.net,arcor.de
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Programme\Kerio\Personal Firewall 4\kpf4ss.exe
-
Hi
Make a list of the contents of that folder for us
an easy way is to make a batch
Copy the bolded below into a new notepad document (not wordpad).
Click file> save as...> call it check.bat > file types *all files*> and save it to desktop.
Dir C:\windows\system32\1024 >>logit.txt
start notepad logit.txt
Run check.bat and post the log that will open please
-
I'm pretty sure the actual program is not stored in this directory, the program just downloads one file to the dir and tries to start it.
I will post the result tomorrow
-
ok, I did some more tests and I think I found some programs in \windows\system32, see below
When I sniffed the outgoing connection I found that winlogon connects to the domain ware2006.com and accesses 3 URLs, one of which returns a Windows executable that is probably the trojan horse that is detected by the virus scanner.
as requested, here are the suspect files as dir:
Datenträger in Laufwerk C: ist System
Datenträgernummer: 2CC2-8DBD
Verzeichnis von c:\winnt\system32\1024
11.11.2005 13:08 <DIR> .
11.11.2005 13:08 <DIR> ..
11.11.2005 13:07 31.776 ld2213.tmp
1 Datei(en) 31.776 Bytes
2 Verzeichnis(se), 10.948.587.520 Bytes frei
Datenträger in Laufwerk C: ist System
Datenträgernummer: 2CC2-8DBD
Verzeichnis von c:\winnt\system32\adware
11.11.2005 15:50 <DIR> .
11.11.2005 15:50 <DIR> ..
11.11.2005 10:56 15.360 ld1B5.tmp
11.11.2005 13:03 15.360 ld8DD.tmp
08.11.2005 19:53 10.832 mscornet.exe
11.11.2005 13:06 5.120 msvol.tlb
11.11.2005 13:08 188 ncompat.tlb
11.11.2005 13:06 12.744 nvctrl.exe
11.11.2005 13:07 4.286 ot.ico
08.11.2005 20:02 102.400 svchosts.dll
11.11.2005 13:07 4.286 ts.ico
9 Datei(en) 170.576 Bytes
2 Verzeichnis(se), 10.948.583.424 Bytes frei
please note that the files are initially in the dir \winnt\system32, I just moved them to adware to disable the programs in safe mode
bye
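When a thread like this asks for dir output (the check.bat listing requested earlier and the two listings posted above), it helps to parse the German cmd.exe format (dd.mm.yyyy dates, dotted thousands separators) mechanically rather than by eye. This is an added example, not code from the thread: it parses the listings posted above, plus one made-up older system32 entry so the filter has something to leave alone, and flags executables or .tmp files under system32 that were modified within a few days of the newest file. The 7-day window and the flagged extensions are assumptions chosen for illustration.

```python
import re
from datetime import datetime

# Constructed sample: the two listings posted in this thread (German "dir" output),
# plus one made-up older kernel32.dll entry that the filter should not flag.
SAMPLE_DIR_OUTPUT = """\
 Verzeichnis von c:\\winnt\\system32\\1024
11.11.2005  13:08    <DIR>          .
11.11.2005  13:07            31.776 ld2213.tmp
               1 Datei(en)         31.776 Bytes
 Verzeichnis von c:\\winnt\\system32\\adware
11.11.2005  10:56            15.360 ld1B5.tmp
08.11.2005  19:53            10.832 mscornet.exe
11.11.2005  13:06            12.744 nvctrl.exe
08.11.2005  20:02           102.400 svchosts.dll
11.11.2005  13:07             4.286 ot.ico
 Verzeichnis von c:\\winnt\\system32
19.06.2003  13:05           736.768 kernel32.dll
"""

DIR_RE = re.compile(r"^\s*Verzeichnis von (.+?)\s*$")
ENTRY_RE = re.compile(r"^(\d{2}\.\d{2}\.\d{4})\s+(\d{2}:\d{2})\s+([\d.]+)\s+(\S.*?)\s*$")
SUSPECT_EXT = (".exe", ".dll", ".tmp", ".tlb")  # assumption: file types worth a second look

def parse_dir_listing(text):
    """Parse German 'dir' output into (directory, name, size_bytes, mtime) tuples."""
    entries, current_dir = [], None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current_dir = m.group(1)
            continue
        m = ENTRY_RE.match(line.strip())
        if not m:  # <DIR> rows, summary rows and blank lines do not match
            continue
        date, time, size, name = m.groups()
        mtime = datetime.strptime(f"{date} {time}", "%d.%m.%Y %H:%M")
        entries.append((current_dir, name, int(size.replace(".", "")), mtime))
    return entries

def flag_suspicious(entries, window_days=7):
    """Suspect-extension files under system32 modified within window_days of the newest entry."""
    if not entries:
        return []
    newest = max(e[3] for e in entries)
    return sorted(
        (e for e in entries
         if "system32" in e[0].lower()
         and e[1].lower().endswith(SUSPECT_EXT)
         and (newest - e[3]).days <= window_days),
        key=lambda e: e[3], reverse=True)
```

Newest-first output puts the freshly dropped ld*.tmp files and the look-alike names (svchosts.dll, mscornet.exe) at the top, while the old kernel32.dll entry is left alone.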
-
Hi
Are you seeing the symptoms and registry modifications mentioned here?
Symantec Security Response - Adware.TopAV:
Last Updated on: November 10, 2005 01:19:13 PM
http://sarc.com/avcenter/venc/data/adware.topav.html
-
That's not quite the same thing, the program doesn't change the wallpaper but displays something in the system tray.
I also checked for the registry keys mentioned on the page, but they don't exist.
bye