
Thread: actual winlogon.exe is connecting to http

  1. #1 Junior Member (Germany; joined Nov 2005; 1 post)

    Hi,

    I recently removed a spyware infestation from a PC of a colleague of mine which mainly consisted of some CoolWWW components and a program trying to appear as a security center application that displays spyware warnings.

    I think I got rid of most of the components after running Spybot S&D in Safe Mode on Windows 2000; however, one thing still remains. After installing Kerio Personal Firewall I found that the actual winlogon.exe is connecting to two different IP addresses via HTTP: one is owned by an internet service in Ukraine, the other by an internet service in the US.

    If I allow the connection to go through, the program apparently downloads a file that is detected by AntiVir as a trojan, which is stored in \windows\system32\1024\LXXX.tmp\LXXX.tmp (something like that) (the file is identified as TR/Dialer.MI.1).

    I wonder if this is a known threat. I tried to locate the program using the HijackThis logfile, but everything looked OK to me.

    I scanned the computer with AntiVir, McAfee and ClamAV and ran Spybot 1.4 and Ad-Aware Lite before saving the HijackThis log.

    bye, Alexander


    Logfile of HijackThis v1.99.1
    Scan saved at 17:04:51, on 10.11.2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Programme\AVPersonal\AVGUARD.EXE
    C:\WINNT\System32\Ati2evxx.exe
    C:\Programme\AVPersonal\AVWUPSRV.EXE
    C:\Programme\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Programme\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Programme\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINNT\system32\atiptaxx.exe
    C:\Programme\AVPersonal\AVGNT.EXE
    C:\WINNT\system32\HPJETDSC.EXE
    C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
    C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Dokumente und Einstellungen\Administrator\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://office.arcor-online.net/arcor/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
    O4 - HKCU\..\Run: [HP JetDiscovery] HPJETDSC.EXE
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = arcor-online.net,germany.net,arcor.de
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = arcor-online.net,germany.net,arcor.de
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = arcor-online.net,germany.net,arcor.de
    O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
    O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
    O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Programme\Kerio\Personal Firewall 4\kpf4ss.exe

  2. #2 Security Expert-Emeritus (joined Oct 2005; 5,025 posts)

    Hi

    Make a list of the contents of that folder for us; an easy way is to make a batch file.
    Copy the bolded text below into a new Notepad document (not WordPad).
    Click File > Save as... > call it check.bat > file type *All files* > and save it to the desktop.
    REM %SystemRoot% is C:\WINNT on this machine (see the HijackThis log)
    Dir %SystemRoot%\system32\1024 >>logit.txt
    start notepad logit.txt

    Run check.bat and post the log that will open, please.

  3. #3 Junior Member (Germany; joined Nov 2005; 1 post)

    I'm pretty sure the actual program is not stored in this directory, the program just downloads one file to the dir and tries to start it.

    I will post the result tomorrow

  4. #4 Junior Member (Germany; joined Nov 2005; 1 post)

    OK, I did some more tests and I think I found some programs in \windows\system32, see below.

    When I sniffed the outgoing connection I found that winlogon connects to the domain ware2006.com and accesses 3 URLs; one of them returns a Windows executable that is probably the trojan horse detected by the virus scanner.


    As requested, here are the suspect files as a dir listing:

    Datenträger in Laufwerk C: ist System
    Datenträgernummer: 2CC2-8DBD

    Verzeichnis von c:\winnt\system32\1024

    11.11.2005 13:08 <DIR> .
    11.11.2005 13:08 <DIR> ..
    11.11.2005 13:07 31.776 ld2213.tmp
    1 Datei(en) 31.776 Bytes
    2 Verzeichnis(se), 10.948.587.520 Bytes frei

    Datenträger in Laufwerk C: ist System
    Datenträgernummer: 2CC2-8DBD

    Verzeichnis von c:\winnt\system32\adware

    11.11.2005 15:50 <DIR> .
    11.11.2005 15:50 <DIR> ..
    11.11.2005 10:56 15.360 ld1B5.tmp
    11.11.2005 13:03 15.360 ld8DD.tmp
    08.11.2005 19:53 10.832 mscornet.exe
    11.11.2005 13:06 5.120 msvol.tlb
    11.11.2005 13:08 188 ncompat.tlb
    11.11.2005 13:06 12.744 nvctrl.exe
    11.11.2005 13:07 4.286 ot.ico
    08.11.2005 20:02 102.400 svchosts.dll
    11.11.2005 13:07 4.286 ts.ico
    9 Datei(en) 170.576 Bytes
    2 Verzeichnis(se), 10.948.583.424 Bytes frei

    Please note that the files were initially in the dir \winnt\system32; I just moved them to adware to disable the programs in safe mode.



    bye
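The two dir listings in this post, and the check.bat procedure in post #2 that produces them, are the kind of output a helper reads by hand. The following Python script is an added example and is not part of the thread: it parses a German-locale dir listing (the adware folder listing above, embedded as constructed sample input), cross-checks the file count and byte total against the "Datei(en)" summary line so a truncated or hand-edited paste is caught, and flags .tmp files plus names within one character of a core system binary (svchosts.dll next to the real svchost). The list of known process names is taken from the HijackThis log in post #1; the flagging rules and all function names are assumptions of this example, not anything the thread states.

```python
import os
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the German-locale "dir" listing of the quarantine
# folder as posted in the thread (one of the two listings above).
SAMPLE_DIR_OUTPUT = """\
Datenträger in Laufwerk C: ist System
Datenträgernummer: 2CC2-8DBD

Verzeichnis von c:\\winnt\\system32\\adware

11.11.2005 15:50 <DIR> .
11.11.2005 15:50 <DIR> ..
11.11.2005 10:56 15.360 ld1B5.tmp
11.11.2005 13:03 15.360 ld8DD.tmp
08.11.2005 19:53 10.832 mscornet.exe
11.11.2005 13:06 5.120 msvol.tlb
11.11.2005 13:08 188 ncompat.tlb
11.11.2005 13:06 12.744 nvctrl.exe
11.11.2005 13:07 4.286 ot.ico
08.11.2005 20:02 102.400 svchosts.dll
11.11.2005 13:07 4.286 ts.ico
9 Datei(en) 170.576 Bytes
2 Verzeichnis(se), 10.948.583.424 Bytes frei
"""

# Assumption of this example: core Windows 2000 process names, taken from the
# "Running processes" section of the HijackThis log in post #1.
KNOWN_SYSTEM_STEMS = {"smss", "csrss", "winlogon", "services", "lsass",
                      "svchost", "spoolsv", "explorer"}


@dataclass
class DirEntry:
    mtime: datetime
    size: int
    name: str


# "dd.mm.yyyy hh:mm <size> <name>"; <DIR> rows do not match because the size
# group accepts digits and thousands separators only.
ENTRY_RE = re.compile(r"^(\d{2}\.\d{2}\.\d{4})\s+(\d{2}:\d{2})\s+([\d.]+)\s+(\S.*)$")
SUMMARY_RE = re.compile(r"^(\d+)\s+Datei\(en\)\s+([\d.]+)\s+Bytes$")
FOLDER_RE = re.compile(r"^Verzeichnis von\s+(.+)$")


def parse_size(text: str) -> int:
    """German locale writes 170.576 for 170576: strip the thousands separators."""
    return int(text.replace(".", ""))


def parse_dir_listing(text: str) -> Tuple[Optional[str], List[DirEntry], Optional[Tuple[int, int]]]:
    """Return (folder, file entries, (file count, total bytes) from the summary line)."""
    folder = None
    entries: List[DirEntry] = []
    summary = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := FOLDER_RE.match(line)):
            folder = m.group(1)
        elif (m := SUMMARY_RE.match(line)):
            summary = (int(m.group(1)), parse_size(m.group(2)))
        elif (m := ENTRY_RE.match(line)):
            date, time, size, name = m.groups()
            mtime = datetime.strptime(f"{date} {time}", "%d.%m.%Y %H:%M")
            entries.append(DirEntry(mtime, parse_size(size), name))
    return folder, entries, summary


def summary_is_consistent(entries: List[DirEntry], summary: Optional[Tuple[int, int]]) -> bool:
    """A listing that was edited by hand or truncated when pasted fails this check."""
    if summary is None:
        return False
    return (len(entries), sum(e.size for e in entries)) == summary


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to spot one-character lookalikes of known names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_suspicious(entries: List[DirEntry]) -> Dict[str, List[str]]:
    """Flag .tmp files and names within one edit of a core system binary.
    These rules are this example's assumptions, not a detection signature."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        stem, ext = os.path.splitext(e.name.lower())
        reasons = []
        if ext == ".tmp":
            reasons.append("temporary file in a system directory")
        for known in sorted(KNOWN_SYSTEM_STEMS):
            if stem != known and levenshtein(stem, known) == 1:
                reasons.append(f"name resembles system binary {known}")
        if reasons:
            findings[e.name] = reasons
    return findings


if __name__ == "__main__":
    folder, entries, summary = parse_dir_listing(SAMPLE_DIR_OUTPUT)
    print(f"{folder}: {len(entries)} files, summary consistent: "
          f"{summary_is_consistent(entries, summary)}")
    for name, reasons in find_suspicious(entries).items():
        print(f"  {name}: {'; '.join(reasons)}")
```

Run it against the text of logit.txt from check.bat instead of the embedded sample to triage a freshly posted listing; the consistency check is what tells you the poster pasted the whole log rather than a fragment.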

  5. #5 Security Expert-Emeritus (joined Oct 2005; 5,025 posts)

    Hi

    Are you seeing the symptoms and registry modifications mentioned here?
    Symantec Security Response - Adware.TopAV:
    Last Updated on: November 10, 2005 01:19:13 PM
    http://sarc.com/avcenter/venc/data/adware.topav.html

  6. #6 Junior Member (Germany; joined Nov 2005; 1 post)

    That's not quite the same thing: the program doesn't change the wallpaper but displays something in the system tray.

    I also checked for the registry keys mentioned on the page, but they don't exist.

    bye

  7. #7 Security Expert-Emeritus (joined Oct 2005; 5,025 posts)

    Hi
    Download and run this tool:

    Download smitRem.exe and save the file to your desktop.
    Double click on the file to extract it to its own folder on the desktop.
    Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
    Wait for the tool to complete and Disk Cleanup to finish.
    The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

  8. #8 Member of Team Spybot (USA; joined Oct 2005; 30,485 posts)

    Due to lack of a response this topic will be archived.
    If you need to have the topic reopened please pm your volunteer helper.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
