cTreamer Posted January 17, 2009 (edited)

Hello at first to all. I've got a big problem with my own Windows XP Pro installation CD which I made with the nLite tool. After the first Windows installation from that CD everything was OK at first look. After some weeks passed, Windows began downloading TROJANS, VIRUSES and all this stuff you know, by itself. I didn't immediately understand what was going on the first 2-3 days; after that I decided to look into my system memory with a professional task manager. I took AnVir Task Manager Pro and went into the Processes section. At the same time, below the Processes section are shown all TCP/UDP connections from all those small system services that are loaded into DDR-RAM. What I saw at first look is that all services are doing their jobs well, except one: the Microsoft NT login and logout service called winlogon.exe. Instead of winlogon.exe doing only what it should do, it's connecting to one IP address, 58.65.234.90 in Hong Kong; after I see "connection established", winlogon.exe is downloading some small files, and these files are all TROJANS, VIRUSES, SPYWARE (rs32net.exe, reader_s.exe, head1041.exe, V1215.TEMP) and many hundred more. I've burned more than 20 CDs and every time it's the same, you know. After installing the WLAN USB stick driver and connecting to my router, within half a second that winlogon.exe recognizes that I am connected to the Internet and begins that game from the beginning. At first, I know now what the reason for that trojan downloading & co. is, and that's OK. The problem is how I get it out of my computer. Each time I make my own Windows installation CD with nLite and burn it on CD, that winlogon.exe is also burned onto the CD (C:\i386\), hidden without my knowledge. I've tried to UNPACK it, you know, but I get the error "It's not possible because Visual C++ 6.0, 8.0"; it looks like a native Microsoft file but it isn't.

So what should I do, with which anti-spyware/antivirus tool can I find out what is going on? I hadn't such problems with Service Pack 2, you know, for over 3 years; only since I am trying to slipstream SP3 into Windows do I have this problem. Thank you to all that are trying to help me!!!

cTreamer

Edited January 17, 2009 by cTreamer
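A defender-side check for the symptom described in the post above (a core system process holding an outbound connection), as an added example that is not the poster's code or part of any tool mentioned in this thread: it pairs the output of the XP built-ins `netstat -ano` and `tasklist /fo csv` and flags active external sessions owned by processes that should never open one, or by a PID that tasklist does not list. The sample outputs are constructed.

```python
"""Flag outbound connections from Windows processes that should never open any,
such as winlogon.exe.  Added example, not code from the original poster or from
any tool he mentions; it assumes the text formats of the XP built-ins
`netstat -ano` and `tasklist /fo csv`, and the sample outputs are constructed."""
import csv
import io
import ipaddress

# Core Windows processes with no legitimate reason to initiate TCP sessions.
NEVER_OUTBOUND = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
ACTIVE_STATES = {"ESTABLISHED", "SYN_SENT"}

# Constructed sample of `tasklist /fo csv`.
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"winlogon.exe","584","Console","0","3,512 K"
"svchost.exe","912","Console","0","4,120 K"
"firefox.exe","1844","Console","0","61,204 K"
'''
# Constructed sample of `netstat -ano` (UDP lines have no State column).
NETSTAT_SAMPLE = '''  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.5:1042       58.65.234.90:80        ESTABLISHED     584
  TCP    192.168.1.5:1055       63.245.209.93:443      ESTABLISHED     1844
  TCP    192.168.1.5:1061       192.168.1.1:80         TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
'''

def parse_tasklist(text):
    """Map PID -> lower-cased image name."""
    return {int(r["PID"]): r["Image Name"].lower()
            for r in csv.DictReader(io.StringIO(text))}

def parse_netstat(text):
    """Yield (remote, state, pid) for every TCP line of netstat -ano."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP":
            yield f[2], f[3], int(f[4])

def is_external(remote):
    """True when the foreign address is a routable (non-private) IPv4 host."""
    try:
        addr = ipaddress.ip_address(remote.rsplit(":", 1)[0])
    except ValueError:          # "*" or a hostname: not classifiable
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_unspecified)

def find_suspicious(netstat_text, tasklist_text):
    """Active external sessions owned by a NEVER_OUTBOUND process or by a PID
    that tasklist does not list (the process may be hiding itself)."""
    names = parse_tasklist(tasklist_text)
    hits = []
    for remote, state, pid in parse_netstat(netstat_text):
        if state in ACTIVE_STATES and is_external(remote):
            image = names.get(pid, "<unlisted pid %d>" % pid)
            if pid not in names or image in NEVER_OUTBOUND:
                hits.append((image, remote, state))
    return hits
```

On the constructed samples this returns the single hit `("winlogon.exe", "58.65.234.90:80", "ESTABLISHED")`; a hit on a process like winlogon.exe usually means code running inside that process rather than a replaced file, so the next step is inspecting its threads and loaded modules, not just the file on disk.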
DigeratiPrime Posted January 18, 2009

OK, winlogon.exe is actually an extremely important file included with Windows since NT. It is supposed to be in the I386 folder of your install source, and during setup it is expanded to the System32 folder. However, the winlogon process on your system has been hijacked by malware. Most likely you can suspend and then kill the rogue threads using Sysinternals Process Explorer. Then you can try running some AV software or a manual cleaning. I think you were doing the right thing, though, going for a reinstall or repair install, because it is difficult to know the extent to which your computer has been infected. Just back up everything to a secondary drive or partition.
mara- Posted January 18, 2009

Well, I think the computer on which you built the nLite CD is infected. So that malware infected your CD, and every time you install Windows with that CD, the malware is there. You will need to clean the computer on which you are building the nLite CD and then create a new nLited Windows from scratch.

Cheers
cTreamer (Author) Posted January 18, 2009

I've now found a little bit more stuff with the freeware anti-rootkit GMER. On a connection attempt from winlogon.exe, GMER shows me the following:

HOST: ircd.zief.pl
PORT: 80

Of course I've selected "always block" for this connection to the host. At the moment I can use the Internet because GMER blocked that, and I have peace in my brain. The main problem still remains, so for that I'm going to take some strong antivirus & anti-spyware and scan all my hard discs, partitions & co. When that problem is fixed I'm going to post the results again. First I'll try Sunbelt's VIPRE v3.3 and then the others, so what do you think, good choice or not???

cTreamer
Tarun Posted January 19, 2009

Please download my Anti-Malware Toolkit and get the Professional package. Then follow the directions in the PC Cleanup guide. After that, please post a HijackThis log.
cTreamer (Author) Posted January 19, 2009

I've already seen your advice and scanned with Ewido, Anti-Malware and SUPERAntiSpyware. It took more than 4 hours and all 3 programs found nothing. So what's the next step?
Tarun Posted January 19, 2009

Using every program listed with the recommended settings in the Professional Package/PC Cleanup guide and posting a HijackThis log.
cTreamer (Author) Posted January 19, 2009 (edited)

So here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:28:23, on 26.01.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20935)
Boot mode: Normal

Windows folder: C:\WINDOWS
System folder: C:\WINDOWS\SYSTEM32
Hosts file: C:\WINDOWS\System32\drivers\etc\hosts

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\kxmixer.exe
F:\All Treiber\Netgear\W-Lan USB Stick WG 111 v3\WG 111 v3\WG111v3.exe
F:\Browser&Co\Mozilla Firefox 3.0.5\Mozilla Firefox\firefox.exe
F:\Anti Adware,Maleware,SpyWare,Aureate,Radiate&Co\Trend Micro-HijackThis 2.0.2\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://research.sunbeltsoftware.com/RMP/th...nkid=SBVIPRE_EN
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll (filesize 320920 bytes, MD5 35E6FB6E6003BD54A5D69C9C1C762192)
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll (filesize 34816 bytes, MD5 5D57FD3DF32DC69CEC3D1D54B4C43162)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (filesize 73728 bytes, MD5 F68EDAFE003F2B3523C0742CD3B8D673)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (filesize 142848 bytes, MD5 1F5F14678F42E84413BA03BF55E25D99)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install (filesize 1642496 bytes, MD5 BB54DEC1905B69FD4E5B75D881570715)
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (filesize 142848 bytes, MD5 1F5F14678F42E84413BA03BF55E25D99)
O4 - HKLM\..\Run: [kX Mixer] C:\WINDOWS\system32\kxmixer.exe --startup (filesize 541696 bytes, MD5 8DBDBCB810557BC7879BBC8AB9B78095)
O4 - HKCU\..\RunOnce: [Privacy Suite] "F:\Daten Erase,Vernichten,Fesplatten Seuberung&Co\CyberScrub Privacy Suite Professional Edition 5.0.0.126\Cyber Privacy Suite\CyberScrub Privacy Suite\CSPSeraser.exe" "/R:C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\CyberScrub\Privacy Suite" (filesize 872080 bytes, MD5 4B853B35B60CEB12CB21071E40B34516)
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [iE7] rundll32 advpack.dll,LaunchINFSection IE7.inf,FirstUserStart (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = F:\All Treiber\Netgear\W-Lan USB Stick WG 111 v3\WG 111 v3\WG111v3.exe (filesize 1540096 bytes, MD5 F7E1DA8AE2FB2C286CCD8ACB523C3864)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 634368 bytes, MD5 94154ACA90B388970978966A30E0E0AA)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 634368 bytes, MD5 94154ACA90B388970978966A30E0E0AA)
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6224 bytes

===== Post Nº 2 =====

You know, by the way, there is also one thing that I forgot to write. When I install some antivirus suite like Alwil Avast, Avira & co., at the next system start they are all replaced, corrupted, damaged by "something". Kaspersky is the only one which has a self-protection mechanism against malware, and I can use it without errors. I have something in my system that is very hard to beat and destroy. God help me please.

cTreamer

Edited February 8, 2009 by Yzöwl
Posting without reply; posts merged.
Tarun Posted January 20, 2009

Did SUPERAntiSpyware or Malwarebytes find anything?
cTreamer (Author) Posted January 21, 2009

No, they both have reported false positives. But Sunbelt's VIPRE v3.3 has found 12 malware items, of which 8 were heuristic mistakes and 4 real trojans. I've deleted all those 4 files and left the other 8 in peace because they are all normal files and not trojans & spyware. You know what I think: maybe all this is about the CONFICKER worm, because the symptoms are very much the same, spreading around over port 445 RPC. I don't know, maybe somebody from outside is contacting my winlogon.exe and then infecting it. Normally in all update packs integrated into the CD there should also be that one patch from October 2008 against the CONFICKER worm. I'm hearing about this for the first time now, you know, 2-3 months later, and yesterday I downloaded this security fix and installed it. What do you think about the CONFICKER worm and its 3 kinds (a, b, c)???

Greets
cTreamer
Tripredacus Posted January 21, 2009

I've not found Conficker doing anything to winlogon.exe. Also, unless something has changed in the past week, Conficker hasn't been activated, last I knew. If you have Conficker, unhide your protected system files, go into Recycler and see if you can find a folder with a SID in it... I forget which one; also the root volumes of all your drives will have this in them, and an autorun.inf that points to that SID.
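A check for the marker Tripredacus describes (an autorun.inf in a drive root whose launch entry points into a RECYCLER folder named like a SID), as an added example that is not the poster's own procedure; the drive roots, the SID value and the file name loader.dll are constructed in a temporary directory so the script runs anywhere.

```python
"""Check drive roots for the marker described above: an autorun.inf whose
launch entry points into a RECYCLER folder named like a SID (S-1-5-...).
Added example, not the poster's own procedure; the drive roots and autorun.inf
files are constructed in a temp directory so it runs anywhere."""
import os
import re
import tempfile

# A launch key (open=, shellexecute=, shell\<verb>\command=) whose value names
# a RECYCLER\S-<n>-<n>-... directory.  Case-insensitive: droppers vary case.
LAUNCH_KEY = re.compile(r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+)$", re.I)
SID_DIR = re.compile(r"RECYCLER[\\/]S-\d+(?:-\d+){2,}", re.I)

def check_autorun(root):
    """Return the offending launch line of <root>/autorun.inf, else None."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):        # isfile sees hidden/system files too
        return None
    # Droppers pad the file with junk lines, so scan line by line rather than
    # trusting a strict INI parser that might choke or skip sections.
    with open(path, encoding="latin-1", errors="replace") as fh:
        for line in fh:
            m = LAUNCH_KEY.match(line)
            if m and SID_DIR.search(m.group(2)):
                return line.strip()
    return None

def scan_roots(roots):
    """Map each drive root that carries the marker to its launch line."""
    hits = {}
    for root in roots:
        line = check_autorun(root)
        if line:
            hits[root] = line
    return hits

def build_demo():
    """Constructed roots: F (ordinary CD-style autorun) and G (marker)."""
    base = tempfile.mkdtemp()
    clean, bad = os.path.join(base, "F"), os.path.join(base, "G")
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1000"   # constructed
    os.makedirs(os.path.join(bad, "RECYCLER", sid))
    os.makedirs(clean)
    with open(os.path.join(clean, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=setup.exe\nicon=setup.exe,0\n")
    with open(os.path.join(bad, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\n;zzzz junk\nAcTiOn=Open folder to view files\n"
                 "ShellExecute=RUNDLL32.EXE .\\RECYCLER\\%s\\loader.dll,Start\n" % sid)
    return clean, bad
```

On XP, RECYCLER legitimately holds one S-1-5-21-... folder per user who has deleted files, so a SID-named folder alone proves nothing; the autorun.inf entry that launches something from it is the signal. To use it on a live system, pass the real drive roots (for example `scan_roots(["C:\\", "F:\\", "G:\\", "H:\\"])`) instead of the constructed ones.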
cTreamer (Author) Posted January 21, 2009

No, I am clever; I am always deleting "System Volume Information" and then "Recycler Bin" on all my hard discs & partitions, and the Windows "Backup Function" is deactivated for all partitions because I have my own favourite one. Exactly because of that I have nightmares, you know; I don't understand where such a trojan/virus could still hide when I am doing everything perfectly on my system. My access point is an expensive one, with professional hardware firewall functions and options that you can only dream of. Including IDS, IPS, SPI, normally it should block all unwanted incoming connections. I've tested it with very hard online tests, you know; they are all saying "you are perfectly hidden, no chance to connect to your computer", grade "Excellent". Also I've put it under stress tests like DoS, DDoS and more; it is not crashing, not restarting, nothing, the most stable router that I ever owned: D-Link DSL-2741B WLAN 300 Mbit router. There must be some reason why this is happening, you know; I must find it out.

Greetings
cTreamer
DigeratiPrime Posted January 29, 2009

Can you mount the hard disk in another computer that is not subverted and scan it from there? I would suggest booting from WinPE, since it would be in RAM and not susceptible to whatever is on your system.

Rootkits, especially kernel-mode ones, can modify the Windows API so they are invisible to any other processes. The only way to see and remove them, other than a reformat, is with a better kernel-mode driver or by analyzing the disk 'offline' as I suggested above.
Tarun Posted January 29, 2009

At this point in time I'd say format and reinstall using an official Windows XP CD.
cTreamer (Author) Posted January 29, 2009 (edited)

So look at the following: I've got one 500 GB hard disc split into 2x250 GB partitions F and G. F is the all-round files partition and G is the multimedia one (videos, music, MP3, Internet radio streams, CD copies, peer-to-peer) only. Then there is another hard disc, a Maxtor S-ATA 120 GB, partition H. H is the extension for F, meaning that when there is not enough space the files are stored on H. Normally I want to install Windows on a separate hard disc on its own partition, but I've had a hard disc crash and am waiting for a new Seagate IDE 320 GB hard disc that is going to be used only for all kinds of operating system installations: Windows, Linux, Unix and Mac OS. At the moment I am installing Windows on some small 5 GB partition of that 500 GB WD hard disc, you know. All together I have 3 normal partitions F:\, G:\, H:\, plus C:\, Windows' own partition. Now it's clear for you to understand where what is hidden or could be hidden. I've scanned with more than 45 known and unknown antivirus, anti-spyware, anti-adware, anti-malware, anti-trojan and anti-rootkit tools and they find nothing on all 3 partitions F, G, H, you know. Also with all kinds of Internet security suites: Kaspersky, Avira, F-Secure, G-Data, Eset NOD32 and more. All possible anti-spyware suites from the smallest up to robust ones like Sunbelt's CounterSpy v2, 3, which has the most definitions, over 500,000. A second computer I've not got, but even if I had it, I don't think that it could change something, you know. Maybe somebody has broken my router's WLAN SSID password, which is over 32 letters long, 99% uncrackable WPA2-PSK AES 256-bit; this was an idea from one police department officer with whom I spoke too about this problem, you know. What else could it be, when my WLAN is safe and not broken, on my hard discs and partitions I am finding nothing, and the boot sectors are clean, MBR, MFT & co.?
The latest theory is that somehow somebody or something (zombies, domains, infected network PCs) is scanning my PC and, after finding a leak in the DCOM/RPC services, is sending commands into winlogon.exe, which then connects to IP addresses in Hong Kong, you know. But every time, before the connection with some IPs in Hong Kong has been established, nothing has been downloaded beforehand, because I think that first some small files must be downloaded which finally infect/manipulate winlogon.exe itself, which then does what all this cyber mafia wants. I've done some trace routes with professional tools & software; maybe it is interesting for you:

Host: ircd.zief.pl - behind this host are 2 IPs, 58.65.234.90 and 61.235.117.80; winlogon.exe is connecting to one of them and downloading all that crap!
Port: 80
Name: ircd.zief.pl
IP address: 58.65.232.34
Location: Hong Kong SAR (22.283N, 114.150E)
Network: APNIC-58

(NeoTrace 3.25 route output and the ARIN/APNIC and .pl registrar WHOIS records for ircd.zief.pl followed here.)

So at first winlogon.exe is connecting to some server with the domain ircd.zief.pl of this Internet consulting firm in Poland, which is probably infected, then getting redirected to IPs in Hong Kong. Are hackers behind all this mystery, or just infected networks and their computers in China?

Greetings
cTreamer

Edited January 29, 2009 by cTreamer