Virus? Winlogon.exe and rundll32.exe


dalegtr18

Hi, folks. Normally, I consider myself fairly self-sufficient when it comes to viruses and spyware but this one is getting a little sticky. After I boot my pc (or just shortly after), I get a notification from ZoneAlarm that winlogon.exe and rundll32.exe are trying to run. This has been going on for about a week now. I did a Panda scan and it found a SurfSidekick ssk.log in one of my Temp IE folders, which I promptly emptied out. I also ran Spybot, AdAware and Microsoft's Antispyware program and they each cleaned a few entries out. Now, when I run Norton AV, Spybot, AdAware and Microsoft Antispyware program, they all tell me I am completely clean. However, I just checked the ZA log and see that rundll32.exe and winlogon are still at it. I've done some google searches but most that refer to viruses list the following, which don't seem to jive with anything I find in the registry: Trojan.StartPage, Backdoor.Lastdoor, W32.Miroot.Worm. Unless they are making hidden entries (rootkit infection, perhaps?), I can't find any entries that relate, nor can I find misplaced copies of these files in other folders. Maybe they have replaced the original files??? Any ideas? Thanks tons in advance.


Windows' Task Manager shows Winlogon running on my system. It has a file date of 8/4/04. I run ZA also and rundll32 is authorized to access the 'net. It has a date of 8/4/04 also. Both files are on a Win XP Home SP2 system. hth


Why should rundll need to access the net? In fact, if you don't turn on automatic updates, why should ANY M$ program need net access?

Just to clarify a bit-- there is a legitimate winlogon.exe process in Windows 2000 but I highly doubt the one I'm having trouble with is legit, as it has only been acting this way for the past week, along with rundll32.exe, which shows up in my running processes.


Have you tried running Hijackthis?

Hi, lewmur. Thanks for the reply. I ran it last night and had a couple questions about some items that showed up in O8. For the most part it looked good but was curious about one or two things. Should I post the log here when I get back home?


Yes. And you could also post it on the Hijackthis site. If someone here doesn't recognize the culprit, then someone there might.

O8 entries on a HJT logfile are just for context menu items in IE, hardly something to worry about really, and rarely if ever have I seen something inserted by any type of virus in that section.


Thanks TeMerc. I will post my HiJackThis log later tonight, tho based on what you said I kind of suspect that I may have to look elsewhere for clues about this.
Dale

I would strongly advise you try a couple of free trial av scanners, even tho the virus the exe points to is rather old and should be caught by your resident av.

And, after reading this again (this morning my eyes apparently were not quite open) you may need to kill the running process before trying to remove\delete it.

Here are a couple of links to some free av scanners:
Kaspersky
Ewido Security Suite
Trojan Hunter

Be sure and check for updates with each, before running. I'll look for your log tonite.

Edited by TeMerc

Thanks TeMerc. I'll check a couple of those out. For the record, Norton comes up clean. Panda also comes up virus free but does complain about spyware finds - an ssk.log file for SurfSidekick. I'm hoping this isn't a rootkit infection (actually, in an odd way, I sort of AM hoping it is. It would be fun to poke around on this!)
Dale


OK, here it is. I didn't get a chance to scan for viruses with any of the links yet but will do so as soon as I get time. Thanks!

Logfile of HijackThis v1.97.7
Scan saved at 11:19:32 PM, on 7/4/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WMPCI54G WLAN Monitor\WMP54G.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\ds\Desktop\PC\spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Validate XML - C:\WINNT\web\msxmlval.htm
O8 - Extra context menu item: View XSL Output - C:\WINNT\web\msxmlvw.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.progressiveears.com
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc2.cab
O16 - DPF: {4B48D5DF-9021-45F7-A240-60304302A215} - http://download.microsoft.com/download/b/d.../WebCleaner.cab
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://ggpextra.generalgrowth.com/ggp_prod...rces/msddsc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8042.1970138889
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.microsoft.com/download/viz...N-US/msorun.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/24/install/gtdownls.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/contr...ate/sdkinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab


Nothing standing out in your log, aside from those O8 entries, which are of no major concern.

You do, however, need to update your version of HJT; yours is very behind. This will give us some more info, tho, unsure if it will reveal too much more than is there.

Let's update HJT and post a fresh log please.
HijackThis! v 1.99.1

Also, if you can, try and get those trial apps; a little bit more backup of a clean scan can't help.


Thanks, TeMerc. As I was going thru the ZA log this morning I realized I failed to mention some details about these two files. When ZA popped up with a notice on these, it listed an IP address. I found it belongs to my ISP. Could they be behind this??? In the ZA log the Destination DNS is dns1.chgil.sbcglobal.net and the IP is 206.141.192.60; both are using port 53. Thanks!
Dale


OK, based on what I can find about port 53, it's a DNS service that converts URLs to IPs. So it may appear the traffic is normal, perhaps from your ISP.

Here are a couple of links for port 53, where I got the info:
http://www.linklogger.com/TCP53.htm
http://www.dshield.org/ports/port53.php

Here is the best answer I found tho, see post #4:
http://www.wilderssecurity.com/showthread.php?t=78627
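An added example, not from the thread and not ZoneAlarm's own code, for the port 53 question above: a small Python triage of firewall log lines. The log layout, the private source address and the 203.0.113.7 destination are constructed for the example; the resolver 206.141.192.60 is the one named in the thread. It separates ordinary DNS (a browser asking the configured resolver) from two things worth a second look: DNS sent to a server other than the configured resolver, and DNS coming from core system processes that do not normally resolve names on their own (that process list is an assumption for this example, to be tuned per host).

```python
"""Triage outbound DNS entries in a personal-firewall log (constructed layout)."""

# Resolver named in the thread (dns1.chgil.sbcglobal.net). A real check would
# read the configured resolvers from the machine's TCP/IP settings instead.
KNOWN_RESOLVERS = {"206.141.192.60"}

# Assumption for this example: core Windows processes that have no reason to
# originate DNS lookups themselves. This is a heuristic, not a rule.
QUIET_SYSTEM_PROCESSES = {"winlogon.exe", "rundll32.exe", "smss.exe", "lsass.exe", "services.exe"}

# Constructed sample in a simplified "date time action program src dst proto" layout.
SAMPLE_LOG = """\
2005/07/05 07:12:03 ALERT winlogon.exe 192.168.1.10:1043 206.141.192.60:53 UDP
2005/07/05 07:12:04 ALERT rundll32.exe 192.168.1.10:1044 206.141.192.60:53 UDP
2005/07/05 07:12:20 ALLOW iexplore.exe 192.168.1.10:1050 206.141.192.60:53 UDP
2005/07/05 07:13:41 ALERT rundll32.exe 192.168.1.10:1061 203.0.113.7:53 UDP
2005/07/05 07:14:02 ALLOW iexplore.exe 192.168.1.10:1070 198.51.100.9:80 TCP
"""


def parse_line(line):
    """Return a record dict for one log line, or None if it does not fit the layout."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, action, program, src, dst, proto = parts
    dst_ip, sep, dst_port = dst.rpartition(":")
    if not sep or not dst_port.isdigit():
        return None
    return {
        "when": f"{date} {time}",
        "action": action,
        "program": program.lower(),
        "dst_ip": dst_ip,
        "dst_port": int(dst_port),
        "proto": proto,
    }


def triage_dns(log_text):
    """Return (when, program, dst_ip, reasons) for every port-53 entry.

    reasons is an empty list when the entry looks like ordinary DNS from an
    ordinary client; otherwise it lists why the entry deserves a look.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst_port"] != 53:
            continue  # not DNS, or not a line we understand
        reasons = []
        if rec["dst_ip"] not in KNOWN_RESOLVERS:
            reasons.append("dns to a server other than the configured resolver")
        if rec["program"] in QUIET_SYSTEM_PROCESSES:
            reasons.append("dns from a process that does not normally resolve names")
        findings.append((rec["when"], rec["program"], rec["dst_ip"], reasons))
    return findings


def suspicious(findings):
    """Keep only the entries that carry at least one reason."""
    return [f for f in findings if f[3]]


if __name__ == "__main__":
    for when, program, ip, reasons in suspicious(triage_dns(SAMPLE_LOG)):
        print(when, program, "->", ip, "|", "; ".join(reasons))
```

The point of the second check is the one the thread circles around: port 53 to the ISP's resolver is normal in itself, so the useful question is which process is asking, not only where the packet goes.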


One thing that looks a bit unusual to me... if you notice in the entries
C:\WINNT\system32
which is normal, however, you also have
C:\WINNT\System32
Why do you have a system32 and a System32 folder? Do a check and see what is inside the System32 folder - that could be a problem.

Edited by zlim

Good catch, Eagle-eye! :-) I don't recall having seen an additional system32 folder (I visit the Winnt directory on a somewhat regular basis) but I will check it when I get home. To get far-fetched, I wonder if I got hit with a rootkit infection that makes its entries invisible.... or it could just be my ISP. I will run those alternate virus scans later tonight, as well. Thanks!
Dale


Windows doesn't support case sensitive file/folder names. ABC, abc and AbC are all the same to Windows. Apps may write the names to the Registry using mixed case but they are treated the same when actually accessed.
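An added example (mine, not from anyone in the thread) for the case-sensitivity point: a Python check that folds the HJT "Running processes" paths the way Windows compares names, so the System32 and system32 spellings collapse to one folder, and separately flags a core binary running from somewhere other than its expected folder, which is the "misplaced copies" question from the first post. The process list is a trimmed copy of the log posted earlier in the thread plus one constructed rogue entry (C:\WINNT\Temp\winlogon.exe) to show what a hit looks like; the expected-folder table is an assumption for a default Windows 2000 install.

```python
"""Fold process paths case-insensitively and flag core binaries in odd folders."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption for this example: where core Windows 2000 binaries normally live.
EXPECTED_HOME = {
    "smss.exe": r"C:\WINNT\system32",
    "winlogon.exe": r"C:\WINNT\system32",
    "services.exe": r"C:\WINNT\system32",
    "lsass.exe": r"C:\WINNT\system32",
    "svchost.exe": r"C:\WINNT\system32",
    "rundll32.exe": r"C:\WINNT\system32",
    "explorer.exe": r"C:\WINNT",
}

# Trimmed from the HJT log in the thread; the last line is constructed.
SAMPLE_PROCESSES = r"""
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Temp\winlogon.exe
""".splitlines()


def fold(path):
    """Compare paths the way Windows does: separators normalised, case ignored."""
    return path.replace("/", "\\").lower()


def audit_processes(process_paths):
    """Return distinct folders (case-folded), the spellings seen for each folder
    that appears under more than one spelling, and core binaries found outside
    their expected folder."""
    spellings = defaultdict(set)  # folded folder -> spellings actually seen
    findings = []
    for raw in process_paths:
        raw = raw.strip()
        if not raw:
            continue
        p = PureWindowsPath(raw)
        folder = str(p.parent)
        spellings[fold(folder)].add(folder)
        expected = EXPECTED_HOME.get(p.name.lower())
        if expected is not None and fold(folder) != fold(expected):
            findings.append((raw, f"{p.name} expected in {expected}"))
    case_variants = {k: sorted(v) for k, v in spellings.items() if len(v) > 1}
    return {
        "distinct_folders": len(spellings),
        "case_variants": case_variants,
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_processes(SAMPLE_PROCESSES)
    print("distinct folders:", report["distinct_folders"])
    for folded, seen in report["case_variants"].items():
        print("same folder, several spellings:", folded, "->", seen)
    for path, why in report["findings"]:
        print("check:", path, "-", why)
```

On the sample the two System32 spellings fold to a single folder, as zlim's question and the reply above expect, and the only hit is the constructed winlogon.exe under Temp; a real run would take the list from Task Manager or a fresh HJT log.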


Yep, only one System32 folder under Winnt. I would have thought it odd to find two but hey, when you're troubleshooting you look for small things that don't add up. Still haven't had time to scan yet and have to run to work. Thanks!


Whew! Some very interesting results. Several items found:
looktime.103
adware.shopnav.100
trojandownloader.webdown.100
htmlredir virus
I believe all these have been cleaned. I will look these all up to make sure all traces are gone.

Ewido found 63 items and cleaned 63 (tho it skipped 112,488 times (?)). Several items came up as embedded in zip files but I believe these were ok (program files and such, most of them icwconn1.exe). Also, one entry in the registry was not able to be accessed: hkcu\software\dsktb

I left Norton, Spybot and Microsoft Antispyware running when I left for work (yeah, I probably shouldn't run them simultaneously but didn't have time to run them sequentially before I left this morning). I was unable to run Kaspersky as I got an error that the file downloaded was corrupt each time I tried. I will check my ZA log later today to see if this has made a dent in the winlogon.exe/rundll32.exe



Hmmmm, well winlogon.exe and rundll32.exe are still running after startup. What's worse is that I got hit with a NASTY virus (courtesy of my daughter's pc which may have caused the original problem). Things are running at a crawl now and it is taking forever to run my scans. Hopefully, tonight I will be in better shape; otherwise I will reformat and start from scratch.


Well, I'm sorry I haven't had a chance to get here lately, I'm gearing up for a trip. Ewido is a nice little app, and fast becoming a fav around the security forums. Do you know what virus it is that you have? I would search for a removal tool, or try running Ewido, see if it catches it.

I'd try not to let the scans run at the same time; it's more likely to cause problems simply because the apps may try to access the same files at the same time. It could also be that by them conflicting, they missed something. I would run all the scans independent of each other, after checking for updates. I know Ewido also recently had a version update to 3.5, so be sure that's current.

Reformat really is a last resort. I know users have certainly cleaned up a lot worse than you have on your box. I'm sorry I will be out of town for the next 9 days or so, and won't have time to get back here to offer any more advice. Hope you get to sort things out while I'm gone, or perhaps someone else will be able to guide you the rest of the way.


Thanks, TeMerc. I'm not looking forward to reformatting but the darn pc has slowed to a crawl lately. I have tried running various spyware and antivirus software but it takes HOURS to run a single program at times (even when I'm not getting foolish by running them concurrently). Ewido is pretty nice, thanks for the tip. It seemed to catch things Norton didn't. I'll have to look at the logs to see what got picked up. I left Ewido running when I left for work today. Hopefully it will have finished when I get home so I can start a different scan before I go to bed.

So far, Norton has come up clean. AdAware picked up a single tracking cookie, Spybot came up clean. I haven't run MSFT's antispyware recently. Ewido picked up three files (was still scanning when I left). I will run the Trojan program, as well as Kaspersky. Does the trial install run Kaspersky in the background? I can't find any entries in the registry for it but a kavsvc.exe process runs now. If it is, I'm wondering if having Kaspersky and Norton (my default AV program) and then running another spyware/AV program is what's really slowing down my pc. I will run Kaspersky and then probably delete it. Thanks for letting me know you'll be away. I'll play with this in the meantime. Have a good trip!
Dale


Quickly, as I'm packing in between posting some last minute things, LOL. Try running the scans in safe mode; a lot less stuff will load, and give you some more resources to let the scanner use. Also, be sure none of the other scanners load up; if they do, in safe mode, kill 'em off. Unsure about what KAV needs to be running. I will be dropping into the forum over the course of the next 10 days tho, just unsure of how much time I'll actually have.


Thanks, again, TeMerc. Things seem to be a LOT more under control. I ran Ewido (it took over two days to run!!) and it picked up 3 things:
C:\WINNT\system32\gfmd5query.dll -> Spyware.Look2Me
C:\WINNT\system32\mbxoci.dll -> Spyware.Look2Me
C:\WINNT\system32\RISAUTO.DLL -> Spyware.Look2Me
I also found some suspicious dll files in System32 that had this week's date on them. I deleted them for now to see if it affects anything. PC is running rather smoothly at the moment. Things were running so slowly this morning I was convinced I would do a format today. It was really painful to do even the littlest things. I found where Kaspersky loads in the background and will turn it off after I run a scan with it. Will also run Panda and MSFT antispyware as well as TrojanHunter one more time after Kaspersky. I'll let you know how this all turns out.


Just for the record - Ewido also found these the first go round a couple days ago:
HKLM\SOFTWARE\Classes\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2
C:\Documents and Settings\ds\Cookies\ds@z1.adserver[1].txt -> Spyware.Cookie.Adserver
C:\WINNT\system32\DLCPCSVC.DLL -> Spyware.Look2Me
C:\WINNT\system32\redit.cpl -> TrojanDownloader.Qoologic.p
C:\WINNT\system32\var.dll -> Spyware.Look2Me


Hey, TeMerc, let's lay this one to rest. After finally removing the viruses this week, I ended up getting registry errors that one of the hives was corrupted. I tried Recovery Console and replaced one from Repair. This only gave another error, which I fixed, which gave another error. I got tired of replacing files and decided I would format the drive and start from scratch. I'm currently installing W2000 on another drive so I can access the files before formatting. Thanks for all your help!
Dale
