Hallo at first to all, I've got big problem with my own Windows XP Pro Installations CD which I made with Freeware nLite tool. After the first Windows installation from that CD was everything OK at first look. After some weeks past away Windows began itself downloading TROJANS,VIRUSES and all this stuff you know. I didn't immediatly understood what's going on first 2-3 days, after I decided to lookup into my System Memory with one Professional TaskManager. I took AnVir Task Manger Pro and move into the Processes Section. Same time below Processes Section there are shown all TCP/UDP Connections from all that small system services that are loaded into DDR-Ram. What I saw at the first look is that all services are doing their jobs well, except one that Microsoft NT Login and Logout Service called winlogon.exe. Instead that winlogon.exe service do only that what it should do, it's connecting to one of 2 IP Adresses:18.104.22.168 or 22.214.171.124 in Hong Kong after I seeing "connection established" winlogon.exe is downloading some small files about 500 Kbyte and these filles are all TROJANS,VIRUSES,SPYWARE (rs32net.exe, reader_s.exe, head1041.exe, V1215.TEMP) and many hundred. I've burnned more than 20 CD's and every time the same you know. After W-Lan USB Stick Driver installing and connecting my Router, within half second recognize that winlogon.exe that I am connected to the Internet beginning that Game from the beginning. At first now I know what ist the reason for that TROJAN downloading&Co and that's OK. The Problem is how I get out it from my Computer. I've tried to UNPACK it you know but I get the Error"It's not possible because Microsoft Visual C++ 6.0,8.0" it looks like native Microsoft winlogon.exe. That for I think somebody or something is so infecting-manipulating my winlogon.exe that it begins downloading all these Dangerous files. In my Profi Task Manager I am not seeing that none file at action how is it manipulating,changing,overwriting,hacking,hijacking my winlogon.exe. When even I can not UNPACK-REVERSE ENGINEER it, how can some VIRUS,TROJAN,ROOKIT,SPYWARE,MALWARE,WORM Disassemble-add its own assembley STRING "Everytime at windows start check if there is Internet Connection, when Yes connect one of these IP Adresses 126.96.36.199 or 188.8.131.52 and download all that Crap" and Assemble it back again. And all these happens in front of mine own eyes in System Memory during I am watching every EXE,DLL,SYS,INI,DAT,INF action with Professional Forensic Software&Toolkits. There is something hiden but not on mine Windows C:\ Partition, on the other Files Partition F,G,H you know. This something is such Intelligent that even with over 35 Anti Rootkit Freeware&Shareware that I own can not see and reveal-unhook it doing its dirty Job. I also finded out that the Domain-Host which Redirect into these 2 IP Adresses in Hong Kong is:
Host: ircd.zief.pl "Exactly This is the Domain to which is connecting my winlogon.exe and downloading Trojans&Viruses"
Location: Hong Kong SAR (22.283N, 114.150E)
But what interesting is that Domain: ircd.zief.pl owner is in Poland. Watch this:
The object shown below is NOT in the RIPE database.
It has been obtained by querying a remote server:
(whois.dns.pl) at port 43.
To see the object stored in the RIPE database
use the -R flag in your query
registrant's handle: sibr62259 (INDIVIDUAL)
nameservers: dns1.zief.pl. [184.108.40.206]
created: 2005.07.25 15:58:55
last modified: 2008.09.25 10:49:06
REGISTRAR: Consulting Service
ul. Domaniewska 35A lok.1B
WHOIS displays data with a delay not exceeding 15 minutes in relation to the .pl Registry system
Registrant data available at http://dns.pl/cgi-bin/en_whois.pl
NeoTrace Copyright ©1997-2001 NeoWorx Inc
What is wanting this Consulting Service Firma from My Computer and from me. Is this small Company Hacking and Infecting my Computer, or there is something behind it more Bigger. So what should I do, with which AntiSpyware-Virus can I fined out what is going on.I hadn't such problems with Service Pack 2 you know over 3 Years, only since I am trying to SlipStream SP3 with nLite to Windows I have this problems.
Thank You all that are trying to Help me !!!
My System: nLite Win XP Pro+SP3+ALL Addons-Updates from Sereby-Dynaletik
Router:D-Link DSL 2741B W-Lan 300 Mbit\s Hardware Firewall IDS-IPS-ALG-SPI
Edited by cTreamer, 02 February 2009 - 04:41 PM.