Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Microsoft winlogon.exe is Downloading Trojans,Viruses,Spyware&Co

  • Please log in to reply
1 reply to this topic

#1 cTreamer


  • Members
  • 2 posts
  • Local time:03:49 PM

Posted 02 February 2009 - 01:06 PM

Hallo at first to all, I've got big problem with my own Windows XP Pro Installations CD which I made with Freeware nLite tool. After the first Windows installation from that CD was everything OK at first look. After some weeks past away Windows began itself downloading TROJANS,VIRUSES and all this stuff you know. I didn't immediatly understood what's going on first 2-3 days, after I decided to lookup into my System Memory with one Professional TaskManager. I took AnVir Task Manger Pro and move into the Processes Section. Same time below Processes Section there are shown all TCP/UDP Connections from all that small system services that are loaded into DDR-Ram. What I saw at the first look is that all services are doing their jobs well, except one that Microsoft NT Login and Logout Service called winlogon.exe. Instead that winlogon.exe service do only that what it should do, it's connecting to one of 2 IP Adresses: or in Hong Kong after I seeing "connection established" winlogon.exe is downloading some small files about 500 Kbyte and these filles are all TROJANS,VIRUSES,SPYWARE (rs32net.exe, reader_s.exe, head1041.exe, V1215.TEMP) and many hundred. I've burnned more than 20 CD's and every time the same you know. After W-Lan USB Stick Driver installing and connecting my Router, within half second recognize that winlogon.exe that I am connected to the Internet beginning that Game from the beginning. At first now I know what ist the reason for that TROJAN downloading&Co and that's OK. The Problem is how I get out it from my Computer. I've tried to UNPACK it you know but I get the Error"It's not possible because Microsoft Visual C++ 6.0,8.0" it looks like native Microsoft winlogon.exe. That for I think somebody or something is so infecting-manipulating my winlogon.exe that it begins downloading all these Dangerous files. In my Profi Task Manager I am not seeing that none file at action how is it manipulating,changing,overwriting,hacking,hijacking my winlogon.exe. When even I can not UNPACK-REVERSE ENGINEER it, how can some VIRUS,TROJAN,ROOKIT,SPYWARE,MALWARE,WORM Disassemble-add its own assembley STRING "Everytime at windows start check if there is Internet Connection, when Yes connect one of these IP Adresses or and download all that Crap" and Assemble it back again. And all these happens in front of mine own eyes in System Memory during I am watching every EXE,DLL,SYS,INI,DAT,INF action with Professional Forensic Software&Toolkits. There is something hiden but not on mine Windows C:\ Partition, on the other Files Partition F,G,H you know. This something is such Intelligent that even with over 35 Anti Rootkit Freeware&Shareware that I own can not see and reveal-unhook it doing its dirty Job. I also finded out that the Domain-Host which Redirect into these 2 IP Adresses in Hong Kong is:

Host: ircd.zief.pl "Exactly This is the Domain to which is connecting my winlogon.exe and downloading Trojans&Viruses"

Port: 80

Name: ircd.zief.pl

Location: Hong Kong SAR (22.283N, 114.150E)
Netzwerk: APNIC-58

But what interesting is that Domain: ircd.zief.pl owner is in Poland. Watch this:

The object shown below is NOT in the RIPE database.
It has been obtained by querying a remote server:
(whois.dns.pl) at port 43.
To see the object stored in the RIPE database
use the -R flag in your query


DOMAIN: zief.pl

registrant's handle: sibr62259 (INDIVIDUAL)

nameservers: dns1.zief.pl. []

dns2.zief.pl. []

created: 2005.07.25 15:58:55

last modified: 2008.09.25 10:49:06

no option

REGISTRAR: Consulting Service

ul. Domaniewska 35A lok.1B

02-672 Warszawa


+48.22 8538888


WHOIS displays data with a delay not exceeding 15 minutes in relation to the .pl Registry system

Registrant data available at http://dns.pl/cgi-bin/en_whois.pl

NeoTrace Copyright 1997-2001 NeoWorx Inc

What is wanting this Consulting Service Firma from My Computer and from me. Is this small Company Hacking and Infecting my Computer, or there is something behind it more Bigger. So what should I do, with which AntiSpyware-Virus can I fined out what is going on.I hadn't such problems with Service Pack 2 you know over 3 Years, only since I am trying to SlipStream SP3 with nLite to Windows I have this problems.

Thank You all that are trying to Help me !!!


My System: nLite Win XP Pro+SP3+ALL Addons-Updates from Sereby-Dynaletik
Router:D-Link DSL 2741B W-Lan 300 Mbit\s Hardware Firewall IDS-IPS-ALG-SPI

Edited by cTreamer, 02 February 2009 - 04:41 PM.

BC AdBot (Login to Remove)


#2 cTreamer

  • Topic Starter

  • Members
  • 2 posts
  • Local time:03:49 PM

Posted 04 February 2009 - 02:29 PM

I have find out what is my Problem from some guy of another Forum:www.msfn.org. Somehow is this small file called 0032exe.PING has been downloaded to my Computer. It changes the Hosts file adding this IP Adrese ( ZieF.pl) into it and also infect .exe files of windows. Than connecting to IRC Channell on Port 80 and waiting for commands from Hackers. So I am searching now for this file in my System.


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users