Rootkit Or Routine?


9 replies to this topic

#1 Rattila

Posted 19 October 2006 - 09:50 PM

I have two puzzling entries in my Spybot S&D Process List Report.
Both have the path: \??\C:\WINDOWS\system32\

PID: 436 ( 380) \??\C:\WINDOWS\system32\csrss.exe
PID: 460 ( 380) \??\C:\WINDOWS\system32\winlogon.exe


Also recurring in my System Startup (even if killed) are two entries related to Log on.
Luckily they can be disabled

Located: System.ini, SensLogn (DISABLED)
command: WlNotify.dll
file: WlNotify.dll

Located: System.ini, WRNotifier (DISABLED)
command: WRLogonNTF.dll
file: WRLogonNTF.dll


Finally, I wondered if the user 'Administrator' is legitimate.
It appears only when running in safe mode, with the following comment:

The administrator is only visible on the Welcome screen when no other user accounts exist
(except the guest account), or when you start your computer in safe mode.


Thank you for letting me know what you think.

My System:

Dell Inspiron 1100 (Intel Laptop)
Windows XP SP 2 Home Edition - with automatic updates
Microsoft Internet Explorer 7 Release Candidate 1 - with automatic updates
Microsoft Office Small Business Edition - with automatic updates
Adobe Acrobat, Mediaplayer, QuickTime, RealPlayer - all latest versions fully up to date
Avast! 4.7 Antivirus (shareware version) - with automatic updates
Windows Defender Beta 2 - with automatic updates
ZoneAlarm Firewall (shareware version) - with automatic updates
SpybotSD Resident protection (TeaTimer) - fully up to date
SpywareBlaster Resident protection - fully up to date

Weekly: full and thorough scans with Avast, Ad-Aware SE, Windows Defender, SpybotSD.
Monthly: 3 additional online scans with Panda Software ActiveScan,Trend Micro HouseCall,
and BitDefender Online Virus Scan
'Is there a fix after Rattila clicks?' from Diary of a Computer Mouse


#2 Orange Blossom (Moderator)

Posted 19 October 2006 - 11:16 PM

I wondered if the user 'Administrator' is legitimate.
It appears only when running in safe mode, with the following comment:

The administrator is only visible on the Welcome screen when no other user accounts exist (except the guest account), or when you start your computer in safe mode.


This account should be there. If something goes absolutely haywire, with this account you can get into the system in safe mode through this account and fix it.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Rattila (Topic Starter)

Posted 20 October 2006 - 11:18 AM

Hi Orange Blossom:

Thank you for confirming what I thought (and hoped for): that the 'Administrator' account is native to the OS.

Any ideas about these 2 files with the path \??\C:\WINDOWS\system32\ in the running process list?

Any thoughts about the two 'immortal' entries

Located: System.ini, SensLogn (DISABLED)
command: WlNotify.dll
file: WlNotify.dll

Located: System.ini, WRNotifier (DISABLED)
command: WRLogonNTF.dll
file: WRLogonNTF.dll



which keep popping up in my System startup after rebooting even if killed?

May your computer always boot and stay healthy! :thumbsup:

Rattila :flowers:

#4 Orange Blossom (Moderator)

Posted 20 October 2006 - 01:39 PM

According to BC's Startup List, WRLogonNTF.dll is used by Webroot Spysweeper 4.5 and is essential to its program

Did you have this program installed at one time? If so, it appears as though part of the program got left behind when it was uninstalled.
------------------
wlnotify.dll

Description:
wlnotify.dll is a library that contains application programming interface (API) functions to receive and handle notifications events generated by Winlogon like Logon, Logoff, Shutdown, and so forth.

From: http://www.liutilities.com/products/wintas...brary/wlnotify/

Also, look here: http://www.auditmypc.com/process/wlnotify.asp This process should not be disabled from what I read, unless it is in a wrong spot, but I haven't heard anything about that with this file. Spybot should be providing information about the files it lists, both start up and process. If you click on the double arrow thingy to the right and hold the mouse button down and drag it somewhat to the left, a window on the right will open that provides descriptions of the file you have highlighted to the left. They will say if they have no information about it.
---------
C:\WINDOWS\system32\csrss.exe
This file and path are legitimate. It is part of the service pack 2 files. http://www.bleepingcomputer.com/filedb/csrss.exe-737.html

Also see here: http://www.liutilities.com/products/wintas...slibrary/csrss/

---------------------------
C:\WINDOWS\system32\winlogon.exe

This file and path are legitimate. It is part of the service pack 2 files
http://www.bleepingcomputer.com/filedb/win...n.exe-3031.html

Also see here: http://www.liutilities.com/products/wintas...brary/winlogon/

Hope this helps,

Orange Blossom :thumbsup:

Edited by Orange Blossom, 20 October 2006 - 01:41 PM.

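The replies above boil down to one check: a process named csrss.exe or winlogon.exe is expected when it runs from C:\WINDOWS\system32, and the `\??\` prefix Spybot printed is only the NT object-namespace form of the same drive path. The script below is an added example, not from the thread, from Spybot or from BleepingComputer; it parses process-list lines in the layout quoted in the first post, strips the `\??\` (and `\\?\`) prefix, and flags any core system binary that runs from somewhere other than System32. The sample report is constructed for the example, and its third line (a same-named file in a Temp folder) is invented to show what a mismatch looks like.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the layout of the Spybot S&D process-list lines quoted
# in the thread: "PID: <pid> ( <parent pid>) <image path>". The third line is
# an invented look-alike running from a user's Temp folder; it is not from the
# original report and exists only to exercise the mismatch branch.
SAMPLE_REPORT = """\
PID: 436 ( 380) \\??\\C:\\WINDOWS\\system32\\csrss.exe
PID: 460 ( 380) \\??\\C:\\WINDOWS\\system32\\winlogon.exe
PID: 1234 ( 460) C:\\Documents and Settings\\user\\Local Settings\\Temp\\csrss.exe
"""

# Where the core Windows XP session/logon binaries are expected to live.
EXPECTED_DIR = PureWindowsPath(r"C:\WINDOWS\system32")
CORE_PROCESSES = {"csrss.exe", "winlogon.exe", "smss.exe", "lsass.exe", "services.exe"}

LINE_RE = re.compile(r"^PID:\s*(\d+)\s*\(\s*(\d+)\s*\)\s*(.+?)\s*$")


def normalize_nt_path(path: str) -> str:
    """Strip the NT object-namespace prefix (\\??\\) or the Win32 long-path
    prefix (\\\\?\\) so the remainder is a plain drive-letter path. Tools that
    read the image name from the kernel show the \\??\\ form; the prefix by
    itself says nothing about whether the process is legitimate."""
    for prefix in ("\\??\\", "\\\\?\\"):
        if path.startswith(prefix):
            return path[len(prefix):]
    return path


def parse_report(text: str) -> list:
    """Parse report lines into dicts with pid, ppid, raw_path and the
    normalized path; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, ppid, raw = int(m.group(1)), int(m.group(2)), m.group(3)
        entries.append({"pid": pid, "ppid": ppid,
                        "raw_path": raw, "path": normalize_nt_path(raw)})
    return entries


def check_core_process_paths(entries: list) -> dict:
    """Return {pid: verdict} for every entry whose file name matches a core
    system process. 'expected-path' means the image sits in System32;
    'unexpected-path' means a same-named file runs from elsewhere, which is
    the case worth following up with a hash lookup or signature check."""
    verdicts = {}
    for e in entries:
        p = PureWindowsPath(e["path"])
        if p.name.lower() not in CORE_PROCESSES:
            continue
        # PureWindowsPath compares case-insensitively, so WINDOWS == Windows.
        verdicts[e["pid"]] = ("expected-path" if p.parent == EXPECTED_DIR
                              else "unexpected-path")
    return verdicts


if __name__ == "__main__":
    for pid, verdict in check_core_process_paths(parse_report(SAMPLE_REPORT)).items():
        print(pid, verdict)
```

Running it prints `expected-path` for PIDs 436 and 460 and `unexpected-path` for the constructed 1234 entry. The check deliberately looks only at name and directory; the BleepingComputer file database links in the reply above are the right next step for confirming a file that does land in the unexpected bucket.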

#5 Rattila (Topic Starter)

Posted 21 October 2006 - 02:36 AM

Hi Orange Blossom:


I took a quick peek at the forum and want to thank you before I have enough time to read the material you posted:
I really appreciate your help :thumbsup:

What worried me most, since my machine (*) does not exhibit the usual signs of infestation, was the path of these two processes
starting before c:/ and wondering whether the computer was now a 'bot' or 'zombie'.

(*) Actually it's my wife's laptop: I am her Information Technology person... :flowers: :trumpet:

Just to make sure, I'll post a HijackThis log soon.


Best,
Rattila

#6 quietman7 (Global Moderator)

Posted 21 October 2006 - 08:29 AM

Before posting a hijackthis log, please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". You may have performed some of these steps already. About half way down are instructions for downloading HijackThis and creating a log.

When you have done that, post your log in the HijackThis Logs and Analysis Forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#7 Rattila (Topic Starter)

Posted 21 October 2006 - 02:36 PM

Don't worry, Quietman7, I know where and how to post a HijackThis log.

Maybe I am answering an automated post triggered by the word 'HijackThis': luckily, I am not automated...

Rattila :thumbsup:

#8 quietman7 (Global Moderator)

Posted 21 October 2006 - 03:03 PM

Yes Rattila my reply was a standard response which I often provide. I don't like to take for granted that everyone knows how to post a log. Doing that results in spending extra time explaining the proper procedure. That in turn causes a longer delay with getting our members expert assistance as quickly as possible. Plus, repeating the instructions helps to educate others reading through the topics. Good luck with your log. :thumbsup:

#9 Rattila (Topic Starter)

Posted 21 October 2006 - 03:29 PM

Hello Quietman7:


I just wish to thank you and the BleepingComputer team: I know that I can rely on courtesy and efficiency here. :thumbsup:

Of course, not everybody knows (or cares) about how and where to post a HijackThis log, and an automated reminder triggered by some posted words makes a lot of sense.

Obviously, your last post was not automated, which proves once again that you are an excellent Bleepin' Janitor. :flowers:


Best from Rattila :trumpet:

#10 quietman7 (Global Moderator)

Posted 21 October 2006 - 03:38 PM

You're quite welcome, and thank you for the kind words as they mean a lot to us. :thumbsup:



