
Win32.patched.i Has Infected Winlogon.exe


4 replies to this topic

#1 Jim_Laos

Posted 15 January 2007 - 09:27 PM

After a myriad of problems over the past 6 weeks, A-squared today identified a trojan win32.patched.i together with backdoor win32.ciadoor.13.
I've lived with a very poorly functioning PC for 6 weeks and gone through a host of possible culprits, none of which turned out to be guilty. I'm not sure whether I believe today's results or not, and I'd appreciate some expert advice.

Brief history: I replaced my CPU, mainboard and RAM in November and from the start there have been niggling problems. At first there were stop errors at least every day. 99% were MACHINE_CHECK_EXCEPTION errors coded 9c although there was usually a piece of software involved also.

After a long period of posting bug-log texts to another forum we noticed that a video driver was often involved and when we forced the use of MS standard VGA driver the problem stopped - until I bought a new video card, then it started again.

I've done extensive stress tests on the memory (24 hours at a time) and the CPU with no indication of fault. I was going crazy when, about two weeks ago, I heard indirectly that Asus had shipped a bad batch of mainboards out in this part of the world. I'd arranged to take the PC back to the shop but as they wanted it for "a few days" I was waiting for a gap in my schedule to accommodate that.

As is to be expected, however, having decided that it was a faulty mainboard, the halt errors stopped. I haven't had one for about a week now. What has been happening instead is a series of software errors of the form "xxxx attempted to access memory at 0x000000000 which couldn't be written to. xxxxxx will have to close." The xxxxx in question has been Thunderbird a couple of times, Firefox three or four times and seemingly random other programs including my Comodo anti-virus prog and most recently Comodo Firewall. Actually, the firewall didn't crash; it kept failing to start at boot time, leaving me with an alert box message that it had tried to access memory that couldn't be read.

Because of the problems I'd been doing a lot of regular scans for adware, spyware, malware and viruses to rule them out before going in for major surgery. Apart from a few tracking cookies, nothing significant was found. A HijackThis log taken 4 weeks ago pointed to a couple of possibilities, which were then quarantined but didn't bring about any change for the better.

However, a few days ago when the firewall went down, I started reading the forums (including this one) to identify a good piece of kit to replace Comodo with. I ended up with Avira Personal Edition, Kerio firewall and Spybot S&D as resident security, backed up with UnHackMe 310, BlackLight rootkit, McAfee Stinger, some others I can't remember, and A-squared Free version for regular check-ups.

It was earlier today that I decided to do some housekeeping and A2 found the trojans I've already mentioned, several tracking cookies and a number of references to the Firefox cache. I was able to delete all but winlogon.exe which is carrying the trojan win 32 and which A2 says is quarantined but can be seen in the system32 folder. (It's dated 2004 by the way and has the correct icon but, thinking back, it was always in memory whenever I had a stop error).

That's the background. I now have no idea what to do. I've followed the protocols of the forum and used most of the suggested tools, and some others that I had already downloaded including Ad-Aware SE. I'm also about to post my HijackThis log. Incidentally, I have a log from when the problems first started and can post that too if it will help.

In the past 12 hours or so I've wasted all my temp files, all cookies, the program containing the backdoor trojan, a Heuristic.Dialer found in prog files\powerpro\dundial.exe, a 'POSSIBLE_VIRUS_SPYWARE_KEYL_ASTLOG' as discovered by Housecall, my two kids and my dog.

What's left now is some potential vulnerability with ASP.NET and XML core services according to the scan at Housecall.

Could someone please help? I'm now totally lost.

(Sorry I've written so much - I'll put the log into the next post.)

#2 Jim_Laos

Posted 15 January 2007 - 09:31 PM

Logfile of HijackThis v1.99.1
Scan saved at 09:29:09, on 1/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Windows folder: C:\XPOS
System folder: C:\XPOS\SYSTEM32
Hosts file: C:\XPOS\System32\drivers\etc\hosts

Running processes:
C:\XPOS\System32\smss.exe
C:\XPOS\system32\csrss.exe
C:\XPOS\system32\winlogon.exe
C:\XPOS\system32\services.exe
C:\XPOS\system32\lsass.exe
C:\XPOS\system32\svchost.exe
C:\XPOS\system32\svchost.exe
C:\XPOS\System32\svchost.exe
C:\XPOS\system32\svchost.exe
C:\XPOS\system32\spoolsv.exe
C:\XPOS\system32\svchost.exe
G:\AntiVir PersonalEdition Classic\sched.exe
G:\AntiVir PersonalEdition Classic\avguard.exe
C:\XPOS\System32\alg.exe
C:\XPOS\Explorer.EXE
C:\XPOS\system32\CTHELPER.EXE
C:\XPOS\system32\VTTimer.exe
G:\AntiVir PersonalEdition Classic\avgnt.exe
G:\Winamp\winampa.exe
G:\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Tech\Wheel Mouse\5.3\MOUSE32A.EXE
C:\XPOS\system32\wbem\wmiprvse.exe
G:\EditPadPro5\EditPadPro.exe
G:\D Opus\DOpus.exe
G:\Sunbelt Software\Personal Firewall\kpf4ss.exe
G:\Sunbelt Software\Personal Firewall\kpf4gui.exe
G:\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\XPOS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
L:\CAB\Install\Protection\hijackthis\HijackThis.exe
C:\Program Files\Mozilla Thunderbird Beta 1\thunderbird.exe
G:\a-squared Free\a2free.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: ESigil Browser Helper - {A968A4B4-C492-4834-B651-17602C3885C8} - G:\Comodo\VEngine\ESigil.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [UpdReg] C:\XPOS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] G:\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [avgnt] "G:\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinampAgent] "G:\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SmartDefrag] "G:\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKCU\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKCU\..\Run: [LWBMOUSE] C:\Program Files\Tech\Wheel Mouse\5.3\MOUSE32A.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [HijackThis startup scan] L:\CAB\Install\Protection\hijackthis\HijackThis.exe /startupscan
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O15 - Trusted Zone: http://*.gmail.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC1FAF0A-C194-482A-98BB-720F79FDDC62}: NameServer = 202.136.240.1 202.136.241.1
O18 - Protocol: msnim - (no CLSID) - (no file)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\XPOS\system32\wpdshserviceobj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - G:\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - G:\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - G:\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: wampapache - Unknown owner - N:\wamp\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - N:\wamp\mysql\bin\mysqld-nt.exe
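The log above can be read mechanically before anyone eyeballs it. The following Python script is an added example by the editor, not from this thread or from HijackThis itself: it parses a constructed excerpt of the log posted here and flags the entry types a responder would review first. The triage rules are the editor's own assumptions, not anything HijackThis flags.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [avgnt] "G:\AntiVir PersonalEdition Classic\avgnt.exe" /min
O15 - Trusted Zone: http://*.gmail.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC1FAF0A-C194-482A-98BB-720F79FDDC62}: NameServer = 202.136.240.1 202.136.241.1
O18 - Protocol: msnim - (no CLSID) - (no file)
O23 - Service: wampapache - Unknown owner - N:\wamp\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - G:\Sunbelt Software\Personal Firewall\kpf4ss.exe
"""

# "O4 - ..." entry: section code, then the body HijackThis printed.
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")
# Body of an O4 entry: hive\..\Run: [value name] command line
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[[^\]]*\] (?P<cmd>.*)$")


def executable_of(cmd: str) -> str:
    """Program part of a Run command line: the quoted path, else the first token."""
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]


def triage(log: str) -> list:
    """Return (section, reason, line) for entries a responder would review first.
    The rules are the editor's own heuristics, not anything HijackThis itself flags."""
    findings = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # blank lines, header, running-process list
        sec, body = m.group("sec"), m.group("body")
        if sec == "O4":
            r = RUN_RE.match(body)
            # A bare file name is resolved through the search path at logon, so the
            # log alone does not say which binary actually runs (CTHELPER.EXE above).
            if r and "\\" not in executable_of(r.group("cmd")):
                findings.append((sec, "Run entry without a full path", raw))
        elif sec == "O15":
            findings.append((sec, "explicit Trusted Zone entry, confirm it is intended", raw))
        elif sec == "O17":
            findings.append((sec, "custom DNS resolver, confirm it belongs to the ISP", raw))
        elif sec in ("O18", "O23"):
            if "(file missing)" in body or "(no file)" in body:
                findings.append((sec, "entry points at a file that no longer exists", raw))
            elif "Unknown owner" in body:
                findings.append((sec, "service with no publisher recorded, verify the binary", raw))
    return findings
```

Entries that pass these checks still need the usual verification (publisher signature, hash against a known-good copy), as the winlogon.exe discussion below shows; the script only orders the review.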

#3 MFDnSC

Posted 15 January 2007 - 09:46 PM

False positive

http://forum.emsisoft.com/Default.aspx?g=posts&t=1757

#4 Jim_Laos

Posted 15 January 2007 - 10:26 PM

MFDnSC - I think you might be right.
I was following this thread http://www.bleepingcomputer.com/forums/t/78130/how-can-i-get-rid-of-trojanwin32patchedi/, similar story, so went and uploaded winlogon.exe to the Kaspersky file scanner. Came back clean.
In a way I was hoping that I'd found the problem. Ah well, back to square one...
...unless anyone has any ideas...

#5 MFDnSC

Posted 15 January 2007 - 10:34 PM

Hold on for a few days and then update A2.