
Ad-aware "winlogon" Vulnerability For C:\windows\explorer.exe "shell"


  • This topic is locked
4 replies to this topic

#1 ceruleandaze

ceruleandaze

  • Members
  • 3 posts
  • OFFLINE
  • Local time:06:53 AM

Posted 30 January 2007 - 06:34 AM

Ever since I've installed SP2 I've encountered various problems, some big, some small. This Ad-Aware issue here predates my trying to install SP2, yet... may be related to the problems below.

Prior to running Ad-Aware and HJT, I scanned my system with AntiVir PE Classic, Spy Sweeper with AntiVirus, Spybot S&D, Microsoft's latest Malware Removal Tool, and now Ad-Aware SE, all with the latest updates and defs. I also have SpywareBlaster updated. I've also cleaned out my registry with various tools: RegistryFix 5.5, RegScrubXP, Advanced WindowsCare V2 Personal, and TuneUp Utilities 2004. I also run Outpost Firewall Pro, the latest ver. 4.0.1007.7323 (591), as well as PeerGuardian 2, just updated today with the latest updates.


Ad-Aware is the only one of the above antivirus/spyware/malware/adware programs to show this "problem" with Winlogon, and every time I've gotten it in the past I've ignored it rather than "clean" it, afraid of deleting something vital to the system. I've scoured the Net trying to determine whether this is a false positive or for real, but haven't gotten anywhere so far. I'm hoping this write-up and HJT log here will bring some answers.

Windows Object Recognized!
Type : RegData
Data : c:\windows\explorer.exe
TAC Rating : 3
Category : Vulnerability
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows nt\currentversion\winlogon
Value : Shell
Data : c:\windows\explorer.exe



General system problems I've been experiencing:

* SP2 install continually crashes on AppName=update.exe (v5.5.1005.0), ModName=ntdll.dll (v5.1.2600.2180), during the "Performing cleanup" phase. In my attempts to "fix" my system, I've probably manually (because of Windows Update problem below) reinstalled SP2 from a file (KB835935) about 5 times, always crashing at the same place.

* Windows now takes about 15 minutes to shut down, and about 10-15 minutes to start up. Sometimes it takes a really long time just to get the three buttons (Stand By, Turn Off, Restart) from which to reboot. I've run a Bootvis scan and can share the results here if anyone's interested. Not quite sure what I'm looking for in these results, but it looks OK as far as I can tell.

* Windows Update (auto or manual) has never worked for me since early SP1 days. Always the same error, number: 0x80248011, with page text "The website has encountered a problem and cannot display the page you are trying to view. Take the following steps to try solving the problem....". This is not perhaps related to the Ad-Aware vulnerability caught, but then maybe it is.

* My latest problem is suddenly my C drive available space has dipped to just 700 MB, and I'm not able to paste files that I copied or cut from anywhere on ANY logical or physical drive to any other location, be it elsewhere on the same drive or another logical or physical drive. I also cannot now drag & drop files to or from anywhere on any drive. The DCOM Server Process Launcher is on Automatic and Started (which I think I read is necessary for various drag & drop functions in apps and the system). Note: I will try rebooting after posting this in an attempt to fix this, so this may be OK by the time I come back to this forum.

* Ever since I first tried installing SP2, the Windows Installer service keeps stopping on its own, whether in Automatic or Manual mode.


For the record...
* I religiously (small 'r') manually download and install all applicable Microsoft security updates month by month, since before SP1 to the present.

* I don't use System Restore, so this has never been an option for me to recover from major problems, and I've been fine so far without it.


OK, here's my HJT log, done right after running Ad-Aware with the error above:

------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 18:34:17, on 2007/01/30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\System32\PGPserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Qlock\Qlock.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\MailWasher Pro\MailWasher.exe
L:\# Programs\PeerGuardian2\pg2.exe
L:\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
G:\UltraEdit-32\uedit32.exe
C:\WINDOWS\regedit.exe
I:\# SOFTWARE\! Windows\System\# System security\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=C:\WINDOWS\Explorer.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - L:\# Programs\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - (no file)
O3 - Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [PRONoMgr.exe] "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe"
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKCU\..\Run: [Controlled StartUp] "H:\# Programs\StartUp Organizer\Ctrl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher Pro\MailWasher.exe
O4 - Global Startup: Qlock.lnk = C:\Program Files\Qlock\Qlock.exe
O4 - Global Startup: Google Talk.lnk = C:\Program Files\Google\Google Talk\googletalk.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Save with Download Manager... - C:\Program Files\J River\Media Jukebox\DMDownload.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - L:\# Programs\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - L:\# Programs\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1102706435592
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163557192140
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...815/mcfscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\System32\PGPserv.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

------------------------------


I've included a lot of other info here in the possibility some of it may be related. Sorry for the clutter otherwise. If any unnecessary items are identified above, please let me know that too.

(E.g., I've tried deleting PGP 8.1 from my system since trying to clean it up after my SP2 install attempts, but it won't go away completely: the pgpsdk.sys driver remains, as do all the PGP application files, yet, it no longer appears in the Add/Remove Program list in Control Panel.)


Thanks for any help!


#2 ceruleandaze

ceruleandaze
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:06:53 AM

Posted 30 January 2007 - 09:21 PM

A few updates....

My problem with the C drive's free space suddenly dipping from about 1.5 GB to just 700 MB is better now (1.2 GB), but the cause still eludes me. For now, I'll leave that for another day.

For reference, and possibly to help decipher my HJT log (and though some of this info is available on my profile and in my first post above), here's a quick summary of my system:

* OS: Windows XP SP2 (WinNT 5.01.2600) (English)
* RAM: 512 MB
* East Asian language support installed (for Japanese, mainly)
* MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Browser used: Firefox 2.0.0.1
* E-mail: Thunderbird 1.5.0.9
* Also running MS Office 2000, MailWasher Pro
* Firewall: Outpost Firewall Pro, latest version (1/25/2007, v4.0 (1007.591.145))
* All MS security updates, both system & Office, up to date


The IME entries in the HJT log are because of the installed Japanese support. Outpost pro firewall includes a toolbar for IE, which is possibly the unnamed O3 toolbar in the HJT log. I haven't had a chance to confirm the GUID yet.


HTH.

#3 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:05:53 PM

Posted 06 February 2007 - 03:08 PM

Hello ceruleandaze and welcome to the BC HijackThis forum. I see no signs of viruses or malware in the log. It is clean.

There are a couple of entries for Adobe that are missing files so we can clean those out while you are here.

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - (no file)
O3 - Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Other than that, everything looks fine.

The winlogon item that AdAware is flagging is a valid entry and must be there. If it is removed the system will not start up past the logon screen. Do not remove that.

I would suggest posting in the XP forum here: http://www.bleepingcomputer.com/forums/f/56/windows-xp-home-and-professional/ . They can dig around in the system to see what might be causing the issues you describe. Let them know that you have been to this forum and that no malware was found.

Cheers.

OT
I do not respond to PMs requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#4 ceruleandaze

ceruleandaze
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:06:53 AM

Posted 06 February 2007 - 08:28 PM

> Hello ceruleandaze and welcome to the BC HijackThis forum. I see no signs of viruses or malware in the log. It is clean.

Good news. Thanks for checking it.

> There are a couple of entries for Adobe that are missing files so we can clean those out while you are here.

> Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
>
> O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - (no file)
> O3 - Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)
>
> Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Thanks.
I'm at the office today but will get to this tomorrow.

> The winlogon item that AdAware is flagging is a valid entry and must be there. If it is removed the system will not start up past the logon screen. Do not remove that.

So, it sounds like this error below from Ad-Aware is a false positive. Good to know.

Windows Object Recognized!
Type : RegData
Data : c:\windows\explorer.exe
TAC Rating : 3
Category : Vulnerability
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows nt\currentversion\winlogon
Value : Shell
Data : c:\windows\explorer.exe

I've read, though, that trojans or other malware can masquerade as explorer.exe, but admittedly don't understand much about this. I just wanted to be sure about what Ad-Aware was saying, especially considering no other malware/spyware/adware/virus checks I've run -- online or off -- detected this as a problem.

> I would suggest posting in the XP forum here: http://www.bleepingcomputer.com/forums/f/56/windows-xp-home-and-professional/ . They can dig around in the system to see what might be causing the issues you describe. Let them know that you have been to this forum and that no malware was found.

Thanks. I'll definitely look into this considering my machine is worse off lately after recently going through 14-some hours on the phone with Microsoft "technicians". (Thankfully, I wasn't charged.)

(I had tried upgrading my XP SP1 to SP2 but it caused a number of minor and major problems, some very annoying like drag & drop in Explorer suddenly quitting, occasional app crashes for no apparent reason, etc. They recommended I uninstall SP2, and reinstall it using the Administrator account in safe mode [even though my lone user account supposedly already has full administrator rights], so now I can't install Office updates or other things from my main account in normal mode, saying things like "no access". In fact, I can't even uninstall Office now in an attempt to reinstall it... Also, my IE now says it's an SP2 version but my system says it's SP1, so there seems to be a nasty mishmash of SP1 & SP2 files and/or settings internally. My system is running reasonably OK, but seems more unstable now. Grrr... Whoops... sorry, I'll take all this to the XP forum. Thanks again.)


CD
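The two points the thread settles, OldTimer's advice that the Winlogon Shell value pointing at explorer.exe is stock and must stay, and ceruleandaze's worry that malware can masquerade as explorer.exe, are what a log reviewer actually checks when reading the F2 and O2/O3 lines of a HijackThis log. The following is an added example, not code from the thread, HijackThis or Lavasoft: a small Python triage helper that parses HijackThis-style lines, accepts the Shell value only when it is the single stock explorer.exe under the system root, flags the two patterns a hijacked shell takes (extra programs appended after a comma, or an explorer.exe loaded from some other directory), and marks `(no file)` O2/O3 entries as orphaned, removable CLSID references. The `SYSTEM_ROOT` constant and the "hijacked" sample lines are constructed for the demonstration; the clean sample lines are the ones from the log in post #1.

```python
"""HijackThis-style log triage (added example; not part of the original thread).

Checks implemented:
  * F2 - REG:system.ini: Shell=...  must be exactly one program, the real
    explorer.exe in %SystemRoot%.  Anything appended after a comma, or an
    explorer.exe living in another directory, is the classic shell hijack.
  * O2 / O3 entries ending in "(no file)" reference a CLSID whose DLL is gone:
    harmless leftovers that can be removed.
"""
import re
from dataclasses import dataclass

# Assumed system root for the demo; on a live machine read %SystemRoot% instead.
SYSTEM_ROOT = r"C:\WINDOWS"

SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$", re.IGNORECASE)
ORPHAN_RE = re.compile(r"^O[23] - .* - \(no file\)$", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    severity: str   # "info" or "suspicious"
    reason: str


def split_shell_value(value):
    """Winlogon Shell is a comma-separated program list; strip quotes and spaces."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def check_shell(value, system_root=SYSTEM_ROOT):
    """Return None if Shell is the stock explorer.exe, otherwise a reason string."""
    parts = split_shell_value(value)
    if len(parts) != 1:
        return f"Shell runs {len(parts)} programs; expected only explorer.exe"
    prog = parts[0]
    # Both the bare name (resolved via the system root) and the full path are stock.
    expected = {"explorer.exe", (system_root + r"\explorer.exe").lower()}
    if prog.lower() in expected:
        return None
    if prog.lower().endswith("\\explorer.exe"):
        return f"explorer.exe loaded from unexpected directory: {prog}"
    return f"Shell is not explorer.exe: {prog}"


def triage(lines, system_root=SYSTEM_ROOT):
    """Walk log lines and return a Finding for each Shell or orphaned-CLSID entry."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = SHELL_RE.match(line)
        if m:
            reason = check_shell(m.group(1), system_root)
            if reason:
                findings.append(Finding(line, "suspicious", reason))
            else:
                findings.append(Finding(line, "info", "stock Winlogon Shell; leave in place"))
            continue
        if ORPHAN_RE.match(line):
            findings.append(Finding(line, "info", "orphaned CLSID, target DLL missing; safe to remove"))
    return findings


# Lines taken from the log in post #1 (clean).
SAMPLE_LOG = [
    r"F2 - REG:system.ini: Shell=C:\WINDOWS\Explorer.exe",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - (no file)",
    r"O3 - Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
]

# Constructed lines showing the two hijack patterns (not from the thread).
HIJACKED_SAMPLES = [
    r"F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\svc.exe",
    r"F2 - REG:system.ini: Shell=C:\WINDOWS\system32\explorer.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG) + triage(HIJACKED_SAMPLES):
        print(f"[{f.severity:10}] {f.reason}\n             {f.line}")
```

Run against the post #1 lines it reports the Shell entry as stock and the two `(no file)` entries as removable orphans, which is exactly OldTimer's reading; the constructed lines show what a genuinely suspicious Shell value looks like in the same F2 position.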

#5 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:05:53 PM

Posted 09 February 2007 - 05:14 PM

Something definitely sounds hosed up. I'm not sure what they will say about that. They might want to try a repair install of SP1 to see if it works but if the system thinks it is (or at least part of it is) SP2 I'm not sure that that would work.

They have a lot of talented people over there so I am sure that they will figure it out.

I will now close this topic. If you have any new malware related questions or issues in the future please start a new topic.

Cheers.

OT
I do not respond to PMs requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
