Solved

Possible malicious program - winlogon.exe 100% CPU usage

Posted on 2007-11-14
18
3,208 Views
Last Modified: 2009-04-04
Greetings all...
I am working on a customer's PC and I'm pretty stuck trying to diagnose what is happening. Winlogon.exe uses 50% to 100% of the CPU processing time as soon as Windows loads.

Info:
I started work on the PC after the customer reported his computer was very slow, often froze and even fell victim to the dreaded BSOD. I ran Ewido Micro, SpyBot S&D and Ad-Aware, both in Safe Mode and with Windows loaded normally. They picked up quite a few malicious programs and happily deleted them all.

Running the anti-spyware scans again showed the PC to be clean but there were still symptoms of infection. If I connected it to the network and launched IE7, a fake anti-spyware program would launch with an icon in the system tray. It showed a warning that the PC was infected and then openned a new IE browser showing the website for the fake software. Unfortunately I did not take any notice of the program's name and force quit the advert. The system tray icon seemed to disappear at the same time and I can't get it to show itself any more.

It was at this point that I noticed winlogon.exe was using so much of the CPU. I have been searching for solutions on Google and found nothing that would point to an easy fix. I did how ever, find that malicious programs may use the winlogon.exe shell to run. I came across many people suffering from this file taking up a lot of CPU usage but the only progress they made was by posting their story on a site such as this!

Here are the HijackThis details from the PC:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:19:42, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Conversions Plus\FORMATM.EXE
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\alg.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\DWRCST.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINNT\System32\DLA\DLACTRLW.EXE
C:\Program Files\McAfee\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O1 - Hosts: 170.46.20.102 swater01
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {465C55EC-203F-44F6-8482-E0A3A99A24DF} - c:\winnt\system32\d3d9w.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {59CD51E3-D51B-487D-BBA7-CEF23E380D7A} - C:\WINNT\system32\atitvo32v.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [FRYMXINS] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [DLA] C:\WINNT\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [MacLicense] "C:\Program Files\Conversions Plus\MacLic.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [internat.exe] internat.exe (User '?')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User '?')
O4 - HKUS\S-1-5-20\..\Run: [internat.exe] internat.exe (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User '?')
O4 - HKUS\S-1-5-21-1614895754-1284227242-839522115-1114\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [internat.exe] internat.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User '?')
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=https://apps.quantumclothing.com
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://noteswm01.quantumclothing.com/iNotes6W.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193060166093
O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} (NTR ActiveX 1.1.8) - http://eu.ntrsupport.com/inquiero/mod/setup/ntractivex118_24.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = WATERMELON.UK.COM
O17 - HKLM\Software\..\Telephony: DomainName = WATERMELON.UK.COM
O17 - HKLM\System\CCS\Services\Tcpip\..\{ACC9790A-0785-440A-A30A-1CF07F955D83}: NameServer = 170.46.20.102
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = WATERMELON.UK.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = WATERMELON.UK.COM
O20 - Winlogon Notify: niluinyl - C:\WINNT\SYSTEM32\d3d9w.dll
O20 - Winlogon Notify: tt - C:\WINNT\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MacFormatService - DataViz Inc. - C:\Program Files\Conversions Plus\FORMATM.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8344 bytes

Thank you for any help or ideas!
Charlie.
0
Comment
Question by:blueboxit
  • 5
  • 4
  • 4
  • +2
18 Comments
 
LVL 66

Expert Comment

by:johnb6767
ID: 20280000
O20 - Winlogon Notify: niluinyl - C:\WINNT\SYSTEM32\d3d9w.dll
O20 - Winlogon Notify: tt - C:\WINNT\

These 2 are more than likely responsible for the high CPU usage...

Install the following and update it. Then boot to Safe Mode to run it....

SUPERAntiSpyware.com - AntiAdware, AntiSpyware, AntiMalware!
http://www.superantispyware.com/
One of the best on the market (and it is free, although you can upgrade and get Real Time Protection).
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 20280036
Do you recognize this entry here as well?
O1 - Hosts: 170.46.20.102 swater01 (based on your 017 entries)

No info on Google.....
O2 - BHO: (no name) - {59CD51E3-D51B-487D-BBA7-CEF23E380D7A} - C:\WINNT\system32\atitvo32v.dll

This is odd...
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYGB


0
 
LVL 66

Expert Comment

by:johnb6767
ID: 20280064
Also, do this for me....

Start>run>cmd

paste the following line in....

reg query "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

Curious to see whether or not there might be other things under Winlogon.....
0
 
LVL 8

Expert Comment

by:devil_himself
ID: 20280240
Your hijackthis log has multiple infections

-----------------------------------------------------------------------------------------------------------------
Please download VundoFix.exe to your desktop.
-----------------------------------------------------

http://www.atribune.org/ccount/click.php?id=4

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt

--------------------------------------------------------------------------------------------------------------------
Download Combofix and save it to your desktop.
----------------------------------------------------

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Note: It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Upload the Log To any Free web Hosting

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
-------------------------------------------------------------------------------------------------------------------------
0
 

Author Comment

by:blueboxit
ID: 20280981
Thank you for your quick responses.

johnb6767:
SUPERAntiSpyware found 6 malicious items and around 60 tracking cookies, which were deleted.
'swater01' is the name of the customer's server so that shouldn't be a problem.
Running the reg query displayed the following: http://img.photobucket.com/albums/v109/Rozzo/Winlogonregquery.jpg

devil_himself:
VundoFix found nothing! Probably because I ran SUPERAntiSpyware before it. The log is as follows.

VundoFix V6.6.1
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Scan started at 15:26:16 11/14/2007
Listing files found while scanning....
No infected files were found.

The ComboFix log can be downloaded here: http://files.filefront.com/ComboFixtxt/;9041492;/fileinfo.html


The computer still suffers from the original problem. Here is an up-to-date HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:56, on 2007-11-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Conversions Plus\FORMATM.EXE
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\DWRCST.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINNT\System32\DLA\DLACTRLW.EXE
C:\Program Files\McAfee\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [FRYMXINS] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [DLA] C:\WINNT\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [MacLicense] "C:\Program Files\Conversions Plus\MacLic.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [internat.exe] internat.exe (User '?')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User '?')
O4 - HKUS\S-1-5-20\..\Run: [internat.exe] internat.exe (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User '?')
O4 - HKUS\S-1-5-21-1614895754-1284227242-839522115-1114\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [internat.exe] internat.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User '?')
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=https://apps.quantumclothing.com
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://noteswm01.quantumclothing.com/iNotes6W.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193060166093
O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} (NTR ActiveX 1.1.8) - http://eu.ntrsupport.com/inquiero/mod/setup/ntractivex118_24.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = WATERMELON.UK.COM
O17 - HKLM\Software\..\Telephony: DomainName = WATERMELON.UK.COM
O17 - HKLM\System\CCS\Services\Tcpip\..\{ACC9790A-0785-440A-A30A-1CF07F955D83}: NameServer = 170.46.20.102
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = WATERMELON.UK.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = WATERMELON.UK.COM
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: tt - C:\WINNT\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MacFormatService - DataViz Inc. - C:\Program Files\Conversions Plus\FORMATM.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7991 bytes

Mank thanks for your support.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 20281156
Did you run SAS in Safe mode?

Did you intentionally install Nircmd.exe? If not, remove it....

Verify these are in fact gone....
C:\WINNT\system32\atitvo32v.dll
C:\WINNT\system32\d3d9w.dll
C:\WINNT\system32\d3d9w.dll.bak
C:\WINNT\system32\drivers\drvvoybu.dat
C:\WINNT\system32\drivers\drvvoybu.sys
C:\WINNT\system32\drivers\shuvagwt.dat
C:\WINNT\system32\drivers\shuvagwt.sys


Look in regedit under the following keys for the services and drivers listed........

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root

-------\LEGACY_IOUOKFJJ
-------\LEGACY_POOF
-------\LEGACY_WMRLHJHI
-------\iouokfjj
-------\wmrlhjhi

Or just search the registry for the above values....

DO ALL THIS IN SAFE MODE!!


0
 
LVL 8

Expert Comment

by:devil_himself
ID: 20281469
It is good we use CFscript to delete all the bad items using combofix ... but as you have done it manually so now just leave it ...

do some online scans
----------------------------------------------------------------------------------------------------------------
Run Kaspersky online virus scan Kaspersky Online Scanner.
http://www.kaspersky.com/virusscanner

After the updates have downloaded, click on the "Scan Settings" button.
Choose the "Extended database" for the scan.
Under "Please select a target to scan", click "My Computer".

Note: You have to use Internet Explorer to do the online scan.

--------------------------------------------------------------------------------------------------------------
After the scan post a new hijackthis log ...
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20297174
Just by looking at the hijackthis log......haven't read the combofix log yet...the upload link is really slow on my pc..it's still loading.

Please download The Avenger by Swandog46 to your Desktop.
http://swandog46.geekstogo.com/avenger.zip

   *Click on Avenger.zip to open the file
   *Extract avenger.exe to your desktop

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy,then paste the following text(all text between the lines below):

-----------------------------------------------------------------------------------------------------------
Files to delete:
C:\WINNT\SYSTEM32\d3d9w.dll

Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\niluinyl
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tt
------------------------------------------------------------------------------------------------------------

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt when you've done.


And have Hijackthis fixed these entries below: (usually hiajckthis can manage to get rid of 02 entries as long as there are no 020 match, unless the match is hiding.
O2 - BHO: (no name) - {465C55EC-203F-44F6-8482-E0A3A99A24DF} - c:\winnt\system32\d3d9w.dll
O2 - BHO: (no name) - {59CD51E3-D51B-487D-BBA7-CEF23E380D7A} - C:\WINNT\system32\atitvo32v.dll
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20297449
-------\LEGACY_IOUOKFJJ
-------\LEGACY_POOF
-------\LEGACY_WMRLHJHI
-------\iouokfjj
-------\wmrlhjhi
those drivers/services are bad yeah....

C:\WINNT\system32\pmhtvoet.dat<-- this file also looks very bad.


>>Did you intentionally install Nircmd.exe? If not, remove it....<<
that file is okay, it's one of the files that combofix installed.


Was the hijackthis scan done before combofix? combofix.txt shows that the file I suggested to be deleted has already been deleted.

Try running SDFix and we'll see what it comes up with.
Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer that normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and paste the contents of the results file "Report.txt" back


Also run this one, let's see what the log shows.(option 1 only list entries and won't delete anything)
Please download Navilog1 by IL-MAFIOSO:
http://perso.orange.fr/il.mafioso/Navifix/Navilog1.zip

* Extract its contents to the desktop.
* Double click on navilog1.exe to install it on your computer.
* When the installation is complete, the tool will start automatically.
* If it doesn't start automatically, please double click on Navilog1 shortcut on your desktop to run it.
* Press E for English from the language Menu.
* Type 1 in the next Menu to select Search and press Enter.
* Wait for the Scan to finish (It may take a reasonable amount of time)
* Press any key as requested .
* A new document will be produced: fixnavi.txt.
* Please copy/paste the contents of this report in your next reply.
* The report is also saved in the root of the directory, "%SystemDrive% ixnavi.txt". (usually C: ixnavi.txt)
0
 

Author Comment

by:blueboxit
ID: 20312736
I have had to take the PC back to the customer so he can do some work this week. I will be able to continue work on it on Friday afternoon at the earliest.

Thanks for all the support. I will hopefully be able to post an update with the required data on Friday.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20317206
blueboxit,
I'd thought I'd mentioned, at the moment, Combofix is not to be used till further notice from its developer.
0
 

Author Comment

by:blueboxit
ID: 20483773
Hello, and sorry for not updating the thread.

A workmate of mine took control of the job while I was on holiday. He found that when running Windows Update it kept failing on one item; the Geniune Advantage Tool. He checked Add/Remove Programs and the tool was already installed, yet Windows Update didn't seem to detect it.  

He did some research and discovered that what ever was happening to the Genuine Advantage application could be causing Winlogon.exe to work constantly. As of yet we don't know exactly what is going on but it is too much of a coincidence for these problems not to be related.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20484259
O20 - Winlogon Notify: niluinyl - C:\WINNT\SYSTEM32\d3d9w.dll

The nasty random dll "d3d9w.dll" that was hooked with the winlogon notify key as john6767 first indicated was the obvious likely culprit for the winlogon high cpu to start with. There were other bad files as well that were removed, but that was the one that showed in the log.

Genuine Advantage tool problem must've been on top of those as well.


0
 

Author Comment

by:blueboxit
ID: 20760791
Ok, time for an update!
I've finally had time to work on the PC again and I've made a lot of ground.

The PC looked clean but something was still making winlogon.exe use 100% CPU time (displayed as 50% because of Hyper Threading). I read about Process Explorer and got myself the latest version. This allowed me to view all running processes and see in detail what each of them was doing. One of the threads for winlogon.exe was pointing to wsil32.dll and was using all the CPU time! I could select the thread, suspend it, and suddenly the CPU usage would drop to normal idle levels.

I started doing some research for wsil32.dll (located in %systemroot%/system32/Appcert) and found a forum post from someone with the same problem. He found that winlogon.exe was trying to read a file called wnl32.dll and couldn't find it, so this was causing for it using so much CPU time. He copied wsil32.dll and re-named it wnl32.dll, and the problem was fixed! I did the same and it worked, too!

The only thing left is to find out why this machine has this Appcert folder in system32, and what is trying to read wnl32.dll. AV scanners, etc still find nothing.
0
 
LVL 66

Accepted Solution

by:
johnb6767 earned 250 total points
ID: 20761189
RegMon for Windows v7.04
http://www.microsoft.com/technet/sysinternals/utilities/regmon.mspx

FileMon for Windows v7.04
http://www.microsoft.com/technet/sysinternals/FileAndDisk/Filemon.mspx

Set teh filter at the top to highlight "access denied", and and try and recreate the errors....Then go to these and look for the red, and it will tell you where the permissions are shot....

Or even use the new and improved utility form Sysinternals, that contains them both....

Process Monitor v1.22
http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx

Set the filter at the top to include "Appcert;wsil32.dll" and highlight "Read"

Should give you some insight.....
0
 

Expert Comment

by:ihgirl
ID: 21091459
blueboxit - I wanted to thank you for pointing out the Process Explorer tool. I had a similar virus, only with explorer.exe taking up 100% CPU. The thread that was found to be causing it was wsil32.dll. I had it scanned by http://virusscan.jotti.org/ which identified it as Trojan-downloader.Win32.Agent.hkb virus. Installed and ran ComboFix which removed the virus, including the system32\Appcert folder.
0

Featured Post

Get up to 2TB FREE CLOUD per backup license!

An exclusive Black Friday offer just for Expert Exchange audience! Buy any of our top-rated backup solutions & get up to 2TB free cloud per system! Perform local & cloud backup in the same step, and restore instantly—anytime, anywhere. Grab this deal now before it disappears!

Join & Write a Comment

It is only natural that we all want our PCs to be in good working order, improved system performance, so that is exactly how programs are advertised to entice. They say things like:            •      PC crashes? Get registry cleaner to repair it!    …
Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now