Jump to content


Photo
- - - - -

Winlogon.exe and csrss.exe Infections

Winlogon.exe csrss.exe

  • This topic is locked This topic is locked
11 replies to this topic

#1 twotix

twotix

    New Member

  • Members
  • Pip
  • 7 posts

Posted 23 August 2013 - 04:17 AM

RE: Winlogon.exe and csrss.exe infections                

 

Hello,

 

I’m running XP Pro, SP3. I noticed in Glarysoft Pro 3 under processes these two items which appear to be Trojans from my research. One indicator is the executable path which is not my normal system32 folder which on my machine is E:\WINDOWS\system32 folder. The infections have the same file name but with two questionmarks in front. They are also the only two processes that have high priority. My windows system32 folder has the real winlogon.exe that is only 496kb versus the infection file which shows memory of 2554 kb. Same deal for csrss.exe which is 6kb versus the infection at 2764kb. I read that malware files are much larger than the real windows files.

 

Under the Windows Task Manager, they cannot be ended because they are “critical” system processes nor could I end them in Glarysoft 3. Akso, these are not showing up on the attached DDS log.

 

Infections

Name                      Executable

winlogon.exe           \\??\E:\WINDOWS\system32\winlogon.exe

csrss.exe                 \\??\E:\WINDOWS\system32\csrss.exe

 

Also, are these processes legit as they have no information.:

 

System

System Idle Processes

 

I read another thread for troubleshooting winlogon.exe in this forum and ran Roguekiller as was suggested and have attached the report but didn’t delete anything. Thought it might give an indication.

 

I’m running a trial version of Kaspersky Pure 3.0 and MBAM Pro which hasn’t been automatically starting. A few weeks ago, I had to reinstall XP Pro which is why it is on my E partition. I tried to restore a registry backup from Glarysoft and when windows tried to load it would get into a reboot loop. I figured I had nuked the registry.

 

The required dds and attach.txt logs are attached.

 

Thanks!

 

 

Attached Files



#2 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,188 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 23 August 2013 - 06:35 AM

Welcome to the forum.

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.
(please don't put logs in code or quotes)

P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
2. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.
Failure to remove such software will result in your topic being closed and no further assistance being provided.


MrC


Note:
Please read all of my instructions completely including these.

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly


Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive


<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.


<+>The removal of malware isn't instantaneous, please be patient.


<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs


<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.


------->Your topic will be closed if you haven't replied within 3 days!<--------
(If I don't respond within 24 hours, please send me a PM)


Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#3 twotix

twotix

    New Member

  • Members
  • Pip
  • 7 posts

Posted 24 August 2013 - 11:50 AM

Done.Thanks!

 

RogueKiller V8.6.6 [Aug 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.co...es/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Justin [Admin rights]
Mode : Scan -- Date : 08/24/2013 12:40:50
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 1 ¤¤¤
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[FF][PROXY] s9exjmvz.default-1376154624703 : user_pref("network.proxy.type", 4); -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤
-> C:\windows\system32\config\SYSTEM | DRVINFO [Drv - C:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> C:\windows\system32\config\SOFTWARE | DRVINFO [Drv - C:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> C:\windows\system32\config\SECURITY | DRVINFO [Drv - C:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> C:\windows\system32\config\SAM | DRVINFO [Drv - C:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> C:\windows\system32\config\DEFAULT | DRVINFO [Drv - C:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> C:\Documents and Settings\Admin\NTUSER.DAT | DRVINFO [Drv - C:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> C:\Documents and Settings\Administrator\NTUSER.DAT | DRVINFO [Drv - C:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> C:\Documents and Settings\All Users\NTUSER.DAT | DRVINFO [Drv - C:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> C:\Documents and Settings\Bethie\NTUSER.DAT | DRVINFO [Drv - C:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> C:\Documents and Settings\Default User\NTUSER.DAT | DRVINFO [Drv - C:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> C:\Documents and Settings\fbwuser\NTUSER.DAT | DRVINFO [Drv - C:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> C:\Documents and Settings\Justin\NTUSER.DAT | DRVINFO [Drv - C:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> C:\Documents and Settings\Justin.NA\NTUSER.DAT | DRVINFO [Drv - C:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> C:\Documents and Settings\LocalService\NTUSER.DAT | DRVINFO [Drv - C:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> C:\Documents and Settings\NA\NTUSER.DAT | DRVINFO [Drv - C:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> C:\Documents and Settings\NetworkService\NTUSER.DAT | DRVINFO [Drv - C:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> C:\Documents and Settings\User\NTUSER.DAT | DRVINFO [Drv - C:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> C:\Documents and Settings\User.NA\NTUSER.DAT | DRVINFO [Drv - C:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST380013A +++++
--- User ---
[MBR] 031099d2871845ab8309953ce80d88af
[BSP] cb5c6d4d10172c38b46246562b823fcc : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 39997 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 81915435 | Size: 36310 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: ST380013A +++++
--- User ---
[MBR] fbb62b50edccfee2acb93d19dbb15866
[BSP] 99ae7c83941e693fe6415400241f8bbe : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 134003 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 274438395 | Size: 104461 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_08242013_124050.txt >>



 



#4 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,188 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 24 August 2013 - 12:19 PM

Download Malwarebytes Anti-Rootkit from HERE
  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt
To attach a log if needed:

Bottom right corner of this page.
more-reply-options.jpg

New window that comes up.
choose-files1.jpg

~~~~~~~~~~~~~~~~~~~~~~~

Note:
If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
Internet access
Windows Update
Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.


MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#5 twotix

twotix

    New Member

  • Members
  • Pip
  • 7 posts

Posted 24 August 2013 - 01:23 PM

Done. Nothing found. Processes are still running. Please see the attached screen shots from Task Manager and Glary Utilities Process manager. Same issues as explained in first post. Please refer to that for an explanation.Task Manager still won't allow ending processes because they are critical system ones while Glarysoft won't either. The system path with the questionmarks in front and high priority looks like they are disquised and rogue.Thanks.

Attached Files



#6 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,188 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 24 August 2013 - 01:31 PM

Next......

Please download and run ComboFix.
 
The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.
 
Please visit this webpage for download links, and instructions for running ComboFix
 
http://www.bleepingc...to-use-combofix
 
Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
 
Information on disabling your malware programs can be found Here.
 
Make sure you run ComboFix from your desktop.  
 
Give it at least 30-45 minutes to finish if needed.
 
Please include the C:\ComboFix.txt in your next reply for further review.
 

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.
 
MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#7 twotix

twotix

    New Member

  • Members
  • Pip
  • 7 posts

Posted 24 August 2013 - 03:49 PM

Combofix log attached. Thx.

Attached Files

  • Attached File  log.txt   12.8KB   0 downloads


#8 twotix

twotix

    New Member

  • Members
  • Pip
  • 7 posts

Posted 24 August 2013 - 06:13 PM

Combofix log attached. Thx.

Oops...sent you the log file. Attached the combofix.txt as requested although probably the same. Thanks!

Attached Files



#9 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,188 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 24 August 2013 - 06:34 PM

I don't see any problems...MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#10 twotix

twotix

    New Member

  • Members
  • Pip
  • 7 posts

Posted 24 August 2013 - 08:42 PM

Both are still there but thanks anyway.



#11 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,188 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 25 August 2013 - 06:39 AM

Being helped here:


http://www.bleepingc...here/?p=3139002

This post will be closed. MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#12 AdvancedSetup

AdvancedSetup

    Staff

  • Root Admin
  • PipPipPipPipPipPip
  • 41,163 posts
  • Gender:Male
  • Location:US

Posted 25 August 2013 - 03:19 PM

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.

Ron Lewis
Forum Community Manager

staff.png

Follow us: Twitter, Become a fan: Facebook






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users