Strange behaviour with AGL.EXE & WINLOGON.EXE

roland.bird

Over the last few days I've slowly been tracking these 2 processes and
some of the strange things they are doing. My feeling is that either
these or some other files are infected with a trojan, but I'm running
Trend Micro's PC-cillin & Anti-spy ware tools, and nothing.

I first noticed a few stray processes in taskmgr. WIN63.TMP.EXE. The
file is located in C:\WINDOWS\TEMP. I also noticed lots of 0 byte temp
files. This is not normal behaviour. My next step was to find out
what process was attempting to spawn this temp file. And it turned out
to be WINLOGON.EXE.

I've put in a security policy that is currently stopping WINLOGON.EXE
from executing these temp files. I've also sent the temp file to Trend
for analysis. This is their response.
Greetings!
We have analyzed the file winEE5.tmp.exe (172,099 bytes) that you submitted to us and verified that it is non malicious by itself.
This file tries to connect to a certain website which does not exist anymore and therefore could not cause any harm in the system. This file may arrive in the system as result of visiting some websites or could be bundled by a software application.
Hopefully, we have addressed your concern.
Thank you for consulting TrendLabs.
Have a virus-free day!

Ok, so it's non-malicious, but how did it get there? There must be some
other process fetching it, right? I've now submitted the WINLOGON.EXE
for them to look at. But I don't think they will find anything.

Using the Sysinternals ListDLLs tool I found a strange dll linked to
WINLOGON.EXE: wingzn32.dll. I couldn't find any information on it,
so I renamed it. Everything still works, and there are no more temp
files being created in C:\WINDOWS\TEMP.

But, now I get messages about ALG.EXE trying to connect to an ftp site.
I'm denying its request.

Anyone been through something similar or perhaps offer any suggestions?

Wesley Vogel

There should be two winlogon.exe files,
C:\WINDOWS\system32
and
C:\WINDOWS\system32\dllcache

Check your version(s) of winlogon.exe here...
http://support.microsoft.com/dllhelp/?dlltype=file&l=55&alpha=winlogon.exe&S=1&x=9&y=7

[[WinLogon.exe is the Windows NT login manager. It handles the login and
logout procedures on your system. This process is an essential part of your
OS and should be left alone.

Note: winlogon.exe is also a process which is registered as
Trojan.W32.Netsky and the Backdoor.w32.Prorat Trojans. The Netsky worm is
distributed via the Internet through e-mail and comes in the form of an
e-mail message, in the hopes that you open its hostile attachment. The worm
has its own SMTP engine which means it gathers e-mails from your local
computer and re-distributes itself. In worst cases this worm can allow
attackers to access your computer, stealing passwords and personal data. It
is a registered security risk and should be removed immediately. ]]
from...
http://www.liutilities.com/products/wintaskspro/processlibrary/winlogon/

C:\Windows\winlogon.exe is not good.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

David H. Lipman

From: <[email protected]>

| Over the last few days I've slowly been tracking these 2 processes and
| some of the strange things they are doing. My feeling is that either
| these or some other files are infected with a trojan, but I'm running
| Trend Micro's PC-cillin & Anti-spy ware tools, and nothing.
|
| I first noticed a few stray process in taskmgr. WIN63.TMP.EXE. The
| file is located in C:\WINDOWS\TEMP. I also noticed lots of 0 byte temp
| files. This is not normal behaviour. My next step was to found out
| what process was attempting to spawn this temp file. And it turned out
| to be WINLOGON.EXE.
|
| I've put in a security policy that is currently stopping WINLOGON.EXE
| from executing these temp files. I've also sent the temp file to Trend
| for analysis. This is their response.

Files like; WIN63.TMP.EXE are Trojans.


Please submit samples of WIN??.TMP.EXE files to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.


For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

* SpyBot Search and Destroy v1.4
http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://harrisonrj.home.comcast.net/step_by_step_pc_cleaning_process.htm#Step_3_%96_Getting_Help


* * * Please report back your results * * *
roland.bird

Thanks for your responses here's the results so far....

I have put through the following files: WINLOGON.EXE, ALG.EXE,
SVCHOST.EXE, WINGZN32.DLL, & WIN13.TMP.EXE

The results of the scan for the first three came back clean. However
the other two were not.
This is a report processed by VirusTotal on 02/26/2006 at 04:52:18 (CET) after scanning the file "wingzn32.dll" file.
Antivirus Version Update Result
AntiVir 6.33.1.50 02.25.2006 no virus found
Avast 4.6.695.0 02.23.2006 Win32:Trojano-3292
AVG 718 02.24.2006 Clicker.BQZ
Avira 6.33.1.50 02.25.2006 no virus found
BitDefender 7.2 02.26.2006 Trojan.Clicker.G
CAT-QuickHeal 8.00 02.25.2006 no virus found
ClamAV devel-20060126 02.26.2006 no virus found
DrWeb 4.33 02.25.2006 no virus found
eTrust-InoculateIT 23.71.86 02.25.2006 no virus found
eTrust-Vet 12.4.2095 02.24.2006 no virus found
Ewido 3.5 02.25.2006 Hijacker.Small.kb
Fortinet 2.71.0.0 02.26.2006 Adware/Small
F-Prot 3.16c 02.25.2006 security risk named W32/Adclicker.QF
Ikarus 0.2.59.0 02.24.2006 no virus found
Kaspersky 4.0.2.24 02.26.2006 Trojan-Clicker.Win32.Small.kb
McAfee 4705 02.24.2006 no virus found
NOD32v2 1.1418 02.24.2006 no virus found
Norman 5.70.10 02.24.2006 no virus found
Panda 9.0.0.4 02.25.2006 Suspicious file
Sophos 4.02.0 02.25.2006 Troj/Small-AMR
Symantec 8.0 02.26.2006 Download.Trojan
TheHacker 5.9.4.102 02.24.2006 no virus found
UNA 1.83 02.24.2006 TrojanClicker.Win32.Small
VBA32 3.10.5 02.26.2006 Trojan-Clicker.Win32.Small.kb

According to this it appears to be an adware clicker trojan of sorts.
Now the next one....
This is a report processed by VirusTotal on 02/26/2006 at 05:16:22 (CET) after scanning the file "win13.tmp.exe" file.
Antivirus Version Update Result
AntiVir 6.33.1.50 02.25.2006 no virus found
Avast 4.6.695.0 02.20.2006 no virus found
AVG 718 02.24.2006 no virus found
Avira 6.33.1.50 02.25.2006 no virus found
BitDefender 7.2 02.26.2006 no virus found
CAT-QuickHeal 8.00 02.25.2006 no virus found
ClamAV devel-20060126 02.26.2006 no virus found
DrWeb 4.33 02.25.2006 no virus found
eTrust-InoculateIT 23.71.86 02.25.2006 no virus found
eTrust-Vet 12.4.2095 02.24.2006 no virus found
Ewido 3.5 02.25.2006 no virus found
Fortinet 2.71.0.0 02.26.2006 W32/Dloader.AUW-tr
F-Prot 3.16c 02.25.2006 no virus found
Ikarus 0.2.59.0 02.24.2006 no virus found
Kaspersky 4.0.2.24 02.26.2006 no virus found
McAfee 4705 02.24.2006 no virus found
NOD32v2 1.1418 02.24.2006 no virus found
Norman 5.70.10 02.24.2006 no virus found
Panda 9.0.0.4 02.25.2006 Suspicious file
Sophos 4.02.0 02.25.2006 no virus found
Symantec 8.0 02.26.2006 Download.Trojan
TheHacker 5.9.4.102 02.24.2006 no virus found
UNA 1.83 02.24.2006 no virus found
VBA32 3.10.5 02.26.2006 no virus found

This also appears to be a trojan download. I'm assuming that the
previous DLL is the downloader.

The WINGZN32.DLL has linked itself to WINLOGON.EXE somehow. Here's an
extract of the dll's used by winlogon.exe using Process Explorer.

Process: winlogon.exe Pid: 780

Name Description Company Name Version
advapi32.dll Advanced Windows 32 Base API Microsoft Corporation 5.01.2600.2180
apphelp.dll Application Compatibility Client Library Microsoft Corporation 5.01.2600.2180
authz.dll Authorization Framework Microsoft Corporation 5.01.2600.2622
clbcatq.dll Microsoft Corporation 2001.12.4414.0308
comctl32.dll Common Controls Library Microsoft Corporation 5.82.2900.2180
comctl32.dll User Experience Controls Library Microsoft Corporation 6.00.2900.2180
comdlg32.dll Common Dialogs DLL Microsoft Corporation 6.00.2900.2180
comres.dll Microsoft Corporation 2001.12.4414.0258
crypt32.dll Crypto API32 Microsoft Corporation 5.131.2600.2180
cscdll.dll Offline Network Agent Microsoft Corporation 5.01.2600.2180
cscui.dll Client Side Caching UI Microsoft Corporation 5.01.2600.2180
ctype.nls
gdi32.dll GDI Client DLL Microsoft Corporation 5.01.2600.2818
imagehlp.dll Windows NT Image Helper Microsoft Corporation 5.01.2600.2180
iphlpapi.dll IP Helper API Microsoft Corporation 5.01.2600.2180
kernel32.dll Windows NT BASE API Client DLL Microsoft Corporation 5.01.2600.2180
locale.nls
midimap.dll Microsoft MIDI Mapper Microsoft Corporation 5.01.2600.2180
mpr.dll Multiple Provider Router DLL Microsoft Corporation 5.01.2600.2180
msacm32.dll Microsoft ACM Audio Filter Microsoft Corporation 5.01.2600.2180
msacm32.drv Microsoft Sound Mapper Microsoft Corporation 5.01.2600.0000
msasn1.dll ASN.1 Runtime APIs Microsoft Corporation 5.01.2600.2180
msgina.dll Windows NT Logon GINA DLL Microsoft Corporation 5.01.2600.2180
msv1_0.dll Microsoft Authentication Package v1.0 Microsoft Corporation 5.01.2600.2180
msvcrt.dll Windows NT CRT DLL Microsoft Corporation 7.00.2600.2180
nddeapi.dll Network DDE Share Management APIs Microsoft Corporation 5.01.2600.2180
netapi32.dll Net Win32 API DLL Microsoft Corporation 5.01.2600.2180
ntdll.dll NT Layer DLL Microsoft Corporation 5.01.2600.2180
ntmarta.dll Windows NT MARTA provider Microsoft Corporation 5.01.2600.2180
odbc32.dll Microsoft Data Access - ODBC Driver Manager Microsoft Corporation 3.525.1117.0000
odbcint.dll Microsoft Data Access - ODBC Resources Microsoft Corporation 3.525.1117.0000
ole32.dll Microsoft OLE for Windows Microsoft Corporation 5.01.2600.2726
oleaut32.dll Microsoft Corporation 5.01.2600.2180
profmap.dll Userenv Microsoft Corporation 5.01.2600.2180
psapi.dll Process Status Helper Microsoft Corporation 5.01.2600.2180
rasapi32.dll Remote Access API Microsoft Corporation 5.01.2600.2180
rasman.dll Remote Access Connection Manager Microsoft Corporation 5.01.2600.2180
regapi.dll Registry Configuration APIs Microsoft Corporation 5.01.2600.2180
rpcrt4.dll Remote Procedure Call Runtime Microsoft Corporation 5.01.2600.2180
rsaenh.dll Microsoft Enhanced Cryptographic Provider Microsoft Corporation 5.01.2600.2161
rtutils.dll Routing Utilities Microsoft Corporation 5.01.2600.2180
samlib.dll SAM Library DLL Microsoft Corporation 5.01.2600.2180
secur32.dll Security Support Provider Interface Microsoft Corporation 5.01.2600.2180
setupapi.dll Windows Setup API Microsoft Corporation 5.01.2600.2180
sfc.dll Windows File Protection Microsoft Corporation 5.01.2600.2180
sfc_os.dll Windows File Protection Microsoft Corporation 5.01.2600.2180
shell32.dll Windows Shell Common Dll Microsoft Corporation 6.00.2900.2763
shlwapi.dll Shell Light-weight Utility Library Microsoft Corporation 6.00.2900.2781
shsvcs.dll Windows Shell Services Dll Microsoft Corporation 6.00.2900.2180
sortkey.nls
sorttbls.nls
sxs.dll Fusion 2.5 Microsoft Corporation 5.01.2600.2180
tapi32.dll Microsoft® Windows(TM) Telephony API Client DLL Microsoft Corporation 5.01.2600.2180
unicode.nls
user32.dll Windows XP USER API Client DLL Microsoft Corporation 5.01.2600.2622
userenv.dll Userenv Microsoft Corporation 5.01.2600.2180
uxtheme.dll Microsoft UxTheme Library Microsoft Corporation 6.00.2900.2180
version.dll Version Checking and File Installation Libraries Microsoft Corporation 5.01.2600.2180
wdmaud.drv WDM Audio driver mapper Microsoft Corporation 5.01.2600.2180
**>>wingzn32.dll <<** THIS ONE STOOD OUT FROM THE REST
winlogon.exe Windows NT Logon Application Microsoft Corporation 5.01.2600.2180
winmm.dll MCI API DLL Microsoft Corporation 5.01.2600.2180
winscard.dll Microsoft Smart Card API Microsoft Corporation 5.01.2600.2180
winspool.drv Windows Spooler Driver Microsoft Corporation 5.01.2600.2180
winsta.dll Winstation Library Microsoft Corporation 5.01.2600.2180
wintrust.dll Microsoft Trust Verification APIs Microsoft Corporation 5.131.2600.2180
wldap32.dll Win32 LDAP API DLL Microsoft Corporation 5.01.2600.2180
wlnotify.dll Common DLL to receive Winlogon notifications Microsoft Corporation 5.01.2600.2180
ws2_32.dll Windows Socket 2.0 32-Bit DLL Microsoft Corporation 5.01.2600.2180
ws2help.dll Windows Socket 2.0 Helper for Windows NT Microsoft Corporation 5.01.2600.2180
wtsapi32.dll Windows Terminal Server SDK APIs Microsoft Corporation 5.01.2600.2180
xpsp2res.dll Service Pack 2 Messages Microsoft Corporation 5.01.2600.2180

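The module listing above is exactly what a defender scans by eye: every entry has a description, a company name and a version except the .nls data tables and the one unknown DLL. The following added example (not from the thread, and not a Sysinternals tool) automates that triage over a constructed listing in the same space-separated layout shown above; the copy-out format, the sample lines and the vendor heuristic are assumptions.

```python
import re
from dataclasses import dataclass

# Process Explorer's DLL view copies out as one space-separated line per
# module: Name, Description, Company Name, Version.  Description and company
# are free text, so the parser anchors on the two fixed ends: the file name
# in front and a dotted version number at the back.  (Assumed layout.)
VERSION_RE = re.compile(r"^\d+(?:\.\d+){1,3}$")
CORP_SUFFIXES = {"Corporation", "Corp.", "Inc.", "Ltd.", "GmbH"}
# Only these carry code.  .nls files are data tables that Process Explorer
# also lists, with no version resource, so they must not be flagged.
CODE_EXTS = (".dll", ".exe", ".drv", ".ocx", ".sys")

# Constructed sample in the layout of the listing above (not the full list).
SAMPLE = """\
Process: winlogon.exe Pid: 780

Name Description Company Name Version
advapi32.dll Advanced Windows 32 Base API Microsoft Corporation 5.01.2600.2180
clbcatq.dll Microsoft Corporation 2001.12.4414.0308
ctype.nls
msgina.dll Windows NT Logon GINA DLL Microsoft Corporation 5.01.2600.2180
wingzn32.dll
winlogon.exe Windows NT Logon Application Microsoft Corporation 5.01.2600.2180
"""

@dataclass
class Module:
    name: str
    description: str
    company: str
    version: str

def parse_procexp_dlls(text: str) -> list:
    """Parse the copied DLL view into Module records; blank fields stay ''."""
    mods = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Process:", "Name ")):
            continue
        words = line.split()
        name, rest = words[0], words[1:]
        version = rest.pop() if rest and VERSION_RE.match(rest[-1]) else ""
        company = ""
        if len(rest) >= 2 and rest[-1] in CORP_SUFFIXES:
            company, rest = " ".join(rest[-2:]), rest[:-2]
        mods.append(Module(name, " ".join(rest), company, version))
    return mods

def triage(mods: list, expected_vendor: str = "Microsoft") -> list:
    """Return (module, reason) for code modules that do not look like they
    belong in a core OS process: no version resource, or a foreign vendor."""
    findings = []
    for m in mods:
        if not m.name.lower().endswith(CODE_EXTS):
            continue  # data files such as *.nls are expected to be bare
        if not m.version and not m.company:
            findings.append((m.name, "no version resource or company name"))
        elif expected_vendor.lower() not in m.company.lower():
            findings.append((m.name, f"third-party module: {m.company or 'unknown vendor'}"))
    return findings

if __name__ == "__main__":
    for name, why in triage(parse_procexp_dlls(SAMPLE)):
        print(f"{name}: {why}")
```

A hit from this check is a lead, not a verdict: the next step is what the poster did, submitting the file to multi-engine scanning.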
David H. Lipman

From: <[email protected]>

| Thanks for your responses here's the results so far....
|
| i have put through the following files: WINLOGON.EXE, ALG.EXE,
| SVCHOST.EXE, WINGZN32.DLL, & WIN13.TMP.EXE
|
| The results of the scan for the first three came back clean. However
| the other two where not.
|
OK. What about the results of the Multi AV scan?