Re: Strange behaviour with AGL.EXE & WINLOGON.EXE
There should be two winlogon.exe files,
C:\WINDOWS\system32
and
C:\WINDOWS\system32\dllcache

Check your version(s) of winlogon.exe here...
http://support.microsoft.com/dllhelp/?dlltype=file&l=55&alpha=winlogon.exe&S=1&x=9&y=7

[[WinLogon.exe is the Windows NT login manager. It handles the login and
logout procedures on your system. This process is an essential part of your
OS and should be left alone.

Note: winlogon.exe is also a process which is registered as
Trojan.W32.Netsky and the Backdoor.w32.Prorat Trojans. The Netsky worm is
distributed via the Internet through e-mail and comes in the form of an
e-mail message, in the hopes that you open its hostile attachment. The worm
has its own SMTP engine which means it gathers E-mails from your local
computer and re-distributes itself. In worst cases this worm can allow
attackers to access your computer, stealing passwords and personal data. It
is a registered security risk and should be removed immediately. ]]
from...
http://www.liutilities.com/products/wintaskspro/processlibrary/winlogon/

C:\Windows\winlogon.exe is not good.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In news:1140897908.189979.82960@xxxxxxxxxxxxxxxxxxxxxxxxxxxx,
roland.bird@xxxxxxxxx <roland.bird@xxxxxxxxx> hunted and pecked:
Over the last few days I've slowly been tracking these 2 processes and
some of the strange things they are doing. My feeling is that either
these or some other files are infected with a trojan, but I'm running
Trend Micro's PC-cillin & Anti-spy ware tools, and nothing.

I first noticed a few stray processes in taskmgr. WIN63.TMP.EXE. The
file is located in C:\WINDOWS\TEMP. I also noticed lots of 0 byte temp
files. This is not normal behaviour. My next step was to find out
what process was attempting to spawn this temp file. And it turned out
to be WINLOGON.EXE.

I've put in a security policy that is currently stopping WINLOGON.EXE
from executing these temp files. I've also sent the temp file to Trend
for analysis. This is their response.

Greetings!

We have analyzed the file winEE5.tmp.exe (172,099 bytes) that you
submitted to us and verified that it is non malicious by itself.

This file tries to connect to a certain website which does not exist
anymore and therefore could not cause any harm in the system. This file
may arrive in the system as a result of visiting some websites or could
be bundled by a software application.

Hopefully, we have addressed your concern.

Thank you for consulting TrendLabs.

Have a virus-free day!

OK, so it's non-malicious, but how did it get there? There must be some
other process fetching it, right? I've now submitted the WINLOGON.EXE
for them to look at. But I don't think they will find anything.

Using System Internals ListDll tool I found a strange dll linked to
WINLOGON.EXE. wingzn32.dll . I couldn't find any information on it,
so I renamed it. Everything still works, and there are no more temp
files being created in C:\WINDOWS\TEMP

But, now I get messages about ALG.EXE trying to connect to an ftp site.
I'm denying its request.

Anyone been through something similar or perhaps offer any suggestions?
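As an added example, not code from the thread or from any of its posters, here is a PowerShell triage script that folds the reply's two checks into one command: it lists every winlogon.exe under %SystemRoot% with its hash and signature state, flagging copies outside system32 and dllcache (WinSxS is also allowed on Vista and later), and it lists DLLs loaded into the live winlogon process from outside those directories, which is the check that surfaced wingzn32.dll above. The function name Get-WinlogonTriage and the WinSxS allowance are my assumptions.

```powershell
# Added example, not part of the thread: defender-side triage of winlogon.exe on a Windows host.
# Run from an elevated PowerShell 4+ prompt (admin rights are needed to read winlogon's modules).
function Get-WinlogonTriage {
    $sys32 = Join-Path $env:SystemRoot 'system32'
    # Locations where a legitimate winlogon.exe may live: system32, the XP/2003 Windows File
    # Protection cache (dllcache) named in the reply, and WinSxS component copies on Vista+.
    $allowed = @(
        (Join-Path $sys32 'winlogon.exe'),
        (Join-Path $sys32 'dllcache\winlogon.exe'),
        (Join-Path $env:SystemRoot 'WinSxS\*\winlogon.exe')
    )
    # 1. Every winlogon.exe under %SystemRoot%. A copy anywhere else (e.g. C:\Windows\winlogon.exe)
    #    is the red flag the reply warns about. Catalog-signed OS binaries may show NotSigned on
    #    older Windows, so also compare the hashes of the system32 and dllcache copies: they must match.
    Get-ChildItem -Path $env:SystemRoot -Filter 'winlogon.exe' -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $path = $_.FullName
            $known = [bool]($allowed | Where-Object { $path -like $_ })
            $verdict = if ($known) { 'expected-location' } else { 'SUSPECT-location' }
            [pscustomobject]@{
                Check    = 'file'
                Verdict  = $verdict
                Sha256   = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
                SigState = (Get-AuthenticodeSignature -FilePath $path).Status
                Path     = $path
            }
        }
    # 2. DLLs loaded into the live winlogon process from outside system32/WinSxS. This is the
    #    check that exposed wingzn32.dll in the original post (done there with Sysinternals ListDLLs).
    $sxs = Join-Path $env:SystemRoot 'WinSxS\*'
    foreach ($p in Get-Process -Name winlogon -ErrorAction SilentlyContinue) {
        try { $mods = $p.Modules } catch { Write-Warning "Cannot read modules of PID $($p.Id): $_"; continue }
        foreach ($m in $mods) {
            if ($m.FileName -notlike "$sys32\*" -and $m.FileName -notlike $sxs) {
                [pscustomobject]@{
                    Check    = 'module'
                    Verdict  = 'SUSPECT-module'
                    Sha256   = (Get-FileHash -Algorithm SHA256 -Path $m.FileName).Hash
                    SigState = (Get-AuthenticodeSignature -FilePath $m.FileName).Status
                    Path     = "PID $($p.Id): $($m.FileName)"
                }
            }
        }
    }
}

Get-WinlogonTriage | Format-Table -AutoSize
```

Any row marked SUSPECT is a lead, not a verdict: check the hash against the vendor's file information page linked in the reply before renaming or removing anything.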
