15 replies to this topic

[mestro]

Here is my log output from a run of hijackthis. If you could look at this and tell me what might be caausing the winlogon process to consume all the CPU resources, I would be most appreciative.

It is a Win2K machine, I have Norton on here, SpySweeper, AdAware so am I hopefully optimistic this is not a trojan or virus. But the winlogon process is constantly running at 90+%.

M

Logfile of HijackThis v1.99.1
Scan saved at 10:36:49 AM, on 11/15/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://concorde.lab.eucom.mil:2002/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [MaxInst] MaxInst
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NAV\vptray.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: Cisco Security Agent.lnk = C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {50F851B0-0BBE-11D2-A237-00C04FBBD1CD} (AvMediaMasterCtrl Class) - https://172.16.120.7...MediaMasENU.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lab.eucom.mil
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E2887EC-11FC-4600-989B-64E5AF3E156D}: Domain = lab.eucom.mil
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E2887EC-11FC-4600-989B-64E5AF3E156D}: NameServer = 192.168.100.10,137.95.3.19,136.95.3.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF4127F2-C836-44D3-8C5C-C92F853093AB}: Domain = lab.eucom.mil
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF4127F2-C836-44D3-8C5C-C92F853093AB}: NameServer = 192.168.100.10,137.95.3.19,137.95.3.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lab.eucom.mil
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lab.eucom.mil
O20 - AppInit_DLLs: csauser.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: CiscoSecure ACS Agent (ACSRemoteAgent) - Unknown owner - C:\Program Files\Cisco\CiscoSecure ACS Agent\CSAgent\CSAgent.exe
O23 - Service: Cisco Security Agent (CSAgent) - Unknown owner - C:\Program Files\Cisco Systems\CSAgent\bin\CSAControl.exe" -t c (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NAV\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DoubleScreenService - Diamond Multimedia Systems, Inc - C:\WINNT\System32\dsnthser.exe
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINNT\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Norton AntiVirus Server - Symantec Corporation - C:\Program Files\NAV\rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

[little eagle]

Need to see a full log please.

[mestro]

Sorry but that is everything that was in the log file. The program created a log file on the desktop and I have just checked and this indeed the entire contents. M

[mestro]

Here is the output from the latest run, this is all that is in the log:

Logfile of HijackThis v1.99.1
Scan saved at 2:23:32 PM, on 11/15/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NAV\defwatch.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dsnthser.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\cba\pds.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\NAV\rtvscan.exe
C:\Program Files\Cisco\CiscoSecure ACS Agent\CSLogAgent\CSLogAgent.exe
C:\Program Files\Cisco\CiscoSecure ACS Agent\CSWinAgent\CSWinAgent.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NAV\vptray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\One Guy Coding\Automachron\achron.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\system32\mmc.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\WINNT\system32\mmc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://concorde.lab.eucom.mil:2002/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [MaxInst] MaxInst
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NAV\vptray.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: Cisco Security Agent.lnk = C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {50F851B0-0BBE-11D2-A237-00C04FBBD1CD} (AvMediaMasterCtrl Class) - https://172.16.120.7...MediaMasENU.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lab.eucom.mil
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E2887EC-11FC-4600-989B-64E5AF3E156D}: Domain = lab.eucom.mil
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E2887EC-11FC-4600-989B-64E5AF3E156D}: NameServer = 192.168.100.10,137.95.3.19,136.95.3.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF4127F2-C836-44D3-8C5C-C92F853093AB}: Domain = lab.eucom.mil
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF4127F2-C836-44D3-8C5C-C92F853093AB}: NameServer = 192.168.100.10,137.95.3.19,137.95.3.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lab.eucom.mil
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lab.eucom.mil
O20 - AppInit_DLLs: csauser.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: CiscoSecure ACS Agent (ACSRemoteAgent) - Unknown owner - C:\Program Files\Cisco\CiscoSecure ACS Agent\CSAgent\CSAgent.exe
O23 - Service: Cisco Security Agent (CSAgent) - Unknown owner - C:\Program Files\Cisco Systems\CSAgent\bin\CSAControl.exe" -t c (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NAV\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DoubleScreenService - Diamond Multimedia Systems, Inc - C:\WINNT\System32\dsnthser.exe
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINNT\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Norton AntiVirus Server - Symantec Corporation - C:\Program Files\NAV\rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

[little eagle]

Is this computor connected to Ford Motor Company


Please download Ewido Security Suite it is a trial version of the program.

• Install ewido security suite
• Launch ewido, there should be an icon on your desktop double-click it.
• The program will now go to the main screen

You will need to update ewido to the latest definition files.

• On the left hand side of the main screen click update
• Then click on Start Update

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Once the updates are installed do the following:

• Click on scanner
• Click on Complete System Scan and the scan will begin.
• NOTE: During some scans with ewido it is finding cases of false positives.**
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
• Once the scan has completed, there will be a button located on the bottom of the screen named Save report
• Click Save report.
• Save the report .txt file to your desktop.

Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

Edited by little eagle, 15 November 2005 - 08:06 AM.

[little eagle]

Sorry but that is everything that was in the log file. The program created a log file on the desktop and I have just checked and this indeed the entire contents.

M

The running processes were not listed.

[little eagle]

open

Edited by little eagle, 01 December 2005 - 04:25 AM.

[mestro]

Here is the log from ewidio. Mike --------------------------------------------------------- ewido security suite - Scan report --------------------------------------------------------- + Created on: 11:42:12 AM, 11/26/2005 + Report-Checksum: 903E5707 + Scan result: HKU\S-1-5-21-1004336348-162531612-682003330-500\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup C:\Documents and Settings\Administrator\Cookies\administrator@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup ::Report End

[little eagle]

Download System Security Suite v1.04 here
Tutorial here.

Run 3S under “Items To Clear” tab place a checkmark in all of them but the last.
Reboot and Rescan with HJT and post a new log here.
Also please describe how your computer behaves now.

[mestro]

OK, here is the logfile from the latest HJT run after having run 3S and re-boot, the system is now running better, the winlogon process does not seem to be utilizing any CPU resources. I will watch the PC for the remained of the day....this is a domain controller in a lab, BTW. Would like to know what the issue was.

Logfile of HijackThis v1.99.1
Scan saved at 2:45:59 PM, on 12/2/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NAV\defwatch.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dsnthser.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\cba\pds.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Cisco\CiscoSecure ACS Agent\CSLogAgent\CSLogAgent.exe
C:\Program Files\Cisco\CiscoSecure ACS Agent\CSWinAgent\CSWinAgent.exe
C:\Program Files\NAV\rtvscan.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NAV\vptray.exe
C:\Program Files\One Guy Coding\Automachron\achron.exe
C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe
C:\WINNT\System32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\WINNT\system32\taskmgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://concorde.lab.eucom.mil:2002/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [MaxInst] MaxInst
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NAV\vptray.exe
O4 - Global Startup: Cisco Security Agent.lnk = C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {50F851B0-0BBE-11D2-A237-00C04FBBD1CD} (AvMediaMasterCtrl Class) - https://172.16.120.7...MediaMasENU.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lab.eucom.mil
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E2887EC-11FC-4600-989B-64E5AF3E156D}: Domain = lab.eucom.mil
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E2887EC-11FC-4600-989B-64E5AF3E156D}: NameServer = 192.168.100.10,137.95.3.19,136.95.3.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF4127F2-C836-44D3-8C5C-C92F853093AB}: Domain = lab.eucom.mil
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF4127F2-C836-44D3-8C5C-C92F853093AB}: NameServer = 192.168.100.10,137.95.3.19,137.95.3.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lab.eucom.mil
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lab.eucom.mil
O20 - AppInit_DLLs: csauser.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: CiscoSecure ACS Agent (ACSRemoteAgent) - Unknown owner - C:\Program Files\Cisco\CiscoSecure ACS Agent\CSAgent\CSAgent.exe
O23 - Service: Cisco Security Agent (CSAgent) - Unknown owner - C:\Program Files\Cisco Systems\CSAgent\bin\CSAControl.exe" -t c (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NAV\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DoubleScreenService - Diamond Multimedia Systems, Inc - C:\WINNT\System32\dsnthser.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINNT\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Norton AntiVirus Server - Symantec Corporation - C:\Program Files\NAV\rtvscan.exe

[little eagle]

I will watch the PC for the remained of the day....this is a domain controller in a lab, BTW. Would like to know what the issue was.

Yes, also do you have any idea what O4 - HKLM\..\Run: [MaxInst] MaxInst is doesn't look right? can you do a search and see what file it is associated with.

[mestro]

I have no idea what MAXINST is. How do I check to see what it is associated with?

[mestro]

OK it is associated with a SW package for DSMMEDIA whihc also has some driver associated so I must assume it is a HW component.

[mestro]

OK and one more instance of it is associated with NAV (Norton Anti-Virus). Things still seem fine.

[little eagle]

And the last log look fine

If there is no more that can be done we can close this thread.

Take a look at Tony Klein's article
So how did I get infected in the first place?