pakachoag

3 Posts

June 14th, 2011 19:00

Winlogon.exe process thrashing with McAfee real-time scanning - malware infection?

Very recently, this Dell PC running XP Home (sp3, with all updates current) and McAfee (VirusScan build 15.0.288. engine version 5400.1158, DAT version 6375 of 6/13/2011) begain experiencing very high CPU spikes and slow performance. The winlogon.exe process was spiking from 10% to 80% about once every second, and web searches suggested this had in the past been a symptom of a malware infection. McAfee full scans revealed nothing. However, the CPU activity would return to normal when McAfee real-time scanning is turned off, and will spike again when real-time protection is re-enabled. McAfee's only suggestion was to reinstall McAfee (done, problem persists) so it's time to explore other options.

Thanks in advance for your help.

HIJACKTHIS LOG FOLLOWS:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:16:10 PM, on 6/14/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\USER02\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f409.mail.yahoo.com/ym/login
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110531175322.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
O18 - Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\mcsniepl.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

--
End of file - 7432 bytes

Responses(6)

pakachoag

3 Posts

June 20th, 2011 08:00

Hello again,

Sorry for the delay in updating this thread.

I ran the GMER rootkit scanner as you suggested, and it came up negative. I ran it first in its verbose mode (Show All checked - the log file produced was huge, so I have not attached it). I then ran it a second time with "Show All" unchecked (to see if it would produce a more manageable log), but it crashed with a BSOD when windows update decided to kick in.

After a restart, I let the windows updates run their course, and following the next restart (with windows updates installed) the previously observed conflict (mcafee vs winlogon) went away completely. It seems that one of the recent critical updates to XP has solved the problem, leading me to believe there may have been a problem with an earlier windows update.

As the box has been running now for several days without issue, I think we can close out this thread now.

Thanks for your help.

kevinf80_1d0ac6

1.1K Posts

June 15th, 2011 02:00

Hi pakachoag

I'm kevinf80 and I will be helping with any issues you may have. Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
Please Print or Save to Notepad all instructions and please follow them carefully and if there's something you don't understand or that will not work please let me know and we will go through it together.
Malware is often buggy and can be very unstable, with that in mind it is advisable to backup any important data before we begin.
If you do not reply within 72 hours the thread will be closed, if you need more time let me know. Likewise if I do not respond within 48 hours feel free to PM me.

* If you are using any cracked software, please remove it. In addition to being illegal, when you install cracked software, you are running executable files from dubious, unknown sources. You are giving these sources access to information on your hard disk, and potential control over operation of your computer. Definition of cracked software HERE

** If you are using any P2P (file sharing) programs, please remove them before we clean your computer. The nature of such software and the high incidence of malware in files downloaded with them is counter productive to restoring your PC to a healthy state. That includes BitTorrent and similar programs. There is a partial list HERE

Please proceed as follows :-

Step 1

We need to upload a file to Jotti

1. Click HERE to get to Jotti's site.

2. At the top of the Jotti window, use the Browse button to locate the following file on your system:

C:\Windows\System32\Winlogon.exe

3. Once you have located the file, click SUBMIT and the content of the file will be uploaded by the site and analysed.

4. Please provide me with the results of the analysis.

Upload same File to Virustotal
Please visit Virustotal

Click the Browse... button
Navigate to the file C:\Windows\System32\Winlogon.exe
Click the Open button
Click the Send button
If you get a message saying File has already been analyzed: click Reanalyze file now
Copy and paste the results back here please.

Step 2

We need to see some additional information about what is happening in your machine.
Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool.
When done, DDS will open two (2) logs 1. DDS.txt
2. Attach.txt
Save both reports to your desktop.
The instructions here ask you to attach the Attach.txt.
Instead of attaching, please copy/past both logs into your next reply.
Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE

Let me see the results from Jotti and VirusTotal, also both logs from DDS.

Kevin..

pakachoag

3 Posts

June 15th, 2011 19:00

Thanks for your help, Kevin.

The logs you requested follow. However, I wanted to note that I had on the 14th also run an MBAM scan which detected and cleaned a number of items (following McAfee scans that had detected nothing). These may have been remnants of a previous trojan infection 2 months ago which I had attempted to clean manually. Should have noted this in my first post.

The winlogon process consuming CPU cycles persists, however. As noted before, disabling McAfee real-time scanning causes the winlogon process to return to "normal" CPU usage.

JOTTI RESULTS:

Filename: winlogon.exe

Status: Scan finished. 0 out of 20 scanners reported malware.

Scan taken on: Thu 16 Jun 2011 02:33:50 (CET)

File size: 507904 bytes

Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

MD5: ed0ef0a136dec83df69f04118870003e

SHA1: f77a7cd78877527023ebfb35e83b75ef59d3df07

VIRUSTOTAL RESULTS:

3 VT Community user(s) with a total of 3241 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.

File name: winlogon.exe

Submission date: 2011-06-16 00:27:25 (UTC)

Current status: queued (#32) queued (#32) analysing finished

Result: 0/ 41 (0.0%)

Antivirus Version Last Update Result

AhnLab-V3 2011.06.16.00 2011.06.15 -

AntiVir 7.11.9.226 2011.06.15 -

Antiy-AVL 2.0.3.7 2011.06.15 -

Avast 4.8.1351.0 2011.06.15 -

Avast5 5.0.677.0 2011.06.15 -

AVG 10.0.0.1190 2011.06.15 -

BitDefender 7.2 2011.06.16 -

CAT-QuickHeal 11.00 2011.06.15 -

ClamAV 0.97.0.0 2011.06.16 -

Commtouch 5.3.2.6 2011.06.15 -

Comodo 9082 2011.06.16 -

DrWeb 5.0.2.03300 2011.06.16 -

eSafe 7.0.17.0 2011.06.15 -

eTrust-Vet 36.1.8389 2011.06.15 -

F-Prot 4.6.2.117 2011.06.15 -

Fortinet 4.2.257.0 2011.06.15 -

GData 22 2011.06.16 -

Ikarus T3.1.1.104.0 2011.06.15 -

Jiangmin 13.0.900 2011.06.15 -

K7AntiVirus 9.106.4812 2011.06.14 -

Kaspersky 9.0.0.837 2011.06.16 -

McAfee 5.400.0.1158 2011.06.16 -

McAfee-GW-Edition 2010.1D 2011.06.16 -

Microsoft 1.6903 2011.06.13 -

NOD32 6212 2011.06.16 -

Norman 6.07.10 2011.06.15 -

nProtect 2011-06-15.02 2011.06.15 -

Panda 10.0.3.5 2011.06.15 -

PCTools 7.0.3.5 2011.06.15 -

Prevx 3.0 2011.06.16 -

Rising 23.62.02.05 2011.06.15 -

Sophos 4.66.0 2011.06.16 -

SUPERAntiSpyware 4.40.0.1006 2011.06.16 -

Symantec 20111.1.0.186 2011.06.16 -

TheHacker 6.7.0.1.230 2011.06.14 -

TrendMicro 9.200.0.1012 2011.06.15 -

TrendMicro-HouseCall 9.200.0.1012 2011.06.16 -

VBA32 3.12.16.1 2011.06.15 -

VIPRE 9593 2011.06.16 -

ViRobot 2011.6.15.4513 2011.06.15 -

VirusBuster 14.0.82.0 2011.06.15 -

Additional information

MD5 : ed0ef0a136dec83df69f04118870003e

SHA1 : f77a7cd78877527023ebfb35e83b75ef59d3df07

SHA256: 45377cb8e9f0120f836fc8261c711f7dbf7199117afb3652ebf100d5f0429b1e

DDS.TXT

DDS (Ver_2011-06-12.02) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by betsey at 21:03:49 on 2011-06-15

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.340 [GMT -4:00]

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\MBAM\mbamservice.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE

C:\Program Files\SiteAdvisor\6172\SiteAdv.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\MBAM\mbamgui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\taskmgr.exe

c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank

uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uWindow Title = Windows Internet Explorer provided by Yahoo!

mDefault_Page_URL = hxxp://www.dell4me.com/myway

mSearch Page =

mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*www.yahoo.com/.../search.html

uURLSearchHooks: H - No File

BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6253\SiteAdv.dll

BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110531175322.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6253\SiteAdv.dll

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background

uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe

mRun: [IgfxTray] c:\windows\system32\igfxtray.exe

mRun: [Lexmark 5200 series] "c:\program files\lexmark 5200 series\lxbtbmgr.exe"

mRun: [LXBTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBTtime.dll,_RunDLLEntry@16

mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver2\LVCOMS.EXE

mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

mRun: [SiteAdvisor] c:\program files\siteadvisor\6172\SiteAdv.exe

mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\mbam\mbamgui.exe" /starttray

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab

DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab

DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 216.195.0.131

TCP: Interfaces\{4AD55A44-A430-4CB2-B50D-E4B6F7733798} : DhcpNameServer = 216.195.0.131

Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll

Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6253\SiteAdv.dll

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-4-30 459728]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-4-30 89368]

R2 MBAMService;MBAMService;c:\program files\mbam\mbamservice.exe [2011-6-14 366640]

R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-4-30 214904]

R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-4-30 214904]

R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-4-30 214904]

R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-4-30 165000]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-4-30 159832]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-4-30 148520]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-4-30 57432]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-6-14 22712]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-4-30 179248]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-4-30 59288]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-4-30 337912]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-4-30 83688]

R3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\LV532AV.SYS [2005-1-15 152576]

S2 Ias;Network Security;c:\windows\system32\svchost.exe -k netsvcs [2002-8-29 14336]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-4-30 83688]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-30 85984]

S3 PCD5SRVC{FBEA8B78-1B22F121-05040000};PCD5SRVC{FBEA8B78-1B22F121-05040000} - PCDR Kernel Mode Service Helper Driver;\??\c:\progra~1\dellsu~2\hwdiag\bin\pcd5srvc.pkms --> c:\progra~1\dellsu~2\hwdiag\bin\PCD5SRVC.pkms [?]

=============== Created Last 30 ================

2011-06-15 02:13:26 -------- d-----w- c:\documents and settings\betsey\application data\Malwarebytes

2011-06-15 02:13:18 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-15 02:13:17 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-06-15 02:13:14 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-15 02:13:14 -------- d-----w- c:\program files\MBAM

2011-06-13 23:17:34 -------- d-----w- c:\windows\system32\XPSViewer

2011-06-13 23:16:28 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll

2011-06-13 23:14:55 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2011-06-13 23:14:55 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

2011-06-13 23:14:55 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2011-06-13 23:14:55 575488 ------w- c:\windows\system32\xpsshhdr.dll

2011-06-13 23:14:55 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll

2011-06-13 23:14:55 117760 ------w- c:\windows\system32\prntvpt.dll

2011-06-13 23:14:53 1676288 ------w- c:\windows\system32\xpssvcs.dll

2011-06-13 23:14:53 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll

2011-06-13 23:14:52 -------- d-----w- C:\2a5f35bd142d5c094838ca

2011-06-13 01:31:03 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-06-13 01:31:03 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-06-13 00:39:44 -------- d-----w- c:\documents and settings\all users\application data\{AB2D8F2E-F7AD-4446-A11A-50D846B2CF2A}

2011-06-12 21:18:24 772904 ----a-w- c:\temp\Mats_Run.winfilefolder.exe

2011-06-12 19:40:10 -------- d-----w- c:\windows\system32\NtmsData

==================== Find3M ====================

============= FINISH: 21:07:09.03 ===============

DDS ATTACH.TXT

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_2011-06-12.02)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume2

Install Date: 1/11/2004 5:02:29 PM

System Uptime: 6/15/2011 8:54:29 PM (1 hours ago)

Motherboard: Dell Computer Corp. | | 0C2425

Processor: Intel(R) Celeron(R) CPU 2.40GHz | Microprocessor | 2392/400mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 37 GiB total, 25.324 GiB free.

D: is CDROM ()

E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX

Adobe Reader 7.1.0

Banctec Service Agreement

BCM V.92 56K Modem

Broadcom Management Programs

Critical Update for Windows Media Player 11 (KB959772)

Dell Networking Guide

DS21Patch

DVDSentry

FinePixViewer Ver.4.2

FUJIFILM USB Driver

Google Earth

Help and Support Customization

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

Hoyle Card Games 2005

ImageMixer VCD2 for FinePix

Intel(R) Extreme Graphics Driver

Internet Explorer Default Page

Java Auto Updater

Java(TM) 6 Update 26

Labtec WebCam

Lexmark 5200 Series

Malwarebytes' Anti-Malware version 1.51.0.1200

McAfee SecurityCenter

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2416447)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Data Access Components KB870669

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Kernel-Mode Driver Framework Feature Pack 1.5

Microsoft National Language Support Downlevel APIs

Microsoft Office 2000 Premium

Microsoft Office PowerPoint Viewer 2003

Microsoft User-Mode Driver Framework Feature Pack 1.0

Modem Helper

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Paint Shop Pro 5.01

PowerDVD

Security Update for Step By Step Interactive Training (KB898458)

Security Update for Step By Step Interactive Training (KB923723)

Security Update for Windows Internet Explorer 7 (KB928090)

Security Update for Windows Internet Explorer 7 (KB929969)

Security Update for Windows Internet Explorer 7 (KB931768)

Security Update for Windows Internet Explorer 7 (KB933566)

Security Update for Windows Internet Explorer 7 (KB937143)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB939653)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 7 (KB969897)

Security Update for Windows Internet Explorer 7 (KB972260)

Security Update for Windows Internet Explorer 7 (KB974455)

Security Update for Windows Internet Explorer 7 (KB976325)

Security Update for Windows Internet Explorer 7 (KB978207)

Security Update for Windows Internet Explorer 8 (KB2183461)

Security Update for Windows Internet Explorer 8 (KB2360131)

Security Update for Windows Internet Explorer 8 (KB2416400)

Security Update for Windows Internet Explorer 8 (KB2482017)

Security Update for Windows Internet Explorer 8 (KB2497640)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB976325)

Security Update for Windows Internet Explorer 8 (KB978207)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows Media Player 9 (KB911565)

Security Update for Windows Media Player 9 (KB917734)

Security Update for Windows Media Player 9 (KB936782)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479628)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485376)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2491683)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

Shockwave

Update for Windows Internet Explorer 7 (KB976749)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows Internet Explorer 8 (KB978506)

Update for Windows Internet Explorer 8 (KB980182)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

WebFldrs XP

Windows Genuine Advantage Notifications (KB905474)

Windows Internet Explorer 7

Windows Internet Explorer 8

Windows Live Sign-in Assistant

Windows Media Format 11 runtime

Windows Media Player 11

Windows PowerShell(TM) 1.0

Windows XP Service Pack 3

WordPerfect Office 11

==== Event Viewer Messages From Past Week ========

6/15/2011 8:43:36 PM, error: Service Control Manager [7031] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

6/14/2011 10:35:22 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 sisagp Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp ViaIde

6/13/2011 5:37:38 PM, error: Service Control Manager [7023] - The Network Security service terminated with the following error: The specified module could not be found.

==== End Of File ===========================

kevinf80_1d0ac6

1.1K Posts

June 16th, 2011 01:00

Can you turn System Restore on and create a restore point A.S.A.P. It is not a good idea to have no restore points in your system....

I don`t see any obvious malware/infection in your logs, the results from Jotti and VirusTotal are not indicating anything wrong with winlgon. The only common denominator is McAfee realtime scanner, you`ve already re-installed McAfee that action made no improvement....

Run the following for a deeper look at your system, you must ensure that all security is turned OFF or this tool will not run.....

Download the GMER Rootkit Scanner. Unzip it to your Desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur

Disable the active protection component of your antivirus and antispyware programs by following the directions that apply here:
Temporarily disable Security

Do not use your computer for anything else during the scan.

Double click GMER.exe.
If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO Then use the following settings for a more complete scan..
In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
  
  Click the image to enlarge it
Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
Save the log where you can easily find it, such as your desktop.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Please copy and paste the report into your Post.

Kevin...

kevinf80_1d0ac6

1.1K Posts

June 20th, 2011 10:00

Since this issue appears to be resolved the topic has been closed. Glad we could help.

Everyone else please begin a New Topic.

The fixes and advice in this thread are for this System only. Do not apply the instructions from this thread to your own System. Please start a new thread describing your issue and someone will be along to assist you.

GregDaw

1 Message

June 23rd, 2011 14:00

I just want to say that I have the same problem with WINLOGIN.exe and McAfee Real Time Scanning causing CPU to go to 100%. Disabling Real Time Scanning allows WINLOGIN to return to normal CPU. Since apparently a MS update has cured the problem for the person Kevin was helping, I will wait a little longer until the next MS update is downloaded and installed and then if necessary will open a new thread.

Greg

View All

No Events found!

Virus & Spyware

Winlogon.exe process thrashing with McAfee real-time scanning - malware infection?

Was this post helpful?