winlogon.exe trying to reach blacklisted site


I'm getting these kinds of events in the Filtered websites list (I've masked out the identifiable data):

hxxp://config.laxmbgaqm.com/config?uid=[XXX]&version=1.1.0.0&source=zl.sild&prod=netutils&rts=[XXX]&cts=[XXX]
hxxp://config.laxmbgaqm.com/update?uid=[XXX]&version=1.1.0.0&source=zl.sild&prod=netutils
hxxp://log.laxmbgaqm.com/log?evt=visit&uid=[XXX]&version=1.1.0.0&source=zl.sild&prod=netutils&ts=[XXX]&checksum=[XXX]&browserlist=iexplore.exe;chrome.exe;chrome.exe;firefox.exe;&seclist=NoneWindows Defender;ESET Internet Security;&defaultbrowser=firefox.exe&uuid2=[XXX]&mjv=10&mnv=0&buidn=[XXX]&arc=x64&rts=[XXX]&chassis=[XXX]

These entries are appearing every minute or so.

Any idea what is causing this? Obviously it looks bad, as it's listing the security apps installed on the device.

ESET did not scan anything fishy in the system otherwise.


12 minutes ago, Marcos said:

Please provide logs gathered by ELC to start off.

Where do I send them? It's pretty big.

EDIT: Also, it contains tons of identifiable information like the whole Windows registry. Definitely not going to post it publicly on the net... is there some secure way to go forward with ESET staff about this?

Edited by snlehton

Did the Eset Filtered Web Sites log show winlogon.exe as the source for these connections?

Using a tool like Process Explorer or Win's Task Manager, did you verify:

1. that only one version of winlogon.exe is running

2. the executing version is the one stored in the Win System32 directory.

3. winlogon.exe is not running as a child process to any other currently executing process.

Edited by itman
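The three checks itman lists, applied to a process snapshot, as an added example that is not code from the thread. The snapshot entries are (pid, parent pid, image path) tuples and both snapshots below are constructed by hand; on a live Windows machine the same tuples come from Process Explorer or from a listing such as `Get-CimInstance Win32_Process` (ProcessId, ParentProcessId, ExecutablePath).

```python
"""Apply the three winlogon.exe checks from the post above to a process snapshot.

Added example, not part of the thread. Snapshot entries are (pid, parent pid,
image path). Both snapshots are constructed; on a live machine fill them from
Process Explorer or Get-CimInstance Win32_Process.
"""
import ntpath

EXPECTED_PATH = r"C:\Windows\System32\winlogon.exe"
# smss.exe creates winlogon.exe and then exits, so a genuine winlogon.exe
# normally has no live parent at all; smss.exe itself is the only acceptable one.
EXPECTED_PARENTS = {"smss.exe"}

# Constructed: what snlehton reported (winlogon.exe with no live parent, children
# fontdrvhost.exe and dwm.exe). Parent pid 612 is deliberately absent.
HEALTHY_SNAPSHOT = [
    (4, 0, "System"),
    (732, 612, r"C:\Windows\System32\winlogon.exe"),
    (900, 732, r"C:\Windows\System32\fontdrvhost.exe"),
    (988, 732, r"C:\Windows\System32\dwm.exe"),
    (2480, 1200, r"C:\Windows\explorer.exe"),
]

# Constructed: a second winlogon.exe running from a user-writable folder and
# spawned by a live explorer.exe, which fails all three checks.
SUSPICIOUS_SNAPSHOT = HEALTHY_SNAPSHOT + [
    (4100, 2480, r"C:\Users\Public\winlogon.exe"),
]


def _image(path):
    """Lower-cased file name of an image path (paths come as Windows paths)."""
    return ntpath.basename(path).lower()


def check_winlogon(snapshot):
    """Return a list of findings; an empty list means all three checks passed."""
    by_pid = {pid: (ppid, path) for pid, ppid, path in snapshot}
    instances = [entry for entry in snapshot if _image(entry[2]) == "winlogon.exe"]
    findings = []

    # 1. only one winlogon.exe is running
    if len(instances) != 1:
        findings.append(f"check 1: expected one winlogon.exe, found {len(instances)}")

    for pid, ppid, path in instances:
        # 2. the executing image is the one in System32 (case-insensitive compare)
        if path.lower() != EXPECTED_PATH.lower():
            findings.append(f"check 2: pid {pid} runs {path}, not {EXPECTED_PATH}")

        # 3. not a child of any currently executing process (other than smss.exe)
        parent = by_pid.get(ppid)
        if parent is not None and _image(parent[1]) not in EXPECTED_PARENTS:
            findings.append(
                f"check 3: pid {pid} is a child of live process "
                f"{_image(parent[1])} (pid {ppid})"
            )
    return findings


if __name__ == "__main__":
    for name, snap in (("healthy", HEALTHY_SNAPSHOT), ("suspicious", SUSPICIOUS_SNAPSHOT)):
        print(name, "->", check_winlogon(snap) or "all checks passed")
```

Check 1 assumes a single interactive session: with Remote Desktop or fast user switching Windows runs one winlogon.exe per session, so count per session rather than per machine. Check 2 only compares the path; a practitioner would also confirm the image's digital signature in Process Explorer, which the three checks above do not cover.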

  • Administrators

You can upload the archive generated by ELC to OneDrive, Dropbox, etc. and drop me a private message with a download link. You can unselect Registry dump prior to gathering logs to make the archive smaller.


I'm having the same problem. But I'm getting those notifications every 10-15 seconds. My Google Chrome is also no longer usable, it can maybe load a page but then asks to kill the page and crashes.  


  • Administrators
1 minute ago, AMP said:

I'm having the same problem. But I'm getting those notifications every 10-15 seconds. My Google Chrome is also no longer usable, it can maybe load a page but then asks to kill the page and crashes.  

Please follow the instructions above and provide me with an archive generated by ELC.


4 hours ago, itman said:

Did the Eset Filtered Web Sites log show winlogon.exe as the source for these connections?

Using a tool like Process Explorer or Win's Task Manager, did you verify:

1. that only one version of winlogon.exe is running

2. the executing version is the one stored in the Win System32 directory.

3. winlogon.exe is not running as a child process to any other currently executing process.

1. & 2. Yes. The file was C:\Windows\System32\winlogon.exe, and I verified it with Process Explorer

3. The winlogon.exe had no parents, but two children: fontdrvhost.exe and dwm.exe

Incidentally, I needed to restore to an older system restore point because I messed up the ESET HIPS settings and the whole computer became unusably slow.

After the system restore the problem had disappeared. At least for now...


  • Administrators

@snlehton This was most likely caused by the driver c:\windows\system32\drivers\netutils2016.sys. It's a legitimate driver; however, to the best of my knowledge it can load a malicious configuration. Renaming it or moving it to a different folder in safe mode would have resolved the issue.



Some background info on netutils2016.sys: https://www.bleepingcomputer.com/startups/NetUtils2016.sys-29088.html

I would state that anything that installs a kernel mode driver and proceeds to make outbound connections from winlogon.exe is very far removed from the Adware category.

Edited by itman

netutils2016.sys and netutils2016.dll were still present after the system restore; I removed them in safe mode. The problem seems to have disappeared.

I have no idea where that driver came from. I haven't installed anything on the machine except software from reliable sources. Will keep a close eye on it for now.

Edited by snlehton

10 hours ago, snlehton said:

netutils2016.sys and netutils2016.dll were still present after the system restore; I removed them in safe mode. The problem seems to have disappeared.

I have no idea where that driver came from. I haven't installed anything on the machine except software from reliable sources. Will keep a close eye on it for now.

I'm still having issues removing it in safe mode. I boot up in safe mode and when I try to remove the files I get a "try again later" window because the program is running in the background. Am I doing something wrong? Please advise.


  • Administrators
8 minutes ago, AMP said:

I'm still having issues removing it in safe mode. I boot up in safe mode and when I try to remove the files I get a "try again later" window because the program is running in the background. Am I doing something wrong? Please advise.

Try renaming the file or moving it to a different folder, e.g. c:\malware.


I am also facing another issue: the Windows login screen shows that I cannot log in unless I use the Microsoft password, and I cannot use the PIN, as the system had been off for hours or so... I think something is messing up the Microsoft log-in itself; my OneNote also does not work, and I don't know the cause.


Hi, I am having the same/similar problem.

Chrome is unusable.

This is the message I am getting in the log files. I can send the log file.

Time;URL;Status;Application;User;IP address;SHA1
1/05/2018 3:40:31 PM;hxxp://config.laxmbgaqm.com/config?uid=S1DHNSAFD05099A322653D&version=1.1.0.0&source=zl.sild&prod=netutils&rts=5ae67fb6&cts=5ae7e1af;Blocked by internal blacklist;C:\Windows\System32\winlogon.exe;NT AUTHORITY\SYSTEM;138.68.224.30;82A13B88273898E62B6A5DB540A9C1CB1672A001

Is this solution posted above the default solution we should all try? 

Has anyone got a fix yet? Not super computer fluent so unsure. 


Cheers

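One way to triage the exported log format shown in the post above (Time;URL;Status;Application;User;IP address;SHA1), as an added example that is not ESET's code or anything posted in the thread. The sample export it parses is constructed to mirror the entries quoted here, with identifiers replaced by [XXX]/[SHA1] placeholders and documentation IP addresses; the host names and query keys are the ones from the thread. The point worth seeing is that the beacon URL itself contains ';' (in browserlist and seclist), so a plain split on the separator produces the wrong number of columns.

```python
"""Triage an ESET "Filtered websites" export for web requests made by Windows
system processes, and decode what the blocked beacon reports about the host.

Added example, not ESET's code. SAMPLE_LOG is constructed to match the
';'-separated export quoted in the thread; [XXX] and [SHA1] are placeholders
and the IP addresses are RFC 5737 documentation addresses.
"""
import ntpath
from urllib.parse import urlsplit, unquote

COLUMNS = ["Time", "URL", "Status", "Application", "User", "IP address", "SHA1"]
# System processes that have no business contacting web hosts on their own.
SYSTEM_IMAGES = {"winlogon.exe", "lsass.exe", "csrss.exe", "services.exe", "smss.exe"}
# Query keys the beacon uses to report the host's browsers and security products.
RECON_KEYS = ("seclist", "browserlist", "defaultbrowser", "arc", "prod", "version")

SAMPLE_LOG = r"""Time;URL;Status;Application;User;IP address;SHA1
1/05/2018 3:40:31 PM;hxxp://config.laxmbgaqm.com/config?uid=[XXX]&version=1.1.0.0&source=zl.sild&prod=netutils&rts=[XXX]&cts=[XXX];Blocked by internal blacklist;C:\Windows\System32\winlogon.exe;NT AUTHORITY\SYSTEM;192.0.2.10;[SHA1]
1/05/2018 3:41:02 PM;hxxp://log.laxmbgaqm.com/log?evt=visit&uid=[XXX]&version=1.1.0.0&source=zl.sild&prod=netutils&browserlist=iexplore.exe;chrome.exe;firefox.exe;&seclist=Windows Defender;ESET Internet Security;&defaultbrowser=firefox.exe&arc=x64;Blocked by internal blacklist;C:\Windows\System32\winlogon.exe;NT AUTHORITY\SYSTEM;192.0.2.10;[SHA1]
1/05/2018 3:45:10 PM;hxxp://ads.example.invalid/track;Blocked by internal blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;DESKTOP-PC\user;198.51.100.7;[SHA1]
"""


def parse_filtered_websites(text):
    """Split each line into the seven columns.

    The URL column may itself contain ';' (the beacon's browserlist and seclist
    values do), so take the first column and the last five positionally and
    re-join whatever is left in between as the URL.
    """
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Time;"):
            continue  # skip blank lines and the header
        parts = line.split(";")
        if len(parts) < len(COLUMNS):
            raise ValueError(f"malformed line: {line!r}")
        fields = [parts[0], ";".join(parts[1:-5])] + parts[-5:]
        records.append(dict(zip(COLUMNS, fields)))
    return records


def query_params(url):
    """Decode the query string by hand; parse_qs treats ';' differently across
    Python versions and would cut the list-valued parameters apart."""
    params = {}
    for pair in urlsplit(url).query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def triage(records):
    """Return one finding per record whose Application is a system process,
    with the host contacted and the recon fields the beacon carried."""
    findings = []
    for rec in records:
        if ntpath.basename(rec["Application"]).lower() not in SYSTEM_IMAGES:
            continue
        params = query_params(rec["URL"])
        # list-valued keys are ';'-separated with a trailing ';'
        recon = {k: [v for v in params[k].split(";") if v] for k in RECON_KEYS if k in params}
        findings.append({
            "time": rec["Time"],
            "host": urlsplit(rec["URL"]).hostname,
            "application": rec["Application"],
            "user": rec["User"],
            "status": rec["Status"],
            "recon": recon,
        })
    return findings


if __name__ == "__main__":
    for f in triage(parse_filtered_websites(SAMPLE_LOG)):
        print(f"{f['time']}  {f['application']} ({f['user']}) -> {f['host']}  {f['recon']}")
```

The output makes the original poster's concern concrete: the log endpoint receives the installed security products and browsers, and the requests come from winlogon.exe under NT AUTHORITY\SYSTEM, which is the combination worth escalating rather than treating as an ordinary blocked ad. The parser assumes the export does not quote the URL field; if yours does, `csv.reader(delimiter=";")` handles it without the positional trick.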

I do not have any problems related to losing my passwords; the only thing is that when a person relies on an anti-virus for deleting the viruses, it's ridiculous when such things happen and you order the customer to delete the virus by himself/herself. Shouldn't a signature update be included when such a problem keeps happening in the short term for multiple customers?


19 minutes ago, se_ebrahim said:

I do not have any problems related to losing my passwords; the only thing is that when a person relies on an anti-virus for deleting the viruses, it's ridiculous when such things happen and you order the customer to delete the virus by himself/herself. Shouldn't a signature update be included when such a problem keeps happening in the short term for multiple customers?

I agree. Even if the malware isn't malicious (reading files, keylogger, ransomware etc.), I'd really, really appreciate virus software telling me that there is something in my system that I probably didn't intend to have there in the first place.

I have paid for ESET to have a peace of mind when it comes to viruses and other malicious attacks, and having something like this _not_ detected by ESET simply is quite disappointing and leaves me thinking what else it is missing.

