Archived

This topic is now archived and is closed to further replies.

snlehton

winlogon.exe trying to reach blacklisted site

Recommended Posts

I'm getting these kinds of events in the Filtered websites list (I've masked out the identifiable data):

hxxp://config.laxmbgaqm.com/config?uid=[XXX]&version=1.1.0.0&source=zl.sild&prod=netutils&rts=[XXX]&cts=[XXX]
hxxp://config.laxmbgaqm.com/update?uid=[XXX]&version=1.1.0.0&source=zl.sild&prod=netutils
hxxp://log.laxmbgaqm.com/log?evt=visit&uid=[XXX]&version=1.1.0.0&source=zl.sild&prod=netutils&ts=[XXX]&checksum=[XXX]&browserlist=iexplore.exe;chrome.exe;chrome.exe;firefox.exe;&seclist=NoneWindows Defender;ESET Internet Security;&defaultbrowser=firefox.exe&uuid2=[XXX]&mjv=10&mnv=0&buidn=[XXX]&arc=x64&rts=[XXX]&chassis=[XXX]

These entries are appearing every minute or so.

Any idea what is causing this? Obviously it looks bad, as it's listing the security apps installed on the device.

ESET's scan did not find anything fishy in the system otherwise.

Please provide logs gathered by ELC to start off.

12 minutes ago, Marcos said:

Please provide logs gathered by ELC to start off.

Where do I send them? It's pretty big.

EDIT: Also, it contains tons of identifiable information, like the whole Windows registry. Definitely not going to post it publicly on the net... is there some secure way to go forward with ESET staff about this?


Did the Eset Filtered Web Sites log show winlogon.exe as the source for these connections?

Using a tool like Process Explorer or Win's Task Manager, did you verify:

1. that only one instance of winlogon.exe is running;

2. that the executing version is the one stored in the Win System32 directory;

3. that winlogon.exe is not running as a child process of any other currently executing process.

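The three checks itman asks for, scripted for an elevated PowerShell prompt. This is an added example, not something posted in the thread; it relies only on the Win32_Process class and Get-AuthenticodeSignature, and assumes nothing about the affected machine beyond winlogon.exe living in System32.

```powershell
# Added example (not from the thread): run itman's three winlogon.exe checks from elevated PowerShell.
# Win32_Process exposes ExecutablePath and ParentProcessId, which Get-Process alone does not,
# and ExecutablePath for SYSTEM processes is only readable when elevated.

$expected  = Join-Path $env:SystemRoot 'System32\winlogon.exe'
$instances = @(Get-CimInstance Win32_Process -Filter "Name = 'winlogon.exe'")

# Check 1: instance count. One per interactive session is normal, so a second RDP or
# fast-user-switching session legitimately adds a second winlogon.exe.
Write-Host ("winlogon.exe instances running: {0}" -f $instances.Count)

foreach ($p in $instances) {
    # Check 2: the image on disk is the System32 copy, and it carries a valid Microsoft signature.
    $pathOk = [bool]$p.ExecutablePath -and ($p.ExecutablePath -ieq $expected)
    $sig    = if ($p.ExecutablePath) { Get-AuthenticodeSignature -FilePath $p.ExecutablePath } else { $null }

    # Check 3: parent. The genuine winlogon.exe is started by a per-session smss.exe that exits right
    # after spawning it, so ParentProcessId normally points at a PID that no longer exists. If it does
    # resolve, make sure it is not just PID reuse by comparing creation times.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)" -ErrorAction SilentlyContinue
    $parentName = if (-not $parent) { '<exited>' }
                  elseif ($parent.CreationDate -gt $p.CreationDate) { "<reused PID, now $($parent.Name)>" }
                  else { $parent.Name }

    # Children: fontdrvhost.exe, dwm.exe and userinit.exe are the expected ones; anything else is worth a look.
    $children = @(Get-CimInstance Win32_Process -Filter "ParentProcessId = $($p.ProcessId)")

    [pscustomobject]@{
        PID                 = $p.ProcessId
        Path                = $p.ExecutablePath
        PathMatchesSystem32 = $pathOk
        Signature           = if ($sig) { $sig.Status } else { 'n/a' }
        Signer              = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
        ParentPID           = $p.ParentProcessId
        Parent              = $parentName
        Children            = ($children.Name -join ', ')
    }
}
```

A clean result here, as snlehton got, does not clear the process: it means the image is the real file and nothing replaced it, so whatever is making the requests has been loaded into that process (or is acting in its name from kernel mode), which is exactly where the thread ends up.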

You can upload the archive generated by ELC to OneDrive, Dropbox, etc. and drop me a private message with a download link. You can unselect Registry dump prior to gathering logs to make the archive smaller.


I'm having the same problem. But I'm getting those notifications every 10-15 seconds. My Google Chrome is also no longer usable; it can maybe load a page but then asks to kill the page and crashes.

1 minute ago, AMP said:

I'm having the same problem. But I'm getting those notifications every 10-15 seconds. My Google Chrome is also no longer usable; it can maybe load a page but then asks to kill the page and crashes.

Please follow the instructions above and provide me with an archive generated by ELC.


The very same problem persists on my Windows too. No solution yet?

4 hours ago, itman said:

Did the Eset Filtered Web Sites log show winlogon.exe as the source for these connections?

Using a tool like Process Explorer or Win's Task Manager, did you verify:

1. that only one instance of winlogon.exe is running;

2. that the executing version is the one stored in the Win System32 directory;

3. that winlogon.exe is not running as a child process of any other currently executing process.

1. & 2. Yes. The file was C:\Windows\System32\winlogon.exe, and I verified it with Process Explorer.

3. The winlogon.exe had no parent, but two children: fontdrvhost.exe and dwm.exe.

Incidentally I needed to restore to an older system restore point because I messed ESET HIPS settings and whole computer became unusable slow.

After the system restore the problem had disappeared. At least for now...


@snlehton This was most likely caused by the driver c:\windows\system32\drivers\netutils2016.sys. It's a legitimate driver, however, to my best knowledge it can load malicious configuration. Renaming it or moving it to a different folder in safe mode would have resolved the issue.


netutils2016.sys and netutils2016.dll were still present after the system restore; I removed them in safe mode. The problem seems to have disappeared.

I have no idea where that driver came from. I haven't installed anything on the machine except software from reliable sources. Will keep close eye on it for now.

10 hours ago, snlehton said:

netutils2016.sys and netutils2016.dll were still present after the system restore; I removed them in safe mode. The problem seems to have disappeared.

I have no idea where that driver came from. I haven't installed anything on the machine except software from reliable sources. Will keep close eye on it for now.

I'm still having issues removing it in safe mode. I boot up in safe mode and when I try to remove the files I get a "try again later" window because the program is running in the background. Am I doing something wrong? Please advise.

8 minutes ago, AMP said:

I'm still having issues removing it in safe mode. I boot up in safe mode and when I try to remove the files I get a "try again later" window because the program is running in the background. Am I doing something wrong? Please advise.

Try renaming the file or moving it to a different folder, e.g. c:\malware.

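Marcos names the driver and suggests renaming or moving it from safe mode; AMP finds the files locked in normal mode. The script below, added here as an example and not posted by anyone in the thread, ties those steps together: it finds the two files Marcos and snlehton mention, records their hashes and signature status, looks up the service entry that loads the driver, and stages the move to the C:\malware folder Marcos suggested. The file names and that folder come from the thread; the idea of disabling the service entry first so the driver is not loaded on the next boot is my addition. The destructive steps run with -WhatIf so nothing changes until you remove that switch.

```powershell
# Added example (not from the thread): locate netutils2016.sys / netutils2016.dll, record what they are,
# find the service that loads the driver, and stage moving them out of the way. Run elevated.
$names = 'netutils2016.sys', 'netutils2016.dll'
$roots = (Join-Path $env:SystemRoot 'System32\drivers'),
         (Join-Path $env:SystemRoot 'System32'),
         (Join-Path $env:SystemRoot 'SysWOW64')

# Step 1: which of the files exist, and what do they look like. Keep the hashes: ESET (or anyone
# analysing the ELC archive) can match them against what they know.
$found = foreach ($r in $roots) {
    foreach ($n in $names) {
        $candidate = Join-Path $r $n
        if (Test-Path -LiteralPath $candidate) { Get-Item -LiteralPath $candidate }
    }
}
foreach ($f in $found) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path      = $f.FullName
        Size      = $f.Length
        Created   = $f.CreationTime      # a creation time well after your last install is a clue to how it arrived
        SHA256    = (Get-FileHash -Algorithm SHA256 -Path $f.FullName).Hash
        SigStatus = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
    }
}

# Step 2: a kernel driver is loaded through a service entry; find the one whose ImagePath references it.
$services = @(Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($props.ImagePath -match 'netutils2016') {
        # Start: 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled
        [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $props.ImagePath; Start = $props.Start }
    }
})
$services | Format-Table -AutoSize

# Is it loaded right now? A loaded driver keeps its file open, which is the "try again later" AMP hit.
Get-CimInstance Win32_SystemDriver -Filter "Name LIKE 'netutils%'" |
    Select-Object Name, PathName, State, StartMode

# Step 3 (remove -WhatIf to apply): disable the service so the driver does not load on the next boot,
# then, from safe mode where the file is no longer held open, move the files out of the driver
# directory rather than deleting them, so they stay available for analysis.
$quarantine = 'C:\malware'
foreach ($s in $services) {
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($s.Service)" -Name Start -Value 4 -WhatIf
}
New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
foreach ($f in $found) { Move-Item -LiteralPath $f.FullName -Destination $quarantine -WhatIf }
```

Note that disabling the service is what stops the driver coming back on the next boot; moving the file alone, as snlehton did, works because a missing image fails to load, but the service entry then stays behind as a dangling pointer that a later reinstall could fill again.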

I am also facing another issue: the Windows login screen says I cannot log in unless I use the Microsoft password, and I cannot use the PIN, as the system had been off for hours or so... I think something is messing with the Microsoft login itself; my OneNote also does not work, and I don't know the cause.


Hi, I am having the same/similar problem.

Chrome is unusable.

This is the message I am getting in the log files. I can send the log file.

Time;URL;Status;Application;User;IP address;SHA1
1/05/2018 3:40:31 PM;hxxp://config.laxmbgaqm.com/config?uid=S1DHNSAFD05099A322653D&version=1.1.0.0&source=zl.sild&prod=netutils&rts=5ae67fb6&cts=5ae7e1af;Blocked by internal blacklist;C:\Windows\System32\winlogon.exe;NT AUTHORITY\SYSTEM;138.68.224.30;82A13B88273898E62B6A5DB540A9C1CB1672A001

Is the solution posted above the default solution we should all try?

Has anyone got a fix yet? Not super computer fluent so unsure. 


Cheers

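The post above shows the column layout of an exported Filtered websites log (Time;URL;Status;Application;User;IP address;SHA1). The script below is an added triage example, not code from the thread or from ESET: it parses that layout, flags blocked requests made by a System32 binary running as SYSTEM, pulls the beacon host and query keys out of the URL, counts hits per host, and compares the logged SHA1 with the winlogon.exe on disk. The header row is the one from the post; the three data rows are constructed for the example (the first two mirror the posters' entries with the uid masked, the third is an ordinary browser hit for contrast, and its IP and hash are placeholders).

```powershell
# Added example (not from the thread): triage an ESET "Filtered websites" export.
# Header from the post; data rows constructed for the example.
$logText = @'
Time;URL;Status;Application;User;IP address;SHA1
1/05/2018 3:40:31 PM;hxxp://config.laxmbgaqm.com/config?uid=[XXX]&version=1.1.0.0&source=zl.sild&prod=netutils&rts=[XXX]&cts=[XXX];Blocked by internal blacklist;C:\Windows\System32\winlogon.exe;NT AUTHORITY\SYSTEM;138.68.224.30;82A13B88273898E62B6A5DB540A9C1CB1672A001
1/05/2018 3:41:31 PM;hxxp://log.laxmbgaqm.com/log?evt=visit&uid=[XXX]&version=1.1.0.0&source=zl.sild&prod=netutils&ts=[XXX];Blocked by internal blacklist;C:\Windows\System32\winlogon.exe;NT AUTHORITY\SYSTEM;138.68.224.30;82A13B88273898E62B6A5DB540A9C1CB1672A001
1/05/2018 3:42:05 PM;hxxp://ads.example.test/track?id=1;Blocked by internal blacklist;C:\Program Files\Google\Chrome\Application\chrome.exe;DESKTOP\user;198.51.100.7;0000000000000000000000000000000000000000
'@

$entries = $logText | ConvertFrom-Csv -Delimiter ';'

# The thread defangs URLs as hxxp; turn them back into something [uri] can parse.
function Get-LogUri([string]$Url) { [uri]($Url -replace '^hxxp', 'http') }

# Rule: a Windows system binary running as SYSTEM has no business talking HTTP to arbitrary hosts.
# A browser being blocked is routine; winlogon.exe being blocked is the signal.
$suspicious = @($entries | Where-Object {
    $_.Application -like 'C:\Windows\System32\*' -and $_.User -eq 'NT AUTHORITY\SYSTEM'
})

# What the beacon sends: host, path and the parameter names (values are masked in the thread anyway).
$suspicious | ForEach-Object {
    $u = Get-LogUri $_.URL
    [pscustomobject]@{
        Time   = $_.Time
        Host   = $u.Host
        Path   = $u.AbsolutePath
        Params = (($u.Query.TrimStart('?') -split '&') | ForEach-Object { ($_ -split '=', 2)[0] }) -join ','
        App    = Split-Path $_.Application -Leaf
        IP     = $_.'IP address'
    }
} | Format-Table -AutoSize

# Beacon cadence: the posters saw a hit every minute, or every 10-15 seconds. Count per host.
$suspicious | Group-Object { (Get-LogUri $_.URL).Host } |
    Select-Object @{n='Host';e={$_.Name}}, Count | Format-Table -AutoSize

# On the affected machine: does the SHA1 ESET logged match the file in System32? A match means the
# process image is the genuine winlogon.exe and something else is generating traffic in its context
# (this thread ended at a driver); a mismatch means a different binary is running under that name.
$onDisk = Get-FileHash -Algorithm SHA1 -Path 'C:\Windows\System32\winlogon.exe' -ErrorAction SilentlyContinue
if ($onDisk) {
    $suspicious | Select-Object -ExpandProperty SHA1 -Unique | ForEach-Object {
        if ($_ -eq $onDisk.Hash) { "$_ matches the on-disk winlogon.exe" }
        else                     { "$_ does NOT match the on-disk winlogon.exe ($($onDisk.Hash))" }
    }
}
```

To run it against your own export instead of the embedded rows, replace the here-string with `Get-Content -Raw` on the exported file; the rest is unchanged.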

I do not have any problems related to losing my passwords. The only thing is that when a person relies on an antivirus to delete viruses, it's ridiculous when such things happen and you tell the customer to delete the virus themselves. Shouldn't a signature update be included when such a problem keeps happening in the short term for multiple customers?

19 minutes ago, se_ebrahim said:

I do not have any problems related to losing my passwords. The only thing is that when a person relies on an antivirus to delete viruses, it's ridiculous when such things happen and you tell the customer to delete the virus themselves. Shouldn't a signature update be included when such a problem keeps happening in the short term for multiple customers?

I agree. Even if the malware isn't malicious (reading files, keylogger, ransomware, etc.), I'd really, really appreciate the antivirus software telling me that there is something in my system that I probably didn't intend to have there in the first place.

I have paid for ESET to have peace of mind when it comes to viruses and other malicious attacks, and having something like this _not_ detected by ESET is simply quite disappointing and leaves me wondering what else it is missing.
