XP's Winlogon.exe and Rundll32.exe infected?


DJ

Since using Acronis True Image to create an image of an XP partition,
and restoring it to a new, larger, partition, a friend's PC has been
experiencing a problem that was manifesting as a network buffer
overflow that disables Internet Access, requiring a reboot. (I've been
told the actual error is 'WSAENOBUFS (10055) No buffer space
available')

The PC's running XP Home, that was patched to SP2 and all subsequent
updates some time before I performed the above procedure, so I doubt
the problem's been caused by any updates. As far as I know, no
software was installed AFTER the imaging. Furthermore, Kerio Firewall
has been installed for some time, and no changes have been made to
its rules recently. The PC is directly connected to a Cable Modem,
and is connected by another NIC to one other PC, providing Internet
access to this second PC via ICS. The XP firewall is disabled.

It seems that XP is reaching its default limit of 5000 ports, because
C:\Windows\System32\rundll32.exe and C:\Windows\System32\winlogon.exe
are repeatedly trying to connect to the Internet, specifically:
TCP Connection to h-213.61.6.3.host.de.colt.net [213.61.6.3:80]
TCP Connection to hosting-68.76.rev.fr.colt.net [213.41.76.68:80]
TCP Connection to 4.78.20.4:80
TCP Connection to 208.185.54.9.speedera.com [208.185.54.9:80]

because both these processes are blocked from (or more accurately, not
permitted to) access the Internet, each time they fail they increase
the port number and try again until the 5000 limit is reached.

I'm running XP Pro SP2 on my own PC, and neither of these processes
are attempting to access the Internet.

As I understand it, both of these exe's are integral parts of XP, and
it's whatever's calling them that's the problem. I've got Norton
Antivirus, and Microsoft Spyware running and I've scanned the drives
with AntiVir but they've found nothing. I've stopped or disabled as
many services as I can, and done the same with msconfig to prune the
programs that run on startup but both these processes are still
loading at boot.

I can shutdown the RunDLL32.exe using Task Manager, but not
WinLogon.exe as it's a 'critical system process'

For now, I've just left Kerio Firewall blocking and logging these
exe's attempts to access the Internet, and increased the number of
ports to 65534, but I'd like to find a more permanent solution,
because even with this higher limit, eventually it will be reached
requiring a reboot.

DJ
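The symptom described above (a process that keeps failing to connect, burning a fresh ephemeral port on every retry until MaxUserPort is hit and Winsock returns 10055) can be confirmed from a `netstat -ano` capture without any third-party tool. The following is an added example, not code from the thread or from either poster: it parses netstat output, groups connections by PID, counts how many ephemeral ports each PID holds and which remote endpoints it keeps retrying, and estimates the remaining headroom below MaxUserPort. The sample rows are constructed (PID numbers, local address and the browser PID are assumed); the four remote addresses are the ones listed in the post.

```python
import re
from collections import defaultdict

# XP's default ephemeral range is 1025..MaxUserPort, and MaxUserPort defaults
# to 5000 unless raised in the registry (the thread raised it to 65534).
EPHEMERAL_FIRST = 1025
MAX_USER_PORT_DEFAULT = 5000

# One `netstat -ano` row: Proto, Local Address, Foreign Address, [State], PID.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)\s+(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)

# Constructed sample output (assumed values, not captured from the thread's PC).
# PID 1004 keeps retrying the four web servers from the post; 2468 stands in for
# a normal browser; the LISTENING and UDP rows exercise the parser's filters.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       936
  TCP    192.168.0.2:4981       213.61.6.3:80          SYN_SENT        1004
  TCP    192.168.0.2:4982       213.41.76.68:80        SYN_SENT        1004
  TCP    192.168.0.2:4983       4.78.20.4:80           SYN_SENT        1004
  TCP    192.168.0.2:4984       208.185.54.9:80        SYN_SENT        1004
  TCP    192.168.0.2:4985       213.61.6.3:80          SYN_SENT        1004
  TCP    192.168.0.2:4986       213.41.76.68:80        SYN_SENT        1004
  TCP    192.168.0.2:4987       4.78.20.4:80           SYN_SENT        1004
  TCP    192.168.0.2:4988       208.185.54.9:80        SYN_SENT        1004
  TCP    192.168.0.2:4989       64.233.167.99:80       ESTABLISHED     2468
  TCP    192.168.0.2:4990       64.233.167.99:80       TIME_WAIT       2468
  UDP    0.0.0.0:445            *:*                                    4
"""


def parse_netstat(text):
    """Parse `netstat -ano` rows into dicts; header and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["lport"] = int(d["lport"])
            d["pid"] = int(d["pid"])
            rows.append(d)
    return rows


def port_churn_by_pid(rows, max_user_port=MAX_USER_PORT_DEFAULT):
    """Per PID: distinct ephemeral TCP ports held, how many of those sockets are
    not ESTABLISHED, and which remote endpoints appear more than once (retries)."""
    by_pid = defaultdict(list)
    for r in rows:
        if r["proto"] == "TCP" and EPHEMERAL_FIRST <= r["lport"] <= max_user_port:
            by_pid[r["pid"]].append(r)
    report = {}
    for pid, conns in by_pid.items():
        not_established = [c for c in conns if c["state"] != "ESTABLISHED"]
        remotes = defaultdict(int)
        for c in not_established:
            remotes[f"{c['raddr']}:{c['rport']}"] += 1
        report[pid] = {
            "ports_held": len({c["lport"] for c in conns}),
            "not_established": len(not_established),
            "retried_remotes": {k: v for k, v in remotes.items() if v > 1},
        }
    return report


def ephemeral_headroom(rows, max_user_port=MAX_USER_PORT_DEFAULT):
    """XP hands out ephemeral ports sequentially, so the highest one in use is a
    rough gauge of how close the box is to WSAENOBUFS (10055)."""
    used = [r["lport"] for r in rows if EPHEMERAL_FIRST <= r["lport"] <= max_user_port]
    return max_user_port - max(used) if used else max_user_port - EPHEMERAL_FIRST + 1


def suspects(report, min_pending=5):
    """PIDs with several non-established sockets that keep retrying the same remotes."""
    return sorted(pid for pid, r in report.items()
                  if r["not_established"] >= min_pending and r["retried_remotes"])


def main():
    rows = parse_netstat(SAMPLE_NETSTAT)
    report = port_churn_by_pid(rows)
    print("ephemeral headroom below MaxUserPort:", ephemeral_headroom(rows))
    for pid, r in sorted(report.items()):
        print(pid, r)
    print("suspect PIDs:", suspects(report))


if __name__ == "__main__":
    main()
```

On the affected box, `netstat -ano > netstat.txt` and `tasklist` (both present on XP) give the input and the PID-to-image mapping; feed the file to `parse_netstat` instead of the constructed sample. A PID that shows up in `suspects` while the headroom keeps shrinking between two captures is the one to chase with Process Explorer.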
 

Duane Arnold

It seems that XP is reaching its default limit of 5000 ports, because
C:\Windows\System32\rundll32.exe and C:\Windows\System32\winlogon.exe
are repeatedly trying to connect to the Internet, specifically:
TCP Connection to h-213.61.6.3.host.de.colt.net [213.61.6.3:80]
TCP Connection to hosting-68.76.rev.fr.colt.net [213.41.76.68:80]
TCP Connection to 4.78.20.4:80
TCP Connection to 208.185.54.9.speedera.com [208.185.54.9:80]

because both these processes are blocked from (or more accurately, not
permitted to) access the Internet, each time they fail they increase
the port number and try again until the 5000 limit is reached.

Just because those programs/processes are attempting to access the Internet
doesn't mean they are the ones who are making the original requests to
access the Internet. Malware can use programs such as those as a host.

You can use Process Explorer and look inside the programs/processes running
on the XP Home machine as opposed to the same ones running on the XP Pro,
since those are the same programs on both O/S(s). Maybe, you'll spot
something with PE that's running on the Home that's not running on the Pro.

Use PE menu View and Show Lower Pane and Show all Dll(s) and it will show
every program that is using a program/process.

You can right-click a running process in the upper pane or a program in the lower
pane and select Properties and PE will tell you everything about the
running process in the upper pane or program in the lower pane.

Process Explorer is (free).

http://tinyurl.com/klw1
 

DJ

Just because those programs/processes are attempting to access the Internet
doesn't mean they are the ones who are making the original requests to
access the Internet. Malware can use programs such as those as a host.

Yeah, this is what I understood.

You can use Process Explorer and look inside the programs/processes running
on the XP Home machine as opposed to the same ones running on the XP Pro,
since those are the same programs on both O/S(s). Maybe, you'll spot
something with PE that's running on the Home that's not running on the Pro.

Thanks for the tip about PE. I'll try it and see if I can find out
what's going on and have a good read of that webpage you linked as
well. I'd tried Security Task Manager www.neuber.com/taskmanager
and not found anything, but I may just not know how to use it!
 

DJ

By using Process Explorer and comparing what it shows on the dodgy XP
Home PC with what it shows on my XP Pro PC I suspect that alg.exe has
been infected for the following reasons:

1) On my XP Pro PC, highlighting alg.exe in the upper pane, results in
the lower pane showing numerous DLLs. On the XP Home PC, the lower
pane is empty when alg.exe is highlighted.

2) On my XP Pro PC, PE shows alg.exe as:
ALG.EXE 1944 Application Layer Gateway Service Microsoft
Corporation

On the XP Home PC, PE shows alg.exe as:
alg.exe 1004

3) On the XP Home PC, if I right-click on alg.exe and click on
properties, on the Image tab of the screen, the Path box shows 'Not
available' and the Verify button is grayed out. On My XP Pro PC the
Path box shows 'C:\WINDOWS\system32\alg.exe' and the Verify button
works.

4) On the XP Home PC, alg.exe is found in C:\WINDOWS\system32 and
C:\WINDOWS\SP2 Files\i386, and they are both 44kb, whereas on my XP
Pro PC the latter only contains alg.ex_ which is 18kb (i.e. compressed)
and a 44kb alg.exe is also present in C:\WINDOWS\system32\dllcache .

Some other observations:

Checking the properties of alg.exe in \System32 on the XP Home PC,
shows that it is 43.5Kb, it was last modified on 04 August 2004 and
its version 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158). The alg.exe on
my XP Pro PC has exactly the same properties.

Stopping the ALG service on the XP Home PC makes alg.exe disappear
from PE. However RunDLL32.exe is still running, so I will have to
disable the ALG service and then reboot and see if RunDLL32.exe still
loads. If not, it must be the dodgy alg.exe that is calling it, but if
it still loads, something else must be calling it.

It's a bit worrying that neither Norton nor Microsoft Anti-Spyware pick
up on this. Even if I replace alg.exe and rundll32.exe with known
clean copies, I guess there could still be other dodgy files lurking
on the drive, even if the original culprit is no longer present. Thank
god for Kerio Firewall is all I can say!
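The comparison method used in the post above (a clean XP Pro box as the baseline, the XP Home box as the suspect, and Process Explorer's description, company, image path, Verify button and DLL list as the indicators) can be turned into a repeatable check once both inventories are written down. The following is an added example, not the poster's or Sysinternals' code: it diffs two Process Explorer-style inventories and flags exactly those indicators, and it hashes the copies of a system binary that XP keeps in system32, dllcache and the SP2 Files folder against one reference copy, because a matching size, date and version string (as observed in the post) does not by itself show that the bytes match. Both inventories and the file contents are constructed stand-ins with assumed values; the DLL names and svchost.exe entry are illustrative, and the byte-different copy exists only to exercise the check.

```python
import hashlib

# Constructed Process Explorer-style inventories (assumed values shaped like the
# columns quoted in the post, not an export from either of the thread's machines).
BASELINE_PRO = {
    "alg.exe": {
        "description": "Application Layer Gateway Service",
        "company": "Microsoft Corporation",
        "path": r"C:\WINDOWS\system32\alg.exe",
        "verified": True,
        "dlls": ["ntdll.dll", "kernel32.dll", "advapi32.dll", "rpcrt4.dll", "ws2_32.dll"],
    },
    "svchost.exe": {
        "description": "Generic Host Process for Win32 Services",
        "company": "Microsoft Corporation",
        "path": r"C:\WINDOWS\system32\svchost.exe",
        "verified": True,
        "dlls": ["ntdll.dll", "kernel32.dll", "advapi32.dll"],
    },
}
SUSPECT_HOME = {
    # What the post reports PE showing on the Home box: no description, no
    # company, path "Not available", Verify greyed out, empty lower pane.
    "alg.exe": {"description": "", "company": "", "path": None, "verified": None, "dlls": []},
    "svchost.exe": dict(BASELINE_PRO["svchost.exe"]),
}


def compare_process(base, susp):
    """Return the indicators from the post that differ between baseline and suspect."""
    findings = []
    for field in ("description", "company"):
        if base.get(field) and not susp.get(field):
            findings.append(f"{field} missing (baseline: {base[field]!r})")
    if base.get("path") and susp.get("path") is None:
        findings.append("image path not available, so the signature cannot be verified")
    elif susp.get("path") != base.get("path"):
        findings.append(f"image path differs (baseline: {base.get('path')!r})")
    if base.get("dlls") and not susp.get("dlls"):
        findings.append(f"no loaded DLLs listed (baseline lists {len(base['dlls'])})")
    return findings


def compare_inventories(baseline, suspect):
    """Map image name -> findings; images present only on the suspect host are flagged too."""
    report = {}
    for name in sorted(set(baseline) | set(suspect)):
        if name not in baseline:
            report[name] = ["running on suspect host only"]
        elif name in suspect:
            findings = compare_process(baseline[name], suspect[name])
            if findings:
                report[name] = findings
    return report


def differing_copies(copies, reference):
    """copies maps a file location to its bytes. Returns the locations whose SHA-256
    differs from the reference copy. On XP the dllcache copy is what Windows File
    Protection restores from, so it is the natural reference."""
    ref = hashlib.sha256(copies[reference]).hexdigest()
    return sorted(loc for loc, data in copies.items()
                  if hashlib.sha256(data).hexdigest() != ref)


# Constructed stand-ins for the three 44 KB copies (not the real file contents);
# the system32 copy is deliberately made to differ so the check has something to find.
GOOD_IMAGE = b"MZ" + b"\x90" * 62 + b"PE\0\0" + b"A" * 32
SAMPLE_COPIES = {
    r"C:\WINDOWS\system32\dllcache\alg.exe": GOOD_IMAGE,
    r"C:\WINDOWS\SP2 Files\i386\alg.exe": GOOD_IMAGE,
    r"C:\WINDOWS\system32\alg.exe": GOOD_IMAGE[:-4] + b"XXXX",
}
REFERENCE_COPY = r"C:\WINDOWS\system32\dllcache\alg.exe"


def main():
    for name, findings in compare_inventories(BASELINE_PRO, SUSPECT_HOME).items():
        print(name)
        for f in findings:
            print("  -", f)
    print("copies differing from dllcache:", differing_copies(SAMPLE_COPIES, REFERENCE_COPY))


if __name__ == "__main__":
    main()
```

To use it on real files, read each copy with `open(path, "rb").read()` into the dictionary and hash them the same way; a copy that differs from dllcache while the version resource and size match is worth a closer look than one that merely fails to show in Process Explorer's lower pane.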
 

Duane Arnold

By using Process Explorer and comparing what it shows on the dodgy XP
Home PC with what it shows on my XP Pro PC I suspect that alg.exe has
been infected for the following reasons:

1) On my XP Pro PC, highlighting alg.exe in the upper pane, results in
the lower pane showing numerous DLLs. On the XP Home PC, the lower
pane is empty when alg.exe is highlighted.

It seems like it's questionable.
2) On my XP Pro PC, PE shows alg.exe as:
ALG.EXE 1944 Application Layer Gateway Service Microsoft
Corporation

On the XP Home PC, PE shows alg.exe as:
alg.exe 1004

It seems like it's questionable.
3) On the XP Home PC, if I right-click on alg.exe and click on
properties, on the Image tab of the screen, the Path box shows 'Not
available' and the Verify button is grayed out. On My XP Pro PC the
Path box shows 'C:\WINDOWS\system32\alg.exe' and the Verify button
works.

It seems like it's questionable.
4) On the XP Home PC, alg.exe is found in C:\WINDOWS\system32 and
C:\WINDOWS\SP2 Files\i386, and they are both 44kb, whereas on my XP
Pro PC the latter only contains alg.ex_ which is 18kb (i.e. compressed)
and a 44kb alg.exe is also present in C:\WINDOWS\system32\dllcache .

Some other observations:

Checking the properties of alg.exe in \System32 on the XP Home PC,
shows that it is 43.5Kb, it was last modified on 04 August 2004 and
its version 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158). The alg.exe on
my XP Pro PC has exactly the same properties.

Stopping the ALG service on the XP Home PC makes alg.exe disappear
from PE. However RunDLL32.exe is still running, so I will have to
disable the ALG service and then reboot and see if RunDLL32.exe still
loads. If not, it must be the dodgy alg.exe that is calling it, but if
it still loads, something else must be calling it.

You don't need ALG.exe if you're not using the XP FW.

It's a bit worrying that neither Norton nor Microsoft Anti-Spyware pick
up on this. Even if I replace alg.exe and rundll32.exe with known
clean copies, I guess there could still be other dodgy files lurking
on the drive, even if the original culprit is no longer present. Thank
god for Kerio Firewall is all I can say!

Kerio is not an integrated O/S component and it may not be protecting the
TCP/IP connection at system boot, because it has not started up first in
the start process to protect the TCP/IP and the malware program could be
beating it and sending out packets.

You may be able to verify this by using a packet sniffer like Ethereal
(free).

I myself use Active Ports and put a short-cut for Active Ports in the
Start-up folder and the Refresh Rate is set to *HIGH*. That way I can see
all programs that are making connections at the boot and logon process to
remote IP(s). The PFW solution can be beaten too if the conditions are
right.

Duane :)
 

DJ

You don't need ALG.exe if you're not using the XP FW.

I didn't really think there was any need for alg.exe on the system in
question, which is why I took a cautious approach and didn't allow it
permission to connect in Kerio. I didn't realise that it could get
round this rule by connecting through winlogon.exe, but luckily that
didn't have permission to connect as well.

Kerio is not an integrated O/S component and it may not be protecting the
TCP/IP connection at system boot, because it has not started up first in
the start process to protect the TCP/IP and the malware program could be
beating it and sending out packets.

Kerio splash screen does tend to come up before I've had time to
logon, so it does load fairly early, but I take your point that, with
a broadband connection the networking components of XP may load before
Kerio and allow a trojan to connect.

You may be able to verify this by using a packet sniffer like Ethereal
(free).

I myself use Active Ports and put a short-cut for Active Ports in the
Start-up folder and the Refresh Rate is set to *HIGH*. That way I can see
all programs that are making connections at the boot and logon process to
remote IP(s). The PFW solution can be beaten too if the conditions are
right.

Yet another program I'd not heard of. Thanks for the tip, I'll look
into this. I'll also have to submit a suspected virus/trojan report
with Norton Antivirus and Microsoft Spyware.
 

DJ

I've had a look at Active Ports, and what it shows is exactly the same
as Kerio 2.1.5's 'Firewall Status' list.

I'm not sure that Active Ports can load at bootup any quicker than
Kerio can, in which case there's not much advantage to it for me.
 

Duane Arnold

I've had a look at Active Ports, and what it shows is exactly the same
as Kerio 2.1.5's 'Firewall Status' list.

I'm not sure that Active Ports can load at bootup any quicker than
Kerio can, in which case there's not much advantage to it for me.

Except for my laptop with its mobile abilities, I have no need for a PFW
solution running on the machines. Therefore AP running at boot along with
me reviewing the FW appliance's logs allows me to determine what's
happening on my network. And if I needed to stop outbound from a machine, I
would go to the FW appliance and set a rule to block the machine's IP
sending outbound traffic.

Duane :)
 
