by cab2 » August 27th, 2009, 6:49 pm
Jotti's Scan:
This file has been scanned before. The results for this previous scan are listed below.
--------------------------------------------------------------------------------
Filename: winlogon.exe
Status: Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Thu 27 Aug 2009 13:20:55 (CET)
--------------------------------------------------------------------------------
Additional info
File size: 507904 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: ed0ef0a136dec83df69f04118870003e
SHA1: f77a7cd78877527023ebfb35e83b75ef59d3df07
Scanners
21 results, each "Found nothing", with scanner definition dates of 2009-08-26 or 2009-08-27 (the scanner names are not included in the pasted output).
VirusTotal:
<table border="1">
<tr><td colspan="4">File winlogon.exe received on 2009.08.27 22:34:32 (UTC)</td></tr>
<tr><th>Antivirus</th><th>Version</th><th>Last Update</th><th>Result</th></tr>
<tr><td>a-squared</td><td>4.5.0.24</td><td>2009.08.28</td><td>-</td></tr>
<tr><td>AhnLab-V3</td><td>5.0.0.2</td><td>2009.08.27</td><td>-</td></tr>
<tr><td>AntiVir</td><td>7.9.1.7</td><td>2009.08.27</td><td>-</td></tr>
<tr><td>Antiy-AVL</td><td>2.0.3.7</td><td>2009.08.24</td><td>-</td></tr>
<tr><td>Authentium</td><td>5.1.2.4</td><td>2009.08.27</td><td>-</td></tr>
<tr><td>Avast</td><td>4.8.1335.0</td><td>2009.08.27</td><td>-</td></tr>
<tr><td>AVG</td><td>8.5.0.406</td><td>2009.08.27</td><td>-</td></tr>
<tr><td>BitDefender</td><td>7.2</td><td>2009.08.28</td><td>-</td></tr>
<tr><td>CAT-QuickHeal</td><td>10.00</td><td>2009.08.27</td><td>-</td></tr>
<tr><td>ClamAV</td><td>0.94.1</td><td>2009.08.27</td><td>-</td></tr>
<tr><td>Comodo</td><td>2116</td><td>2009.08.28</td><td>-</td></tr>
<tr><td>DrWeb</td><td>5.0.0.12182</td><td>2009.08.28</td><td>-</td></tr>
<tr><td>eSafe</td><td>7.0.17.0</td><td>2009.08.27</td><td>-</td></tr>
<tr><td>eTrust-Vet</td><td>31.6.6705</td><td>2009.08.27</td><td>-</td></tr>
<tr><td>F-Prot</td><td>4.5.1.85</td><td>2009.08.27</td><td>-</td></tr>
<tr><td>F-Secure</td><td>8.0.14470.0</td><td>2009.08.27</td><td>-</td></tr>
<tr><td>Fortinet</td><td>3.120.0.0</td><td>2009.08.27</td><td>-</td></tr>
<tr><td>GData</td><td>19</td><td>2009.08.28</td><td>-</td></tr>
<tr><td>Ikarus</td><td>T3.1.1.68.0</td><td>2009.08.27</td><td>-</td></tr>
<tr><td>Jiangmin</td><td>11.0.800</td><td>2009.08.27</td><td>-</td></tr>
<tr><td>K7AntiVirus</td><td>7.10.829</td><td>2009.08.27</td><td>-</td></tr>
<tr><td>Kaspersky</td><td>7.0.0.125</td><td>2009.08.27</td><td>-</td></tr>
<tr><td>McAfee</td><td>5722</td><td>2009.08.27</td><td>-</td></tr>
<tr><td>McAfee+Artemis</td><td>5722</td><td>2009.08.27</td><td>-</td></tr>
<tr><td>McAfee-GW-Edition</td><td>6.8.5</td><td>2009.08.27</td><td>-</td></tr>
<tr><td>Microsoft</td><td>1.4903</td><td>2009.08.27</td><td>-</td></tr>
<tr><td>NOD32</td><td>4375</td><td>2009.08.28</td><td>-</td></tr>
<tr><td>Norman</td><td></td><td>2009.08.27</td><td>-</td></tr>
<tr><td>nProtect</td><td>2009.1.8.0</td><td>2009.08.27</td><td>-</td></tr>
<tr><td>Panda</td><td>10.0.2.2</td><td>2009.08.27</td><td>-</td></tr>
<tr><td>PCTools</td><td>4.4.2.0</td><td>2009.08.27</td><td>-</td></tr>
<tr><td>Prevx</td><td>3.0</td><td>2009.08.28</td><td>-</td></tr>
<tr><td>Rising</td><td>21.44.11.00</td><td>2009.08.25</td><td>-</td></tr>
<tr><td>Sophos</td><td>4.45.0</td><td>2009.08.27</td><td>-</td></tr>
<tr><td>Sunbelt</td><td>3.2.1858.2</td><td>2009.08.27</td><td>-</td></tr>
<tr><td>Symantec</td><td>1.4.4.12</td><td>2009.08.27</td><td>-</td></tr>
<tr><td>TheHacker</td><td>6.3.4.3.389</td><td>2009.08.27</td><td>-</td></tr>
<tr><td>TrendMicro</td><td>8.950.0.1094</td><td>2009.08.27</td><td>-</td></tr>
<tr><td>VBA32</td><td>3.12.10.10</td><td>2009.08.27</td><td>-</td></tr>
<tr><td>ViRobot</td><td>2009.8.27.1905</td><td>2009.08.27</td><td>-</td></tr>
<tr><td>VirusBuster</td><td>4.6.5.0</td><td>2009.08.27</td><td>-</td></tr>
<tr><td colspan="4">Additional information</td></tr>
<tr><td colspan="4">File size: 507904 bytes</td></tr>
<tr><td colspan="4">MD5...: ed0ef0a136dec83df69f04118870003e</td></tr>
<tr><td colspan="4">SHA1..: f77a7cd78877527023ebfb35e83b75ef59d3df07</td></tr>
<tr><td colspan="4">SHA256: 45377cb8e9f0120f836fc8261c711f7dbf7199117afb3652ebf100d5f0429b1e</td></tr>
<tr><td colspan="4">ssdeep: 6144:kNZlxEdL5RvGlcHF37newMLao6nMnKHOD13XRnCfOVSePfLtisgZYl:jdz+lcDKao6nSKHsRqOMgxZg</td></tr>
<tr><td colspan="4">PEiD..: -</td></tr>
<tr><td colspan="4">PEInfo: PE Structure information
<pre>
( base data )
entrypointaddress.: 0x3e5e1
timedatestamp.....: 0x48027549 (Sun Apr 13 21:04:09 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name   viradd   virsiz   rawdsiz  ntrpy  md5
.text  0x1000   0x70991  0x70a00  6.82   39d0278af55c2446adf638b9f0236aff
.data  0x72000  0x4e70   0x2000   6.28   44bd27282514b5e3a27b570106930d8d
.rsrc  0x77000  0x9020   0x9200   3.62   8b50f3590d97bb27639f10bacbc53187

( 20 imports )
> ADVAPI32.dll: ConvertStringSecurityDescriptorToSecurityDescriptorA, A_SHAInit, A_SHAUpdate, A_SHAFinal, LsaStorePrivateData, LsaRetrievePrivateData, LsaNtStatusToWinError, CryptGetUserKey, CryptGetKeyParam, CryptEncrypt, CryptSetProvParam, CryptSignHashW, CryptDeriveKey, CryptGetProvParam, RegOpenCurrentUser, RegDeleteKeyW, AddAccessAllowedAceEx, RegSetKeySecurity, I_ScSendTSMessage, MD5Init, MD5Update, MD5Final, SetFileSecurityA, AllocateLocallyUniqueId, LsaOpenPolicy, LsaQueryInformationPolicy, LsaFreeMemory, LsaClose, RegNotifyChangeKeyValue, QueryServiceConfigW, SetKernelObjectSecurity, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegEnumKeyExW, GetCurrentHwProfileW, RegCloseKey, RegQueryValueExW, RegOpenKeyW, FreeSid, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, AddAccessAllowedAce, InitializeAcl, GetLengthSid, AllocateAndInitializeSid, RegOpenKeyExW, CreateProcessAsUserW, DuplicateTokenEx, CloseServiceHandle, ControlService, StartServiceW, QueryServiceStatus, OpenServiceW, OpenSCManagerW, EqualSid, GetTokenInformation, RegSetValueExW, RegCreateKeyExW, CryptGenRandom, CryptDestroyHash, CryptVerifySignatureW, CryptSetHashParam, CryptGetHashParam, CryptHashData, CryptCreateHash, CryptDecrypt, ReportEventW, RegisterEventSourceW, CryptImportKey, CryptAcquireContextW, CryptReleaseContext, CryptDestroyKey, RegEnumValueW, RegQueryInfoKeyW, RegDeleteValueW, CredFree, CredDeleteW, CredEnumerateW, CopySid, GetSidLengthRequired, GetSidSubAuthority, GetSidSubAuthorityCount, GetUserNameW, OpenThreadToken, EnumServicesStatusW, ImpersonateLoggedOnUser, RegQueryValueExA, CheckTokenMembership, DeregisterEventSource, LsaGetUserName, RevertToSelf, LookupAccountSidW, IsValidSid, SetTokenInformation, LogonUserW, LookupAccountNameW, OpenProcessToken, SynchronizeWindows31FilesAndWindowsNTRegistry, QueryWindows31FilesMigration, AdjustTokenPrivileges, RegQueryInfoKeyA
> AUTHZ.dll: AuthzInitializeResourceManager, AuthzAccessCheck, AuthziFreeAuditEventType, AuthziInitializeAuditEvent, AuthziInitializeAuditParams, AuthziInitializeAuditEventType, AuthziLogAuditEvent, AuthzFreeAuditEvent, AuthzFreeResourceManager, AuthzFreeHandle
> CRYPT32.dll: CryptImportPublicKeyInfo, CryptVerifyMessageSignature, CertCreateCertificateContext, CertSetCertificateContextProperty, CertVerifyCertificateChainPolicy, CryptSignMessage, CertCloseStore, CertComparePublicKeyInfo, CryptExportPublicKeyInfo, CertFindExtension, CryptDecryptMessage, CertGetCertificateContextProperty, CertAddCertificateContextToStore, CertOpenStore, CertVerifySubjectCertificateContext, CertGetIssuerCertificateFromStore, CertDuplicateCertificateContext, CertFreeCertificateContext, CertEnumCertificatesInStore, CryptImportPublicKeyInfoEx
> GDI32.dll: RemoveFontResourceW, AddFontResourceW
> KERNEL32.dll: WTSGetActiveConsoleSessionId, GetTimeFormatW, GetUserDefaultLCID, FileTimeToSystemTime, FileTimeToLocalFileTime, GetProcAddress, LoadLibraryW, GetModuleHandleW, SystemTimeToFileTime, GetSystemTime, SetLastError, TerminateProcess, GetCurrentProcess, CreateTimerQueueTimer, CreateThread, lstrcpynW, GetShortPathNameW, GetProfileStringW, FreeLibrary, ReleaseSemaphore, CreateSemaphoreW, GetSystemInfo, GetComputerNameW, GetEnvironmentVariableW, WaitForSingleObjectEx, LoadResource, FindResourceW, SetThreadExecutionState, DeleteTimerQueueTimer, ResetEvent, GetSystemDirectoryW, TransactNamedPipe, SetNamedPipeHandleState, GetTickCount, CreateFileW, GlobalGetAtomNameW, VirtualLock, VirtualQuery, GetDriveTypeW, Beep, ExpandEnvironmentStringsW, OpenMutexW, QueueUserWorkItem, LeaveCriticalSection, EnterCriticalSection, DisconnectNamedPipe, SearchPathW, lstrcatW, LocalReAlloc, TerminateThread, ResumeThread, GetDiskFreeSpaceExW, GlobalMemoryStatusEx, DeleteFileW, WriteProfileStringW, ReadFile, FindVolumeClose, FindNextVolumeW, FindFirstVolumeW, FormatMessageW, SetPriorityClass, MoveFileExW, WaitForMultipleObjectsEx, GetExitCodeProcess, SleepEx, InterlockedExchange, FindClose, FindFirstFileW, GetWindowsDirectoryW, SetTimerQueueTimer, GetComputerNameA, GetVersionExW, VerSetConditionMask, WriteFile, WaitNamedPipeW, WaitForMultipleObjects, ConnectNamedPipe, GetVersionExA, DuplicateHandle, OpenProcess, GetOverlappedResult, lstrcmpW, SetEnvironmentVariableW, UnregisterWait, CreateNamedPipeW, CreateRemoteThread, CreateActCtxW, GetModuleFileNameW, ExitProcess, LoadLibraryExW, SetErrorMode, SetUnhandledExceptionFilter, GetPrivateProfileStringW, LocalSize, VirtualAlloc, VirtualQueryEx, DebugBreak, CreateFileA, InitializeCriticalSection, ProcessIdToSessionId, SetInformationJobObject, AssignProcessToJobObject, TerminateJobObject, PostQueuedCompletionStatus, PulseEvent, GetQueuedCompletionStatus, CreateIoCompletionPort, CreateJobObjectW, ActivateActCtx, DeactivateActCtx, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetSystemTimeAsFileTime, UnhandledExceptionFilter, GetModuleHandleA, GetStartupInfoA, GetCurrentProcessId, SetThreadPriority, GetCurrentThreadId, lstrcmpiW, GetProfileIntW, LoadLibraryExA, lstrcpyW, lstrlenW, Sleep, LocalAlloc, CreateEventW, GetExitCodeThread, SetThreadAffinityMask, GetProcessAffinityMask, CreateWaitableTimerW, CreateMutexW, OpenEventW, RegisterWaitForSingleObject, WaitForSingleObject, CreateProcessW, SetWaitableTimer, ReleaseMutex, SetEvent, UnregisterWaitEx, CloseHandle, lstrlenA, lstrcpyA, MultiByteToWideChar, GetACP, WideCharToMultiByte, HeapAlloc, GetProcessHeap, HeapFree, lstrcpynA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, lstrcmpiA, GetFileSize, SetFilePointer, GlobalAlloc, GlobalFree, GetLastError, LocalFree, lstrcatA, lstrcmpA, GetLogicalDriveStringsA, GetDriveTypeA, GetVolumeInformationW, GlobalMemoryStatus, CreateMutexA, FindResourceExW, LockResource, SizeofResource, VerifyVersionInfoW, GetSystemDirectoryA, GetCurrentThread, DelayLoadFailureHook, BaseInitAppcompatCacheSupport, OpenProfileUserMapping, CloseProfileUserMapping, BaseCleanupAppcompatCacheSupport, InitializeCriticalSectionAndSpinCount, VirtualProtect, CreateEventA, TlsSetValue, TlsGetValue, DeleteCriticalSection, TlsAlloc, VirtualFree, TlsFree
> msvcrt.dll: wcslen, _vsnwprintf, wcsncpy, wcsstr, atoi, wcstok, memmove, wcschr, swprintf, swscanf, _local_unwind2, _wcslwr, wcscmp, _snwprintf, malloc, _c_exit, _exit, _XcptFilter, _cexit, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, __3@YAXPAX@Z, __2@YAPAXI@Z, __CxxFrameHandler, _itow, _snprintf, _wtol, _strnicmp, sscanf, wcstombs, sprintf, strchr, strncmp, atof, _ftol, isspace, wcscpy, _controlfp, wcsncmp, _wcsupr, ceil, wcscat, _except_handler3, free, _wcsicmp
> NDdeApi.dll: -, -, -, -
> ntdll.dll: RtlSubAuthoritySid, RtlAllocateHeap, NtPowerInformation, NtSetSystemPowerState, NtRaiseHardError, RtlDeleteCriticalSection, NtOpenSymbolicLinkObject, NtReplyPort, NtCompleteConnectPort, NtReplyWaitReceivePort, NtAcceptConnectPort, NtCreatePort, RtlConvertSidToUnicodeString, RtlFreeUnicodeString, NtLockProductActivationKeys, RtlTimeToTimeFields, NtUnmapViewOfSection, NtMapViewOfSection, NtOpenSection, NtQuerySymbolicLinkObject, NtQueryVolumeInformationFile, NtSetSecurityObject, RtlAdjustPrivilege, NtOpenFile, NtFsControlFile, RtlAllocateAndInitializeSid, RtlDestroyEnvironment, RtlFreeHeap, NtQueryInformationToken, NtShutdownSystem, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlInitializeCriticalSection, RtlCreateEnvironment, RtlQueryEnvironmentVariable_U, RtlSetEnvironmentVariable, RtlInitUnicodeString, NtOpenKey, NtQueryValueKey, RtlInitializeSid, RtlLengthRequiredSid, NtAllocateLocallyUniqueId, RtlGetDaclSecurityDescriptor, RtlCopySid, RtlLengthSid, NtSetInformationThread, NtDuplicateToken, NtDuplicateObject, RtlEqualSid, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, NtClose, RtlOpenCurrentUser, RtlAddAce, RtlCreateAcl, RtlNtStatusToDosError, NtSetInformationProcess, NtQuerySystemInformation, NtCreateEvent, NtCreatePagingFile, RtlDosPathNameToNtPathName_U, RtlRegisterWait, NtSetValueKey, NtCreateKey, RtlTimeToSecondsSince1980, NtQuerySystemTime, NtPrivilegeObjectAuditAlarm, NtPrivilegeCheck, NtOpenThreadToken, NtOpenProcessToken, RtlInitString, RtlUnhandledExceptionFilter, NtQueryInformationProcess, DbgBreakPoint, RtlCheckProcessParameters, RtlSetThreadIsCritical, RtlSetProcessIsCritical, RtlGetNtProductType, NtInitiatePowerAction, DbgPrint, NtFilterToken, NtQueryInformationJobObject, NtOpenEvent, RtlGetAce, RtlQueryInformationAcl, NtQuerySecurityObject, RtlCompareUnicodeString, NtOpenDirectoryObject
> PROFMAP.dll: InitializeProfileMappingApi, RemapAndMoveUserW
> PSAPI.DLL: EnumProcesses, EnumProcessModules, GetModuleBaseNameW
> REGAPI.dll: RegDefaultUserConfigQueryW, RegUserConfigQuery
> RPCRT4.dll: RpcServerRegisterIfEx, RpcServerUseProtseqEpW, RpcImpersonateClient, I_RpcMapWin32Status, RpcServerRegisterIf, RpcGetAuthorizationContextForClient, RpcFreeAuthorizationContext, RpcServerListen, RpcRevertToSelf, NdrServerCall2, UuidCreate
> Secur32.dll: LsaCallAuthenticationPackage, GetUserNameExW, LsaLookupAuthenticationPackage, LsaRegisterLogonProcess
> SETUPAPI.dll: SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInfo, SetupDiGetClassDevsW, SetupDiGetDeviceRegistryPropertyW
> USER32.dll: SetFocus, EnumWindows, CreateWindowStationW, RegisterLogonProcess, RecordShutdownReason, LoadLocalFonts, UnhookWindowsHook, SetWindowsHookW, GetWindowTextW, CallNextHookEx, DialogBoxParamW, GetWindowPlacement, GetSystemMenu, DeleteMenu, SetWindowPlacement, SetUserObjectInformationW, GetAsyncKeyState, PostThreadMessageW, SetUserObjectSecurity, CreateDesktopW, GetMessageTime, SetTimer, SetLogonNotifyWindow, UnlockWindowStation, ReplyMessage, UnregisterHotKey, RegisterHotKey, OpenInputDesktop, GetUserObjectInformationW, CloseDesktop, RegisterDeviceNotificationW, SetThreadDesktop, CreateWindowExW, GetMessageW, TranslateMessage, RegisterWindowMessageW, RegisterClassW, SetCursor, FindWindowW, MessageBoxW, SendNotifyMessageW, PostQuitMessage, MsgWaitForMultipleObjects, GetWindowRect, GetSystemMetrics, PeekMessageW, DispatchMessageW, KillTimer, SetProcessWindowStation, UpdateWindow, ShowWindow, SetWindowPos, PostMessageW, ExitWindowsEx, EnumDisplayMonitors, SystemParametersInfoW, GetDlgItem, SendMessageW, CreateDialogParamW, DestroyWindow, GetWindowLongW, GetDlgItemTextW, EndDialog, SetWindowLongW, LoadStringW, SetWindowTextW, SetDlgItemTextW, wsprintfW, wsprintfA, LockWindowStation, MBToWCSEx, SetWindowStationUser, UpdatePerUserSystemParameters, DialogBoxIndirectParamW, wvsprintfW, SetLastErrorEx, LoadCursorW, CheckDlgButton, IsDlgButtonChecked, DefWindowProcW, CloseWindowStation, LoadImageW, GetParent, GetKeyState, GetDesktopWindow, SetForegroundWindow, SwitchDesktop, OpenDesktopW
> USERENV.dll: -, WaitForUserPolicyForegroundProcessing, GetAllUsersProfileDirectoryW, -, -, -, WaitForMachinePolicyForegroundProcessing, -, -, -, UnloadUserProfile, LoadUserProfileW, -, RegisterGPNotification, CreateEnvironmentBlock, DestroyEnvironmentBlock, UnregisterGPNotification, GetUserProfileDirectoryW
> VERSION.dll: GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
> WINSTA.dll: WinStationRequestSessionsList, WinStationQueryLogonCredentialsW, WinStationIsHelpAssistantSession, WinStationAutoReconnect, _WinStationWaitForConnect, _WinStationNotifyLogoff, WinStationDisconnect, _WinStationCallback, WinStationNameFromLogonIdW, _WinStationFUSCanRemoteUserDisconnect, WinStationEnumerate_IndexedW, WinStationGetMachinePolicy, WinStationQueryInformationW, WinStationFreeMemory, WinStationReset, _WinStationNotifyDisconnectPipe, WinStationConnectW, WinStationSetInformationW, WinStationShutdownSystem, WinStationCheckLoopBack, _WinStationNotifyLogon
> WINTRUST.dll: CryptCATAdminEnumCatalogFromHash, CryptCATCatalogInfoFromContext, CryptCATAdminCalcHashFromFileHandle, CryptCATAdminAcquireContext, CryptCATAdminReleaseCatalogContext, WTHelperProvDataFromStateData, WinVerifyTrust, WTHelperGetProvSignerFromChain, CryptCATAdminReleaseContext
> WS2_32.dll: -, -, getaddrinfo

( 0 exports )
</pre></td></tr>
<tr><td colspan="4">RDS...: NSRL Reference Data Set<BR>-</td></tr>
<tr><td colspan="4">pdfid.: -</td></tr>
<tr><td colspan="4">ThreatExpert info: <a href='http://www.threatexpert.com/report.aspx?md5=ed0ef0a136dec83df69f04118870003e' target='_blank'>http://www.threatexpert.com/report.aspx?md5=ed0ef0a136dec83df69f04118870003e</a></td></tr>
<tr><td colspan="4">trid..: Win64 Executable Generic (80.9%)<BR>Win32 Executable Generic (8.0%)<BR>Win32 Dynamic Link Library (generic) (7.1%)<BR>Generic Win/DOS Executable (1.8%)<BR>DOS Executable Generic (1.8%)</td></tr>
</table>