STEP #1 -- Yes I read and followed all HIJACKTHIS pre-requisites.
STEP #2 -- In addition, I followed all the cleaning steps at the following link (very good list): http://www.wildersse...ead.php?t=50662
PROBLEM DESCRIPTION
----------------------------
Yesterday during first boot of the day, Process Guard (www.diamondcs.com.au) signaled an alert that SVCHOST was trying to terminate WINLOGON. My hunch was that I had a WELCHIA worm infection.
Here are the exact messages from the Process Guard Event Log (just an excerpt, as it kept trying and trying; PG did a nice intercept job):
Wed 08 - 07:55:28 [TERMINATE] c:\windows\system32\svchost.exe [980] was blocked from terminating c:\windows\system32\winlogon.exe [1100]
Wed 08 - 07:55:28 [TERMINATE] c:\windows\system32\svchost.exe [980] was blocked from terminating c:\windows\system32\logonui.exe [1856]
Wed 08 - 07:55:29 [EXECUTION] "c:\windows\system32\logonui.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\winlogon.exe" [744]
[EXECUTION] Commandline - [ logonui.exe /status /shutdown ]
Wed 08 - 07:55:29 [TERMINATE] c:\windows\system32\svchost.exe [980] was blocked from terminating c:\windows\system32\winlogon.exe [1100]
Wed 08 - 07:55:29 [TERMINATE] c:\windows\system32\svchost.exe [980] was blocked from terminating c:\windows\system32\logonui.exe [1856]
Wed 08 - 07:55:30 [TERMINATE] c:\windows\system32\svchost.exe [980] was blocked from terminating c:\windows\system32\winlogon.exe [1100]
Wed 08 - 07:55:30 [TERMINATE] c:\windows\system32\svchost.exe [980] was blocked from terminating c:\windows\system32\logonui.exe [1856]
Wed 08 - 07:55:31 [TERMINATE] c:\windows\system32\svchost.exe [980] was blocked from terminating c:\windows\system32\winlogon.exe [1100]
Wed 08 - 07:55:31 [TERMINATE] c:\windows\system32\svchost.exe [980] was blocked from terminating c:\windows\system32\logonui.exe [1856]
. . . .
. . . .
. . . .
etc.
RESEARCH & ANALYSIS
----------------------------
As implied above in completing STEPS #1 & #2, I spent many hours yesterday trying to identify, find and eradicate any MALWARE I might have. The weird thing is that none (zero, nada) of the scans found anything.
WHAT DID I FIND?
----------------------
I am curious about two (2) weird things.
1. In my HIJACKTHIS log is an executable - RNFF.exe. No amount of Google investigation (web or groups) found anything about this program. The only thing I can link it to is a tool I downloaded and ran called -- RootkitRevealer (www.sysinternals.com); linked on the basis of -- and this is flimsy -- both RootkitRevealer and RNFF.exe having the same icon.
OK, second weird thing . . . .
2. I downloaded and ran a tool called Process Explorer (also from www.sysinternals.com). Attached is a screen capture of the processes running on my PC with a SVCHOST process highlighted in particular (top pane of screen). In the lower pane of the screen you see a "CLB" file (Office XP Developer Code Librarian?) named "R00000000002a.clb" listed among all the DLLs associated with this particular occurrence of SVCHOST. What is even weirder is that it is referencing this file from the "C:\WINDOWS\REGISTRATION\" directory.
ATTACHMENTS:
--------------------
HIJACKTHIS LOG -- Text file -- "hijackthis-2005JUN09.log"
PROCESS EXPLORER SCREEN IMAGE -- Bitmap file -- "PC Health Analysis01.bmp"
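Added example (not part of the original post, and not code from Process Guard or Sysinternals): a small Python parser for event-log lines in the layout quoted above that flags termination attempts aimed at logon/session-critical processes and counts them per source process and PID. The regular expressions, the list of critical process names, and the sample lines are assumptions based on the excerpt; the sample log below is constructed, not copied from a live system.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the same layout as the Process Guard excerpt above.
SAMPLE_LOG = r"""
Wed 08 - 07:55:28 [TERMINATE] c:\windows\system32\svchost.exe [980] was blocked from terminating c:\windows\system32\winlogon.exe [1100]
Wed 08 - 07:55:28 [TERMINATE] c:\windows\system32\svchost.exe [980] was blocked from terminating c:\windows\system32\logonui.exe [1856]
Wed 08 - 07:55:29 [EXECUTION] "c:\windows\system32\logonui.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\winlogon.exe" [744]
[EXECUTION] Commandline - [ logonui.exe /status /shutdown ]
Wed 08 - 07:55:29 [TERMINATE] c:\windows\system32\svchost.exe [980] was blocked from terminating c:\windows\system32\winlogon.exe [1100]
"""

# Assumed line formats, derived from the excerpt; paths are matched lazily so
# directories containing spaces still parse.
_TS = r"(?P<ts>\w{3} \d{2} - \d{2}:\d{2}:\d{2})"
TERMINATE_RE = re.compile(
    _TS + r" \[TERMINATE\] (?P<src>.+?) \[(?P<src_pid>\d+)\] was "
    r"(?P<verdict>.+?) terminating (?P<dst>.+?) \[(?P<dst_pid>\d+)\]$"
)
EXEC_RE = re.compile(_TS + r' \[EXECUTION\] "(?P<image>[^"]+)" was (?P<verdict>.+?) to run$')
STARTED_BY_RE = re.compile(r'^\[EXECUTION\] Started by "(?P<parent>[^"]+)" \[(?P<parent_pid>\d+)\]$')
CMDLINE_RE = re.compile(r"^\[EXECUTION\] Commandline - \[ (?P<cmdline>.*?) \]$")

# Assumed set of processes whose termination by anything other than the OS
# is worth an alert; extend to taste.
CRITICAL_TARGETS = frozenset(
    {"winlogon.exe", "logonui.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe"}
)


@dataclass
class Event:
    ts: str
    kind: str                        # "TERMINATE" or "EXECUTION"
    blocked: bool                    # True when Process Guard stopped the action
    src: str                         # actor for TERMINATE, launched image for EXECUTION
    src_pid: Optional[int] = None
    dst: Optional[str] = None        # target of a TERMINATE
    dst_pid: Optional[int] = None
    parent: Optional[str] = None     # filled from the "Started by" continuation line
    parent_pid: Optional[int] = None
    cmdline: Optional[str] = None    # filled from the "Commandline" continuation line


def parse_pg_log(text: str) -> List[Event]:
    """Parse log text into Events; continuation lines attach to the preceding EXECUTION."""
    events: List[Event] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TERMINATE_RE.match(line)
        if m:
            events.append(Event(ts=m["ts"], kind="TERMINATE",
                                blocked=m["verdict"].startswith("blocked"),
                                src=m["src"].lower(), src_pid=int(m["src_pid"]),
                                dst=m["dst"].lower(), dst_pid=int(m["dst_pid"])))
            continue
        m = EXEC_RE.match(line)
        if m:
            events.append(Event(ts=m["ts"], kind="EXECUTION",
                                blocked=not m["verdict"].startswith("allowed"),
                                src=m["image"].lower()))
            continue
        m = STARTED_BY_RE.match(line)
        if m and events and events[-1].kind == "EXECUTION":
            events[-1].parent = m["parent"].lower()
            events[-1].parent_pid = int(m["parent_pid"])
            continue
        m = CMDLINE_RE.match(line)
        if m and events and events[-1].kind == "EXECUTION":
            events[-1].cmdline = m["cmdline"]
            continue
        # Anything else (e.g. the ". . . ." elision markers in a pasted excerpt) is ignored.
    return events


def basename(path: str) -> str:
    """Last path component, accepting either Windows or POSIX separators."""
    return path.rsplit("\\", 1)[-1].rsplit("/", 1)[-1]


def find_critical_terminations(events: List[Event], critical=CRITICAL_TARGETS) -> List[Event]:
    """Return TERMINATE events whose target is one of the critical processes."""
    return [e for e in events if e.kind == "TERMINATE" and basename(e.dst) in critical]


def summarize(hits: List[Event]) -> Dict[Tuple[str, int, str], int]:
    """Count attempts per (source image, source PID, target basename)."""
    return dict(Counter((e.src, e.src_pid, basename(e.dst)) for e in hits))


if __name__ == "__main__":
    for (src, pid, target), n in summarize(find_critical_terminations(parse_pg_log(SAMPLE_LOG))).items():
        print(f"{src} [{pid}] -> {target}: {n} attempt(s)")
```

Run against a saved Process Guard log, the summary makes the pattern in the excerpt explicit: one svchost.exe instance (PID 980) repeatedly targeting winlogon.exe and logonui.exe. The source PID is the useful pivot for the next step in Process Explorer, since several svchost.exe processes normally run at once and only one of them is the actor.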