
Thread: actual winlogon.exe is connection to http

  1. #1
    Junior Member
    Join Date
    Nov 2005
    Location
    Germany
    Posts
    1

    actual winlogon.exe is connection to http

    Hi,

    I recently removed a spyware infestation from a PC of a colleague of mine which mainly consisted of some CoolWWW components and a program trying to appear as a security center application that displays spyware warnings.

    I think I got rid of most of the components after running Spybot S+D in Safe Mode in Windows 2000; however, one thing still remains. After I installed Kerio Personal Firewall, I found that the actual winlogon.exe is connecting to two different IP addresses via HTTP. One is owned by an internet service in Ukraine, the other one is owned by an internet service in the US.

    If I allow the connection to go through, the program apparently downloads a file that is detected by Antivir as a trojan, which is stored in \windows\system32\1024\LXXX.tmp\LXXX.tmp (something like that).

    I wonder if this is a known threat. I tried to locate the program by the HiJackThis logfile, but everything looked OK to me.

    I don't have the HiJackThis log here right now, but I can add this tomorrow, if necessary.


    bye, Alexander
    Last edited by AlexLehm; 2005-11-09 at 21:16.

  2. #2
    Member of Team Spybot tashi
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961


    Hello AlexLehm and welcome to the forums.

    It might be best if someone takes a look at the system.

    To post a hjt log please go here:
    http://forums.spybot.info/forumdisplay.php?f=22

    Cheers.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
