actual winlogon.exe is connecting to http
Hi,
I recently removed a spyware infestation from a PC of a colleague of mine which mainly consisted of some CoolWWW components and a program trying to appear as a security center application that displays spyware warnings.
I think I got rid of most of the components after running Spybot S&D in Safe Mode in Windows 2000; however, one thing still remains. After I installed Kerio Personal Firewall, I found that the actual winlogon.exe is connecting to two different IP addresses via http; one is owned by an internet service in Ukraine, the other one is owned by an internet service in the US.
If I allow the connection to go through, the program apparently downloads a file that is detected by AntiVir as a trojan, which is stored in \windows\system32\1024\LXXX.tmp\LXXX.tmp (something like that).
I wonder if this is a known threat. I tried to locate the program by the HijackThis logfile, but everything looked OK to me.
I don't have the HijackThis log here right now, but I can add this tomorrow, if necessary.
bye, Alexander
Last edited by AlexLehm; 2005-11-09 at 21:16.