winlogon.exe function?

Dutchm@n

Does winlogon.exe have a legal Windows function?

It seems to be guilty of wanting to contact all sorts of sites
that have nothing to do with what I am doing.
My Ontrack firewall program log regularly shows 40-50 blocked
attempts to sites like "Hotmail***" (at least 6 versions),
"hostmx's", and many other weird and wonderful "host" names.

It persistently asks my permission on-screen to connect to
"Hostmx.mail.yahoo.com" which I personally then block.
The others however seem to be blocked in the background.

The app involved is always listed as winlogon.exe

What motivates all this - is winlogon or where does it get its
connect attempt info from?
NAV, AdAware nor Ontrack can find any fault.

Thanks in advance
 
Lance Joiner

Dutchm@n said:
Does winlogon.exe have a legal Windows function?

It seems to be guilty of wanting to contact all sorts of sites
that have nothing to do with what I am doing.
My Ontrack firewall program log regularly shows 40-50 blocked
attempts to sites like "Hotmail***" (at least 6 versions),
"hostmx's", and many other weird and wonderful "host" names.

It persistently asks my permission on-screen to connect to
"Hostmx.mail.yahoo.com" which I personally then block.
The others however seem to be blocked in the background.

The app involved is always listed as winlogon.exe

What motivates all this - is winlogon or where does it get its
connect attempt info from?
NAV, AdAware nor Ontrack can find any fault.

Thanks in advance

Here's some info..
Winlogon.exe
You cannot end this process from Task Manager. This is the process
responsible for managing user logon and logoff. Moreover, Winlogon is active
only when the user presses CTRL+ALT+DEL, at which point it shows the
security dialog box.
--------------------------------------------------------------------------------
Update 01.03.2004
Typical path (XP) is C:\WINDOWS\system32\winlogon.exe
(%systemroot%\system32\winlogon.exe).
--------------------------------------------------------------------------------
Important Update 01.03.2004 by reger24:
If winlogon.exe is running in your system and its exe-file is in c:\winnt
or c:\windows (%systemroot%) with a filesize of 17,424 bytes you should
terminate that process and remove its autostart entry because it's the worm
W32.Netsky.D.
More information about W32.Netsky.D can be found on the following websites
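
The path and size check described in the post above, as an added PowerShell example that is not part of the original thread. It only reports findings and changes nothing. The two `Run` registry keys are an assumption about where an autostart entry would live (the thread does not name one), and `New-Finding` is a helper defined here.

```powershell
# Added example, not from the thread. Reports only; removes nothing.
$expected   = Join-Path $env:SystemRoot 'System32\winlogon.exe'
$strayPath  = Join-Path $env:SystemRoot 'winlogon.exe'  # location named in the post
$quotedSize = 17424                                     # size in bytes named in the post

function New-Finding($Check, $Item, $Path, $Verdict) {
    [pscustomobject]@{ Check = $Check; Item = $Item; Path = $Path; Verdict = $Verdict }
}

# 1. Every running winlogon.exe should be the System32 image.
#    Run elevated, otherwise ExecutablePath can come back empty.
$procs = Get-CimInstance Win32_Process -Filter "Name = 'winlogon.exe'" | ForEach-Object {
    if (-not $_.ExecutablePath)               { $verdict = 'path unavailable (run elevated)' }
    elseif ($_.ExecutablePath -ieq $expected) { $verdict = 'expected location' }
    else                                      { $verdict = 'UNEXPECTED location' }
    New-Finding 'process' "PID $($_.ProcessId)" $_.ExecutablePath $verdict
}

# 2. No winlogon.exe should exist directly under %SystemRoot%.
$file = if (Test-Path -LiteralPath $strayPath) {
    $f = Get-Item -LiteralPath $strayPath -Force
    if ($f.Length -eq $quotedSize) { $verdict = 'UNEXPECTED file, size matches the post' }
    else                           { $verdict = 'UNEXPECTED file, different size' }
    New-Finding 'file' "$($f.Length) bytes" $f.FullName $verdict
}

# 3. Autostart values that launch a winlogon.exe (assumed locations: Run keys).
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$auto = foreach ($key in $runKeys) {
    $k = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if ($k) {
        foreach ($name in $k.GetValueNames()) {
            $value = [string]$k.GetValue($name)
            if ($value -match 'winlogon\.exe') {
                New-Finding 'autostart' "$key -> $name" $value 'review this entry'
            }
        }
    }
}

@($procs) + @($file) + @($auto) | Format-Table -AutoSize -Wrap
```

A clean system shows only `process` rows with the verdict `expected location`; any `file` or `autostart` row, or a process outside System32, is what the post describes.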
 
Dutchm@n

Lance,

My profuse thanks for the tip - Yes that is what I discovered.
I had not yet downloaded the latest AV updates and it looks
like I got the worm yesterday. (If you snooze you lose, but
luckily I happened to look in the firewall log)

NAV took it out (safe mode and system restore disabled) and
I did a fresh C-drive backup and restore point afterwards.

I have notified some friends whom I sent mails and hope my
firewall stopped it from getting to them.

Thanks again


| > What motivates all this - is winlogon or where does it get its
| > connect attempt info from?
| > NAV, AdAware nor Ontrack can find any fault.
| >
| > Thanks in advance
|
| Here's some info..
| Winlogon.exe
| You cannot end this process from Task Manager. This is the process
| responsible for managing user logon and logoff. Moreover, Winlogon is active
| only when the user presses CTRL+ALT+DEL, at which point it shows the
| security dialog box.
| ----------------------------------------------------------------------------
| Update 01.03.2004
| Typical path (XP) is C:\WINDOWS\system32\winlogon.exe
| (%systemroot%\system32\winlogon.exe).
| ----------------------------------------------------------------------------
| Important Update 01.03.2004 by reger24:
| If winlogon.exe is running in your system and its exe-file is in c:\winnt
| or c:\windows (%systemroot%) with a filesize of 17,424 bytes you should
| terminate that process and remove its autostart entry because it's the worm
| W32.Netsky.D.
| More information about W32.Netsky.D can be found on the following websites
 
