Is this a virus?

[Lava]

Hi,

I hope this is the right NG. Every time I start my pc, Norton Internet
Securities gives a warning that a program tries to connect to internet. Each
time the program will have another name, this make me distrust it.
My up-to-date virus scan can't find anything, neighter does AdAware. I have
uninstalled all programs I don't use or don't trust. This is from the log:

The user has created a rule to "block" communications
Outbound TCP connection
Remote address,service is (66.220.17.151,http(80))
Process name is "C:\Documents and Settings\Martin\Local
Settings\Temp\Rsf1.exe"

Other names of the . exe:
Nhn1.exe
Wwi1.exe
Auw1.exe

These files are written in the Temp-directory when I start my pc. Deleting
them doesn't help.

1. Does anyone recognizes this?
2. Is this a virus?
3. How can I find out which program causes this behaviour?

Thanks, Martin.

 

[David W. Hodgins]

Hi,

I hope this is the right NG. Every time I start my pc, Norton Internet
Securities gives a warning that a program tries to connect to internet. Each
time the program will have another name, this make me distrust it.
My up-to-date virus scan can't find anything, neighter does AdAware. I have
uninstalled all programs I don't use or don't trust. This is from the log:

The user has created a rule to "block" communications
Outbound TCP connection
Remote address,service is (66.220.17.151,http(80))

The ip belongs to Hurricane Electric (he.net). There
is no reverse dns (name) associated with that ip.
From an Oct 6th message in google groups, that ip is
connected to lop.com, and that name still resolves to that address.

Check out http://www.spywareinfo.com/articles/lop/

If you download the updates for adaware, it should be able to remove it.
If not, try spybot, search & destroy.

Good Luck! Dave Hodgins