
Winiogon.exe, not WinLogon.exe


Name: rtyall
Date: December 15, 2004 at 06:45:37 Pacific
OS: XP pro SP2
CPU/Ram: athlon @ 1866Mhz and 1024
Comment:

Hi, I'm having problems with a near phantom process on my pc.

The problem is that if I check Task Manager, a process keeps flashing up too quickly to be seen. I went into safe mode and it happens there too. It's a bit slower there, though, so I managed to get a screen print of it.
I've uploaded the pic here: http://homepage.ntlworld.com/d.tayl...inIoginTASK.jpg (sorry, poor quality).
I went back into normal mode and got a screen grab of it and of what port it's using on the PC too, http://homepage.ntlworld.com/d.taylor83/WinIoginCMD.jpg , and also of what processes spawned the net connection for it, http://homepage.ntlworld.com/d.tayl...oginCMD_new.jpg .
So, the thing I'm wondering is: what is this WinIogon? I can't find it on the PC; search shows no results. HijackThis finds references to it and indicates it's tied into Windows Explorer.

I've done the usual Google search and not found much. What I have found says that it's spyware, but gives no information as to why they think that, what it does, where it comes from, etc. I suspect that they just guessed it was spyware, but maybe someone here will tell me whether they were right or not.
Also, I don't have any ill effects on my PC; it runs fine (except for my wireless card dropping the connection after a few days, but I think that's the poor card driver).

Now I'm not 100% convinced it's spyware; in fact, it looks like it should be a valid process, judging by the applications implied by the netstat report.

Does anyone know what this process is?
I don't want to end/delete it only to find it's some weird variant of WINLOGON that's only there to use UDP ports.

Here's the HijackThis log anyway.

Logfile of HijackThis v1.98.2
Scan saved at 13:11:58, on 15/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
K:\WINDOWS\System32\smss.exe
K:\WINDOWS\system32\winlogon.exe
K:\WINDOWS\system32\services.exe
K:\WINDOWS\system32\lsass.exe
K:\WINDOWS\system32\Ati2evxx.exe
K:\WINDOWS\system32\svchost.exe
K:\WINDOWS\System32\svchost.exe
K:\WINDOWS\system32\Ati2evxx.exe
K:\WINDOWS\Explorer.exe
K:\WINDOWS\system32\spoolsv.exe
K:\WINDOWS\WinIogon.exe
K:\WINDOWS\system32\RunDll32.exe
K:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
K:\Program Files\dvd43\dvd43_tray.exe
K:\Program Files\D-Tools\daemon.exe
K:\WINDOWS\system32\ctfmon.exe
K:\Program Files\MSN Messenger\msnmsgr.exe
K:\Program Files\Microsoft ActiveSync\WCESCOMM.exe
K:\Program Files\Logitech\SetPoint\KEM.exe
K:\Program Files\Project1\Soltek_HM.exe
K:\Program Files\SpamPal\spampal.exe
K:\Program Files\Logitech\SetPoint\KHALMNPR.exe
K:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe
K:\PROGRA~1\Grisoft\AVG6\avgserv.exe
K:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
K:\WINDOWS\System32\snmp.exe
K:\WINDOWS\System32\svchost.exe
K:\WINDOWS\System32\svchost.exe
K:\Program Files\Firefox\firefox.exe
D:\Robins\toolz\hijackthis_198\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Pioneers of exploration of nets.
F2 - REG:system.ini: Shell=Explorer.exe K:\WINDOWS\WinIogon.exe
F3 - REG:win.ini: load=K:\WINDOWS\WinIogon.exe
F3 - REG:win.ini: run=K:\WINDOWS\WinIogon.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - K:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - K:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - K:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - K:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [AVG_CC] K:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [dvd43] K:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [Windows Logon Application] K:\WINDOWS\WinIogon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] K:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "K:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\RunServices: [Windows Logon Application] K:\WINDOWS\WinIogon.exe
O4 - HKCU\..\Run: [ctfmon.exe] K:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "K:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "K:\Program Files\Microsoft ActiveSync\WCESCOMM.exe"
O4 - Startup: Soltek HM.LNK = K:\Program Files\Project1\Soltek_HM.exe
O4 - Startup: SpamPal for Windows.lnk = K:\Program Files\SpamPal\spampal.exe
O4 - Global Startup: Logitech SetPoint.lnk = K:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: Download all by Net Transport - K:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - K:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download using LeechGet - file://K:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://K:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://K:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Parse with LeechGet - file://K:\Program Files\LeechGet 2004\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - K:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - K:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - K:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - K:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - K:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - K:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - K:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - K:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1093030842562
O17 - HKLM\System\CCS\Services\Tcpip\..\{3317C01A-E7DE-4FC4-A124-1B36C58B56C8}: NameServer = 192.168.1.1,192.168.1.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{BAE87740-C518-4B48-A835-8E91156952D0}: NameServer = 192.168.1.1


Many thanks to anyone who can shed some light on this.

P.S. Sorry about the long-winded post.
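The thing the poster noticed by eye, a capital I standing in for the lowercase l in winlogon.exe so that the two names look identical in Task Manager's font, is exactly the kind of check that is worth automating. The Python below is an added example, not code from the poster, from HijackThis or from Computing.Net: it folds look-alike characters (I/l/1/|, O/0) into a common skeleton, compares each process or autorun path against a short list of XP system binaries and the folder each one legitimately lives in, and walks the F2/F3/O4 items of a HijackThis log. The binary list and expected folders are assumptions made for the example; the sample log lines are copied from the log above.

```python
import re

# Windows XP binaries that malware commonly imitates, with the folder
# (relative to the Windows directory) each one is expected to run from.
# This list is an assumption for the example, drawn from the process list
# in the post; the locations are the standard XP ones.
KNOWN_SYSTEM_BINARIES = {
    "smss.exe": "system32",
    "csrss.exe": "system32",
    "winlogon.exe": "system32",
    "services.exe": "system32",
    "lsass.exe": "system32",
    "svchost.exe": "system32",
    "spoolsv.exe": "system32",
    "explorer.exe": "",          # sits directly in the Windows folder
}

# Characters that look alike in a sans-serif UI font once case is folded:
# I/l/1/| and O/0.  Collapsing them yields a "skeleton" in which
# WinIogon.exe and winlogon.exe become the same string.
SKELETON_MAP = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})


def skeleton(name):
    """Case-fold a file name and collapse look-alike characters."""
    return name.lower().translate(SKELETON_MAP)


SKELETON_INDEX = {skeleton(n): n for n in KNOWN_SYSTEM_BINARIES}


def check_path(path):
    """Judge one executable path.

    Returns ("lookalike", genuine_name) when the file name imitates a
    system binary, ("wrong-dir", genuine_name) when the name is genuine
    but the file is not in the folder that binary lives in, else None.
    """
    directory, _, basename = path.replace("/", "\\").rpartition("\\")
    genuine = SKELETON_INDEX.get(skeleton(basename))
    if genuine is None or not directory:
        return None
    if basename.lower() != genuine:
        return ("lookalike", genuine)
    parts = directory.lower().split("\\")
    if "windows" not in parts:
        return ("wrong-dir", genuine)
    subdir = "\\".join(parts[parts.index("windows") + 1:])
    if subdir != KNOWN_SYSTEM_BINARIES[genuine]:
        return ("wrong-dir", genuine)
    return None


# A process-list line is a bare path; F2/F3/O4 items are autorun entries
# whose command line may embed one or more drive-letter paths.
PROCESS_LINE_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)
EMBEDDED_PATH_RE = re.compile(r"""[A-Za-z]:\\[^\s"']+?\.exe""", re.IGNORECASE)
AUTORUN_ITEMS = ("F2 -", "F3 -", "O4 -")


def scan_hijackthis_log(text):
    """Return [(log_line, verdict, genuine_name)] for every suspicious entry."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if PROCESS_LINE_RE.match(line):
            paths = [line]
        elif line.startswith(AUTORUN_ITEMS):
            paths = EMBEDDED_PATH_RE.findall(line)
        else:
            continue
        for path in paths:
            verdict = check_path(path)
            if verdict is not None:
                findings.append((line, verdict[0], verdict[1]))
    return findings


# Lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
K:\WINDOWS\System32\smss.exe
K:\WINDOWS\system32\winlogon.exe
K:\WINDOWS\system32\svchost.exe
K:\WINDOWS\Explorer.exe
K:\WINDOWS\WinIogon.exe
K:\Program Files\dvd43\dvd43_tray.exe
F2 - REG:system.ini: Shell=Explorer.exe K:\WINDOWS\WinIogon.exe
F3 - REG:win.ini: load=K:\WINDOWS\WinIogon.exe
F3 - REG:win.ini: run=K:\WINDOWS\WinIogon.exe
O4 - HKLM\..\Run: [Windows Logon Application] K:\WINDOWS\WinIogon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] K:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\RunServices: [Windows Logon Application] K:\WINDOWS\WinIogon.exe
"""

if __name__ == "__main__":
    for line, verdict, genuine in scan_hijackthis_log(SAMPLE_LOG):
        print(f"{verdict:9} (imitates {genuine}): {line}")
```

Run against the sample, the scan flags the WinIogon.exe process line and all five autorun entries as look-alikes of winlogon.exe, while the genuine K:\WINDOWS\system32\winlogon.exe passes. Two details in the log are worth reading alongside the output: the file sits in K:\WINDOWS rather than system32, where the real winlogon.exe lives, and it is wired into four separate autorun points at once (the system.ini Shell= value, the win.ini load= and run= values, and the HKLM Run and RunServices keys), under the display name "Windows Logon Application" chosen to look as though it belongs there. A name check like this is only a first filter: confirm a suspect file by hash and by whether it carries a valid publisher signature before deciding it is malicious.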





Response Number 1
Name: Chuck 2
Date: December 15, 2004 at 10:06:30 Pacific
Reply:

Read ALL of THIS about posting HijackThis logs

HijackThis log tutorial
That helps in using the logs.

To find out what each Startup (or Process) item does or means, and any recommendation as to whether you should close the process:
Task List Programs
Also look here if you want:
The Process Library



Response Number 2
Name: rtyall
Date: December 15, 2004 at 11:00:49 Pacific
Reply:

Thanks for the tip. I didn't realise it was supposed to go in the security section; like I said in my post, I don't think it is a security vuln.

I can't find much info about the file, and it just doesn't seem like a virus. That's why I was asking if anyone knew what it was.



Response Number 3
Name: mephy
Date: December 18, 2004 at 03:24:21 Pacific
Reply:

Winiogon is a keylogger. I identified it by luck, actually. Someone sent me a demo version (?!?) of the spyware to hack me, so each time on startup it asked me to start the keylogger (weird, huh, but it's true). This way I was able to see what the process is called. You can safely remove it with HijackThis and it won't bother you again, I think.

hope it helps.


