Re: Possible trojaned wlogon.exe?

From: Jim Zajkowski (jimat_private)
Date: Tue Jul 31 2001 - 17:21:30 PDT


    On Tue, Jul 31, 2001 at 01:09:22PM -0500, Thompson, John J wrote:
    > I've been keeping a close eye on the webserver and I just noticed that the
    > processor usage is really high. Since I've been aware of it (about 2 hours)
    > the following process has been at or around 99% utilization:
    > PID 920 --- wlogin.exe
    
    We saw this on a Win2K machine, along with a process "w.exe".  It appears 
    to be a trojan.
    
    To remove it: find the WinLogin service in the registry and set its path back 
    to point to "winlogon.exe".  Reboot and you can delete wlogin and w.  
    
    There's a bit more information at deja; I think we searched for "wlogin.exe."
    
    --Jim
    
    -- 
    Jim Zajkowski
    System Administrator               http://www.jimz.net/pgp-pubkey.asc
    ITCS Contract Services     8A9E 1DDF 944D 83C3 AEAB  8F74 8697 A823 2113 5C53
    
    
    
    



    This archive was generated by hypermail 2b30 : Tue Jul 31 2001 - 18:27:09 PDT