Today I found something strange: when I was logged into the PW Indo server, I suddenly got booted by force, as if the account had been logged into by force.
I felt something was wrong and checked netstat; there was a suspicious ongoing connection, which I marked with '?' in the image below.
I found out it's running under the filename winload.exe. When I checked the file at virusscan.jotti.org it said:
Code:
Service load:
0% 100%
File: winload.exe
Status: INFECTED/MALWARE
MD5: f719cf8719e318f30ae715579f133740
Packers detected:
-
A-Squared Found Backdoor.Rbot!IK
AntiVir Found WORM/Rbot.210944
ArcaVir Found Heur.RoundKick
Avast Found Win32:DCom-F
AVG Antivirus Found BackDoor.RBot.DM
BitDefender Found Backdoor.RBot.XTJ
ClamAV Found Exploit.DCOM.Gen
CPsecure Found W32.Net.W.Welchia.A
Dr.Web Found Win32.HLLW.MyBot.based
F-Prot Antivirus Found W32/Ircbot.1!Generic
F-Secure Anti-Virus Found Backdoor.Win32.Rbot.aea
Ikarus Found Backdoor.Rbot
Kaspersky Anti-Virus Found Backdoor.Win32.Rbot.aea
NOD32 Found a variant of Win32/Rbot
Norman Virus Control Found W32/Spybot.CNJK
Panda Antivirus Found W32/Gaobot.gen.worm
Quick Heal Found Backdoor.Rbot.aea
Sophos Antivirus Found W32/Rbot-Gen
VirusBuster Found Worm.RBot.Gen.10
VBA32 Found Backdoor.Win32.Rbot.aea
winload.exe is located at c:\winload.exe
Is it a keylogger?
I don't know for how long it's been running on my system; I didn't notice anything wrong until today, when my account on PW ID got booted by force, 2 of my char accounts.
I used the TCPView application to see anything going in and out via the internet on my system, and that file was active.
Just as a precaution, if anyone visits this thread, do check whether there is a winload.exe running on your system. Maybe I got infected by running a file from here or somewhere else, I'm not sure; better safe than sorry.
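One way to do the check suggested above, as an added example that is not part of the original post: it parses a jotti-style report (the constructed sample below is an excerpt of the one quoted in the thread), then looks for the file at the path the post gives and compares its MD5 with the hash the report listed. Python and the stdlib only are assumed; a hash match is a confirmed indicator, while a missing file or a different hash only means this particular sample was not found.

```python
import hashlib
from pathlib import Path

# Indicator and path quoted in the post above.
KNOWN_BAD_MD5 = "f719cf8719e318f30ae715579f133740"
DEFAULT_PATH = r"c:\winload.exe"

# Constructed sample input: an excerpt of the jotti.org report quoted in the post.
SAMPLE_REPORT = """File: winload.exe
Status: INFECTED/MALWARE
MD5: f719cf8719e318f30ae715579f133740
Packers detected:
-
A-Squared Found Backdoor.Rbot!IK
AntiVir Found WORM/Rbot.210944
ClamAV Found Exploit.DCOM.Gen
"""


def parse_jotti_report(text):
    """Return (md5, {engine: verdict}) from a jotti-style report.

    Only 'MD5:' and '<engine> Found <verdict>' lines are used; everything else is ignored.
    """
    md5, verdicts = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.upper().startswith("MD5:"):
            md5 = line.split(":", 1)[1].strip().lower()
        elif " Found " in line:
            engine, verdict = line.split(" Found ", 1)
            verdicts[engine.strip()] = verdict.strip()
    return md5, verdicts


def md5_hex(chunks):
    """MD5 hex digest of an iterable of byte chunks (lets large files be hashed in pieces)."""
    h = hashlib.md5()
    for block in chunks:
        h.update(block)
    return h.hexdigest()


def check_file(path=DEFAULT_PATH, known_md5=KNOWN_BAD_MD5):
    """Report whether the file exists and whether its MD5 equals the known-bad hash."""
    p = Path(path)
    if not p.is_file():
        return {"path": str(p), "exists": False, "md5": None, "matches_known_bad": False}
    with open(p, "rb") as f:
        digest = md5_hex(iter(lambda: f.read(1 << 16), b""))
    return {"path": str(p), "exists": True, "md5": digest,
            "matches_known_bad": digest == known_md5.lower()}


if __name__ == "__main__":
    report_md5, verdicts = parse_jotti_report(SAMPLE_REPORT)
    print(f"report MD5 {report_md5}: {len(verdicts)} engines flagged the file")
    print(check_file(known_md5=report_md5))
```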