Background: I've been using ZoneAlarm Pro since at least v4.5 (if not earlier)... not a newbie. I currently have 7.0.483, on a Windows XP/SP2 machine, along with Norton AntiVirus (2008, since newer revs don't co-exist with ZAPro), but all NAV definitions are up-to-date, and this is NAV-only, not one of the "suite" products, and the built-in firewall is disabled so as not to conflict with ZAPro.

I also run Windows Update regularly, particularly in the few days after each month's Patch Tuesday.

The problem began when I noticed pop-unders of the home page for an affiliated web site, for a site I stumbled across while surfing. It's literally been years since I saw an unexpected pop-up (never mind pop-under) with the combination of ZAPro and NAV. At first I thought it was just benign cross-site marketing (since the two sites ARE affiliated).

Then I noticed overall slower performance, started looking closely at the ZA logs and i noticed there were a lot of connections being made to other IP addresses, with no apparent good reason. The vast majority were being made by winlogon.exe ... so I tweaked its out-of-the-box ZAPro configuration to give me an Alert every time it connected to a new address. (I went to ZA Program Control for the Windows NT Logon Application (aka winlogon.exe), and added an Expert rule that Allows, with an alert and a log entry, connections to the Internet and Trusted zones using any protocol at any time, just so I can see 'who' it's talking to.)

Most of the addresses/URLs are unfamiliar. I tried blocking some, but that didn't stop it from reaching out to others.

Sounds like my machine has been turned into a bot! Perhaps with a bogus "winlogon.exe"? There are a total of a half-dozen copies on my disk, all of various (but close) sizes and dates; 3 of them share the same version ID (5.1.2600.2180) and size, but one of those has different dates, as do all the other 3. None has a modified or created date within the past year. (Earlier today, I thought I had located another copy in \PreFetch with a very-recent modified date, but it's not there now. I don't understand the Windows \PreFetch mechanism; would this be a plausible "attack vector" for a bogus winlogon.exe?)

I have done full spyware scans using ZoneAlarm (which, ONLY by using a Full-System scan, found 5 alleged Trojans which I quarantined... but none of those were in winlogon.exe. Subsequent research via Google indicates that at least a couple of those 5 are false-positives... and unfortunately, the quarantine does not display where the files were originally located. In any event, the winlogon outreaches are still continuing, so quarantining those 5 didn't solve the problem.

Similarly I did full updates and scans with Norton AV, which found nothing. I will try some other spyware scanners (e.g. AdAware Free) shortly.

What else can I/should I do??? I don't like the idea that my machine may be being used to infect others, and nothing is detecting the infection. What malware solutions would be good to investigate?

Timeline: Noticed the pop-unders about a week ago. Identified (and enabled alert/logs for) the winlogon.exe activity in the past two days.