I had occasion this weekend to try and bring a friends computer up to date and explain a little about security. I took the opportunity to load ZA Free on WinXP home after doing many updates from Windows update. The system is now bang up to date with patches. As I was doing this from behind my NAT router I did not bother too much about protection as the system had been on the NET for some months My other systems were fully protected and nothing has happened or was spotted by any monitoring I had running. However on loading ZAF A program popped up asking to connect to 18.104.22.168:SMTP it was called winkdp.exe installed (as I eventually found out) as a hidden system file in Windows/system32 I decided to disallow access as what it was asking did not "smell" right. I then decided to try and find out what it was and where it had come from. I tried to start task manager to see what processes were running, as soon as it was started it was terminated. Given the file system is NTFS I cannot use a DOS virus scanner at boot time so I decided to load up NOD32 V2 Beta as the most recent single install I could use. (lay my hands on) However when I tried to run nod32.exe I discovered that the file had been deleted. I installed it again over the top (having been asked to re-boot before) I then tried to run the program again and it was again immediatly deleted. I took the step of renaming the winkdp.exe to something else to see if anything was affected. All seems to run OK but then after a couple of re-boots I get asked to allow winkdc.exe access to the same location. Has anyone any ideas on what this may be and what the best way to eradicate it if it is not bona fide? Thanks for any suggestions.