http://www.avira.com/en/threats/TR_Proxy_Mitgl_DQ_1_details.html
On 2 Dec 2005 08:51:29 -0000, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Recently I have been infected with SpySheriff spyware. I removed everything,
> using tools like HiJackthis, AdAware, Ewido, Trojan Hunter, Kaspersky
> Antivirus, Free-AV, A-squared. I then reinstalled Windows (XP SP2) and
> updated it to the day.
> However, I've found out that at random intervals, my computer was having CPU
> spikes and network traffic coming from winlogon.exe. Further examination
> shows it connects to https.manwithnoname.biz through http (port 80) then it
> starts mass mailing or doing whatever the scripts taken from that site tell
> it to do. The process is winlogon.exe, but the file is unmodified. Obviously
> I can't close the process, since it is a system process. There is not a
> winlogon.exe in another directory than windows\system32, there are no
> registry or startup keys that start anything suspicious, yet this happens.
> Thousands of antivirus and antispyware software fail to detect it and there
> is no Google page that contains https.manwithnoname.biz. Please help me out!
> Thanks
