You can probably do more in-depth analysis about what is going on under the hood using the RootKitRevealer http://www.sysinternals.com/utilities/rootkitrevealer.html Have you done this?
Some of Mark Russinovich's blog entries talk about techniques you can use to reveal more information needed to neutrerlize your "backdoor" http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html and http://www.sysinternals.com/blog/2005/08/case-of-intermittent-and-annoying.html Slawek -----Original Message----- From: [EMAIL PROTECTED] Sent: Dec 2, 2005 2:51 AM To: [email protected] Subject: Undetectable backdoor! help Recently I have been infected with SpySheriff spyware. I removed everything, using tools like HiJackthis, AdAware, Ewido, Trojan Hunter, Kaspersky Antivirus, Free-AV, A-squared. I then reinstalled Windows (XP SP2) and updated it to the day. However, I've found out that at random intervals, my computer was having CPU spikes and network traffic coming from winlogon.exe. Further examination shows it connects to https.manwithnoname.biz through http (port 80) then it starts mass mailing or doing whatever the scripts taken from that site tell it to do. The process is winlogon.exe, but the file is unmodified. Obviously I can't close the process, since it is a system process. There is not a winlogon.exe in another directory than windows\system32, there are no registry or startup keys that start anything suspicious, yet this happends. Thousands of antivirus and antispyware software fail to detect it and there is no google page that contains https.manwithnoname.biz. Please help me out! Thanks ________________________________________ PeoplePC Online A better way to Internet http://www.peoplepc.com
