Did you try RootkitRevealer? www.sysinternals.com. You may also be able to see/stop the winlogin.exe process by using Process Explorer, another great sysinternals tool.
If you've reinstalled and been re-infected, then you need to look very carefully at all your software (is it all legit?) and anything else you install. Did you apply XPSP2 when the machine was offline? You can get infected while visiting Windows Update. Also, make sure that you're using strict IE policies (don't run Active X on untrusted sites, etc). --Kelly -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, December 02, 2005 3:51 AM To: [email protected] Subject: Undetectable backdoor! help Recently I have been infected with SpySheriff spyware. I removed everything, using tools like HiJackthis, AdAware, Ewido, Trojan Hunter, Kaspersky Antivirus, Free-AV, A-squared. I then reinstalled Windows (XP SP2) and updated it to the day. However, I've found out that at random intervals, my computer was having CPU spikes and network traffic coming from winlogon.exe. Further examination shows it connects to https.manwithnoname.biz through http (port 80) then it starts mass mailing or doing whatever the scripts taken from that site tell it to do. The process is winlogon.exe, but the file is unmodified. Obviously I can't close the process, since it is a system process. There is not a winlogon.exe in another directory than windows\system32, there are no registry or startup keys that start anything suspicious, yet this happends. Thousands of antivirus and antispyware software fail to detect it and there is no google page that contains https.manwithnoname.biz. Please help me out! Thanks
