You can probably do more in-depth analysis about what is going on under the
hood using the RootKitRevealer
http://www.sysinternals.com/utilities/rootkitrevealer.html
Have you done this?
Some of Mark Russinovich's blog entries talk about techniques you can use to
reveal more information needed to neutrerlize your "backdoor"
http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html
and
http://www.sysinternals.com/blog/2005/08/case-of-intermittent-and-annoying.html
Slawek
-----Original Message-----
From: manda@ecrmeurope.com
Sent: Dec 2, 2005 2:51 AM
To: forensics@securityfocus.com
Subject: Undetectable backdoor! help
Recently I have been infected with SpySheriff spyware. I removed everything,
using tools like HiJackthis, AdAware, Ewido, Trojan Hunter, Kaspersky
Antivirus, Free-AV, A-squared. I then reinstalled Windows (XP SP2) and updated
it to the day.
However, I've found out that at random intervals, my computer was having CPU
spikes and network traffic coming from winlogon.exe. Further examination shows
it connects to https.manwithnoname.biz through http (port 80) then it starts
mass mailing or doing whatever the scripts taken from that site tell it to do.
The process is winlogon.exe, but the file is unmodified. Obviously I can't
close the process, since it is a system process. There is not a winlogon.exe in
another directory than windows\system32, there are no registry or startup keys
that start anything suspicious, yet this happends. Thousands of antivirus and
antispyware software fail to detect it and there is no google page that
contains https.manwithnoname.biz. Please help me out!
Thanks
________________________________________
PeoplePC Online
A better way to Internet
http://www.peoplepc.com
