Did you try RootkitRevealer? www.sysinternals.com.
You may also be able to see/stop the winlogin.exe process by using
Process Explorer, another great sysinternals tool.
If you've reinstalled and been re-infected, then you need to look very
carefully at all your software (is it all legit?) and anything else you
install. Did you apply XPSP2 when the machine was offline? You can get
infected while visiting Windows Update. Also, make sure that you're
using strict IE policies (don't run Active X on untrusted sites, etc).
--Kelly
-----Original Message-----
From: manda@ecrmeurope.com [mailto:manda@ecrmeurope.com]
Sent: Friday, December 02, 2005 3:51 AM
To: forensics@securityfocus.com
Subject: Undetectable backdoor! help
Recently I have been infected with SpySheriff spyware. I removed
everything, using tools like HiJackthis, AdAware, Ewido, Trojan Hunter,
Kaspersky Antivirus, Free-AV, A-squared. I then reinstalled Windows (XP
SP2) and updated it to the day.
However, I've found out that at random intervals, my computer was having
CPU spikes and network traffic coming from winlogon.exe. Further
examination shows it connects to https.manwithnoname.biz through http
(port 80) then it starts mass mailing or doing whatever the scripts
taken from that site tell it to do. The process is winlogon.exe, but the
file is unmodified. Obviously I can't close the process, since it is a
system process. There is not a winlogon.exe in another directory than
windows\system32, there are no registry or startup keys that start
anything suspicious, yet this happends. Thousands of antivirus and
antispyware software fail to detect it and there is no google page that
contains https.manwithnoname.biz. Please help me out!
Thanks
