Re: Undetectable backdoor! help

manda@ecrmeurope.com wrote:

> Recently I have been infected with SpySheriff spyware. I removed everything, using tools like HiJackthis, AdAware, Ewido, Trojan Hunter, Kaspersky Antivirus, Free-AV, A-squared. I then reinstalled Windows (XP SP2) and updated it to the day.
> However, I've found out that at random intervals, my computer was having CPU spikes and network traffic coming from winlogon.exe. Further examination shows it connects to https.manwithnoname.biz through http (port 80) then it starts mass mailing or doing whatever the scripts taken from that site tell it to do. The process is winlogon.exe, but the file is unmodified. Obviously I can't close the process, since it is a system process. There is not a winlogon.exe in another directory than windows\system32, there are no registry or startup keys that start anything suspicious, yet this happends. Thousands of antivirus and antispyware software fail to detect it and there is no google page that contains https.manwithnoname.biz. Please help me out!
> Thanks
>  
this does not sound like you did a clean install of windows in any way.
my first suggestion would be to get Microsoft Anit-spyware on the 
machine which might be able to kill this w/o having to format a clean 
install into place. the other thing you can use (although some on this 
list would feel you should remove the software after) is ZoneLabs 
Security Suite (which you can download a complete demo for) and have it 
run both scans antivirus and anti spyware.

feel free to contact me directly if you need more assistance
-dan