RE: Undetectable backdoor! help

Subject: RE: Undetectable backdoor! help
Date: Tue, 6 Dec 2005 09:20:09 -0500
Not saying you have to buy another computer.  In fact, you probably just
want a 2nd clean HD to reinstall the OS on in your original computer.

I'm assuming you asked this question because you tried the normal apps
to check ports and track the port to a process and then to a file.  That
is why I suggested just comparing hash values of files.

Discovering trojans, good trojans, and properly removing them is not an
easy task.

Reinstalling Windows doesn't always reinstall all of the executables.
Did you have the installation routine at least format the drive?  If not,
and if you didn't start with a wiped hard drive, then chances are some
of the system executables and files did not get overwritten.  Same goes
for the registry.

Greg Kelley, EnCE
Vestige Digital Investigations
Computer Forensics | Electronic Discovery | Corporate Surety
46 Public Square, Ste 220
Medina, OH 44256
(330)721-1205 x5432
(330)721-1206 Fax
http://www.vestigeltd.com


-----Original Message-----
From: Costin Manda [mailto:manda@ecrmeurope.com] 
Sent: Tuesday, December 06, 2005 3:13 AM
To: Greg Kelley
Subject: Re: Undetectable backdoor! help


Oh, come on! Thank you for the idea, but it seems a lot of work for a
single trojan. Not to mention that I really can't afford a second computer.
Did I mention that I've reinstalled Windows twice and it still does the same
thing? All the Windows executables, files, etc. have been replaced.
____________ Costin Manda ECRM Europe
----- Original Message ----- 
From: "Greg Kelley" <gkelley@vestigeltd.com>
To: <manda@ecrmeurope.com>
Sent: Monday, December 05, 2005 20:08
Subject: RE: Undetectable backdoor! help


You could take a Windows XP SP2 clean install (install to a wiped disk)
and add the other programs that you currently have on your machine. Make
an image of that machine and your current machine.  Hash each file and
compare the values.  Pay particular attention to files under the Windows
directory.  Identify a file that is named the same on both machines but
does not have matching hash values.  Then start investigating that file.

Greg Kelley, EnCE
Vestige Digital Investigations
Computer Forensics | Electronic Discovery | Corporate Surety
46 Public Square, Ste 220
Medina, OH 44256
(330)721-1205 x5432
(330)721-1206 Fax
http://www.vestigeltd.com


-----Original Message-----
From: manda@ecrmeurope.com [mailto:manda@ecrmeurope.com]
Sent: Friday, December 02, 2005 3:51 AM
To: forensics@securityfocus.com
Subject: Undetectable backdoor! help


Recently I have been infected with SpySheriff spyware. I removed
everything, using tools like HiJackthis, AdAware, Ewido, Trojan Hunter,
Kaspersky Antivirus, Free-AV, A-squared. I then reinstalled Windows (XP
SP2) and updated it to the day. However, I've found out that at random
intervals, my computer was having CPU spikes and network traffic coming
from winlogon.exe. Further examination shows it connects to
https.manwithnoname.biz through http (port 80) then it starts mass
mailing or doing whatever the scripts taken from that site tell it to
do. The process is winlogon.exe, but the file is unmodified. Obviously I
can't close the process, since it is a system process. There is not a
winlogon.exe in another directory than windows\system32, there are no
registry or startup keys that start anything suspicious, yet this
happens. Thousands of antivirus and antispyware software fail to detect
it and there is no google page that contains https.manwithnoname.biz.
Please help me out! Thanks
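The hash-comparison approach Greg describes earlier in the thread (hash every file on a clean install and on the suspect system, then look at files that share a path but not a hash) can be scripted. The following is an added example, not code from anyone in the thread: it walks two mounted trees, SHA-256s each regular file, folds path case the way NTFS does, and reports modified files plus files present on only one side. The directory names and file contents in the demo are constructed placeholders; in practice the two roots would be the mounted images of the clean and suspect machines.

```python
"""Compare two file trees by SHA-256 to find files whose content differs.

Added example modelling the thread's suggestion: baseline = clean install,
suspect = the possibly compromised machine.  Files with the same relative
path but different hashes are the ones to investigate first.
"""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so large binaries do not exhaust memory


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """Map each regular file's path (relative to root, lower-cased) to its SHA-256.

    Case is folded because NTFS path lookups are case-insensitive, so
    'Windows/System32/x.dll' and 'windows/system32/x.dll' are the same file.
    Symlinks and non-regular files are skipped.
    """
    hashes: dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            rel = full.relative_to(root).as_posix().lower()
            hashes[rel] = sha256_file(full)
    return hashes


def compare_trees(baseline: Path, suspect: Path) -> dict[str, list[str]]:
    """Return files that differ between the two trees, grouped by category."""
    base = hash_tree(baseline)
    susp = hash_tree(suspect)
    shared = base.keys() & susp.keys()
    return {
        # same path on both machines, different content: the thread's prime suspects
        "modified": sorted(p for p in shared if base[p] != susp[p]),
        # present only on the suspect machine: dropped or renamed components
        "only_in_suspect": sorted(susp.keys() - base.keys()),
        # present only on the clean install: deleted or replaced-by-directory
        "only_in_baseline": sorted(base.keys() - susp.keys()),
    }


def _write(root: Path, rel: str, data: bytes) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)


def run_demo() -> dict[str, list[str]]:
    """Build two small constructed trees and compare them (demo data, not real files)."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline = Path(tmp) / "clean_image"
        suspect = Path(tmp) / "suspect_image"
        # Constructed baseline: a clean install
        _write(baseline, "windows/system32/winlogon.exe", b"clean winlogon bytes")
        _write(baseline, "windows/system32/sample_a.dll", b"identical on both machines")
        _write(baseline, "windows/system32/sample_b.dll", b"baseline version")
        _write(baseline, "windows/notepad.exe", b"present only on the clean install")
        # Constructed suspect tree: one file changed, one file added, mixed-case paths
        _write(suspect, "Windows/System32/winlogon.exe", b"clean winlogon bytes")
        _write(suspect, "Windows/System32/sample_a.dll", b"identical on both machines")
        _write(suspect, "Windows/System32/sample_b.dll", b"different bytes on suspect")
        _write(suspect, "Windows/System32/dropped.dll", b"present only on the suspect")
        return compare_trees(baseline, suspect)


if __name__ == "__main__":
    for category, paths in run_demo().items():
        print(f"{category}:")
        for p in paths:
            print(f"  {p}")
```

A file that hashes identically on both machines (like winlogon.exe in the poster's case) is not cleared by this check; it only means the on-disk image matches, so the next step is to look at what that process loads at run time rather than at the file itself.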