Not saying you have to buy another computer. In fact, you probably just want a 2nd clean HD to reinstall the OS on in your original computer.

I'm assuming you asked this question because you tried the normal apps to check ports and track the port to a process and then to a file. That is why I suggested just comparing hash values of files. Discovering trojans, good trojans, and properly removing them is not an easy task. Reinstalling Windows doesn't always reinstall all of the executables. Did you have the installation routine at least format the drive? If not, and if you didn't start with a wiped hard drive, then chances are some of the system executables and files did not get overwritten. Same goes for the registry.

Greg Kelley, EnCE
Vestige Digital Investigations
Computer Forensics | Electronic Discovery | Corporate Surety
46 Public Square, Ste 220
Medina, OH 44256
(330)721-1205 x5432
(330)721-1206 Fax
http://www.vestigeltd.com

-----Original Message-----
From: Costin Manda [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 06, 2005 3:13 AM
To: Greg Kelley
Subject: Re: Undetectable backdoor! help

Oh, come on! Thank you for the idea, but it seems a lot of work for a single trojan. Not to mention that I really can't afford a second computer. Did I mention that I've reinstalled Windows twice and it still does the same thing? All the Windows executables, files, etc. have been replaced.

____________
Costin Manda
ECRM Europe

----- Original Message -----
From: "Greg Kelley" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, December 05, 2005 20:08
Subject: RE: Undetectable backdoor! help

You could take a Windows XP SP2 clean install (install to a wiped disk) and add the other programs that you currently have on your machine. Make an image of that machine and your current machine. Hash each file and compare the values. Pay particular attention to files under the Windows directory. Identify a file that is named the same on both machines but does not have matching hash values. Then start investigating that file.

Greg Kelley, EnCE
Vestige Digital Investigations
Computer Forensics | Electronic Discovery | Corporate Surety
46 Public Square, Ste 220
Medina, OH 44256
(330)721-1205 x5432
(330)721-1206 Fax
http://www.vestigeltd.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 02, 2005 3:51 AM
To: [email protected]
Subject: Undetectable backdoor! help

Recently I have been infected with SpySheriff spyware. I removed everything, using tools like HiJackthis, AdAware, Ewido, Trojan Hunter, Kaspersky Antivirus, Free-AV, A-squared. I then reinstalled Windows (XP SP2) and updated it to the day. However, I've found out that at random intervals my computer was having CPU spikes and network traffic coming from winlogon.exe. Further examination shows it connects to https.manwithnoname.biz through HTTP (port 80), then it starts mass mailing or doing whatever the scripts taken from that site tell it to do. The process is winlogon.exe, but the file is unmodified. Obviously I can't close the process, since it is a system process. There is no winlogon.exe in a directory other than windows\system32, there are no registry or startup keys that start anything suspicious, yet this happens. Thousands of antivirus and antispyware programs fail to detect it and there is no Google page that contains https.manwithnoname.biz. Please help me out! Thanks
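Greg Kelley's procedure above is to hash every file on a known-clean install and on the suspect machine, then look at files that exist under the same name on both but hash differently. The script below is an added example of that comparison written for this page; it is not part of the original thread and was not written by either poster. It walks two directory trees, hashes each regular file with SHA-256, and sorts the results into three buckets: modified (same path, different content), only on the suspect machine (leftovers a non-formatting reinstall would not have removed, or dropped files), and missing from the suspect machine. The two trees it runs against are built from constructed sample data in a temporary directory so the example runs offline; for real use, point compare_trees at the two mounted images.

```python
"""Hash-compare a known-clean file tree against a suspect one.

Added example, not from the original thread. The sample file names and
contents in build_demo_trees are constructed for the demonstration.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map each regular file's path (relative to root) to its hash.

    Paths are normalised to forward slashes and lower case, because the
    trees being compared are Windows volumes where case is not significant.
    """
    root = Path(root)
    hashes = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # links and special files carry no content to compare
            rel = p.relative_to(root).as_posix().lower()
            hashes[rel] = hash_file(p)
    return hashes


def compare_trees(clean_root, suspect_root):
    """Return the three lists the procedure in the thread asks for.

    modified:           same path on both trees, different content (look here first)
    only_on_suspect:    no counterpart on the clean install
    missing_on_suspect: present on the clean install only
    """
    clean = hash_tree(clean_root)
    suspect = hash_tree(suspect_root)
    common = clean.keys() & suspect.keys()
    return {
        "modified": sorted(p for p in common if clean[p] != suspect[p]),
        "only_on_suspect": sorted(suspect.keys() - clean.keys()),
        "missing_on_suspect": sorted(clean.keys() - suspect.keys()),
    }


def build_demo_trees(base):
    """Constructed sample data: a tiny 'clean' tree and a 'suspect' copy of it
    with one system file altered and one extra file added."""
    base = Path(base)
    files = {
        "Windows/system32/winlogon.exe": b"MZ clean winlogon",
        "Windows/system32/kernel32.dll": b"MZ clean kernel32",
        "Windows/notepad.exe": b"MZ clean notepad",
    }
    for tree in ("clean", "suspect"):
        for rel, data in files.items():
            target = base / tree / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
    # Two differences the comparison should surface.
    (base / "suspect/Windows/system32/kernel32.dll").write_bytes(b"MZ altered kernel32")
    (base / "suspect/Windows/system32/extra.dll").write_bytes(b"MZ no clean counterpart")
    return base / "clean", base / "suspect"


def run_demo():
    """Build the constructed trees in a temp dir and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, suspect = build_demo_trees(tmp)
        return compare_trees(clean, suspect)


if __name__ == "__main__":
    for bucket, paths in run_demo().items():
        print(f"{bucket}:")
        for p in paths:
            print(f"  {p}")
```

Two caveats for anyone applying this for real. Hash the suspect volume from a clean boot (the second clean hard drive Greg mentions, or a boot CD), not from inside the running suspect OS, since a compromised system can misreport file contents to the tool doing the hashing. And the comparison only sees what is on disk: it will flag a replaced or added file, but it cannot show code that has been injected into an already-running process, which is worth keeping in mind given that the original poster reports winlogon.exe itself is unmodified.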
