Using spyware/adware programs to try and remove the rootkit will in all attempts be unsuccessfull as the rootkit resides between the lowest level raw registry hive and the highest level Windows API. The rootkit will evade from being revealed by modifying the output of the Windows API and thus remove their presence from the directory listing.
Try rootkit revealer from Sysinternals and see what you find http://www.sysinternals.com/Utilities/rootkitrevealer.html -Navroz -----Original Message----- From: Costin Manda [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 06, 2005 3:32 AM To: [email protected] Subject: Undetectable backdoor / Thread 2 Thanks to all for your replies. I will try as soon as possible the rootkit detection (as soon as I find out what it is :) ) I got a lot of good links and I will try them when I get home. I will clarify some things because I got a lot of emails asking me the same things. 1. Yes, I did try a firewall to patch the problem. Now ZoneAlarm is prohibiting winlogon.exe from communicating on the internet and it works. However, it still tries to connect periodically to https.manwithnoname.biz 2. No, this is not Mitgl.DQ.1 trojan, but it does seems to be from the same author. 3. No, I didn't do a clean Windows install after reformat. I did a Repair. I don't have the time to reinstall Windows. My system is actually a Windows 98 system that worked fine for about 5 or 6 years then I've upgraded to Windows XP two years ago. I will NOT do a clean Windows install, nor will I forget about Windows or Internet Explorer. If the Repair option doesn't replace all the Windows files, though, you might be on to something. Is that so? 4. RootKit. I will investigate this avenue. I haven't before, though, so thanks for giving me this direction for research. Why aren't the anti-virus and anti-spyware programs that I've tried doing this, though? 5. Winlogon.exe is NOT modified. 6. I've cleaned SpySheriff already. This is not SpySheriff, but it came in the same bundle. Must be a new spyware marketing strategy :) Thanks again for all the replies, I will respond to each of the sample and registry and log requests as soon as I get home. ____________ Costin Manda ECRM Europe
