Actually, the virus you mentioned is not the one he's searching for.
Infact, the infected .exe he talk about is winlogon.exe and the one
mentioned in the link you provide is explorer.exe.
Moreover, if he tries many updated AV with no success, I bet it's pretty
tough that you find a description of it on a website. Beside, if you put
"winlogon.exe+backdoor" inside your Google friend, you'll have plenty of
results and my suggestion is to look at them in order to see if the one
that is infecting the computer it's just a so-called variant of a known
virus. A virus variant can be undetected when properly modded.
Just my 2 cents
Marco
Technica Forensis
<forensis.technic
[EMAIL PROTECTED]>
To
"[EMAIL PROTECTED]"
05/12/2005 21.10 <[EMAIL PROTECTED]>
cc
[email protected]
Subject
Re: Undetectable backdoor! help
http://www.avira.com/en/threats/TR_Proxy_Mitgl_DQ_1_details.html
On 2 Dec 2005 08:51:29 -0000, [EMAIL PROTECTED] <[EMAIL PROTECTED]>
wrote:
> Recently I have been infected with SpySheriff spyware. I removed
everything, using tools like HiJackthis, AdAware, Ewido, Trojan Hunter,
Kaspersky Antivirus, Free-AV, A-squared. I then reinstalled Windows (XP
SP2) and updated it to the day.
> However, I've found out that at random intervals, my computer was having
CPU spikes and network traffic coming from winlogon.exe. Further
examination shows it connects to https.manwithnoname.biz through http (port
80) then it starts mass mailing or doing whatever the scripts taken from
that site tell it to do. The process is winlogon.exe, but the file is
unmodified. Obviously I can't close the process, since it is a system
process. There is not a winlogon.exe in another directory than
windows\system32, there are no registry or startup keys that start anything
suspicious, yet this happends. Thousands of antivirus and antispyware
software fail to detect it and there is no google page that contains
https.manwithnoname.biz. Please help me out!
> Thanks
>
