"HKLM\Software\Microsoft\Windows\Windows NT\Current Version\Winlogon"
In that key, you'll see an entry for the windows Shell. I've come across a few viruses/spyware/adware programs that modify this reg. entry to make their process load as part of the Windows shell (in XP at least). It should say nothing other than "Explorer.exe" in the shell info, if you see something like "Explorer.exe C:\Windows\System32\Nail.exe" or something like that, you've got a problem. The processes can't be killed after the machine has started up as it integrates itself into the shell. Same goes for other Winlogon.exe entries. Something worth checking out. Corey Watts-Jones BIT Incorporated Systems Support Specialist -----Original Message----- From: Marco Monicelli [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 06, 2005 11:39 AM To: Technica Forensis Cc: [email protected]; [EMAIL PROTECTED] Subject: Re: Undetectable backdoor! help Importance: High Actually, the virus you mentioned is not the one he's searching for. Infact, the infected .exe he talk about is winlogon.exe and the one mentioned in the link you provide is explorer.exe. Moreover, if he tries many updated AV with no success, I bet it's pretty tough that you find a description of it on a website. Beside, if you put "winlogon.exe+backdoor" inside your Google friend, you'll have plenty of results and my suggestion is to look at them in order to see if the one that is infecting the computer it's just a so-called variant of a known virus. A virus variant can be undetected when properly modded. Just my 2 cents Marco Technica Forensis <forensis.technic [EMAIL PROTECTED]> To "[EMAIL PROTECTED]" 05/12/2005 21.10 <[EMAIL PROTECTED]> cc [email protected] Subject Re: Undetectable backdoor! help http://www.avira.com/en/threats/TR_Proxy_Mitgl_DQ_1_details.html On 2 Dec 2005 08:51:29 -0000, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > Recently I have been infected with SpySheriff spyware. I removed everything, using tools like HiJackthis, AdAware, Ewido, Trojan Hunter, Kaspersky Antivirus, Free-AV, A-squared. I then reinstalled Windows (XP SP2) and updated it to the day. > However, I've found out that at random intervals, my computer was having CPU spikes and network traffic coming from winlogon.exe. Further examination shows it connects to https.manwithnoname.biz through http (port 80) then it starts mass mailing or doing whatever the scripts taken from that site tell it to do. The process is winlogon.exe, but the file is unmodified. Obviously I can't close the process, since it is a system process. There is not a winlogon.exe in another directory than windows\system32, there are no registry or startup keys that start anything suspicious, yet this happends. Thousands of antivirus and antispyware software fail to detect it and there is no google page that contains https.manwithnoname.biz. Please help me out! > Thanks >
