At work I'm a tech support agent for 3 large ISPs in my area (outsourced IT help, PEBKAC!!!!). So that means I have to clean at least 3 machines of spyware a day. I hate it. A lot! Lately I've noticed that more and more spyware is attaching itself to winlogon. This is a real bitch to get rid of.
And here's how to get rid of it.... This tutorial might be a little weak but it's helped me a million times over the last week or so.
Tools you'll need:
Ad-Aware - IMHO works better than Spybot and others
HijackThis - startup entries, wherever they may hide
Process Explorer - process management - www.sysinternals.com
OK, scan with Ad-Aware. Check HijackThis, clean everything. Reboot. w00t, got it all........ wait a second, that damn 874365874365874365.dll is still bonded to winlogon, and that damn exe is back. Damnit! Do it again, try to rename it, try to kill it. Damnit! Still there! If only there was a way to quickly do this........
***Warning*** using this method will/may crash Windows! It's not nice but it gets the job done!
OK, have HijackThis open, then open up PE (Process Explorer) and suspend winlogon. CAREFUL NOW, we're walking on eggshells here (times 10000 if you're doing it remotely!). OK, now kill explorer.exe. Now go forth and delete the dlls and exes that are making your life hell! After that open HijackThis and delete the entries that pointed at them. Now for the fun and mean part. Time to lay the smackdown on winlogon. Open PE and kill the winlogon process. If you're doing it remotely your session will now die. If you're sitting in front of the machine it might bluescreen (I think 2k does it, not sure, only done this remotely). Reboot the machine and check your work! DONE!
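Before you suspend winlogon it helps to have a written list of exactly which files are hooked into it, so you are not hunting by eye with HijackThis while the machine is half dead. The script below is an added example, not part of the original post: it dumps the three places the spyware described here lives (the Winlogon\Notify subkeys, each of which names a DLL in its DLLName value; the Shell and Userinit values, which should only ever point at explorer.exe and userinit.exe; and the DLLs actually loaded in winlogon.exe right now) and flags anything that lives outside %SystemRoot%. It assumes an XP/2000-era machine where Winlogon notification packages are still loaded (Vista and later ignore the Notify key) and an elevated PowerShell session; the function names are my own.

```powershell
# Added example (not from the original post): audit what is hooked into winlogon
# so you know what to delete before you suspend/kill it. Run from an elevated PowerShell.
# Assumption: XP/2000-style Winlogon\Notify subkeys (Vista and later no longer load them).

$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Turn a registry value like 'C:\WINDOWS\system32\userinit.exe,' or 'evil.dll' into a full path.
function Resolve-WinlogonPath([string]$raw) {
    $p = ($raw -replace '"', '' -split ',')[0].Trim()
    if ([System.IO.Path]::IsPathRooted($p)) { return $p }
    # Bare names resolve against system32 first, then the Windows directory (explorer.exe lives there).
    foreach ($dir in @("$env:SystemRoot\system32", $env:SystemRoot)) {
        $candidate = Join-Path $dir $p
        if (Test-Path $candidate) { return $candidate }
    }
    return $p
}

# Build one report row for a source (where we found it) and the raw value we found.
function Add-Finding($source, $raw) {
    $path = Resolve-WinlogonPath $raw
    $company = if (Test-Path $path) { (Get-Item $path).VersionInfo.CompanyName } else { '<file missing>' }
    New-Object PSObject -Property @{
        Source     = $source
        Path       = $path
        Company    = $company
        # Living outside %SystemRoot% is the strongest signal; CompanyName is only a triage hint (spoofable).
        Suspicious = -not ($path -like "$env:SystemRoot\*")
    }
}

$findings = @()

# 1. Winlogon notification packages: every subkey of Notify names a DLL in its DLLName value.
#    This is where the "dll bonded to winlogon" entries come from.
$notifyKey = Join-Path $winlogonKey 'Notify'
if (Test-Path $notifyKey) {
    foreach ($sub in Get-ChildItem $notifyKey) {
        $dll = (Get-ItemProperty $sub.PSPath).DLLName
        if ($dll) { $findings += Add-Finding "Notify\$($sub.PSChildName)" $dll }
    }
}

# 2. Shell and Userinit: should be explorer.exe and userinit.exe and nothing else.
$props = Get-ItemProperty $winlogonKey
foreach ($name in 'Shell', 'Userinit') {
    if ($props.$name) { $findings += Add-Finding "Winlogon\$name" $props.$name }
}

# 3. DLLs currently loaded into winlogon.exe (whatever is holding the file open right now).
try {
    foreach ($m in (Get-Process winlogon).Modules) {
        $findings += Add-Finding 'loaded in winlogon.exe' $m.FileName
    }
} catch {
    Write-Warning "Could not read winlogon.exe modules (needs admin): $_"
}

$findings | Sort-Object Suspicious -Descending |
    Select-Object Suspicious, Source, Path, Company | Format-Table -AutoSize
```

Run it once before you start and save the output; the rows marked Suspicious are the files to delete once explorer.exe is dead and winlogon is suspended, and the Source column tells you which HijackThis entry to remove afterwards. Run it again after the reboot: an empty Suspicious column is your "check your work" step.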
OK, this might be a little patchy. I will edit it once I've done it a few times tonight (have to work) so I can't give instructions to the T. If anyone knows a better way that doesn't involve killing Windows for a second I'd love to hear it.
Thanks for the read, hope it helps.
-ech0