winlogon + friend.

  1. #1
    Senior Member
    Join Date
    Oct 2005
    Posts
    197

    winlogon + friend.

    At work I'm a tech support agent for 3 large ISPs in my area (outsourced IT help, PEBKAC!!!!). So that means I have to clean at least 3 machines of spyware a day. I hate it. A lot! Lately I've noticed that more and more spyware are attaching themselves to winlogon. This is a real bitch to get rid of.
    And here's how to get rid of it.... This tutorial might be a little weak but it's helped me a million times over the last week or so.

    Tools you'll need

    Ad-Aware - IMHO works better than Spybot and others
    HijackThis - startup, wherever it may hide
    Process Explorer - process management - www.sysinternals.com

    OK, scan with Ad-Aware. Check HijackThis, clean everything. Reboot. w00t, got it all... wait a second, that damn 874365874365874365.dll is still bonded to winlogon. And that damn exe is back. Damnit! Do it again, try and rename it, try to kill it. Damnit! Still there! If only there was a way to quickly do this...

    ***Warning*** using this method will/may crash Windows! It's not nice but gets the job done!

    OK, have HijackThis open, then open up PE (Process Explorer), then suspend winlogon. CAREFUL NOW, we're walking on eggshells here (times 10000 if you're doing it remotely!). OK, now kill explorer.exe. Now go forth and delete the DLLs and EXEs that are making your life hell! After that open HijackThis and delete the entries. Now for the fun and mean part. Time to lay the smackdown on winlogon. Open PE and kill the winlogon process. If you're doing it remotely your session will now die. If you're sitting in front of the machine it might bluescreen (I think 2k does it, not sure, only done this remotely). Reboot the machine and check your work! DONE!


    OK, this might be a little patchy. I will edit it once I've done it a few times tonight (have to work), so I can't give instructions to the T. If anyone knows a better way that doesn't involve killing Windows for a second I'd love to hear it.

    Thanks for the read, hope it helps.

    -ech0
    meh. -ech0.
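An added example, written for this edit and not part of ech0's post or of any of the tools he names: a PowerShell audit of the places winlogon picks things up from, so you know exactly which DLL or EXE is "bonded" to it before you suspend or kill anything. It reads the Shell and Userinit values, the Winlogon\Notify subkeys (the HijackThis O20 entries; that key only exists on Windows 2000/XP), and, when run elevated, the modules actually loaded in winlogon.exe, and flags every file that does not carry a valid Microsoft Authenticode signature. Assumptions: Windows PowerShell, run as an administrator. On XP most system files are not embedded-signed, so expect Microsoft's own files to show up as unsigned there; treat the output as a review list, not a kill list.

```powershell
# Added example (not from the thread): audit winlogon autostart points and
# flag anything not signed by Microsoft. Assumes Windows PowerShell, elevated.

$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# True only if the file exists, has a valid Authenticode signature and the
# signer subject names Microsoft. Unsigned files simply return $false.
function Test-MicrosoftSigned {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*')
}

# Turn a value such as "C:\WINDOWS\system32\userinit.exe,extra.exe" into file paths.
# Bare names (e.g. "explorer.exe") resolve relative to the Windows directory.
function Expand-CommandList {
    param([string]$Value)
    if ([string]::IsNullOrEmpty($Value)) { return @() }
    $paths = @()
    foreach ($item in ($Value -split ',')) {
        $p = $item.Trim().Trim('"')
        if (-not $p) { continue }
        if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:windir $p }
        $paths += $p
    }
    return $paths
}

function New-Finding {
    param([string]$Source, [string]$Path)
    [pscustomobject]@{ Source = $Source; Path = $Path; MicrosoftSigned = (Test-MicrosoftSigned $Path) }
}

$findings = @()

# 1. Shell and Userinit: what winlogon launches at logon.
$props = Get-ItemProperty -Path $winlogonKey
foreach ($name in 'Shell', 'Userinit') {
    foreach ($file in (Expand-CommandList $props.$name)) {
        $findings += New-Finding -Source "Winlogon\$name" -Path $file
    }
}

# 2. Winlogon\Notify subkeys: each DllName is loaded into winlogon.exe itself.
#    Present on Windows 2000/XP only; on later systems this block is skipped.
$notifyKey = Join-Path $winlogonKey 'Notify'
if (Test-Path $notifyKey) {
    foreach ($sub in (Get-ChildItem -Path $notifyKey)) {
        $dll = (Get-ItemProperty -Path $sub.PSPath).DllName
        if (-not $dll) { continue }
        if (-not [System.IO.Path]::IsPathRooted($dll)) { $dll = Join-Path "$env:windir\system32" $dll }
        $findings += New-Finding -Source "Winlogon\Notify\$($sub.PSChildName)" -Path $dll
    }
}

# 3. Modules loaded into the running winlogon.exe (needs elevation; one
#    process per session, so iterate them all).
try {
    foreach ($proc in (Get-Process -Name winlogon -ErrorAction Stop)) {
        foreach ($m in $proc.Modules) {
            $findings += New-Finding -Source "winlogon.exe PID $($proc.Id)" -Path $m.FileName
        }
    }
} catch {
    Write-Warning "Could not read winlogon.exe modules (run elevated): $($_.Exception.Message)"
}

# Unsigned or third-party-signed entries come first: that is the list to
# check against HijackThis before touching winlogon at all.
$findings | Sort-Object MicrosoftSigned, Source, Path | Format-Table -AutoSize
```

Run it before the suspend-and-kill step so you can compare the reported paths with the HijackThis entries and confirm you are deleting the right file; anything in the Notify list that is not a Microsoft DLL is the usual culprit behind the "still bonded to winlogon after reboot" symptom.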

  2. #2
    The Recidivist
    Join Date
    Nov 2002
    Posts
    460
    This is like the redneck duct tape solution, lol.

    Dirty but inventive.


    hjack
    "Where the tree of knowledge stands, there is always paradise": thus speak the oldest and the youngest serpents.
    - Friedrich Nietzsche

  3. #3
    Blast From the Past
    Join Date
    Jan 2003
    Posts
    729
    I had that problem with winlogon.exe... I went in with Knoppix-STD and replaced it with an untouched copy from my "never near a network" comp... did the job until my client re-downloaded the offending spyware...
    work it harder, make it better, do it faster, makes us stronger

  4. #4
    Senior Member
    Join Date
    Oct 2005
    Posts
    197
    At work I don't have that option. Might be a good idea!
    meh. -ech0.

  5. #5
    AO's MMA Fanatic! Computernerd22's Avatar
    Join Date
    Mar 2003
    Location
    Miami, FL
    Posts
    767
    This is like the redneck duct tape solution, lol.

    Dirty but inventive.
    More like afro engineering @ its finest!

  6. #6
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    BART-PE..

    Use HJT, Ad-Aware and Trend Sysclean from this environment; gets most of the little F....rs on first pass.

    You do need the remote registry tools with Bart PE (thanks Irongeek.. a thousand times).

    Using the Bart PE boot CD makes the process of cleaning the Windows/Temp and user/Local Settings and Temp Internet folders a snap..
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  7. #7
    The ******* Shadow dalek's Avatar
    Join Date
    Sep 2005
    Posts
    1,564
    ech0

    What are the users' account setups like? Are they limited users? If not, then they are able to download and install any program, legit as well as spyware.

    If they have admin rights, you could reset them to limited; they can download but won't be able to install, but then you get all of the headaches associated with switching back and forth between users to set stuff up.

    Try installing SpywareBlaster and SpywareGuard.

    Might cut back on all those trips you make.
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

  8. #8
    Senior Member
    Join Date
    Oct 2005
    Posts
    197
    dalek, I can't mod their user accounts like that because these are customers' machines. Also I don't have local access (for the record), thus limiting my options. Thanks for the replies, gents.
    meh. -ech0.

  9. #9
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    if you're doing it remotely
    I assumed that remote access was the exception, not the rule.. sorry about my local access approach on this..

    Changing the subject slightly: when you remote into these machines are you using Remote Desktop, or a VNC?
    With most problems with winlogon infectors that I have encountered, remote access would be out of the question; heck, even getting into an application is a challenge.
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
