-
October 16th, 2005, 06:45 PM
#1
winlogon + friend.
At work I'm a tech support agent for 3 large ISPs in my area (outsourced IT help, PEBKAC!!!!) So that means I have to clean at least 3 machines of spyware a day. I hate it. A lot! Lately I've noticed that more and more spyware are attaching themselves to winlogon. This is a real bitch to get rid of.
And here's how to get rid of it... This tutorial might be a little weak but it's helped me a million times over the last week or so.
Tools you'll need
Adaware - IMHO works better than Spybot and others
HijackThis - Startup, wherever it may hide
Process Explorer - process management - www.sysinternals.com
OK, scan with Adaware. Check HijackThis, clean everything. Reboot. w00t, got it all... wait a second, that damn 874365874365874365.dll is still bonded to winlogon. And that damn exe is back. Damnit! Do it again, try and rename it, try to kill it. Damnit! Still there! If only there was a way to quickly do this...
***Warning*** using this method will/may crash Windows! It's not nice but gets the job done!
OK, have HijackThis open, then open up PE (Process Explorer), then suspend winlogon. CAREFUL NOW, we're walking on eggshells here (times 10000 if you're doing it remotely!) OK, now kill explorer.exe. Now go forth and delete the DLLs and exes that are making your life hell! After that open HijackThis and delete the entries. Now for the fun and mean part. Time to lay the smackdown on winlogon. Open PE and kill the winlogon process. If you're doing it remotely your session will now die. If you're sitting in front of the machine it might bluescreen (I think 2k does it, not sure, only done this remotely). Reboot machine and check your work! DONE!
OK, this might be a little patchy. I will edit it once I've done it a few times tonight (have to work) so I can't give instructions to the T. If anyone knows a better way that doesn't involve killing Windows for a second I'd love to hear it.
Thanks for the read, hope it helps.
-ech0
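A read-only way to see what the post above is hunting for, added here as an example and not part of the thread (it is PowerShell, which did not exist on the 2005-era machines described): it lists what winlogon.exe launches or loads at logon, the Shell and Userinit values and the Winlogon\Notify package DLLs that HijackThis reports, and flags any image that is missing or lacks a valid Authenticode signature so it can be compared against a clean machine before anything is deleted.

```powershell
# Added example, not from the thread: inventory the code winlogon.exe loads at logon
# and flag anything unsigned or missing. Read-only; run from an elevated prompt.
$wl    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sys32 = Join-Path $env:SystemRoot 'System32'

function Resolve-ImagePath([string]$raw) {
    # Drop arguments and the trailing comma (Userinit is "C:\...\userinit.exe,"),
    # expand %SystemRoot%-style variables, and assume System32 for bare file names.
    $p = [Environment]::ExpandEnvironmentVariables((($raw -split ',')[0]).Trim().Trim('"'))
    if (-not (Split-Path $p -IsAbsolute)) { $p = Join-Path $sys32 $p }
    return $p
}

function Test-Image([string]$source, [string]$raw) {
    $path   = Resolve-ImagePath $raw
    $exists = Test-Path -LiteralPath $path -PathType Leaf
    $status = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Missing' }
    [pscustomobject]@{
        Source  = $source
        Path    = $path
        Status  = $status
        Suspect = ($status -ne 'Valid')   # unsigned, tampered, or file no longer on disk
    }
}

$results = @()
# Shell and Userinit are started by winlogon; defaults are explorer.exe and userinit.exe.
foreach ($name in 'Shell', 'Userinit') {
    $val = (Get-ItemProperty -Path $wl -Name $name -ErrorAction SilentlyContinue).$name
    if ($val) { $results += Test-Image "Winlogon\$name" $val }
}
# Winlogon\Notify\<package>\DLLName: notification DLLs mapped into winlogon.exe itself
# on 2000/XP. This is where the "dll bonded to winlogon" from the post shows up.
if (Test-Path "$wl\Notify") {
    foreach ($pkg in Get-ChildItem "$wl\Notify") {
        $dll = (Get-ItemProperty -Path $pkg.PSPath -Name DLLName -ErrorAction SilentlyContinue).DLLName
        if ($dll) { $results += Test-Image "Notify\$($pkg.PSChildName)" $dll }
    }
}
# Caveat: on older Windows, genuine system DLLs can report NotSigned because they are
# catalog-signed, so confirm a flagged file by hashing it against a known-clean copy.
$results | Sort-Object Suspect -Descending | Format-Table -AutoSize
```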
-
October 16th, 2005, 08:58 PM
#2
This is like the redneck duct tape solution lol.
Dirty but inventive.
hjack
"Where the tree of knowledge stands, there is always paradise": thus speak the oldest and the youngest serpents.
- Friedrich Nietzsche
-
October 17th, 2005, 12:42 AM
#3
I had that problem with winlogon.exe... I went in with Knoppix-STD and replaced it with an untouched copy from my "never near a network" comp... did the job until my client re-downloaded the offending spyware...
work it harder, make it better, do it faster, makes us stronger
-
October 17th, 2005, 01:01 AM
#4
At work I don't have that option. Might be a good idea!
-
October 17th, 2005, 01:24 AM
#5
This is like the redneck duct tape solution lol.
Dirty but inventive
More like afro engineering at its finest!
-
October 17th, 2005, 02:43 PM
#6
BartPE..
Use HJT, Adaware and Trend Sysclean from this environment; gets most of the little F....rs on first pass.
You do need the remote registry tools with BartPE (thanks Irongeek, a thousand times).
Using the BartPE boot CD makes the process of cleaning the Windows/Temp and user/Local Settings and Temp Internet folders a snap..
"Consumer technology now exceeds the average person's ability to comprehend how to use it.. give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
October 17th, 2005, 04:37 PM
#7
ech0
What are the users' account setups like? Are they limited users? If not, then they are able to download and install any program, legit as well as spyware.
If they have admin rights, you could reset to limited; they can download, but won't be able to install, but then you get all of the headaches associated with switching back and forth between users to set stuff up.
Try installing SpywareBlaster and SpywareGuard.
Might cut back on all those trips you make.
PC Registered user # 2,336,789,457...
"When the water reaches the upper level, follow the rats."
Claude Swanson
-
October 17th, 2005, 07:34 PM
#8
dalek, I can't mod their user accounts like that because these are customers' machines. Also I don't have local access (for the record), thus limiting my options. Thanks for the replies, gents.
-
October 17th, 2005, 10:39 PM
#9
I assumed that remote access was the exception, not the rule.. sorry about my local access approach on this..
Changing the subject slightly: when you remote into these machines are you using Remote Desktop, or a VNC?
In most problems with Winlogon infectors that I have encountered, remote access would be out of the question; heck, even getting into an application is a challenge.
"Consumer technology now exceeds the average person's ability to comprehend how to use it.. give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr