Jeff - I followed your instructions, the rogue dll attach itself to winlogon and explorer, when i remove the threads from all 3 of them it comes right back, and i’m still unable to delete the file. anyway to stop them from reloading?
W, start Process Explorer, then kill explorer.exe. Process Explorer will still be running-- use it to kill the threads attached to WinLogon.
I tried your things yesterday night and it works !!
Thanks a bunch.
Chris Lomont is right - there is only one way and that is a clean rebuild
The question I have for Chris Lomont however is HOW THE HELL DO I DO A CLEAN REBUILD when the rootkit I have hides my DVD drive when it detects an installation disk in it, hides DOS windows when it detects scanning software and disallows me to reformat any of my discs
???
Any help would be greatfully received…
HELP!, try booting from a bootable Windows install CD.
Thank you so much for this article. I haven’t got a rootkit issue so far(?), but I’ve been using the other tools for some time now. Using the Process Explorer to kill threads within winlogon and thus freeing the rogue dll was new to me. Thanks for the tip. I used another trick to get around the same problem on my friend’s computer. I used the windows explorer to deny read and execute rights to the rogue dlls that loaded themselves into winlogon.exe and lsass.exe (you need ntfs filesystem for this trick to work). Then rebooted the system and did the remaining cleanup as mentioned in the article.
The trick may not work against a spyware that will hook the API itself or monitor the system using a driver, but hopefully most spyware apps aren’t that smart.
Awesome article! A must-read for every desktop user out there. Clean, detailed, and based around free software.
I recommend that you make an ebook of this post 
For reasons of simplicity, I use 2 windows installations with different security software. This way I can switch from one to another and have a scan from another vendor.
Also, I’d suggest every advanced user have a bootable CD with Avast, Lavasoft and McAfee utilities to run. It does help and is faster than killing nasties from the windows GUI.
Thanks for your great article, it turns out my pc wasn’t as bad off as I suspected (I am a pc hypochondriac…) but I did learn a lot about processes and some great free tools. I feel like I have a better understanding about what to look for. Thanks again!
Hey Jeff.
Very helpful article. Just wanted to add a few useful tips.
Sometimes spyware installs services that monitor running processes, and keep firing them up as quick as you kill them. A very handy tip from Mark Russinovich (the Sysinternals guy) is to suspend the process rather than kill it. The process appears to be running, but it cannot do anything.
Hiya Jeff,
GREAT article. I got nailed by spyware in a bad way (stupidly clicked on something i shouldn’t have before installing spybot et-al on a new windows build). I dominated all the spyware thanks to your tips
Cheers!
- Luke
Great article indeed. Adaware spybot only go so far in cleaning up.
Will add Process Explorer autorun in my tools map. Tried a similar autorun program before but I had no idea so many things start at boottime.
FWIW I like your approach in that Antimalware software these days is worthless. I agree with whoever said once its infected it cannot be trusted. Here is what I do now that i work in an IT dept and make decisions to the fate of a computer
Initial contact: Run the antimalware software to make the user and management feel warm and fuzzy.
Run MSconfig and Hijack this. Kill weird processes
Second call: It came back. Make arrangement for a format and reinstall. I dont want rogue s*it on my network and if the simple didnt kill it I am not going to run the risk or waste anymore time beating a dead horse.
I have been a malware killing fool since 2003 and it has come to this.
would it be okay if I’ll just reformat the pc instead?
Hey Jeff,
Great article, what an excellent guide for removing malware, and a much better alternative than installing (and paying for) multiple spyware removal products which may or may not do the job.
I’d like to ditto the comments above about the code authentication options in PE and Autoruns, and about running rootkit revealer if there are still persistent nasties. I’d reckon this will get anyone out of trouble just about 100% of the time.
Thanks again!
Another handy item for killing these things is a clean install of cygwin on CD. With Cygwin’s ps, you can find hidden processes and kill them, which you often can’t from Task Manager and sometimes not even from proc explorer.
I agree that everyone should have current browser and patches and run AV, but sometimes it just seems to appear. The sadly pathetic response of most MCSE IT shops is to reimage the drive. They don’t care. But it often means days lost while the job is done and the user re-creates their working environment.
That is not the way to handle system administration. Any admin who can’t sit down at a PC with his tool cd and fix anything except a hardware fault is not worth hiring. Re-imaging is the first resort of an amateur, not the first response of a pro.
It isn’t a quick and easy task, but it’s doable in a couple hours. Been there, cleaned that.
I’d mention the command-line version of the free a-squad anti-malware. After a short research it turns out that a-squared is just the only company who offers a command prompt based tool. F-prot ceased support to its DOS-compatible version of antivirus, DrWeb and Vexira offer command-line scanners on commercial basis only. Other vendors seem to include this nice feature in enterprise products, which cannot be free by their nature.
To me, it’s one more reason to give thumbs up to a-squared.
Thanks for the useful article.
A good 40-page guide on ‘How to Secure Windows and Your Privacy’ can be downloaded from Scribd’s free document library at – http://www.scribd.com/doc/3091625/How-to-Secure-Your-Windows-PC-and-Your-Privacy
I’ve found that using Cygwin will let you kill processes that windows refuses to stop. It’s handy for removing files, too.
People on forums and open posts like this one never cease to amaze me. Instead of giving props to the effort and work put into this guide, people start talking about automatic tools that only work on a very small part of the problem.
I am a professional technician and systems admin, and I myself have worked with various spyware tools, HiJackThis, and many others, that really will NEVER be able to get rid of all spyware, trojan and memory resident intrusions that affect a system.
Spybot is good, but not even close to removing some system infestations.
Doing things manually will ALWAYS prove to be more effective a solution because we are living in the NOW and NEW and more lethal spyware threats WILL ALWAYS be created to suck money from the less fortunate that get infected from browsing habits or security holes.
I too use a Norton Ghost Image instead of a reinstall, but that is besides the point for someone who does not have the know how to even build an image of a clean install.
For pesky infestations, I have created a Batch File that automatically kills the spyware processes and removes the file after removing it from running in memory. Although this is a work in progress, it currently removes over 45 known spyware files, folders and memory residents.
People are so dumb now a days, and automatic tools do not help the problem too well. No matter how dumb the average user might be to removing intrusions, the day will come when they say enough is enough and find a way to do it themselves.
Dude, are you using a diiferent version of Process explorer then you gave a link to? The version I downloaded doesn’t have a ‘process properties dialog’ option! Help!