How to kill hidden winlogon processes

ToddAndMargo

Hi All,

First: I do not have a virus. Kaspersky 30 day demo
removed it completely. Please do not send me links
to malware removers.

The Zolob virus starts in the registry in the winlogon
keys. Because of this, it even runs in safe mode.
And processes started in the winlogon keys all
show up as a single "winlogon" entry on the processes
tab of the task manager.

Is there a third party process tool that will allow me to
see these processes and kill them as desired? A way
to tell the task manager to "show all"?

Many thanks,
-T
 
Shenan Stanley

First: I do not have a virus. Kaspersky 30 day demo
removed it completely. Please do not send me links
to malware removers.

The Zolob virus starts in the registry in the winlogon
keys. Because of this, it even runs in safe mode.
And processes started in the winlogon keys all
show up as a single "winlogon" entry on the processes
tab of the task manager.

Is there a third party process tool that will allow me to
see these processes and kill them as desired? A way
to tell the task manager to "show all"?

You aren't clean, you said it yourself.

You cannot say, "I do not have a virus." and follow it with, "The Zolob
virus starts in the registry in the winlogon keys. ... Is there a third
party process tool that will allow me to see these processes and kill
them as desired?" and logically believe everything is clean...
 
Poprivet

Hi All,

First: I do not have a virus. Kaspersky 30 day demo
removed it completely. Please do not send me links
to malware removers.

The Zolob virus starts in the registry in the winlogon
keys. Because of this, it even runs in safe mode.
And processes started in the winlogon keys all
show up as a single "winlogon" entry on the processes
tab of the task manager.

Is there a third party process tool that will allow me to
see these processes and kill them as desired? A way
to tell the task manager to "show all"?

Many thanks,
-T

Too bad; otherwise you could be helped.
 
ToddAndMargo


Did not find a way to kill a running winlogon process in the
link you sent me.

This is a theory question. I am not asking for help with a virus.
(Maybe a future virus.)

By the way, I usually use Bart PE to go into the registry and
remove the entries and then security erase (mangle) the
file the registry key points to. But, this time, BartPE
would not recognise the hard drive. (Some weird
first generation SATA drive.)

-T
 
ToddAndMargo

You cannot say, "I do not have a virus." and follow it with, "The Zolob
virus starts in the registry in the winlogon keys. ... Is there a third
party process tool that will allow me to see these processes and kill
them as desired?" and logically believe everything is clean...

Actually I can. I checked. I know what to look for. This is an after
the fact question. Call it a theory question. Maybe I should not have
said why I wanted to know. It would have kept responders
from going off on tangents.

Question: how do I kill a running winlogon process?

-T
 
David H. Lipman

From: <[email protected]>

| Hi All,
|
| First: I do not have a virus. Kaspersky 30 day demo
| removed it completely. Please do not send me links
| to malware removers.
|
| The Zolob virus starts in the registry in the winlogon
| keys. Because of this, it even runs in safe mode.
| And processes started in the winlogon keys all
| show up as a single "winlogon" entry on the processes
| tab of the task manager.
|
| Is there a third party process tool that will allow me to
| see these processes and kill them as desired? A way
| to tell the task manager to "show all"?
|
| Many thanks,
| -T

You are making faux conclusions and trying to heal your computer without the knowledge
needed. This is a bad combo.

Questions:
* What anti virus software called the infector the name "Zolob" ?
* Are you sure it was called Zolob and not a typo and it is really ZLob or Zotob ?
* You called this a "virus". Do you know this for sure, or is what we are talking about really a
Trojan? Trojans and viruses are NOT the same.
* When you say a Winlogon entry, there are many. Some EXEs will chain off EXPLORER.EXE or
USERINIT.EXE and there are many Trojans that use the Winlogon Notify function.

This is NOT an anti virus group. You have posted extremely limited information and possible
misinformation. I suggest you gather ALL the facts, including any/all anti virus logs like
Kaspersky, and create a new post.

Here's a good place to do so...
 
David H. Lipman

From: <[email protected]>


|
| Actually I can. I checked. I know what to look for. This is an after
| the fact question. Call it a theory question. Maybe I should not
| have
| said why I wanted to know. It would have kept responders
| from going off on tangents.
|
| Question: how do I kill a running winlogon process?
|
| -T
|


You haven't defined any.
You have posted no facts.
Stating "winlogon process" says literally nothing.
 
ToddAndMargo

From: <[email protected]>

|
| Actually I can. I checked. I know what to look for. This is an after
| the fact question. Call it a theory question. Maybe I should not
| have
| said why I wanted to know. It would have kept responders
| from going off on tangents.
|
| Question: how do I kill a running winlogon process?
|
| -T
|

You haven't defined any.
You have posted no facts.
Stating "winlogon process" says literally nothing.


Let's ask the question another way. Do you know of a third party tool
that shows ALL the running processes and allows me to kill which ones
I desire?

-T
 
CreateWindow

Dear ToddAndMargo,

Sysinternals "Process Explorer" available from MS downloads is an excellent
tool. Killing a process is a last ditch thing. Service processes should never
be killed this way - rather - ask the SCM to stop them.

CreateWindow
http://mymessagetaker.com
Stop using those paper phone message pads
make the computer work for you.
 
David H. Lipman

From: <[email protected]>


|
| Let's ask the question another way. Do you know of a third party tool
| that shows ALL the running processes and allows me to kill which ones
| I desire?
|
| -T
|

I know of many tools to do many things. However you STILL have not defined the problem.

I still have a hard time with your matching Zolob and Kaspersky and saying the PC is clean
yet require a utility to kill an undefined Winlogon Process.

You are in denial. Your PC is NOT clean.
 
ToddAndMargo

Dear ToddAndMargo,

Sysinternals "Process Explorer" available from MS downloads is an excellent
tool. Killing a process is a last ditch thing. Service processes should never
be killed this way - rather - ask the SCM to stop them.

Went to Microsoft's download center and searched for both sysinternals
and "Process Explorer". Did not get any hits. Do you remember where you
downloaded your copy from?

Many thanks,
-T
 
ToddAndMargo

From: <[email protected]>

|
| Let's ask the question another way. Do you know of a third party tool
| that shows ALL the running processes and allows me to kill which ones
| I desire?
|
| -T
|

I know of many tools to do many things. However you STILL have not defined the problem.

I still have a hard time with your matching Zolob and Kaspersky and saying the PC is clean
yet require a utility to kill an undefined Winlogon Process.

You are in denial. Your PC is NOT clean.

Dave,

I know you are only trying to help, but this is a theory question.
I want to know how to kill a hidden (to the task manager) process the
next time I come across it. I do not need help removing a virus. I am
absolutely sure of that. If you disagree, I take full responsibility
for my own actions.

By the way, my PC is running Linux. It is impossible for it
to catch this kind of crap. If I want to run Windows, I run it
in a virtual machine: it/they has/have NO Internet access. If I catch
something, the virtual machine looks like a single file to Linux.
All I have to do is restore my backup copy (Like Ghost, only a
bazillion times easier to use.)

Please only answer the question I asked.

-T
 
David H. Lipman

From: <[email protected]>


| Dave,
|
| I know you are only trying to help, but this is a theory question.
| I want to
| know how to kill a hidden (to the task manager) process the next time
| I come across it. I do not need help removing a virus. I am
| absolutely sure
| of that. If you disagree, I take full responsibility for my own
| actions.
|
| By the way, my PC is running Linux. It is impossible for it
| to catch this kind of crap. If I want to run Windows, I run it
| in a virtual machine: it/they has/have NO Internet access. If I catch
| something,
| the virtual machine looks like a single file to Linux. All I have to
| do is
| restore my backup copy (Like Ghost, only a bazillion times easier
| to use.)
|
| Please only answer the question I asked.
|
| -T

Linux gets malware albeit a *much* lower risk.

Task Manager only sees non-hidden processes, as they are all EXE based.

You have to use Process Explorer or some other GUI and see the parent/daughter dependencies
and kill or suspend them to kill a given process. This will be different if it is a DLL
than an EXE loaded process.

For example; you may have to suspend; SMSS.EXE, CSRSS.EXE, WINLOGON.EXE, SERVICES.EXE and
EXPLORER.EXE. Done wrong and you can go into a BSoD condition.

You said a Winlogon Process. Under....
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

That process could be an EXE loaded as...

Userinit = C:\WINNT\SYSTEM32\Userinit.exe, PROCESS.EXE
or
shell = explorer.exe PROCESS.EXE

Which would be easier than...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

which would load a DLL file.

You would then have to ask if you need to kill the process or can you remove the Registry
entry and reboot. The process may be protected where you have to suspend the parent
process(es), remove the Registry key and reboot.

Process Explorer would be a helpful tool but it may be a combo. of tools depending on what
it is.
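As an added example (not code from any poster in this thread), the PowerShell script below enumerates the three Winlogon launch points Dave describes: the Userinit and Shell values, and the Notify subkeys. The "expected" default values are an assumption for an XP-era system and should be adjusted for the host being checked; legitimate Notify DLLs exist, so those are listed for review rather than flagged.

```powershell
# Added example: audit Winlogon launch points (Userinit, Shell, Notify).
# Run in an elevated PowerShell prompt on the machine being reviewed.
$winlogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$systemDir = [Environment]::SystemDirectory   # e.g. C:\WINDOWS\system32

# Assumed defaults: anything in these values beyond the defaults is a
# chained program of the kind the thread describes (PROCESS.EXE).
$expected = @{
    Userinit = @(Join-Path $systemDir 'userinit.exe')
    Shell    = @('explorer.exe')
}

$findings = @()
foreach ($name in $expected.Keys) {
    $raw = (Get-ItemProperty -Path $winlogon -Name $name -ErrorAction SilentlyContinue).$name
    if (-not $raw) { continue }
    # Both values are comma-separated lists; the default userinit value
    # even ends with a trailing comma, so drop empty entries.
    $entries = $raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        $known = $expected[$name] | Where-Object { $entry -ieq $_ }
        if (-not $known) {
            $findings += [pscustomobject]@{ Location = $name; Value = $entry }
        }
    }
}

# Notify subkeys load a DLL into winlogon.exe itself rather than starting
# a visible process; list every DLLName so each can be reviewed.
$notify = Join-Path $winlogon 'Notify'
if (Test-Path $notify) {
    Get-ChildItem -Path $notify | ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath -Name DLLName -ErrorAction SilentlyContinue).DLLName
        $findings += [pscustomobject]@{ Location = "Notify\$($_.PSChildName)"; Value = $dll }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No unexpected Winlogon entries.' }
```

Compare each reported Value against the file on disk and its publisher before deciding whether to remove the registry entry and reboot, as Dave suggests, rather than killing the process first.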
 
ToddAndMargo

From: <[email protected]>

| Dave,
|
| I know you are only trying to help, but this is a theory question.
| I want to
| know how to kill a hidden (to the task manager) process the next time
| I come across it. I do not need help removing a virus. I am
| absolutely sure
| of that. If you disagree, I take full responsibility for my own
| actions.
|
| By the way, my PC is running Linux. It is impossible for it
| to catch this kind of crap. If I want to run Windows, I run it
| in a virtual machine: it/they has/have NO Internet access. If I catch
| something,
| the virtual machine looks like a single file to Linux. All I have to
| do is
| restore my backup copy (Like Ghost, only a bazillion times easier
| to use.)
|
| Please only answer the question I asked.
|
| -T

Linux gets malware albeit a *much* lower risk.

Task Manager only sees non-hidden processes, as they are all EXE based.

You have to use Process Explorer or some other GUI and see the parent/daughter dependencies
and kill or suspend them to kill a given process. This will be different if it is a DLL
than an EXE loaded process.

For example; you may have to suspend; SMSS.EXE, CSRSS.EXE, WINLOGON.EXE, SERVICES.EXE and
EXPLORER.EXE. Done wrong and you can go into a BSoD condition.

You said a Winlogon Process. Under....
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

That process could be an EXE loaded as...

Userinit = C:\WINNT\SYSTEM32\Userinit.exe, PROCESS.EXE
or
shell = explorer.exe PROCESS.EXE

Which would be easier than...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

which would load a DLL file.

You would then have to ask if you need to kill the process or can you remove the Registry
entry and reboot. The process may be protected where you have to suspend the parent
process(es), remove the Registry key and reboot.

Process Explorer would be a helpful tool but it may be a combo. of tools depending on what
it is.


Thank you! Very helpful.
-T
 
Ytrx

Is there a third party process tool that will allow me to
see these processes and kill them as desired? A way
to tell the task manager to "show all"?

What's with all these "How to" posts stated as questions?

The subject line of this thread is "How to kill hidden winlogon
processes." That implies it's an instructional post as opposed to a
query. Don't you mean "How do I kill hidden winlogon processes?"

Have a nice day.

Ytrx

Welcome to the future. It's just starting now.
 