Multiple Winlogons Analyzed With Hookshark


mcertini
May 29th, 2012, 00:31
A few days ago I noticed multiple Winlogons in my Task Manager. It was a concern to see this, though I did not know whether it was a problem or not. After loading Hookshark I noted that this file had multiple hardware breakpoint hooks. I also noted today that I do not have two Winlogons running, which makes me wonder why I am no longer seeing this.

On my computer I have a custom application that was built to patch memory addresses to expand virtual memory beyond Windows' allocation. I do not think this would have anything to do with a login. Does anyone out there know why I would have multiple logins?

Extremist
May 29th, 2012, 17:16
Multiple window stations would do that (multiple users, remote desktops, etc.).

mcertini
May 29th, 2012, 19:23
Extremist,

Thank you for your reply. Would this occur with a Windows 7 operating system running a Windows XP shell or Windows Virtual PC? Though if this were the case I would currently see two Winlogons, and I do not. I just opened Windows Virtual PC and do not see multiple Winlogons. You would expect this process to continue.

My computer is a stand-alone desktop PC which is hard-wired to a router and then to a cable modem. I am not using multiple desktops or multiple users.

I'm confused.

Extremist
May 30th, 2012, 19:02
If you have no remote sessions or multiple users, the pendulum swings more towards malware. Still, if I remember correctly, there may be other legitimate explanations. There's no quick answer. If anti-malware scans don't turn up anything, I'd first try to kill those processes and see what happens. I'd also check them out in detail with a kernel debugger. No guarantees, of course. If I'm not 100% on anything, I'd reformat and reinstall (and these days even this isn't entirely foolproof). (BTW, "Reservoir Dogs" is a good example of what could happen when you're not 100% on something.)
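The thread's open question is whether each winlogon.exe corresponds to a real interactive session or is something masquerading. The following PowerShell script is an added diagnostic, not code from the thread or from any of its posters; Get-WinlogonReport and its field names are my own. It lists every winlogon.exe with its session ID, parent, image path and Authenticode status, and flags the things that do not fit the normal picture: one winlogon.exe per interactive session, loaded from System32, signed by Microsoft, and spawned by smss.exe (which has usually already exited, so an absent parent is not suspicious by itself). It uses Get-WmiObject so it also runs on the PowerShell 2.0 that shipped with Windows 7; run it from an elevated prompt, otherwise ExecutablePath is empty for system processes.

```powershell
# Added diagnostic, not from the thread. Run as Administrator.
# Function and field names are my own, not a Windows API.
function Get-WinlogonReport {
    $expected = Join-Path $env:SystemRoot 'System32\winlogon.exe'
    $procs = @(Get-WmiObject Win32_Process -Filter "Name = 'winlogon.exe'")

    foreach ($p in $procs) {
        $path = $p.ExecutablePath
        $sig = $null
        if ($path -and (Test-Path $path)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
        }

        # Parent is normally the per-session smss.exe, which exits right after
        # creating csrss.exe and winlogon.exe, so the PID is often stale.
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $parentName = '<exited>'
        if ($parent) { $parentName = $parent.Name }

        $flags = @()
        if (-not $path -or $path -ne $expected) {
            $flags += "image is not $expected (run elevated if Path is empty)"
        }
        if (-not $sig -or $sig.Status -ne 'Valid') {
            $flags += 'Authenticode signature not valid'
        } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $flags += "signer is not Microsoft: $($sig.SignerCertificate.Subject)"
        }
        if ($parent -and $parent.Name -ne 'smss.exe') {
            $flags += "live parent is $($parent.Name), expected smss.exe"
        }

        $sigStatus = 'n/a'
        if ($sig) { $sigStatus = $sig.Status }

        New-Object PSObject -Property @{
            PID        = $p.ProcessId
            SessionId  = $p.SessionId
            Path       = $path
            ParentPID  = $p.ParentProcessId
            ParentName = $parentName
            Signature  = $sigStatus
            Flags      = ($flags -join '; ')
        }
    }
}

$report = Get-WinlogonReport
$report | Format-Table PID, SessionId, ParentPID, ParentName, Signature, Path, Flags -AutoSize

# Two winlogon.exe processes in the same session are not a second logon; flag them.
$report | Group-Object SessionId | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning "Session $($_.Name) has $($_.Count) winlogon.exe processes"
}

# Compare the SessionId column with the interactive sessions Windows knows about
# (console, RDP, disconnected). A winlogon.exe whose session is not listed here,
# or a session listed here with no winlogon.exe, is the thing to investigate.
query session
```

If every instance sits in a distinct session that `query session` also lists, loads from System32 with a valid Microsoft signature, and carries no flags, the extra process is most likely a second logon session (a disconnected RDP session, Fast User Switching, or a service that created one), not a rogue binary; a clean report still says nothing about in-memory hooks of the kind Hookshark reported, which this script does not inspect.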

Maximus
June 3rd, 2012, 03:20
Quote (originally posted by Extremist):
I'd reformat and reinstall (and these days even this isn't entirely foolproof)


Do it safely, like this:
1) Insert the Windows CD and reboot FROM the CD.
2) Select 'install new' (not 'recover install'), go to the partition manager and REMOVE the C partition.
3) Say install on the unformatted C, say yes every time and continue installing.

For the multiple user problem, essentially you are 95% backdoored in my opinion. Unless you have logged in with different users on the same machine OR you run some special application that needs to run under a separate user... but that's a very special need.

Ah, don't even bother thinking that AVs will safely remove your viruses... IMHO burn it all and restart is the only way.

deepzero
June 3rd, 2012, 04:22
+1, shouldn't be too much trouble, as it's a VM anyway.
What program are you using in the screenshot?