Sorry, I haven't gotten around to writing this page properly yet. I'll give you the short and vague version.
Be careful! Winlogon is very necessary for the OS to function. Messing it up could be difficult to recover from.
Things generally hook into winlogon through "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify". Go there and check out the subkeys. The following subkeys (among others) are normal:
If you find the entry that you are looking for, try changing it. If you can change it, reboot and see if it reverts. If it reverts, or if you are denied access when you try to change it, then it's probably what you are looking for.
Change the access control on the key so that SYSTEM has only read access. Then reboot the system and modify the value of the DLL that is being called. Reboot again, and your malware should no longer be hooked to winlogon.
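
An added example, not from the original page: a read-only PowerShell audit that lists each Notify subkey, the DLL it names, and which SIDs hold an Allow ACE with write (SetValue) rights, so you can see what is hooked and confirm whether SYSTEM still has write access after the change above. The function name, the System32 lookup for bare DLL names, and the choice to report only ACEs (not group-derived access) are assumptions of this example.

```powershell
# Added example: read-only audit of the Winlogon Notify key. Nothing is modified.
$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$SystemSid = 'S-1-5-18'   # well-known SID of the SYSTEM account

function Get-WinlogonNotifyAudit {   # hypothetical helper name
    param([string]$Path = $NotifyKey)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Key not present on this system: $Path"
        return
    }
    $setValue = [int][System.Security.AccessControl.RegistryRights]::SetValue

    foreach ($sub in Get-ChildItem -LiteralPath $Path) {
        # DllName is the value naming the DLL that winlogon loads for this subkey.
        $dll = $sub.GetValue('DllName')

        # Assumption for this audit: a bare file name is looked up in System32.
        $file = $dll
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            $file = Join-Path $env:SystemRoot (Join-Path 'System32' $dll)
        }

        # Collect the SIDs holding an explicit or inherited Allow ACE with SetValue.
        # Access gained through group membership is not evaluated here.
        $acl   = Get-Acl -Path $sub.PSPath
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $writers = @($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and (([int]$_.RegistryRights) -band $setValue)
        } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

        New-Object PSObject -Property @{
            Subkey         = $sub.PSChildName
            DllName        = $dll
            DllExists      = [bool]($file -and (Test-Path -LiteralPath $file))
            SystemWriteAce = ($writers -contains $SystemSid)
            WriteSids      = $writers -join ', '
        }
    }
}

Get-WinlogonNotifyAudit |
    Select-Object Subkey, DllName, DllExists, SystemWriteAce, WriteSids |
    Format-Table -AutoSize
```

Run it before and after the access-control change; a subkey whose `SystemWriteAce` column still reads `True` has not had SYSTEM's write access removed.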