Antivirus Protection
#1
November 26th, 2006, 08:55 AM
josephrot
Hope you are still a member...

As of late Nov 2006, I am having the same trouble with winlogon.exe (this is the real file, not a similar name virus / trojan file) consuming 25-99% resources, as it keeps on running no matter what I do. System is Win XP Home with SP1, started with XP SP1, and continues when I updated SP1 to SP2.

All virus and trojan scans from four anti-virus suppliers find nothing wrong... ALL the anti-virus are up to date.

We need to know HOW to easily replace winlogon.exe with the proper version one, as I am sure that if the XP O/S has gone through one or more security or other updates, the proper winlogon.exe version needs to be put back; maybe doing that will stop this crap.

MS needs to make available the winlogon.exe file so people can easily replace it, even if only to make SURE that it's not a defective winlogon.exe file, or perhaps a Registry problem that is causing winlogon.exe to keep on running and eating CPU resources.

Would appreciate any copy reply also being sent to my AOL Email: (E-Mail address blocked: See forums rules)

Many thanks!

#2
November 26th, 2006, 09:42 AM
megumi amatuka
(Oo;?(No one answered? Sad.)

(^~;?(Hey, Josephrot. winlogon.exe is extracted from XP disk, SP1 or SP2.)

But this case is terribly infected and doesn't directly relate to winlogon.exe. Probably HJT didn't show an O20 winlogon hack entry then, though.

#3
November 26th, 2006, 01:14 PM
displeaser
Hi,

welcome to Devshed.

Can you download HijackThis, run a scan and post the results of the scan here.

Have you tried running the System File Checker? If you haven't, open a command prompt and type:

sfc /scannow

What antivirus/Trojan scanners did you use?

Let us know how you get on.
Displeaser
#4
November 26th, 2006, 01:44 PM
aitken325i
Thread split.

josephrot - it's always best to start a new thread.
#5
November 26th, 2006, 01:47 PM
josephrot
Thank you to both Megumi and displeaser for replies...

RATS, can't mention my Email address in the Forum, but that's understandable.

I have three XP Home / Pro systems, two are SP1 level, one is SP2. The SP1 one has the WINLOGON.EXE problem that keeps running on and on...

That is to say, the session boots up nicely, then WINLOGON.EXE does its work, then shuts down, only to again start up and all the while consumes great CPU resources as WINLOGON.EXE never really turns off and stays off as it should (comparing it to the other two normal systems)...

I am hopeful that re-installing WINLOGON.EXE from the on-the-machine O/S installer contents (these particular machines keep a copy of the entire XP CD on the machine as well as on a CD that I made for safety) will solve this nagging problem... but knowing MS and XP as I do, there's likely something else wrong that's causing WINLOGON.EXE to act this way, perhaps a new driver or other system level software that's not "letting go" of WINLOGON.EXE as it should or something like that. Rarely is XP ever that "easy to fix" by merely copying over a new copy of any file I have ever seen.

I am finding some mention of this problem as relates to Win 2003, and will hopefully locate a XP-specific entry or two in the MS Knowledge Base as well as 2003.

I have also tried many of the Registry Fix type applications, but to no avail or fix, in the hope they might locate some sort of Registry error.

Have used “all” the best quality anti-virus / anti-trojan / spyware out there.... Latest versions of Kaspersky, Webroot SpySweeper, Spyware Doctor, and one or two others. Also utilize Grisoft AVG 7.5 continuously on the affected machine as well. All “say” nothing is wrong anywhere.

Will also run XP's System File Checker, to see what that shows or might do.

Thank you again for the ideas, and I will report back on what will hopefully fix this headache.

SMALL UPDATE: Yes, I am also inspecting with one or two normally superb and educational process explorer type applets.... hopefully will see what or who is doing what to WINLOGON.EXE

Joe
Knoxville, TN

#6
November 26th, 2006, 01:56 PM
displeaser
Hi,

you might also want to have a look at Process Explorer. Services.exe runs under the winlogon process, so maybe one of your services is acting the bugger. Shut down any unnecessary services and see if that makes a difference.

Let us know how you get on with sfc /scannow and don't forget to post the HijackThis log.

Displeaser

#7
November 26th, 2006, 01:59 PM
aitken325i
Sorry guys - I must have split the thread just as you were posting to it

#8
November 26th, 2006, 02:06 PM
displeaser
Quote:
Originally Posted by aitken325i
Sorry guys - I must have split the thread just as you were posting to it

No probs Aitken, did get slightly confusing for a few mins though

#9
November 26th, 2006, 07:31 PM
josephrot
WINLOGON.EXE eating up CPU, staying on

Quote:
Originally Posted by displeaser
Hi,

Let us know how you get on with sfc /scannow and don't forget to post the HijackThis log.

Displeaser

System File Checker reports all system files good, as expected, etc.

RE: << you might also want to have a look at Process Explorer. Services.exe runs under the winlogon process, so maybe one of your services is acting the bugger. Shut down any unnecessary services and see if that makes a difference. >>

Will do the above next. Thank you for the heads-up on Process Explorer from MS.

#10
November 26th, 2006, 07:38 PM
displeaser
Quote:
Originally Posted by josephrot
System File Checker reports all system files good, as expected, etc.

RE: << you might also want to have a look at Process Explorer. Services.exe runs under the winlogon process, so maybe one of your services is acting the bugger. Shut down any unnecessary services and see if that makes a difference. >>

Will do the above next. Thank you for the heads-up on Process Explorer from MS.

That's good anyway.

Process Explorer is a very useful tool; it comes originally from Sysinternals. The full list of utilities can be found here.

Also, can you check your system/application event logs to see if anything looks "dodgy" in there. Also post a HijackThis log for us to check.

Displeaser

#11
November 26th, 2006, 08:12 PM
megumi amatuka
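The checks displeaser lays out across his replies (sfc /scannow, looking at winlogon and its children in Process Explorer, trimming services, reading the event logs) can be scripted as a first pass. The script below is an added example written for this thread, not something posted in it; it assumes Windows PowerShell running under an administrator account, and it relies on the fact that on XP the dllcache folder holds the reference copies that sfc /scannow restores from. It only reads information and changes nothing.

```powershell
# Added example (not from the thread): a read-only triage of winlogon.exe and of
# what runs beneath it. Assumes Windows PowerShell run from an administrator account.

$system32 = Join-Path $env:SystemRoot 'system32'
$expected = Join-Path $system32 'winlogon.exe'
# The dllcache copy is what sfc /scannow restores system files from on XP.
$dllcache = Join-Path $system32 'dllcache\winlogon.exe'

function Get-Sha256Hex([string]$Path) {
    # Hex SHA-256 of a file, or '' when the file is not there.
    if (-not (Test-Path -LiteralPath $Path)) { return '' }
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $hash  = [System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
    return ([System.BitConverter]::ToString($hash) -replace '-', '')
}

$winlogon = @(Get-Process -Name winlogon -ErrorAction Stop)

# 1. Each running winlogon.exe: started from system32 or not, identical to the
#    dllcache copy or not, and how much CPU time it has consumed so far.
foreach ($p in $winlogon) {
    $wmi  = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.Id)"
    $path = $wmi.ExecutablePath
    $sig  = Get-AuthenticodeSignature -FilePath $path
    New-Object PSObject -Property @{
        PID             = $p.Id
        Path            = $path
        InSystem32      = ($path -ieq $expected)
        MatchesDllcache = ((Get-Sha256Hex $path) -eq (Get-Sha256Hex $dllcache))
        FileVersion     = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
        Signature       = $sig.Status
        CPUSeconds      = [math]::Round($p.CPU, 1)
    } | Format-List PID, Path, InSystem32, MatchesDllcache, FileVersion, Signature, CPUSeconds
}

# 2. Child processes of winlogon. On XP the normal children are services.exe and
#    lsass.exe; anything else here needs an explanation.
$ids = @($winlogon | ForEach-Object { $_.Id })
Get-WmiObject Win32_Process |
    Where-Object { $ids -contains [int]$_.ParentProcessId } |
    Format-Table ProcessId, Name, ExecutablePath -AutoSize

# 3. DLLs loaded into winlogon from outside the Windows directory. Legitimate
#    third-party hooks (AV products, GINA replacements) appear here too, so this
#    is a list to review, not a verdict.
foreach ($p in $winlogon) {
    $p.Modules |
        Where-Object { $_.FileName -notlike "$env:SystemRoot\*" } |
        Format-Table ModuleName, FileName -AutoSize
}

# 4. Running services and their binaries, for the "stop unnecessary services"
#    test. The binary path is taken heuristically from the service command line
#    (quoted path, else the first token), so an unquoted path containing spaces
#    shows up truncated and should be checked by hand.
Get-WmiObject Win32_Service -Filter "State = 'Running'" | ForEach-Object {
    if ($_.PathName -match '^"([^"]+)"') { $exe = $matches[1] } else { $exe = ($_.PathName -split ' ')[0] }
    New-Object PSObject -Property @{
        Service   = $_.Name
        StartMode = $_.StartMode
        Binary    = $exe
        InWindows = ($exe -like "$env:SystemRoot\*")
    }
} | Sort-Object InWindows, Service | Format-Table Service, StartMode, InWindows, Binary -AutoSize

# 5. Recent errors and warnings in the System and Application logs, the
#    "dodgy" entries to look for.
foreach ($log in 'System', 'Application') {
    Get-EventLog -LogName $log -EntryType Error, Warning -Newest 25 |
        Format-Table TimeGenerated, Source, EventID, Message -AutoSize -Wrap
}
```

On XP most operating-system files are signed through catalog files rather than embedded signatures, so Get-AuthenticodeSignature reporting NotSigned for winlogon.exe there is expected and not by itself a finding; MatchesDllcache, InSystem32 and FileVersion are the columns that settle whether the file has been tampered with. CPUSeconds shows whether the time is being charged to winlogon itself or to one of the child processes in step 2, which is the same thing the Process Explorer tree view shows.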
(^~;?(Winlogon haunters are, generally speaking, true Trojans.)

Mostly they work as a Winlogon subprocess and not winlogon.exe itself. They are particularly malicious and stealthy. HJT may not be enough.

#12
November 26th, 2006, 08:20 PM
displeaser
Quote:
Originally Posted by megumi amatuka
(^~;?(Winlogon haunters are, generally speaking, true Trojans.)

Mostly they work as a Winlogon subprocess and not winlogon.exe itself. They are particularly malicious and stealthy. HJT may not be enough.


True, but Process Explorer may shed some light though. Is there anything newer than HJT that you've heard of, Megumi?

josephrot:
Still do a HJT scan and post the results here, check your event log, minimise your running services and see if the problem persists. If you still have the problem, can you check Process Explorer for anything unusual and also maybe post a screenshot of the winlogon process with its child apps/dlls/processes expanded.

Maybe run a Kaspersky online scan too (make a note of whatever it finds).

There's nothing else we can do really until we get more info from you.

Displeaser

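Megumi's point is that what loads inside or under winlogon matters more than winlogon.exe itself, which is what the O20 section of a HijackThis log (Winlogon\Notify subkeys and AppInit_DLLs) covers. The script below is an added example, not something posted in the thread: it dumps those Winlogon autostart points, plus the Userinit and Shell values, to a CSV so the list can be compared with a dump taken from one of the two machines josephrot says behave normally. It assumes Windows PowerShell run as an administrator; $OutFile and $ReferenceFile are names chosen for this example. Nothing is modified.

```powershell
# Added example (not from the thread): dump the Winlogon-related autostart
# entries that HijackThis reports under O20 (Winlogon\Notify subkeys and
# AppInit_DLLs), plus the Winlogon Userinit and Shell values, to a CSV and
# compare that dump with one taken from a known-clean machine.
# Assumes Windows PowerShell run as an administrator. $OutFile and
# $ReferenceFile are names chosen for this example.

param(
    [string]$OutFile = 'winlogon-autostarts.csv',
    [string]$ReferenceFile = ''      # CSV produced by this same script on a clean machine
)

$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$windowsKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

function Resolve-ModulePath([string]$Name) {
    # Registry values usually hold a bare file name; Windows looks it up in
    # system32 first and then in the Windows directory (e.g. Explorer.exe).
    $n = $Name.Trim()
    if ([System.IO.Path]::IsPathRooted($n)) { return $n }
    $candidate = Join-Path (Join-Path $env:SystemRoot 'system32') $n
    if (Test-Path -LiteralPath $candidate) { return $candidate }
    return (Join-Path $env:SystemRoot $n)
}

function Get-Sha256Hex([string]$Path) {
    # Hex SHA-256 of a file, or '' when the file is not there.
    if (-not (Test-Path -LiteralPath $Path)) { return '' }
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $hash  = [System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
    return ([System.BitConverter]::ToString($hash) -replace '-', '')
}

function New-Entry([string]$Source, [string]$Name) {
    $path = Resolve-ModulePath $Name
    New-Object PSObject -Property @{
        Source = $Source
        Path   = $path
        Exists = (Test-Path -LiteralPath $path)
        Sha256 = Get-Sha256Hex $path
    }
}

$entries = @()

# Winlogon\Notify: each subkey's DLLName is loaded into winlogon at logon.
$notifyKey = Join-Path $winlogonKey 'Notify'
if (Test-Path $notifyKey) {
    foreach ($sub in Get-ChildItem $notifyKey) {
        $dll = (Get-ItemProperty $sub.PSPath).DLLName
        if ($dll) { $entries += New-Entry "Notify\$($sub.PSChildName)" $dll }
    }
}

# AppInit_DLLs: space- or comma-separated DLLs loaded into every process that uses user32.dll.
$appInit = "$((Get-ItemProperty $windowsKey).AppInit_DLLs)"
foreach ($dll in ($appInit -split '[ ,]+' | Where-Object { $_ })) {
    $entries += New-Entry 'AppInit_DLLs' $dll
}

# Userinit and Shell: what winlogon starts after a successful logon.
$wl = Get-ItemProperty $winlogonKey
foreach ($value in 'Userinit', 'Shell') {
    foreach ($exe in ("$($wl.$value)" -split ',' | Where-Object { $_.Trim() })) {
        $entries += New-Entry $value $exe
    }
}

$entries | Sort-Object Source | Select-Object Source, Path, Exists, Sha256 |
    Export-Csv -Path $OutFile -NoTypeInformation
$entries | Sort-Object Source | Format-Table Source, Path, Exists -AutoSize

# Diff against the clean machine: an entry present only on this side, or one
# whose hash differs, is what to look at first.
if ($ReferenceFile -and (Test-Path -LiteralPath $ReferenceFile)) {
    $reference = Import-Csv -Path $ReferenceFile
    Compare-Object -ReferenceObject $reference -DifferenceObject $entries -Property Source, Path, Sha256 |
        Format-Table SideIndicator, Source, Path, Sha256 -AutoSize
}
```

Run it once on a normal machine to produce the reference CSV, then on the affected one with -ReferenceFile pointing at that CSV. Hash differences between an SP1 and an SP2 machine are expected for Microsoft's own DLLs, so compare like with like where possible; an extra Notify subkey, an AppInit_DLLs entry that the clean machine does not have, or a Userinit/Shell value pointing outside the Windows directory is the kind of difference that matters.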