Confused About Winlogon


JD

Mar 19, 2004, 4:45:51 PM
I infer from some recent posts that Winlogon is some kind of worm or virus.
Yet I have a Winlogon file in WNNT/System32 that surely seems legit.
File Version: 5.1.2600.1178
Copyright Microsoft Corporation
Created 12/31/79
Modified 3/3/03
Size 506 kb
In Task Manager it uses 516 kb of memory.

Is there a "rogue" version out there that one should be on the lookout for?


Nick

Mar 19, 2004, 5:03:46 PM
what....




purplehaz

Mar 19, 2004, 5:29:55 PM

winlogon - winlogon.exe - Process Information
Process File: winlogon or winlogon.exe
Process Name: Windows Logon Process
Description: Windows NT logon utility that manages user logons and logoffs.
The utility prompts you for the password when you log on and allows you to
log off or shut down.
Company: Microsoft Corp.
System Process: Yes
Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): No
Common Errors: N/A

JD

Mar 19, 2004, 8:20:42 PM
OK. Here's what I copied from a post in this ng a couple of days ago (Is
someone posting inaccurate information?):
Winlogon.exe
Category: Hijacker
Any software that resets your browser's settings to point to other sites.
Hijacks may reroute your info and address requests through an unseen site,
capturing that info. In such hijacks, your browser may behave normally, but
be slower. Homepage Hijackers will change your home page to some other site.
Error Hijackers will display a new error page when a requested URL is not
found.
Similar Pests: Hijacker
Date of Origin: July, 2003
WinLogonEXE: 0.0% of all pest reports (12 per 100,000 reports)
Storage Required: at least 1401KB
Browser Performance: Likely to slow performance of Internet Explorer.
Detection and Removal
PestPatrol removes this.
Manual Removal: Follow these steps to remove WinLogonEXE from your machine.
Begin by backing up your registry and your system, and/or setting a Restore
Point, to prevent trouble if you make a mistake.
Kill these running processes with Task Manager:
winlogon.exe
winlogon.unpacked.exe
Remove AutoRun Reference:
Go To the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
Unregister these DLLs with Regsvr32, then reboot:
systemroot+\cntrs.dll
systemroot+\csynth.dll
systemroot+\csyntht.dll
systemroot+\vlrs.dll
Remove these registry items (if present) with RegEdit:
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\winlogon
Remove these files (if present) with Windows Explorer:
systemroot+\cntrs.dll
systemroot+\csynth.dll
systemroot+\csyntht.dll
systemroot+\vlrs.dll
winlogon.exe
winlogon.exe.txt
winlogon.unpacked.exe

Sharon F

Mar 19, 2004, 9:28:49 PM
On Fri, 19 Mar 2004 17:20:42 -0800, JD wrote:

> OK. Here's what I copied from a post in this ng a couple of days ago (Is
> someone posting inaccurate information?):

Inaccurate info can happen but you may also be getting 2 truths that have
not been combined to tell the whole story.

Windows XP does have a file named winlogon.exe BUT there might be viruses
that add a second or third winlogon.exe to different folders than the one
that Windows normally uses. According to one response, there is one such
virus. Some quick research at a few of the antivirus websites and you can
confirm that (or not) for yourself.

Using the same names or similar names as those of normal system files is
one of the methods viruses (worms and whatever) will use to trick the user
into thinking everything is "okay" when they take a peek in Task Manager.
For example, there is at least one known virus that uses "winlogin.exe" as
its name.

Keeping virus definition files up to date is critical. Run a full system
scan now and then. These are usually more thorough than auto protection.
Also, another good idea is to become familiar with your system files (at
least the ones that normally show up in task manager).

--
Sharon F
MS-MVP ~ Windows XP Shell/User

JD

Mar 19, 2004, 10:06:48 PM
Thanks for the heads-up Sharon. I will watch for the Winlogin file.
I also run the full system scan automatically every week. So far I've been
lucky.

purplehaz

Mar 20, 2004, 8:32:11 AM
It may be a virus. Many viri have the same name or similar names to real xp
files. winlogon.exe is definitely a real xp file. There is also a virus
called Winlogon.exe. I think the key here is the windows file is all lower
case - winlogon.exe, and the virus has a capital W - Winlogon.exe.
If you suspect a virus, run a scan, if it comes up clean and your virus
definitions are updated then you're fine.

Alex Nichol

Mar 20, 2004, 12:41:45 PM
Sharon F wrote:

>Inaccurate info can happen but you may also be getting 2 truths that have
>not been combined to tell the whole story.
>
>Windows XP does have a file named winlogon.exe BUT there might be viruses
>that add a second or third winlogon.exe to different folders than the one
>that Windows normally uses. According to one response, there is one such
>virus. Some quick research at a few of the antivirus websites and you can
>confirm that (or not) for yourself.

The proper version ought to be in Windows\system32 (And possibly also
in Windows\servicepackfiles if SP1 is installed, though oddly it does
not appear to be in dllcache) Original windows version is 420Kbytes;
SP1 is 493


--
Alex Nichol MS MVP (Windows Technologies)
Bournemouth, U.K. Al...@mvps.D8E8L.org (remove the D8 bit)
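
Added example, not part of the thread or of any poster's message: a Python sketch of the check the replies above describe, flagging a `winlogon.exe` that sits outside `Windows\system32` and names that merely resemble it (such as `winlogin.exe`). The function names, the `C:\WINDOWS` system root, the one-character similarity threshold and the sample paths are assumptions made for illustration.

```python
import ntpath

PROTECTED = "winlogon.exe"   # the genuine file name discussed in the thread

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss names like winlogin.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(image_path, system_root=r"C:\WINDOWS"):
    """Return 'expected', 'wrong-location', 'lookalike' or 'unrelated'."""
    # Windows resolves file names case-insensitively, so normalise case first.
    path = ntpath.normcase(ntpath.normpath(image_path))
    folder, name = ntpath.split(path)
    expected = ntpath.normcase(ntpath.join(system_root, "system32"))
    if name == PROTECTED:
        return "expected" if folder == expected else "wrong-location"
    # Compare only the part before the first dot, so that both a one-letter
    # change and an extra suffix (winlogon.unpacked.exe) are caught.
    stem = name.split(".")[0]
    if edit_distance(stem, "winlogon") <= 1:
        return "lookalike"
    return "unrelated"

def review(paths, system_root=r"C:\WINDOWS"):
    """Return (path, verdict) for every path that deserves a closer look."""
    verdicts = ((p, classify(p, system_root)) for p in paths)
    return [(p, v) for p, v in verdicts if v in ("wrong-location", "lookalike")]

# Constructed sample listing (not taken from a real machine).
SAMPLE = [
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\WINDOWS\Winlogon.exe",
    r"C:\WINDOWS\system32\winlogin.exe",
    r"C:\WINDOWS\winlogon.unpacked.exe",
    r"C:\WINDOWS\system32\svchost.exe",
]

if __name__ == "__main__":
    for path, verdict in review(SAMPLE):
        print(f"{verdict:15} {path}")
```

A flagged path is only a prompt to inspect the file's version information and scan it; a copy kept under `Windows\servicepackfiles`, as mentioned above, would also be reported as `wrong-location` by this sketch.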