Author Topic: winlogon.exe problems  (Read 36502 times)

Guest

  • Guest
winlogon.exe problems
« Reply #20 on: May 29, 2004, 10:27:41 PM »
I have the same problem as well. To fix it I ended task on the svchost.exe (largest mb one; most are like 3 to 4 megs but there should be one that is around 15 to 20mbs). Once that is ended I saw no negative side effects and winlogon.exe quickly ceased to use up any cpu usage. I did check for viruses but Norton seems to only tell me I am clean......all I know my issue has to do directly with svchost

Another Guest

  • Guest
winlogon.exe problems
« Reply #21 on: May 30, 2004, 09:24:07 AM »
Well, I entered safe mode and deleted the virus from the source. It was a registry key. It seemed to work because it doesn't show up on Spy Sweeper nor Norton. However, I keep getting pop-ups from this CWS thing. I'm using Panda Active Scan now, though, for reassurance.

Guest

  • Guest
winlogon.exe problems
« Reply #22 on: May 30, 2004, 10:27:45 PM »
You need to download CWShredder to get rid of CoolWebSearch (CWS).

Download from here:

http://www.softpedia.com/public/cat/10/17/...10-17-150.shtml

james

  • Guest
winlogon.exe problems
« Reply #23 on: June 14, 2004, 05:41:22 AM »
Hey

AGV says I got a trojan downloader.small.gs and the infected file is winlogon.exe

I have tried just about everything to get rid of it but nothing is working

help would be much appreciated

cheers

James

Kenny

  • Guest
winlogon.exe problems
« Reply #24 on: June 14, 2004, 11:11:09 AM »
Hi.
Check out this page:

http://www.securemost.com/articles/trou_3_...ir_winlogon.htm
If you have trouble connecting, here's a short description:

It is a known technique that spyware, adware, viruses, keyloggers etc. use to hide from users - to drop files on the system that use the same name as a legitimate file but in a different directory. WinDir.winlogon locates a file winlogon.exe in %WinDir% on your system. The legitimate winlogon.exe file is located in %SystemDir%. Do not delete %WinDir%winlogon.exe unless you are 100% sure it is a threat.

If you find WINLOGON.EXE in your windows directory AND your Windows/System32 directory, try to rename WINLOGON.EXE in the windows dir.
It helped me.

Good luck
/KJ
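
Added example, not part of the thread or of any tool mentioned in it: the same-name, wrong-directory check described in the post above, run over the "Running processes" section of a HijackThis log. The sample log is constructed, and the install path `C:\WINDOWS` and the list of watched names are assumptions for an XP-era system.

```python
import ntpath

# Assumption: default Windows XP layout (%WinDir% = C:\WINDOWS).
WINDIR = r"C:\WINDOWS"
SYSTEM_DIR = ntpath.join(WINDIR, "system32")
# System binaries and the one directory each is expected to run from.
EXPECTED_DIR = {n: SYSTEM_DIR for n in (
    "winlogon.exe", "svchost.exe", "lsass.exe",
    "services.exe", "smss.exe", "rundll32.exe")}
EXPECTED_DIR["explorer.exe"] = WINDIR

# Constructed sample input, not the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows XP  (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Temp\svchost.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
"""

def running_processes(log_text):
    """Return the paths listed under 'Running processes:'."""
    paths, in_section = [], False
    for line in (l.strip() for l in log_text.splitlines()):
        if line.lower().startswith("running processes"):
            in_section = True
        elif in_section and line:
            paths.append(line)
        elif in_section and paths:
            break  # blank line ends the section
    return paths

def misplaced(paths):
    """Return (path, expected_dir) for watched names found elsewhere."""
    hits = []
    for p in paths:
        expected = EXPECTED_DIR.get(ntpath.basename(p).lower())
        # normcase makes the comparison case-insensitive, as on Windows.
        actual = ntpath.normcase(ntpath.normpath(ntpath.dirname(p)))
        if expected and actual != ntpath.normcase(expected):
            hits.append((p, expected))
    return hits

if __name__ == "__main__":
    for path, expected in misplaced(running_processes(SAMPLE_LOG)):
        print(f"REVIEW: {path} (expected under {expected})")
```

A hit is a prompt to inspect the file, not proof of infection; 8.3 short paths such as `C:\PROGRA~1` are compared as written and are not expanded.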

Teresa

  • Guest
winlogon.exe problems
« Reply #25 on: June 17, 2004, 09:29:42 AM »
My Zone Alarm recently keeps saying that bootvid.exe wants to access the internet.  I don't know what this program is, so I always Deny it.  Does anyone know what bootvid.exe is?  Should I allow it?  Delete?  ??
Thanks.
T

Guest

  • Guest
winlogon.exe problems
« Reply #26 on: June 17, 2004, 07:56:13 PM »
[quote name='Guest' date='May 29 2004, 09:27 PM']I have the same problem as well. To fix it I ended task on the svchost.exe (largest mb one; most are like 3 to 4 megs but there should be one that is around 15 to 20mbs). Once that is ended I saw no negative side effects and winlogon.exe quickly ceased to use up any cpu usage. I did check for viruses but Norton seems to only tell me I am clean......all I know my issue has to do directly with svchost[/quote]
 How do you actually end the svchost? And which one?  There are several in the task manager.

Guest

  • Guest
winlogon.exe problems
« Reply #27 on: June 18, 2004, 08:11:44 PM »
Oh, thank you for all the help. I believe everything will be alright now.
I d/l everything that all you have given me and did what you all said
just to be safe. To erase the svchost you delete the one which is taking all the memory. That's what I did, but then the winlogon.exe was giving me the problems, so use this
http://www.microsoft.com/technet/security/...n/ms04-011.mspx
That might work. Thank you all again, laters and take care.


                          "You got one life to live, so live it to the fullest."
                                                                 ---Dark Shadow---

Guest_guest

  • Guest
winlogon.exe problems
« Reply #28 on: June 26, 2004, 02:46:33 PM »
Hello
I was having the same problems with winlogon.exe and the pop-up messages. I had Ad-Aware, Spybot and CWShredder and kept finding dll files used with winlogon.exe and rundll32.exe. If you shut down rundll32.exe the pop-ups stop, but every time you reboot a new dll file will be created.
You have to show all files including hidden and system. I found vzdata.dll; once deleted, you solve the problem.

Isha

  • Guest
winlogon.exe problems
« Reply #29 on: June 30, 2004, 02:03:25 PM »
[quote name='Guest' date='May 7 2004, 11:26 AM']i have the same problem.. pls help me to ![/quote]
Hey, I had the same prob.. but I updated and ran Ad-Aware 6.0 and the thing is taken care of!
I'm so relieved!!

Guest_nick

  • Guest
winlogon.exe problems
« Reply #30 on: July 02, 2004, 03:09:10 PM »
just saw this thread.

winlogon.exe IS NOT sasser.  i work for ms in their pcsafety div.  i answer tech support lines for sasser and others all day long.

winlogon.exe, when infected, is the netsky.d worm.

sasser would give you an error with c:\windows\system32\lsass.exe when you attempt to get on the net.

there are also many other viruses that give this same error report, sdbot and korgo to name 2.

i can't stress enough to you guys that you MUST do windows update on a regular basis.  that is your best first defense for worms.

any questions, email quickquest88Email Removed (hopefully i won't get spammed).  i would be happy to help.  or call 1-866-pcsafety.  just a warning, not all agents are trained in all the virus/worm info.  some are smarter than others.  but we will be happy to help.

Edward - New Zealand

  • Guest
winlogon.exe problems
« Reply #31 on: July 04, 2004, 04:37:21 AM »
I have had similar problems. Sometimes a virus can corrupt the system so badly that the only way is to back up your data and re-install your operating system.
The best solution I can offer people out there is to install a good antivirus package, and keep it up to date!
I work in the computer industry and this is my recommendation if you want a top class package. THE ONLY ONE I RECOMMEND IS NOD32. It is fast, auto updates and has not failed me yet. Check out the reviews and tests with other packages.
www.nod32.com - You will not regret it. By the way, I do not work for them or get paid to promote their product.

xavi

  • Guest
winlogon.exe problems
« Reply #32 on: July 10, 2004, 08:33:59 PM »
[quote name='jellybean' date='May 4 2004, 01:28 PM']hi,
   I am having a lot of problems with my winlogon.exe taking my CPU usage up to 100%. Could somebody take a look at the HijackThis log below and indicate what the problem might be/what to get rid of or repair? I would greatly appreciate the help.
Regards
Jellybean

Logfile of HijackThis v1.97.7
Scan saved at 20:30:58, on 5/4/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\TrojanHunter 3.8\TrojanHunter.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Julie.Behan\My Documents\My Received Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/...gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = staff-proxy.ul.ie:8080
R3 - Default URLSearchHook is missing
O1 - Hosts: 207.36.196.189 ieautosearch
O3 - Toolbar: (no name) - {D2732C32-CF2F-4D54-A63F-BAC5D0170E13} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O3 - Toolbar: (no name) - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - (no file)
O3 - Toolbar: (no name) - {5D58EFB6-C0AA-4D0B-9945-149EDD1887A9} - (no file)
O3 - Toolbar: BORE TRANS TRAY - {636B5D20-CCC0-8375-EBE7-856641254CD1} - C:\PROGRA~1\DATAGR~1\Obj internet.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [shim camp] C:\PROGRA~1\idol boob readme\Elsenoun.exe
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [GreatDownloads] rundll32.exe  C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:GreatDownloads:t
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice95\Office\FASTBOOT.EXE
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: GreatDownloads (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/03da3f2158db6c2baa05/...ip/RdxIE601.cab
O16 - DPF: {6369C1DE-BC90-45FF-8A7A-EAE2651544C2} (OTASelect Class) - http://logo.vodafone.ie/owls/main/OWL2.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.org/fvlite/fvliteY.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...B?37648.1328125
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E15111B0-95AE-4C05-B91F-F4564057990C} (MovieSystem WAY) - http://62.210.175.216/cabs/msway.cab[/quote]
 delete: O4 - HKCU\..\Run: [GreatDownloads] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar

RESRUDEBOY

  • Guest
winlogon.exe problems
« Reply #33 on: August 04, 2004, 05:08:19 AM »
I've got the same problem, and reading this post helped a little. I'm guessing it's a virus of some sort, but so far there have been 3/4 different viruses mentioned.

Can anyone explain to me how to get into the OS with the winlogon error showing? It seems to pop up as soon as I boot up, then reboots when I click debug.

Guest

  • Guest
winlogon.exe problems
« Reply #34 on: August 14, 2004, 02:55:06 AM »
-------------------Solution-----------------------
Start in Safe mode by pressing F8 when booting when it says
Verifying DMI Pool Data or something like that. Choose boot in safe mode. If you have broadband, go to Internet and get all XP Patches and run a virus scan. *XP SP2 is out soon!* Log on as the Administrator.
Get the right patches and you are there!

C.G.
TMB International
http://www.tmb.net.tc