Author Topic: winlogon.exe problems  (Read 36506 times)

jellybean

  • Guest
winlogon.exe problems
« on: May 04, 2004, 02:28:03 PM »
hi,
   I am having a lot of problems with my winlogon.exe taking my CPU usage up to 100%. Could somebody take a look at the HijackThis log below and indicate what the problem might be/what to get rid of or repair? I would greatly appreciate the help.
Regards
Jellybean

Logfile of HijackThis v1.97.7
Scan saved at 20:30:58, on 5/4/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\TrojanHunter 3.8\TrojanHunter.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Julie.Behan\My Documents\My Received Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/...gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = staff-proxy.ul.ie:8080
R3 - Default URLSearchHook is missing
O1 - Hosts: 207.36.196.189 ieautosearch
O3 - Toolbar: (no name) - {D2732C32-CF2F-4D54-A63F-BAC5D0170E13} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O3 - Toolbar: (no name) - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - (no file)
O3 - Toolbar: (no name) - {5D58EFB6-C0AA-4D0B-9945-149EDD1887A9} - (no file)
O3 - Toolbar: BORE TRANS TRAY - {636B5D20-CCC0-8375-EBE7-856641254CD1} - C:\PROGRA~1\DATAGR~1\Obj internet.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [shim camp] C:\PROGRA~1\idol boob readme\Elsenoun.exe
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [GreatDownloads] rundll32.exe  C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:GreatDownloads:t
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice95\Office\FASTBOOT.EXE
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: GreatDownloads (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/03da3f2158db6c2baa05/...ip/RdxIE601.cab
O16 - DPF: {6369C1DE-BC90-45FF-8A7A-EAE2651544C2} (OTASelect Class) - http://logo.vodafone.ie/owls/main/OWL2.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.org/fvlite/fvliteY.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...B?37648.1328125
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E15111B0-95AE-4C05-B91F-F4564057990C} (MovieSystem WAY) - http://62.210.175.216/cabs/msway.cab
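
The kind of first-pass triage a helper would do on a log like the one above, shown as an added example that is not part of the original post: it parses HijackThis entry lines and flags a few structural oddities for manual review. The heuristics and the names `parse` and `triage` are assumptions made for this illustration, and the sample lines are excerpted from the log above.

```python
import re
from collections import Counter

# Lines excerpted from the HijackThis log posted above (sample input).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
O3 - Toolbar: (no name) - {D2732C32-CF2F-4D54-A63F-BAC5D0170E13} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [GreatDownloads] rundll32.exe  C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:GreatDownloads:t
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O16 - DPF: {E15111B0-95AE-4C05-B91F-F4564057990C} (MovieSystem WAY) - http://62.210.175.216/cabs/msway.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")             # e.g. "O4 - HKLM\..\Run: ..."
HOST = re.compile(r"https?://([^/\s]+)")               # host part of any URL in the entry
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(:\d+)?$")   # host is a literal IPv4 address

def parse(log):
    """Yield (section, body) per entry line; header and process-list lines are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(log):
    """Return [(section, reason, body)] for entries worth a manual look (assumed heuristics)."""
    entries = list(parse(log))
    # Count how often each host is written into IE start/search settings (R0/R1).
    r_hosts = Counter(h for sec, body in entries if sec in ("R0", "R1")
                      for h in HOST.findall(body))
    findings = []
    for sec, body in entries:
        host = HOST.search(body)
        if sec in ("R0", "R1") and host and r_hosts[host.group(1)] > 1:
            reason = "same site written to several IE start/search values"
        elif sec == "O3" and body.endswith("(no file)"):
            reason = "toolbar registered but its file is missing"
        elif sec == "O4" and "rundll32" in body.lower():
            reason = "autostart entry loads a DLL through rundll32"
        elif sec == "O10" and body.startswith("Unknown file"):
            reason = "unrecognised DLL in the Winsock LSP chain"
        elif sec == "O16" and host and IPV4.match(host.group(1)):
            reason = "ActiveX control fetched from a bare IP address"
        else:
            continue
        findings.append((sec, reason, body))
    return findings

if __name__ == "__main__":
    for sec, reason, body in triage(SAMPLE_LOG):
        print(f"{sec:4} {reason}: {body}")
```

A flag here is a prompt to look the entry up by hand, not a verdict that it is malicious.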

Guest

  • Guest
winlogon.exe problems
« Reply #1 on: May 07, 2004, 12:26:51 PM »
I have the same problem.. pls help me too!

Guest

  • Guest
winlogon.exe problems
« Reply #2 on: May 09, 2004, 11:57:31 AM »
My XP computer is having the same problem; the computer is so slow, that I've been waiting for safe mode to start up now for 90 minutes and winlogon is still eating up all the cpu usage.

supakit

  • Guest
winlogon.exe problems
« Reply #3 on: May 09, 2004, 12:55:39 PM »
I have a problem: winlogon uses 100% of the processor when I connect to the internet.
So I solved the problem by installing ZoneAlarm software and blocking winlogon.exe from connecting to the internet. That solves the problem, but I want to know how to remove or repair that file or problem.

Guest

  • Guest
winlogon.exe problems
« Reply #4 on: May 13, 2004, 01:00:52 AM »
Try scanning for the Netsky virus.. a removal tool can be downloaded from www.sarc.com

Guest

  • Guest
winlogon.exe problems
« Reply #5 on: May 13, 2004, 10:13:09 AM »
I can do nothing on the computer.  Winlogon.exe completely ties up resources and no other process will respond.  I can open task manager, but it will not kill winlogon.exe.

mprett

  • Guest
winlogon.exe problems
« Reply #6 on: May 14, 2004, 03:58:47 PM »
I have the same problem with winlogon.exe. My firewall also tells me that winlogon is trying to connect to a DNS at start-up. Should this be happening?

DarkPrynce

  • Guest
winlogon.exe problems
« Reply #7 on: May 19, 2004, 08:51:49 PM »
God dammit, I got the same thing. I thought it was like a trojan or something because I had a bootvid.exe just recently that was a trojan that got on my comp, but it was there for a real long time before things happened and I don't want this to be on my comp for a long time. When I try to end the process it says it can't close, like it's an important program or something. It's under owner, not system, in Task Manager. I'm an XP user. Will someone help please?

Guest

  • Guest
winlogon.exe problems
« Reply #8 on: May 20, 2004, 09:57:08 AM »
It is the Netsky D worm; use the CLRAV utility from Kaspersky Labs.
I had the same problem today on a client laptop, solved.

The utility can be downloaded from ftp://ftp.kaspersky.com/utils/clrav/

fido_ri@Email Removed

Guest

  • Guest
winlogon.exe problems
« Reply #9 on: May 21, 2004, 08:54:04 AM »
Tried scanning for the NETSKY worm, but couldn't find it. Can it be something else?

Dave Towne

  • Guest
winlogon.exe problems
« Reply #10 on: May 23, 2004, 01:34:50 PM »
Norton Antivirus reports that my copy of WinLogon.exe is infected but doesn't fix it automatically.

I suspect that the problems reported are all due to an infection in this file.

Question is: how to get a clean copy / restore a clean copy of this program.

Nancy

  • Guest
winlogon.exe problems
« Reply #11 on: May 25, 2004, 05:31:14 PM »
[quote name='Dave Towne' date='May 23 2004, 12:34 PM']Norton Antivirus reports that my copy of WinLogon.exe is infected but doesn't fix it automatically.

I suspect that the problems reported are all due to an infection in this file.

Question is: how to get a clean copy / restore a clean copy of this program.[/quote]
My home computer suddenly came up with an error message:
"winlogon.exe - Application Error"
Whether I click OK, CANCEL or just click the X to close it, it reboots my computer.

I have been doing research on my computer at work.  It may be a Sasser Worm.  I have printed out all kinds of instructions.  Does anyone have the same problem?  If so, do you have some data or a solution?

Microsoft says to go to Task Manager, end the task, then install the Microsoft Security Bulletin MS04-011

Thanks . . . Nancy

Guest

  • Guest
winlogon.exe problems
« Reply #12 on: May 25, 2004, 11:41:43 PM »
[quote name='Nancy' date='May 25 2004, 04:31 PM'][quote name='Dave Towne' date='May 23 2004, 12:34 PM']Norton Antivirus reports that my copy of WinLogon.exe is infected but doesn't fix it automatically.

I suspect that the problems reported are all due to an infection in this file.

Question is: how to get a clean copy / restore a clean copy of this program.[/quote]
My home computer suddenly came up with an error message:
"winlogon.exe - Application Error"
Whether I click OK, CANCEL or just click the X to close it, it reboots my computer.

I have been doing research on my computer at work.  It may be a Sasser Worm.  I have printed out all kinds of instructions.  Does anyone have the same problem?  If so, do you have some data or a solution?

Microsoft says to go to Task Manager, end the task, then install the Microsoft Security Bulletin MS04-011

Thanks . . . Nancy [/quote]
welcome to may 25th - the day the virus hit.
something's going around, and no one's sure what it is.

try booting your system w/ your network cable unplugged - that'll at least get you up & running. once you're in, go to start -> control panel -> network connections, then disable your local area connection.  until there is a fix, this will allow you to reboot your computer w/o an error message being generated.  however, you will not be able to access the internet. :)

finally, if you boot the system w/ your network connection disabled, you can open task manager (right click on the taskbar @ the bottom of your screen and go to task manager) and end any rundll32 processes that are currently running.  then, you can re-enable your network connection, plug the network cable in, and access the internet.  just MAKE SURE to disable your network connection again before you shut down.

i imagine there WILL be a fix, eventually...  they just have to figure out what it is, how it's getting in, and how to keep it out.  good luck, nancy!

sasser generates an error message about lsass.

Nelson

  • Newbie
winlogon.exe problems
« Reply #13 on: May 26, 2004, 10:24:44 AM »
Hi Nancy

It is rather likely that you do in fact have a Sasser variant. If this is the case, you should go to the following web page and follow the instructions in the recovery section about halfway down the page.

http://www.microsoft.com/technet/security/...rts/sasser.mspx

According to Microsoft this should solve your problem.

Nelson

BrusLi

  • Guest
winlogon.exe problems
« Reply #14 on: May 26, 2004, 02:37:06 PM »
i had problem.. reboot... :)
and i apparently fixed it with SPY S&D....

Christian

  • Guest
winlogon.exe problems
« Reply #15 on: May 27, 2004, 03:11:59 PM »
For the people at the beginning of this thread... do you run Ad-Aware & Spybot? Both freeware & excellent for cleaning out data miners & tracking components. Data miners & tracking components, to my understanding, will eat up resources within your computer. You also need to delete all toolbars & toolbuttons as well because they are tracking components within your browser. Delete startup registry keys for anything you don't need to run continuously... such as Real scheduler, QuickTime, CD utilities, Messenger Service (a must do unless you use MSN Messenger like you use your left hand; first go to Messenger preferences & uncheck to start when Windows boots).
Then if you're running XP or 2000 and would like to further tweak, go to BlackViper.com and look for Windows Service Configurations! Includes complete explanations of each service and advice on which services you can safely disable.

Pako

  • Guest
winlogon.exe problems
« Reply #16 on: May 29, 2004, 01:38:44 AM »
Yes, I had this problem not so long ago.  It began by eating up my resources.  A couple of days later, I had the winlogon.exe problem at startup and I always had to reboot.  Tried to reinstall WinXP and I couldn't load my computer anymore (0x00000007b).  Had to load using last settings that worked, fix the problem (IDE channels problem apparently) and then winlogon.exe began eating up my resources again.

I bought and installed ZoneAlarm pro and disabled winlogon.exe access to the internet, and that solved the problem just great.  Apparently it is some type of Trojan/backdoor that loads something on the net, eating up the resources.  

So, as people previously said, try loading your computer while being disconnected from the internet.  If you absolutely must use the internet, buy ZoneAlarm until a fix is found.

The main point of this post is to sum up previous ones and advise people NOT to try reinstalling XP.

Pako

  • Guest
winlogon.exe problems
« Reply #17 on: May 29, 2004, 01:45:58 AM »
As for Microsoft suggesting Nancy to end the task, how the hell are you supposed to end winlogon.exe ?  It is system.

another guest

  • Guest
winlogon.exe problems
« Reply #18 on: May 29, 2004, 02:00:04 PM »
I'm having kind of the same problem.  I run auto protect on Norton and it said I had a trojan.  It couldn't remove it, so I tried to remove it with spysweeper. It says I have Captain Menmo and Winlogon trojan.  I quarantine them and delete them, but they just keep showing up.  I don't know if this is related at all to this topic, but could someone help?

Pako

  • Guest
winlogon.exe problems
« Reply #19 on: May 29, 2004, 04:27:48 PM »
Remove spysweeper from your computer and download Spybot S&D instead.  If this still doesn't work, try Ad-aware (they are both freeware).

As for virus scanning, try Panda ActiveScan.  It is an online scanning device that bypasses the ability of some virii to lock the anti-virus.

If your computer remains infected, you will have to note on a piece of paper which files you need to delete using Norton and delete them with WinXP recovery console (load from the WinXP installation cd and press R when you are prompted to do so).

Winlogon infections seem to be related somewhat with VX2.BetterInternet.  You can download VX2Finder and save a log.  Copy and paste the log back here and I will help you as I can.