Support Forum Articles File Help Startup DB Tips Service DB Hijack This! Analyzer

 

HijackThis automated log analyzer! Submit a log and you will receive ALL the information we have in our DB's on everything on your system INSTANTLY!

Winlogon.exe


Click here to scan for Winlogon.exe Related Errors and Optimize PC performance

What is it?
Windows Logon Process - Winlogon.exe

What does it do?
Direct Quote from here:
This is the process responsible for managing user logon and logoff. Moreover, Winlogon is active only when the user presses CTRL+ALT+DEL, at which point it shows the security dialog box.

Search MS for more info: Link

Virus Precaution:
The original Winlogon.exe from Microsoft gets placed in the C:WINDOWSSystem32 directory. if you find it anywhere else then you should be suspicious for sure.

You'll want to keep an eye on this google search for any known viruses. We've been able to find only 1 report of a virus so far.

Troj/Madr-B @ Sophos
Netsky.D @ Trend Micro

Fix Winlogon.exe Errors: Free Scan

Recommended: Run a Free Performance Scan to automatically optimize memory, CPU and Internet Settings




Winlogon.exe is a Windows System File and should be in a system directory. If it is then this application is safe.

Startup DB Entries:
[CueX44_stil_here]"Added by the PUNYA-A WORM! Note - this is not the legitimate winlogon.exe processb
[Firewall auto setup]"Added by the AGENT-EDB TROJAN! Note - this is not the legitimate winlogon.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Temp%" b
[ICQ Net]"Added by variants of the NETSKY WORMS! Note - this is not the legitimate winlogon.exe process which should not appear in Msconfig/Startup!" b
[ICQNet]"Added by the NETSKY-C WORM! Note - this is not the legitimate winlogon.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%" b
[Microsoft Windows Logon Process]"Added by the PROXYSER-R TROJAN! Note - this is not the legitimate winlogon.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%" b
[nvchost]"Added by the KLONE-J TROJAN! Note - this is not the legitimate winlogon.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%" b
[PaRaY_VM]"Added by the AUTORUN-DV WORM! Note - this is not the legitimate winlogon.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a ~A~m~B~u~R~a~D~u~L~ subfolder" b
[RealTimeProtector]"Added by the AUTORUN.DIB WORM! Note - this is not the legitimate winlogon.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a ~A~m~B~u~R~a~D~u~L~� subfolder" b
[RPCserr32g]"Added by the RITDOOR-B WORM! Note - this is not the legitimate winlogon.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%" b
[runwinlogon]"Added by the AGENT.TQY TROJAN! Note - this is not the legitimate winlogon.exe processb
[SmansaApp]"Added by the ROMARIO-A WORM! Note - this is not the legitimate winlogon.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%" b
[srv]"Added by the SILLYFDC.BCA WORM! Note - this is not the legitimate winlogon.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %UserProfile%\Local Settings\Application Data" b
[urudjeffni]"Added by the ROMARIO-A WORM! Note - this is not the legitimate winlogon.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%" b
[WinAuth]"Added by the STRTPAGE.BE TROJAN! Note - this is not the legitimate winlogon.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%" b
[Window UDP Control Servic]"Added by the RBOT-GXN WORM! Note - this is not the legitimate winlogon.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%" b
[Windows ARP Detectioncx]"Added by a variant of the IRCBOT BACKDOOR! Note - this is not the legitimate winlogon.exe process which is always located in %System% and should not normally figure in Msconfig/Startup!" b
[Windows Log Agent]"Added by the KEYLOGGER.AVK TROJAN! Note - this is not the legitimate winlogon.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %ProgramFiles%\Common Files" b
[Windows Logon Applicationedc]"Added by the DWNLDR-HGR TROJAN! Note - this is not the legitimate winlogon.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %UserProfile%" b
[Windows Logon Applicatonedc]"Added by the VB-EBV TROJAN! Note - this is not the legitimate winlogon.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %UserProfile%" b

Service DB Entries:
NTSVCMGR Other files in the same directory identified as Win32.Iroffer.b by Kasperksy
NTP (Network Time Protocol) Added by the Troj/Jtram-D TROJAN! Note: This trojan file is found in the System32Client folder.
NTLOAD Other files in the same directory identified as Win32.Iroffer.b by Kaspersky
NTCHARGE Related to Microsoft Internet Information Services (IIS).
Network Client (nwclntg) Added by the Boxed.E TROJAN!
Windows Kernel Services Added by an unknown variant of a backdoor TROJAN! Note: This worm rojan is located in C:%WINDIR% Do
windows logon Added by an unidentified TROJAN! of the Sdbot family. Note: This worm rojan is located in C:%WINDIR%
Windows NT Added by an unidentified TROJAN! of the Sdbot family. Note: This worm rojan is located in C:%WINDIR%
Windows NT Logon Application (WINLOGON) Added by an unidentified TROJAN! of the Sdbot family. Note: This worm rojan is located in C:%WINDIR%
Windows Process Viewer (The Windows Process Viewer) Added by an unidentified TROJAN! of the Sdbot family. Note: This worm rojan is located in C:%WINDIR%
Windows XP Advanced User Launcher Added by the SDBOT.CPV WORM! Note: This is not the legitimate Windows process WINLOGON.EXE (Which is

Disclaimer

Every attempt has been made to ensure the information about Winlogon.exe is accurate but alot of malware applications try to pose as valid applications. If it is something other than what was posted above please leave some feedback in the forum.
Printer Friendly

User Comments
kurthrob@aol.comI have an instance of winlogon.exe (with an L, or so it seems) that keeps making my virus scanner pop up with this infor mation ldC992.tmp C:\windows\system32\1024 fakeAlert-B trojan deleted winlobon.exe I would just like to know how to stop the occurance from happening. Please help if you can. kurthrob@aol.com
TomThe program itself is a worm that can spread through any removible stoarge device. Do some reserch before u ask a question!
Windows Files
lsass.exe | csrss.exe | alg.exe | dwwin.exe | Svchost.exe | Spoolsv.exe | wowexec.exe | cidaemon.exe | wmiprvse.exe | ctfmon.exe | Winlogon.exe | wuauclt.exe | Smss.exe | msmsgs.exe | rundll32.exe | mdm.exe | ntvdm.exe | wscntfy.exe | explorer.exe | ntdll.dll | iexplore.exe | msdxm.ocx | wisptis.exe | wdfmgr.exe | MsiExec.exe | PDVDServ.exe | DLLhost.exe | gcasdtserv.exe | shdoclc.dll | Winmgmt.exe | cisvc.exe | oleaut32.dll | taskmgr.exe | inetinfo.exe | Shell32.dll | mspmspsv.exe | internat.exe | hal.dll | comctl32.dll | mstask.exe |