Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


winlogon.exe infected?

  • Please log in to reply
5 replies to this topic

#1 squall55


  • Members
  • 3 posts
  • Local time:11:48 AM

Posted 01 August 2011 - 02:31 PM

I believe my winlogon.exe is infected. Here is what I am seeing. This has only started recently, I would say in the last day or two. I have my wireless connection or direct connection running and the system is running fine.

I have my Windows Task Manager running on the Processes Tab. At random points, i see the winlogon.exe, jump to 90-100% cpu, the system becomes very slow. I can move the mouse but it takes time for it to move.

The second I disconnect from the network, winlogon drops to normal values and the system is ok again. I can then turn the internet back on again and things will be ok for awhile before it starts again. Again, the timing is random when winlogon gets into high cpu.

I do have Ad-Aware, Spybot, Malwarebytes and Norton on, but none have been able to capture anything that's out of the ordinary. I searched my computer for all the winlogon.exe and found 4 of them:

c:\Documents and Settings\<my profile>\My Documents\Startup\i386 (496kb, 4/13/2008 8:12pm)
c:\WINDOWS\$NtServicePackUninstall$ (491kb, 8/12/2004 10:09am)
c:\WINDOWS\system32 (496kb, 4/13/2008 8:12pm)
c:\WINDOWS\ServicePackFiles\i386 (496kb, 4/13/2008 8:12pm)

I am running windows xp service pack 3.

Any help would be appreciated.

BC AdBot (Login to Remove)


#2 Broni


    The Coolest BC Computer

  • BC Advisor
  • 42,738 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:09:48 AM

Posted 01 August 2011 - 09:02 PM

Welcome aboard Posted Image

Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders, UN-check "Hide protected operating system files".
NOTE. Make sure to reverse the above changes, when done with this step.
Upload following files to http://www.virustotal.com/ for security check:
- C:\Windows\System32\winlogon.exe
IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE


#3 squall55

  • Topic Starter

  • Members
  • 3 posts
  • Local time:11:48 AM

Posted 02 August 2011 - 07:43 PM

Here are the results from the scan:

3 VT Community user(s) with a total of 5963 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name:
Submission date:
2011-08-03 00:31:22 (UTC)
Current status:
queued queued analysing finished
0/ 43 (0.0%)

VT Community

Safety score: 100.0%
Print results
Antivirus Version Last Update Result
AhnLab-V3 2011.08.02.01 2011.08.02 -
AntiVir 2011.08.02 -
Antiy-AVL 2011.08.02 -
Avast 4.8.1351.0 2011.08.02 -
Avast5 5.0.677.0 2011.08.02 -
AVG 2011.08.02 -
BitDefender 7.2 2011.08.03 -
CAT-QuickHeal 11.00 2011.08.02 -
ClamAV 2011.08.02 -
Commtouch 2011.08.03 -
Comodo 9609 2011.08.03 -
DrWeb 2011.08.03 -
Emsisoft 2011.08.02 -
eSafe 2011.08.01 -
eTrust-Vet 36.1.8479 2011.08.02 -
F-Prot 2011.08.03 -
F-Secure 9.0.16440.0 2011.08.03 -
Fortinet 2011.08.03 -
GData 22 2011.08.03 -
Ikarus T3. 2011.08.03 -
Jiangmin 13.0.900 2011.08.02 -
K7AntiVirus 9.109.4973 2011.08.02 -
Kaspersky 2011.08.03 -
McAfee 5.400.0.1158 2011.08.03 -
McAfee-GW-Edition 2010.1D 2011.08.02 -
Microsoft 1.7104 2011.08.02 -
NOD32 6345 2011.08.02 -
Norman 6.07.10 2011.08.02 -
nProtect 2011-08-02.01 2011.08.02 -
Panda 2011.08.02 -
PCTools 2011.08.03 -
Prevx 3.0 2011.08.03 -
Rising 2011.08.02 -
Sophos 4.67.0 2011.08.02 -
SUPERAntiSpyware 2011.08.03 -
Symantec 20111.1.0.186 2011.08.03 -
TheHacker 2011.08.02 -
TrendMicro 2011.08.02 -
TrendMicro-HouseCall 2011.08.03 -
VBA32 2011.08.02 -
VIPRE 10045 2011.08.03 -
ViRobot 2011.8.2.4601 2011.08.02 -
VirusBuster 2011.08.02 -

#4 Broni


    The Coolest BC Computer

  • BC Advisor
  • 42,738 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:09:48 AM

Posted 02 August 2011 - 08:06 PM

Looks normal.

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.


Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE


#5 squall55

  • Topic Starter

  • Members
  • 3 posts
  • Local time:11:48 AM

Posted 03 August 2011 - 09:09 PM

Thanks Broni for all your help!!!

After I ran the first set of steps and that came back negative, I began to wonder if I might actually be chasing a red herring. As it turns out I don't see this problem at home, when I am on my wireless internet or connected directly to my router.

However, when I am at work with my laptop and use my works wireless the problem shows up. It happened again today when I was at work, but did not show itself in the same way with the winlogon. So I think the problem is somehow related to my works wireless connection.

So at this point, I think I will say that I do not have a problem with winlogon, but with my works wireless.

Thank you however for all you help and guidance, if the problem re-appears at my home wireless/direct connection to my router, I will try the next steps you have put here in this thread.

Thanks again!!!

#6 Broni


    The Coolest BC Computer

  • BC Advisor
  • 42,738 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:09:48 AM

Posted 03 August 2011 - 09:11 PM

Very well :)
Good luck!

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users