# Windows/Winlogon.exe issue



## PRSF (Jul 11, 2008)

Hi Everyone, first post here on these forums

I am having an issue recently with what I think is some sort of infection.

I am running nod32 v2.7 currently; it found some type of threat recently, NU_threat? At the time I was running COMODO firewall (which I have now uninstalled, POS IMO). nod32 said it removed that threat (not sure if it's related to this issue I'm having now).

Windows XP Home: when I removed the COMODO firewall and went back to Windows Firewall I noticed in the exceptions there is one called c:/windows/winlogon.exe. I know winlogon is part of Windows in the system32 folder and that if it resides in the Windows folder it's generally some type of threat. It's greyed out and has a check mark beside it in the Windows Firewall, meaning I cannot unselect it from being allowed.

Ad-aware has found nothing, nod32 has found nothing, I ran a Kaspersky scan using its online tool, it found a threat but I was unable to see what it was nor remove it. I'm about to reload Windows right now, I'm so annoyed with it.

Is this an issue I should be concerned about, is the security of my computer compromised? 

I have and do regularly run HijackThis; I work as a tech and can usually determine what is OK and what's not on the logs. I did fix two issues that had to do with windows/winlogon; they are still in the backup area of HJT and if I try to remove them from there they just come back next time I open up HJT.

I'm looking at purchasing Kaspersky or even ESET Smart Security, not sure which one I should go for yet, as my nod32 is currently an out-of-date version.

Anyway, sorry for the long post, any help would be greatly appreciated

Thanks


----------



## johnwill (Sep 26, 2002)

You should ALWAYS run an up to date virus scanner, if you like NOD32, consider ESET Smart Security. I run that here, so far it's been fine.


----------



## PRSF (Jul 11, 2008)

I've recently installed Kaspersky 7.0 IS and removed a few things. Even though I have that program running a firewall, if I look under the Windows Firewall in the control panel (though it is turned off), it still shows the c:/windows/winlogon.exe, which is still greyed out and cannot be deselected.

Do you think this still poses a potential threat?

Thanks


----------



## ckhoo (Feb 15, 2009)

Kaspersky didn't detect the infection on my machine as well. To verify that you have been infected, you'll need to do the following:


Step 1: Find the winlogon.exe process ID
Open up the task manager (right click on the task bar and select 'Task manager')
Enable the PID (process ID) column. By default, the task manager does not list the running process ID. If you don't have it:
In the program menu, select View->Select columns... A select columns dialog should appear.
Check the box next to PID and click on OK to apply the change.

Go to the process list (the Process tab in the task manager)
Look for winlogon.exe in the 'Image Name' column and record down its associated PID.

Step 2: Check to see if winlogon is establishing any suspicious connections. It should not be connecting to any external location.
Open up a command line window (Start->Run..., then execute 'cmd' to open a command line window).
List all the active net connections on your PC. In the command line window, type 'netstat -a -o'. This will list out all the active connections and the process that used them.
Look for the winlogon.exe process ID in the active connections list. If you see it, you're infected.


In my case, the infection was connected to an IP address hosted at sbcglobal.net (a Yahoo! domain). The 'fake' winlogon.exe is deployed in windows\winlogon.exe instead of windows\system32\winlogon.exe. The virus can't replace the original because it's a fundamental part of your O/S.

If you have the virus, here's how you clean it manually. Note, this is not for the faint of heart.

Step 1: Stop the fake winlogon.exe process from launching
Launch the registry editor (Start->Run, then execute 'regedit').
Go to My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Look for the 'Shell' entry. The original entry should only say 'Explorer.exe'. If it says 'Explorer.exe c:\windows\winlogon.exe' or something to that effect, you need to change it back to just say 'Explorer.exe'.
Make a note of where the fake winlogon.exe is deployed to. We're going to erase the file in the next step.

Step 2: Boot in windows safe mode
Restart the operating system.
While it's booting, hold down F8. It should bring up the boot menu.
Select the Safe mode option and follow through on all the menus until the operating system launches.
If you're successful, the desktop should have the words 'safe mode' or something to that effect displayed.

Step 3: Delete the infection
Go to the offending file location. For me it was c:\windows\winlogon.exe. WARNING: DO NOT DELETE c:\windows\system32\winlogon.exe - this is the original O/S winlogon executable.
Delete the file. If you're not able to delete it, then the infection is active and you'll need to start from the beginning again.
Once it's deleted, reboot your machine as normal.

Step 4: Verify that the infection is clean by following the detection instructions.

I hope this is helpful.
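
An added check that mirrors ckhoo's two manual steps (example code, not from anyone in this thread): it parses a constructed 'netstat -a -o' dump, flags connections owned by a given PID that reach an outside address, and validates the Winlogon 'Shell' value. The sample output, addresses and PIDs are constructed; nothing here touches a live registry or network.

```python
import ipaddress
# Constructed sample shaped like Windows XP 'netstat -a -o' output (not real).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     1204
  TCP    192.168.1.5:1044       203.0.113.10:80        ESTABLISHED     612
  TCP    192.168.1.5:1051       203.0.113.77:6667      ESTABLISHED     1204
  UDP    0.0.0.0:445            *:*                                    4
"""

def parse_netstat(text):
    """Parse netstat -a -o lines into dicts; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        if len(parts) == 5:
            proto, local, remote, state, pid = parts
        else:
            proto, local, remote, pid = parts
            state = ""
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows

def is_external(endpoint):
    """True for a real remote host; wildcard, unspecified and loopback
    placeholders are not. A resolved hostname (no -n) counts as external."""
    host = endpoint.rsplit(":", 1)[0]
    if host == "*":
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not (ip.is_loopback or ip.is_unspecified)

def external_connections_for_pid(text, pid):
    """Step 2 of the detection: connections owned by the winlogon.exe PID
    that reach outside the machine. A genuine winlogon.exe yields none."""
    return [r for r in parse_netstat(text)
            if r["pid"] == pid and is_external(r["remote"])]

def shell_value_is_clean(value):
    """Winlogon 'Shell' must be exactly Explorer.exe; extra tokens are hooks."""
    return value.strip().lower() == "explorer.exe"
```

Run it against the real output of 'netstat -a -o' with the PID recorded in Step 1; a non-empty result from external_connections_for_pid, or a False from shell_value_is_clean on the actual registry value, is the signal ckhoo describes.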


----------

