Winlogon.exe

Bill P · Dec 10, 2008

Hi
I have WinPatrol installed and it has started to detect a new auto startup
program / C:\Documents and Settings\HP_Owner\winlogon.exe/ and is asking if
this prog is approved to run each time I login or restart.

I am not sure whether or not this is a trojan or whether it is genuine. I
believe the genuine one is in C\Windows\System 32.
Does anyone have any guidance? At the moment I am not approving it when
WinPatrol flags it up.
Regards Bill

Bill P · Dec 10, 2008

PS
WinXP Home SP3

Olórin · Dec 10, 2008

Bill P said:
PS
WinXP Home SP3

What have your researches so far turned up?

Did you make any changes to your system just before this started happening?

What, if any, anti-virus and anti-malware protection do you have in place?

Try uploading the file to www.virustotal.com to see what a wide selection of
AVs think of it.

How is this file being started - from the Start Menu, registry etc? Does
WinPatrol say or can you otherwise find out?

If you've made no changes and don't know what this file is, certainly
continue blocking it from starting for now.

Bill P · Dec 10, 2008

Olórin said:
What have your researches so far turned up?

Did you make any changes to your system just before this started
happening?

What, if any, anti-virus and anti-malware protection do you have in place?

Try uploading the file to www.virustotal.com to see what a wide selection
of AVs think of it.

How is this file being started - from the Start Menu, registry etc? Does
WinPatrol say or can you otherwise find out?

If you've made no changes and don't know what this file is, certainly
continue blocking it from starting for now.

Hi Olorin
Thanks for responding.
I downloaded a prog from the internet from a p2p site (I know it is dodgy
but I scanned it with Norton before installing and it found nothing.)
After installation the WinLogon popups started from WinPatrol. It was being
started from the Start menu. In the Active Tasks list the genuine WinLogon
in System32 was running, therefore I have assumed that the one in
C\Documents and settings\HP Owner folder was an intruder.
I have just done a system restore and low and behold the spurious file has
disappeared and the popups have stopped.
Regards Bill

Gerry · Dec 10, 2008

Bill

You need to be far more careful with the way you handle email.
http://www.neuber.com/taskmanager/process/winlogon.exe.html
http://www.symantec.com/security_response/writeup.jsp?docid=2004-030110-0232-99&tabid=2

What you got was relatively easy to remove but lately there are far more
problematic nasties coming in by the same route.

--

Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~

Bill P · Dec 11, 2008

Hi Gerry
I didn't pick that particular nasty up via email. It came from a dodgy
program I downloaded from a p2p website.
Regards Bill