Is winlogon.exe a virus and WinLogon.exe a windows utility?

Anonymous
June 11, 2005 10:57:04 AM

Archived from groups: microsoft.public.windowsxp.general (More info?)

I've been seeing winlogon.exe running and was not sure what it was. I found
an answer on www.liutilities.com that has me puzzled. The site describes a
possible relationship between winlogon and WinLogon as follows:

Process File: winlogon or winlogon.exe
Process Name: Microsoft Windows Logon Process

Description:
WinLogon.exe is the Windows NT login manager. It handles the login and
logout procedures on your system. This process is an essential part of your
OS and should be left alone. Note: winlogon.exe is a process which is
registered as the W32.Netsky.D@mm worm. This virus is distributed via the
Internet through e-mail and comes in the form of an e-mail message, in the
hopes that you open its hostile attachment. The worm has its own SMTP
engine which means it gathers E-mails from your local computer and
re-distributes itself. In worst cases this worm can allow attackers to access
your computer, stealing passwords and personal data. It is a registered
security risk and should be removed immediately. Please see additional
details regarding this process"

If I read the above correctly, it's saying that a process called winlogon.exe
without the caps found in WinLogon.exe is the virus.

I'd like some clarification and/or verification of the above, if possible.

Pyramid36
Anonymous
June 11, 2005 12:25:37 PM

The real winlogon.exe is in
C:\WINDOWS\system32\dllcache
and
C:\WINDOWS\system32

The other winlogon.exe would be in
C:\WINDOWS

W32.Netsky.D@mm
http://securityresponse.symantec.com/avcenter/venc/data...

Update your antivirus software and run a complete system scan if you're
concerned.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In news:4CCD54E6-6ACA-410B-BBC5-618544E8234C@microsoft.com,
Pyramid 36 <Pyramid36@discussions.microsoft.com> hunted and pecked:
> I've been seeing winlogon.exe running and was not sure what it was. I
> found an answer on www.liutilities.com that has me puzzled. The site
> describes a possible relationship between winlogon and WinLogon as follows:
>
> Process File: winlogon or winlogon.exe
> Process Name: Microsoft Windows Logon Process
>
> Description:
> WinLogon.exe is the Windows NT login manager. It handles the login and
> logout procedures on your system. This process is an essential part of
> your OS and should be left alone. Note: winlogon.exe is a process which is
> registered as the W32.Netsky.D@mm worm. This virus is distributed via the
> Internet through e-mail and comes in the form of an e-mail message, in the
> hopes that you open its hostile attachment. The worm has its own
> SMTP engine which means it gathers E-mails from your local computer and
> re-distributes itself. In worst cases this worm can allow attackers to
> access your computer, stealing passwords and personal data. It is a
> registered security risk and should be removed immediately. Please see
> additional details regarding this process"
>
> If I read the above correctly, it's saying that a process called
> winlogon.exe without the caps found in WinLogon.exe is the virus.
>
> I'd like some clarification and/or verification of the above, if possible.
>
> Pyramid36
June 11, 2005 2:17:01 PM

Pyramid 36 wrote:
>> I've been seeing winlogon.exe running and was not sure what it was.
>> I found an answer on www.liutilities.com that has me puzzled. The
>> site describes a possible relationship between winlogon and WinLogon
>> as follows:
>>
>> Process File: winlogon or winlogon.exe
>> Process Name: Microsoft Windows Logon Process
>>
>> Description:
>> WinLogon.exe is the Windows NT login manager. It handles the login
>> and logout procedures on your system. This process is an essential
>> part of your OS and should be left alone. Note: winlogon.exe is a
>> process which is registered as the W32.Netsky.D@mm worm. This virus
>> is distributed via the Internet through e-mail and comes in the form
>> of an e-mail message, in the hopes that you open its hostile
>> attachment. The worm has its own SMTP engine which means it gathers
>> E-mails from your local computer and re-distributes itself. In worst
>> cases this worm can allow attackers to access your computer,
>> stealing passwords and personal data. It is a registered security
>> risk and should be removed immediately. Please see additional
>> details regarding this process"
>>
>> If I read the above correctly, it's saying that a process called
>> winlogon.exe without the caps found in WinLogon.exe is the virus.
>>
>> I'd like some clarification and/or verification of the above, if
>> possible.
>>
>> Pyramid36

No.

winlogon.exe

is OK
Anonymous
June 11, 2005 2:29:51 PM

From: "Pyramid 36" <Pyramid36@discussions.microsoft.com>

| I've been seeing winlogon.exe running and was not sure what it was. I found
| an answer on www.liutilities.com that has me puzzled. The site describes a
| possible relationship between winlogon and WinLogon as follows:
|
| Process File: winlogon or winlogon.exe
| Process Name: Microsoft Windows Logon Process
|
| Description:
| WinLogon.exe is the Windows NT login manager. It handles the login and
| logout procedures on your system. This process is an essential part of your
| OS and should be left alone. Note: winlogon.exe is a process which is
| registered as the W32.Netsky.D@mm worm. This virus is distributed via the
| Internet through e-mail and comes in the form of an e-mail message, in the
| hopes that you open its hostile attachment. The worm has its own SMTP
| engine which means it gathers E-mails from your local computer and
| re-distributes itself. In worst cases this worm can allow attackers to access
| your computer, stealing passwords and personal data. It is a registered
| security risk and should be removed immediately. Please see additional
| details regarding this process"
|
| If I read the above correctly, it's saying that a process called winlogon.exe
| without the caps found in WinLogon.exe is the virus.
|
| I'd like some clarification and/or verification of the above, if possible.
|
| Pyramid36

The file name WinLogon.exe is the same as winlogon.exe and the two can not exist in the same
folder. Windows treats filenames using uppercase and lowercase names the same (unlike
Unix). Therefore, for two files to be the same name and to be different, they *must* be in
different folders.

The legit version should be: %windir%\system32\WINLOGON.EXE
{ other copies/version may be in 'i386' or 'ServicePack' folders }

If you find WINLOGON.EXE in %windir% or some other folder such as
%WinDir%\MSAGENT\WIN32\WINLOGON.EXE then you should be suspicious of it!

The Netsky puts WINLOGON.EXE in the %windir% folder --
http://vil.nai.com/vil/content/v_101048.htm

So does the following...
PosX -- http://vil.nai.com/vil/content/v_100801.htm
StartPage-EK -- http://vil.nai.com/vil/content/v_127317.htm

The Sober worm puts WINLOGON.EXE in the folder %WinDir%\MSAGENT\WIN32
W32/Sober.l@MM -- http://vil.nai.com/vil/content/v_131869.htm


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
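
The location rule from the replies above, as an added example that is not part of the original thread: it classifies a winlogon.exe path by folder, comparing names case-insensitively the way Windows does. The function names, the verdict labels, the `running` flag and the sample paths are assumptions made for illustration.

```python
import ntpath  # Windows path rules, usable on any OS

def _norm(path):
    # normpath collapses ".." segments; normcase lowercases, because
    # Windows treats WinLogon.exe and winlogon.exe as the same name.
    return ntpath.normcase(ntpath.normpath(path))

def classify_winlogon(path, windir=r"C:\WINDOWS", running=False):
    """Classify a winlogon.exe path by folder, using the locations named in the thread."""
    folder, name = ntpath.split(_norm(path))
    if name != "winlogon.exe":
        return "not-winlogon"
    system32 = ntpath.join(_norm(windir), "system32")
    if folder == system32:
        return "expected"
    if running:
        # Assumption: only the system32 copy should ever be a live process.
        return "suspicious"
    parts = folder.split("\\")
    if folder == ntpath.join(system32, "dllcache") or any(
        p == "i386" or p.startswith("servicepack") for p in parts
    ):
        return "backup-copy"  # on-disk copy in a folder the thread lists as normal
    return "suspicious"

# Constructed sample paths, not taken from a real machine.
SAMPLES = [
    r"C:\WINDOWS\system32\WinLogon.exe",
    r"C:\WINDOWS\system32\dllcache\winlogon.exe",
    r"C:\WINDOWS\winlogon.exe",
    r"C:\WINDOWS\MSAGENT\WIN32\WINLOGON.EXE",
    r"C:\WINDOWS\system32\..\winlogon.exe",
]

def triage(paths, windir=r"C:\WINDOWS"):
    # Map each path to its verdict so the odd ones stand out.
    return {p: classify_winlogon(p, windir) for p in paths}

if __name__ == "__main__":
    for p, verdict in triage(SAMPLES).items():
        print(f"{verdict:12} {p}")
```

A "suspicious" or "backup-copy" verdict is a prompt for an antivirus scan, not a final judgement; the folder check only narrows down which files to look at.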
Anonymous
June 11, 2005 2:29:52 PM

Thanks everyone. Searched WINNT directory and winlogon.exe seems legit,
based on the information you provided.

Dodged a bullet for a change.

Pyramid36

"David H. Lipman" wrote:

> From: "Pyramid 36" <Pyramid36@discussions.microsoft.com>
>
> | I've been seeing winlogon.exe running and was not sure what it was. I found
> | an answer on www.liutilities.com that has me puzzled. The site describes a
> | possible relationship between winlogon and WinLogon as follows:
> |
> | Process File: winlogon or winlogon.exe
> | Process Name: Microsoft Windows Logon Process
> |
> | Description:
> | WinLogon.exe is the Windows NT login manager. It handles the login and
> | logout procedures on your system. This process is an essential part of your
> | OS and should be left alone. Note: winlogon.exe is a process which is
> | registered as the W32.Netsky.D@mm worm. This virus is distributed via the
> | Internet through e-mail and comes in the form of an e-mail message, in the
> | hopes that you open its hostile attachment. The worm has its own SMTP
> | engine which means it gathers E-mails from your local computer and
> | re-distributes itself. In worst cases this worm can allow attackers to access
> | your computer, stealing passwords and personal data. It is a registered
> | security risk and should be removed immediately. Please see additional
> | details regarding this process"
> |
> | If I read the above correctly, it's saying that a process called winlogon.exe
> | without the caps found in WinLogon.exe is the virus.
> |
> | I'd like some clarification and/or verification of the above, if possible.
> |
> | Pyramid36
>
> The file name WinLogon.exe is the same as winlogon.exe and the two can not exist in the same
> folder. Windows treats filenames using uppercase and lowercase names the same (unlike
> Unix). Therefore, for two files to be the same name and to be different, they *must* be in
> different folders.
>
> The legit version should be: %windir%\system32\WINLOGON.EXE
> { other copies/version may be in 'i386' or 'ServicePack' folders }
>
> If you find WINLOGON.EXE in %windir% or some other folder such as
> %WinDir%\MSAGENT\WIN32\WINLOGON.EXE then you should be suspicious of it!
>
> The Netsky puts WINLOGON.EXE in the %windir% folder --
> http://vil.nai.com/vil/content/v_101048.htm
>
> So does the following...
> PosX -- http://vil.nai.com/vil/content/v_100801.htm
> StartPage-EK -- http://vil.nai.com/vil/content/v_127317.htm
>
> The Sober worm puts WINLOGON.EXE in the folder %WinDir%\MSAGENT\WIN32
> W32/Sober.l@MM -- http://vil.nai.com/vil/content/v_131869.htm
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>
Anonymous
June 11, 2005 3:29:01 PM

Stephen wrote:
> Pyramid 36 wrote:
>>> I've been seeing winlogon.exe running and was not sure what it was.
>>> I found an answer on www.liutilities.com that has me puzzled. The
>>> site describes a possible relationship between winlogon and WinLogon
>>> as follows:
>>>
>>> Process File: winlogon or winlogon.exe
>>> Process Name: Microsoft Windows Logon Process
>>>
>>> Description:
>>> WinLogon.exe is the Windows NT login manager. It handles the login
>>> and logout procedures on your system. This process is an essential
>>> part of your OS and should be left alone. Note: winlogon.exe is a
>>> process which is registered as the W32.Netsky.D@mm worm. This virus
>>> is distributed via the Internet through e-mail and comes in the form
>>> of an e-mail message, in the hopes that you open its hostile
>>> attachment. The worm has its own SMTP engine which means it gathers
>>> E-mails from your local computer and re-distributes itself. In worst
>>> cases this worm can allow attackers to access your computer,
>>> stealing passwords and personal data. It is a registered security
>>> risk and should be removed immediately. Please see additional
>>> details regarding this process"
>>>
>>> If I read the above correctly, it's saying that a process called
>>> winlogon.exe without the caps found in WinLogon.exe is the virus.
>>>
>>> I'd like some clarification and/or verification of the above, if
>>> possible.
>>>
>>> Pyramid36
>
> No.
>
> winlogon.exe
>
> is OK

LOL! Good one!

What? You weren't joking?!

BWAHAHAHAHAHAHAHAHAHA!


--
Peace!
Kurt
Self-anointed Moderator
microscum.pubic.windowsexp.gonorrhea
http://microscum.com/mscommunity
"Trustworthy Computing" is only another example of an Oxymoron!
"Produkt-Aktivierung macht frei"
June 11, 2005 6:37:40 PM

kurttrail wrote:
>> Stephen wrote:
>>> Pyramid 36 wrote:
>>>>> I've been seeing winlogon.exe running and was not sure what it
>>>>> was. I found an answer on www.liutilities.com that has me
>>>>> puzzled. The site describes a possible relationship between
>>>>> winlogon and WinLogon as follows:
>>>>>
>>>>> Process File: winlogon or winlogon.exe
>>>>> Process Name: Microsoft Windows Logon Process
>>>>>
>>>>> Description:
>>>>> WinLogon.exe is the Windows NT login manager. It handles the login
>>>>> and logout procedures on your system. This process is an essential
>>>>> part of your OS and should be left alone. Note: winlogon.exe is a
>>>>> process which is registered as the W32.Netsky.D@mm worm. This
>>>>> virus is distributed via the Internet through e-mail and comes in
>>>>> the form of an e-mail message, in the hopes that you open its
>>>>> hostile attachment. The worm has its own SMTP engine which means
>>>>> it gathers E-mails from your local computer and re-distributes
>>>>> itself. In worst cases this worm can allow attackers to access
>>>>> your computer, stealing passwords and personal data. It is a
>>>>> registered security risk and should be removed immediately.
>>>>> Please see additional details regarding this process"
>>>>>
>>>>> If I read the above correctly, it's saying that a process called
>>>>> winlogon.exe without the caps found in WinLogon.exe is the virus.
>>>>>
>>>>> I'd like some clarification and/or verification of the above, if
>>>>> possible.
>>>>>
>>>>> Pyramid36
>>>
>>> No.
>>>
>>> winlogon.exe
>>>
>>> is OK
>>
>> LOL! Good one!
>>
>> What? You weren't joking?!
>>
>> BWAHAHAHAHAHAHAHAHAHA!
>>
>>
>> --
>> Peace!
>> Kurt

No. winlogon.exe in Windows\System32 is part of the operating system
installation.
Anonymous
June 11, 2005 7:51:53 PM

Stephen wrote:
> kurttrail wrote:
>>> Stephen wrote:
>>>> Pyramid 36 wrote:
>>>>>> I've been seeing winlogon.exe running and was not sure what it
>>>>>> was. I found an answer on www.liutilities.com that has me
>>>>>> puzzled. The site describes a possible relationship between
>>>>>> winlogon and WinLogon as follows:
>>>>>>
>>>>>> Process File: winlogon or winlogon.exe
>>>>>> Process Name: Microsoft Windows Logon Process
>>>>>>
>>>>>> Description:
>>>>>> WinLogon.exe is the Windows NT login manager. It handles the
>>>>>> login and logout procedures on your system. This process is an
>>>>>> essential part of your OS and should be left alone. Note:
>>>>>> winlogon.exe is a process which is registered as the
>>>>>> W32.Netsky.D@mm worm. This virus is distributed via the Internet
>>>>>> through e-mail and comes in the form of an e-mail message, in
>>>>>> the hopes that you open its hostile attachment. The worm has
>>>>>> its own SMTP engine which means it gathers E-mails from your
>>>>>> local computer and re-distributes itself. In worst cases this
>>>>>> worm can allow attackers to access your computer, stealing
>>>>>> passwords and personal data. It is a registered security risk
>>>>>> and should be removed immediately. Please see additional details
>>>>>> regarding this process"
>>>>>>
>>>>>> If I read the above correctly, it's saying that a process called
>>>>>> winlogon.exe without the caps found in WinLogon.exe is the virus.
>>>>>>
>>>>>> I'd like some clarification and/or verification of the above, if
>>>>>> possible.
>>>>>>
>>>>>> Pyramid36
>>>>
>>>> No.
>>>>
>>>> winlogon.exe
>>>>
>>>> is OK
>>>
>>> LOL! Good one!
>>>
>>> What? You weren't joking?!
>>>
>>> BWAHAHAHAHAHAHAHAHAHA!
>>>
>>>
>>> --
>>> Peace!
>>> Kurt
>
> No. winlogon.exe in Windows\System32 is part of the operating system
> installation.

Too bad you didn't say that to begin with. There are also viruses that
create winlogon.exe files in other places.

--
Peace!
Kurt
Self-anointed Moderator
microscum.pubic.windowsexp.gonorrhea
http://microscum.com/mscommunity
"Trustworthy Computing" is only another example of an Oxymoron!
"Produkt-Aktivierung macht frei"