Thread: Winlogon issue

  1. #1
    Member Hola hoop's Avatar
    Join Date
    Jul 2004
    Location
    20000 leagues under the C
    Posts
    462

    Winlogon issue

    Hello all

    Windows XP home
    Standard "boxed" pc 2.2ghz
    Standard everything else

    A colleague of mine gave me his computer to look at as it was running slow.
    The Winlogin process is using up 100% of CPU constantly. It just started all of a sudden: nothing installed, nothing deleted, not even the internet was accessed.
    The computer was firewalled with McAfee Internet Security, the modem was left OFF when not in use, and the internet was used for 2 hours a week for browsing. Msconfig was reduced to 1 item on startup.
    Scanned the HDD with antivirus, trojan scanner etc. etc. (thorough scan). All updates always up to date.
    100% sure there is no virus, spyware etc. etc. (I have worked on over 100 machines with these types of problems, so please don't reply "scan for..."; it's already been done and I have most of the tools posted on the stickies too).

    I did a repair of Windows, and a reinstall, and still the same. Short of a full format (I never do this unless EVERYTHING has been exhausted)
    I am stumped.
    Corrupt registry? (no SP2 installed)
    There is NO admin logon and NO passworded user accounts, only the computer name.

    Any ideas, guys and gals?
    For the love of GOD why wont this work?

  2. #2
    Ultimate Member Baddog's Avatar
    Join Date
    Dec 2001
    Location
    In a Cat 6 Cable
    Posts
    2,571
    Boot it in safe mode and see what you get. If there is no CPU usage, then start knocking out processes with MSCONFIG.
    Improvise - Adapt - Overcome

  3. #3
    Member Hola hoop's Avatar
    Join Date
    Jul 2004
    Location
    20000 leagues under the C
    Posts
    462
    Thanks for the reply Baddog, but I have already done all the "basic stuff".
    Safe mode makes no difference because Winlogin is a SYSTEM process so it cannot be stopped; it still runs while in safe mode because safe mode only disables unnecessary programs.

    As I already said, I have 1 thing in msconfig on NORMAL startup and that is the mouse driver (this is definitely not the problem).

    I doubt this is a conflict, as nothing new was done to the machine for at least 4 weeks before this happened, and it was used "offline" writing Word and Excel docs in that time, so I cannot see how anything would conflict.

    A real headscratcher, this.
    For the love of GOD why wont this work?

  4. #4
    Friend of Staff fancyf's Avatar
    Join Date
    Apr 2002
    Location
    ƒ@ncyville
    Posts
    1,372
    McAfee perhaps?

  5. #5
    Ultimate Member Baddog's Avatar
    Join Date
    Dec 2001
    Location
    In a Cat 6 Cable
    Posts
    2,571
    winlogin - winlogin.exe - Process Information

    Process File: winlogin or winlogin.exe
    Process Name: RANDEX.E virus

    Description:
    winlogin.exe is added to the system as a result of the RANDEX.E virus. It is an IRC Trojan horse that gives remote access to your computer using IRC. This program is a registered security risk and should be removed immediately. If found on your system, make sure that you have downloaded the latest update for your antivirus application.
    ____________________________________

    Note the spelling: winlogin vs. winlogon

    http://www.liutilities.com/products/...rary/winlogin/
    Improvise - Adapt - Overcome

  6. #6
    Member Hola hoop's Avatar
    Join Date
    Jul 2004
    Location
    20000 leagues under the C
    Posts
    462
    Thanks again for the replies guys. OK, here's the thing (bear in mind I'm away from the computer at the moment to check the spelling of winlogin/winlogon)

    but.......

    It is a SYSTEM process. A virus should maybe be under user processes?? But this is definitely a system process, as I shut it down with a different process manager and the system shut down and rebooted.

    I would be very surprised if this is a virus, and if it is, the usual scans did not detect it (I did an online scan too and left it overnight, which took
    ages lol).

    I will double check the spelling but am pretty sure it's winlogin (not .exe) and it's registered as a system process. How do you stop a system process without causing errors? Should I maybe remove the reg key from the Start/Run or Always Run thread? I am not sure how to deal with this, as EVERYTHING was and still is fully updated (Panda, AV, Kaspersky and McAfee virus scanners used... not at the same time... all clean).

    Thank you again for your help, people.
    For the love of GOD why wont this work?

  7. #7
    Ultimate Member Direct1's Avatar
    Join Date
    Feb 2002
    Location
    Northern California
    Posts
    2,470
    WINLOGON.EXE is the correct file. WINLOGIN.EXE is NOT a system process.

    This link might help...

    http://www.sysopt.com/forum/showthre...hreadid=161595

    Good luck!

  8. #8
    Member Hola hoop's Avatar
    Join Date
    Jul 2004
    Location
    20000 leagues under the C
    Posts
    462
    OK, I took another look at the system.

    It is called Winlogin (spelt exactly as is).

    It is registered as a SYSTEM process (may not be in reality, but on this system it is 100% a system process). I stopped it again and it shut down the PC and rebooted (just like when you kill a valid system-critical process... Windows becomes unstable and closes).

    In Task Manager it shows as SYSTEM PROCESS; CPU usage goes up and down between 60% and 100% every few seconds. System performance is now non-existent. A folder window took 87 seconds to load!

    Very, very thorough scans done, and again... I have most of the tools you helpful people posted on the stickies.

    If it is a virus, McAfee, Panda online, AV online and Kaspersky (all updated) don't remove it or even find it.
    2 trojan-only scans done..... nothing. System shows clean. No odd files in Windows or Windows\system32.
    Msconfig empty.
    No non-Microsoft services running.
    Disabled System Restore, reduced cache size to 2 megs.
    All still the same, no difference.

    McAfee log shows no intrusions into the registry or unauthorised changes to the registry.

    Total separate individual scans including spyware = 22


    I appreciate all your help guys, this is a tricky b****** and simple safe mode scanning won't do it this time. I think I need specifics.


    What I really need is someone who can tell me....... OK, what you do is this...... hopefully someone who has had the exact same problem.

    Again, thanks all for your input.

    Last edited by Hola hoop; 04-01-2005 at 11:45 AM.
    For the love of GOD why wont this work?

  9. #9
    Ultimate Member Baddog's Avatar
    Join Date
    Dec 2001
    Location
    In a Cat 6 Cable
    Posts
    2,571
    Improvise - Adapt - Overcome

  10. #10
    Member Hola hoop's Avatar
    Join Date
    Jul 2004
    Location
    20000 leagues under the C
    Posts
    462
    Lol, when I was searching I never found that info, Baddog.

    %System%\winlogin.exe
    %System%\win32sockdrv.dll
    %System%\yuetyutr.dll
    In Windows NT/2000/XP, it modifies the "Shell"= value of the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    to one of the following:

    "Shell"="explorer.exe winlogin.exe"


    That's exactly what I was looking for. I didn't realise it modifies the Explorer shell, no wonder I couldn't stop or find it. I found the dll (by date I worked out it was that) but not the key or shell. By modifying Explorer it can look like a system process in Task Manager then....... what a tricky f*****.

    Time to squash this cockroach.

    Baddog....... thanks a lot man. Great help.
    Last edited by Hola hoop; 04-01-2005 at 12:10 PM.
    For the love of GOD why wont this work?
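    The two tells discussed in posts #7 and #10, a near-miss process name (winlogin vs. winlogon) and a second program appended to the Winlogon "Shell" value, can be checked mechanically. This is an added example, not code from the thread or from any of the vendors linked above; the list of legitimate system process names and the sample values are assumptions constructed for the demonstration.

```python
"""Flag a lookalike system process name and a tampered Winlogon Shell value."""
import difflib
import platform

# Assumed list of legitimate XP-era system process names to compare against.
SYSTEM_PROCESSES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe",
                    "smss.exe", "svchost.exe", "explorer.exe"}

# Key named in post #10; a clean XP box has exactly "explorer.exe" in Shell.
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_SHELL = "explorer.exe"


def lookalike_of(name, cutoff=0.85):
    """Return the real system process that `name` imitates, or None.
    An exact match is legitimate; a near miss (winlogin vs winlogon) is not."""
    name = name.lower()
    if name in SYSTEM_PROCESSES:
        return None
    hits = difflib.get_close_matches(name, SYSTEM_PROCESSES, n=1, cutoff=cutoff)
    return hits[0] if hits else None


def unexpected_shell_entries(shell_value):
    """Split a Shell value (raw, or as a .reg line) and return every entry
    other than explorer.exe. RANDEX-style infections append a second program
    so it starts with the shell and sits next to it in Task Manager."""
    if shell_value.lstrip().lower().startswith('"shell"='):
        shell_value = shell_value.split("=", 1)[1]
    entries = shell_value.strip().strip('"').split()
    return [e for e in entries if e.lower() != EXPECTED_SHELL]


def read_live_shell_value():
    """Read the real Shell value when run on Windows; None elsewhere."""
    if platform.system() != "Windows":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Shell")
    return value


if __name__ == "__main__":
    # Constructed samples matching the thread, not values read from a machine.
    for proc in ("winlogon.exe", "winlogin.exe"):
        print(proc, "-> imitates", lookalike_of(proc))
    print(unexpected_shell_entries('"Shell"="explorer.exe winlogin.exe"'))
    live = read_live_shell_value()
    if live is not None:
        print("live Shell value:", live, unexpected_shell_entries(live))
```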

  11. #11
    Friend of Staff fancyf's Avatar
    Join Date
    Apr 2002
    Location
    ƒ@ncyville
    Posts
    1,372
    In addition to Baddog's link, (Hello Baddog )
    I also found this: Blaster worm & variants

    M$ offers a removal tool: Windows Malicious Software Removal Tool

    > Download
    > Online Scan


    Check this also: http://www.grc.com/dcom/

  12. #12
    Ultimate Member
    Join Date
    Feb 2003
    Location
    Pittsburgh, PA
    Posts
    2,711
    What's the lesson of the day, folks?

    Even if it looks and acts like a system process, it doesn't mean it isn't out to get you.

  13. #13
    Member Hola hoop's Avatar
    Join Date
    Jul 2004
    Location
    20000 leagues under the C
    Posts
    462
    Thank you for your reply fancyf, but I would NEVER use the Microsoft tool.

    I don't like the idea that not only is it done through Automatic Updates, but it then uses the update link to inform Microsoft of the results without any intervention from the user. I had to thoroughly read the Microsoft report on it, and only once, way, way down at the bottom, does it say this, and that once started it can't be stopped, and the info it gives.

    For me I don't like that idea at all; Microsoft's version offers nothing new, and the Romanian company they bought the software from is not a widely established company I would use for AV.

    But that's my opinion..... if a program doesn't give the user full control, or at least VISIBLE options to change and tweak, then I have my suspicions about it and would rather use the many alternatives. Would you leave your car keys with a guy you never met before who told you his name only and said "yes, I am a professional mechanic, I will fix your car"? Or would you take your car to someone you trust or who feels trustworthy to you?

    Operating systems, yes;
    anti-virus, firewalls, pop-up blockers etc., a big NO NO.

    For the love of GOD why wont this work?

  14. #14
    Ultimate Member Baddog's Avatar
    Join Date
    Dec 2001
    Location
    In a Cat 6 Cable
    Posts
    2,571
    Originally posted by fancyf
    In addition to Baddog's link, (Hello Baddog )
    Improvise - Adapt - Overcome

  15. #15
    Friend of Staff fancyf's Avatar
    Join Date
    Apr 2002
    Location
    ƒ@ncyville
    Posts
    1,372
    I don't know, I've never had the chance to use it... but there must be other removal tools out there.

    This one (from the makers of SpySweeper), though it looks like it also sends a report... right.

    Hey, yeah, it can be done manually too.


    * Check the DCOM tool.
