VilmaTech.com > VilmaTech Blog > Winlogon.exe, Remove Winlogon Process Error Message and Winlogon.exe Virus

Winlogon.exe, Remove Winlogon Process Error Message and Winlogon.exe Virus

Published on December 31, 2013

Introduction

Winlogon stands for Windows Logon Process, a process taking the responsibility of loading user profile on logon. Winlogon.exe is a system process belonging to Microsoft Windows Operating System produced by Microsoft Corporation. Therefore, such process can be easily found in the background running as a kernel system process in the form of SYSTEM USER.

winlogonexe0wr

 

Winlogon.exe Affected

Due to its major task to load profile, winlogon.exe has been targeted by infections aiming at obtaining information for money generation. According to the observation by VilmaTech Research Lab, W32.Netsky.D@mm and Win32. Netsky Trojan are the two major infections that affect winlogon.exe. On the occurrence of affected winlogon.exe, some problems will be triggered:

  • Multiple winlogon.exe processes running in Task Manager to consume resource.
  • Winlogon.exe error messages are brought up constantly at each Windows start.
  • Some programs/ games are blocked by winlogon.exe.
  • Certain Disk cannot be opened up.
  • Search redirect problems happen occasionally.

Be noted that backdoor or vulnerability will be subsequently formed soon after winlogon.exe is affected as collected information needs to be transferred to remote server so that money can be generated after being resold to other spammers. Considering the fact that affected winlogon.exe stays identical to the genuine winlogon.exe, how to differentiate which one is fake that needs to be removed? Keep reading the following paragraphs. If it is still confusion, you are welcome to get help from computer experts with rich experience at VilmaTech Online Support.

live chat

 

Differentiation

It is important to differentiate the genuine from the fake before removal since winlogon.exe is a system process. In other word, basic system start-up cannot even be completed if the genuine winlogon.exe is corrupted or removed by force. VilmaTech experts hereby introduce easy way to help with differentiation – the user name of genuine winlogon.exe should be “SYSTEM” instead of current user name and its process name should be winlogon.exe rather than WINLOGON.exe. All these can be checked in Task Manager.

Tips: In the case of winlogon.exe being affected, situation can be complex and terrible. Autorun.inf is also generated or affected to help cover up the trace of infection and dodge detection as well as easy deletion by installed anti-virus programs. Winlogon.exe problems should be fixed immediately to gain proper operations so that subsequent steps can be carried out to further remove the Trojan affecting winlogon.exe. The following instruction is applicable exclusively to winlogon.exe issues. Should you have any difficulty in removing the culprit infection after fixing winlogon.exe issues, you are welcome to resort professional help offered with pleasure by VilmaTech Online Support.

live chat

 

Instructions to Fix Winlogon.exe Issues in Several Cases

Situation One. Remove affected winlogon.exe

 
Step1. Unveil hidden files and folders before removing generated files and related ones to winlogon.exe virus.

Windows 8

  • Double click to open Windows Explorer from Start screen and navigate to View tab.windows explorer
  • Tick ‘File name extensions’ and ‘Hidden items’ options on the pop-up window.win8 hidden file
  • Press “OK” button to confirm the change.

 
Windows 7/Vista/XP

  • Search for and open ‘Folder Options’ from ‘Control Panel’.folder options1
  • Hit View tab to tick ‘Show hidden files and folders and non-tick Hide protected operating system files (Recommended)’ and then click ‘OK’.

 
When all hidden items are unveiled, follow the following steps to remove related items.
a. Remove the following listed files and folders:

D:\autorun.inf
D:\pagefile#com
C:\Program Files\Internet Explorer\iexplore.com
C:\Program Files\Common Files\iexplore.com
C:\WINDOWS\1.com
C:\WINDOWS\iexplore.com
C:\WINDOWS\finder.com
C:\WINDOWS\Debug\[name] Programme.exe
C:\Windows\system32\command#com

Tip: before removing “C:\Windows\system32\command.com”, please make sure if its created time is the same as system files; if so, do not remove “C:\Windows\system32\command.com”. If its created time is the same as the following listed files, please do remove C:\Windows\system32\command.com”.

C:\Windows\system32\msconfig.com
C:\Windows\system32\regedit.com
C:\Windows\system32\dxdiag.com
C:\Windows\system32\rundll32.com
C:\Windows\system32\finder.com
C:\Windows\system32\a.exe

b. Navigate to C:\Windows and remove winlogon.exe, winlogon.dll, winlogon_hook.dll and winlogonkey.dll

c. Navigate to the following directory and remove winlogon.exe.mdmp as well as appcompat.txt C:\DOCUME~1\[username]\LOCALS~1\Temp\WER2534.dir00\winlogon.exe.mdmp

Tip: in some cases, all .exe files will be disabled. You may need to restore .exe file by following the below steps.

  • Navigate to C:\Windows\system32 and copy cmd.exe to your desktop.
  • Right click on it to rename it as cmd.com.
  • Double click on cmd.com file and a little black window will popup.
  • Put “assoc .exe=exefile” and hit Enter key to proceed.
  • Put “ftype exefile=”%1″ %*”when the flashing line jumps to the next line and hit Enter key.

Should you still have problems in removing related files and folders, it is wise to ask online computer experts for help so that no mistake will be made to arouse unexpected issues to complex the situation.

live chat

 

Step2. Enter into Registry Editor and remove related keys; when done, restart the computer to proceed.

  • Hold and press Win key and R key at once to bring up a text box.win+r
  • Type “regedit” and hit Enter key to access Registry Editor.run regedit
  • Navigate to the following registry and remove the key aol7.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

  • Navigate to the following registry and remove “Torjan pragramme”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

 
Step3. Exterminate running process of WINLOGON.EXE after a system reboot.
Direct extermination of WINLOGON.EXE would still trigger error message telling the process cannot be ended since the system is not smart enough to tell if winlogon.exe is affected or not due to the fact that it is mechanically programmed to consider it as default system process. Follow the below steps to make modifications for a smooth process extermination.

Windows 7/Vista/XP

  • Hold Ctrl, Alt and Delete key combination together to bring up Task Manager.
  • Hit View tab to select ‘Show Kernel Times’/ ‘Select Process Page Columns’.
  • Tick PID (Process Identifier) on the pop-up window and press OK button to confirm the change.PID
  • Find ‘LSASS.exe’ for its image of the User Account which does not belong to system.
  • Back to desktop and press Win key and R together to bring up a text box.
  • Put in ‘CMD’ and press Enter key to enable DOS window.
  • Type ‘ntsd –c q -p (PID, the number you saw on Task Manager)’ (without quotation marks).
  • Press Enter key to proceed.
  • Back to Task Manager to find WINLOGON.EXE and right click on it for extermination.
  • When done, please restart the computer and scan with installed anti-virus programs to further remove the culprit infection.

 
Windows 8

  • Hold Win key and R key at once to bring up text box and put in ‘Task’.
  • When Task Manager shows up, follow the same process to exterminate WINLOGON.EXE.win8 task manager
  • When done, please restart the computer and scan with installed anti-virus programs to further remove the culprit infection.

 

Situation Two. False positive.

Take Avira anti-virus program for example

  • Access configuration to tick expert mode.
  • Find Scan option to choose its settings option.
  • In the setting option, access “exception” option to make “winlogon.exe” as an exception.

 

Situation Three. Suffix being tempered.

  • Hold and press Win key and R key at once to bring up a text box.
  • Type “regedit” and hit Enter key to access Registry Editor. registry enditor2
  • Navigate to the following registry and restore “Shell”=”Explorer.exe 1” to “Shell”=”Explorer.exe”change to explorer

 

Situation Four. Conflicts with newly installed program.

Uninstall recently installed program and update your system to the latest.

 

Attention:
Winlogon.exe per se is not a virus at all. However, due to its task of loading profiles of users as well as system information, it is targeted by various types of infections. Before removing the affected winlogon.exe, learning how to differentiate the genuine from the fake is required so that no mistake would be made to disable system start-up. Extra attention should also be paid to other files with .COM suffix created the same date when WINLOGON.EXE issues happened. If there’s any, do not double click on it, instead, remove it without hesitation. Otherwise, unwitting click on such files will bring back infections and affected winlogon.exe is enabled to stay still. In the case where typing “regedit” brings back all vicious items to block the fix and removal, it is advisable to ask professionals with rich experience and knowledge for instant help.

live chat

Subscribe to our RSS feed

Latest Posts

Categories

Archives