Winlogon stands for Windows Logon Process, the process responsible for loading the user profile at logon. Winlogon.exe is a system process belonging to the Microsoft Windows operating system, produced by Microsoft Corporation. It can therefore easily be found running in the background as a system process under the SYSTEM user.
Because its main task is to load the profile, winlogon.exe has been targeted by infections that aim to collect information for profit. According to observations by VilmaTech Research Lab, W32.Netsky.D@mm and the Win32.Netsky Trojan are the two major infections that affect winlogon.exe. When winlogon.exe is affected, some problems will be triggered:
Note that a backdoor or vulnerability is opened soon after winlogon.exe is affected, because the collected information has to be transferred to a remote server so that it can be resold to other spammers for money. Since the affected winlogon.exe looks identical to the genuine winlogon.exe, how can you tell which one is the fake that needs to be removed? Keep reading the following paragraphs. If it is still confusing, you are welcome to get help from experienced computer experts at VilmaTech Online Support.
It is important to differentiate the genuine file from the fake before removal, since winlogon.exe is a system process. In other words, basic system start-up cannot even complete if the genuine winlogon.exe is corrupted or forcibly removed. VilmaTech experts hereby introduce an easy way to tell them apart: the user name of the genuine winlogon.exe should be “SYSTEM” instead of the current user name, and its process name should be winlogon.exe rather than WINLOGON.exe. Both can be checked in Task Manager.
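The same two checks can be scripted instead of read off Task Manager. The PowerShell below is an added example, not part of the original article; the function name `Test-WinlogonProcess` is hypothetical, the sample records are constructed, and the image-path check against `%SystemRoot%\System32\winlogon.exe` is an extra check added here on top of the two the article names.

```powershell
# Added example: apply the article's checks (owner = SYSTEM, exact name
# "winlogon.exe") plus an image-path check to each winlogon-named process.
function Test-WinlogonProcess {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Owner,
        [string]$Path
    )
    # Assumption: the genuine binary lives in System32 under %SystemRoot%.
    $expected = Join-Path $env:SystemRoot 'System32\winlogon.exe'
    $findings = @()

    # -cne is case-sensitive, so "WINLOGON.exe" is reported.
    if ($Name -cne 'winlogon.exe') { $findings += "name is '$Name'" }

    if ([string]::IsNullOrEmpty($Owner)) {
        # GetOwner returns nothing for SYSTEM processes without elevation.
        $findings += 'owner unavailable (run elevated)'
    } elseif ($Owner -ne 'SYSTEM') {
        $findings += "owner is '$Owner', expected SYSTEM"
    }

    if ($Path -and ($Path -ne $expected)) {
        $findings += "image path is '$Path'"
    }

    [pscustomobject]@{
        Name     = $Name
        Owner    = $Owner
        Path     = $Path
        Flagged  = ($findings.Count -gt 0)
        Findings = $findings -join '; '
    }
}

# Constructed sample records: one genuine, one matching the article's description.
Test-WinlogonProcess -Name 'winlogon.exe' -Owner 'SYSTEM' `
    -Path (Join-Path $env:SystemRoot 'System32\winlogon.exe')
Test-WinlogonProcess -Name 'WINLOGON.exe' -Owner 'alice' `
    -Path (Join-Path $env:SystemRoot 'winlogon.exe')

# Live check (elevated prompt). WQL string matching ignores case,
# so this filter also returns processes named WINLOGON.exe.
Get-CimInstance Win32_Process -Filter "Name = 'winlogon.exe'" | ForEach-Object {
    $owner = (Invoke-CimMethod -InputObject $_ -MethodName GetOwner).User
    Test-WinlogonProcess -Name $_.Name -Owner $owner -Path $_.ExecutablePath
}
```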
Tips: When winlogon.exe is affected, the situation can be complex. Autorun.inf is also generated or modified to help cover the traces of the infection and to evade detection and easy deletion by installed anti-virus programs. Winlogon.exe problems should be fixed immediately to restore proper operation, so that the subsequent steps can be carried out to remove the Trojan affecting winlogon.exe. The following instructions apply exclusively to winlogon.exe issues. Should you have any difficulty removing the culprit infection after fixing the winlogon.exe issues, you are welcome to turn to the professional help offered by VilmaTech Online Support.
Step1. Unveil hidden files and folders before removing the files generated by, and related to, the winlogon.exe virus.
Windows 8
Windows 7/Vista/XP
When all hidden items are unveiled, follow the steps below to remove the related items.
a. Remove the following listed files and folders:
D:\autorun.inf
D:\pagefile.com
C:\Program Files\Internet Explorer\iexplore.com
C:\Program Files\Common Files\iexplore.com
C:\WINDOWS\1.com
C:\WINDOWS\iexplore.com
C:\WINDOWS\finder.com
C:\WINDOWS\Debug\[name] Programme.exe
C:\Windows\system32\command.com
Tip: before removing “C:\Windows\system32\command.com”, check whether its creation time is the same as that of the system files; if so, do not remove “C:\Windows\system32\command.com”. If its creation time is the same as that of the files listed below, do remove “C:\Windows\system32\command.com”.
C:\Windows\system32\msconfig.com
C:\Windows\system32\regedit.com
C:\Windows\system32\dxdiag.com
C:\Windows\system32\rundll32.com
C:\Windows\system32\finder.com
C:\Windows\system32\a.exe
b. Navigate to C:\Windows and remove winlogon.exe, winlogon.dll, winlogon_hook.dll and winlogonkey.dll.
c. Navigate to the following directory and remove winlogon.exe.mdmp as well as appcompat.txt: C:\DOCUME~1\[username]\LOCALS~1\Temp\WER2534.dir00\winlogon.exe.mdmp
Tip: in some cases, all .exe files will be disabled. You may need to restore the .exe file association by following the steps below.
Should you still have problems removing the related files and folders, it is wise to ask online computer experts for help, so that no mistake is made that causes unexpected issues and complicates the situation.
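The creation-time comparison from the command.com tip can be done in one listing rather than file by file. This PowerShell is an added example, not part of the original article; it uses only the system32 file names the article lists, and the column names `OnArticleList` and `SharesDropDate` are hypothetical.

```powershell
# Added example: list every .com file in System32 with its creation time and
# mark those created on the same date as a file named in the article's list.
$listed = 'msconfig.com', 'regedit.com', 'dxdiag.com', 'rundll32.com', 'finder.com'
$sys32  = Join-Path $env:SystemRoot 'System32'

# -Force includes hidden and system files; the Extension test drops
# anything the *.com filter matched through a short (8.3) name.
$comFiles = Get-ChildItem -Path $sys32 -Filter *.com -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '.com' }

# Creation dates of the files the article names, if any are present.
$dropDates = $comFiles |
    Where-Object { $listed -contains $_.Name } |
    ForEach-Object { $_.CreationTime.Date } |
    Sort-Object -Unique

$comFiles | Sort-Object CreationTime | Select-Object Name, CreationTime,
    @{ Name = 'OnArticleList';  Expression = { $listed -contains $_.Name } },
    @{ Name = 'SharesDropDate'; Expression = { $dropDates -contains $_.CreationTime.Date } }
```

A command.com row with `SharesDropDate` set to True matches the removal condition in the tip; one whose date sits with the other system files does not.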
Step2. Open Registry Editor and remove the related keys; when done, restart the computer to proceed.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Step3. End the running WINLOGON.EXE process after a system reboot.
Trying to end WINLOGON.EXE directly will still trigger an error message saying the process cannot be ended: the system cannot tell whether winlogon.exe is affected or not, because it is programmed to treat it as a default system process. Follow the steps below to make the modifications needed to end the process smoothly.
Windows 7/Vista/XP
Windows 8
Take Avira anti-virus program for example
Uninstall recently installed programs and update your system to the latest version.
Attention:
Winlogon.exe per se is not a virus at all. However, because its task is to load user profiles as well as system information, it is targeted by various types of infections. Before removing the affected winlogon.exe, you need to learn how to differentiate the genuine file from the fake, so that no mistake is made that disables system start-up. Extra attention should also be paid to other files with the .COM suffix created on the same date the WINLOGON.EXE issues appeared. If there are any, do not double-click them; remove them without hesitation. Otherwise, an unwitting click on such files will bring the infection back and allow the affected winlogon.exe to stay in place. If typing “regedit” brings back all the malicious items and blocks the fix and removal, it is advisable to ask professionals with rich experience and knowledge for immediate help.