Is winlogon.exe a virus and WinLogon.exe a windows utility?

Guest

I've been seeing winlogon.exe running and was not sure what it was. I found
an answer on www.liutilities.com that has me puzzled. The site describes a
possible relationship between winlogn and WinLogon as follows:

Process File: winlogon or winlogon.exe
Process Name: Microsoft Windows Logon Process

Description:
WinLogon.exe is the Windows NT login manager. It handles the login and
logout procedures on your system. This process is an essential part of your
OS and should be left alone. Note: winlogon.exe is a process which is
registered as the W32.Netsky.D@mm worm. This virus is distributed via the
Internet through e-mail and comes in the form of an e-mail message, in the
hopes that you open its hostile attachment. The worm has its own SMTP
engine which means it gathers E-mails from your local computer and
re-distributes itself. In worst cases this worm can allow attackers to access
your computer, stealing passwords and personal data. It is a registered
security risk and should be removed immediately. Please see additional
details regarding this process

If I read the above correctly, it's saying that a process called winlogon.exe
without the caps found in WinLogon.exe is the virus.

I'd like some clarification and/or verification of the above, if possible.

Pyramid36
 
David H. Lipman

From: "Pyramid 36" <[email protected]>

| I've been seeing winlogon.exe running and was not sure what it was. I found
| an answer on www.liutilities.com that has me puzzled. The site describes a
| possible relationship between winlogn and WinLogon as follows:
|
| Process File: winlogon or winlogon.exe
| Process Name: Microsoft Windows Logon Process
|
| Description:
| WinLogon.exe is the Windows NT login manager. It handles the login and
| logout procedures on your system. This process is an essential part of your
| OS and should be left alone. Note: winlogon.exe is a process which is
| registered as the W32.Netsky.D@mm worm. This virus is distributed via the
| Internet through e-mail and comes in the form of an e-mail message, in the
| hopes that you open its hostile attachment. The worm has its own SMTP
| engine which means it gathers E-mails from your local computer and
| re-distributes itself. In worst cases this worm can allow attackers to access
| your computer, stealing passwords and personal data. It is a registered
| security risk and should be removed immediately. Please see additional
| details regarding this process
|
| If I read the above correctly, it's saying that a process called winlogon.exe
| without the caps found in WinLogon.exe is the virus.
|
| I'd like some clarification and/or verification of the above, if possible.
|
| Pyramid36

The file name WinLogon.exe is the same as winlogon.exe and the two cannot exist in the same
folder. Windows treats filenames using uppercase and lowercase names the same (unlike
Unix). Therefore, for two files to have the same name and be different, they *must* be in
different folders.

The legit version should be: %windir%\system32\WINLOGON.EXE
{ other copies/version may be in 'i386' or 'ServicePack' folders }

If you find WINLOGON.EXE in %windir% or some other folder such as
%WinDir%\MSAGENT\WIN32\WINLOGON.EXE then you should be suspicious of it!

The Netsky puts WINLOGON.EXE in the %windir% folder --
http://vil.nai.com/vil/content/v_101048.htm

So does the following...
PosX -- http://vil.nai.com/vil/content/v_100801.htm
StartPage-EK -- http://vil.nai.com/vil/content/v_127317.htm

The Sober worm puts WINLOGON.EXE in the folder %WinDir%\MSAGENT\WIN32
W32/Sober.l@MM -- http://vil.nai.com/vil/content/v_131869.htm
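The check described in the reply above, written out as an added example (not from the original thread or any poster): it lists every running winlogon.exe with its on-disk path and every winlogon.exe copy under %windir%, and flags any copy outside System32 and the install caches the reply names. It assumes an elevated PowerShell prompt on a current Windows; the WinSxS allowance and the Authenticode check are additions not mentioned in the thread.

```powershell
# Added example: triage winlogon.exe copies by location, following the reply above.
# Run from an elevated PowerShell prompt; process paths are hidden otherwise.

$system32 = (Join-Path $env:windir 'system32').ToLowerInvariant()

function Test-WinlogonPath {
    param([string]$Path)
    # Windows paths are case-insensitive, so compare everything in lowercase.
    $dir = (Split-Path $Path -Parent).ToLowerInvariant()
    if ($dir -eq $system32) { return 'expected (System32)' }
    # Install/service-pack caches named in the reply above.
    if ($dir -like '*\i386*' -or $dir -like '*servicepack*') { return 'expected (install cache)' }
    # WinSxS holds component copies on Vista and later (assumption added here, not from the thread).
    if ($dir -like '*\winsxs\*') { return 'expected (WinSxS)' }
    # Anything else, e.g. %windir% itself or %windir%\MSAGENT\WIN32, is the pattern the worms use.
    return 'SUSPICIOUS'
}

Write-Host '== Running winlogon.exe processes =='
Get-Process -Name winlogon -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_.Path   # $null when access is denied (non-elevated prompt)
    $verdict = if ($p) { Test-WinlogonPath $p } else { 'unknown (access denied)' }
    [pscustomobject]@{ PID = $_.Id; Path = $p; Verdict = $verdict }
} | Format-Table -AutoSize

Write-Host "== winlogon.exe files under $env:windir =="
Get-ChildItem -Path $env:windir -Filter winlogon.exe -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The genuine binary carries a valid Microsoft Authenticode signature.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Verdict   = Test-WinlogonPath $_.FullName
            Signature = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
        }
    } | Format-Table -AutoSize
```

A copy marked SUSPICIOUS, or one whose signature status is not Valid, is the case the reply says to distrust; an on-disk copy in %windir% or %windir%\MSAGENT\WIN32 matches the drop locations cited for Netsky and Sober.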
 
Guest

Thanks everyone. Searched WINNT directory and winlogon.exe seems legit,
based on the information you provided.

Dodged a bullet for a change.

Pyramid36
 
kurttrail

Stephen said:
No. winlogon.exe in Windows\System32 is part of the operating system
installation.

Too bad you didn't say that to begin with. There are also viruses that
create winlogon.exe files in other places.

--
Peace!
Kurt
Self-anointed Moderator
microscum.pubic.windowsexp.gonorrhea
http://microscum.com/mscommunity
"Trustworthy Computing" is only another example of an Oxymoron!
"Produkt-Aktivierung macht frei"
 