Winlogon Error

Peter Hallett

After years of running normally, my Windows XP Home machine suddenly
developed a winlogon problem. It starts apparently normally but, having
displayed the desktop icons, then shows an MS error window, stating,
“winlogon.exe encountered a problem and needed to close.” The usual, “Tell
Microsoft about this,” options are then offered. After closing this window,
the computer apparently runs normally until shut-down, whereupon its
behaviour is capricious. Sometimes it shuts down normally but more often the
‘Turn-off’ command is interpreted as ‘Restart’. The most likely outcome, at
the moment, however, is that after clearing the desktop icons, the machine
sits with the desktop on display and refuses to do anything else. It has
then to be turned off at the wall switch.

A McAfee scan reports a problem with winlogon.exe – apparently a Trojan –
and declares that it has been fixed but the problem recurs when the machine
is restarted. Chkdsk does not apparently find anything wrong.

Reinstalling the OS offers a solution but, unless I can get away with a
non-destructive installation, that might turn out to be the use of a
sledgehammer to crack a nut that might be broken by simpler means. Any
suggestions?
 
Shenan Stanley

Peter said:
After years of running normally, my Windows XP Home machine suddenly
developed a winlogon problem. It starts apparently normally but,
having displayed the desktop icons, then shows an MS error window,
stating, "winlogon.exe encountered a problem and needed to close."
The usual, "Tell Microsoft about this," options are then offered.
After closing this window, the computer apparently runs normally
until shut-down, whereupon its behaviour is capricious. Sometimes
it shuts down normally but more often the 'Turn-off' command is
interpreted as 'Restart'. The most likely outcome, at the moment,
however, is that after clearing the desktop icons, the machine sits
with the desktop on display and refuses to do anything else. It
has then to be turned off at the wall switch.

A McAfee scan reports a problem with winlogon.exe - apparently a
Trojan - and declares that it has been fixed but the problem recurs
when the machine is restarted. Chkdsk does not apparently find
anything wrong.

Reinstalling the OS offers a solution but, unless I can get away
with a non-destructive installation, that might turn out to be the
use of a sledgehammer to crack a nut that might be broken by
simpler means. Any suggestions?

What "Trojan" is McAfee telling you that you have?
What other AV software and/or malware software have you scanned with?
 
Gerry

Peter

Does the problem also show up when you boot to safe mode?

If it does, try Last Known Good Configuration.
A description of the Safe Mode Boot options in Windows XP
http://support.microsoft.com/kb/315222/en-us

Another option is to log on as the Administrator in Safe Mode and create
a new user profile.

HOW TO Create and Configure User Accounts in Windows XP
http://support.microsoft.com/?id=279783

How to Copy User Data to a New User Profile
http://support.microsoft.com

A copy of the Event Viewer Error report could help.

Have a look in the System and Application logs in Event Viewer for
Errors and Warnings and post copies here. Don't post any from more than 48
hours ago.

You can access Event Viewer by selecting Start, Control Panel,
Administrative Tools, and Event Viewer. When researching the meaning
of the error, information regarding Event ID, Source and Description
are important.

HOW TO: View and Manage Event Logs in Event Viewer in Windows XP
http://support.Microsoft.com/kb/308427/en-us

A tip for posting copies of Error Reports! Run Event Viewer and double
click on the error you want to copy. In the window which appears is a
button resembling two pages. Click the button and close Event
Viewer. Now start your message (email) and do a paste into the body of
the message. Make sure this is the first paste after exiting from
Event Viewer.

--


Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
Peter Hallett

McAfee reports a Trojan infection in the following:–

As ‘Repaired’:–
HKLM\Software\Microsoft\Windows NT\Current Version\Winlogon|Userinit

As ‘Quarantined’:–
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\sdra64.exe
C:\WINDOWS\system32\twex.exe

As ‘Scan after restart’:–
C:\WINDOWS\system32\twext.exe

As ‘Termination failed’:-
C:\WINDOWS\system32\winlogon.exe

The Trojan is identified as Spy-Agent.bw!mem

McAfee’s recommended action is, “No action required.” (Something of an
understatement, it would seem!)

System restore is currently turned off.

I have Windows Defender installed (which, unsurprisingly, has nothing to say
on the matter) and an as yet unregistered trial version of Spyware Doctor.
The latter reports the following low risk trojans:-
Trojan.CWS (15 instances)
Spyware.Known_Bad_Sites (8)
Application.TrackingCookies (87)
Adware.Advertising (32)

The following medium risk Trojans:-
Trojan.Popuper (11)
Adware.ProtectionBar(5)

and one high risk Trojan:-
Trojan-Spy.Lyndra (2)

The problem I find is that every company in the anti-malware business offers
the 'ultimate' solution and does not always distinguish between what is worth
worrying about and what not. Who hasn't got cookies, for example?

I would happily buy and register my trial copy of Spyware Doctor if I
thought that it would solve the problem but I have no guarantee that that
would be the case.

In the mean time, I am less than amused that McAfee appears to have let
through some potentially damaging malware which it appears unable to remove.
As an amateur, in this area, it is difficult to know what to do when I have
cleaned up my machine. Change my anti-virus, anti-spyware software and if so
to what? Buy Spyware Doctor?
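
Added example, not part of the original thread or any poster's own code: the item McAfee lists as repaired above is the Winlogon `Userinit` value, which names the programs Winlogon starts at logon, so after a cleanup it is worth confirming that it holds only the stock entry. The function names and the sample strings (one of which reuses a file name from the quarantine list) are constructed for illustration.

```python
import ntpath  # Windows path rules; works on any OS, so samples can be checked offline

# Stock XP data for the Userinit value under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (trailing comma is normal).
CLEAN = r"C:\WINDOWS\system32\userinit.exe,"
# Constructed samples: an extra program appended, and the stock entry swapped out.
TAMPERED = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
REPLACED = r"C:\WINDOWS\Temp\userinit.exe,"


def split_userinit(value):
    """Split the comma-separated Userinit data into non-empty, unquoted entries."""
    return [part.strip().strip('"') for part in value.split(",") if part.strip()]


def audit_userinit(value, system_dir=r"C:\WINDOWS\system32"):
    """Return (entry, reason) findings; an empty list means the value is stock."""
    expected = ntpath.normcase(ntpath.join(system_dir, "userinit.exe"))
    findings = []
    seen_expected = False
    for entry in split_userinit(value):
        # Windows paths are case-insensitive, so compare normalised forms.
        norm = ntpath.normcase(ntpath.normpath(entry))
        if norm == expected:
            if seen_expected:
                findings.append((entry, "duplicate userinit.exe entry"))
            seen_expected = True
        elif ntpath.basename(norm) == "userinit.exe":
            findings.append((entry, "userinit.exe not at the expected full path"))
        else:
            findings.append((entry, "extra program launched at logon"))
    if not seen_expected:
        findings.append((ntpath.join(system_dir, "userinit.exe"),
                         "stock userinit.exe entry missing"))
    return findings


if __name__ == "__main__":
    for label, value in (("clean", CLEAN), ("tampered", TAMPERED),
                         ("replaced", REPLACED)):
        result = audit_userinit(value)
        print(label, "->", result if result else "OK (stock value)")
```

Any entry the check reports should be compared against the scanner's quarantine list before the value is trusted again.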
 
Peter Hallett

Thanks, Gerry. I am dealing with the responses one at a time. It takes a
while to gather the necessary information. To add to the difficulties, the
website decided to hold things up for a while. (I could as easily have
driven around. You appear to be located 'on my doorstep'. Ironically, this
signal will probably go all the way across the Atlantic and then back to
within about ten mile from where it started!)

In answer to your suggestion, the problem repeats in exactly the same way
with a safe mode, as with a normal, start. In the former case, however,
McAfee declares that my machine is not protected but declines to 'Fix' it due
to an unspecified error! That is not particularly helpful but is probably an
artefact of safe mode, rather than a defect of VirusScan.

I turned off System Restore shortly after the problem first showed so I am
not sure that I will be able to return to a Last Known Good Configuration.
(I have never actually got that to work in the past. The Last Known Good
Configuration is often too late. The system is not always that smart in
deciding what constitutes a 'Good' configuration.)
 
Gerry

Peter

Malwarebytes' Anti-Malware
1.36 -freeware (if you upgrade you pay).
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

Run Malwarebytes' and turn off your current anti-virus
before you do to avoid a conflict. Disregard the invitation on the web
site regarding the Registry Optimiser -a Registry Optimiser is not a
helpful utility.

--


Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
Peter Hallett

Gerry,

Herewith the results of running Malwarebytes’ Anti-Malware on my computer –
unfortunately not what I was hoping for, but no criticism of Anti-Malware.
(Incidentally, the URL you supplied has a small error. It's
'www.download.cnet.com' rather than 'www.download.com'.)

Not much was found. There were 6 alerts in all, a Rogue.DriveCleaner in a
Registry Key, 2 Registry Values (Trojan.FakeAlert.H and Malware.Trace) and
two Registry Data Items, both identified as Disabled.SecurityCenter.
Trojan.FakeAlert.H was also found in C:\Windows\internat.exe. The references
to Disabled.SecurityCenter suggest that these are items already quarantined
by McAfee’s VirusScan, so perhaps it did not do such a bad job after all.

The trouble with the proprietary malware scanners is that they seem to come
up with their own lists, which I suspect are not always as important as the
software vendors would like us to believe. Spyware Doctor, for example,
still returns a closely similar list to the last one I reported, with the
exception of the high-risk item. I also repeated the full McAfee scan, after
the Malwarebytes run, with exactly the same result as previously.

I am now beginning to doubt that malware is the prime cause of my present
difficulties. It would seem that I have a corrupted winlogon.exe file,
leaving the problem of how to repair or replace it. Being a system file, as
far as I am aware it can’t be deleted, in the hope that XP will recreate it.

Googling ‘winlogon’ reveals that the problem is not an isolated one. There
seem to be a lot of other users in the same boat as me. The question
therefore seems to be, “Is there a way of repairing or replacing winlogon.exe
without reinstalling the OS?” – a less than attractive prospect. If not, it
looks as if I shall just have to bite the bullet. I didn’t find anything of
immediate relevance in Microsoft’s Knowledge Base, although I might have been
looking in the wrong place.

The situation remains that, after doing what cleanup I can, my computer will
still not shutdown or restart. As soon as the desktop icons have been
cleared nothing further happens. The machine has to be switched off on the
wall (echoes of the Windows 95 ‘shut-down’ problem, for those who can
remember back that far!) On restarting, the machine works its way through to
the point where it has just finished populating the desktop with icons and
then displays the winlogon error. If that is ignored, however, everything
seems to work normally, until it comes time to shut down again.

Wouldn’t it be nice if someone produced a utility which worked its way
though all the system files and repaired or replaced any corrupted ones? We
could go to bed at night and then wake up to a rejuvenated computer in the
morning. (Well, one can but dream.)
 
Shenan Stanley

Reinstalling the OS offers a solution but, unless I can get away
with a non-destructive installation, that might turn out to be
the use of a sledgehammer to crack a nut that might be broken by
simpler means. Any suggestions?
<snip>

Run SFC /scannow
(* Only if you have a Windows CD at the same service pack level as your
installed OS - if you do not - you should likely make one by integrating the
latest service pack into your CD and burning a new one.)
http://pcsupport.about.com/od/toolsofthetrade/ht/sfc-scannow.htm

Repair Installation is also an option (non-destructive.) Same caveat - you
should have a Windows XP CD at the same service pack level as your current
machine.

For your problem - I probably would try replacing your USERINIT.EXE first -
using a BartPE CD works for me - but it can also be done in the Recovery
Console.
 
Gerry

Peter

Is the SP3 update installed? Is the SP3 update included in your Windows
XP CD?

Is there an error report in the System Log of Event Viewer? If yes
please post a copy.

You can access Event Viewer by selecting Start, Control Panel,
Administrative Tools, and Event Viewer.

A tip for posting copies of Error Reports! Run Event Viewer and double
click on the error you want to copy. In the window which appears is a
button resembling two pages. Click the button and close Event
Viewer. Now start your message (email) and do a paste into the body of
the message. Make sure this is the first paste after exiting from
Event Viewer.

--


Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
Peter Hallett

Gerry,

Thanks to your help, I have excellent news to report. The problem has been
fixed!

The System Log showed over 125 errors, dating back to the end of March. I
began the task of copying and pasting the more recent ones, as you suggested,
but, despite the fact that they seemed, at first, to bear little relationship
to one another, by going back far enough a pattern began to emerge. (In
fact, restricting the examination to the last 48 hours was not that helpful.
Among other applications, McAfee VirusScan, in particular, was unwilling to
run under Safe Mode, at one point contributing 10 errors, one after the
other, all Safe Mode related.)

In the longer term, it became clear that PC Tools Spyware Doctor was
throwing up a disproportionate number of errors, with McAfee VirusScan
running a close second. The two applications did not appear to like each
other. On the ‘last-in, first-out’ principle, I therefore uninstalled
Spyware Doctor. Lo and behold, the winlogon problem vanished. My machine
returned to normal operation, apparently becoming a lot less sluggish in the
process.

I don’t quite understand why the interaction was not spotted earlier. I
don’t remember the onset of the symptoms as immediate but other things were
also taking place around the time that Spyware Doctor was installed,
including an unavoidable update to VirusScan, when the earlier product was
superseded. Whatever the cause, however, I draw the following conclusions:–

1. Do not take error messages at their face value and do not act on them
without careful consideration. It seems safest to assume no more than that
an error message means you have a problem. Had I been rashly tempted to
delete winlogon.exe, for example, I would have found myself in much worse
trouble.
2. Do not assume that well-known commercial products from mainstream
software suppliers are necessarily compatible. It may be that McAfee
VirusScan and PC Tools Spyware Doctor run perfectly happily together in other
environments and my difficulties may also have had something to do with the
way these utilities were installed in my computer but, whatever the cause, in
my case they seem to be unwilling bedfellows.
3. If you don’t know exactly what you are doing, take advice before acting.

My next job is to follow Shenan Stanley's recommendations. My computer runs
under XP SP3. The latter is not burned into my CD, partly explaining my
reluctance to reinstall the OS. I understand that the installation baulks at
replacing what it sees as a more current version. (In this case, of course,
it probably would not have done any good anyway!) This is a situation that I
need to address.

Let me sign off, therefore, by saying, “Thank you very much.” I just hope
that my experience and your helpful advice will prove useful to others with
similar problems.
 
Gerry

Thanks Peter for reporting the outcome.


--


Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
Peter Hallett

You will observe, from the other correspondence in this thread, that my
initial problem has been solved. I am now following-up on your
recommendations. Scannow has been run and, gratifyingly, identifies a
‘clean’ machine, leaving me with one remaining task. I have two computers,
one with a recovery CD and the other with a full XP disk. The first was
supplied without SP2 or SP3, whilst the newer one came without SP3. Both
machines were subsequently updated to SP3 without, I am pleased to say, any
difficulty.

My problem, as I now understand it from a colleague – I have not had
occasion to try it myself – is that, if I attempt to restore either machine
from the supplied CD, the exercise will fail because SP3 will not ‘update’ to
earlier versions, leaving me, presumably with no option but to reformat the
disk and start from scratch, in the event of a major problem.

My newer Dell machine came with instructions on how to make a single Dell OS
Recovery CD but, when the instructions are followed, the necessary utility
does not appear to be installed and Dell seems to be very vague on the issue.

You mention burning a new CD, incorporating the latest service pack. I have
followed your links, and done a bit of Googling, but cannot see how to create
a new CD. Is there an alternative to buying a full OS disk incorporating
SP3? Recovery from a bare SP2, or even SP1, machine could be a long and
frustrating process if, for some reason, my regular back-up does not work.
It is always useful to have a disk, particularly with an older computer.
 
Shenan Stanley

Peter said:
You will observe, from the other correspondence in this thread,
that my initial problem has been solved. I am now following-up on
your recommendations. Scannow has been run and, gratifyingly,
identifies a 'clean' machine, leaving me with one remaining task.
I have two computers, one with a recovery CD and the other with a
full XP disk. The first was supplied without SP2 or SP3, whilst
the newer one came without SP3. Both machines were subsequently
updated to SP3 without, I am pleased to say, any difficulty.

My problem, as I now understand it from a colleague - I have not had
occasion to try it myself - is that, if I attempt to restore either
machine from the supplied CD, the exercise will fail because SP3
will not 'update' to earlier versions, leaving me, presumably with
no option but to reformat the disk and start from scratch, in the
event of a major problem.

My newer Dell machine came with instructions on how to make a
single Dell OS Recovery CD but, when the instructions are followed,
the necessary utility does not appear to be installed and Dell
seems to be very vague on the issue.

You mention burning a new CD, incorporating the latest service
pack. I have followed your links, and done a bit of Googling, but
cannot see how to create a new CD. Is there an alternative to
buying a full OS disk incorporating SP3? Recovery from a bare SP2,
or even SP1, machine could be a long and frustrating process if,
for some reason, my regular back-up does not work. It is always
useful to have a disk, particularly with an older computer.

Unfortunately - if, when you purchased the computer originally, you did not
choose the option to receive an actual Windows XP CD (you have a Dell -
AFAIK, it has always been an option when purchasing a Dell) then you are left
with only a few choices...

1) Contact Dell - see if they will send you a Windows XP installation CD
(OEM) for your computer. Surprisingly I have seen this work in the past.
2) Find someone with a Dell computer with the same flavor of Windows XP as
yours that did order the CD with their new purchase - make a copy of that
CD.
3) Find a generic OEM CD, make a copy of it.
4) Find a generic Windows XP CD of any license type and turn it into one
that accepts OEM product keys with a slight change of a single file
(SETUPP.ini) before burning a new integrated copy.

Your best/wisest choice IMO is the first. Any of them should work, though.

That is so you have a true OS CD.... (Which I gather you have one at
least - so that is more for future readers than you, I believe.)


As for making it so you could restore your computer to a point in time - you
should use an imaging application. There are several out there that would
do the job. If you were to create a UBCD4WIN - you'd have an option or two
for free that will work fine - given you have some place to put the image
(like an external hard disk drive, network location, etc.)

When your computer is running as you would like it to be (anytime and
everytime you feel like doing it) you could make a disk image of your
computer in a short period of time (time dependent on the amount of data you
store on your system) and store that image to apply at a later date - if
disaster struck.
 
Peter Hallett

Thanks for the suggestions.

I have got the Dell CD but it does not incorporate SP3. The CD for the
older machine does not even have SP2.

I am probably seeking both belt and braces because I do keep fairly well
backed up. Nevertheless, being forced, on two occasions in the past, to do a
full recovery from the archive, does tend to make one a bit over-cautious.
It is very gratifying to press the button and then come back, an hour or so
later, to find everything more or less as it was before the disaster took
place but it also makes you worry about the day when you press the button and
nothing happens – or, at least, not what you expect.

Now that I am clean again, I’ll go and back up both machines while I work
out my next moves. In the mean time, I am grateful for your assistance.
 
Shenan Stanley

Peter said:
Thanks for the suggestions.

I have got the Dell CD but it does not incorporate SP3. The CD for
the older machine does not even have SP2.
<snip>

You can integrate the service packs into a Windows XP CD (actual
installation CD) as well as many post-SP patches.

nLite, AutoStreamer or just using the /integrate command for service packs
and some patches come to mind. Bart's Boot Image Extractor along with a
decent CD burning application could give you a bootable updated CD.
 
