Winlogon.exe has become a favorite place for worm and virus writers to hide their payloads.
Winlogon is the program responsible for user authentication in Windows; it is the process that shows you the Windows logon dialog box.
Here are some reasons why virus writers love to hide their worms in winlogon.exe:
- It’s an essential system process, so most people won’t suspect that winlogon is the culprit.
- It’s not easy to kill winlogon.exe, and even if you do manage to kill the process, the machine will instantly crash and show you a blue screen.
Today we are going to discuss removing a winlogon virus without shutting down the computer or using any kind of bootable disk.
Tools required
- Sysinternals Process Explorer
- A replacement file explorer such as FreeCommander (optional)
The process is actually pretty easy. We are going to use Process Explorer to list the DLLs currently loaded in winlogon.exe.
Most legitimate DLLs have a proper description and company name. If you see a DLL with no description, no company name and a strange-looking name, it is most probably a worm.
To make sure that the DLL is indeed malware, double-click the DLL name and check the strings inside it.
Look for suspicious strings within the DLL. Strings like “worm”, “password”, or the name of a suspicious website are sure-shot indications that it is indeed malware.
To be extra sure, search the Internet for the name of the DLL to confirm that it is indeed malware.
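The same triage the article does by hand in Process Explorer, written as an added PowerShell example (not code from the original article): it lists the modules loaded in winlogon.exe, flags the cues the article names (missing description or company name, odd location), adds an Authenticode signature check the article does not mention, and pulls keyword-matching strings out of any flagged module. The keyword list and the minimum string length are constructed heuristics for this illustration; run it from an elevated 64-bit PowerShell prompt, since winlogon.exe runs as SYSTEM.

```powershell
# Added example (not from the original article): automate the article's manual
# Process Explorer checks. Keywords and thresholds are constructed heuristics.
# Run from an elevated 64-bit PowerShell prompt (winlogon.exe runs as SYSTEM).

# Strings the article suggests looking for inside a suspect DLL.
$SuspectWords = @('worm', 'password', 'http://', 'www.')

function Get-AsciiStrings {
    # Printable-ASCII runs of at least $MinLength bytes, like a "strings" tool.
    param([string]$Path, [int]$MinLength = 6)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Latin-1 maps one byte to one char, so offsets and runs stay intact.
    $text  = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)
    [regex]::Matches($text, "[\x20-\x7E]{$MinLength,}") | ForEach-Object { $_.Value }
}

function Test-WinlogonModules {
    $proc = Get-Process -Name winlogon -ErrorAction Stop | Select-Object -First 1
    foreach ($m in $proc.Modules) {
        $path  = $m.FileName
        $info  = $m.FileVersionInfo
        $sig   = Get-AuthenticodeSignature -FilePath $path
        $flags = @()
        # The article's cues: empty description / company name, unusual location.
        if ([string]::IsNullOrWhiteSpace($info.CompanyName))     { $flags += 'no company name' }
        if ([string]::IsNullOrWhiteSpace($info.FileDescription)) { $flags += 'no description' }
        if ($path -notlike "$env:SystemRoot\*")                    { $flags += 'outside %SystemRoot%' }
        # Not in the article, but the strongest cue a defender has: every module
        # inside winlogon should carry a valid Authenticode signature.
        if ($sig.Status -ne 'Valid')                              { $flags += "signature $($sig.Status)" }

        $hits = @()
        if ($flags.Count -gt 0) {
            # Only for suspects: the article's "check the strings" step.
            $hits = Get-AsciiStrings -Path $path | Where-Object {
                $s = $_.ToLower()
                ($SuspectWords | Where-Object { $s.Contains($_) }).Count -gt 0
            } | Select-Object -First 10
        }
        [pscustomobject]@{
            Module  = $m.ModuleName
            Path    = $path
            Company = $info.CompanyName
            Flags   = ($flags -join '; ')
            Strings = ($hits -join ' | ')
        }
    }
}

# Show only the modules that tripped at least one cue.
Test-WinlogonModules | Where-Object { $_.Flags } | Format-List
```

A flagged module is a lead, not a verdict: confirm it with the Internet search the article recommends before deleting anything.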
Virus writers truly love hiding their malware within winlogon, because in order to remove the malware you have to kill winlogon, which is not an easy task for most users.
However, you can follow these steps to kill winlogon and delete the malware:
- It’s not possible to kill winlogon.exe using Windows Task Manager, so we are going to use the excellent Sysinternals Process Explorer to kill winlogon.exe.
- Since this tutorial is for common computer users, I will not explain how to delete the malware using the command prompt. You can download the excellent file explorer FreeCommander to browse the filesystem and delete the malware. Using FreeCommander is a lot easier than using the Command Prompt.
1. Run FreeCommander so that we can browse and delete files.
2. Start Process Explorer and use it to kill Explorer.exe. We are killing explorer.exe because most of the time explorer.exe is also infected, so we kill it just to be sure.
3. Now it’s time to kill winlogon.exe. The process is actually pretty simple: before killing winlogon.exe, we have to kill Smss.exe.
We have to do this because the Smss.exe process monitors winlogon.exe and will shut down the machine if it finds that winlogon is not running.
After killing Smss.exe, you can safely kill winlogon.exe.
4. After winlogon is gone, you can safely delete the malware. Since you have already killed explorer, use FreeCommander to browse the filesystem and delete the malware.
That’s it. You have now safely removed the malware from your system without using any kind of bootable disk.
Please support this article by digging and stumbling it.
September 4th, 2008 at 9:16 am
This was the best advice I’ve found so far. Your tip worked for me on the very first try. Thanks!!!
September 5th, 2008 at 8:14 pm
thanks for the tips
September 6th, 2008 at 7:54 am
I have the PEPATCH in my machine back in my office in Louisiana.
So I must fix it remotely.
For some reason AVG is no longer installed on that computer, and when I install AVG it does an automatic remove or move to vault against the winlogon which prevents a reboot (an endless loop starts). So far, I can reboot with restore, but that removes AVG for the next time, and I still don’t deal definitively with the virus.
So here is how I understand it, before trying to fix my computer back home.
1. Download both Process Explorer and Free Commander
2. Use Process Explorer to locate winlogon.exe and then, in the lower pane, view the DLLs
3. Check out the DLLs and find the offenders.
4. Use Process Explorer to kill processes in this order:
a) Explorer.exe
b) Smss.exe
c) Winlogon.exe
5. Use Free Commander to kill the offending DLLs
Now my questions are:
1) Before I restart, can I then install AVG and let it run its first scan for viruses and malware, in which it auto-deletes or removes to vault infected viruses? Then restart.
2) Or should I restart and install AVG after restarting?
It would seem the first would be the best course, in case winlogon would get reinfected on start-up.
What can I do to safeguard against the case where the wrong DLL is removed and I won’t be able to reboot?
Thanks for the help on this!
September 6th, 2008 at 8:34 am
Hello MAX,
You can definitely run AVG after deleting the offending DLL from your machine. If AVG has got a signature for the offending DLL, it will delete the DLL automatically.
However, I have seen that some programs will not function normally after killing winlogon. If you are able to run AVG properly after killing winlogon, then go ahead and do a scan.
“what can I do to safeguard that if the wrong dll is removed and I won’t be able to reboot?”
Not much, actually. If you somehow delete the wrong DLL, you won’t be able to boot normally. Just take a look at the strings inside the suspect DLL and see if it’s got suspicious strings.
That’s the sure-shot way to detect the malware.
Please let me know if you have got any problem. I reply to all the comments.
September 13th, 2008 at 9:37 am
Yep, a nice tutorial… good one…. Stumbled…
September 13th, 2008 at 9:38 am
Thanks for leaving a comment on my blog. Yes, the winlogon virus is pretty tough to kill. Last time I wrote a program in C# to kill the virus, as the virus programmer was so intelligent: his code was not allowing processes like HijackThis, Avenger, Process Explorer and almost all the virus removal tools to run, and it was updating all the registry entries in winlogon and RunOnce very frequently. At last I wrote a multithreaded registry editing program in C# which was changing the virus DLL path to some junk file more frequently than the malware itself, and force rebooted the system, and that solved my problem.
Anyway, my job would have been much simpler if I had got this tip at that time.
Cheers,
Manjunath
http://probedeep.blogspot.com/
September 13th, 2008 at 11:51 am
Hello manjunath jee,
Well, most worm writers are not that smart. You can easily change the name of Process Explorer to some other string. You can use UltraEdit or some other nice hex editor in order to change the string.
For example, change the string “Process Explorer” to “Krocess Kxplorer”. Just make sure that the length of the string matches.
Most bums just check the window title and kill the program. This is an easy way to bypass this kind of stupid protection.
I used to crack programs using FileMonitor, and some programs used to kill FileMonitor by searching for the window title. So I used to change the string “File Monitor” in the File Monitor executable using UltraEdit. That used to do the trick.
September 14th, 2008 at 11:17 am
Yup!!! I did that too.
I renamed HijackThis to names such as pingpong and Process Explorer to alarm etc., but nothing worked. The malware/worm was very smart indeed; I don’t know how it was recognizing the malware removal tools even though I renamed them…….
September 14th, 2008 at 11:38 am
Manjunath jee,
I meant that you have to change every string “inside the executable”. Changing the name of the executable won’t do any good.
Open the executable using some hex editor like UltraEdit and then search and replace the string “Process Explorer” inside the executable.
Just make sure that the string lengths are the same.
September 19th, 2008 at 11:14 am
hey…
Your steps worked like a charm……….. THANKS A LOT!!!!!!!!!!!!!!!
September 19th, 2008 at 11:31 am
Thanks buddy…. your steps worked like a charm…………
THANKS a lot!!!!!!!!!!!!!
September 24th, 2008 at 7:07 am
Hello! How do I change the ‘string’ inside Process Explorer? I opened it in UltraEdit but all I see is millions of numbers and letters.
I can’t turn off the computer from the Start menu; the Task Manager is disabled, and also Regedit, Safe Mode, HijackThis, Process Explorer and even some websites. So I think I have the same problem here.
Could anyone please explain to me how to use UltraEdit so I can try the solution above.
Thank you
October 16th, 2008 at 2:04 am
You quite obviously spent a lot of time writing this article, so why not run it through a spell-checker, and then proof read it to remove your poor grammar? It just jumps out from the page.
October 16th, 2008 at 5:23 am
Yahell:
Just open the executable in UltraEdit and then click on the Search menu:
Search > Replace
Now you can replace any string inside the executable. Just make sure that you have checked the “Find ASCII” checkbox to replace only ASCII strings.
UltraEdit is a really powerful hex editor and you can do a lot more than just replace strings.
James:
Thanks for your comment, I will spellcheck the article …
And all those grammar Nazis out there: you are free to pinpoint the mistakes.
October 21st, 2008 at 9:35 pm
OK
GET LINUX
DONE
PROBLEM SOLVED
NEED WINDOWS
It’s called VMware, brotha!!!
October 21st, 2008 at 11:05 pm
Use VMware to run Windows … so that my new PC behaves like a 386?? A virtualization layer introduces a LOT of overhead. No matter what VMware says, and no matter how many virtual drivers you use in your virtual machine, your virtual machine will _ALWAYS_ be slower than your bare naked machine.
And besides … I don’t even want to touch Linux. Unix machines still have a lot of things that need improvement: printing, the X Window System, a good and coherent desktop environment … and the list goes on.
If you want to have your daily dose of kernel programming, you can still do that on Windows. Just download the DDK and head to ntdev. You will find lots of smart people there to interact with.
But please … don’t think that we “common” people are going to shift to Linux or any other *nix variant just because it’s cool.
Linux ain’t cool and it never will be.
October 24th, 2008 at 4:44 am
Hi, I have a problem with winlogon.exe.
The computer works fine, but when I try to shut it down, it shows me that Windows is closing, and a few seconds before I can hear the hard disk turn off, it shows a blue screen with the message: c000021a
critical system fault, in winlogon at the address 000….. ??? (don’t know) system halted.
And the computer still does not turn off; after that I turn it off manually.
Next time I can start normally, the laptop works fine, until the next shutdown.
Can you give me some advice?
I have tried to install the recovery console, then exchange winlogon.exe for another one from another computer (doesn’t work), and I don’t want to reinstall Windows because some applications are unique to me….
Thanks a lot, Martin.
October 24th, 2008 at 6:03 am
Hello Martin,
It seems that some critical system files on your system are messed up or were deleted accidentally.
This may be due to:
1. Some antivirus/antispyware deleting some critical system files while removing the malware.
2. A hard disk crash. Check if you have folders named found.000, found.001 …etc. on your hard disk. If you do, then chkdsk has moved some system files to these folders during the scanning process.
3. Sometimes strange GINA DLLs may also cause problems. Some wireless drivers like Atheros may install additional authentication DLLs that may cause problems with SP3. However, this is very rare, as most of the time drivers are not the problem.
Your options:
1. Try pressing F8 during system boot and then choose “Last known good configuration”. If you are lucky and have a good system restore point, then you will have no problem. However, if you are not lucky and you don’t have a good system restore point, then carry on to step 2.
2. Boot using the Windows installation CD and choose the repair option to repair your current Windows installation. This option will just replace the system files, and all your programs will be safe. You won’t have to reinstall them.
Good luck. It’s not a big problem, and you can solve it pretty easily.
November 2nd, 2008 at 1:04 am
November 9th, 2008 at 2:18 pm
Thanks for the tip … I had ddccvlfe.dll on my machine and it was in winlogon, explorer, and cli.exe … for some reason it was firing off two versions of cli.exe.
Had to kill all three … but it worked after that.
Thanks!
Horus
November 24th, 2008 at 1:27 pm
I would love to try out some of this stuff, but my PC has started to loop reboot. I found that I had a winlOgon.exe virus, as notified by the “RemoveIT” spyware software. So I downloaded AVG and installed it. It was running a check, the virus came up in the box etc. Next thing, the PC just started rebooting; it goes into the blue XP user screen for a few moments, and then reboots again.
What now? Could someone please give me some advice?
Brad
November 27th, 2008 at 2:37 am
Hi. I’ve got a Vundo on my laptop and I was wondering if I can follow the steps in the article. Thanks!!!!
November 27th, 2008 at 3:12 pm
Thank you, solved it for me:)
November 29th, 2008 at 9:44 am
Many, many thanks for your clear instructions which have helped me get rid of Vundo (identified but not deleted by McAfee)
November 29th, 2008 at 1:26 pm
This one has me stumped. Something is causing the browser to open, and when it’s open all it does is go to the home page. If you go to another page, all it does is reload the home page.
Multiple browser windows keep opening. When you rename or delete the browser program, you get an unsigned error message saying ‘Application can’t be found’.
I wiped out the disk drive and loaded Windows and it’s still there. I wiped out the drive multiple times and used different CD sources of XP, and they all come up the same. I used Partition Magic to wipe out a little 8 GB partition I thought this critter might be hiding in. Always the same results.
When XP starts up it tries to go online. I was able to open Explorer before it happened once, and the right pane in Explorer went to the default MSN home page.
The only place I think this thing can be hiding is in the BIOS, but the floppy drive no longer works so I can’t flash it using the Dell update.
When I use your technique, all DLLs associated with Winlogon are signed as Microsoft.
It took me two days to isolate this thing to Explorer being triggered by Winlogon. As soon as I open an Explorer window it starts trying to fire up IE again.
At least XP Pro lets you delete IE. XP Home automatically restores it.
Any ideas would be most appreciated. I have just the basic XP Pro install while I’m trying to find this bug. Could it really be hiding in the BIOS and reinstalling itself that way?
Thanks
November 29th, 2008 at 1:39 pm
Hello nuguy47,
It’s very easy to see which program is running the browser using Process Explorer. Its tree view will help you locate the exact program that’s running the browser.
If Process Explorer indicates that winlogon is running the browser, then there’s definitely some worm loaded inside winlogon.
Try scanning using some free antivirus and follow the steps above to remove the worm.
If you need any more help, then just let me know.
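The parent-process check the reply above describes doing by eye in Process Explorer’s tree view, as an added PowerShell example (not code from the original post or its author): it maps every running browser to the process that spawned it and marks parents that should never launch a browser. The browser list and the list of unusual parents are constructed for this illustration; it assumes an elevated prompt so that all processes are visible.

```powershell
# Added example (not from the original post): which process spawned each browser?
# Browser names and the "unusual parent" list are constructed for this example.
# Run from an elevated prompt so every process and command line is visible.

$Browsers       = @('iexplore.exe', 'firefox.exe', 'chrome.exe')
$UnusualParents = @('winlogon.exe', 'smss.exe', 'csrss.exe', 'services.exe', 'lsass.exe')

function Get-BrowserParents {
    $all   = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in ($all | Where-Object { $Browsers -contains $_.Name.ToLower() })) {
        # ParentProcessId is only reliable while the parent is still alive: once it
        # exits, the PID may be reused, so an absent parent is reported as such.
        $parent     = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<parent exited>' }
        $note = ''
        if ($UnusualParents -contains $parentName.ToLower()) {
            $note = 'UNUSUAL: a system process launched a browser; inspect its loaded modules'
        }
        [pscustomobject]@{
            Browser     = $p.Name
            PID         = $p.ProcessId
            Parent      = $parentName
            ParentPID   = $p.ParentProcessId
            CommandLine = $p.CommandLine
            Note        = $note
        }
    }
}

Get-BrowserParents | Format-Table -AutoSize
```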
November 30th, 2008 at 3:45 am
How is the bug still there when I:
a) wiped the HDD each time using a DES-approved program before I
b) reloaded Windows multiple times from different source disks (3 different)
c) don’t have any unsigned DLLs under winlogon (they all say Microsoft)
Malwarebytes found a winlogon virus and removed it.
What next?
Thanks in advance for your help.
December 31st, 2008 at 3:42 am
Hey, I have this nasty little bug on my computer. It’s been here the last few days. I’ve tried every anti-malware software you can think of, everything from Avast to VundoFix, and still can’t get it off.
I believe it to be a Vundo. When I do HijackThis the same file keeps coming back every time I delete it. The winlogon file kept showing up as infected as well.
I know bugs can get into winlogon, so I did a search on my computer for it and 4 winlogons came up. One of them was in my system32 folder, which I know is the real one, but what about the others?
I was just going to delete the others, but people started yelling at me saying don’t delete them or my computer won’t work. So after someone sent me to this site I downloaded the two tools you said, but before I try them I am a little scared I might mess my computer up because I have never used these two programs.
But a quick question: after I kill a program, how do I turn it back on?
Like, you say to kill explorer, then smss, then winlogon, but after I do that how do I turn them back on? I practiced first and turned off Yahoo, but once I did I didn’t know how to turn it back on.
And with the Free Commander tool, how do I browse? Also no tray shows up at the bottom of my Process Explorer. Sorry for the long reply, I just like to be detailed.
January 1st, 2009 at 2:29 am
January 2nd, 2009 at 12:16 am
Hi, thanks for this post, it has helped me to get rid of a Vundo trojan that was making life miserable for me.
January 5th, 2009 at 4:02 pm
This advice rocks. I was going nuts trying to remove a dll from my system.