Re: Is winlogon.exe a virus and WinLogon.exe a windows utility?
- From: "Pyramid 36" <Pyramid36@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 11 Jun 2005 08:21:05 -0700
Thanks everyone. Searched WINNT directory and winlogon.exe seems legit,
based on the information you provided.
Dodged a bullet for a change.
Pyramid36
"David H. Lipman" wrote:
> From: "Pyramid 36" <Pyramid36@xxxxxxxxxxxxxxxxxxxxxxxxx>
>
> | I've been seeing winlogon.exe running and was not sure what it was. I found
> | an answer on www.liutilities.com that has me puzzled. The site describes a
> | possible relationship between winlogon and WinLogon as follows:
> |
> | Process File: winlogon or winlogon.exe
> | Process Name: Microsoft Windows Logon Process
> |
> | Description:
> | WinLogon.exe is the Windows NT login manager. It handles the login and
> | logout procedures on your system. This process is an essential part of your
> | OS and should be left alone. Note: winlogon.exe is a process which is
> | registered as the W32.Netsky.D@mm worm. This virus is distributed via the
> | Internet through e-mail and comes in the form of an e-mail message, in the
> | hopes that you open its hostile attachment. The worm has its own SMTP
> | engine which means it gathers E-mails from your local computer and
> | re-distributes itself. In worst cases this worm can allow attackers to access
> | your computer, stealing passwords and personal data. It is a registered
> | security risk and should be removed immediately. Please see additional
> | details regarding this process"
> |
> | If I read the above correctly, it is saying that a process called winlogon.exe
> | without the caps found in WinLogon.exe is the virus.
> |
> | I'd like some clarification and/or verification of the above, if possible.
> |
> | Pyramid36
>
> The file name WinLogon.exe is the same as winlogon.exe and the two cannot exist in the same
> folder. Windows treats filenames using uppercase and lowercase names the same (unlike
> Unix). Therefore, for two files to be the same name and to be different, they *must* be in
> different folders.
>
> The legit version should be: %windir%\system32\WINLOGON.EXE
> { other copies/version may be in 'i386' or 'ServicePack' folders }
>
> If you find WINLOGON.EXE in %windir% or some other folder such as
> %WinDir%\MSAGENT\WIN32\WINLOGON.EXE then you should be suspicious of it!
>
> The Netsky puts WINLOGON.EXE in the %windir% folder --
> http://vil.nai.com/vil/content/v_101048.htm
>
> So does the following...
> PosX -- http://vil.nai.com/vil/content/v_100801.htm
> StartPage-EK -- http://vil.nai.com/vil/content/v_127317.htm
>
> The Sober worm puts WINLOGON.EXE in the folder %WinDir%\MSAGENT\WIN32
> W32/Sober.l@MM -- http://vil.nai.com/vil/content/v_131869.htm
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>
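The location check described in the quoted reply, as an added PowerShell example that is not part of the original thread: it classifies every running winlogon.exe process and every winlogon.exe file under %windir% by folder. The function name Get-WinlogonVerdict, the verdict labels, and the way "i386" and "ServicePack" folders are matched are assumptions made for illustration.

```powershell
# Added example: classify each winlogon.exe by where it lives, per the rule in the thread.
$windir   = $env:windir
$expected = Join-Path $windir 'System32\winlogon.exe'

# Hypothetical helper: returns 'expected', 'backup-copy' or 'suspicious' for a full path.
function Get-WinlogonVerdict {
    param([Parameter(Mandatory)][string]$Path)

    # -ieq compares case-insensitively: WinLogon.exe and winlogon.exe are one name on Windows.
    if ($Path -ieq $expected) { return 'expected' }

    # Assumption: the 'i386' / 'ServicePack' folders from the thread are matched as path segments.
    $segments = (Split-Path $Path -Parent) -split '\\'
    if ($segments | Where-Object { $_ -ieq 'i386' -or $_ -like 'ServicePack*' }) {
        return 'backup-copy'
    }

    # Anything else, e.g. %windir%\WINLOGON.EXE or %windir%\MSAGENT\WIN32\WINLOGON.EXE.
    return 'suspicious'
}

# 1. Running processes: which file was each winlogon.exe actually started from?
Get-CimInstance Win32_Process -Filter "Name = 'winlogon.exe'" |
    ForEach-Object {
        # ExecutablePath can be empty without administrative rights; report that instead of guessing.
        $verdict = if ($_.ExecutablePath) { Get-WinlogonVerdict $_.ExecutablePath } else { 'path-unavailable' }
        [pscustomobject]@{ Source = 'process'; Id = $_.ProcessId; Path = $_.ExecutablePath; Verdict = $verdict }
    }

# 2. Files on disk under %windir%, including hidden and system files.
Get-ChildItem -Path $windir -Filter 'winlogon.exe' -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{ Source = 'file'; Id = $null; Path = $_.FullName; Verdict = Get-WinlogonVerdict $_.FullName }
    }
```

A 'suspicious' verdict means the copy deserves a closer look, not that it is malware; Get-AuthenticodeSignature on the flagged path is a reasonable next check.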