WINLOGON.EXE - Dangerous

What you should do about WINLOGON.EXE:

Check Your PC Now
Your PC may be infected. The presence of a file called WINLOGON.EXE is a possible sign of infection.


You should urgently check your PC to make sure it is not infected. The free version of Prevx CSI will scan your PC in less than two minutes and check for millions of spyware and malware infections including WINLOGON.EXE. Don't take the risk, check your PC now by clicking the green button.

Download Prevx CSI Now

Who Uses Prevx CSI?

Prevx has been detecting the threats that others miss since 2004.

More than 2,078,771 people have scanned with Prevx CSI and between them have checked 30.5 billion files. 68% of the PCs scanned had malware present.

What we know about WINLOGON.EXE:

The filename WINLOGON.EXE was first seen on Aug 22 2007 in The UNITED KINGDOM. It has also been seen in the following geographical regions of the Prevx community:

  • MALAYSIA on Sep 27 2007
  • SPAIN on Apr 11 2008
  • CHINA on Apr 12 2008
  • PAKISTAN on Mar 20 2008
  • The EUROPEAN UNION on May 14 2008
The filename WINLOGON.EXE is used by multiple object types including objects,executable programs,objects.

The most common file size is 16,535 bytes. But the following file sizes have also been seen:

  • 446,464 bytes
  • 155,476 bytes
  • 93,184 bytes
  • 43,072 bytes
  • 65,536 bytes
  • 46,080 bytes
  • 161,280 bytes
  • 471,040 bytes

The unsafe files using this name are associated with the malware group BackDoor.Generic8.TPW.Some files using the name WINLOGON.EXE are also associated with the malware groups:
  • Worm/VB.BSP
  • Trojan.SystemPoser
  • TROJAN.AGENT.GEN
  • Backdoor.Trojan
  • Generic.IY
  • SystemPoser:Trojan-All Variants
 These files have no vendor, product or version information specified in the file header.

WINLOGON.EXE has been seen to perform the following behavior(s):

  • Creates a TCP port which listens and is available for communication initiated by other computers
  • The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
  • This Process Contains User Mode Rootkit Functionality
  • Adds a Registry Key (RUN) to auto start Programs on system start up
  • This Process Creates Other Processes On Disk
  • Creates potentially fake system tray messages and error warnings
  • The Process is packed and/or encrypted using a software packing process
  • Can communicate with other computer systems using HTTP protocols
  • Sends email using SMTP protocols
  • Registers a Dynamic Link Library File
  • This Process Deletes Other Processes From Disk
  • Executes a Process
  • Writes to another Process's Virtual Memory (Process Hijacking)
  • Opens pop up browser windows
  • Uses DNS to retrieve the IP address for web sites
  • Disables the built in Windows File Protection System
  • Terminates Processes
  • Makes outbound connections to other computers using NETBIOSOUT protocols
  • Disables the Notification Baloon for the Windows Security Center
  • Disabling the Windows Built in Firewall enabling rogue processes to access the internet without user knowledge or permission
  • Disables the Windows Security Center Service
  • Creates a new Background Service on the machine
  • Disables Access to the Windows Registry Editior
  • Modifies Windows Security Policies to restrict/expand User Privlidges on the machine
  • Disables Access to the Task Manager built into Windows

WINLOGON.EXE has been the subject of the following behavior(s):

  • Executed as a Process
  • Created as a process on disk
  • Created as a new Background Service on the machine
  • Executed from Temporary Folders
  • Registered as a Dynamic Link Library File
  • Copied to multiple locations on the system
  • Added as a Registry auto start to load Program on Boot up
  • Deleted as a process from disk
  • Has code inserted into its Virtual Memory space by other programs
  • Terminated as a Process

WINLOGON.EXE can also use the following file names:

  • WINVNC4.EXE
  • REALVNC_NOICON_V412/412_NOICON_VS6SP6/WINVNC4.EXE
  • 3D17CF905D59960373089677F942CECA.EXE
  • 02887489.EXE
  • 54235787.EXE
  • ASTRY.EXE
  • SCVHOST.EXE
  • SYSTEM.EXE
  • EXPLORER.EXE
  • NETWORK.EXE
  • .EXE
  • IMG0918.JPG-WWW.PHOTOALBUMS.COM
  • 91906574.EXE
  • 87432959.ZIP
  • 84876974.ZIP
  • 14722113.ZIP
  • 67070884.EXE
  • 78624852.EXE
  • 1.EXE
  • DPTRMAPTRI-877.PMS.EXE
  • C401C4B72ED997E18D73906637E82E56.EXE
  • 43399713.SVD
  • SERVICES.EXE
  • CSRSS.EXE
  • SMSS.EXE
  • J6472622.EXE
  • C_47262K.COM
  • ZH592372484Y.EXE
  • O4472627.EXE
  • _DEFAULT47262.PIF
  • YESBRON.COM
  • DOCUMENTS AND SETTIN
  • S96
  • _DEFAULT4726
  • 94736353.DAT
  • ADOBE PHOTOSHOP CS3 KEY GEN.EXE
  • 65993214.EXE
  • WINDOWS XP PROFESSIONAL KEYGEN.EXE
  • 29995299.DAT
  • 13956119.SVD
  • 90988146.EXE
  • 97470483.EXE
  • DPTRNKNLHW-610.PMS.EXE
  • 23FDE57320EAC41D02135863DBEB6B9E.EXE
  • DPTRRKLELB-187.PMS.EXE

Virus, Spyware & Malware Center