Solved

Getting Winlogon.exe Error Messages at Startup and Shutdown of XP Pro SP2

Posted on 2006-11-14
Last Modified: 2011-08-18
Hi Everyone:

       Each time I start up the computer, I get the following error message when the desktop attempts to load:  Winlogon.exe encountered a problem and needed to close.  After a few seconds, it disappears on its own.  Sometimes, I can click Cancel to clear it as well.  When I shut down XP, I get the following error message which also makes reference to winlogon.exe.  The error message reads as follows: Winlogon.exe Application Error.  The instruction at (makes reference to a memory address with numbers and letters) could not be read by the memory.  Click Cancel or OK to terminate the program or select Debug program.

         Any help on resolving this winlogon.exe error message within XP Pro SP2 will be appreciated.

        Thank you.

        George
0
Question by:GMartin
18 Comments
 
LVL 11

Assisted Solution

by:theProfessa
theProfessa earned 200 total points
ID: 17940612
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 1800 total points
ID: 17941779
It's probably not a nail infection, I haven't seen nail since last year.
A lot of nasties can also call themselves "winlogon.exe"

Let's look at your hijackthis log please.
Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
http://danborg.org/spy/hjt/alternativ.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.

Then upload the logs to any hosting sites,
or go to the below link and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.

OR: paste the log to either of these sites:
1. http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.

2. or at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Then post the link to the saved list here.
0
 
LVL 9

Expert Comment

by:gopal_krishna
ID: 17943622
We have a solution in Experts Exchange. Check this and see if this resolves the issue.

http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21238499.html

Please follow the accepted answer. You would be able to resolve this issue.

Any comments please get back to us.

Regards
Gopal krishna K
0

 

Author Comment

by:GMartin
ID: 17953890
Hi Everyone:

       I tried the sfc /scannow and chkdsk /r, but, those procedures did not correct the problem.  I did post the log file after running HiJack This.  Hopefully, this issue can be resolved this way.

      Thanks again for the suggestions.  I look forward to hearing again from everyone.

      George
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 1800 total points
ID: 17961653
Where's the link to your hijackthis log?
0
 

Author Comment

by:GMartin
ID: 17963229
Hi

       Sorry for taking so long.  Here is the link to the log file:
http://www.rafb.net/paste/results/B0V1sV38.html

       Thank you

       George
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17963699
Thanks for the log.

Download Pocket Killbox.
http://www.atribune.org/downloads/KillBox.exe
*Select the "Delete on Reboot" option.
*Select "All Files"
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

c:\windows\system32\mstds.exe
c:\windows\system32\p2pnetworking.exe
C:\WINDOWS\sachostx.exe  
C:\WINDOWS\mservice.exe

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
*If the computer doesn't restart, just restart manually.

Run a scan with Hijackthis and put a check next to these entries, while all browsers and other windows are closed click "Fix Checked":
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank  
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =  
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\system32\ipv6mons.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\Run: [mstds.exe] c:\windows\system32\mstds.exe  
O4 - HKLM\..\Run: [sachost] C:\WINDOWS\sachostx.exe  
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
O16 - DPF: {33331111-1111-1111-1111-611111193423} -  
O16 - DPF: {33331111-1111-1111-1111-611111193429} -  
O16 - DPF: {33331111-1111-1111-1111-615111193427} -


Please, also download AVG anti-spyware(formerly Ewido)
http://www.ewido.net/en/download/
and save that file to your desktop. This is a 30 day trial of the program
Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need to run ewido and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
    *Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
    *Select "Automatically generate report after every scan"
    *Un-Select "Only if threats were found"
Close ewido anti-spyware, Do Not run a scan just yet.
 
Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.
 
IMPORTANT: Do not open any other windows or programs while Ewido is scanning, it may interfere with the scanning process:
* Launch ewido-anti-spyware by double-clicking the icon on your desktop.
* Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
* Ewido will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
* If you have any infections you will be prompted, then select "Apply all actions"
* Next select the "Reports" icon at the top.
* Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file).
* Close ewido.
0
 

Author Comment

by:GMartin
ID: 17973038
Hi Everyone:

      I want to take a moment and followup on the progress with this concern.  Basically, infection was detected on this computer by HiJack This and Ewido.  While I was able to quarantine and delete the infection through the trial version of AVG Anti-Spyware, I am still experiencing the same winlogon.exe error messages at bootup and shut down.  

      On a sidenote, I wanted to use System Restore, but, this feature was turned off.  Any further help with this concern will be appreciated.

       Thank you.

       George
0
 

Author Comment

by:GMartin
ID: 17973062
Hi Everyone:

       Whenever I click on Ctrl, Alt, Del, and click on the Processes tab, I do see winlogon.exe within the list taking up 856K of memory.  Whenever I first open this menu, it is interesting to note this file takes up 468K of memory.  The type classified for this background process is System.  

       The reviews regarding the winlogon.exe file are "mixed" at best.  Some experts suggest this is a needed file because it manages the login and logoff protocols of Windows XP, while, some experts believe this file can sometimes become dangerously infected and can be used by hackers to obtain personal information like usernames and passwords.

        I look forward to reviewing any further thoughts to this post.

        George
0
 

Author Comment

by:GMartin
ID: 17973075
Hi Everyone:

         Just one more observation I made which I like to share.  As I understand it, the winlogon.exe file should only be in the system32 folder of windows.  However, when I performed a file search, I found this file to exist in other folders.  Should I delete the winlogon.exe files in the other folders and leave the one with system32 intact?  

          George
0
 

Author Comment

by:GMartin
ID: 17973121
Hi Once Again Everyone:

       I did not think it necessary to mention this earlier, but, perhaps it is fruitful to bring it up.  While I was able to run sfc /scannow and chkdsk /r, I was only able to carry out these procedures within Normal Mode.  Whenever I tried to do it as an Administrator within Safe Mode, I continually got the following error message:  Windows file protection could not initiate a scan of protected system files.  The specific error code is 0x000006ba [The RPC Server is Unavailable].

        I am not sure if reporting this error is of much help, but, I like to carefully go over anything which might help provide a clue to resolving the issue at hand.

        George
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17973143
Did you also follow my suggestions above? After you've done those, let us look at a new hijackthis log.

Yes the legit svchost.exe should be in the system32 folder and unless you're talking about the ones in the windows backup, otherwise anywhere else would be bad.

Tell us where this svchost.exe you're talking about is and we'll tell you if it's bad or not.

You need to try and clean your system from malware/viruses before you try any repair etc, or you might end up having your system unbootable or not being able to login.
0
 

Author Comment

by:GMartin
ID: 17973422
Hi

       The file I am referring to is winlogon.exe which is referenced within the startup and shutdown windows error message.  By the way, I will go ahead and prepare to send the link to a new hijack this log file.

        Thanks again for your help and followups.

         George
0
 

Author Comment

by:GMartin
ID: 17973444
Hi

       Here is the link to the new HijackThis Log File created after the cleanup.  The link is
http://www.rafb.net/paste/results/zGP7qS84.html

       George
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 1800 total points
ID: 17973664
Do you have the Dritek System Inc.
Install Catalog File?

If not then this entry below is bad:
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
I would fix the above entry in Hijackthis.


C:\WINDOWS\SYSTEM32\instcat.dll <-- I would rename this file to disable it or submit it at jotti --> http://virusscan.jotti.org/


Let us know if the error persists after you disable that file.
0
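Added example, not part of the original thread: a small triage pass over a HijackThis log that surfaces the same kinds of entries picked out in the fix list and in the O20 reply above (autostart Run keys, Winlogon Notify DLLs, and registry entries whose file is gone). The sample log is constructed from lines quoted in this thread plus two made-up benign entries, and the baseline set is a hypothetical list an analyst would record from a known-clean build of the same machine.

```python
import ntpath
import re

# Constructed sample in HijackThis log format. The Example* lines are made up;
# the others are entries quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\system32\ipv6mons.dll (file missing)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\Run: [sachost] C:\WINDOWS\sachostx.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
O20 - Winlogon Notify: ExampleNotify - C:\WINDOWS\system32\examplentfy.dll
"""

# Hypothetical baseline: (entry type, lower-cased name) pairs from a known-clean machine.
BASELINE = {("O4", "exampletray"), ("O20", "examplenotify")}

RUN = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<target>.+)$")
NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<target>.+)$")
ORPHAN = re.compile(r"\((?:file missing|no file)\)\s*$")

def triage(log_text, baseline=BASELINE):
    """Return (entry_type, name, reason) tuples for lines that need an analyst's review."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()  # pasted logs often carry trailing spaces
        if ORPHAN.search(line):
            findings.append((line.split(" - ")[0], "", "registry entry points at a missing file"))
            continue
        for kind, rx in (("O4", RUN), ("O20", NOTIFY)):
            m = rx.match(line)
            if not m:
                continue
            name, target = m["name"], m["target"].strip('"')
            if (kind, name.lower()) in baseline:
                continue  # known-good entry, nothing to review
            if kind == "O4" and not ntpath.dirname(target):
                reason = "autostart with no directory, resolved via the search path"
            elif kind == "O20":
                reason = "DLL loaded into winlogon.exe, not in baseline"
            else:
                reason = "autostart not in baseline"
            findings.append((kind, name, reason))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

A finding here only means "not yet explained"; as in the thread, the file behind it still has to be identified or scanned before it is disabled.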
 

Author Comment

by:GMartin
ID: 17973814
Hi There

       Thanks so much for the followup advice.  Incidentally, I bookmarked the scan links given.  They are handy especially when it comes to malware infection.  Now, to the problem at hand.

        I fixed O20 using HiJack This and renamed the file instcat.dll to test.dll, but, still having the error messages relating to winlogon.exe.  Sorry about this because the suggestions you are giving are great ones.  Apparently, this is going to be a tricky problem to finally resolve.

        On a sidenote, I really want to thank you for helping me clean up my pc.  Outside of the annoying error message upon restart and shutdown of the pc, it is running much smoother.

        In closing, I look forward to reading and trying out any further suggestions you have.

        George
0
 

Author Comment

by:GMartin
ID: 17975457
Hi Everyone:

          I am happy to report this problem is now fully resolved.  I have restarted my pc both from cold and warm boots without the annoying winlogon.exe application error.  While I enjoyed trying out each expert's suggestions, I must confess I got a whole lot out of rpggamergirl's recommendations.  Not only did this expert solve my problem, but, this expert gave me information and resourceful tools which can be used in the future in dealing with malware.  As stated earlier, I bookmarked the resourceful links supplied.

          Now, regarding why the intervention strategies did not work right away may have been due to the updates (e.g. cleaning out the registry entries and memory of malware, etc.) probably had something to do with Windows XP needing to update the changes by either a cold or warm reboot.  As always, I am very pleased with the results of this post.

          Very good job everyone, especially rpggamergirl.  I greatly appreciate your professional guidance through this rather difficult problem.

            Thank you again for a job well done!!!

            George
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17978322
Hi George,

It's good to know that the problem's been resolved. And it was a pleasure assisting you.
Thank you for the points and the excellent grade!

Happy computing!
0


Question has a verified solution.
