Solved

Getting Winlogon.exe Error Messages at Startup and Shutdown of XP Pro SP2

Posted on 2006-11-14
18
13,791 Views
Last Modified: 2011-08-18
Hi Everyone:

       Each time I start up the computer, I get the following error message when the desktop attempts to load:  Winlogon.exe encountered a problem and needed to close.  After a few seconds, it disappears on its own.  Sometimes, I can click Cancel to clear it as well.  When I shut down XP, I get the following error message which also makes reference to winlogon.exe.  The error message reads as follows: Winlogon.exe Application Error.  The instruction at (makes reference to a memory address with numbers and letters) could not be read by the memory.  Click Cancel or OK to terminate the program or select Debug program.

         Any help on resolving this winlogon.exe error message within XP Pro SP2 will be appreciated.

        Thank you.

        George
0
Question by:GMartin
18 Comments
 
LVL 11

Assisted Solution

by:theProfessa
theProfessa earned 50 total points
ID: 17940612
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 450 total points
ID: 17941779
It's probably not a nail infection, I haven't seen nail since last year.
A lot of nasties can also call themselves "winlogon.exe"

Let's look at your hijackthis log please.
Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
http://danborg.org/spy/hjt/alternativ.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.

Then upload the logs to any hosting sites,
or go to the below link and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.

OR: paste the log to either of these sites:
1. http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.

2. or at --> http://www.hijackthis.de/
and click "Analyse", click "Save".  Then post the link to the saved list here.
0
 
LVL 9

Expert Comment

by:gopal_krishna
ID: 17943622
We have a solution in Experts Exchange. Check this and see if this resolves the issue.

http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21238499.html

Please follow the accepted answer. You would be able to resolve this issue.

Any comments please get back to us.

Regards
Gopal krishna K
0
 

Author Comment

by:GMartin
ID: 17953890
Hi Everyone:

       I tried the sfc /scannow and chkdsk /r, but, those procedures did not correct the problem.  I did post the log file after running HiJack This.  Hopefully, this issue can be resolved this way.

      Thanks again for the suggestions.  I look forward to hearing again from everyone.

      George
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 450 total points
ID: 17961653
Where's the link to your hijackthis log?
0
 

Author Comment

by:GMartin
ID: 17963229
Hi

       Sorry for taking so long.  Here is the link to the log file:
http://www.rafb.net/paste/results/B0V1sV38.html

       Thank you

       George
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17963699
Thanks for the log.

Download Pocket Killbox.
http://www.atribune.org/downloads/KillBox.exe
*Select the "Delete on Reboot" option.
*Select "All Files"
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

c:\windows\system32\mstds.exe
c:\windows\system32\p2pnetworking.exe
C:\WINDOWS\sachostx.exe  
C:\WINDOWS\mservice.exe

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
*If the computer doesn't restart, just restart manually.

Run a scan with Hijackthis and put a check next to these entries, while all browsers and other windows are closed click "Fix Checked":
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank  
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =  
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\system32\ipv6mons.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\Run: [mstds.exe] c:\windows\system32\mstds.exe  
O4 - HKLM\..\Run: [sachost] C:\WINDOWS\sachostx.exe  
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
O16 - DPF: {33331111-1111-1111-1111-611111193423} -  
O16 - DPF: {33331111-1111-1111-1111-611111193429} -  
O16 - DPF: {33331111-1111-1111-1111-615111193427} -


Please, also download AVG anti-spyware(formerly Ewido)
http://www.ewido.net/en/download/
and save that file to your desktop. This is a 30 day trial of the program
Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need to run ewido and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
    *Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
    *Select "Automatically generate report after every scan"
    *Un-Select "Only if threats were found"
Close ewido anti-spyware, Do Not run a scan just yet.
 
Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.
 
IMPORTANT: Do not open any other windows or programs while Ewido is scanning, it may interfere with the scanning process:
* Launch ewido-anti-spyware by double-clicking the icon on your desktop.
* Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
* Ewido will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
* If you have any infections you will be prompted, then select "Apply all actions"
* Next select the "Reports" icon at the top.
* Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file).
* Close ewido.
0
 

Author Comment

by:GMartin
ID: 17973038
Hi Everyone:

      I want to take a moment and followup on the progress with this concern.  Basically, infection was detected on this computer by HiJack This and Ewido.  While I was able to quarantine and delete the infection through the trial version of AVG Anti-Spyware, I am still experiencing the same winlogon.exe error messages at bootup and shut down.  

      On a sidenote, I wanted to use System Restore, but, this feature was turned off.  Any further help with this concern will be appreciated.

       Thank you.

       George
0
 

Author Comment

by:GMartin
ID: 17973062
Hi Everyone:

       Whenever I click on Ctrl, Alt, Del, and click on the Processes tab, I do see winlogon.exe within the list taking up 856K of memory.  Whenever I first open this menu, it is interesting to note this file takes up 468K of memory.  The type classified for this background process is System.  

       The reviews regarding the winlogon.exe file are "mixed" at best.  Some experts suggest this is a needed file because it manages the login and logoff protocols of Windows XP, while, some experts believe this file can sometimes become dangerously infected and can be used by hackers to obtain personal information like usernames and passwords.

        I look forward to reviewing any further thoughts to this post.

        George
0
 

Author Comment

by:GMartin
ID: 17973075
Hi Everyone:

         Just one more observation I made which I like to share.  As I understand it, the winlogon.exe file should only be in the system32 folder of windows.  However, when I performed a file search, I found this file to exist in other folders.  Should I delete the winlogon.exe files in the other folders and leave the one with system32 intact?  

          George
0
 

Author Comment

by:GMartin
ID: 17973121
Hi Once Again Everyone:

       I did not think it necessary to mention this earlier, but, perhaps it is fruitful to bring it up.  While I was able to run sfc /scannow and chkdsk /r, I was only able to carry out these procedures within Normal Mode.  Whenever I tried to do it as an Administrator within Safe Mode, I continually got the following error message:  Windows file protection could not initiate a scan of protected system files.  The specific error code is 0x000006ba [The RPC Server is Unavailable].

        I am not sure if reporting this error is of much help, but, I like to carefully go over anything which might help provide a clue to resolving the issue at hand.

        George
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17973143
Did you also follow my suggestions above? after you've done those let us look at a new hijackthis log.

Yes the legit svchost.exe should be in the system32 folder and unless you're talking about the ones in the windows backup, otherwise anywhere else would be bad.

Tell us where this svchost.exe you're talking about is and we'll tell you if it's bad or not.

You need to try and clean your system from malware/viruses before you try any repair etc, or you might end up having your system unbootable or not being able to login.
0
 

Author Comment

by:GMartin
ID: 17973422
Hi

       The file I am referring to is winlogon.exe which is referenced within the startup and shutdown windows error message.  By the way, I will go ahead and prepare to send the link to a new hijack this log file.

        Thanks again for your help and followups.

         George
0
 

Author Comment

by:GMartin
ID: 17973444
Hi

       Here is the link to the new HijackThis Log File created after the cleanup.  The link is
http://www.rafb.net/paste/results/zGP7qS84.html

       George
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 450 total points
ID: 17973664
Do you have the Dritek System Inc.
Install Catalog File?

If not then this entry below is bad:
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
I would fix the above entry in Hijackthis.


C:\WINDOWS\SYSTEM32\instcat.dll <-- I would rename this file to disable it or submit it at jotti --> http://virusscan.jotti.org/


Let us know if the error persists after you disable that file.
0
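An added illustration, not part of the original thread and not HijackThis's own logic: a small Python parser for the HijackThis log lines quoted in the answers above (the O2/O3/O4/O16 fix list and the O20 Winlogon Notify entry), tagging each entry with the reason a reviewer would look at it, plus a check for a winlogon.exe copy outside system32. The review rules, the function names and the C:\WINDOWS install path are assumptions of this example, and the sample log is constructed from lines in the thread.

```python
import re
from ntpath import basename, dirname  # Windows path rules on any OS

# Constructed sample: entries quoted in the thread above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\system32\ipv6mons.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\Run: [mstds.exe] c:\windows\system32\mstds.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")                    # "O4 - <body>"
RUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")       # hive, key, value name, command
NOTIFY = re.compile(r"^Winlogon Notify: (.+?) - (.+)$")           # subkey name, DLL path

def triage(log_text):
    """Return one dict per log entry with the reasons it needs review (hypothetical rules)."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, process list and blank lines
        code, body = m.groups()
        reasons = []
        if body.endswith(("(file missing)", "(no file)")):
            reasons.append("orphaned: registry entry points at no file")
        run = RUN.match(body) if code == "O4" else None
        if run and not dirname(run.group(4)):
            reasons.append("autorun has no directory, resolved via search path")
        notify = NOTIFY.match(body) if code == "O20" else None
        if notify:
            reasons.append("DLL loaded by winlogon.exe, verify vendor: " + basename(notify.group(2)))
        if code == "O16" and body.endswith(" -"):
            reasons.append("ActiveX entry with empty download source")
        findings.append({"code": code, "body": body, "reasons": reasons})
    return findings

def misplaced(path, name="winlogon.exe", home=r"c:\windows\system32"):
    """True when a file named like a system binary sits outside its expected folder."""
    return basename(path).lower() == name and dirname(path).lower() != home

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["code"], "|", "; ".join(f["reasons"]) or "no rule matched", "|", f["body"])
```

An entry with no reasons is not thereby clean: the mstds.exe autorun matches none of these rules and was still on the expert's removal list, so the output is a starting point for manual review.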
 

Author Comment

by:GMartin
ID: 17973814
Hi There

       Thanks so much for the followup advice.  Incidentally, I bookmarked the scan links given.  They are handy especially when it comes to malware infection.  Now, to the problem at hand.

        I fixed 020 using HiJack This and renamed the file instcat.dll to test.dll, but, still having the error messages relating to winlogon.exe.  Sorry about this because the suggestions you are giving are great ones.  Apparently, this is going to be a tricky problem to finally resolve.

        On a sidenote, I really want to thank you for helping me clean up my pc.  Outside of the annoying error message upon restart and shutdown of the pc, it is running much smoother.

        In closing, I look forward to reading and trying out any further suggestions you have.

        George
0
 

Author Comment

by:GMartin
ID: 17975457
Hi Everyone:

          I am happy to report this problem is now fully resolved.  I have restarted my pc both from cold and warm boots without the annoying winlogon.exe application error.  While I enjoyed trying out each expert's suggestions, I must confess I got a whole lot out of rpggamergirl's recommendations.  Not only did this expert solve my problem, but, this expert gave me information and resourceful tools which can be used in the future in dealing with malware.  As stated earlier, I bookmarked the resourceful links supplied.

          Now, regarding why the intervention strategies did not work right away may have been due to the updates (e.g. cleaning out the registry entries and memory of malware, etc.) probably had something to do with Windows XP needing to update the changes by either a cold or warm reboot.  As always, I am very pleased with the results of this post.

          Very good job everyone, especially rpggamergirl.  I greatly appreciate your professional guidance through this rather difficult problem.

            Thank you again for a job well done!!!

            George
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17978322
Hi George,

It's good to know that the problem's been resolved. And it was a pleasure assisting you.
Thank you for the points and the excellent grade!

Happy computing!
0
