Getting Winlogon.exe Error Messages at Startup and Shutdown of XP Pro SP2

Hi Everyone:

       Each time I start up the computer, I get the following error message when the desktop attempts to load:  Winlogon.exe encountered a problem and needed to close.  After a few seconds, it disappears on its own.  Sometimes, I can click Cancel to clear it as well.  When I shutdown XP, I get the following error message which also makes reference to winlogin.exe.  The error message reads as follows: Winlogon.exe Application Error.  The instruction at (makes reference to a memory address with numbers and letters) could not be read by the memory.  Click Cancel or OK to terminate the program or select Debug program.

         Any help on resolving this winlogon.exe error message within XP Pro SP2 will be appreciated.

        Thank you.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

It's probably not a nail infection, I haven't seen nail since last year.
A lot of nasties can also call themselves "winlogon.exe"

Let's look at your hijackthis log please.
Please download HijackThis 1.99.1
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.

Then upload the logs to any hosting sites,
or go to the below link and login using your Experts-Exchange username and password.
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.

OR: paste the log to either of these sites:
then at the bottom left corner click "paste"
Copy the address/url and post it here.

2. or at --> 
and click "Analyse", click "Save".  Then post the link to the saved list here.
We have solution is experts exchange. check this and see if this resolves the issue.

Please Follow the acepted answer. you would be able to resolve this issue.

Any comments please get back to us.

Gopal krishna K
Bootstrap 4: Exploring New Features

Learn how to use and navigate the new features included in Bootstrap 4, the most popular HTML, CSS, and JavaScript framework for developing responsive, mobile-first websites.

GMartinAuthor Commented:
Hi Everyone:

       I tried the sfc /scannow and chkdsk /r, b ut, those procedures did not correct the problem.  I did post the log file after running HiJack This.  Hopefully, this issue can be resolved this way.

      Thanks again for the suggestions.  I look forwad to hearing again from everyone.

Where's the link to your hijackthis log?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
GMartinAuthor Commented:

       Sorry for taking so long.  Here is the link to the log file:

       Thank you

Thanks for the log.

Download Pocket Killbox.
*Select the "Delete on Reboot" option.
*Select "All Files"
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
*If the computer doesn't restart, just restart manually.

Run a scan with Hijackthis and put a check next to these entries, while all browsers and other windows are closed click "Fix Checked":
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank  
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =  
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\system32\ipv6mons.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\Run: [mstds.exe] c:\windows\system32\mstds.exe  
O4 - HKLM\..\Run: [sachost] C:\WINDOWS\sachostx.exe  
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
O16 - DPF: {33331111-1111-1111-1111-611111193423} -  
O16 - DPF: {33331111-1111-1111-1111-611111193429} -  
O16 - DPF: {33331111-1111-1111-1111-615111193427} -

Please, also download AVG anti-spyware(formerly Ewido)
and save that file to your desktop. This is a 30 day trial of the program
Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need run ewido and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
    *Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
    *Select "Automatically generate report after every scan"
    *Un-Select "Only if threats were found"
Close ewido anti-spyware, Do Not run a scan just yet.
Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.
IMPORTANT: Do not open any other windows or programs while Ewido is scanning, it may interfere with the scanning proccess:
* Launch ewido-anti-spyware by double-clicking the icon on your desktop.
* Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
* Ewido will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
* If you have any infections you will prompted, then select "Apply all actions"
* Next select the "Reports" icon at the top.
* Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file).
* Close ewido.
GMartinAuthor Commented:
Hi Everyone:

      I want to take a moment and followup on the progress with this concern.  Basically, infection was detected on this computer by HiJack This and Ewido.  While I was able to quarantine and delete the infection through the trial version of AVG Anti-Spyware, I am still experiencing the same winlogon.exe error messages at bootup and shut down.  

      On a sidenote, I wanted to use System Restore, but, this feature was turned off.  Any further helps with this concern will be appreciated.

       Thank you.

GMartinAuthor Commented:
Hi Everyone:

       Whenever I click on Ctrl, Alt, Del, and click on the Processes tab, I do see winlogon.exe within the list taking up 856K of memory.  Whenever I first open this menu, it is interesting to note this file takes up 468K of memory.  The type classified for this background process is System.  

       The reviews regarding the winlogon.exe file are "mixed" at best.  Some experts suggest this is an needed file because it manages the login and logoff protocols of Windows XP, while, some experts believe this file can sometimes become dangerously infected and can be used by hackers to obtain personal information like usernames and passwords.

        I look forward to revewing any further thoughts to this post.

GMartinAuthor Commented:
Hi Everyone:

         Just one more observation I made which I like to share.  As I understand it, the winlogon.exe file should only be in the system32 folder of windows.  However, when I performed a file search, I found this file to exist in other folders.  Should I delete the winlogon.exe files in the other folders and leave the one with system32 intact?  

GMartinAuthor Commented:
Hi Once Again Everyone:

       I did not think it necessary to mention this earlier, but, perhaps it is fruitful to bring it up.  While I was able to run sfc /scannow and chkdsk /r, I was only able to carry out these procedures within Normal Mode.  Whenever I tried to do it as an Administrator within Safe Mode, I continually got the following error message:  Windows file protection could not initiate a scan of protected system files.  The specific error code is 0x000006ba [The RPC Server is Unavailable].

        I am not sure if reporting this error is of much help, but, I like to carefully go over anything which might help provide a clue to resolving the issue at hand.

Did you also follow my suggestions above? after you've done those let us look at a new hijackthis log.

Yes the legit svchost.exe should be in the system32 folder and unless you're talking about the ones in the windows backup, otherwise anywhere else would be bad.

tell us where this svchost.exe you're talking about and we'll tell you if it's bad or not.

You need to try and clean your system from malware/viruses before you try any repair etc, or you might end up having your system unbootable or not being able to login.
GMartinAuthor Commented:

       The file I am referring to is winlogon.exe which is referenced within the startup and shutdown windows error message.  By the way, I will go ahead and prepare to send the link to a new hijack this log file.

        Thanks again for your help and followups.

GMartinAuthor Commented:

       Here is the link to the new HijackThis Log File created after the cleanup.  The link is

Do you have the Dritek System Inc.
Install Catalog File?

If not then this entry below is bad:
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
I would fix the above entry in Hijackthis.

C:\WINDOWS\SYSTEM32\instcat.dll <-- I would rename this file to disable it or submit it at jotti -->

Let us know if the error persists after you disable that file.
GMartinAuthor Commented:
Hi There

       Thanks so much for the followup advise.  Incidentally, I bookmarked the scan links given.  They are handy especially when it comes to malware infection.  Now, to the problem at hand.

        I fixed 020 using HiJack This and renamed the file instcat.dll to test.dll, but, still having the error messages relating to winlogon.exe.  Sorry about this because the suggestions you are giving are great ones.  Apparently, this is going to be a tricky problem to finally resolve.

        On a sidenote, I really want to thank you for helping me clean up my pc.  Outside of the annoying error message upon restart and shutdown of the pc, it is running much smoother.

        In closing, I look forward to reading and trying out any further suggestions you have.

GMartinAuthor Commented:
Hi Everyone:

          I am happy to report this problem is now fully resolved.  I have restarted my pc both from cold and warm boots without the annoying winlogon.exe application error.  While I enjoyed trying out each expert's suggestions, I must confess I got a whole lot out of rpggamergirl's recommendations.  Not only did this expert solve my problem, but, this expert gave me information and resourceful tools which can be used in the future in dealing with malware.  As stated earlier, I bookmarked the resourceful links supplied.

          Now, regarding why the intervention strategies did not work right away may have been due to the updates (e.g. cleaning out the registry entries and memory of malware, etc.) probably had something to do with Windows XP needing to update the changes by either a cold or warm reboot.  As always, I am very pleased with the results of this post.

          Very good job everyone, especially rpggamergirl.  I greatly appreciate your professional guidance through this rather difficult problem.

            Thank you again for a job well done!!!

Hi George,

It's good to know that the problem's been resolved. And it was a pleasure assisting with you.
Thank you for the points and the excellent grade!

Happy computing!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Operating Systems

From novice to tech pro — start learning today.