Winlogon.exe has taken over my computer

By paullong ยท 5 replies
Jun 1, 2008
  1. Hi

    I've done a lot of searching of the net and maintenance on my laptop to find out what is going on with winlogon.exe. Attached is the Hijack This log. I've also searched for other copies of winlogon.exe and it doesn't appear anywhere on the computer apart from the correct place. It stays permanently at the top of task manager when I put processes in order of CPU usage, taking a minimum of 50% - but I have seen it go up to 97% when other process are not running. It's slowing down my whole PC.

    I run Kaspersky Anti-Virus / Anti-Spyware but I was trying to re-install the Sony Ericsson PC Suite and Kaspersky was stopping me so I paused the protection in order to do this. It didn't look like it had actually done anything so I assumed it hadn't paused protection, but I can only assume that this is where some sort of virus has found it's way in to my usually very well protected PC.

    Any help with this would be very much appreciated. Thank you. Paul
  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    Check the Shell value for Winlogon in your registry. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    should show:

    Shell REG_SZ explorer.exe

    Or download this tool:
    This utility checks for the correct GINA value in the Registry and will allow you to restore it, if its incorrect.

    I didn't open the HJT Log, should I?
  3. paullong

    paullong TS Rookie Topic Starter

    Key above was fine.

    The HJT log I posted because that's what the forum suggested I did somewhere and then posted it in here.

    Am just running the XP_FixLogon file now.

    "Gina DLL is not standard! DLL in use: msginasfa.dll" - reparied

    Now it says "Default Gina in use." Am about to reboot.
  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    I'm feeling a little good about this!
  5. paullong

    paullong TS Rookie Topic Starter


    Don't get too carried away with feeling good yet. It's still there following reboot. But thanks for trying.

    My desktop PC has a winlogon file modified on 14 April 2008 at 01:12 size 496 Kb

    The laptop (infected one) has winlogon file modified on 4 August 2004 at 13:00 size 490Kb

    Of course I can't copy the good one on to the bad one because it's in use! Am going to try some safe mode stuff and maybe a system restore, but if anyone still has some ideas then please do tell as I can check the forum on my other PC.

    Thanks, Paul
  6. paullong

    paullong TS Rookie Topic Starter

    Have done a recovery console and tried to copy the winlogon.exe file from my other computer which worked - but made no difference.

    Safe Mode stops the problem from occurring whilst in safe mode.

    System Recovery to Friday evening worked, but again made no difference. I don't have any previous restore points.

    Am now stuck!
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...