
Use WinXP for a long time Winlogon do you know?

By iSee, Wed, 26 Aug 2009, 10:11 AM

Many WinXP users have never heard of Winlogon, yet we use it all the time. When you press Ctrl + Alt + Del, Winlogon is activated and you see the Windows Security window, which shows the currently logged-on account and the logon time, along with buttons such as "Lock Computer", "Log Off", "Shut Down", "Change Password" and "Task Manager".

1. What is Winlogon?

Winlogon.exe is the Windows XP logon manager. It is located in the C:\Windows\System32 directory and is mainly responsible for managing XP user logon and logoff, handling the tasks involved when a user logs on or off.

When you press Ctrl + Alt + Del and select "Task Manager", you can see the Winlogon.exe process in the process list (Figure 1). Its memory footprint is not fixed; it grows with how long the user has been logged on. After about an hour logged on to XP, the process occupies roughly 1.2MB ~ 8.5MB of memory.

Figure 1

2. Is your Winlogon.exe normal?

Because Winlogon.exe is an essential system process that must start with the system, many Trojans have set their sights on it. For example, a domestic Trojan called PcShare injects its own process into Winlogon.exe once it has infected you; from then on, every time the system starts, PcShare runs alongside Winlogon.exe and slips past most network firewalls.

Precisely because Winlogon.exe is so often targeted by viruses and Trojans, it is worth keeping an eye on it. So how do you check whether Winlogon.exe is normal? We advise examining the following points:

1) Check the name and path of Winlogon.exe

Like other system processes (SMSS.EXE, LSASS.EXE, CSRSS.EXE and so on), the name Winlogon.exe is not case-sensitive; if Task Manager shows it capitalized at times and in lowercase at others, that is normal! What you do need to check carefully is whether the "o" in the name is the letter O or the digit 0: if it is the digit 0, as in Winlog0n.exe, it is certainly a virus!

Also check the path. A normal Winlogon.exe is located in the C:\Windows\System32 directory and runs as the SYSTEM user. If Task Manager shows it running as a non-SYSTEM user, or its path is %Windows% rather than System32, then that Winlogon.exe is certainly infected with a virus!
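The three checks above (letter O versus digit 0 in the name, image path under System32, owner SYSTEM) written out as a small audit routine, as an added example that is not part of the original article. The process snapshot it runs over is constructed, not captured from a real machine, and includes the c:\windows\winlogon.exe copy described later in this article.

```python
# Added example (not from the original article): apply the article's checks to
# winlogon.exe process records. The snapshot below is constructed, not captured.
import ntpath

EXPECTED_NAME = "winlogon.exe"
EXPECTED_DIR = r"c:\windows\system32"
EXPECTED_OWNER = "SYSTEM"


def looks_like_winlogon(name):
    """True if the process name is winlogon.exe or a 0-for-O look-alike."""
    return name.lower().replace("0", "o") == EXPECTED_NAME


def winlogon_findings(name, path, owner):
    """Return the reasons this record fails the article's checks ([] = normal)."""
    findings = []
    if not looks_like_winlogon(name):
        return findings
    if "0" in name:
        findings.append("digit 0 used in place of letter O in %s" % name)
    if ntpath.dirname(path).lower() != EXPECTED_DIR:
        findings.append("image path %s is not under System32" % path)
    if owner.upper() != EXPECTED_OWNER:
        findings.append("runs as %s instead of SYSTEM" % owner)
    return findings


def audit(snapshot):
    """snapshot: iterable of (pid, name, path, owner); returns {pid: findings}."""
    result = {}
    for pid, name, path, owner in snapshot:
        findings = winlogon_findings(name, path, owner)
        if findings:
            result[pid] = findings
    return result


# Constructed snapshot: the genuine process, a copy under C:\Windows run by a
# normal user, a 0-for-O look-alike, and an unrelated system process.
SAMPLE_SNAPSHOT = [
    (600, "winlogon.exe", r"C:\WINDOWS\system32\winlogon.exe", "SYSTEM"),
    (1532, "WINLOGON.exe", r"C:\WINDOWS\WINLOGON.exe", "Administrator"),
    (2044, "winlog0n.exe", r"C:\WINDOWS\system32\winlog0n.exe", "SYSTEM"),
    (800, "lsass.exe", r"C:\WINDOWS\system32\lsass.exe", "SYSTEM"),
]

if __name__ == "__main__":
    for pid, reasons in sorted(audit(SAMPLE_SNAPSHOT).items()):
        print(pid, "; ".join(reasons))
```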

2) Winlogon.exe has no need to connect to the network

Winlogon.exe is a local process, so it absolutely never needs to connect to the network on its own! If you run TCPView 2.4 (download: http://www.mydown.com/soft/network/netassistant/496/403496.sHtml ) and find in its process list (Figure 2) that Winlogon.exe has opened a listening port or is requesting a network connection, then Winlogon.exe has certainly been hijacked by a Trojan and should be removed as soon as possible.

We also suggest running Autoruns (download: http://www.mydown.com/soft/18/18943.html ), selecting Winlogon.exe and checking which files it starts. Under normal circumstances Winlogon.exe should launch one executable, logonui.exe, and 6 DLL files, named as shown in Figure 3; if the files are not these, it is highly suspicious!


3. The Winlogon-related "luoxue" virus

A while ago the WINLOGON virus broke out across the Internet and caused everyone a great deal of trouble and loss. The WINLOGON virus, known in Chinese as "luoxue", specializes in stealing account passwords for "World of Legend", "World of Warcraft", QQ and online banking. It not only steals passwords but also evades detection, shutting down anti-virus software and Trojan-killing tools on its own. When infected with the virus, you will find:

Double-clicking "My Computer" or a drive letter either fails to open it or triggers autoplay, and a large number of file associations have been modified. In Task Manager there are two WINLOGON.exe processes: one is the original winlogon.exe; the other, WINLOGON.exe (path c:\windows\winlogon.exe), is the Trojan's main program (the account stealer), and you cannot end that process. In addition, two extra files, autorun.inf and pagefile.com, appear on the D drive, and the C drive gains the following 15 virus files:

C:\Program Files\Internet Explorer\iexplore.com
C:\Program Files\Common Files\iexplore.com
C:\WINDOWS\iexplore.com
C:\WINDOWS\finder.com
C:\WINDOWS\Exeroud.exe
C:\WINDOWS\Debug\Debug Programme.exe
C:\Windows\system32\command.com
C:\Windows\system32\msconfig.com
C:\Windows\system32\regedit.com
C:\Windows\system32\dxdiag.com
C:\Windows\system32\rundll32.com
C:\Windows\system32\finder.com
C:\Windows\system32\a.exe

To remove the luoxue virus, we suggest updating your anti-virus software to the latest virus database and then scanning with it again; or remove it manually, as follows:

1) Terminate WINLOGON.EXE

Use a process killer such as prockiller 2.7 or Procexp to end the process first (be careful not to end the lowercase winlogon.exe); then open the registry and delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Torjan ragramme.

2) Delete the exposed files

Delete the winlogon.exe, winlogon.dll, winlogon_hook.dll and winlogonkey.dll files under the C:\Windows directory, then open the registry and remove the "AOL instant messenger 7.0" service, that is, the aol7.0 key under [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services].

Then right-click the D drive (do not double-click, to avoid activating the virus), select "Open", and delete autorun.inf and pagefile.com; go into the C drive and delete the 15 files listed above!

3) Restore the file associations

Restore the file associations with SREng. First change the suffix of SREng.EXE to .com so that it can run; in the SREng main window select "Startup Items" and, under the "Registry" tab, remove the Trojan's startup entry; then click "System Repair", go to the "File Association" tab, tick "Select All" (Figure 4) and click "Fix", and all the file associations are restored.

If you want to repair the file associations manually, you can do this: copy cmd.exe from C:\Windows\system32 to the desktop and rename it cmd.com so that it can run; start cmd.com to get a command prompt, and enter the following commands to restore the exe file association:

    assoc .exe=exefile          (press Enter)
    ftype exefile="%1" %*       (press Enter)

After restarting the computer, exe files can run again; but on re-entering the system a "file not found" prompt pops up, because the virus file 1.com has already been removed. To fix this, click "Start" / Run, type regedit to open the registry, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, and change "Shell" = "Explorer.exe 1" back to "Shell" = "Explorer.exe". Then you're done!
