WINLOGON.EXE Causing Problem

Status
Not open for further replies.

sainit

Journeyman
Hello Friends,

I'm facing a big problem.

My PC becomes dead slow after booting. I found a process "WINLOGON.EXE" is doing all this. When I try to end this process, a message appears like this: "CRITICAL SYSTEM PROCESS, CAN'T BE STOPPED".

Pls help me how to get rid of this problem.

Already I have scanned my PC for viruses but there is nothing.

Guys help me fast.

Thanks
 

Vishal Gupta

Microsoft MVP
Don't try to end this process, it's a system service. ;)
Download "HijackThis" from *www.hijackthis.de/ and then scan your computer with it. Then post logfile contents here.
 

sainit

Journeyman
Thanks Vishal,

Very soon I will download this and attach the logfile here.

Thanks

Hi Vishal

I ran that program "HijackThis" and the output which I got is given below. Pls advise me further -

Logfile of HijackThis v1.99.1
Scan saved at 10:40:45 AM, on 6/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\JEEVAN\LOCALS~1\Temp\Temporary Directory 4 for hijackthis_199.zip\HijackThis.exe

O2 - BHO: (no name) - {3E71DC86-4A5C-4C71-A185-EBE9AC2EB607} - C:\WINDOWS\system32\ljjhihh.dll
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GDL-GARHI.COM
O17 - HKLM\Software\..\Telephony: DomainName = GDL-GARHI.COM
O17 - HKLM\System\CCS\Services\Tcpip\..\{383FD7B7-48DA-49CE-BBF0-FBE890E32C26}: NameServer = 192.168.0.6,0.0.0.0
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = GDL-GARHI.COM
O17 - HKLM\System\CS1\Services\Tcpip\..\{383FD7B7-48DA-49CE-BBF0-FBE890E32C26}: NameServer = 192.168.0.6,0.0.0.0
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = GDL-GARHI.COM
O17 - HKLM\System\CS2\Services\Tcpip\..\{383FD7B7-48DA-49CE-BBF0-FBE890E32C26}: NameServer = 192.168.0.6,0.0.0.0
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = GDL-GARHI.COM
O17 - HKLM\System\CS3\Services\Tcpip\..\{383FD7B7-48DA-49CE-BBF0-FBE890E32C26}: NameServer = 192.168.0.6,0.0.0.0
O20 - Winlogon Notify: ljjhihh - C:\WINDOWS\SYSTEM32\ljjhihh.dll
O20 - Winlogon Notify: winktf32 - C:\WINDOWS\SYSTEM32\winktf32.dll

Vishal, analyse this and give some suggestion soon.

Vishal, can I do it myself (analysis of the HijackThis file)? If yes, then how?

Thanks Vishal
 

Vishal Gupta

Microsoft MVP
Buddy, I don't think it's a complete log file. Did you remove entries from it?
In the above logfile, I found the following 3 items suspected:

Code:
O2 - BHO: (no name) - {3E71DC86-4A5C-4C71-A185-EBE9AC2EB607} - C:\WINDOWS\system32\ljjhihh.dll
O20 - Winlogon Notify: ljjhihh - C:\WINDOWS\SYSTEM32\ljjhihh.dll
O20 - Winlogon Notify: winktf32 - C:\WINDOWS\SYSTEM32\winktf32.dll
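
For readers who want to triage a HijackThis log themselves, here is an added example (not part of the original posts and not HijackThis code). It parses entries from the log above and lists the modules registered under O2 (Browser Helper Objects) and O20 (Winlogon Notify, DLLs that winlogon.exe loads), marking any DLL hooked in through both. The function names and the choice of sections to review are assumptions of this example.

```python
import re
from collections import defaultdict

# Subset of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {3E71DC86-4A5C-4C71-A185-EBE9AC2EB607} - C:\WINDOWS\system32\ljjhihh.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GDL-GARHI.COM
O20 - Winlogon Notify: ljjhihh - C:\WINDOWS\SYSTEM32\ljjhihh.dll
O20 - Winlogon Notify: winktf32 - C:\WINDOWS\SYSTEM32\winktf32.dll
"""

ENTRY = re.compile(r"^([ORF]\d+) - (.*)$")            # "O20 - <rest of entry>"
MODULE = re.compile(r"(?i)^[a-z]:\\.*\.(dll|exe)$")   # full path to a module
REVIEW_SECTIONS = {"O2", "O20"}                        # assumption: sections to review

def parse(log):
    """Yield (section, lowercased module path or None, raw line) per entry."""
    for line in log.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # headers, blank lines, the "Running processes" list
        last = m.group(2).rsplit(" - ", 1)[-1].strip()
        # Windows paths are case-insensitive: system32 and SYSTEM32 are the same.
        yield m.group(1), last.lower() if MODULE.match(last) else None, line

def triage(log):
    """Map module path -> sorted sections that load it (reviewed sections only)."""
    seen = defaultdict(set)
    for section, path, _ in parse(log):
        if section in REVIEW_SECTIONS and path:
            seen[path].add(section)
    return {path: sorted(sections) for path, sections in seen.items()}

def multi_hook(log):
    """Modules registered under more than one reviewed section."""
    return sorted(p for p, s in triage(log).items() if len(s) > 1)

if __name__ == "__main__":
    for path, sections in triage(SAMPLE_LOG).items():
        flag = "  <-- loaded via several hooks" if len(sections) > 1 else ""
        print(f"{'/'.join(sections):7} {path}{flag}")
```

Each listed file can then be checked by hand: its properties, its signer, and an online scanner result.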
 

anandk

Distinguished Member
Get THIS particular winlogon.exe file checked at *virusscan.jotti.org/, esp. if it is not situated in your system32 folder.
 