Question : How can I determine if winlogon.exe is malware?

I'd say within the last month I have been encountering a winlogon.exe error which gives me the wonderful BSoD. Unfortunately the machine immediately reboots before I can get the exception error.

I have run a search for winlogon.exe and have found a couple items outside of the system32 folder that I thought were suspicious. I ran Kaspersky on each file individually, as well as MBAM. I have run full scans with both apps previously and have not picked anything up.

Any thoughts here? I've seen other forums which indicate to do a repair with the OS disc, and I will try that, but before I do, I want to make sure that it isn't in vain.

Answer : How can I determine if winlogon.exe is malware?

I see this question has gone into "neglected status."

The correct answer is still the CAPTCHA image, but you might be able to get away with a form token.  It should prove more reliable than the IP address, but less reliable than CAPTCHA.  Here is my teaching example of how to use a form token.  

Best of luck with it, ~Ray
<?php // RAY_form_token.php
error_reporting(E_ALL);

// DEMONSTRATE THE USE OF A FORM TOKEN TO UNIQUELY IDENTIFY FORMS



// NOTE - YOU MUST START THE SESSION ON EVERY PAGE!
session_start();



// CREATE AN IDENTITY IN THE FORM
function make_form_token()
{
    // A RANDOM STRING FROM THE CSPRNG (PHP 7+)
    // time() AND THE SCRIPT FILENAME ARE GUESSABLE, SO THEY ARE NOT USED HERE
    $string    = random_bytes(16);

    // HEX-ENCODE THE RANDOM BYTES TO USE AS A TOKEN (32 CHARACTERS)
    $token     = bin2hex($string);
    $_SESSION["_form_token"]    = $token;
    return $token;
}



// EVALUATE THE IDENTITY IN THE FORM
function check_form_token($token='')
{
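    // CHOOSE THE TOKEN WE WANT TO TEST
    if ($token === '')
    {
        // A REQUEST WITHOUT THE FIELD GETS AN EMPTY TOKEN INSTEAD OF A NOTICE
        $token = isset($_POST["_form_token"]) ? $_POST["_form_token"] : '';
    }

    // COMPARE OUR CURRENT TOKEN TO THE SESSION STORED TOKEN
    // hash_equals() AVOIDS LOOSE == MATCHES ON "0e..." STRINGS AND TIMING LEAKS
    if (is_string($token) && isset($_SESSION["_form_token"]) && hash_equals($_SESSION["_form_token"], $token))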
    {
        // MUNG THE TOKEN TO ENSURE THAT IT CAN ONLY BE USED ONCE
        $_SESSION["_form_token"] = md5($_SESSION["_form_token"]);
        return TRUE;
    }
    return FALSE;
}



// MODIFY THIS IF YOU WANT A FRIENDLY FORM TOKEN ERROR
function form_token_error()
{
    die("Form Token Error");
}



// DEMONSTRATE HOW THIS WORKS
// SESSION IS REQUIRED - SEE ABOVE WHERE WE STARTED THE SESSION
// session_start();

// CHECK FOR FORM INPUT
if (!empty($_POST))
{
    // SHOW THE FORM TOKEN
    $token = isset($_SESSION["_form_token"]) ? $_SESSION["_form_token"] : '';
    echo "<br />THE FORM TOKEN IS $token ";
    if ( check_form_token() )
    {
        echo "AND IT IS VALID.\n";
    }
    else
    {
        echo "AND IT IS NOT VALID.\n";
    }
    
    echo "<br />Refresh this screen to resend the data and you can see a form token error.\n";
}



// END OF PHP - PUT UP A FORM TO ILLUSTRATE THE USE OF THE TOKEN
?>
<br /><br />
Click GO to see the form token.
<form method="post">
<input type="hidden" name="_form_token" value="<?=make_form_token()?>" />
<input type="submit" name="submit" value="Go!" />
</form>