Strange error occuring.

[maniac]

Hello all.

I'm getting a spate of an single error occuring with the winlogon.exe file, as pictured below. It's started this morning on a couple of machines, and seems to be spreading, which is worrying me as I can't find out what's causing it!

I'm immediatly thinking virus, but sophos is reporting nothing and is completely up-to-date.

I've seen 12 machines now with the error, and I expect I'm going to find more as the afternoon progresses.

Can anyone help, Google hasn't been much help so far!!

Cheers,

Mike.

P.S I should add that clicking either button causes the machine to shut down and reboot, then the error occurs again. We've solved it by re-imaging all the machines affected so far, but I'm still puzzled as to what's causing it!

[Geoff]

Do you use any software that replaces the MSGINA with its own (Citrix or Netware for example?)

[maniac]

Nope, completely generic network from that point of view. We do run ranger as you can see, but that doesn't modify that part of windows as far as I know??

[bishopsgarthstockton]

daft question, have you checked the services.

Are you running WSUS? Could ba an update that the machines are recieving?

[maniac]

I can't get onto any affected machines to check services or logs etc.

Yes we are running WSUS, and that's a good point because machines are set to update on a thursday, meaning most updates are applied at the next reboot, which would have been this morning.

Cheers,

Mike.

[maniac]

Just checked our WSUS, and the latest updates in that are dated 08/05/2007 which means they would have been installed last week. There's been no updates downloaded this week, so it's very unlikely to be this causing the problem.

Mike.

[bishopsgarthstockton]

http://www.auditmypc.com/process/msgina.asp take a look at this

[bishopsgarthstockton]

can you get in the affected system through safemode and replace the effected files?

[maniac]

it does the same in safemode!

I can get onto the machines hdd by using \\machinename\c$\ and look at the files, but I can't do anything with the winlogon.exe file, as it's in use of course! So far I've not had any more reports, so maybe it's just one of those things.

I've had it suggested that some of the kids may be causing it, as there's been a spate of kids attempting to 'hack' the system recently. Again the problem is I've no idea how they might be doing it, or even what they might be doing to the system to cause this error!

I guess I'm just going to have to keep monitoring the situation.

Mike.

[Finch7]

do you have anything running that might be attempting to remove a virus/spyware.

Just read this, you may want to too...

http://www.lavasoftsupport.com/index.php?showtopic=3013

[bishopsgarthstockton]

Do you have any key loging software that can flash on yopur screen certain words a user has typed in to google i.e. hack. then you could monitor them. also do they have access to removable storage? do a search for .bat files etc in all user directories.

Im sure there is software that you can boot from with ntfs rather than fat32 so you could then restore the .exe and any other related files that are causing the problem. otherwise suppose you would have to send a image to it

[robert.mabbutt]

What about plugging the hard disk into another machine to restore the damaged file?

Robert

[bishopsgarthstockton]

snap, just thaught that lol

[ZeroHour]

Just FYI people, I believe Ranger etc link into MSGINA as its the only way I believe you can control CTRL+ALT+DEL. I would remote Ranger of the client and see if it goes away then. What AV you got as well?