How to determine if my winlogon.exe is legit?

kpagcha

Jun 3, 2014
Something just happened to my computer (Win 7 64) that used to happen to my old one, and I think it must be malware. What happens is that it just freezes: you can switch windows, minimize, maximize... but nothing responds, and no new process can be launched.

So I opened the task manager to check what process was running and saw three of them I couldn't tell what they are: csrss.exe, nvxdsync.exe and winlogon.exe.

I thought the last one could be malware impersonating a Windows function and indeed after a quick search that possibility popped up. The thing is... how can I tell if it's indeed malware or it's legit? Neither Avast nor Malwarebytes picked anything up.

After searching I found out the usual location of that exe is C:\WINDOWS\system32\winlogon.exe, but then it said I should be suspicious if it was located in any of the directories on a list, among which was also the previous route.

So yeah, how can I tell if it's Windows' winlogon.exe or malware? And how about the other two exes? Are they shady?
 
What are the locations of the files? That is one key piece of information.

csrss.exe is a legitimate file but as you have discovered the location may be an indication of something amiss. Important file, and to be brief here, just google the name for more information. Do not let any sites "fix" a csrss.exe problem for you.

nvxdsync.exe is the NVIDIA User Experience driver - you would/could have that if you have NVIDIA graphics cards.

winlogon.exe: same as csrss.exe. Normally a legitimate file but can be misused.

What is interesting is that the freezing has occurred on two computers. Very good chance that some configuration or application (backup software for example) could be duplicating the files.

Or it could be malware - however, I would have some trust in Avast and Malwarebytes to catch that.

Post the full file locations and see if some backup or other file duplication process is taking place. Try to narrow down the details somewhat.

That will help figure out if and what problem is occurring.

And, use Event Viewer to see what happens just before or at the time of the computer freezing. May be something entirely different going on....

 

kpagcha

Jun 3, 2014
I don't know where csrss.exe or winlogon.exe are located because when I click "go to directory" in the task panel it does nothing. Cannot open the properties either. All I can do is search for them.

When searching for winlogon.exe under C:/ these folders are listed (I excluded winlogon.exe.mui files):

C:\Program Files (x86)\Malwarebytes Anti-Malware\Chameleon\Windows
C:\Windows\System32
C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_cde90685eb910636
C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_cbb7f2bdeea2829c

The last three have an icon which is a window and you can see a starred sky with a moon.

csrss.exe is in the following locations (also excluded the .mui files):

C:\Windows\System32
C:\Windows\winsxs\amd64_microsoft-windows-csrss_31bf3856ad364e35_6.1.7600.16385_none_b4d8d57efdc6b4f3

And I am going to choose that the other exe is safe because I do have an NVIDIA GPU.
 
"amd64" -

Motherboard related?

Leftover files from the previous GPU?

The winsxs folder is used to store and backup files needed for Windows installations.

I would leave all of the named files and folders alone for now and look in the Event Viewer logs for some specific error code or warnings.

Red and yellow icons flag events of most interest.

Right clicking any given log entry will provide more details about what happened, etc. See what you can find in the Event Viewer and note if any of the subject processes may be involved. Please post accordingly.
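
One way to answer the question of where the running winlogon.exe and csrss.exe actually live, as an added example that is not from any poster in this thread: the script reads each running process's image path, compares it with the System32 location mentioned above, and checks that the file's hash matches one of the WinSxS copies. It assumes an elevated, 64-bit Windows PowerShell session (version 2.0 or later, so it works on Windows 7); the function name `Get-Sha256` and the verdict strings are made up for this example.

```powershell
# Added example. Run elevated and from 64-bit PowerShell: without elevation the
# image path of SYSTEM processes comes back empty, and a 32-bit shell has
# System32 redirected to SysWOW64.
$names    = 'winlogon.exe', 'csrss.exe'            # process names from the thread
$system32 = Join-Path $env:SystemRoot 'System32'
$winsxs   = Join-Path $env:SystemRoot 'winsxs'

function Get-Sha256 {
    param([string]$Path)
    # Plain .NET hashing so the script does not depend on Get-FileHash (PS 4.0+)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', ''
    } finally {
        $stream.Dispose()
    }
}

foreach ($name in $names) {
    $expected = Join-Path $system32 $name

    # Hash every copy of this file kept in the component store (slow: walks WinSxS)
    $storeHashes = @(Get-ChildItem -Path $winsxs -Filter $name -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq $name } |
        ForEach-Object { Get-Sha256 $_.FullName })

    foreach ($proc in @(Get-WmiObject Win32_Process -Filter "Name = '$name'")) {
        $path = $proc.ExecutablePath
        if (-not $path) {
            $verdict = 'path not readable (session not elevated?)'
        } elseif ($path -ne $expected) {           # -ne compares case-insensitively
            $verdict = 'UNEXPECTED LOCATION'
        } elseif ($storeHashes -contains (Get-Sha256 $path)) {
            $verdict = 'expected path, identical to a WinSxS copy'
        } else {
            $verdict = 'expected path, but no matching WinSxS copy'
        }
        New-Object PSObject -Property @{
            Name = $name; ProcessId = $proc.ProcessId; Path = $path; Verdict = $verdict
        } | Select-Object Name, ProcessId, Path, Verdict
    }
}
```

A process reported in an unexpected location, or a System32 file that matches no WinSxS copy, is the case worth investigating further, for example with `sfc /scannow`. Copies that merely exist elsewhere on disk, such as the Malwarebytes Chameleon one listed above, are not flagged because they are not the image of a running process.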