#1
Kickin' it
Staff
Premium Member
Here is a strange problem that is driving me nuts. Yesterday I noticed that my computer was very sluggish, so I opened up the Task Manager and I saw that winlogon.exe was using 99% of my CPU and about 5MB of RAM. I jumped over to my other system and saw that same process using no CPU and about 700k of RAM. So something is clearly amiss.
I ran Spybot, AdAware, HijackThis, Housecall and they came up with a couple of things but the problem didn't go away. After some Googling, I found that winlogon can be hacked by a Trojan, but I couldn't find the suggested files and registry entries. I did notice that the CPU use only goes up when I plug in the network cable. If I unplug, it drops to 0 but RAM use is still there. I cannot terminate the process because Windows says it is essential, but clearly something is wrong. I would appreciate any help.
__________________
Fold for PCMech: Team 13761
#2
EGO MY LEGO
Run a Windows repair from your XP CD.
It's the second option after the EULA; don't choose the first option because it will start the Recovery Console and that's not what you want. Run it as if you were going to put a fresh copy of Windows on your machine, and when it searches for a previous Windows version, it will find your XP partition and prompt you to repair it, or press Esc to install a fresh copy. Press R and it will start the repair.
__________________
Inspirion 8600/centrino 1.6ghz/1024mb ram/80gb hard drive hitachi/intel pro wireless 2200bg/15.4sxga/Ati 128mb Radeon Mobility 9600/xp pro w/sp2 dimension 4700/P4 2.8ghz 800mhz FSB/1.5 ddr2 ram PC 3200/2X160gb sata maxtor 8mb cache RAID 1/19 in dell flat panel/windows server 2003 Small Business Server standard edition SP1 w/Exchange SP2
#3
~ Ryan ~
Did you try your scans in safe mode? Sometimes little bugger infections will eat up all your resources by turning your computer into a zombie bot. This especially seems right if it happens only when you are connected with the network cable.
__________________
RiotCats.com, an internet domain specifically fabricated and visually erected for the appreciation of the feline kingdom!
#4
Kickin' it
Staff
Premium Member
Thanks for the replies.
I did run the system in safe mode, and winlogon.exe does not load then. I will try the repair now.
EDIT: I finished a repair but no luck. It did nothing without the net connection. Once I plugged in though, I could watch the memory jump from 700k to over 3MB and the CPU jump up. It is even sluggish to type. Any ideas on how to get this under control?
Last edited by Alaron; 11-26-2005 at 03:01 PM.
#5
Member (8 bit)
Join Date: Apr 2005
Posts: 207
Could be hardware related. Try replacing the NIC.
#6
Member (8 bit)
Join Date: Jul 2004
Posts: 160
It's possible that it's a hardware problem but I would think software/malware more likely.
You mentioned that you ran HijackThis. It does not fix anything by itself. Did you fix any of the entries? You might want to post the log it creates and maybe we can find the problem.
#7
Member (8 bit)
Join Date: Apr 2005
Posts: 207
Agreed, SGS, but I suggested the NIC problem because:
1) Alaron mentioned that various apps were run to detect and remove software problems, and
2) "Once I plugged in though, I could watch the memory jump from 700k to over 3MB and the CPU jump up. It is even sluggish to type." Which shot a red flag up to me that once the NIC was involved something was amiss. Either a corrupt driver or a hardware problem. If the NIC is replaced and it solves it, bingo; if not, we move on.
#8
Member (8 bit)
Join Date: Jul 2004
Posts: 160
Agreed. And it's one or the other...
#9
Kickin' it
Staff
Premium Member
Logfile of HijackThis v1.99.1
Scan saved at 8:23:14 PM, on 11/26/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Folding@Home\winFAH.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Folding@Home\FahCore_78.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Stuff\Zipped Folders\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/ig
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: Folding@Home 5.02.lnk = ?
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: UltraMon.lnk = C:\Program Files\UltraMon\UltraMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1111283792999
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1122232862625
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD506AF1-A3CA-4121-8627-61A172B21863}: NameServer = 24.29.161.129,24.29.161.137
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

Last edited by Alaron; 11-26-2005 at 08:25 PM.
#10
Member (8 bit)
Join Date: Jul 2004
Posts: 160
I don't see any malware in your log. I was looking to see where winlogon.exe was running from. The C:\WINDOWS\system32\ folder is the right one. A lot of viruses use the name winlogon.exe but run from the C:\Windows or C:\Winnt folder. So you are pretty much set there.
Another thing that sometimes gets the winlogon process humming at high CPU usage is spoolsv.exe when there is a print job waiting. Try opening Task Manager and shut down spoolsv.exe and see if the CPU usage drops. If it does, check to see if a job is waiting to be printed. That's about all I can come up with, right now, software-wise. If you're still having the problem, checking out Digitalic's suggestion would be the next step. Let us know how it goes...
PS: I notice that you are running XP without any service packs. I also see no antivirus program or firewall running. I'm amazed you're not having malware problems.
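The path check in the post above (a real winlogon.exe lives in the Windows system32 folder; a copy running from C:\Windows or C:\Winnt itself is a red flag) can be applied mechanically to the "Running processes" section of a HijackThis log. The script below is an added example, not from the thread or from HijackThis; the sample log is constructed, modelled on the one posted in this thread, with one extra line (C:\WINDOWS\winlogon.exe) added to show what a misplaced copy would look like.

```python
import re

# Constructed sample, modelled on the HijackThis log in this thread. The line
# C:\WINDOWS\winlogon.exe is added here purely to exercise the check.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:23:14 PM, on 11/26/2005
Platform: Windows XP (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\winlogon.exe
C:\Program Files\UltraMon\UltraMon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/ig
"""

# Core NT processes that, on Windows 2000/XP, only run from <windows dir>\system32.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "spoolsv.exe"}
WINDOWS_DIRS = {"windows", "winnt"}


def running_processes(log):
    """Return the paths listed under 'Running processes:' up to the first R/F/N/O entry."""
    procs, collecting = [], False
    for line in log.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            collecting = True
        elif collecting:
            if not line or re.match(r"^[RFNO]\d+ - ", line):
                break
            procs.append(line)
    return procs


def suspicious_core_processes(log):
    """Flag core process names whose parent directory is not <windows dir>\\system32."""
    flagged = []
    for path in running_processes(log):
        parts = path.lower().split("\\")
        if len(parts) < 3 or parts[-1] not in CORE_PROCESSES:
            continue  # not one of the names worth checking, or too short to judge
        if parts[-2] != "system32" or parts[-3] not in WINDOWS_DIRS:
            flagged.append(path)  # keep the original casing for the report
    return flagged


if __name__ == "__main__":
    for p in suspicious_core_processes(SAMPLE_LOG):
        print("core process outside system32:", p)
```

A clean path only rules out the misplaced-copy trick; as the rest of this thread shows, the actual cause here turned out to be a DLL (msctl32.dll) rather than a rogue winlogon.exe.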
#11
Kickin' it
Staff
Premium Member
I tried the spoolsv service, nothing there.
I tried another NIC card but I couldn't get the system to boot up except in Safe Mode. In Safe Mode, I ran HijackThis and it found a dll file called msctl32.dll. Information told me this file was unfixable because the dll would reinstall the registry entry, so I had to delete it manually. However, it wouldn't let me delete it. I found a program called Killbox, recommended by HijackThis, that would kill the file on reboot. It did do that, and the system booted normally. Now the system is up and running. Winlogon.exe is so far not using the CPU but the memory usage is climbing slowly and it is around 2.5MB. HijackThis still comes up with msctl32.dll when it scans, only now it says "File Missing". I'll just play it by ear for now and report back if something goes sour.
#12
~ Ryan ~
Just so you know, you can check and fix those O16s; they will reinstall the next time you go to use them. I always remove them from my PC.
If the file is missing, then check it and have HJT fix them, or have you tried that too?
#13
Member (8 bit)
Join Date: Jul 2004
Posts: 160
Nice work, Alaron. There are a few things I find odd though. I wonder why you could only boot into safe mode with the new NIC? I haven't heard of that before. And I wonder why the msctl32.dll was only picked up in safe mode.
The other thing is the memory usage. On my machine winlogon is only using 4,088K. 2.5 MB seems excessive. Well, keep an eye on it and see how things go.
#14
~ Ryan ~
However, winlogon.exe for me is only 568k
#15
Kickin' it
Staff
Premium Member
Thanks for all the help guys. I am up and running now and winlogon is only using about 650k. That msctl32.dll was the culprit. I'm just glad to have things back to normal.
And no worries SGS, I did have SP2 and Windows Firewall, but after the Repair Install, they got wiped out. After all this I think I am going to back up my files and do a new installation anyway. This one is getting bogged down with lots of unnecessary stuff. Thanks again.