Old 04-14-2004, 02:56 PM   #1
Member (10 bit)
 
Join Date: Jan 2002
Location: Ontario
Posts: 637
Boom winlogon.exe?

ok so my main xp box has been running pretty smooth since I built it last year but it has just started to give me trouble. I was typing yesterday when suddenly it completely stalled (music and everything) and then would only respond for maybe one second out of ten. I managed to get everything closed and open task manager and find the offending service to be winlogon.exe. It was using 99% cpu and 260 megs of ram. What is the deal with this program and how do I make this not happen??
__________________
Dell XPS M1530
Xbox 360
erucader is offline   Reply With Quote
Old 04-14-2004, 05:20 PM   #2
Member (10 bit)
 
Join Date: Jan 2002
Location: Ontario
Posts: 637
something is weird with this computer now... it is taking about 30 seconds to load settings on log on, and there are popups all over the place... I have tried restoring to before this started and shutting off all startup programs to no avail. The only thing I know will fix this is a reformat. Any other ideas??
erucader is offline   Reply With Quote
Old 04-14-2004, 05:29 PM   #3
Member
 
DragonNOA1's Avatar
 
Join Date: Apr 2001
Location: Na Pali Haven
Posts: 2,812
WinLogon.exe
This process manages users’ logons and logoffs on your PC/Server. The window which pops up and prompts you for your username and password, or which allows you to logoff or shutdown, is the WINLOGON process.

Recommendation :
An integral part of the operating system, leave alone.


If you have restored, the last thing I would try is to run adaware, spybot, and a full scan from your anti-virus (fully updated definition file). If you have defragged and everything is still slow (I'm guessing it's not your RAM or swap file b/c everything was fine earlier) then it looks like it is time to reformat.
__________________
*The command line, an elegant weapon for a more civilized age*
DragonNOA1 is offline   Reply With Quote
Old 04-14-2004, 05:43 PM   #4
Member (10 bit)
 
Join Date: Mar 2004
Location: California
Posts: 936
as dragon said it is a valid process

but there is a virus that adds it in there too

there is a form of cws parasite that adds a fake winlogon.exe
into the Startup group

Please do this. Click here: http://www.sherrylynn.us/HijackThis.exe to download Hijack This. Save it to its own folder (not temporary files or the desktop).
Close all open windows and open HIJACK THIS. Click “Scan”. When the scan is finished (it only takes a second), the scan button will change to “Save Log”. Click on “Save Log” and save it to NotePad. Copy the entire log and paste it here.

DO NOT FIX ANYTHING YET, most items that appear in the log are harmless or even needed. Wait for someone to analyze the scan and advise.

Last edited by Lobos; 04-14-2004 at 06:00 PM.
Lobos is offline   Reply With Quote
Old 04-15-2004, 04:07 PM   #5
Member (10 bit)
 
Join Date: Jan 2002
Location: Ontario
Posts: 637
Logfile of HijackThis v1.97.7
Scan saved at 5:07:16 PM, on 15/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Eric D------\Desktop\thing\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://yahoo.com/
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Win32 Classes -
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2565261e4b4bf45...p/RdxIE601.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...7865.667337963
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
erucader is offline   Reply With Quote
Old 04-16-2004, 02:38 AM   #6
Member (10 bit)
 
Join Date: Mar 2004
Location: California
Posts: 936
well i don't see what i was looking for. the winlogon that shows in your log is the valid one

it looks pretty clean the only thing i can see that you can get rid of is

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)



of course you sure don't have a lot of autoloading programs

did you run adaware, spybot, and a full scan from your anti-virus (fully updated definition file) as DragonNOA1 suggested?

you can do an online scan

http://www.pandasoftware.com/activescan/
http://housecall.trendmicro.com/
http://www.ravantivirus.com/scan/
Lobos is offline   Reply With Quote
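
The check Lobos describes in posts #4 and #6 (is the winlogon.exe in the log the real one in System32, or a look-alike running or autostarting from somewhere else), as an added example that is not part of the original thread. It assumes Windows is installed in C:\WINDOWS as in the posted log; the second sample log and its paths are constructed for illustration.

```python
import ntpath
import re
# Assumption: Windows is installed in C:\WINDOWS, as in the posted log.
SYS32 = r"c:\windows\system32"
EXPECTED_DIR = {name: SYS32 for name in (
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe")}
EXPECTED_DIR["explorer.exe"] = r"c:\windows"

def running_processes(log):
    """Paths listed under 'Running processes:' (the section ends at a blank line)."""
    procs, in_section = [], False
    for line in map(str.strip, log.splitlines()):
        if in_section and not line:
            break
        if in_section:
            procs.append(line)
        in_section = in_section or line.lower().startswith("running processes")
    return procs

def find_impostors(log):
    """Flag trusted process names that run or autostart from the wrong folder."""
    findings = []
    for path in running_processes(log):
        folder, name = ntpath.split(path.lower())
        if name in EXPECTED_DIR and folder != EXPECTED_DIR[name]:
            findings.append(("process", path))
    for line in log.splitlines():
        low = line.lower()
        for name, folder in EXPECTED_DIR.items():
            named = low.startswith("o4 - ") and re.search(r"(?<![\w-])" + re.escape(name), low)
            if named and ntpath.join(folder, name) not in low:
                findings.append(("autorun", line.strip()))
                break
    return findings

# Excerpt of the log posted in the thread.
POSTED = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"""
# Constructed log (not from the thread): a look-alike in the wrong folder.
CONSTRUCTED = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\winlogon.exe

O4 - Startup: winlogon.exe
"""
```

A clean result only says the names and folders match; it does not show that the file in System32 is unmodified, which is why the scans suggested in the thread are still worth running.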
Old 04-16-2004, 12:29 PM   #7
Member (7 bit)
 
Join Date: Dec 2001
Posts: 91
did you by any chance run the last batch of windows updates?

as one of them is a tad borked, and causes this behaviour and the BSOD on some machines. It's happened to 50+ PCs here "local Gov" and M$ are aware.

you need to go to:

1. boot to safe mode

2. open task manager and set explorer priority to realtime, so you can get to the control panel.

3. go back to task manager and set priority to realtime for MSHTA.EXE, so add/remove gets some cpu

4. add/remove programs and remove hotfix KB835732

5. go back to task manager and set SPUNINST.EXE to realtime for the uninstall to run.

6. wait a few mins and the uninstaller will ask you to finish and reboot.

It should be back to normal after the reboot.

Regards

Allanv


PS: yes it could also be spyware, but if you have updated windows then my bet is the latest patch...
Allanv is offline   Reply With Quote
Old 04-16-2004, 12:58 PM   #8
Member (10 bit)
 
Join Date: Mar 2004
Location: California
Posts: 936
good to know Allan
Lobos is offline   Reply With Quote
Old 04-16-2004, 04:15 PM   #9
Member (10 bit)
 
Join Date: Jan 2002
Location: Ontario
Posts: 637
Quote:
Originally posted by Lobos
of course you sure don't have a lot of autoloading programs
I had all startup things disabled when I ran this to see what was going on...but the problems were still happening. It seems to be more stable now but I am still getting really slow login and popup mania (even with popup blocker running!).. I did multiple adaware, spybot, virus, everything. I will try what Allan suggested now...
erucader is offline   Reply With Quote
Old 04-16-2004, 04:34 PM   #10
Member (10 bit)
 
Join Date: Mar 2004
Location: California
Posts: 936
about the pop ups this might help
i don't know if you have your messenger service turned off
if it isn't it might help

http://www.microsoft.com/windowsxp/p...e/stopspam.asp
Lobos is offline   Reply With Quote
Old 04-16-2004, 04:53 PM   #11
Member (10 bit)
 
Join Date: Jan 2002
Location: Ontario
Posts: 637
weird...I thought that was turned off...thanks!
erucader is offline   Reply With Quote
Old 04-16-2004, 06:58 PM   #12
Member (10 bit)
 
Join Date: Mar 2004
Location: California
Posts: 936
no problem, how's your system running?
Lobos is offline   Reply With Quote
All times are GMT -5.