CROSS-POST - winlogon.exe consuming 50% CPU time

[also posted on microsoft.public.windowsxp.security_admin]
Running WinXP Pro SP3.
========
I did some checking yesterday to see why my PC was "slow" and found that
this process was using !50% of the CPU time. Did a reboot, same thing.
Googles it and saw I might have malware so I ran Symantec AV, Windows
Defender in full scan, Sysinternal's Rootkit Revealer, and Windows Malicious
Software Removal. They found nothing.

I ran Sysinternal's Process Explorer and found the following:

winlogon.exe >> Properties >> Threads
TID 3108 consumes ~52% of CPU time and CSwitch Delta is ~160, and Start
Address is winlogon.exe+0x39156, and Context Switches is ~68,000.

The total thread count for this process is 22.

I've gone through msconfig to pare down what auto-starts with the same
results.

What else should I check?

--
Mike Webb
Platte River Whooping Crane Maintenance Trust, Inc.
a conservation non-profit (501 (c)(3)) organization
Wood River, NE

From: "Mike in Nebraska" <Mike_Webb@whoopingcrane.org>

| [also posted on microsoft.public.windowsxp.security_admin]
| Running WinXP Pro SP3.
| ========
| I did some checking yesterday to see why my PC was "slow" and found that
| this process was using !50% of the CPU time. Did a reboot, same thing.
| Googles it and saw I might have malware so I ran Symantec AV, Windows
| Defender in full scan, Sysinternal's Rootkit Revealer, and Windows Malicious
| Software Removal. They found nothing.
|
| I ran Sysinternal's Process Explorer and found the following:
|
| winlogon.exe >> Properties >> Threads
| TID 3108 consumes ~52% of CPU time and CSwitch Delta is ~160, and Start
| Address is winlogon.exe+0x39156, and Context Switches is ~68,000.
|
| The total thread count for this process is 22.
|
| I've gone through msconfig to pare down what auto-starts with the same
| results.
|
| What else should I check?
|


Actullay you Multi-Posted not Cross-Posted.

Process Explorer shows the fully qualified path to the running process.

What is the fully qualified path to winlogon.exe ?



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

I'm at home now, and I don't remember seeing it. I'll look at it
Monday.

Sorry to reply so late ...... the path to the file is:
C:\WINDOWS\system32\winlogon.exe

Mike

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:%2315LGZCyIHA.2340@TK2MSFTNGP04.phx.gbl...
> From: "Mike in Nebraska" <Mike_Webb@whoopingcrane.org>
>
> | [also posted on microsoft.public.windowsxp.security_admin]
> | Running WinXP Pro SP3.
> | ========
> | I did some checking yesterday to see why my PC was "slow" and found that
> | this process was using !50% of the CPU time. Did a reboot, same thing.
> | Googles it and saw I might have malware so I ran Symantec AV, Windows
> | Defender in full scan, Sysinternal's Rootkit Revealer, and Windows
> Malicious
> | Software Removal. They found nothing.
> |
> | I ran Sysinternal's Process Explorer and found the following:
> |
> | winlogon.exe >> Properties >> Threads
> | TID 3108 consumes ~52% of CPU time and CSwitch Delta is ~160, and Start
> | Address is winlogon.exe+0x39156, and Context Switches is ~68,000.
> |
> | The total thread count for this process is 22.
> |
> | I've gone through msconfig to pare down what auto-starts with the same
> | results.
> |
> | What else should I check?
> |
>
>
> Actullay you Multi-Posted not Cross-Posted.
>
> Process Explorer shows the fully qualified path to the running process.
>
> What is the fully qualified path to winlogon.exe ?
>
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>

From: "Mike in Nebraska" <Mike_Webb@whoopingcrane.org>

| Sorry to reply so late ...... the path to the file is:
| C:\WINDOWS\system32\winlogon.exe
|
| Mike
|


That's the legitimate file. The question is are there hooks in Winlogon that is causing a
higher CPU utilization.

Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en...HJTInstall.exe

Save a log and open it in Notepad.

Find the lines that start with "O20 - Winlogon ..."
Copy and paste ONLY those lines in your reply.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Did as suggested but no entries of "O20 Winlogon" were in the log file.

Mike
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:OSf5D$myIHA.4772@TK2MSFTNGP03.phx.gbl...
> From: "Mike in Nebraska" <Mike_Webb@whoopingcrane.org>
>
> | Sorry to reply so late ...... the path to the file is:
> | C:\WINDOWS\system32\winlogon.exe
> |
> | Mike
> |
>
>
> That's the legitimate file. The question is are there hooks in Winlogon
> that is causing a
> higher CPU utilization.
>
> Download and execute HiJack This! (HJT)
> http://www.trendsecure.com/portal/en...HJTInstall.exe
>
> Save a log and open it in Notepad.
>
> Find the lines that start with "O20 - Winlogon ..."
> Copy and paste ONLY those lines in your reply.
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>

From: "Mike in Nebraska" <Mike_Webb@whoopingcrane.org>

| Did as suggested but no entries of "O20 Winlogon" were in the log file.
|
| Mike


Thank you.
I am at a loss of why you have high utilization :-(

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Well, maybe it's not all a loss of time. It would appear not to be malware.
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:%23dpspWnyIHA.5520@TK2MSFTNGP06.phx.gbl...
> From: "Mike in Nebraska" <Mike_Webb@whoopingcrane.org>
>
> | Did as suggested but no entries of "O20 Winlogon" were in the log file.
> |
> | Mike
>
>
> Thank you.
> I am at a loss of why you have high utilization :-(
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>