
winlogon.exe stealing my CPU!

1642 Views 3 Replies 2 Participants Last post by  Rollin' Rog
Hi all,
The process winlogon.exe is taking between 40-70% of my CPU, sometimes even 90! I am using Windows XP. I don't know when this started and why but I have tried rebooting (sometimes it works :) ) and it is still the same. Someone advised me to reinstall but this would be a big amount of time since I have to make backups of all my work and reinstall many prebeta software (with many problems in the installation...). I wonder if someone can help me to fix this problem.

I downloaded HijackThis and scanned my PC, here is the output:

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
d:\CAENSERVER\CAENHVOPCServer.exe
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\Hummingbird\Connectivity\8.00\Inetd\inetd32.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
E:\Program Files\Colligo Networks\Colligo Workgroup Edition\pwssvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\savroam.exe
C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
C:\Program Files\CERN\Zephyr\zhm.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CERN\Client Printing Package\pgm\PrntTray.EXE
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\Program Files\CERN\Client Printing Package\pgm\lprserv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
D:\Babylon\Babylon.exe
C:\WINNT\System32\taskmgr.exe
C:\WINNT\System32\cmd.exe
D:\ETM\PVSS2\2.12.1\bin\PVSSConsole.exe
D:\ETM\PVSS2\2.12.1\bin\PVSS00data.exe
D:\ETM\PVSS2\2.12.1\bin\PVSS00event.exe
D:\ETM\PVSS2\2.12.1\bin\PVSS00sim.exe
D:\ETM\PVSS2\2.12.1\bin\PVSS00ctrl.exe
D:\ETM\PVSS2\2.12.1\bin\PVSS00NV.exe
D:\software\FwFSM\bin\PVSS00smi.exe
D:\software\FwFSM\bin\dns.exe
D:\software\FwFSM\bin\smiSM.exe
D:\software\FwFSM\bin\smiSM.exe
D:\software\FwFSM\bin\smiSM.exe
D:\software\FwFSM\bin\smiSM.exe
D:\ETM\PVSS2\2.12.1\bin\PVSS00ctrl.exe
C:\WINNT\CDILLA64.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\rgreino\Local Settings\Temp\HijackThis.exe
C:\WINNT\System32\mdm.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cern.ch/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cern.ch
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zephyr] "C:\Program Files\CERN\Zephyr\zwgc.exe"
O4 - HKLM\..\Run: [CERN Printing Launcher] C:\Program Files\CERN\Client Printing Package\Printrun.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [Babylon Translator] D:\Babylon\Babylon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.cern.ch
O16 - DPF: {B9B1E29D-4B98-4995-8B7C-89AE3EFA25BE} (KeithleyControl.display) - http://137.138.75.96/KeithleyControl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cern.ch
O17 - HKLM\Software\..\Telephony: DomainName = cern.ch
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B5B56CD-6297-4981-B9AE-720C460A8861}: Domain = cern.ch
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B5B56CD-6297-4981-B9AE-720C460A8861}: NameServer = 137.138.16.5,137.138.17.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cern.ch
O17 - HKLM\System\CS1\Services\Tcpip\..\{9B5B56CD-6297-4981-B9AE-720C460A8861}: Domain = cern.ch
O17 - HKLM\System\CS1\Services\Tcpip\..\{9B5B56CD-6297-4981-B9AE-720C460A8861}: NameServer = 137.138.16.5,137.138.17.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cern.ch
O17 - HKLM\System\CS2\Services\Tcpip\..\{9B5B56CD-6297-4981-B9AE-720C460A8861}: Domain = cern.ch
O17 - HKLM\System\CS2\Services\Tcpip\..\{9B5B56CD-6297-4981-B9AE-720C460A8861}: NameServer = 137.138.16.5,137.138.17.5

Thanks all for your time,
Boby.
Status
Not open for further replies.
1 - 4 of 4 Posts
You truncated the log somewhat so I'm not sure of your Windows version other than it is not XP.

You have many mysterious startups there that at first glance seem to be legit but unusual.

Are there a lot of User Profiles on the system? Does the problem occur if you create a new, dummy profile and log in under that?

Does anything in this list look like it might apply?

http://tinyurl.com/mjoy
Sorry, I truncated it :). I don't know too much about Windows. I closed almost all the applications and ran HijackThis again. I am in a big net with over 6000 users (CERN).

Logfile of HijackThis v1.96.4
Scan saved at 8:18:03 PM, on 9/7/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
d:\CAENSERVER\CAENHVOPCServer.exe
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\Hummingbird\Connectivity\8.00\Inetd\inetd32.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
E:\Program Files\Colligo Networks\Colligo Workgroup Edition\pwssvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\savroam.exe
C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
C:\Program Files\CERN\Zephyr\zhm.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CERN\Client Printing Package\pgm\PrntTray.EXE
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\Program Files\CERN\Client Printing Package\pgm\lprserv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
D:\Babylon\Babylon.exe
C:\WINNT\CDILLA64.EXE
C:\WINNT\System32\mdm.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\rgreino\Local Settings\Temp\HijackThis.exe
C:\WINNT\System32\taskmgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cern.ch/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cern.ch
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zephyr] "C:\Program Files\CERN\Zephyr\zwgc.exe"
O4 - HKLM\..\Run: [CERN Printing Launcher] C:\Program Files\CERN\Client Printing Package\Printrun.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [Babylon Translator] D:\Babylon\Babylon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.cern.ch
O16 - DPF: {B9B1E29D-4B98-4995-8B7C-89AE3EFA25BE} (KeithleyControl.display) - http://137.138.75.96/KeithleyControl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cern.ch
O17 - HKLM\Software\..\Telephony: DomainName = cern.ch
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B5B56CD-6297-4981-B9AE-720C460A8861}: Domain = cern.ch
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B5B56CD-6297-4981-B9AE-720C460A8861}: NameServer = 137.138.16.5,137.138.17.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cern.ch
O17 - HKLM\System\CS1\Services\Tcpip\..\{9B5B56CD-6297-4981-B9AE-720C460A8861}: Domain = cern.ch
O17 - HKLM\System\CS1\Services\Tcpip\..\{9B5B56CD-6297-4981-B9AE-720C460A8861}: NameServer = 137.138.16.5,137.138.17.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cern.ch
O17 - HKLM\System\CS2\Services\Tcpip\..\{9B5B56CD-6297-4981-B9AE-720C460A8861}: Domain = cern.ch
O17 - HKLM\System\CS2\Services\Tcpip\..\{9B5B56CD-6297-4981-B9AE-720C460A8861}: NameServer = 137.138.16.5,137.138.17.5

Thanks,
Boby
Well, it is XP after all. The winnt in the system path always throws me off when I see that.

Since I can't really identify what is causing the problem the procedure I would try is to first eliminate all the "startup" programs as a possible cause of the problem. This is easy to do using msconfig which is a troubleshooting utility for "clean booting" XP...

http://support.microsoft.com/default.aspx?scid=kb;EN-US;310353

Basically you just want to try unchecking the "load startup items" group first and see if that makes a substantial difference. If it does, then you know something under the Startup tab is causing the problem and the task is to selectively disable individual items or groups of items until you find out what it is.

A second method is to create a new User Account and boot up under that. That too has the effect of determining whether the problem is due to a User configuration or is something that is machine wide.

You have many "server" related starting processes there it appears. Are you running a web server and are these something new?

d:\CAENSERVER\CAENHVOPCServer.exe
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\WINNT\System32\Hummingbird\Connectivity\8.00\Inetd\inetd32.exe
C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
C:\Program Files\CERN\Zephyr\zhm.exe

O4 - HKLM\..\Run: [Zephyr] "C:\Program Files\CERN\Zephyr\zwgc.exe"
O4 - HKLM\..\Run: [CERN Printing Launcher] C:\Program Files\CERN\Client Printing Package\Printrun.exe
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE

Obviously I have no idea where these are going or what they are doing, but the winlogon problem may be associated with some server or network related task that is not being handled efficiently.
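Added example, not part of the original thread: a small Python parser that narrows down the startup-item check suggested in the reply above. It tags each O4 Run entry from the posted HijackThis log as machine-wide (HKLM) or per-user (HKCU) and notes whether its executable appears under "Running processes". The function names `parse_log` and `triage` are assumptions made for this illustration; the sample is an excerpt of the second log in the thread.

```python
import ntpath
import re
# Excerpt of the second HijackThis log posted in the thread.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\system32\winlogon.exe
C:\Program Files\CERN\Zephyr\zhm.exe
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
D:\Babylon\Babylon.exe

O4 - HKLM\..\Run: [Zephyr] "C:\Program Files\CERN\Zephyr\zwgc.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [Babylon Translator] D:\Babylon\Babylon.exe
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)$")
EXE_RE = re.compile(r'^"?(.+?\.exe)\b', re.IGNORECASE)  # strips quotes and arguments

def parse_log(text):
    """Return (running_process_paths, run_key_entries) from a HijackThis log."""
    running, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            running.append(line)
        elif (m := O4_RE.match(line)):
            hive, name, cmd = m.groups()
            exe = EXE_RE.match(cmd)
            entries.append({"hive": hive, "name": name,
                            "exe": exe.group(1) if exe else cmd})
    return running, entries

def triage(text):
    """Tag each Run entry with its scope and whether its image is running."""
    running, entries = parse_log(text)
    live = {ntpath.basename(p).lower() for p in running}
    for e in entries:
        e["scope"] = "machine-wide" if e["hive"] == "HKLM" else "per-user"
        e["running"] = ntpath.basename(e["exe"]).lower() in live
    return entries

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f'{e["scope"]:12} running={e["running"]!s:5} {e["name"]}')
```

Per-user (HKCU) entries are the ones that would not load under a newly created account, so they line up with the second test in the reply; matching is by file name only, so a running process with the same name in a different folder would also count as a match.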