
Winlogon Using 100% Cpu


#1 A Free Spirit

A Free Spirit

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:40 PM

Posted 28 November 2005 - 11:24 AM

Hi.

Long time viewer - first time poster!

Since Friday, my PC has been running dead slow and stops, as winlogon.exe is using 100% of the CPU time all the time, only dipping down to about 85% when another application can force its way in! When I start Windows, it sits at "Windows is starting up...." and does nothing, so I have to restart it three times before it finally starts Windows up correctly. I'm running XP Home SP2, 3.2 GHz processor; 1 GB RAM on a home built configuration, no new hardware or software installed in the week the problem first started.

This heavy CPU usage only happens when the internet connection (Belkin Wireless ADSL with USB adapter) is running - as soon as I disconnect, Winlogon.exe goes from about a 3mb size down to about 500k and stops hammering the CPU...only then is the PC usable again.

I've scanned for viruses using AVG and Norton's on-line scanner (that took a day to run!!) but nothing was found; I've scanned for Spyware using Ad-Aware, S&D, and even Microsoft Spyware software! Nothing found other than wayward cookies which I deleted anyway.

I ran Registry Mechanic and it found about 90 "problems" but that was due to me uninstalling and deleting files and not doing a restart afterwards.

I know that some spyware creates another version of winlogon.exe for its own purposes, but I've looked for winlogin, winLogin, winlog0n and winl0gon and all other permutations of that, but I can only find the "standard" Microsoft version in c:\windows\system32.

I've rolled back to last Monday using Restore, when I know the PC was running fine but that has made no difference.

I renamed the winlogon.exe file and replaced the file from a copy from Win XP Home cd but when I booted the PC back up, I got a message saying Windows could not write to the memory address of the new winlogon.exe and it just crashed out and restarted. So I had to replace the file with the old one and I'm back to square one.

I've run HijackThis and found a few anomalies (like blank shell and missing file addresses) but nothing indicating any badness! But I'm no expert on HijackThis so I dare say I've missed some important stuff somewhere along the way!!

I really don't want to have to re-install everything just because of one "corrupted" file but it's looking that way!!

Anybody have any suggestions or ideas as to what else I can try?

Many thanks in advance!

Kind Regards

Kevin


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 33,337 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:40 PM

Posted 28 November 2005 - 12:51 PM

Does winlogon.exe appear in Msconfig/Startup? If so, then post your log in the Hijackthis forum for assistance.
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

If this is not malware related then try System File Checker. The main reason for using the SFC utility is when you suspect there may be a problem with a Windows XP system file. SFC allows you to check for any corrupt system files.

Go to Start > Run and type: sfc /scannow

Make sure that you include a space between the c and /. This command will immediately initiate the Windows File Protection service to scan all protected files, verify their integrity, and replace any problem files. If sfc discovers that a protected file has been overwritten, it retrieves the correct version of the file from the %systemroot%\system32\dllcache folder, and then replaces the incorrect file. You must be logged on as a member of the Administrators group to run sfc and it may ask you to insert your Windows Installation CD so have it available.
Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators
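The original poster searched by hand for disguised copies of winlogon.exe (winlogin, winl0gon and so on) and quietman7 suggested checking whether winlogon.exe shows up under Msconfig/Startup. The following Python script is an added example, not code from the thread or from any tool the replies mention; it automates both checks over a constructed process/startup listing, flagging look-alike names (close spelling or digit-for-letter swaps) and a correctly named winlogon.exe that either lives outside system32 or appears as a startup entry. The sample records, the homoglyph table and the distance threshold of 2 are all assumptions chosen for the demonstration.

```python
"""Added example (not from the thread): flag winlogon.exe look-alikes in a
process/startup listing, the way the poster was hunting for them by hand."""
from dataclasses import dataclass
from typing import Dict, List
import ntpath

LEGIT_NAME = "winlogon.exe"
LEGIT_DIR = r"c:\windows\system32"  # the only place the genuine file lives on XP
# Digit-for-letter swaps used to disguise a file name (constructed list, an assumption)
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


@dataclass
class ProcessRecord:
    name: str          # image name as shown in Task Manager
    path: str          # full image path
    in_startup: bool   # listed under Msconfig > Startup


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; inputs are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(rec: ProcessRecord) -> List[str]:
    """Return findings for one record; an empty list means nothing suspicious."""
    findings: List[str] = []
    name = rec.name.lower()
    if name == LEGIT_NAME:
        # Right name: it must live in system32 and is never a Startup entry
        if ntpath.dirname(rec.path).lower() != LEGIT_DIR:
            findings.append(f"winlogon.exe outside system32: {rec.path}")
        if rec.in_startup:
            findings.append("winlogon.exe listed in Msconfig/Startup")
    else:
        # Wrong name: close spelling or a homoglyph swap makes it a look-alike
        normalized = name.translate(HOMOGLYPHS)
        if edit_distance(normalized, LEGIT_NAME) <= 2:
            findings.append(f"look-alike name: {rec.name}")
    return findings


def scan(records: List[ProcessRecord]) -> Dict[int, List[str]]:
    """Map record index -> findings, keeping only records with a finding."""
    report: Dict[int, List[str]] = {}
    for i, rec in enumerate(records):
        found = assess(rec)
        if found:
            report[i] = found
    return report


# Constructed sample listing (not real data from the thread)
SAMPLE = [
    ProcessRecord("winlogon.exe", r"C:\WINDOWS\system32\winlogon.exe", False),
    ProcessRecord("winl0gon.exe", r"C:\WINDOWS\winl0gon.exe", True),
    ProcessRecord("winlogin.exe", r"C:\Documents and Settings\Kevin\winlogin.exe", True),
    ProcessRecord("winlogon.exe", r"C:\WINDOWS\winlogon.exe", True),
    ProcessRecord("svchost.exe", r"C:\WINDOWS\system32\svchost.exe", False),
]

if __name__ == "__main__":
    for idx, found in scan(SAMPLE).items():
        print(idx, SAMPLE[idx].name, "->", "; ".join(found))
```

On a real machine the records would come from Task Manager or a process-listing tool plus the Msconfig Startup tab; a hit from this script is a reason to post the HijackThis log as quietman7 suggests, not proof of infection on its own, since the genuine winlogon.exe can legitimately appear with odd casing in some listings.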

#3 A Free Spirit

A Free Spirit
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:40 PM

Posted 28 November 2005 - 04:10 PM

Wow - where did you find that little gem!

:thumbsup:

I ran sfc /scannow and, as you guessed, I needed to insert the Win XP Home CD - had to click retry each time it checked a file, but at the end I checked Task Manager and CPU usage for winlogon.exe is fluctuating at between 1% and 5% and its file size is <20,000k which is more than acceptable!!! (mainly cos I don't know what the norm should be!)

I'm guessing that winlogon.exe was corrupted by spyware or virus, disinfected by whichever progs, but remained corrupted by the attack.

Thanks for saving me from hours of re-installing!

Best Wishes

Kevin

:flowers:

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 33,337 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:40 PM

Posted 28 November 2005 - 06:58 PM

SFC is part of Windows built in File Protection. Glad to hear you resolved the problem by using it.

#5 A Free Spirit

A Free Spirit
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:40 PM

Posted 29 November 2005 - 03:41 AM

Hi again

I think I might have celebrated too soon!

Everything is great on the PC...until I did a reboot! :thumbsup:

The graphics display has gone all blocky with ASCII coded symbols everywhere - I cannot get into the BIOS to check the initial display option. If I let it run through, it gets to the (very blocky!) Windows splash screen and then it sits at the "Windows is starting up" prompt and there it sits for ever more. Even if I reboot a few times it just sits at that start up page.

When I ran the procedure you suggested, I used the original Windows XP Home CD for the replacement files but I'm wondering if I should have used the SP2 disc instead. What I think has happened is the "old" versions of the corrupted files have been used and XP hasn't got a clue what it's doing, as it was using SP2 files previously! Is that a reasonable line of thought?

So I need to get into the BIOS settings somehow and guesstimate which option is the Init Display setting, then I'll be able to get into the start up configuration and setup a bootlog file to try and see what the PC is getting hung up on.

Oh the joys of computing!

Thanks again for your assistance

Kevin

#6 acklan

acklan

    Bleepin' cat's meow


  • Members
  • 8,529 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Baton Rouge, La.
  • Local time:01:40 PM

Posted 29 November 2005 - 09:05 AM

on Dell's F2
HP/Compaq's F10
Some others use ctrl+alt+enter
Or just the DELETE key

I would start with F2 and F10
"2007 & 2008 Windows Shell/User Award"

#7 usasma

usasma

    Still visually handicapped, new avatar (a camel) :0)


  • Members
  • 16,690 posts
  • OFFLINE
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:01:40 PM

Posted 29 November 2005 - 09:13 AM

SFC won't let you use the SP2 disc - it'll complain until you use the installation disk (but you can cheat by slipstreaming a copy of SP2 into it).

It sounds like you were infected, and as a result of trying to use SFC.EXE without a virus scan, the system has "mucked up".

FWIW - I'd reset your BIOS to defaults by removing the CMOS battery for 20 - 30 minutes, then I'd try a repair install ( http://www.michaelstevenstech.com/XPrepairinstall.htm )

Then, I'd immediately recover any data on the system (to removable media). Remember that these copies may also be infected.

Then I'd do a format (maybe even a low-level format) and a clean install of the OS (most major makers have 2 options for recovery - a non-destructive one (like the repair install) and a destructive one (like a clean install))

Don't forget to visit Windows update immediately after using the SP2 CD (and don't hook up to the internet until then!)
- John
**If you need a more detailed explanation, please ask for it. I have the Knack. **

#8 A Free Spirit

A Free Spirit
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:40 PM

Posted 29 November 2005 - 09:17 AM

Hi

I can get into the BIOS - but the whole screen is just made up of blue, white and yellow "blocks" with some of the text visible. I can move the selection "bar" around the screen but I have no idea what option I'm on and fear to select anything and change settings in case I'm in the wrong place.
(I'm using another PC in case you're wondering how I'm able to reply!)

I've reset the BIOS via a jumper but it's still the same problem. The BIOS is a bit daft as the Init Display has the option for the default onboard chip or the AGP card....and there's no onboard graphics chip on the motherboard!!! DOH!

I'll need to try and find out what BIOS the motherboard uses and see if I can get an idiots guide as to how many cursor moves are required to get to the Init Display option, and try doing it blind.

Thanks for the assistance

Regards

Kevin

#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 33,337 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:40 PM

Posted 29 November 2005 - 11:31 AM

You can download and use the bios wizard to get the information.
http://www.unicore.com/bioswiz/index2.html

Or use a system info tool like SIW or everest home.
http://www3.sympatico.ca/gtopala/about_siw.html
http://www.lavalys.com/products/overview.php?pid=1&lang=en

#10 acklan

acklan

    Bleepin' cat's meow


  • Members
  • 8,529 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Baton Rouge, La.
  • Local time:01:40 PM

Posted 29 November 2005 - 11:39 AM

If you have an old video card lying around, pop it in and see if it will allow you to access the BIOS. Are you sure your video card hasn't died?

#11 Bobang

Bobang

  • Members
  • 44 posts
  • OFFLINE
  • Local time:07:40 PM

Posted 29 November 2005 - 12:38 PM

I think there is corruption in your Virtual Memory File. To get your system going normally:

Press WindowsKey + Break = System Properties / Advanced Tab / Settings / Advanced / Change Button(under Virtual Memory) / Check Radio Button saying "No Memory" ( I have German Windows, so the wording may be slightly different).

Then press OK and once again OK.

Restart your system. Virtual Memory will be created afresh. The problem should be gone.

Bobang




#12 A Free Spirit

A Free Spirit
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:40 PM

Posted 01 December 2005 - 07:59 AM

Hello again

Sorry for not replying to anybody until now - the PC was keeping me out of everything, so I'm having to use the work PC again!!

The story so far is...I turned off the memory paging as advised and restarted the PC. But I'm still getting XP sitting at the 'Windows is starting' screen and there it sits for evermore. The ONLY way I can get into XP is in Safe Mode - none of the other Safe Mode options will work - and when I do get in, obviously I'm limited in what I can do.

I've tried setting up Bootlog, but as it never gets into XP, nothing is getting written back. I've tried replacing the userinit and winlogon files but again I get nowhere with it. I'm not sure what I can try really...it may be a goosed device driver, but at this rate I'm going to have to bite the bullet and re-install from scratch!!

Oh - what joy that will be!

Kevin

#13 usasma

usasma

    Still visually handicapped, new avatar (a camel) :0)


  • Members
  • 16,690 posts
  • OFFLINE
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:01:40 PM

Posted 01 December 2005 - 10:45 AM

. . . FWIW - I'd reset your BIOS to defaults by removing the CMOS battery for 20 - 30 minutes, then I'd try a repair install ( http://www.michaelstevenstech.com/XPrepairinstall.htm )

Then, I'd immediately recover any data on the system (to removable media). Remember that these copies may also be infected.

Then I'd do a format (maybe even a low-level format) and a clean install of the OS (most major makers have 2 options for recovery - a non-destructive one (like the repair install) and a destructive one (like a clean install))

Don't forget to visit Windows update immediately after using the SP2 CD (and don't hook up to the internet until then!)


- John

#14 A Free Spirit

A Free Spirit
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:40 PM

Posted 02 December 2005 - 11:51 AM

Hi Again

I tried the Repair Install.....now the PC will not boot up at all!! Just loops around on itself and doesn't even get close to Windows.

So I guess it's time to raise the white flag and go for the full install from start! I've got a new hard drive ready to go so I guess I'll be setting up a PC over the weekend!

An interesting sting in the tail is that my ISP has sent an e-mail to advise me that I have sent out spam e-mail while my PC has been dead, and having just checked my usage for the week, I've downloaded 120mb on a daily basis and I've not even been able to get in, let alone get to the Net. The ISP said somebody must have hacked onto my wireless router - I've got WEP etc enabled, SSID hidden, router is locked down to my MAC address and the router is shielded to block as much leakage as possible.

So I'm playing safe and assigning my old boot disk to the bin!!! :thumbsup:

Thanks for everybody's assistance - I've learnt a few things!!

Kind Regards

Kevin

#15 usasma

usasma

    Still visually handicapped, new avatar (a camel) :0)


  • Members
  • 16,690 posts
  • OFFLINE
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:01:40 PM

Posted 02 December 2005 - 12:06 PM

Where does it fail? Does it fail during the repair, or after it when you try to boot up Windows? At this point, everything should still be intact on your hard drive and accessible.

The SPAM report from your ISP suggests, to me, that you may have become a "zombie" for some spammer (who accessed your system and caused it to send out spam!). And, that depends on how they accessed your system and router.

I'd say that a low-level reformat and clean install of Windows is your best bet right now. A low-level format can be done with free tools from the hard drive manufacturer's website, and a clean install will allow you to start out virus free! Don't forget that you'll have to update your motherboard and system hardware drivers after the clean install (along with the obligatory visit to Windows Update).

Here's a couple of suggestions to keep this from happening again.
1) Anti-virus software - updated daily and used always!
2) Anti-spyware software - updated daily and used always!
3) A software firewall - used always, updated as needed!
4) Windows Update - go there daily to check for the latest updates - then download and install them!
5) Watch where you surf!
6) Don't ever click on anything that you didn't ask for. Close it (or its application) by using Ctrl-Alt-Del to open Task Manager and close the application that it's running in (usually Internet Explorer).

Some tips for the next time this happens:
1) Use automatic backup software to backup your most important information to another drive
2) Back up your registry daily - and save multiple days so that you can go back to a previous version if necessary.
3) Use System Restore - there are even ways to edit some files so that more or less can be included in the System Restore folders.
4) Use a disk imaging utility to make a copy of your hard drive - then use it regularly to make a more current copy. That way, with a system crash, you can be back up and running within 20 minutes - using the last copy of the disk image.

Edited by usasma, 02 December 2005 - 12:07 PM.

- John