Server 2003, Winlogon.exe high CPU problems



#1 PittsPCR

Posted 17 October 2010 - 03:59 AM

Hello everyone. I have never been as stumped as I am today. Earlier today, I logged into a FRESH install of Windows Server 2003 R2. I noticed it was a bit laggy, but didn't think much about it. I went into Windows Update and let the server install something like 33 updates. I know as of right now, it is completely up to date.

This server is a dual Xeon Prestonia 2.4GHz, with 1Gb of registered DDR RAM. I have Windows installed on a RAID 1 configured ULTRA640 setup with 2 34.7GB HDDs.


Here is the problem. Upon investigation into why my RDP connection was so laggy, I discovered that winlogon.exe was using 50% cpu. Here are some screenshots:


The first thing you might notice is that there are two instances of winlogon.exe. Trying to end either of these processes results in the "This is a critical system process. Task Manager cannot end this process."

So I downloaded HijackThis and ran it. Here are the results.
QUOTE
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:11:16 AM, on 10/17/2010
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Noobixide\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O15 - ESC Trusted IP range: http://10.1.10.2
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1286209635869
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2192CF2D-1BD8-474F-BD0D-DF495F81F32D}: NameServer = 10.1.10.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9CC3515-A22B-4142-812C-AA1E42B16242}: NameServer = 10.1.10.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2192CF2D-1BD8-474F-BD0D-DF495F81F32D}: NameServer = 10.1.10.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{2192CF2D-1BD8-474F-BD0D-DF495F81F32D}: NameServer = 10.1.10.1
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - c:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4047 bytes


Now, I looked at this and I don't see anything that stands out. So I downloaded and ran Malwarebytes Anti-Malware. Again, no results. I am clueless as to what to do.

Anything would be appreciated.

Edited by hamluis, 17 October 2010 - 10:02 AM.
Moved from Windows NT forum to Malware Removal Logs ~ Hamluis.


#2 Baltboy

Posted 17 October 2010 - 10:01 AM

Typically, if you were going to post a HijackThis log thinking it was malware/virus, you should do so in the appropriate forum. However, in this case I believe your problem is Microsoft related, specifically in the tscupgrd.exe entries. For a fresh install there is no need for these to be running. I believe the following article describes well what is occurring in your computer and the solution.

http://www.theshonkproject.com/index.php?o...46&Itemid=1
Get your facts first, then you can distort them as you please.
Mark Twain
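
An added example, not part of either post: a small Python parser for the O4 (autorun) lines of a HijackThis log that reports RunOnce values still pending in more than one registry hive, which is the pattern the tscupgrd.exe entries show, and lists image paths that appear more than once under "Running processes:". The embedded log is an excerpt of the one posted above with the process list shortened; the function names are illustrative.

```python
import re
from collections import Counter, defaultdict

# Excerpt of the HijackThis log posted above (process list shortened).
LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): "
                   r"\[(?P<name>[^\]]+)\] (?P<cmd>.*?)"
                   r"(?: \(User '(?P<user>[^']*)'\))?$")

def parse_autoruns(log):
    """Return one dict per O4 registry autorun line (hive, key, name, cmd, user)."""
    return [m.groupdict() for line in log.splitlines()
            if (m := O4_RE.match(line.strip()))]

def repeated_runonce(entries, min_hives=2):
    """RunOnce values present in several hives: {(name, cmd): [hive, ...]}."""
    seen = defaultdict(list)
    for e in entries:
        if e["key"].lower() == "runonce":
            seen[(e["name"], e["cmd"].lower())].append(e["hive"])
    return {k: v for k, v in seen.items() if len(v) >= min_hives}

def duplicate_processes(log):
    """Image paths listed more than once under 'Running processes:'."""
    section = log.split("Running processes:", 1)[1].split("\n\n", 1)[0]
    counts = Counter(p.strip().lower() for p in section.splitlines() if p.strip())
    return {path: n for path, n in counts.items() if n > 1}

if __name__ == "__main__":
    for (name, cmd), hives in repeated_runonce(parse_autoruns(LOG)).items():
        print(f"RunOnce [{name}] {cmd} pending in {len(hives)} hives: {hives}")
    for path, n in duplicate_processes(LOG).items():
        print(f"{n}x {path}")
```

HijackThis lists image paths only, so a repeated path shows that several instances exist but not which session or process ID each one belongs to.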



