Winlogon.exe running 50% CPU

Status
Not open for further replies.

billyellis

Hi,

I am currently experiencing an issue where winlogon.exe is running 50% of my CPU constantly - it is not fluctuating at all.

When I logged in today, I entered my login info and my wallpaper flashed briefly before returning to the login screen. When I logged in again it worked normally.

Now my virus-scan is warning me of changes to my shell32 and hosts files (attached), and I have not run WindowsUpdate today. There also are "Generic9.BGEU" trojans in a couple of archives. Lastly, streaming video is having a lot of problems, possibly because of the CPU hogging by "winlogon" but I thought I would mention it for completeness' sake.

Are there any new viruses, etc. out that are related to winlogon.exe? When I "logged in" twice, did I inadvertently provide a hacker with my logon info??

Can I manually stop winlogon.exe and have it run normally upon reboot?
 
It depends where the winlogon.exe is running: if it's from the Msconfig/Startup it's OK, if it's elsewhere then I would say malware.

It could be the NEVEG.A WORM

Check to see if there is anything like this in the registry,

1. Click Start > Run.
2. Type regedit, then click OK.

3. Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, check to see if any of the following values are present:

".Prog" = "%Windir%\system\winlogon.exe"
"BuildLab" = "%Windir%\system\winlogon.exe"
"ccApps" = "%Windir%\system\winlogon.exe"
"FriendlyTypeName" = "%Windir%\system\winlogon.exe"
"Microsoft Visual SourceSafe"= "%Windir%\system\winlogon.exe"
"RegDone" = "%Windir%\system\winlogon.exe"
"TEXTCONV" = "%Windir%\system\winlogon.exe"
"WMAudio" = "%Windir%\system\winlogon.exe"

If they are, I would get rid of them.

5. Exit the Registry Editor.
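
The registry check in the reply above can also be scripted. The following PowerShell is an added example, not part of the original post; it assumes a system with PowerShell available, and the function names `Test-RunEntry` and `Get-RunKeyAudit` and the sample values are made up for illustration. It flags any Run value that launches a winlogon.exe from outside %SystemRoot%\System32, which goes slightly beyond the eight value names listed.

```powershell
# Added example (not from the thread): audit the HKLM Run key for values that
# start a winlogon.exe from anywhere other than %SystemRoot%\System32.
$RunKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$Legit  = Join-Path $env:SystemRoot 'System32\winlogon.exe'
# Value names quoted in the reply above.
$ListedNames = '.Prog', 'BuildLab', 'ccApps', 'FriendlyTypeName',
               'Microsoft Visual SourceSafe', 'RegDone', 'TEXTCONV', 'WMAudio'

function Test-RunEntry {
    param([string]$Name, [string]$Data)
    # Run values may hold unexpanded variables such as %Windir%.
    $expanded = [Environment]::ExpandEnvironmentVariables($Data)
    $path = $null
    if ($expanded -match '([a-z]:\\[^"]*?winlogon\.exe)') {
        $path = $Matches[1]
        # Normalise "..\" tricks; keep the raw string if it cannot be parsed.
        try { $path = [IO.Path]::GetFullPath($path) } catch { }
    }
    [pscustomobject]@{
        Name       = $Name
        Data       = $Data
        ListedName = $ListedNames -contains $Name
        Suspicious = ($null -ne $path) -and ($path -ine $Legit)
    }
}

function Get-RunKeyAudit {
    $key = Get-Item -LiteralPath $RunKey
    $raw = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    foreach ($name in $key.GetValueNames()) {
        Test-RunEntry -Name $name -Data ([string]$key.GetValue($name, $null, $raw))
    }
}

# Constructed sample values (not real findings) showing the check offline.
$samples = [ordered]@{
    'ccApps' = '%Windir%\system\winlogon.exe'              # flagged
    'Benign' = '"C:\Program Files\Vendor\tray.exe" /min'   # not flagged
}
$samples.GetEnumerator() | ForEach-Object { Test-RunEntry $_.Key $_.Value }

# Live check: show only entries that need a closer look.
Get-RunKeyAudit | Where-Object { $_.Suspicious -or $_.ListedName } |
    Format-Table Name, Data, ListedName, Suspicious -AutoSize
```

A value that carries one of the listed names but points somewhere else is shown with `Suspicious` false, so it can be reviewed rather than deleted on name alone.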
 
None of those entries is there. (yay)

But I'm still a little spooked by the strange combination of
1. double logon with a never seen before 'partial' logon and then apparent kickout
2. strange behavior from startup program controlling logon
3. red flags from virus scanner
:(

So if anyone hears anything about new security issues masquerading as winlogon to steal logon info, please add a note to this thread.
 
Update:

I just noticed an access denial that I have not seen before (attached). I am logged on as the Administrator, but I am being denied access to AllUsers/Documents.

I recently set up a home network, which is currently disabled. Could this denial simply be because another known network computer is disconnected? I would think that the "AllUsers" section for this computer would refer exclusively to users on this computer...
 
Winlogon.exe Solution

I had this same problem. The CPU utilization was at 50% with no programs running. winlogon was showing 50% CPU usage all the time.

I resolved this problem by installing XP Service Pack 3, per a Microsoft KB article - /946480, which states it fixes a memory leak in winlogon.exe.

Hope this helps someone else.

Judi
 