Hi, really weird whats going on here. We have an issue with a server which uses 99% of the CPU due to the winlogon.exe. We found out that this was used by a user under Doc. & Set. that no one created. We also found a software under the user's profile with the name ProxyHunter (needless to say that no one has installed this either.). So, we removed this user completely and for about an hour or so the system worked just fine (also we clened the registry and HJT ). And what do you know.... the user gets recreated by the server after an hour and also reinstalls the above software which includes in its directories a file called winlogon.exe.
I am going crazy over here so please, spare some thoughts lol.
Oh, the server is behind a secured network and an ISA ....
Start Free Trial
