Solved

Winlogon process goes to 99% and consumes the machine.

Posted on 2006-11-27
Last Modified: 2011-04-14
After logging on the system appears to hang.

I see that Winlogon CPU utilization has gone to 99%.

I talked to Microsoft and they said that it might be a problem with the windows audio driver.

I booted into safe mode and tried to disable the service from starting. I got an access denied error that said that I needed to log on as an administrator. I was the local administrator. AAArgh!

I then tried to set up a testadmin account. I received an error message that the user FOCUS/testadmin could not be added to the Administrators group because FOCUS/testadmin does not exist. DUH! I was trying to create that account. AAArgh!

I am running a chkdsk now.

I did a system restore to a point prior to Thanksgiving. I had installed franklin planner for Outlook over the holidays.

Any suggestions would be greatly appreciated.

Thanks,

Steve
Question by:steveurich
15 Comments
 
LVL 47

Expert Comment

by:rpggamergirl
Most nasties use the winlogon\notify key, show us a hijackthis log to rule out malware.

Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
http://danborg.org/spy/hjt/alternativ.exe
Open HijackThis, click "Do a system scan and save a logfile". Don't fix anything yet.

Then upload the logs to any hosting sites,
or go to the below link and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.

OR: paste the log to either of these sites:
1. http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.

2. or at --> http://www.hijackthis.de/
and click "Analyse", click "Save".  Then post the link to the saved list here.
 

Author Comment

by:steveurich
How do I run this when the system is hung, for all intents and purposes?

Will it run in Safe Mode? Will Windows load the USB driver so that I could bring it across on a thumb drive?

Thanks,

Steve
 
LVL 66

Expert Comment

by:johnb6767
Yes, it should work just fine.

Winlogon is a pain, sometimes you have to wait and wait and wait... well you get the idea....Do me a favor, go to regedit, and export the following key to a .reg file, open it in notepad, and paste it here.....

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

We should be able to get the same from HijackThis!, but would be nice to have a backup plan...
 
LVL 47

Expert Comment

by:rpggamergirl
Yes, you can run HijackThis from the thumb drive, and yes, it will run in safe mode. Normal mode is recommended so all entries show up, but if safe mode is the only mode where you can run it, then run it in safe mode.
 
LVL 9

Expert Comment

by:gopal_krishna
This can happen because the Windows Update service keeps searching for Windows updates, and if the update fails it keeps searching in the background. Hence I would suggest that you please follow the exact steps provided below. Do not miss out any:

1. Click Start->Run, type "services.msc" (without quotation marks) in the open box and click OK.
2. Double click the service "Automatic Updates".
3. Click on the Log On tab, please ensure the option "Local system account" is selected and the option "Allow service to interact with desktop" is unchecked.

4. Check if this service has been enabled on the listed Hardware Profile. If not, please click the Enable button to enable it.
5. Click on the tab "General"; make sure the "Startup Type" is "Automatic". Then please click the button "Start" under "Service Status" to start the service.
6. Repeat the above steps with the other service: Background Intelligent Transfer Service (BITS)


================================ NEXT ================================


Re-register Windows Update components and Clear the corrupted Windows Update temp folder


1. Click on Start and then click Run,
2. In the open field type "REGSVR32 WUAPI.DLL" (without quotation marks) and press Enter.
3. When you receive the "DllRegisterServer in WUAPI.DLL succeeded" message, click OK.
4. Please repeat these steps for each of the following commands:

REGSVR32 WUAUENG.DLL
REGSVR32 WUAUENG1.DLL
REGSVR32 ATL.DLL
REGSVR32 WUCLTUI.DLL
REGSVR32 WUPS.DLL
REGSVR32 WUPS2.DLL
REGSVR32 WUWEB.DLL

After the above steps are finished reboot.

Cheers
Gopal Krishna K
 

Author Comment

by:steveurich
http://www.rafb.net/paste/results/9dMuSX18.html

is where the results of the HijackThis scan are posted.

Steve
 

Author Comment

by:steveurich
Logfile of HijackThis v1.99.1
Scan saved at 4:12:38 PM, on 11/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HijackThis 1.99.1\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: CmjBrowserHelperObject Object - {AC41D38F-B56D-40AD-94E0-B493D130C959} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palm\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142926183199
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142467118515
O16 - DPF: {83229950-AD1D-4B94-8304-F56E95AFACF7} (Surgient URA Remote Desktop Client) - http://staging-ura.demoservers.com/HTGateway/proxy/srdp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://vmware.webex.com/client/T23L/webex/ieatgpc.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://upload-v5.streamload.com/Upload/XUpload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Sytek.local
O17 - HKLM\Software\..\Telephony: DomainName = Sytek.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{37E20A19-8628-43CC-94D1-869CCF0DB6A4}: NameServer = 192.168.1.1,192.168.1.90
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2F24AAB-54E7-49FF-9995-FF15AF59A686}: NameServer = 192.168.1.4,192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Sytek.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = sytek.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Sytek.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = sytek.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = sytek.local
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Central Management Server (BOBJCentralMS) - Unknown owner - C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\CMS.exe" -service -name Focus.cms  -restart (file missing)
O23 - Service: Report Application Server (BOBJCrystalReportApplicationServer) - Unknown owner - C:\Program Files\Business Objects\common\3.5\bin\crystalras.exe" -service -name Focus.RAS -ns Focus  -ipport -restart (file missing)
O23 - Service: Crystal Reports Cache Server (BOBJCrystalReportsCacheServer) - Unknown owner - C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\cacheserver.exe" -service -name Focus.cacheserver -cache -nops -deleteCache -ns Focus -restart (file missing)
O23 - Service: Crystal Reports Page Server (BOBJCrystalReportspageserver) - Unknown owner - C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\pageserver.exe" -service -name Focus.pageserver -ns Focus  -restart (file missing)
O23 - Service: Connection Server (BOBJCS) - Unknown owner - C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\ConnectionServer.exe"  -service -name Focus.ConnectionServer -ns Focus -restart (file missing)
O23 - Service: AA Dashboard Server (bobjdashboardengine) - Unknown owner - C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\AADashboard.exe" -service -name Focus.dashboardengine -ns Focus (file missing)
O23 - Service: Desktop Intelligence Cache Server (BOBJDesktopIntelligenceCacheServer) - Unknown owner - C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\fccache.exe" -service -name Focus.Desktop_IntelligenceCacheServer -cache -nops -deleteCache -ns Focus -lib cacheFC -libTypeDescription  "Desktop Intelligence Cache Server" -restart (file missing)
O23 - Service: Desktop Intelligence Report Server (BOBJDesktopIntelligenceReportServer) - Unknown owner - C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\fcproc.exe" -service -name Focus.Desktop_IntelligenceReportServer -ns Focus -lib procFC -libTypeDescription  "Desktop Intelligence Report Server" -maxDesktops 0 -restart (file missing)
O23 - Service: Destination Job Server (BOBJDestinationServer) - Unknown owner - C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\procdest.exe" -service -name Focus.destinationjobserver -ns Focus -objectType CrystalEnterprise.Destination -lib procDest  -restart -jsTypeDescription "Destination Job Server (file missing)
O23 - Service: Event Server (BOBJEventServer) - Unknown owner - C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\EventServer.exe" -service -name Focus.eventserver -ns Focus -restart (file missing)
O23 - Service: Input File Repository Server (BOBJInputFileServer) - Unknown owner - C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\inputfileserver.exe" -service -name Input.Focus -ns Focus -restart (file missing)
O23 - Service: AA Individual Profiler Server (bobjiprofiler) - Unknown owner - C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\AAProfiler.exe" -service -name Focus.profileengine -ns Focus (file missing)
O23 - Service: Desktop Intelligence Job Server (BOBJJobServer_DesktopIntelligence) - Unknown owner - C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\JobServerFullClient.exe" -service -name Focus.Desktop_IntelligenceJobServer  -ns Focus -objectType CrystalEnterprise.FullClient -lib pp_procFC  -jsTypeDescription "Desktop Intelligence Job Server" -maxDesktops 0 -restart (file missing)
O23 - Service: Crystal Reports Job Server (BOBJJobServer_Report) - Unknown owner - C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\JobServer.exe" -service -name Focus.reportjobserver  -ns Focus -objectType CrystalEnterprise.Report -lib procReport  -restart -jsTypeDescription "Crystal Reports Job Server (file missing)
O23 - Service: AA Predictive Analytic Server (bobjminingengine) - Unknown owner - C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\AADMining.exe" -service -name Focus.miningengine -ns Focus (file missing)
O23 - Service: Output File Repository Server (BOBJOutputFileServer) - Unknown owner - C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\outputfileserver.exe" -service -name Output.Focus -ns Focus -restart (file missing)
O23 - Service: AA Analytics Server (bobjportfolioengine) - Unknown owner - C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\AAAnalytics.exe" -service -name Focus.portfolioengine -ns Focus (file missing)
O23 - Service: AA Metric Aggregation Server (bobjprobeengine) - Unknown owner - C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\AAMetrics.exe" -service -name Focus.probeengine -ns Focus (file missing)
O23 - Service: List of Values Job Server (BOBJProcessServer) - Unknown owner - C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\procLov.exe" -service -name Focus.ListOfValuesJobServer -ns Focus -objectType CrystalEnterprise.MetaData.MetaDataRepositoryInfo -lib procLOV  -restart -jsTypeDescription "List of Values Job Server (file missing)
O23 - Service: Program Job Server (BOBJProgramServer) - Unknown owner - C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\ProgramServer.exe" -service -name Focus.programjobserver  -ns Focus -objectType CrystalEnterprise.Program -lib procProgram  -restart -jsTypeDescription "Program Job Server (file missing)
O23 - Service: AA Set Analyzer Server (bobjquerymanager) - Unknown owner - C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\AAQueryMgr.exe" -service -name Focus.setanalysisengine -ns Focus (file missing)
O23 - Service: AA Repository Management Server (bobjrepomgt) - Unknown owner - C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\AARepoMgt.exe" -service -name Focus.repomgt -ns Focus (file missing)
O23 - Service: AA Alert & Notification Server (bobjrulesengine) - Unknown owner - C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\AARules.exe" -service -name Focus.rulesengine -ns Focus (file missing)
O23 - Service: AA Statistical Process Control Server (bobjspcengine) - Unknown owner - C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\AASPC.exe" -service -name Focus.spcengine -ns Focus (file missing)
O23 - Service: Apache Tomcat 5.0.27 (BOBJTomcat) - Unknown owner - C:\Program Files\Business Objects\Tomcat\bin\tomcat5.exe" //RS//BOBJTomcat (file missing)
O23 - Service: Web Intelligence Job Server (BOBJWebiServer) - Unknown owner - C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\procWebi.exe" -service -name Focus.Web_IntelligenceJobServer -ns Focus -objectType CrystalEnterprise.Webi -lib procwebi  -restart -jsTypeDescription "Web Intelligence Job Server (file missing)
O23 - Service: Web Intelligence Report Server (BOBJWIRS) - Unknown owner - C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\WIReportServer.exe" -service -name Focus.Web_IntelligenceReportServer -ns Focus -restart (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

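A small triage script for logs in the HijackThis format shown above, added here as an example (it is not code from the thread or from HijackThis). It pulls out the two things the experts asked about: the O20 "Winlogon Notify" DLLs, which are loaded into winlogon.exe at logon, and the O23 services whose binary is marked "(file missing)". The sample log is constructed from a few lines of the posted log; the function names and the C:\WINDOWS default are my own assumptions.

```python
"""Triage helper for HijackThis 1.99.1 logs (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in HijackThis log format, cut down from the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 4:12:38 PM, on 11/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\winlogon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Event Server (BOBJEventServer) - Unknown owner - C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\EventServer.exe" -service -name Focus.eventserver -ns Focus -restart (file missing)
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
"""

# Every finding line starts with a section code such as "R1 - " or "O23 - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# O23 body: "Service: <display> (<short>) - <owner> - <path and arguments>"; the short
# name in parentheses is optional in real logs, so it is optional here too.
SERVICE_RE = re.compile(
    r"^Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)
NOTIFY_PREFIX = "Winlogon Notify: "


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O20", "O23"
    body: str     # text after "Oxx - "


def parse_hjt_log(text: str) -> List[Entry]:
    """Keep only the 'Rn - ...' / 'On - ...' lines; the header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def winlogon_notify_dlls(entries: List[Entry]) -> List[Tuple[str, str]]:
    """(Notify subkey name, DLL path) for each O20 'Winlogon Notify' line.
    These DLLs run inside winlogon.exe, so a broken one shows up as winlogon CPU."""
    found = []
    for e in entries:
        if e.section == "O20" and e.body.startswith(NOTIFY_PREFIX):
            name, _, path = e.body[len(NOTIFY_PREFIX):].partition(" - ")
            found.append((name, path))
    return found


def missing_file_services(entries: List[Entry]) -> List[str]:
    """Short names of O23 services HijackThis marked '(file missing)'
    (display name when the log gives no short name): leftovers of uninstalled software."""
    names = []
    for e in entries:
        if e.section != "O23" or not e.body.endswith("(file missing)"):
            continue
        m = SERVICE_RE.match(e.body)
        if m:
            names.append(m.group("short") or m.group("display"))
    return names


def outside_windows_dir(path: str, windir: str = r"C:\WINDOWS") -> bool:
    """True when a Notify DLL lives outside %SystemRoot% (assumed C:\\WINDOWS here).
    Worth a closer look during review; on its own it proves nothing."""
    return not path.upper().startswith(windir.upper() + "\\")


def triage(text: str) -> Dict[str, object]:
    """Summarise what a reviewer would want to see first from a pasted log."""
    entries = parse_hjt_log(text)
    notify = winlogon_notify_dlls(entries)
    return {
        "winlogon_notify": notify,
        "notify_outside_windir": [n for n, p in notify if outside_windows_dir(p)],
        "services_file_missing": missing_file_services(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```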
 
LVL 66

Expert Comment

by:johnb6767
Just out of left field, but try uninstalling Business Objects if you don't use it anymore....It will clean up all those services that have missing files......
And how does Winlogon act with McAfee disabled?

I don't see anything malicious off the bat....

Process Explorer
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx

Then double click Winlogon.exe, and then see what thread is hogging the CPU. Hopefully it will help to isolate exactly what under winlogon is being eaten up...
 

Author Comment

by:steveurich
Gopal Krishna K

Regarding the steps that you asked me to do.

I did the Automatic Updates steps but was unable to start the Automatic Updates service, as I can only access the system in safe mode and I got an error when I tried to start it: Error 1084, unable to start while in safe mode.

I did do the steps:

2. In the open field type "REGSVR32 WUAPI.DLL" (without quotation marks) and press Enter.
3. When you receive the "DllRegisterServer in WUAPI.DLL succeeded" message, click OK.
4. Please repeat these steps for each of the following commands:

REGSVR32 WUAUENG.DLL
REGSVR32 WUAUENG1.DLL
REGSVR32 ATL.DLL
REGSVR32 WUCLTUI.DLL
REGSVR32 WUPS.DLL
REGSVR32 WUPS2.DLL
REGSVR32 WUWEB.DLL

To no avail.

Could you get this Winlogon problem if you had not connected to the domain in a while?

Thanks,

Steve
 
LVL 66

Expert Comment

by:johnb6767
Winlogon maxing out the CPU can happen on any system, not just domain related/home systems. I would look back to my last post, and take a close look at Process Explorer. You should be able to get an idea of the exact .dll or service that is being run under Winlogon. It shows the hierarchy of services, and what process owns them. So that way, you can start with Winlogon, and open it from there.....And I know it might take a while to load it up in regular mode, but it's a necessary thing to do, since that's where the problems lie....


Also, did you ever look at the contents of this key? If you can load Spybot in safe mode (d/l it to a flash media), inside Spybot you can safely enable/disable all winlogon items under Advanced>Tools>Startup...Disable them all and see how it boots, then use the process of elimination....

You should be able to use Safe mode with Networking to get to the net....Without any massive slowdowns....
 

Author Comment

by:steveurich
I had to get back to doing business. I restored from a ghost image.

The only change that I had made to the system was to install Franklin Covey Plan Plus for Microsoft Outlook.

Could an application like that cause problems with Winlogon?

The concepts behind the Franklin Covey Plan Plus for Microsoft Outlook are great but the software has been so ridden with bugs that it has been unusable.

That said, if it works it would be great! I would like to reinstall it but I am concerned that I will end up right back where I was.

Thanks.

Steve
 

Author Comment

by:steveurich
I ran into the problem again and opened up a call with Microsoft.

In my case it turned out that I had a corrupted offline file folder. We renamed the \windows\csc folder and rebooted and the problem went away.

Steve
 
LVL 66

Expert Comment

by:johnb6767
More than likely it is the cscui.dll entry under Winlogon\Notify that was tanking due to the corruption of the folder.

Glad you're fixed....
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
PAQed with points refunded (500)

Computer101
EE Admin
