SBS 2011 Hundreds of Instances of LogonUI

Every morning when I check our SBS 2011 server, I find that the server is using up almost all of its memory and is running very slowly.  When looking at the memory usage I find hundreds of instances of LogonUI running, each taking up about 10K of memory.  When I reboot the server these instances are not there.  But over night, it seems the system is loading them for some reason.  Can anyone help me determine what may be causing this?
maike9 Asked:
crash2000 Commented:
Sounds like Malware
Try a full security scan with whatever product you use and let me know.

Mark
0
Elmar Koschka, Senior System Engineer, Commented:
Do you use the server for RDP? Perhaps you should configure the time for logoff for closed and disconnected sessions?
0
maike9 (Author) Commented:
I discovered that my predecessor failed to install adequate AV software on the server.  I'm installing Norton Endpoint Protection on server now.  

Yes, this server is used for RDP; however, no one remoted in last night.  Since RDP is exposed to the internet, is it possible that connection attempts that fail to gain access will open up LogonUI instances, and since I am not sure if there is a timeout on them, that they are being left open?
0
crash2000 Commented:
I would definitely say that something is compromised on your server.
Can you turn off RDP until scanning is complete?

Mark
0
Elmar Koschka, Senior System Engineer, Commented:
You can manage timeouts via GPO under
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Sessions
0

maike9 (Author) Commented:
UPDATE:  

Mark, I installed Norton Endpoint Protection on the server and ran a full system scan.  All that was found was a single cookie which was removed.

Elmar-H, I tried to find the location where the RDP timeout is set but was unable to find it based on the information you gave above.  Can you please expand your guidance on how to modify the timeout settings for RDP connections.

Also, I want to disable RDP temporarily to see if the problem goes away.  Is there a setting to change or a service to disable that will disable RDP temporarily?

Thank you for all your help.

Mike
0
crash2000 Commented:
Hi Mike,

Can you run malwarebytes on there too please?
I'm not convinced it's clear.

Mark
0
maike9 (Author) Commented:
Will ad-aware suffice?
0
Elmar Koschka, Senior System Engineer, Commented:
See attachment :-)
GPO.jpg
0
crash2000 Commented:
I would use Malwarebytes. You can get it free from http://www.malwarebytes.org
You don't need the paid version.

I am out today, so may not be able to answer quickly.

Mark
0
maike9 (Author) Commented:
Update

This morning the LogonUI issue was not a problem.  Not sure if what I did to the server yesterday helped.  Today, I concentrated on removing unneeded/redundant software from the box.  My predecessor had installed Comcast Toolbar on the machine, which installed a bunch of other crap.  I removed the Comcast Toolbar, CA Pest Patrol Protection, and ComcastAntiSpyware.  After removing that last item, I noticed a significant increase in the speed of the machine.

I also ran a full system scan using Ad-Aware Pro, which found and removed 9 cookies.  I then uninstalled Ad-Aware and installed MalwareBytes.  I ran a quick scan using MB and it found an additional trojan called Trojan.FakeFireFox.  I removed the trojan using MB.  I am currently doing a full system scan using MB.

One other thing I'd like to note.  I was going through the System Event logs and I'm seeing thousands of entries under the Terminal Services-RemoteConnectionManager source I think since we enabled RDP.

"Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated."

Could this mean that something is trying to hack the remote connection?  Could this cause the LogonUI instance issue?
0
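A defender-side triage script for the situation in this thread, added here as an example rather than anything posted by the participants: it counts the live LogonUI.exe instances, tallies the "exceeded the maximum allowed failed logon attempts" events from the last 24 hours per hour, checks whether RDP is accepting connections, and reads back the session time-limit policy values that the GPO path Elmar gives above writes. The event provider name and the three policy value names are assumed from the standard Terminal Services policies, not taken from the thread.

```powershell
# Added triage script (not from the thread). Assumes SBS 2011 / Server 2008 R2 with
# PowerShell 2.0 or later, run from an elevated prompt on the server itself.

# 1. How many LogonUI.exe instances are alive right now and how much memory they hold.
$logonUi = Get-Process -Name LogonUI -ErrorAction SilentlyContinue
$count   = @($logonUi).Count
$mb      = [math]::Round((($logonUi | Measure-Object WorkingSet -Sum).Sum / 1MB), 1)
Write-Host ("LogonUI instances: {0}  (working set total: {1} MB)" -f $count, $mb)

# 2. Failed-logon-limit events from the last 24 hours, bucketed per hour. A steady stream
#    while nobody on staff was logging in is the pattern of automated guessing against RDP.
#    Provider name is assumed to back the 'TerminalServices-RemoteConnectionManager' source.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*exceeded the maximum allowed failed logon attempts*' }
Write-Host ("Failed-logon-limit events since {0}: {1}" -f $since, @($events).Count)
$events | Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name | Format-Table Name, Count -AutoSize

# 3. Is RDP currently accepting connections? fDenyTSConnections = 1 means disabled.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Write-Host ("RDP enabled: {0}" -f ($ts.fDenyTSConnections -eq 0))

# 4. Session time-limit policy values (written by the Sessions GPO settings above).
#    Value names assumed from the standard policy; a missing value means "not configured".
$polPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$pol     = Get-ItemProperty $polPath -ErrorAction SilentlyContinue
foreach ($name in 'MaxDisconnectionTime', 'MaxIdleTime', 'MaxConnectionTime') {
    $v = if ($pol -and $pol.$name -ne $null) { "$($pol.$name) ms" } else { 'not configured' }
    Write-Host ("{0}: {1}" -f $name, $v)
}
```

Setting fDenyTSConnections to 1 (the same thing the Remote tab in System Properties does) is the usual way to switch RDP off temporarily while the scans finish; new connections are refused immediately, existing sessions are not cut.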