winlogon.exe still @ 100% CPU after following Removal Guide

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by j1smith2@hotmail.com, Nov 7, 2007.

  1. j1smith2@hotmail.com

    j1smith2@hotmail.com Private E-2

    WinXP SP2 box

    CPU pegs @ 100% on winlogon.exe - seems to be at random times. Can reboot the machine and just let it sit inactive - come back an hour later and winlogon.exe is going full bore.

    Only fix seems to be hard power cycle.

    Attaching logs. Have followed READ & RUN ME FIRST Before Asking for Support. Well, at least down to the BitDefender online scan. B/c of geographic location, this box only has dialup access. After waiting an hour for BitDefender to update virus definitions, it came back with an error and could not install the new defs. Exasperating.

    Went ahead and ran the BitDefender scan with old defs. Said it deleted Trojan.Peed.Gen from a FastStone dll. Didn't fix problem. Expect this was a false positive b/c nothing else reported it and it was downloaded directly from FastStone.org. Nonetheless, I haven't re-installed until this winlogon.exe issue gets resolved.

    Based on some other posts about similar problems, also ran VundoFix (no infected files found - V6.5.11) and ComboFix. Didn't see anything that particularly bothered me, but 1st time using these tools.

    Suggestions?
     

    Attached Files:

    Last edited: Nov 7, 2007
  2. j1smith2@hotmail.com

    j1smith2@hotmail.com Private E-2

    Re: winlogon.exe still @ 100% CPU after following Removal Guide (additional logs)

    additional logs attached
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please use add/remove programs to uninstall:
    FastStone Image Viewer 3.2
    Viewpoint Media Player

    Then check and if present, delete:
    C:\Documents and Settings\All Users\Desktop\FastStone Image Viewer.lnk
    C:\Documents and Settings\Administrator\Application Data\FastStone
    C:\Documents and Settings\All Users\Application Data\Viewpoint
    C:\Program Files\FastStone Image Viewer
    C:\Program Files\Viewpoint

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix, exit HJT.

    Tell me how things are running and what issues remain.
     
  4. j1smith2@hotmail.com

    j1smith2@hotmail.com Private E-2

    Made the changes you requested. Afraid it hasn't changed the status of anything. Over the course of the day, machine still freezes up.
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    This is sounding more like a software or hardware issue ....what exactly are you doing when it "freezes"?

    Go to the control panel and click admin tools / event viewer and look for any problems in either application or system. Let me know what they are.
     
  6. j1smith2@hotmail.com

    j1smith2@hotmail.com Private E-2

    Winlogon.exe seems to peg out when the computer is idling.

    Rebooted this morning. Finished using OpenOffice for word processing around 9:00am. Left the OpenOffice application open and left the machine sitting idle for most of the day. When I checked the box at 7:15pm, Winlogon.exe was running at 100% utilization. There was a Windows Security balloon saying that Symantec Endpoint Protection was disabled. At 8:55, it was still pegged and I power cycled.


    Couple of items of note from system / application logs:

    On 11/9 at 7:18pm, the log shows that Symantec successfully downloaded definition files from LiveUpdate. But when you open Symantec and check definitions, the version is Tuesday, Oct 16, 2007 r9. Only internet connection is dialup - could have been online at 7:18 on 11/9 but did not initiate a virus update.

    There are also several Symantec Tamper Protection notices from AOL processes.

    Nothing else stands out.
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Right click the winlogon.exe and tell me what the properties/association is ...

    Is Symantec a paid-for application? And is AOL your ISP?

    If you disable Symantec...does the process stop?

    What happens if you kill the process?
     
  8. j1smith2@hotmail.com

    j1smith2@hotmail.com Private E-2

    Right click the winlogon.exe and tell me what the properties/association is ...

    Did a search of harddrive for winlogon.exe. Found it in
    c:\windows\system32 - file version 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    c:\windows\servicepackfiles\i386 (xpsp_sp2_rtm.040803-2158)
    Binary comparison showed that these are exactly the same file

    When I first boot up, the winlogon.exe process is using 1,792k memory. When it is hogging the processor, it is at 4700k.
    Priority is set to High at bootup.

    Is Symantec a paid-for application? And is AOL your ISP?
    Yes, everything on this box is legitimately licensed.

    Symantec Endpoint Protection 11.0.780.1109
    Antivirus / spyware definitions Tues, Oct 16, 07 r9
    Proactive Threat Protection definitions Tues Oct 16, 07 r33
    Network Threat Protection Thur Oct 11, 07 r1

    AOL (9.0 VR Revision 4327.5006) is ISP for this box.



    If you disable Symantec...does the process stop?

    I think there are multiple processes associated with Symantec:
    ccapp.exe
    ccSvcHst
    Right-click on system tray and disable realtime protection doesn't seem to have any effect on these particular processes. But it doesn't remove icon from tray either...
    If you really want it disabled, I believe it will probably require some registry edits - don't know which particular keys though.


    Something else called CDAC11BA.exe - don't know what it is.

    Another possibly related process - Rtvscan.exe



    What happens if you kill the process?
    kill Rtvscan: no noticeable impact. But it re-spawns itself.
    kill ccSvcHst.exe: Windows Security Center reports Endpoint is turned off, but Symantec is actually still actively running. Process re-spawns itself.
    Kill ccApp: can't tell that anything happened.
    kill CDAC11BA.exe : can't tell that anything happened.


    Rebooted so things weren't quite so molested - attached is a list of the processes that are running at startup. All the copies of SvcHost seem a bit strange.

    Dialup connection is too slow to attempt to look up what all these processes are. I'll have to do a bit more research tomorrow.
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    "cdac11ba.exe" is part of the copy-protection software.
    "rtvscan.exe" is Symantec's Norton AntiVirus' realtime virus scanning application.

    Run Process Explorer 10.21

    To ascertain which service is causing the problem select the image producing the high CPU usage, right click, select Properties, Services. Note there are the full names and some explanation of what each service does.

    To trace the particular Service involved you need to turn off each service in turn and then restore it noting what effect it has on CPU usage. However, you need to take care and watch what other Services are dependent on that service. When you click on the Dependencies tab allow it a little time to display the information.

    Let me know what you find.
     
  10. j1smith2@hotmail.com

    j1smith2@hotmail.com Private E-2

    First time using ProcessExplorer. Sorry, but I'm not quite following your instructions.

    Right Click on Winlogon.exe, Properties - there is no Services tab.

    Haven't found a Dependencies tab either. Only thing I see is the process tree - in which almost all the processes running on the box are children of winlogon.exe.


    When you say turn off a service, do you mean suspend the process? Does restore a service mean resume that process?

    I assume that I should suspend the child processes in turn rather than the parent winlogon.exe process?

    Sorry for the elementary questions, just haven't quite synced up with the mechanics of the tool. Hate to ask you to babysit, but I need more specific instructions.

    I've attached a couple of screen shots from right after a clean boot - winlogon.exe hasn't gone haywire at this point.
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Two things are evident from your screen shots .....symantec is using most of it and AOL is probably responsible for the rest ....so right click each of those items (yes the child ....) and suspend the service ....both programs I suspect are actively accessing the web. Then see if your cpu usage drops.
     
  12. j1smith2@hotmail.com

    j1smith2@hotmail.com Private E-2

    TimW,

    Thanks for all your help. Looks like your diagnosis of a likely hardware problem was spot on. I believe everything is probably cleared up now. Will watch it for a couple of days and let you know.


    Here's a synopsis:
    Task Manager reports Winlogon.exe running at 100% utilization.
    Process Explorer shows that it is actually a hardware interrupt problem.

    Started removing PCI cards.

    When I got rid of an old internal 56k modem, utilization dropped back to 0%. Apparently it was camping out on the bus.

    Again, thanks for your help :D
     
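    The two checks the thread ends up needing, as an added example that is not part of the thread or any of the posters' steps: confirm that the running winlogon.exe is the genuine System32 binary (the poster's path and binary-comparison check, automated), and sample the processor's interrupt/DPC counters, since Task Manager has no separate Interrupts line and can charge that time to an unrelated process while Process Explorer shows it on its own. It assumes a modern Windows host with PowerShell 4 or later (Get-FileHash, Get-CimInstance); the 2007 XP box in the thread could not run it.

```powershell
# Added example, not from the thread. Assumes Windows 7+ and PowerShell 4+.
$sys32 = Join-Path $env:SystemRoot 'System32\winlogon.exe'

# 1. Each running winlogon.exe should be the System32 file, Microsoft-signed,
#    and a child of smss.exe (whose instance has usually already exited).
#    A different path, a bad signature or an odd parent is what to escalate.
$procs = Get-CimInstance Win32_Process -Filter "Name = 'winlogon.exe'"
foreach ($p in $procs) {
    $path   = $p.ExecutablePath
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    [pscustomobject]@{
        Pid        = $p.ProcessId
        Path       = $path
        PathOk     = ($path -ieq $sys32)
        SigStatus  = $sig.Status                      # expect 'Valid'
        Signer     = $sig.SignerCertificate.Subject
        ParentName = if ($parent) { $parent.Name } else { '<exited>' }
    }
}

# 2. The poster's binary comparison of the System32 and ServicePackFiles copies,
#    generalised: hash every other winlogon.exe under the Windows directory
#    and flag copies that differ from the System32 one.
$ref = (Get-FileHash -Algorithm SHA256 -Path $sys32).Hash
Get-ChildItem -Path $env:SystemRoot -Recurse -Filter 'winlogon.exe' -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -ine $sys32 } |
    ForEach-Object {
        $h = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
        [pscustomobject]@{ Copy = $_.FullName; SameAsSystem32 = ($h -eq $ref) }
    }

# 3. Sustained interrupt or DPC time well above a few percent while the box is
#    idle points at a device or driver (the faulty modem here), not at the
#    process Task Manager happens to blame.
$counters = '\Processor(_Total)\% Interrupt Time', '\Processor(_Total)\% DPC Time'
$sample = Get-Counter -Counter $counters -SampleInterval 2 -MaxSamples 5
$sample.CounterSamples |
    Group-Object -Property Path |
    ForEach-Object {
        $avg = ($_.Group | Measure-Object -Property CookedValue -Average).Average
        [pscustomobject]@{ Counter = $_.Name; AveragePercent = [math]::Round($avg, 2) }
    }
```

    Run it from an elevated prompt so the signature check and the process enumeration can read every winlogon.exe instance.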
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sweet....glad you got it sorted out ...:)
     
