Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 92290 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Winlogon at 90+% CPU Utilization


  • This topic is locked This topic is locked
15 replies to this topic

#1 mestro

mestro

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 15 November 2005 - 04:11 AM

Here is my log output from a run of hijackthis. If you could look at this and tell me what might be caausing the winlogon process to consume all the CPU resources, I would be most appreciative.

It is a Win2K machine, I have Norton on here, SpySweeper, AdAware so am I hopefully optimistic this is not a trojan or virus. But the winlogon process is constantly running at 90+%.

M

Logfile of HijackThis v1.99.1
Scan saved at 10:36:49 AM, on 11/15/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://concorde.lab.eucom.mil:2002/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [MaxInst] MaxInst
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NAV\vptray.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: Cisco Security Agent.lnk = C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {50F851B0-0BBE-11D2-A237-00C04FBBD1CD} (AvMediaMasterCtrl Class) - https://172.16.120.7...MediaMasENU.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lab.eucom.mil
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E2887EC-11FC-4600-989B-64E5AF3E156D}: Domain = lab.eucom.mil
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E2887EC-11FC-4600-989B-64E5AF3E156D}: NameServer = 192.168.100.10,137.95.3.19,136.95.3.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF4127F2-C836-44D3-8C5C-C92F853093AB}: Domain = lab.eucom.mil
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF4127F2-C836-44D3-8C5C-C92F853093AB}: NameServer = 192.168.100.10,137.95.3.19,137.95.3.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lab.eucom.mil
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lab.eucom.mil
O20 - AppInit_DLLs: csauser.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: CiscoSecure ACS Agent (ACSRemoteAgent) - Unknown owner - C:\Program Files\Cisco\CiscoSecure ACS Agent\CSAgent\CSAgent.exe
O23 - Service: Cisco Security Agent (CSAgent) - Unknown owner - C:\Program Files\Cisco Systems\CSAgent\bin\CSAControl.exe" -t c (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NAV\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DoubleScreenService - Diamond Multimedia Systems, Inc - C:\WINNT\System32\dsnthser.exe
O23 - Service: Intel Alert Handler - IntelŪ Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - IntelŪ Corporation - C:\WINNT\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - IntelŪ Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - IntelŪ Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Norton AntiVirus Server - Symantec Corporation - C:\Program Files\NAV\rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

    Advertisements

Register to Remove


#2 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 15 November 2005 - 04:21 AM

Need to see a full log please. :)

#3 mestro

mestro

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 15 November 2005 - 06:41 AM

Sorry but that is everything that was in the log file. The program created a log file on the desktop and I have just checked and this indeed the entire contents. M

#4 mestro

mestro

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 15 November 2005 - 07:41 AM

Here is the output from the latest run, this is all that is in the log:

Logfile of HijackThis v1.99.1
Scan saved at 2:23:32 PM, on 11/15/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NAV\defwatch.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dsnthser.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\cba\pds.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\NAV\rtvscan.exe
C:\Program Files\Cisco\CiscoSecure ACS Agent\CSLogAgent\CSLogAgent.exe
C:\Program Files\Cisco\CiscoSecure ACS Agent\CSWinAgent\CSWinAgent.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NAV\vptray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\One Guy Coding\Automachron\achron.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\system32\mmc.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\WINNT\system32\mmc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://concorde.lab.eucom.mil:2002/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [MaxInst] MaxInst
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NAV\vptray.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: Cisco Security Agent.lnk = C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {50F851B0-0BBE-11D2-A237-00C04FBBD1CD} (AvMediaMasterCtrl Class) - https://172.16.120.7...MediaMasENU.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lab.eucom.mil
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E2887EC-11FC-4600-989B-64E5AF3E156D}: Domain = lab.eucom.mil
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E2887EC-11FC-4600-989B-64E5AF3E156D}: NameServer = 192.168.100.10,137.95.3.19,136.95.3.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF4127F2-C836-44D3-8C5C-C92F853093AB}: Domain = lab.eucom.mil
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF4127F2-C836-44D3-8C5C-C92F853093AB}: NameServer = 192.168.100.10,137.95.3.19,137.95.3.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lab.eucom.mil
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lab.eucom.mil
O20 - AppInit_DLLs: csauser.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: CiscoSecure ACS Agent (ACSRemoteAgent) - Unknown owner - C:\Program Files\Cisco\CiscoSecure ACS Agent\CSAgent\CSAgent.exe
O23 - Service: Cisco Security Agent (CSAgent) - Unknown owner - C:\Program Files\Cisco Systems\CSAgent\bin\CSAControl.exe" -t c (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NAV\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DoubleScreenService - Diamond Multimedia Systems, Inc - C:\WINNT\System32\dsnthser.exe
O23 - Service: Intel Alert Handler - IntelŪ Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - IntelŪ Corporation - C:\WINNT\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - IntelŪ Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - IntelŪ Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Norton AntiVirus Server - Symantec Corporation - C:\Program Files\NAV\rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#5 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 15 November 2005 - 08:05 AM

Is this computor connected to Ford Motor Company :scratch:


Please download Ewido Security Suite it is a trial version of the program.
  • Install ewido security suite
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

Edited by little eagle, 15 November 2005 - 08:06 AM.


#6 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 15 November 2005 - 08:13 AM

Sorry but that is everything that was in the log file. The program created a log file on the desktop and I have just checked and this indeed the entire contents.

M

The running processes were not listed. :thumbup:

#7 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 26 November 2005 - 07:53 AM

open :D

Edited by little eagle, 01 December 2005 - 04:25 AM.


#8 mestro

mestro

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 01 December 2005 - 06:07 AM

Here is the log from ewidio. Mike --------------------------------------------------------- ewido security suite - Scan report --------------------------------------------------------- + Created on: 11:42:12 AM, 11/26/2005 + Report-Checksum: 903E5707 + Scan result: HKU\S-1-5-21-1004336348-162531612-682003330-500\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup C:\Documents and Settings\Administrator\Cookies\administrator@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup ::Report End

#9 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 01 December 2005 - 06:23 AM

Download System Security Suite v1.04 here
Tutorial here.

Run 3S under “Items To Clear” tab place a checkmark in all of them but the last.
Reboot and Rescan with HJT and post a new log here.
Also please describe how your computer behaves now.

#10 mestro

mestro

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 02 December 2005 - 07:52 AM

OK, here is the logfile from the latest HJT run after having run 3S and re-boot, the system is now running better, the winlogon process does not seem to be utilizing any CPU resources. I will watch the PC for the remained of the day....this is a domain controller in a lab, BTW. Would like to know what the issue was.

Logfile of HijackThis v1.99.1
Scan saved at 2:45:59 PM, on 12/2/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NAV\defwatch.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dsnthser.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\cba\pds.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Cisco\CiscoSecure ACS Agent\CSLogAgent\CSLogAgent.exe
C:\Program Files\Cisco\CiscoSecure ACS Agent\CSWinAgent\CSWinAgent.exe
C:\Program Files\NAV\rtvscan.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NAV\vptray.exe
C:\Program Files\One Guy Coding\Automachron\achron.exe
C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe
C:\WINNT\System32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\WINNT\system32\taskmgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://concorde.lab.eucom.mil:2002/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [MaxInst] MaxInst
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NAV\vptray.exe
O4 - Global Startup: Cisco Security Agent.lnk = C:\Program Files\Cisco Systems\CSAgent\bin\okclient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {50F851B0-0BBE-11D2-A237-00C04FBBD1CD} (AvMediaMasterCtrl Class) - https://172.16.120.7...MediaMasENU.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lab.eucom.mil
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E2887EC-11FC-4600-989B-64E5AF3E156D}: Domain = lab.eucom.mil
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E2887EC-11FC-4600-989B-64E5AF3E156D}: NameServer = 192.168.100.10,137.95.3.19,136.95.3.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF4127F2-C836-44D3-8C5C-C92F853093AB}: Domain = lab.eucom.mil
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF4127F2-C836-44D3-8C5C-C92F853093AB}: NameServer = 192.168.100.10,137.95.3.19,137.95.3.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lab.eucom.mil
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lab.eucom.mil
O20 - AppInit_DLLs: csauser.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: CiscoSecure ACS Agent (ACSRemoteAgent) - Unknown owner - C:\Program Files\Cisco\CiscoSecure ACS Agent\CSAgent\CSAgent.exe
O23 - Service: Cisco Security Agent (CSAgent) - Unknown owner - C:\Program Files\Cisco Systems\CSAgent\bin\CSAControl.exe" -t c (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NAV\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DoubleScreenService - Diamond Multimedia Systems, Inc - C:\WINNT\System32\dsnthser.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel Alert Handler - IntelŪ Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - IntelŪ Corporation - C:\WINNT\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - IntelŪ Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - IntelŪ Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Norton AntiVirus Server - Symantec Corporation - C:\Program Files\NAV\rtvscan.exe

    Advertisements

Register to Remove


#11 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 02 December 2005 - 08:14 AM

I will watch the PC for the remained of the day....this is a domain controller in a lab, BTW. Would like to know what the issue was.

Yes, also do you have any idea what O4 - HKLM\..\Run: [MaxInst] MaxInst is doesn't look right? can you do a search and see what file it is associated with.

#12 mestro

mestro

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 02 December 2005 - 08:40 AM

I have no idea what MAXINST is. How do I check to see what it is associated with?

#13 mestro

mestro

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 02 December 2005 - 08:45 AM

OK it is associated with a SW package for DSMMEDIA whihc also has some driver associated so I must assume it is a HW component.

#14 mestro

mestro

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 02 December 2005 - 08:48 AM

OK and one more instance of it is associated with NAV (Norton Anti-Virus). Things still seem fine.

#15 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 02 December 2005 - 09:35 AM

And the last log look fine :thumbup:

If there is no more that can be done we can close this thread.

Take a look at Tony Klein's article
So how did I get infected in the first place?

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users