Dear Forum Members,
I ran into this problem just recently. So I ran Spybot to check for anything which it came up clean, but my CPU still was at 100% usage with nothing else running. Winlogon.exe was running 99% cpu usage and is un killable from the task manager. The usage would stop if the net connection (ethernet) was disabled. Also Active ports showed that port 25 was being openned by netlogon to different ip's. After some looking on the net. I found out that winlogon can be hijacked by a dll to do almost anything. I quickly searched the windows directory tree for dlls created in the past week, and found msctl32.dll this seems to be from its name a Microsoft named file. This is to mislead newbies from deleting the file. This file came in from a exe file I ran that was loaded with malware/trojans/spyware/adware that I thought had all be stopped by teatimer and Avast. All except this new one. I can send the registry entry this new malware file to SpyBot for the next definition update along with the dll. Killbox is about the only way to kill this running task without killing the registry key, reboot, kill the file, reboot of XP.
This file is not detected yet by Avast as a trojan, but will soon. I suspect that almost all AV's will not detect the file as a trojan either. File attached Hope this helps some people.
Last edited by tashi; 2005-11-22 at 22:29.
Reason: Removed attachment