Another Hijackthis log, Winlogon at 50% CPU

Problem: takes too long to log in. 30 minutes and then the winlogon process uses 50% of CPU

Here is log file... Is there anything needed?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:03:30 PM, on 8/28/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\VMware\VMware Tools\vmacthlp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Report2web\Admin\AppToService.exe
E:\Report2web\Admin\AppToService.exe
E:\Report2web\Admin\CoDPublishing.exe
E:\Report2web\Admin\AppToService.exe
E:\Report2web\Admin\r2wMaintenanceService.exe
E:\Report2web\Admin\AppToService.exe
E:\Report2web\Admin\r2wBurst.exe
C:\WINDOWS\system32\nfsclnt.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
E:\Report2web\Admin\r2wWebMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$QUESTRMEX\Binn\sqlservr.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\VMware\VMware Converter\vmware-ufad.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\VMware\VMware Tools\VMwareService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\svchost.exe
D:\SFU\Mapper\mapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insummit.com
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O4 - HKLM\..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1974957475-1412045639-1617787245-25345\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'summitsvc')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.insummit.com
O15 - ESC Trusted Zone: http://b.casalemedia.com
O15 - ESC Trusted Zone: http://analytics.live.com
O15 - ESC Trusted Zone: http://www.msn.com
O15 - ESC Trusted Zone: http://www.snapfile.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = removed
O17 - HKLM\Software\..\Telephony: DomainName = removed
O17 - HKLM\System\CCS\Services\Tcpip\..\{226A427C-25E2-4DE1-BA02-E151B67B5048}: NameServer = removed
O17 - HKLM\System\CCS\Services\Tcpip\..\{87AA1E24-C0D2-4901-8B86-772CBDCF15D8}: NameServer = removed
O17 - HKLM\System\CCS\Services\Tcpip\..\{BDBD2A23-64B0-4E81-B09E-12870437D529}: NameServer = removed
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = removed
O17 - HKLM\System\CS1\Services\Tcpip\..\{226A427C-25E2-4DE1-BA02-E151B67B5048}: NameServer = removed
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = removed
O17 - HKLM\System\CS2\Services\Tcpip\..\{226A427C-25E2-4DE1-BA02-E151B67B5048}: NameServer = removed
O23 - Service: Report2Web CoD Publishing (AppToService_Report2Web CoD Publishing) - Basta Computing - E:\Report2web\Admin\AppToService.exe
O23 - Service: Report2Web Maintenance Service (AppToService_Report2Web Maintenance Service) - Basta Computing - E:\Report2web\Admin\AppToService.exe
O23 - Service: Report2Web Report Burster (AppToService_Report2Web Report Burster) - Basta Computing - E:\Report2web\Admin\AppToService.exe
O23 - Service: Report2Web Report Router (AppToService_Report2Web Report Router) - Basta Computing - E:\Report2web\Admin\AppToService.exe
O23 - Service: Report2Web Web Monitor (AppToService_Report2Web Web Monitor) - Basta Computing - E:\Report2web\Admin\AppToService.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\..\BM\TMBMSRV.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: TSM Scheduler Service - IBM Corporation - C:\Program Files\Tivoli\TSM\baclient\dsmcsvc.exe
O23 - Service: VMware Converter Service (ufad-p2v) - VMware, Inc. - C:\Program Files\VMware\VMware Converter\vmware-ufad.exe
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe
O23 - Service: VMware Physical Disk Helper Service - Unknown owner - C:\Program Files\VMware\VMware Tools\vmacthlp.exe

--
End of file - 6332 bytes

Did you install all the Report2web stuff that includes AppToService.exe? I don't know why turning an app into a service would be something that you would want to do.

I have the same question for r_server.exe. Did you install that too? If not delete it.

I also see in O17 that the nameserver was removed. Was the machine on a domain at one time & isn't anymore?

This was a server prior to me being at the company so I inherited the issue. This is a old system that is kept turned on for historical data only.

I will look at the AppToService.exe and r_server.exe to see if they are needed anylonger.

The computer is still on the domain, but i wonder if someone deleted the computer account then recreated it so the server would have different SID...

I will keep you posted...

I thought we lost you for a couple of weeks. Since you inherited the problem, suggest that they move the historical data & remove the machine.

Found the problem on this server. It was setup as a virtual and had paravirtuliation turned on, once it was turned off the CPU went back to normal. Thank you everyone for your help and suggestions.