Computer Runs Slowly and the Winlogon Process Uses a High Percentage of CPU Resources (329897)


The information in this article applies to:

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
This article was previously published under Q329897

SYMPTOMS

When you run Windows 2000 or Windows 2000-based programs, you may experience one or more of the following issues:
  • Windows and Windows-based programs run very slowly.
  • Documents do not open correctly, or when they open, they do not contain all of the expected content.
  • You cannot start Windows Task Manager.

    NOTE: To start Task Manager, right-click a blank area on the taskbar, and then click Task Manager.
  • If you can start Task Manager, you notice that the Winlogon process uses a very high percentage of available CPU resources.
  • Your antivirus program no longer runs.

CAUSE

You may experience one or more of these issues if your computer is infected with a variant of the W32.Klez worm program (virus).

RESOLUTION

Microsoft does not provide software that can detect or remove computer viruses. If you suspect or confirm that your computer is infected with a virus, obtain current antivirus software. For a list of antivirus software manufacturers, click the following article number to see the article in the Microsoft Knowledge Base:

49500 List of Antivirus Software Vendors

MORE INFORMATION

To determine whether the W32.Klez worm program is running on your computer, follow these steps:
  1. Quit all running programs, and then restart Windows in Safe mode. To start Windows in Safe mode, follow these steps:
    1. Press F8 after the computer performs its Power On Self Test (POST).
    2. On the Windows 2000 Advanced Options menu that appears, use the ARROW keys to select Safe Mode, and then press ENTER.
    3. Select the operating system to start, and then press ENTER.
  2. Log on to Windows, click Start, click Run, type services.msc in the Open box, and then click OK.
  3. Browse the list of running services for the following service

    WINKxxx.EXE

    where xxx is two to three random characters appended to the word "WINK" -- for example, WINKAP.EXE, WINKZFU.EXE, or WINKNWK.EXE.
If this service is listed, the computer may be infected with a variant of the Klez worm program.

NOTE: In many cases, you will have to reinstall your antivirus program after you remove this worm program.

The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

Modification Type:MajorLast Reviewed:1/25/2005
Keywords:kbprb KB329897
©2004 Microsoft Corporation. All rights reserved.