I remember a Virus/Spyware thing that caused similar issues in my office. Here are my notes:

The virus creates two random-named files (probably in %systemroot%\system32), filename.dll and filename.cpy.dll -- easy to check for an infection by searching for *.cpy.dll. It also creates (and tightly protects) the registry hive HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian.

To get rid of it:
- Reboot the machine and don't log on to it.
- Go to another workstation, run \\machinename\c$ (to the infected machine) and delete the offending files. Get both filename.cpy.dll and filename.dll.
- Log on to the infected machine and delete the above registry key.

On a non-networked machine, here are some instructions that work.
- Go to regedit (regedt32 in 2K)
- Expand: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian and make a note of the file name there, in System32. (You could just search for *.cpy.dll in system32 folder)
- RightClick (security menu->permissions in 2K) permissions, uncheck box: "Allow inheritable permissions"..
- Hit ok, and REMOVE on next prompt.
- Restart computer!
- Find and delete the <file> that was in that key along with its companion from System32: <file name>.cpy.dll
- Go back to registry editor, recheck the permissions box on that key, right click Delete the 'Guardian' folder.

________________________________
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Ruud Bransen
Sent: Wednesday, July 21, 2004 3:25 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Users can't logoff, admins can; winlogon.exe taking all cpu time

Login times are fine. It's just logging off that never happens.

Regards,
Ruud Bransen
Databalk bv

________________________________
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Newman, Phil
Sent: Tuesday 20 July 2004 18:23
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Users can't logoff, admins can; winlogon.exe taking all cpu time

Sounds like you need the post SP4 patches to slow out the slow login times

________________________________
From: Ruud Bransen [mailto:R.Bransen@xxxxxxxxxxx]
Sent: 20 July 2004 16:32
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Users can't logoff, admins can; winlogon.exe taking all cpu time

Environment:
Windows 2000 SP4 domain controller with roaming user profiles
Windows 2000 SP4 / Citrix MF XP 1.0 SP3 FR3

And this issue:
"Normal" users can not log off, once the user is a member of the Domain Admins, the user logs off normally. After logging off the session hangs at the "Closing network connections" message. If I disconnect the network connections manually, it hangs without this message (so just W2K blue). The Winlogon process takes the complete CPU time even after logging off the user through CMC or Terminal Server Manager. After logging off the user through CMC, the user profile is still on the Terminal Server and "in use" as it can not be deleted till the server has rebooted.

I tried
- the policy "Do not check for ownership of roaming profiles" (or something similar)
- changing permissions at the "Documents and Settings" folder
- installing all updates at Windows update

Can anyone help out?

Regards,
Ruud Bransen
Databalk bv
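
The file check from the notes at the top of this thread, as an added example that is not part of any poster's message: it lists each *.cpy.dll in a system32 directory together with its companion .dll and records SHA-256 hashes before anything is deleted. It assumes Python on a separate workstation with the directory reachable (for example over the admin share used in the notes); the function names and the demo file names are made up for illustration.

```python
import hashlib
import tempfile
from pathlib import Path, PureWindowsPath

SUFFIX = ".cpy.dll"  # marker suffix from the notes in this thread

def sha256_of(path):
    """Hash a file in chunks so large DLLs are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def find_cpy_pairs(system32):
    """One record per *.cpy.dll directly in system32, plus its companion .dll if present."""
    # Windows file names are case-insensitive, so compare on lowercased names.
    files = {p.name.lower(): p for p in Path(system32).iterdir() if p.is_file()}
    findings = []
    for name in sorted(files):
        if not name.endswith(SUFFIX) or name == SUFFIX:
            continue
        companion = files.get(name[: -len(SUFFIX)] + ".dll")
        findings.append({
            "cpy": files[name].name,
            "cpy_sha256": sha256_of(files[name]),
            "companion": companion.name if companion else None,  # None: no matching .dll found
            "companion_sha256": sha256_of(companion) if companion else None,
        })
    return findings

def matching_noted_name(findings, noted):
    """Findings whose companion matches the file name noted from the Guardian key."""
    wanted = PureWindowsPath(noted).name.lower()
    return [f for f in findings if (f["companion"] or "").lower() == wanted]

def demo():
    """Run against a constructed directory; the file names and contents are made up."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in [("Qxzrt.dll", b"a"), ("qxzrt.cpy.dll", b"b"),
                           ("orphan.cpy.dll", b"c"), ("kernel32.dll", b"d")]:
            (Path(d) / name).write_bytes(data)
        return find_cpy_pairs(d)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point `find_cpy_pairs` at the real system32 path and keep the output with the incident notes; a record with no companion means only one of the two files is present.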