Solved

Explorer.exe accesses tons of files after login.  Takes almost a minute for it to finish.

Posted on 2004-08-24
Last Modified: 2008-02-01
This computer boots up to the login screen in a normal amount of time.  However, once I log in, I find that the computer runs very sluggishly with apparently very heavy disk access.  This lasts upward to one minute.

I put Sysinternals' file access monitor in the startup folder and it showed that explorer.exe was accessing tons of files during this sluggish period.  I can't really determine if it's hitting every file on the HD, but it's a whole heck of a lot of them rather than a small subset over and over.

Once the computer gets past this initial condition, it operates normally in all regards never having another one of these "fits."

I've run Virus utilities and it always comes up clean.  I've also defragged the drive on more than one occasion with no notable improvement.

Thanks for your assistance.
AMP
Question by:AbsentMindedProf

15 Comments

Expert Comment

by:SheharyaarSaahil
Hello AbsentMindedProf =)

Download HijackThis v1.98.2, run it, Save the LOG file and Post it here:
http://tools.radiosplace.com/HijackThis.exe

Author Comment

by:AbsentMindedProf
I am new to EE so I don't know if there is a way to post the file as an attachment, so here are the contents of the log file:

Logfile of HijackThis v1.98.2
Scan saved at 9:22:38 AM, on 8/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\System32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
H:\WINDOWS\System32\snmp.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\Explorer.EXE
H:\PROGRA~1\SPYWAR~1\PPMemCheck.exe
H:\PROGRA~1\SPYWAR~1\PPControl.exe
H:\PROGRA~1\SPYWAR~1\CookiePatrol.exe
H:\PROGRA~1\WINPAT~1\WINPAT~1.EXE
H:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
H:\WINDOWS\system32\ntvdm.exe
H:\CLARION6\BIN\C60SRVX.EXE
H:\CLARION6\BIN\C60SRVX.EXE
H:\CLARION6\BIN\C60SRVX.EXE
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\rdpclip.exe
H:\WINDOWS\system32\logonui.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - H:\Program Files\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - H:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - H:\Program Files\Pop-Up Stopper\pstopper.dll
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "H:\Program Files\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PPMemCheck] H:\PROGRA~1\SPYWAR~1\PPMemCheck.exe
O4 - HKLM\..\Run: [Spyware X-terminator Control Center] H:\PROGRA~1\SPYWAR~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] H:\PROGRA~1\SPYWAR~1\CookiePatrol.exe
O4 - HKLM\..\Run: [WinPatrol Plus] H:\PROGRA~1\WINPAT~1\WINPAT~1.EXE
O4 - HKLM\..\Run: [ATIPTA] H:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - H:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - H:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - H:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - H:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - H:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - H:\WINDOWS\web\related.htm
O12 - Plugin for .spop: H:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://my.uo.com/fonts/tdserver.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} (CoDetectDigitalRiver Class) - http://ebot.digitalriver.com/v2.0-doc/dlwizard/wizard3.0.4.3.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021017/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4C2D6C46-6602-11D4-A5E3-444553540000} (Alice Control) - http://www.skotos.net/MarrachGame/Alice44.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/31776fd911264ec25905/netzip/RdxIE2.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {C3D96A02-EEA7-4264-98D7-D882A7338DE5} (Excite Installer Start) - http://downloads.excite.com/images/nocache/platinum/x8initialsetup1.0.0.2.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,4,0,4238/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer/104/rsinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFA24232-1CFC-4EB8-B22B-A3D56875D069}: NameServer = 207.44.96.129,204.186.0.201


Expert Comment

by:SheharyaarSaahil
Your LOG is clean, AbsentMindedProf..... that means the system is clean from all junk stuff!

So can you tell me if this problem has just started or...?
How much RAM are you using..... and when you go to Start>Run>msconfig>Startup,
click on Disable All, and restart, does the same problem still happen?

Author Comment

by:AbsentMindedProf
It has been happening on this PC for some months now, but the delay seems to be getting longer than when I first noticed it.  I assumed it got worse as the computer amassed more files on the HD.

RAM is 512Mb

I can only log in remotely to the computer right now, so I cannot check the msconfig idea (would be very hard to gauge the login delay from remote login)

But I can tell you that I think I have already tried this idea in the past with no improvement.  

If I bring up TaskManager while this is going on, Explorer shows some CPU usage but it's only a couple percent (<15%) during the boggy period.  The HD LED is on almost solid.

It's almost like Explorer.exe is "touching" every file on the HD.

I even tried an "alternate" shell called "Talisman Desktop" thinking it would take the place of explorer.exe, but that didn't work out either.

AMP

Expert Comment

by:SheharyaarSaahil
If it's the problem with explorer.exe then this problem should occur in Safe Mode also..... does it?

Author Comment

by:AbsentMindedProf
I will try that when I have direct access to the PC (later today) and post the results.

Thanks
AMP

Expert Comment

by:SheharyaarSaahil
sure no problem :)

!! Good Luck !!

Author Comment

by:AbsentMindedProf
same thing in safe mode

here's a sample from filemon's log (there's literally thousands of entries similar to this) :

9:24:53 PM      explorer.exe:1860      DIRECTORY      H:\Documents and Settings\jb\Start Menu\Programs\Clarion 5a Professional Edition\Online Manuals\      NO MORE FILES      FileBothDirectoryInformation      
9:24:53 PM      explorer.exe:1860      CLOSE      H:\Documents and Settings\jb\Start Menu\Programs\Clarion 5a Professional Edition\Online Manuals\      SUCCESS            
9:24:53 PM      explorer.exe:1860      OPEN      H:\Documents and Settings\jb\Start Menu\Programs\Clarion 5a Professional Edition\Tools\      SUCCESS      Options: Open Directory  Access: All      
9:24:53 PM      explorer.exe:1860      DIRECTORY      H:\Documents and Settings\jb\Start Menu\Programs\Clarion 5a Professional Edition\Tools\      SUCCESS      FileBothDirectoryInformation: *      
9:24:53 PM      explorer.exe:1860      DIRECTORY      H:\Documents and Settings\jb\Start Menu\Programs\Clarion 5a Professional Edition\Tools\      SUCCESS      FileBothDirectoryInformation      
9:24:53 PM      explorer.exe:1860      DIRECTORY      H:\Documents and Settings\jb\Start Menu\Programs\Clarion 5a Professional Edition\Tools\      NO MORE FILES      FileBothDirectoryInformation      
9:24:53 PM      explorer.exe:1860      CLOSE      H:\Documents and Settings\jb\Start Menu\Programs\Clarion 5a Professional Edition\Tools\      SUCCESS            
9:24:53 PM      explorer.exe:1860      OPEN      H:\Documents and Settings\jb\Start Menu\Programs\Clarion 6\      SUCCESS      Options: Open Directory  Access: All      
9:24:53 PM      explorer.exe:1860      DIRECTORY      H:\Documents and Settings\jb\Start Menu\Programs\Clarion 6\      SUCCESS      FileBothDirectoryInformation: *      
9:24:53 PM      explorer.exe:1860      DIRECTORY      H:\Documents and Settings\jb\Start Menu\Programs\Clarion 6\      SUCCESS      FileBothDirectoryInformation      
9:24:53 PM      explorer.exe:1860      DIRECTORY      H:\Documents and Settings\jb\Start Menu\Programs\Clarion 6\      NO MORE FILES      FileBothDirectoryInformation      
9:24:53 PM      explorer.exe:1860      CLOSE      H:\Documents and Settings\jb\Start Menu\Programs\Clarion 6\      SUCCESS            
9:24:53 PM      explorer.exe:1860      OPEN      H:\Documents and Settings\jb\Start Menu\Programs\Clarion 6\App Guides\      SUCCESS      Options: Open Directory  Access: All      
9:24:53 PM      explorer.exe:1860      DIRECTORY      H:\Documents and Settings\jb\Start Menu\Programs\Clarion 6\App Guides\      SUCCESS      FileBothDirectoryInformation: *      
9:24:53 PM      explorer.exe:1860      DIRECTORY      H:\Documents and Settings\jb\Start Menu\Programs\Clarion 6\App Guides\      SUCCESS      FileBothDirectoryInformation      
9:24:53 PM      explorer.exe:1860      DIRECTORY      H:\Documents and Settings\jb\Start Menu\Programs\Clarion 6\App Guides\      NO MORE FILES      FileBothDirectoryInformation      
9:24:53 PM      explorer.exe:1860      CLOSE      H:\Documents and Settings\jb\Start Menu\Programs\Clarion 6\App Guides\      SUCCESS            
9:24:53 PM      explorer.exe:1860      OPEN      H:\Documents and Settings\jb\Start Menu\Programs\Clarion 6\App Guides\Biz Rules\      SUCCESS      Options: Open Directory  Access: All      
9:24:53 PM      explorer.exe:1860      DIRECTORY      H:\Documents and Settings\jb\Start Menu\Programs\Clarion 6\App Guides\Biz Rules\      SUCCESS      FileBothDirectoryInformation: *      
9:24:53 PM      explorer.exe:1860      DIRECTORY      H:\Documents and Settings\jb\Start Menu\Programs\Clarion 6\App Guides\Biz Rules\      SUCCESS      FileBothDirectoryInformation      
9:24:53 PM      explorer.exe:1860      DIRECTORY      H:\Documents and Settings\jb\Start Menu\Programs\Clarion 6\App Guides\Biz Rules\      NO MORE FILES      FileBothDirectoryInformation      
9:24:53 PM      explorer.exe:1860      CLOSE      H:\Documents and Settings\jb\Start Menu\Programs\Clarion 6\App Guides\Biz Rules\      SUCCESS            
9:24:53 PM      explorer.exe:1860      OPEN      H:\Documents and Settings\jb\Start Menu\Programs\Clarion 6\Docs\      SUCCESS      Options: Open Directory  Access: All      
9:24:53 PM      explorer.exe:1860      DIRECTORY      H:\Documents and Settings\jb\Start Menu\Programs\Clarion 6\Docs\      SUCCESS      FileBothDirectoryInformation: *      
9:24:53 PM      explorer.exe:1860      DIRECTORY      H:\Documents and Settings\jb\Start Menu\Programs\Clarion 6\Docs\      SUCCESS      FileBothDirectoryInformation      
9:24:53 PM      explorer.exe:1860      DIRECTORY      H:\Documents and Settings\jb\Start Menu\Programs\Clarion 6\Docs\      NO MORE FILES      FileBothDirectoryInformation      
9:24:53 PM      explorer.exe:1860      CLOSE      H:\Documents and Settings\jb\Start Menu\Programs\Clarion 6\Docs\      SUCCESS            
9:24:53 PM      explorer.exe:1860      OPEN      H:\Documents and Settings\jb\Start Menu\Programs\Clarion 6\Docs\WhitePapers\      SUCCESS      Options: Open Directory  Access: All      
9:24:53 PM      explorer.exe:1860      DIRECTORY      H:\Documents and Settings\jb\Start Menu\Programs\Clarion 6\Docs\WhitePapers\      SUCCESS      FileBothDirectoryInformation: *      
9:24:53 PM      explorer.exe:1860      DIRECTORY      H:\Documents and Settings\jb\Start Menu\Programs\Clarion 6\Docs\WhitePapers\      SUCCESS      FileBothDirectoryInformation      
9:24:53 PM      explorer.exe:1860      DIRECTORY      H:\Documents and Settings\jb\Start Menu\Programs\Clarion 6\Docs\WhitePapers\      NO MORE FILES      FileBothDirectoryInformation      

~lines omitted~

9:24:56 PM      explorer.exe:1860      QUERY INFORMATION      H:\Program Files\Talisman 2\talisman.exe      SUCCESS      Attributes: A      
9:24:56 PM      explorer.exe:1860      QUERY INFORMATION      H:\Program Files\Talisman 2\talisman.chm      SUCCESS      Attributes: A      
9:24:56 PM      explorer.exe:1860      QUERY INFORMATION      H:\Program Files\Trillian\readme.txt      SUCCESS      Attributes: A      
9:24:56 PM      explorer.exe:1860      QUERY INFORMATION      H:\Program Files\Trillian\trillian.exe      SUCCESS      Attributes: A      
9:24:56 PM      explorer.exe:1860      QUERY INFORMATION      H:\Program Files\Tweak-XP Pro\Help\help.htm      SUCCESS      Attributes: A      
9:24:56 PM      explorer.exe:1860      QUERY INFORMATION      H:\Program Files\Tweak-XP Pro\Mailord.url      SUCCESS      Attributes: A      
9:24:56 PM      explorer.exe:1860      QUERY INFORMATION      H:\Program Files\Tweak-XP Pro\Order.url      SUCCESS      Attributes: A      
9:24:56 PM      explorer.exe:1860      QUERY INFORMATION      H:\WINDOWS\system32\msiexec.exe      SUCCESS      Attributes: A      
9:24:56 PM      explorer.exe:1860      QUERY INFORMATION      H:\Program Files\Tweak-XP Pro\Home.url      SUCCESS      Attributes: A      
9:24:56 PM      explorer.exe:1860      QUERY INFORMATION      H:\Program Files\Ulead VideoStudio 5.0\Readme.hlp      SUCCESS      Attributes: A      

....and so on.



Expert Comment

by:pretendergnd
I am having the same problem.  Did you get an answer?

Author Comment

by:AbsentMindedProf
Unfortunately, no.  

I won't say I'm *glad* that you're having the same problem, but it is a little comforting that I'm not the only one.  It makes me feel like I'm not crazy :)

Have you tried anything to correct the problem?  I've tried turning off various services, including Indexing, but nothing seems to make any difference.

AMP

Expert Comment

by:SheharyaarSaahil
What you can do is you people can compare the installed programs, hardware and HijackThis LOGS of your systems, and check what the similarity is.... that can narrow down the problem I think :-?

Author Comment

by:AbsentMindedProf
Unfortunately, the PC that exhibits the problem has a multitude of programs installed (The start menu has three columns when expanded!)

The thing that makes it such a peculiar problem (I would think) is the fact that it is explorer.exe that is doing all the file accessing.

AMP


Expert Comment

by:pretendergnd
I have basically tried all the same things you have and gotten the same result.  I unfortunately only get windows of opportunity to work on this person's machine so I cannot run HijackThis until I get another window.  My filemon log has a lot of entries that look like:

7400      5:47:23 PM      explorer.exe:3044      CLOSE      C:\      SUCCESS            
7401      5:47:23 PM      explorer.exe:3044      OPEN      F:\      SUCCESS      Options: Open  Access: All      
7402      5:47:23 PM      explorer.exe:3044      CLOSE      F:\      SUCCESS            
7403      5:47:23 PM      explorer.exe:3044      OPEN      F:\      SUCCESS      Options: Open  Access: All      
7404      5:47:23 PM      explorer.exe:3044      CLOSE      F:\      SUCCESS            
7405      5:47:23 PM      explorer.exe:3044      OPEN      G:\      SUCCESS      Options: Open  Access: All      
7406      5:47:23 PM      explorer.exe:3044      CLOSE      G:\      SUCCESS            
7407      5:47:23 PM      explorer.exe:3044      OPEN      G:\      SUCCESS      Options: Open  Access: All      
7408      5:47:23 PM      explorer.exe:3044      CLOSE      G:\      SUCCESS            

Which are a little different than yours that seem to actually go to a particular path.  I have spent a lot of time running spyware, adware and virus software as well as shutting down services but it still persists.  I think we are going to have to reformat :(.

Author Comment

by:AbsentMindedProf
pretendergnd, any new developments on this subject for you?

Accepted Solution

by:pretendergnd

No.  We reformatted the machine.  I can only hope that it will not happen again.
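
Both Filemon excerpts in this thread raise the same question: which process is touching which part of the disk, and whether it is a few paths hit repeatedly or many different ones. The script below is an added example, not something posted by any participant; the sample lines are constructed in the same layout, and `parse_line`, `tree_prefix` and `summarize` are hypothetical names.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample in the Filemon text layout quoted in the thread:
# time, process:pid, request, path, result, other. The F: line carries the
# leading sequence number seen in the second poster's excerpt.
SAMPLE = r"""
9:24:53 PM      explorer.exe:1860      OPEN      H:\Documents and Settings\user\Start Menu\Programs\AppA\      SUCCESS      Options: Open Directory  Access: All
9:24:53 PM      explorer.exe:1860      DIRECTORY      H:\Documents and Settings\user\Start Menu\Programs\AppA\      NO MORE FILES      FileBothDirectoryInformation
9:24:53 PM      explorer.exe:1860      CLOSE      H:\Documents and Settings\user\Start Menu\Programs\AppA\      SUCCESS
9:24:56 PM      explorer.exe:1860      QUERY INFORMATION      H:\Program Files\AppB\readme.txt      SUCCESS      Attributes: A
9:24:56 PM      explorer.exe:1860      QUERY INFORMATION      H:\Program Files\AppC\appc.exe      SUCCESS      Attributes: A
7401      5:47:23 PM      explorer.exe:3044      OPEN      F:\      SUCCESS      Options: Open  Access: All
this line is not a Filemon record
"""

FIELD_SEP = re.compile(r"\s*\t\s*| {2,}")  # tabs in a saved log, space runs when pasted
PROC = re.compile(r"^(?P<image>.+):(?P<pid>\d+)$")


def parse_line(line):
    """Return one Filemon record as a dict, or None if the line is not a record."""
    fields = FIELD_SEP.split(line.strip())
    if fields[0].isdigit():  # optional sequence-number column
        fields = fields[1:]
    if len(fields) < 5:
        return None
    proc = PROC.match(fields[1])
    if proc is None:
        return None
    return {"time": fields[0], "image": proc["image"].lower(),
            "pid": int(proc["pid"]), "request": fields[2],
            "path": fields[3], "result": fields[4]}


def tree_prefix(path, depth):
    """Collapse a path to its first `depth` components (the drive root is one)."""
    parts = PureWindowsPath(path).parts
    return str(PureWindowsPath(*parts[:depth]))


def summarize(text, depth=2):
    """Count events per (image, pid, directory tree) and per request type."""
    by_tree, by_request, paths, skipped = Counter(), Counter(), set(), 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        by_tree[(rec["image"], rec["pid"], tree_prefix(rec["path"], depth))] += 1
        by_request[rec["request"]] += 1
        paths.add(rec["path"].lower())
    # A small fixed distinct_paths means the same paths are re-read;
    # a count that keeps growing with the log means a walk across the disk.
    return {"by_tree": by_tree, "by_request": by_request,
            "events": sum(by_request.values()),
            "distinct_paths": len(paths), "skipped": skipped}


if __name__ == "__main__":
    report = summarize(SAMPLE)
    for (image, pid, tree), n in report["by_tree"].most_common():
        print(f"{n:6d}  {image}:{pid}  {tree}")
    print(report["events"], "events,", report["distinct_paths"], "distinct paths")
```

Run against a full saved log, raising `depth` narrows the busiest tree step by step, for example from `H:\Documents and Settings` down to a single Start Menu folder.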
