Solved

System running VERY slow - Urgent need help!

Posted on 2004-09-07
18,436 Views
Last Modified: 2008-01-09
The computer is a Dell something or other pre-loaded with Win 2k pro.
The system is operating VERY slowly and the HD is constantly active.

I need to get it working properly again by the end of the day.

In an effort to resolve the trouble I have done the following and still have the same problem:

Defrag and scan disk - no help

Spybot S&D scan w/updated definitions – found some items and removed but still no help

Norton A/V w/updated definitions – negative results

Turned off sharing of C: - upon re-boot the drive was again set to shared. (the PC is stand-alone, not networked)

Turned off indexing service – this did seem to help, but the next day, the machine was running slow again.

I did a repair of the OS using the install CD – still have the same problem.

The system will not allow me to shut down any running process through Task Manager, but I can boot into safe mode with no problems.

I am not familiar with Win 2k pro and I need advice.

All suggestions are greatly appreciated – this has become an urgent matter.

Thanks in advance.
Question by:Analog_Kid
84 Comments
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 20 total points
perhaps this would have been better posted in the Windows 2000 TA?
0
 
LVL 57

Expert Comment

by:Pete Long
Is it the PC in general or network operation - or is it just pants generally?
0
 
LVL 4

Author Comment

by:Analog_Kid
Duh! Stupid me, I posted in the wrong area. I've asked that the question be moved.

Anyway, the machine is not connected to a network of any kind. What do you mean by pants?

Thanks for your help.
0
 
LVL 4

Author Comment

by:Analog_Kid
Oh, it does have AOL for connecting to the Internet.
0
 
LVL 9

Expert Comment

by:jdeclue
Please post a list of the running processes from the task manager.

J
0
 
LVL 3

Assisted Solution

by:hehewithbrackets
hehewithbrackets earned 40 total points
C$ is a default share and cannot be removed.

How much space does your hard drive have left?

Are there any processes using up a lot of system resources?  What processes are you trying to shut down and are unable to?

When was the virus software added to the system?  If you added virus software after the system was infected, it may not be working properly.
0
 
LVL 20

Expert Comment

by:Debsyl99
Hi, first download this and click scan - don't fix anything first, just post the logfile here:
http://tools.radiosplace.com/HijackThis.exe

Deb :))
0
 
LVL 4

Author Comment

by:Analog_Kid
>>post a list of the running processes

I don't have access to it at this very moment, so I can't say. But it is a huge list. Is there a way to thin that out to the absolute bare minimum?

>>How much space does your hard drive have left?

It's nearly completely empty - only 10% or so used.

>>Are there any processes using up a lot of system resources?  
I don't know. How do I find that info?

>>...If you added virus software after the system was infected...

I don't think that is the case. The machine is a friend's, but I am aware that he has had Norton A/V installed ever since he bought the machine and this problem is recent.
0
 
LVL 20

Expert Comment

by:Debsyl99
It's probably best to rule out any nasties before trying any further system fixes or repairs, particularly given the fact that you've already found some. Unfortunately Norton is missing stacks of Trojans as of late, hence try a scan with the following

Trend Online Scanner
http://housecall.trendmicro.com/

Panda
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Let us know what you find,

Deb :))
0
 
LVL 20

Expert Comment

by:Debsyl99
To post running processes - In hijackthis click config ->Misc Tools -> Open process manager. Then check the "show dll's" on the right of the screen, click refresh, then click the little floppy disk icon which will allow you to save the process list to a text file. Post that text file here too...

Deb :))
0
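Debsyl99's instructions above export the process manager list as a text file with one line per process (full path, file version, company name, separated by runs of whitespace), which is how Analog_Kid's processlist.txt later in this thread looks. The following script is an added example, not code from the thread, from HijackThis or from Experts Exchange; it parses that layout and applies the checks a reviewer runs by eye over such a list: a core system file name (smss.exe, svchost.exe, explorer.exe and so on) running outside the Windows directory, binaries running from a user profile or temp folder, and binaries with no version or company information. The sample export below is constructed for the example (the Temp\svchost.exe line is an invented anomaly, and C:\WINNT as the system root is an assumption for Windows 2000).

```python
"""Triage a HijackThis process-manager export (processlist.txt).

Added example; not code from the thread or from HijackThis. It assumes the
export layout the thread's processlist.txt uses: a header line beginning
"[full path to filename]", then one process per line with the path, file
version and company separated by two or more spaces (or tabs), optionally
followed by "DLLs loaded by process ..." blocks that are not needed here.
"""
import re
from dataclasses import dataclass

# Constructed sample in the export layout. The Temp\svchost.exe entry is an
# invented anomaly added to show what a finding looks like.
SAMPLE = r"""Process list saved on 6:47:22 PM, on 9/7/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

[full path to filename]            [file version]      [company name]
C:\WINNT\System32\smss.exe            5.0.2195.6601      Microsoft Corporation
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe            1.0.3.4      Symantec Corporation
C:\WINNT\wanmpsvc.exe            7.0.0.2      America Online, Inc.
C:\Documents and Settings\ian1\Desktop\HijackThis.exe            1.98.0.2      Soeperman Enterprises Ltd.
C:\Documents and Settings\ian1\Local Settings\Temp\svchost.exe            unknown      

DLLs loaded by process C:\WINNT\System32\smss.exe:
"""

SYSTEM_ROOT = "c:\\winnt"  # assumption: default Windows 2000 system root
# File names that only ever legitimately run from the system root/system32.
CORE_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
              "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe"}
CORE_DIRS = (SYSTEM_ROOT + "\\system32\\", SYSTEM_ROOT + "\\")
# Locations from which a running binary is unremarkable on this box.
TRUSTED_DIRS = (SYSTEM_ROOT + "\\", "c:\\program files\\")


@dataclass
class Proc:
    path: str
    version: str
    company: str


def parse_processlist(text: str) -> list[Proc]:
    """Return the processes from the top-level table of the export."""
    procs: list[Proc] = []
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("DLLs loaded by process"):
            break  # per-process DLL blocks follow; the table is finished
        if line.startswith("[full path to filename]"):
            in_table = True
            continue
        if not in_table or not line:
            continue
        # Paths may contain single spaces; columns are separated by 2+ spaces or tabs.
        fields = re.split(r"\t+|\s{2,}", line)
        path = fields[0]
        version = fields[1] if len(fields) > 1 else ""
        company = fields[2] if len(fields) > 2 else ""
        procs.append(Proc(path, version, company))
    return procs


def triage(procs: list[Proc]) -> list[tuple[str, str]]:
    """Return (path, reason) pairs that deserve a closer look; [] means nothing odd."""
    findings: list[tuple[str, str]] = []
    for p in procs:
        low = p.path.lower()
        name = low.rsplit("\\", 1)[-1]
        folder = low[: len(low) - len(name)]
        if name in CORE_NAMES and folder not in CORE_DIRS:
            findings.append((p.path, "core system file name running outside the system directory"))
        elif name in CORE_NAMES and "microsoft" not in p.company.lower():
            findings.append((p.path, "core system file name without a Microsoft company string"))
        elif not low.startswith(TRUSTED_DIRS):
            findings.append((p.path, "running from a user-profile or temp location"))
        if not p.version or not p.company:
            findings.append((p.path, "no version/company information in the binary"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(parse_processlist(SAMPLE)):
        print(f"{path}\n    -> {reason}")
```

Note that a finding is a prompt for a human, not a verdict: HijackThis.exe itself is flagged here simply because it was run from the Desktop, which is exactly what the thread asked for, while the invented Temp\svchost.exe is the kind of entry that warrants checking the file's properties and the autorun entry that launched it.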
 
LVL 3

Expert Comment

by:hehewithbrackets
I would recommend running the utilities that Debsyl99 has listed.

To check processes, you can use Task Manager.  You said that the list is huge, how many processes are currently running?

When you boot into 'safe mode with no problems', do you mean that the computer doesn't run slow in safe mode?
0
 
LVL 4

Author Comment

by:Analog_Kid
Correct. In safe mode, all seems to be in order.

I see you need more info than I can provide, so I will d/l those and post here later. This could take a while as the machine is 10 miles from my location. I'll do my best to get you the info you need asap.

Meanwhile, if there is any other information that would be helpful, or if you have an idea of what else I can look at while I'm there, I'd be grateful.
0
 
LVL 9

Expert Comment

by:jdeclue
Is this a XEON 32bit or Itanium 64 bit. The XEON uses Extended Memory 64, this is an extension and is not a 64 bit processor. The processor is an IA-32, which is a 32 bit processor. Unless your workstation is running with more than 4 GB ram and you have applications that can utilize pages larger than 2GB, you should not be running the x64 version of Windows 2003. So unless you have applications that are specifically written to take advantage of the Extended Memory 64, and more than 4 GB of ram in the workstations, you should go back to Windows XP Professional. The OS should run faster on your machine than Server 2003(64) on the XEON.

J
0
 
LVL 9

Expert Comment

by:jdeclue
Sorry I posted to the wrong thread!? ;)

J
0
 
LVL 16

Expert Comment

by:robrandon
To get the process list, just go to a DOS prompt and type TASKLIST.  Paste the info here.  If you want to save it out to a text file, you can run this TASKLIST > c:\tasklist.txt  
0
 
LVL 20

Expert Comment

by:Debsyl99
To post processes just follow the instructions in my posts - easier and makes sure dll's are posted too.


Deb :))

P.S Good one JD ;-)
0
 
LVL 16

Expert Comment

by:robrandon
Deb, not going to argue, but that requires the installation of software...
0
 
LVL 3

Expert Comment

by:hehewithbrackets
I don't think TASKLIST is an .exe that comes with Windows by default.  I don't have it on my system.
0
 
LVL 16

Expert Comment

by:robrandon
Oops.  It's for WinXP.  My bad.
0
 
LVL 9

Expert Comment

by:jdeclue
It is an XP tool, and a great one... If you are running XP, it is a very easy thing to do. Rob has a good point, as it can be run in about 10 seconds and posted. Might as well do both.



J
0
 
LVL 20

Expert Comment

by:Debsyl99
It's not really like I'm asking for a fresh install of Office!!! (sighs - has had a long day..)

It requires the installation of hijackthis which let's face it is pretty small (183k) and takes up minimal system resources (about 5k - cmd takes about 2.5k). It will also enable us to have a good look at what's running on the system and will show dll's which tasklist won't show and their authors and versions. We'll also get to have a look at various areas of the registry notorious for targeting by spyware and enable us to fix it where necessary - so it will kill a lot of birds with one stone, and if for whatever reason it doesn't lead to a direct fix, it will at least enable us to rule things out.

But if Analog Kid doesn't want to use it, it's his choice ;-)) Better than manually posting various areas of the registry, because if we do identify running processes that are malware related we're going to have to kill them properly (ie via the execs and reg entries) which again you can do with hijackthis. Why don't you check it out? It's quite useful,

Deb :))

0
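Debsyl99's point above is that a HijackThis StartupList report covers the registry areas spyware targets, so the log can be checked systematically rather than by scrolling. The following script is an added example, not code from the thread, from HijackThis or from Experts Exchange; it parses the StartupList 1.52 layout that Analog_Kid's log later in the thread uses (sections separated by dashed lines, "Autorun entries from Registry:" blocks, "File association entry for .EXT:" blocks and the "Checking for EXPLORER.EXE instances:" block) and applies three of the checks an analyst applies to such a log: an autorun entry launching a binary from a user profile or temp folder, an .EXE/.COM/.BAT/.PIF/.SCR open command that is not the stock `"%1" %*` (or `"%1" /S` for .SCR), and a second Explorer.exe present anywhere other than the system root. The sample report is constructed for the example; the Updater entry, the altered .EXE association and the extra C:\Explorer.exe are invented anomalies, and C:\WINNT as the system root is an assumption for Windows 2000.

```python
"""Check the StartupList sections that are most often tampered with.

Added example; not code from the thread, from HijackThis or from Experts
Exchange. Assumes the StartupList 1.52 report layout shown in the thread.
"""
import re

# Stock (Default) open commands for the shell types StartupList reports.
EXPECTED_ASSOC = {
    ".EXE": '"%1" %*',
    ".COM": '"%1" %*',
    ".BAT": '"%1" %*',
    ".PIF": '"%1" %*',
    ".SCR": '"%1" /S',
}
GENUINE_EXPLORER = "C:\\WINNT\\Explorer.exe"          # assumption: Windows 2000 default
TRUSTED_PREFIXES = ("c:\\winnt\\", "c:\\program files\\")

# Constructed sample report; Updater, wrap.exe and C:\Explorer.exe are invented anomalies.
SAMPLE = r"""StartupList report, 9/7/2004, 6:48:37 PM
==================================================

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Updater = C:\Documents and Settings\ian1\Local Settings\Temp\updater.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = C:\WINNT\Temp\wrap.exe "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINNT\Explorer.exe: PRESENT!

C:\Explorer.exe: PRESENT!
C:\WINNT\System32\Explorer.exe: not present
"""


def split_sections(report: str) -> list[list[str]]:
    """Split the report into sections on the dashed/equals separator lines."""
    sections: list[list[str]] = []
    current: list[str] = []
    for line in report.splitlines():
        if re.fullmatch(r"-{10,}|={10,}", line.strip()):
            if current:
                sections.append(current)
            current = []
        elif line.strip():
            current.append(line.rstrip())
    if current:
        sections.append(current)
    return sections


def command_path(command: str) -> str:
    """Return the executable part of a registry command line, quoted or not."""
    command = command.strip()
    m = re.match(r'"([^"]+)"|(.+?\.(?:exe|com|bat|pif|scr|dll))(?:\s|$)',
                 command, re.IGNORECASE)
    if m:
        return m.group(1) or m.group(2)
    return command.split(" ", 1)[0]


def check_report(report: str) -> list[tuple[str, str]]:
    """Return (item, reason) findings for the three checks described above."""
    findings: list[tuple[str, str]] = []
    for lines in split_sections(report):
        head = lines[0]
        if head.startswith("Autorun entries from Registry:") and len(lines) > 1:
            key = lines[1]
            for entry in lines[2:]:
                if entry.startswith("*") or " = " not in entry:
                    continue
                name, cmd = entry.split(" = ", 1)
                exe = command_path(cmd).lower()
                # Bare names (mobsync.exe) carry no directory; only judge full paths.
                if "\\" in exe and not exe.startswith(TRUSTED_PREFIXES):
                    findings.append((f"{key}\\{name}",
                                     f"autorun launches {exe} from an untrusted location"))
        elif head.startswith("File association entry for "):
            ext = head[len("File association entry for "):].rstrip(":")
            default = next((l.split(" = ", 1)[1] for l in lines
                            if l.startswith("(Default) = ")), None)
            expected = EXPECTED_ASSOC.get(ext)
            if expected is not None and default != expected:
                findings.append((ext, f"open command is {default!r}, expected {expected!r}"))
        elif head.startswith("Checking for EXPLORER.EXE instances"):
            for l in lines[1:]:
                path, _, status = l.rpartition(": ")
                if status.startswith("PRESENT") and path.lower() != GENUINE_EXPLORER.lower():
                    findings.append((path, "extra Explorer.exe copy outside the system root"))
    return findings


if __name__ == "__main__":
    for item, reason in check_report(SAMPLE):
        print(f"{item}\n    -> {reason}")
```

An altered exefile open command is worth checking first, because it means every .EXE the user launches runs through the inserted program, which is also why a clean-up done by deleting that program alone can leave the machine unable to start anything.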
 
LVL 9

Expert Comment

by:jdeclue
Do em both, do em both!!! Run tasklist post the results.... 20 seconds max, while it is being reviewed by "the experts", run hijack This!!!!...

J

:)
0
 
LVL 4

Author Comment

by:Analog_Kid
I could not work out how to get a list of running processes but I did manage to get HijackThis.exe running which included a list. Here are the results:

processlist.txt:

Process list saved on 6:47:22 PM, on 9/7/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

[full path to filename]            [file version]      [company name]
C:\WINNT\System32\smss.exe            5.0.2195.6601      Microsoft Corporation
C:\WINNT\system32\winlogon.exe            5.0.2195.6714      Microsoft Corporation
C:\WINNT\system32\services.exe            5.0.2195.6700      Microsoft Corporation
C:\WINNT\system32\lsass.exe            5.0.2195.6695      Microsoft Corporation
C:\WINNT\system32\svchost.exe            5.0.2134.1      Microsoft Corporation
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe            1.0.3.4      Symantec Corporation
C:\WINNT\system32\spoolsv.exe            5.0.2195.6659      Microsoft Corporation
C:\WINNT\System32\svchost.exe            5.0.2134.1      Microsoft Corporation
C:\Program Files\Norton AntiVirus\navapsvc.exe            9.0.5.1015      Symantec Corporation
C:\WINNT\system32\regsvc.exe            5.0.2195.6701      Microsoft Corporation
C:\WINNT\system32\MSTask.exe            4.71.2195.6704      Microsoft Corporation
C:\WINNT\system32\stisvc.exe            5.0.2195.6656      Microsoft Corporation
C:\WINNT\wanmpsvc.exe            7.0.0.2      America Online, Inc.
C:\WINNT\Explorer.EXE            5.0.3700.6690      Microsoft Corporation
C:\Program Files\Common Files\Symantec Shared\ccApp.exe            1.0.3.15      Symantec Corporation
C:\WINNT\system32\ntvdm.exe            5.0.2195.6689      Microsoft Corporation
C:\WINNT\system32\taskmgr.exe            5.0.2195.6620      Microsoft Corporation
C:\Documents and Settings\ian1\Desktop\HijackThis.exe            1.98.0.2      Soeperman Enterprises Ltd.


DLLs loaded by process C:\WINNT\System32\smss.exe:

[full path to filename]            [file version]      [company name]
C:\WINNT\system32\ntdll.dll            5.0.2195.6685      Microsoft Corporation
C:\WINNT\System32\sfcfiles.dll            5.0.2195.6717      Microsoft Corporation




startuplist.txt:

StartupList report, 9/7/2004, 6:48:37 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\ian1\Desktop\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\system32\taskmgr.exe
C:\Documents and Settings\ian1\Desktop\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\ian1\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINNT\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = C:\WINNT\system32\setup\wmpocm.exe /HideWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}]
StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigIE

[>{86EEAFA8-6F38-4657-B4F7-ED1033D2EA1C}S04947] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\System32\ie4uinit.exe

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINNT\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINNT\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present
C:\WINNT\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINNT
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINNT\Java\classes\dajava.cab
OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

[Yahoo! Audio Conferencing]
InProcServer32 = C:\WINNT\DOWNLO~1\yacscom.dll
CODEBASE = http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab

[YInstStarter Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab

[Yahoo! Audio UI1]
InProcServer32 = C:\WINNT\Downloaded Program Files\yacsui.dll
CODEBASE = http://chat.yahoo.com/cab/yacsui.cab

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37848.7365972222

[QDiagHUpdateObj Class]
InProcServer32 = C:\WINNT\system32\qdiagh.ocx
CODEBASE = http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?312

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINNT\System32\rnr20.dll
NameSpace #2: C:\WINNT\System32\winrnr.dll
NameSpace #3: C:\WINNT\System32\nwprovau.dll
Protocol #1: C:\WINNT\system32\msafd.dll
Protocol #2: C:\WINNT\system32\msafd.dll
Protocol #3: C:\WINNT\system32\msafd.dll
Protocol #4: C:\WINNT\system32\rsvpsp.dll
Protocol #5: C:\WINNT\system32\rsvpsp.dll
Protocol #6: C:\WINNT\system32\msafd.dll
Protocol #7: C:\WINNT\system32\msafd.dll
Protocol #8: C:\WINNT\system32\msafd.dll
Protocol #9: C:\WINNT\system32\msafd.dll
Protocol #10: C:\WINNT\system32\msafd.dll
Protocol #11: C:\WINNT\system32\msafd.dll
Protocol #12: C:\WINNT\system32\msafd.dll
Protocol #13: C:\WINNT\system32\msafd.dll
Protocol #14: C:\WINNT\system32\msafd.dll
Protocol #15: C:\WINNT\system32\msafd.dll
Protocol #16: C:\WINNT\system32\msafd.dll
Protocol #17: C:\WINNT\system32\msafd.dll
Protocol #18: C:\WINNT\system32\msafd.dll
Protocol #19: C:\WINNT\system32\msafd.dll
Protocol #20: C:\WINNT\system32\msafd.dll
Protocol #21: C:\WINNT\system32\msafd.dll
Protocol #22: C:\WINNT\system32\msafd.dll
Protocol #23: C:\WINNT\system32\msafd.dll
Protocol #24: C:\WINNT\system32\msafd.dll
Protocol #25: C:\WINNT\system32\msafd.dll
Protocol #26: C:\WINNT\system32\msafd.dll
Protocol #27: C:\WINNT\system32\msafd.dll
Protocol #28: C:\WINNT\system32\msafd.dll
Protocol #29: C:\WINNT\system32\msafd.dll
Protocol #30: C:\WINNT\system32\msafd.dll
Protocol #31: C:\WINNT\system32\msafd.dll
Protocol #32: C:\WINNT\system32\msafd.dll
Protocol #33: C:\WINNT\system32\msafd.dll
Protocol #34: C:\WINNT\system32\msafd.dll
Protocol #35: C:\WINNT\system32\msafd.dll
Protocol #36: C:\WINNT\system32\msafd.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Alerter: %SystemRoot%\System32\services.exe (manual start)
Application Management: %SystemRoot%\system32\services.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k BITSgroup (manual start)
Computer Browser: %SystemRoot%\System32\services.exe (autostart)
Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Password Validation Service: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe" (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINNT\system32\cisvc.exe (disabled)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
DHCP Client: %SystemRoot%\System32\services.exe (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)
Microsoft DirectMusic SW Synth (WDM): system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\services.exe (manual start)
Print Class Driver for IEEE-1284.4 hpoipr07: system32\DRIVERS\hpoipr07.sys (manual start)
3Com EtherLink XL B/C Adapter Driver: System32\DRIVERS\el90xbc5.sys (manual start)
Creative AudioPCI (ES1371,ES1373) (WDM): system32\drivers\es1371mp.sys (manual start)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start)
Fax Service: %systemroot%\system32\faxsvc.exe (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
IEEE-1284.4 Driver hpoid407: system32\DRIVERS\hpoid407.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
i81x: System32\DRIVERS\i81xnt5.sys (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (manual start)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\services.exe (autostart)
Workstation: %SystemRoot%\System32\services.exe (autostart)
TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart)
LT Modem Driver: System32\DRIVERS\ltmdmnt.sys (manual start)
Messenger: %SystemRoot%\System32\services.exe (disabled)
NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
BDA MPE Filter: system32\DRIVERS\MPE.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start)
Windows Installer: C:\WINNT\System32\MsiExec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
Norton AntiVirus Auto Protect Service: "C:\Program Files\Norton AntiVirus\navapsvc.exe" (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040825.021\NAVENG.Sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040825.021\NavEx15.Sys (manual start)
NetBEUI Protocol: System32\DRIVERS\nbf.sys (autostart)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
NWLink IPX/SPX/NetBIOS Compatible Transport Protocol: System32\DRIVERS\nwlnkipx.sys (autostart)
NWLink NetBIOS: System32\DRIVERS\nwlnknb.sys (autostart)
NWLink SPX/SPXII Protocol: System32\DRIVERS\nwlnkspx.sys (autostart)
Parallel class driver: System32\DRIVERS\parallel.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (system)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\services.exe (autostart)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Microsoft Streaming Network Raw Channel Access: system32\drivers\RCA.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry Service: %SystemRoot%\system32\regsvc.exe (autostart)
Microsoft Legacy Modem Driver: System32\Drivers\RootMdm.sys (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SAVRT: \??\C:\WINNT\system32\Drivers\SAVRT.SYS (manual start)
SAVRTPEL: \??\C:\WINNT\system32\Drivers\SAVRTPEL.SYS (autostart)
ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)
RunAs Service: %SystemRoot%\system32\services.exe (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
Still Image Service: %systemroot%\system32\stisvc.exe (autostart)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
SYMREDRV: \??\C:\WINNT\system32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \??\C:\WINNT\system32\Drivers\SYMTDI.SYS (autostart)
Microsoft System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Telnet: %SystemRoot%\system32\tlntsvr.exe (manual start)
Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (disabled)
Microsoft USB Universal Host Controller Driver: System32\DRIVERS\uhcd.sys (manual start)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
Windows Time: %SystemRoot%\System32\services.exe (manual start)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
WAN Miniport (ATW): system32\DRIVERS\wanatw4.sys (manual start)
WAN Miniport (ATW) Service: "C:\WINNT\wanmpsvc.exe" (autostart)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Services.exe (manual start)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k wugroup (manual start)
Wireless Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 28,840 bytes
Report generated in 0.221 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only


hijackthis.log:

Logfile of HijackThis v1.98.2
Scan saved at 6:49:57 PM, on 9/7/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\system32\taskmgr.exe
C:\Documents and Settings\ian1\Desktop\HijackThis.exe
A:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?312
O17 - HKLM\System\CCS\Services\Tcpip\..\{347DEE52-1768-473E-B419-FAD1B4BFC7B8}: NameServer = 64.81.159.2

0
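The HijackThis log posted above is a fixed-format text report, and the usual first step in reviewing one is to pull each line apart into its hive, CLSID, path or URL and then look at the handful of fields that matter (the O17 NameServer, the O16 download hosts, entries that point at files that no longer exist). Here is a small parser for the line layouts that appear in this log. It is an added example, not code from the thread or from HijackThis itself; the sample log is constructed from the lines posted above, and the section patterns cover only the R0/O2/O3/O4/O9/O16/O17 layouts seen here:

```python
"""Parse HijackThis v1.98-style log lines into structured records.

Added example (not the thread's or HijackThis's own code). Only the
section layouts visible in the thread are modelled; anything else is
kept as a raw line so nothing is silently dropped.
"""
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample, assembled from lines quoted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{347DEE52-1768-473E-B419-FAD1B4BFC7B8}: NameServer = 64.81.159.2
"""

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# One regex per line layout; named groups become the record's fields.
PATTERNS = [
    re.compile(r"^(?P<section>R[0-3]) - (?P<hive>HK\w+)\\(?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$"),
    re.compile(r"^(?P<section>O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.+?) - (?P<clsid>" + CLSID + r") - (?P<path>.+)$"),
    re.compile(r"^(?P<section>O4) - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>.+?)\] (?P<command>.+)$"),
    re.compile(r"^(?P<section>O9) - Extra button: (?P<name>.+?) - (?P<clsid>" + CLSID + r") - (?P<path>.+)$"),
    re.compile(r"^(?P<section>O16) - DPF: (?P<clsid>" + CLSID + r") \((?P<name>.+?)\) - (?P<url>\S+)$"),
    re.compile(r"^(?P<section>O17) - (?P<key>.+?): NameServer = (?P<nameserver>.+)$"),
]


@dataclass
class Entry:
    section: str        # e.g. "R0", "O4", "O17"
    fields: Dict[str, str]
    raw: str


def parse_hjt(text: str) -> List[Entry]:
    """Return one Entry per HijackThis item line; header/process lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or not re.match(r"^[RFNO]\d+ - ", line):
            continue
        for pat in PATTERNS:
            m = pat.match(line)
            if m:
                fields = m.groupdict()
                entries.append(Entry(fields.pop("section"), fields, line))
                break
        else:
            # Unknown layout: keep the raw line so the reviewer still sees it.
            entries.append(Entry(line.split(" - ", 1)[0], {}, line))
    return entries


def review_points(entries: List[Entry]) -> Dict[str, List[str]]:
    """Collect the fields a reviewer checks first.

    - nameservers: O17 values; these should be the ISP's resolvers.
    - download_hosts: sites O16 ActiveX packages were fetched from.
    - dangling: entries whose target file is gone ("(no file)"); safe to clean.
    """
    nameservers: List[str] = []
    download_hosts: List[str] = []
    dangling: List[str] = []
    for e in entries:
        if e.section == "O17":
            nameservers.extend(s.strip() for s in e.fields["nameserver"].split(","))
        elif e.section == "O16":
            download_hosts.append(urlparse(e.fields["url"]).hostname or "")
        elif e.fields.get("path") == "(no file)":
            dangling.append(e.fields.get("clsid", e.raw))
    return {"nameservers": nameservers, "download_hosts": download_hosts, "dangling": dangling}


if __name__ == "__main__":
    for key, values in review_points(parse_hjt(SAMPLE_LOG)).items():
        print(f"{key}: {values}")
```

The O17 value is the one worth comparing against the ISP's published DNS servers; an unexpected resolver there is the classic sign of a DNS hijack, while the "(no file)" O9 entry is just a leftover reference.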
 
LVL 4

Author Comment

by:Analog_Kid
Comment Utility
In Windows Task Manager, Processes tab under "Image Name" there is an item called "System Idle Process" PID 0 CPU 99 MemUsage 16k. Is this of any concern? It is the only item showing a considerable CPU time usage.

I'm desperately grasping at straws here.
0
 
LVL 4

Author Comment

by:Analog_Kid
Comment Utility
No, I guess not - http:Q_20798928.html#9753538
0
 
LVL 10

Expert Comment

by:jayca
Comment Utility
Why is that yahoo crud there?

Go uninstall any unnecessary applications.

How much free space do you have?
0
 
LVL 4

Author Comment

by:Analog_Kid
Comment Utility
I've taken out all un-needed apps already and got rid of most of that crud. I'll post an updated log if you want.

At this time there is 2.3 GB used of 12.6 GB total.

I've noticed that on boot up (a 30 min process!) the computer seems to get stuck on "Applying security policy".
0
 
LVL 10

Expert Comment

by:jayca
Comment Utility
What GPOs do you have enabled?

What was the last thing you changed?
0
 
LVL 10

Expert Comment

by:jayca
Comment Utility
I assume this is part of a domain... they aren't trying something silly like pushing a large install down via GPOs are they?
0
 
LVL 4

Author Comment

by:Analog_Kid
Comment Utility
No, it's just a desktop PC and not part of a network. I don't know what a GPO is and I'm not the primary user so I have no clue what was done before today. I can tell you that there are no audits currently enabled.
0
 
LVL 10

Expert Comment

by:jayca
Comment Utility
Well you could unplug the network cable, then login the local admin acct, then login the user offline, that would tell us something.

It is leaning towards a group policy issue, but we need to verify that.
0
 
LVL 4

Author Comment

by:Analog_Kid
Comment Utility
I could use some step-by-step instructions. There is no network cable to anything and I am now logged in as admin. (I have physical access to the machine now)
0
 
LVL 10

Assisted Solution

by:jayca
jayca earned 140 total points
Comment Utility
Ahh okay, then if it is not part of a domain, then why not try and create a new profile and see how that treats you.

You can also go to Blackviper.com and he has a list of the bare minimum services you need to run.
0
 
LVL 10

Expert Comment

by:jayca
Comment Utility
Does it matter what user you login as? Is it still super slow?
0
 
LVL 4

Author Comment

by:Analog_Kid
Comment Utility
There has been an improvement in performance, but the boot up is still taking way too long as noted above. What would creating a new profile gain?
0
 
LVL 10

Expert Comment

by:jayca
Comment Utility
0
 
LVL 10

Assisted Solution

by:jayca
jayca earned 140 total points
Comment Utility
Well if you have a corrupt user profile, it could cause exactly what you are describing.
0
 
LVL 4

Author Comment

by:Analog_Kid
Comment Utility
Also the unexplained disk activity has ceased so we have seen some progress.
0
 
LVL 4

Author Comment

by:Analog_Kid
Comment Utility
Ok, I can create a new profile. How shall I proceed?

Thanks by the way for taking time to help me out  :-)
0
 
LVL 10

Expert Comment

by:jayca
Comment Utility
Using Hijack this, you can delete these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) -

http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -

http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) -

http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?312

O17 - HKLM\System\CCS\Services\Tcpip\..\{347DEE52-1768-473E-B419-FAD1B4BFC7B8}: NameServer = 64.81.159.2
0
 
LVL 4

Author Comment

by:Analog_Kid
Comment Utility
From the control panel, I'm unable to add a user. The button is gray.
0
 
LVL 4

Author Comment

by:Analog_Kid
Comment Utility
Those have all been removed except for NameServer and the extra buttons.
0

 
LVL 10

Assisted Solution

by:jayca
jayca earned 140 total points
Comment Utility
If it is a standalone machine like you said, as you are logged onto administrator.  Rt click on My Computer-- select MANAGE-- then when the MMC fires up, go into users and computers.  Create a user called test1 and add him to the administrators group.  (Remember to delete after our testing is done)

0
 
LVL 10

Expert Comment

by:jayca
Comment Utility
If it is greyed out.. are you sure this is not part of a domain?  Rt click on My computer and go to properties.  It should say WORKGROUP... if it says domain, then it is in fact part of a domain.

0
 
LVL 4

Author Comment

by:Analog_Kid
Comment Utility
I don't see users and computers - I have Local Users and Groups
0
 
LVL 10

Assisted Solution

by:jayca
jayca earned 140 total points
Comment Utility
http://www.geocities.com/mark_gamez/System_process_at_99_pct.html

Wow weird... this guy had the same issue and it ended up being hardware.

Hmmm something to keep in mind. popping the case off and a fan if you have one might be a good test too... but that would be after you verify the software is not the issue.
 
0
 
LVL 4

Author Comment

by:Analog_Kid
Comment Utility
You are correct. In the System Properties - network id tab the workgroup name is WORKGROUP
0
 
LVL 10

Expert Comment

by:jayca
Comment Utility
Local Users and groups, sorry, that is what you want. If you can create a new user there, that would help test the profile when you login as that user.
0
 
LVL 4

Author Comment

by:Analog_Kid
Comment Utility
A hardware failure has crossed my mind. I'm contemplating a drive check and testing memory, but I don't want to overlook the obvious. (actually not so obvious in my case)
0
 
LVL 10

Expert Comment

by:jayca
Comment Utility
I saw another link I had saved where the guy said it was a hard drive issue... but I kinda doubt that.

Were you able to create a user?
0
 
LVL 4

Author Comment

by:Analog_Kid
Comment Utility
I have created user "test1" and added to the administrators group.
0
 
LVL 10

Expert Comment

by:jayca
Comment Utility
You can also dload CWshredder, extract to a floppy and run it too.  http://computercops.biz/downloads-file-349.html

0
 
LVL 10

Expert Comment

by:jayca
Comment Utility
Login as Test1 and let me know the performance and how long it takes to login.

0
 
LVL 4

Author Comment

by:Analog_Kid
Comment Utility
I logged off then logged back in at test1 and am presented with the Getting Started with Windows 2000 dialogue box. It seemed to work fine - took just a few seconds.
0
 
LVL 10

Assisted Solution

by:jayca
jayca earned 140 total points
Comment Utility
reboot and login again and let me know what you think of the performance.  If it is now fine, then you have spyware or a corrupt user profile.

To fix a corrupt user profile, simply login as the admin and rename the old profile as whatevername.old then relogin... it will rebuild the profile.

The profiles will be listed in C:\Documents and Settings\PROFILENAMES
0
 
LVL 10

Expert Comment

by:jayca
Comment Utility
Can't wait, passing out from no sleep :)

Seems like its all fixed, so GL bud!
0
 
LVL 4

Author Comment

by:Analog_Kid
Comment Utility
Well windows started up faster - it didn't get stuck on "Applying security policy" but the desktop icons have not yet appeared - it's still thinking about it (the disk indicator is flashing and I hear the ticking).

It is behaving much the same as it had been only instead of the security policies; I'm waiting for the desktop. All I have is the task bar, clock and the blue background. It's been booting up for just under ten minutes now.

Well go to bed - this thing can wait. Thanks!
0
 
LVL 10

Assisted Solution

by:jayca
jayca earned 140 total points
Comment Utility
go to computercops.biz in the dloads section, check on all the trojan detectors and spyware tools.

To be honest, you might be time ahead with getting a USB drive and backing up the data and rebuilding.

I would be willing to bet there is spyware on there somewhere.  I had one client it literally took me 14 logins and 3 hours to get it to where I could run spybot search and destroy :)  After that, it was all good.  (Use v 1.3)

So also run CWshredder.

It should not take 10 minutes to login to this machine unless it was an old pentium 133.

Strongly think about rebuilding the OS if you can....you will be time ahead and you can blame it on user dloads :)
0
 
LVL 4

Assisted Solution

by:jonnietexas
jonnietexas earned 110 total points
Comment Utility
Check hard drive space. (atleast 2 x memory)
Remove files from c:\temp, c:\windows\temp or c:\winnt\temp
go to registry
remove anything that you know should not be in..
[HKEY_LOCAL_MACHINE][Microsoft][Windows][Current Version][Run] and [RunServices]

0
 
LVL 20

Assisted Solution

by:Debsyl99
Debsyl99 earned 100 total points
Comment Utility
Hi

Gosh you've been busy! (Sorry it was bed-time here in UK) I can't see anything really untoward in your logs. So..... You can logon in safe mode fine but it's just not booting up properly. It's unlikely to be a profile issue as you tested a new profile which logged in fine until rebooting, then gave exactly the same issue. So it would look like the system's hanging on something at boot up. You've run a repair install so at this point I'd say we should consider an installed app that's causing hanging or a driver problem, but we'll see..

Check the event logs - In control panel, double-click administrative tools, event viewer and check all the logs in there for red errors and warnings - post anything in there.
Check out you system devices in device manager - report any items with yellow exclamation marks - Access by double-clicking on the System icon in Control Panel, choosing the Hardware tab, and clicking Device Manager - again report any findings there,

Next download msconfig - it doesn't come with Win 2000 like it does with pretty much every other windows OS, so you'll need to download it and stick it in your system folder in Winnt - it works just fine with Windows 2000 (and it's small and doesn't take up lots of system resources either ;-)
See the bottom of this link for WinXP msconfig download
http://www.thetechguide.com/downloads.html
How to Use MSCONFIG
http://netsquirrel.com/msconfig/

This will allow disabling of specific startup items and services on bootup amongst other things, and so can be useful in troubleshooting start-up problems. However let's see your event logs first..

Deb :))
0
 
LVL 4

Author Comment

by:Analog_Kid
Comment Utility
jonnietexas

I don't see anything in the registry where you pointed me that looks suspicious and the temp directory was pretty much empty to begin with. (it's completely empty now).

Thanks for the help, but it appears that the problem lies elsewhere.


Good morning, Debsyl99  :-)

I do not have an Internet connection to that machine at the moment, but I do have sneaker net available. Those on-line scanners will be difficult to employ. Do you have any alternate suggestions that I might try?

I’ll go ahead and get msconfig as you’ve suggested. Jayca has suggested cwshredder, which I have yet to try.

Where might I find those event logs exactly?
0
 
LVL 16

Assisted Solution

by:robrandon
robrandon earned 70 total points
Comment Utility
I know it is time consuming, but I think you had ought to run CHKDSK.  Go to a DOS prompt and type:
CHKDSK C: /R

You will need to reboot your computer and it will check your hard disk on boot-up.  Let the process complete, don't reboot it in the middle of Checkdisk.

0
 
LVL 20

Assisted Solution

by:Debsyl99
Debsyl99 earned 100 total points
Comment Utility
Hi
Time zones eh? (It's afternoon here). Once trend downloads its virus signatures it will scan regardless of online or not - but downloading on a dialup will take a bit of time.
In control panel you have a folder called Administrative Tools - In there there's a shortcut to Event Viewer (or there really should be) - Double click this icon, and you'll have three logs - application, security and system - double click each log and look for error messages particularly over boot up periods (messages to look at have a big red X by them, warnings have a yellow !).

The security log may be blank (depends if auditing is configured or not) - but worth a look anyway, particularly at any failure audits if present,

Deb :))

0
 
LVL 4

Assisted Solution

by:jonnietexas
jonnietexas earned 110 total points
Comment Utility
That's cool.  I wasn't going for something that was suspicious but rather for processes that don't need to be running.  My thought is you have a lot of processes running that are eating up your memory and the computer is having to cache a tremendous amount out to disk.  What I have listed are the usual culprits in my experience.  Enjoy!
0
 
LVL 10

Expert Comment

by:jayca
Comment Utility
good lord slacker!  This isn't fixed yet?

:)
0
 
LVL 3

Accepted Solution

by:
hehewithbrackets earned 40 total points
Comment Utility
Gee, lots of activity since yesterday.

I like Debsyl99's idea of checking the event logs.  

When you stated that the system runs fine in safe mode, that's a strong indication that your problem could be hardware related.
0
 
LVL 4

Author Comment

by:Analog_Kid
Comment Utility
Yes, every step is painfully slow! As I said, it takes about 30 min just to boot up.

Once the desktop appeared, everything seems to be running relatively normally.

I made an Internet connection through the AOL interface and it connected without problems, but the system became bogged down just as soon as I fired up Internet Explorer. I was however able to start a Panda ActiveScan, when suddenly the system again slowed to a crawl.

Jonnietexas, about the only thing notable is the Norton antivirus protection. Perhaps that's what is misbehaving. I think I'll go ahead and remove it at the next opportunity. (I can always re-install it later).

I've noticed that when the system slows, the acoustical signature of the hard drive changes. It is the same sound that it makes while waiting for the desktop or the security policies. (Sounds more like a defrag operation rather than the typical read/write sounds that breeze right through.)

It's incredibly frustrating to have to wait 5 or ten minutes and longer for anything to respond.

I'll post an update just as soon as possible.
0
 
LVL 9

Expert Comment

by:jdeclue
Comment Utility
Just a thought. I have seen many systems that have this exact problem, and it is typically related to the drive being misconfigured. Either it is set to Slave instead of Master, or Cable Select and not on the last connector, or a CD, CDRW, DVD etc, is on the same channel etc. Did you change any of the drive configurations or add a hard drive.

J

P.S. Way too many posts, someone may have already said this because I haven't read them all. If that is the case, accept my apologies ;)

J
0
 
LVL 20

Expert Comment

by:Debsyl99
Comment Utility
No I don't think they have JD (practically know this thread off by heart now ;-) but that's a good suggestion. By the way (should have asked this before) what ARE the specs of this PC anyway? ie Processor, RAM etc?
0
 
LVL 4

Author Comment

by:Analog_Kid
Comment Utility
Not a problem, I can filter that out in my head  :-)

But no, I have not changed anything like that and I suspect the owner/user has not either. I can check that out when the system releases control to me again.  :-/
0
 
LVL 4

Assisted Solution

by:jonnietexas
jonnietexas earned 110 total points
Comment Utility
You might consider creating a linux boot disk and performing memtest on it.  If it fails then it is definitely a hardware issue.
0
 
LVL 9

Expert Comment

by:jdeclue
Comment Utility
When you used the CD to reinstall/repair of the OS, did it seem to take a long time?

J
0
 
LVL 9

Expert Comment

by:jdeclue
Comment Utility
Hi Deb! ;)

J
0
 
LVL 4

Author Comment

by:Analog_Kid
Comment Utility
No, that worked pretty well.

Bad news - the system crashed during the scan. But at least I can give you guys/gals the information you want

The unit is a Dell OptiPlex GX110 Pentium III
Win2K pro os Build 2195 SP4
Computer: X86 Family 6 Model 8 Stepping 6 GenuineIntel
AT/AT Compatible
129,260kb ram

In the Event Viewer there are lots of warnings and errors. All or most related to disk and atapi.
"The device, \Device\ide\ideport0, did not respond within the timeout period" and
"An error was detected on device \Device\Harddisk0\DR0 during a paging operation"

Security Log is empty and the Application Log is also full of errors and warnings.

The system is now in safe mode.
0
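The two messages quoted in this post (the atapi timeout on \Device\ide\ideport0 and the disk paging-operation error on \Device\Harddisk0\DR0) are exactly the signal Debsyl99 asked for from the event logs. Below is a small triage script, added here as an example and not code from the thread or any of its posters, that reads an exported System log and counts how often those storage signatures occur. It assumes the log was saved from Event Viewer as tab-separated text with the columns date, time, source, type, event id, description (adjust the split if your export differs); the sample lines, including their event ids, are constructed to resemble the messages posted above:

```python
"""Triage exported System event-log lines for storage-subsystem errors.

Added example, not from the thread. Input format (an assumption):
tab-separated columns date, time, source, type, event id, description.
"""
from collections import Counter
from datetime import datetime
from typing import Dict, List

# Constructed sample export, modelled on the messages quoted in the thread.
SAMPLE_EXPORT = "\n".join([
    "9/8/2004\t7:02:11 AM\tatapi\tError\t9\tThe device, \\Device\\Ide\\IdePort0, did not respond within the timeout period.",
    "9/8/2004\t7:02:40 AM\tdisk\tWarning\t51\tAn error was detected on device \\Device\\Harddisk0\\DR0 during a paging operation.",
    "9/8/2004\t7:03:15 AM\tatapi\tError\t9\tThe device, \\Device\\Ide\\IdePort0, did not respond within the timeout period.",
    "9/8/2004\t7:05:02 AM\tService Control Manager\tInformation\t7035\tThe Print Spooler service was successfully sent a start control.",
    "9/8/2004\t7:09:48 AM\tdisk\tWarning\t51\tAn error was detected on device \\Device\\Harddisk0\\DR0 during a paging operation.",
    "9/8/2004\t7:31:20 AM\tatapi\tError\t9\tThe device, \\Device\\Ide\\IdePort0, did not respond within the timeout period.",
])

# Signature name -> (event source, fragment of the message text).
SIGNATURES = {
    "ide_timeout": ("atapi", "did not respond within the timeout period"),
    "paging_error": ("disk", "during a paging operation"),
}


def parse_export(text: str) -> List[Dict]:
    """Turn each tab-separated line into a dict; short/malformed lines are skipped."""
    events: List[Dict] = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 6:
            continue
        date, time, source, etype, event_id, message = parts[:6]
        events.append({
            "when": datetime.strptime(f"{date} {time}", "%m/%d/%Y %I:%M:%S %p"),
            "source": source,
            "type": etype,
            "id": int(event_id),
            "message": message,
        })
    return events


def classify(events: List[Dict]) -> Counter:
    """Count events per storage signature; everything else lands in 'other'."""
    counts: Counter = Counter()
    for ev in events:
        for name, (source, fragment) in SIGNATURES.items():
            if ev["source"].lower() == source and fragment in ev["message"]:
                counts[name] += 1
                break
        else:
            counts["other"] += 1
    return counts


def storage_verdict(events: List[Dict], threshold: int = 3) -> Dict:
    """Summarise storage errors and give the reviewer a next step.

    `threshold` is an assumed cut-off: a few repeated timeouts or paging
    errors in one session is enough to stop trusting the drive.
    """
    counts = classify(events)
    storage = counts["ide_timeout"] + counts["paging_error"]
    if not events:
        return {"storage_errors": 0, "span_minutes": 0, "verdict": "no events"}
    span = max(e["when"] for e in events) - min(e["when"] for e in events)
    if storage >= threshold:
        verdict = ("suspect drive, cable or IDE configuration: back up data first, "
                   "then run chkdsk /r and the vendor's drive diagnostic")
    elif storage:
        verdict = "isolated storage errors: keep watching the System log"
    else:
        verdict = "no storage errors"
    return {"storage_errors": storage, "span_minutes": int(span.total_seconds() // 60), "verdict": verdict}


if __name__ == "__main__":
    evs = parse_export(SAMPLE_EXPORT)
    print(classify(evs))
    print(storage_verdict(evs))
```

The verdict text mirrors the advice given later in the thread (back up, then chkdsk /r and the Dell diagnostic); the script only makes the counting repeatable so the decision is not taken from a single scrolled-past error.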
 
LVL 16

Assisted Solution

by:robrandon
robrandon earned 70 total points
Comment Utility
I'm pretty sure you have a bad hard drive....

I know it is time consuming, but I think you had ought to run CHKDSK.  Go to a DOS prompt and type:
CHKDSK C: /R

You will need to reboot your computer and it will check your hard disk on boot-up.  Let the process complete, don't reboot it in the middle of Checkdisk.
 

Please do this and post results..... I'm getting waaaayyyy to many emails for this thread.....let's resolve this.
0
 
LVL 20

Expert Comment

by:Debsyl99
Comment Utility
try Rob's suggestion with the CHKDSK C: /R, plus you are a bit light on RAM for Win2k and a load of apps,



Deb :))
0
 
LVL 4

Author Comment

by:Analog_Kid
Comment Utility
C:\>chkdsk c: /r
The type of the file system is NTFS.
Cannot lock current drive.

Chkdsk cannot run because the volume is in use by another process.
0
 
LVL 20

Assisted Solution

by:Debsyl99
Debsyl99 earned 100 total points
Comment Utility
Should've refreshed the page first, but at least we both agree ;-)
And I think if you haven't already, now would be the time to get any data off the machine that is of value,
Dell Diagnostic Utility for Dell OptiPlex GX110 Pentium III
http://support.dell.com/support/downloads/format.aspx?c=us&l=en&s=gen&SystemID=PLX_PNT_P03_GX110&os=WNT5&osl=en&deviceid=196&devlib=13&category=13&releaseid=R31620

Deb :))

0
 
LVL 20

Assisted Solution

by:Debsyl99
Debsyl99 earned 100 total points
Comment Utility
Let it run - give it enough time and it should offer to check your drive next boot-up - so long as you select Yes (Y) and give yourself a few hors by the sound of it!
0
 
LVL 20

Expert Comment

by:Debsyl99
Comment Utility
That was supposed to say hours by the way - Hi JD :))
0
 
LVL 9

Assisted Solution

by:jdeclue
jdeclue earned 20 total points
Comment Utility
Starting to make sense, I would suspect a configuration error, than hard drive... then controller. Too many people in here, I feel claustrophobic, beside you all got it covered! ;) See ya 'round Deb!

J
0
 
LVL 10

Expert Comment

by:jayca
Comment Utility
Do you have any spare drives you can use?  And you only have 128 megs of mem, that's not much with all that stuff they have running FYI :)

0
 
LVL 4

Author Comment

by:Analog_Kid
Comment Utility
The problem has been positively identified as a bad hard drive. The drive eventually failed completely but I did manage to retrieve the data first.

Thanks for all your help - your assistance was invaluable to me.
I’ve split the points among the comments that I found to be the most helpful and awarded the answer to hehewithbrackets for being the first to correctly identify the root cause of the trouble as hardware related.

Thanks again for all your help!
0
 

Expert Comment

by:moreinformation
Comment Utility
Perhaps he should look for *.Temp and *.tmp files in his computer and then get rid of anything to do with Norton AV...
0
