Solved

System running VERY slow - Urgent need help!

Posted on 2004-09-07
Last Modified: 2008-01-09
The computer is a Dell something or other pre-loaded with Win 2k pro.
The system is operating VERY slowly and the HD is constantly active.

I need to get it working properly again by the end of the day.

In an effort to resolve the trouble I have done the following and still have the same problem:

Defrag and scan disk - no help

Spybot S&D scan w/updated definitions – found some items and removed them, but still no help

Norton A/V w/updated definitions – negative results

Turned off sharing of C: - upon re-boot the drive was again set to shared. (The PC is stand-alone, not networked.)

Turned off indexing service – this did seem to help, but the next day, the machine was running slow again.

I did a repair of the OS using the install CD – still have the same problem.

The system will not allow me to shut down any running process through Task Manager, but I can boot into safe mode with no problems.

I am not familiar with Win 2k pro and I need advice.

All suggestions are greatly appreciated – this has become an urgent matter.

Thanks in advance.
0
Question by:Analog_Kid
84 Comments
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 80 total points
ID: 11999234
Perhaps this would have been better posted in the Windows 2000 TA?
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 11999247
Is it the PC in general or network operation - or is it just pants generally?
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 11999364
Duh! Stupid me, I posted in the wrong area. I've asked that the question be moved.

Anyway, the machine is not connected to a network of any kind. What do you mean by pants?

Thanks for your help.
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 11999383
Oh, it does have AOL for connecting to the Internet.
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11999510
Please post a list of the running processes from the task manager.

J
0
 
LVL 3

Assisted Solution

by:hehewithbrackets
hehewithbrackets earned 160 total points
ID: 11999542
C$ is a default share and cannot be removed.

How much space does your hard drive have left?

Are there any processes using up a lot of system resources?  What processes are you trying to shut down and are unable to?

When was the virus software added to the system?  If you added virus software after the system was infected, it may not be working properly.
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 11999549
Hi
First download this and click scan - don't fix anything first, just post the logfile here,
http://tools.radiosplace.com/HijackThis.exe

Deb :))
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 11999599
>>post a list of the running processes

I don't have access to it at this very moment, so I can't say. But it is a huge list. Is there a way to thin that out to the absolute bare minimum?

>>How much space does your hard drive have left?

It's nearly completely empty - only 10% or so used.

>>Are there any processes using up a lot of system resources?  
I don't know. How do I find that info?

>>...If you added virus software after the system was infected...

I don't think that is the case. The machine is a friend's, but I am aware that he has had Norton A/V installed ever since he bought the machine and this problem is recent.
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 11999604
It's probably best to rule out any nasties before trying any further system fixes or repairs, particularly given the fact that you've already found some. Unfortunately Norton is missing stacks of Trojans as of late, hence try a scan with the following

Trend Online Scanner
http://housecall.trendmicro.com/

Panda
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Let us know what you find,

Deb :))
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 11999633
To post running processes - In hijackthis click config ->Misc Tools -> Open process manager. Then check the "show dll's" on the right of the screen, click refresh, then click the little floppy disk icon which will allow you to save the process list to a text file. Post that text file here too...

Deb :))
0
 
LVL 3

Expert Comment

by:hehewithbrackets
ID: 11999640
I would recommend running the utilities that Debsyl99 has listed.

To check processes, you can use Task Manager.  You said that the list is huge, how many processes are currently running?

When you boot into 'safe mode with no problems', do you mean that the computer doesn't run slow in safe mode?
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 11999690
Correct. In safe mode, all seems to be in order.

I see you need more info than I can provide, so I will d/l those and post here later. This could take a while as the machine is 10 miles from my location. I'll do my best to get you the info you need asap.

Meanwhile, if there is any other information that would be helpful, or if you have an idea of what else I can look at while I'm there, I'd be grateful.
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11999848
Is this a XEON 32-bit or Itanium 64-bit? The XEON uses Extended Memory 64; this is an extension and is not a 64-bit processor. The processor is an IA-32, which is a 32-bit processor. Unless your workstation is running with more than 4 GB RAM and you have applications that can utilize pages larger than 2 GB, you should not be running the x64 version of Windows 2003. So unless you have applications that are specifically written to take advantage of the Extended Memory 64, and more than 4 GB of RAM in the workstations, you should go back to Windows XP Professional. The OS should run faster on your machine than Server 2003 (64) on the XEON.

J
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11999857
Sorry I posted to the wrong thread!? ;)

J
0
 
LVL 16

Expert Comment

by:robrandon
ID: 12000105
To get the process list, just go to a DOS prompt and type TASKLIST.  Paste the info here.  If you want to save it out to a text file, you can run this TASKLIST > c:\tasklist.txt  
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12000467
To post processes just follow the instructions in my posts - easier and makes sure dll's are posted too.


Deb :))

P.S Good one JD ;-)
0
 
LVL 16

Expert Comment

by:robrandon
ID: 12000504
Deb, not going to argue, but that requires the installation of software...
0
 
LVL 3

Expert Comment

by:hehewithbrackets
ID: 12000539
I don't think TASKLIST is an .exe that comes with Windows by default.  I don't have it on my system.
0
 
LVL 16

Expert Comment

by:robrandon
ID: 12000617
Oops.  It's for WinXP.  My bad.
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 12000628
It is an XP tool, and a great one... If you are running XP, it is a very easy thing to do. Rob has a good point, as it can be run in about 10 seconds and posted. Might as well do both.



J
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12000675
It's not really like I'm asking for a fresh install of Office!!! (sighs - has had a long day..)

It requires the installation of hijackthis which let's face it is pretty small (183k) and takes up minimal system resources (about 5k - cmd takes about 2.5k). It will also enable us to have a good look at what's running on the system and will show dll's which tasklist won't show and their authors and versions. We'll also get to have a look at various areas of the registry notorious for targeting by spyware and enable us to fix it where necessary - so it will kill a lot of birds with one stone, and if for whatever reason it doesn't lead to a direct fix, it will at least enable us to rule things out.

But if Analog Kid doesn't want to use it, it's his choice ;-)) Better than manually posting various areas of the registry, because if we do identify running processes that are malware related we're going to have to kill them properly (ie via the execs and reg entries) which again you can do with hijackthis. Why don't you check it out? It's quite useful,

Deb :))

0
 
LVL 9

Expert Comment

by:jdeclue
ID: 12000741
Do em both, do em both!!! Run tasklist post the results.... 20 seconds max, while it is being reviewed by "the experts", run hijack This!!!!...

J

:)
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 12002112
I could not work out how to get a list of running processes but I did manage to get HijackThis.exe running which included a list. Here are the results:

processlist.txt:

Process list saved on 6:47:22 PM, on 9/7/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

[full path to filename]            [file version]      [company name]
C:\WINNT\System32\smss.exe            5.0.2195.6601      Microsoft Corporation
C:\WINNT\system32\winlogon.exe            5.0.2195.6714      Microsoft Corporation
C:\WINNT\system32\services.exe            5.0.2195.6700      Microsoft Corporation
C:\WINNT\system32\lsass.exe            5.0.2195.6695      Microsoft Corporation
C:\WINNT\system32\svchost.exe            5.0.2134.1      Microsoft Corporation
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe            1.0.3.4      Symantec Corporation
C:\WINNT\system32\spoolsv.exe            5.0.2195.6659      Microsoft Corporation
C:\WINNT\System32\svchost.exe            5.0.2134.1      Microsoft Corporation
C:\Program Files\Norton AntiVirus\navapsvc.exe            9.0.5.1015      Symantec Corporation
C:\WINNT\system32\regsvc.exe            5.0.2195.6701      Microsoft Corporation
C:\WINNT\system32\MSTask.exe            4.71.2195.6704      Microsoft Corporation
C:\WINNT\system32\stisvc.exe            5.0.2195.6656      Microsoft Corporation
C:\WINNT\wanmpsvc.exe            7.0.0.2      America Online, Inc.
C:\WINNT\Explorer.EXE            5.0.3700.6690      Microsoft Corporation
C:\Program Files\Common Files\Symantec Shared\ccApp.exe            1.0.3.15      Symantec Corporation
C:\WINNT\system32\ntvdm.exe            5.0.2195.6689      Microsoft Corporation
C:\WINNT\system32\taskmgr.exe            5.0.2195.6620      Microsoft Corporation
C:\Documents and Settings\ian1\Desktop\HijackThis.exe            1.98.0.2      Soeperman Enterprises Ltd.


DLLs loaded by process C:\WINNT\System32\smss.exe:

[full path to filename]            [file version]      [company name]
C:\WINNT\system32\ntdll.dll            5.0.2195.6685      Microsoft Corporation
C:\WINNT\System32\sfcfiles.dll            5.0.2195.6717      Microsoft Corporation




startuplist.txt:

StartupList report, 9/7/2004, 6:48:37 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\ian1\Desktop\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\system32\taskmgr.exe
C:\Documents and Settings\ian1\Desktop\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\ian1\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINNT\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = C:\WINNT\system32\setup\wmpocm.exe /HideWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}]
StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigIE

[>{86EEAFA8-6F38-4657-B4F7-ED1033D2EA1C}S04947] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\System32\ie4uinit.exe

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINNT\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINNT\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present
C:\WINNT\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINNT
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINNT\Java\classes\dajava.cab
OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

[Yahoo! Audio Conferencing]
InProcServer32 = C:\WINNT\DOWNLO~1\yacscom.dll
CODEBASE = http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab

[YInstStarter Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab

[Yahoo! Audio UI1]
InProcServer32 = C:\WINNT\Downloaded Program Files\yacsui.dll
CODEBASE = http://chat.yahoo.com/cab/yacsui.cab

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37848.7365972222

[QDiagHUpdateObj Class]
InProcServer32 = C:\WINNT\system32\qdiagh.ocx
CODEBASE = http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?312

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINNT\System32\rnr20.dll
NameSpace #2: C:\WINNT\System32\winrnr.dll
NameSpace #3: C:\WINNT\System32\nwprovau.dll
Protocol #1: C:\WINNT\system32\msafd.dll
Protocol #2: C:\WINNT\system32\msafd.dll
Protocol #3: C:\WINNT\system32\msafd.dll
Protocol #4: C:\WINNT\system32\rsvpsp.dll
Protocol #5: C:\WINNT\system32\rsvpsp.dll
Protocol #6: C:\WINNT\system32\msafd.dll
Protocol #7: C:\WINNT\system32\msafd.dll
Protocol #8: C:\WINNT\system32\msafd.dll
Protocol #9: C:\WINNT\system32\msafd.dll
Protocol #10: C:\WINNT\system32\msafd.dll
Protocol #11: C:\WINNT\system32\msafd.dll
Protocol #12: C:\WINNT\system32\msafd.dll
Protocol #13: C:\WINNT\system32\msafd.dll
Protocol #14: C:\WINNT\system32\msafd.dll
Protocol #15: C:\WINNT\system32\msafd.dll
Protocol #16: C:\WINNT\system32\msafd.dll
Protocol #17: C:\WINNT\system32\msafd.dll
Protocol #18: C:\WINNT\system32\msafd.dll
Protocol #19: C:\WINNT\system32\msafd.dll
Protocol #20: C:\WINNT\system32\msafd.dll
Protocol #21: C:\WINNT\system32\msafd.dll
Protocol #22: C:\WINNT\system32\msafd.dll
Protocol #23: C:\WINNT\system32\msafd.dll
Protocol #24: C:\WINNT\system32\msafd.dll
Protocol #25: C:\WINNT\system32\msafd.dll
Protocol #26: C:\WINNT\system32\msafd.dll
Protocol #27: C:\WINNT\system32\msafd.dll
Protocol #28: C:\WINNT\system32\msafd.dll
Protocol #29: C:\WINNT\system32\msafd.dll
Protocol #30: C:\WINNT\system32\msafd.dll
Protocol #31: C:\WINNT\system32\msafd.dll
Protocol #32: C:\WINNT\system32\msafd.dll
Protocol #33: C:\WINNT\system32\msafd.dll
Protocol #34: C:\WINNT\system32\msafd.dll
Protocol #35: C:\WINNT\system32\msafd.dll
Protocol #36: C:\WINNT\system32\msafd.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Alerter: %SystemRoot%\System32\services.exe (manual start)
Application Management: %SystemRoot%\system32\services.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k BITSgroup (manual start)
Computer Browser: %SystemRoot%\System32\services.exe (autostart)
Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Password Validation Service: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe" (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINNT\system32\cisvc.exe (disabled)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
DHCP Client: %SystemRoot%\System32\services.exe (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)
Microsoft DirectMusic SW Synth (WDM): system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\services.exe (manual start)
Print Class Driver for IEEE-1284.4 hpoipr07: system32\DRIVERS\hpoipr07.sys (manual start)
3Com EtherLink XL B/C Adapter Driver: System32\DRIVERS\el90xbc5.sys (manual start)
Creative AudioPCI (ES1371,ES1373) (WDM): system32\drivers\es1371mp.sys (manual start)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start)
Fax Service: %systemroot%\system32\faxsvc.exe (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
IEEE-1284.4 Driver hpoid407: system32\DRIVERS\hpoid407.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
i81x: System32\DRIVERS\i81xnt5.sys (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (manual start)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\services.exe (autostart)
Workstation: %SystemRoot%\System32\services.exe (autostart)
TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart)
LT Modem Driver: System32\DRIVERS\ltmdmnt.sys (manual start)
Messenger: %SystemRoot%\System32\services.exe (disabled)
NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
BDA MPE Filter: system32\DRIVERS\MPE.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start)
Windows Installer: C:\WINNT\System32\MsiExec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
Norton AntiVirus Auto Protect Service: "C:\Program Files\Norton AntiVirus\navapsvc.exe" (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040825.021\NAVENG.Sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040825.021\NavEx15.Sys (manual start)
NetBEUI Protocol: System32\DRIVERS\nbf.sys (autostart)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
NWLink IPX/SPX/NetBIOS Compatible Transport Protocol: System32\DRIVERS\nwlnkipx.sys (autostart)
NWLink NetBIOS: System32\DRIVERS\nwlnknb.sys (autostart)
NWLink SPX/SPXII Protocol: System32\DRIVERS\nwlnkspx.sys (autostart)
Parallel class driver: System32\DRIVERS\parallel.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (system)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\services.exe (autostart)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Microsoft Streaming Network Raw Channel Access: system32\drivers\RCA.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry Service: %SystemRoot%\system32\regsvc.exe (autostart)
Microsoft Legacy Modem Driver: System32\Drivers\RootMdm.sys (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SAVRT: \??\C:\WINNT\system32\Drivers\SAVRT.SYS (manual start)
SAVRTPEL: \??\C:\WINNT\system32\Drivers\SAVRTPEL.SYS (autostart)
ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)
RunAs Service: %SystemRoot%\system32\services.exe (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
Still Image Service: %systemroot%\system32\stisvc.exe (autostart)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
SYMREDRV: \??\C:\WINNT\system32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \??\C:\WINNT\system32\Drivers\SYMTDI.SYS (autostart)
Microsoft System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Telnet: %SystemRoot%\system32\tlntsvr.exe (manual start)
Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (disabled)
Microsoft USB Universal Host Controller Driver: System32\DRIVERS\uhcd.sys (manual start)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
Windows Time: %SystemRoot%\System32\services.exe (manual start)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
WAN Miniport (ATW): system32\DRIVERS\wanatw4.sys (manual start)
WAN Miniport (ATW) Service: "C:\WINNT\wanmpsvc.exe" (autostart)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Services.exe (manual start)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k wugroup (manual start)
Wireless Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 28,840 bytes
Report generated in 0.221 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only


hijackthis.log:

Logfile of HijackThis v1.98.2
Scan saved at 6:49:57 PM, on 9/7/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\system32\taskmgr.exe
C:\Documents and Settings\ian1\Desktop\HijackThis.exe
A:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?312
O17 - HKLM\System\CCS\Services\Tcpip\..\{347DEE52-1768-473E-B419-FAD1B4BFC7B8}: NameServer = 64.81.159.2

0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 12002383
In Windows Task Manager, Processes tab under "Image Name" there is an item called "System Idle Process" PID 0 CPU 99 MemUsage 16k. Is this of any concern? It is the only item showing a considerable CPU time usage.

I'm desperately grasping at straws here.
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 12002411
No, I guess not - http:Q_20798928.html#9753538
0
 
LVL 10

Expert Comment

by:jayca
ID: 12002970
Why is that yahoo crud there?

Go uninstall any unnecessary applications.

How much free space do you have?
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 12003012
I've taken out all un-needed apps already and got rid of most of that crud. I'll post an updated log if you want.

At this time there is 2.3 GB used of 12.6 GB total.

I've noticed that on boot up (a 30 min process!) the computer seems to get stuck on "Applying security policy".
0
 
LVL 10

Expert Comment

by:jayca
ID: 12003032
What GPOs do you have enabled?

What was the last thing you changed?
0
 
LVL 10

Expert Comment

by:jayca
ID: 12003051
I assume this is part of a domain... they aren't trying something silly like pushing a large install down via GPOs are they?
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 12003102
No, it's just a desktop PC and not part of a network. I don't know what a GPO is and I'm not the primary user, so I have no clue what was done before today. I can tell you that there are no audits currently enabled.
0
 
LVL 10

Expert Comment

by:jayca
ID: 12003117
Well you could unplug the network cable, then log in to the local admin acct, then log in as the user offline, that would tell us something.

It is leaning towards a group policy issue, but we need to verify that.
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 12003152
I could use some step-by-step instructions. There is no network cable to anything and I am now logged in as admin. (I have physical access to the machine now)
0
 
LVL 10

Assisted Solution

by:jayca
jayca earned 560 total points
ID: 12003161
Ahh okay, then if it is not part of a domain, then why not try and create a new profile and see how that treats you.

You can also go to Blackviper.com; he has a list of the bare minimum services you need to run.
0
 
LVL 10

Expert Comment

by:jayca
ID: 12003165
Does it matter what user you login as? Is it still super slow?
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 12003180
There has been an improvement in performance, but the boot up is still taking way too long as noted above. What would creating a new profile gain?
0
 
LVL 10

Expert Comment

by:jayca
ID: 12003183
0
 
LVL 10

Assisted Solution

by:jayca
jayca earned 560 total points
ID: 12003188
Well if you have a corrupt user profile, it could cause exactly what you are describing.
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 12003191
Also the unexplained disk activity has ceased so we have seen some progress.
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 12003197
Ok, I can create a new profile. How shall I proceed?

Thanks by the way for taking time to help me out  :-)
0
 
LVL 10

Expert Comment

by:jayca
ID: 12003210
Using Hijack this, you can delete these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) -

http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -

http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) -

http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?312

O17 - HKLM\System\CCS\Services\Tcpip\..\{347DEE52-1768-473E-B419-FAD1B4BFC7B8}: NameServer = 64.81.159.2
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 12003212
From the control panel, I'm unable to add a user. The button is gray.
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 12003215
Those have all been removed except for NameServer and the extra buttons.
0
 
LVL 10

Assisted Solution

by:jayca
jayca earned 560 total points
ID: 12003218
If it is a standalone machine like you said, as you are logged on as administrator: right click on My Computer, select MANAGE, then when the MMC fires up, go into Users and Computers. Create a user called test1 and add him to the administrators group. (Remember to delete after our testing is done)

0
 
LVL 10

Expert Comment

by:jayca
ID: 12003230
If it is greyed out.. are you sure this is not part of a domain? Right click on My Computer and go to Properties. It should say WORKGROUP... if it says domain, then it is in fact part of a domain.

0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 12003237
I don't see Users and Computers - I have Local Users and Groups
0
 
LVL 10

Assisted Solution

by:jayca
jayca earned 560 total points
ID: 12003243
http://www.geocities.com/mark_gamez/System_process_at_99_pct.html

Wow weird... this guy had the same issue and it ended up being hardware.

Hmmm, something to keep in mind. Popping the case off and a fan if you have one might be a good test too... but that would be after you verify the software is not the issue.
 
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 12003246
You are correct. In the System Properties - network id tab the workgroup name is WORKGROUP
0
 
LVL 10

Expert Comment

by:jayca
ID: 12003247
Local Users and Groups, sorry, that is what you want. If you can create a new user there, that would help test the profile when you log in as that user.
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 12003256
A hardware failure has crossed my mind. I'm contemplating a drive check and testing memory, but I don't want to overlook the obvious. (actually not so obvious in my case)
0
 
LVL 10

Expert Comment

by:jayca
ID: 12003266
I saw another link I had saved where the guy said it was a hard drive issue... but I kinda doubt that.

Were you able to create a user?
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 12003276
I have created user "test1" and added to the administrators group.
0
 
LVL 10

Expert Comment

by:jayca
ID: 12003278
You can also download CWShredder, extract it to a floppy and run it too.  http://computercops.biz/downloads-file-349.html

0
 
LVL 10

Expert Comment

by:jayca
ID: 12003280
Login as Test1 and let me know the performance and how long it takes to login.

0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 12003289
I logged off then logged back in at test1 and am presented with the Getting Started with Windows 2000 dialogue box. It seemed to work fine - took just a few seconds.
0
 
LVL 10

Assisted Solution

by:jayca
jayca earned 560 total points
ID: 12003298
Reboot and log in again and let me know what you think of the performance.  If it is now fine, then you have spyware or a corrupt user profile.

To fix a corrupt user profile, simply log in as the admin and rename the old profile as whatevername.old, then log in again... it will rebuild the profile.

The profiles will be listed in C:\Documents and Settings\PROFILENAMES
0
 
LVL 10

Expert Comment

by:jayca
ID: 12003335
Can't wait, passing out from no sleep :)

Seems like its all fixed, so GL bud!
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 12003339
Well, Windows started up faster - it didn't get stuck on "Applying security policy", but the desktop icons have not yet appeared - it's still thinking about it (the disk indicator is flashing and I hear the ticking).

It is behaving much the same as it had been, only instead of the security policies I'm waiting for the desktop. All I have is the task bar, clock and the blue background. It's been booting up for just under ten minutes now.

Well, go to bed - this thing can wait. Thanks!
0
 
LVL 10

Assisted Solution

by:jayca
jayca earned 560 total points
ID: 12003356
Go to computercops.biz in the downloads section, check on all the trojan detectors and spyware tools.

To be honest, you might be time ahead with getting a USB drive and backing up the data and rebuilding.

I would be willing to bet there is spyware on there somewhere.  I had one client where it literally took me 14 logins and 3 hours to get it to where I could run Spybot Search and Destroy :)  After that, it was all good.  (Use v 1.3)

So also run CWShredder.

It should not take 10 minutes to log in to this machine unless it was an old Pentium 133.

Strongly think about rebuilding the OS if you can....you will be time ahead and you can blame it on user downloads :)
0
 
LVL 4

Assisted Solution

by:jonnietexas
jonnietexas earned 440 total points
ID: 12003402
Check hard drive space (at least 2 x memory).
Remove files from c:\temp, c:\windows\temp or c:\winnt\temp
Go to the registry and
remove anything that you know should not be in
[HKEY_LOCAL_MACHINE][Microsoft][Windows][Current Version][Run] and [RunServices]

0
 
LVL 20

Assisted Solution

by:Debsyl99
Debsyl99 earned 400 total points
ID: 12004130
Hi

Gosh you've been busy! (Sorry it was bed-time here in UK) I can't see anything really untoward in your logs. So..... You can log on in safe mode fine, but it's just not booting up properly. It's unlikely to be a profile issue as you tested a new profile which logged in fine until rebooting, then gave exactly the same issue. So it would look like the system's hanging on something at boot up. You've run a repair install so at this point I'd say we should consider an installed app that's causing hanging or a driver problem, but we'll see..

Check the event logs - In control panel, double-click administrative tools, event viewer and check all the logs in there for red errors and warnings - post anything in there.
Check out your system devices in Device Manager - report any items with yellow exclamation marks - Access by double-clicking on the System icon in Control Panel, choosing the Hardware tab, and clicking Device Manager - again report any findings there,

Next download msconfig - it doesn't come with Win 2000 like it does with pretty much every other windows OS, so you'll need to download it and stick it in your system folder in Winnt - it works just fine with Windows 2000 (and it's small and doesn't take up lots of system resources either ;-)
See the bottom of this link for WinXP msconfig download
http://www.thetechguide.com/downloads.html
How to Use MSCONFIG
http://netsquirrel.com/msconfig/

This will allow disabling of specific startup items and services on bootup amongst other things, and so can be useful in troubleshooting start-up problems. However let's see your event logs first..

Deb :))
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 12005248
jonnietexas

I don't see anything in the registry where you pointed me that looks suspicious and the temp directory was pretty much empty to begin with. (it's completely empty now).

Thanks for the help, but it appears that the problem lies elsewhere.


Good morning, Debsyl99  :-)

I do not have an Internet connection to that machine at the moment, but I do have sneaker net available. Those on-line scanners will be difficult to employ. Do you have any alternate suggestions that I might try?

I’ll go ahead and get msconfig as you’ve suggested. Jayca has suggested CWShredder, which I have yet to try.

Where might I find those event logs exactly?
0
 
LVL 16

Assisted Solution

by:robrandon
robrandon earned 280 total points
ID: 12005319
I know it is time consuming, but I think you had ought to run CHKDSK.  Go to a DOS prompt and type:
CHKDSK C: /R

You will need to reboot your computer and it will check your hard disk on boot-up.  Let the process complete, don't reboot it in the middle of Checkdisk.

0
 
LVL 20

Assisted Solution

by:Debsyl99
Debsyl99 earned 400 total points
ID: 12005394
Hi
Time zones eh? (It's afternoon here). Once Trend downloads its virus signatures it will scan regardless of online or not - but downloading on a dialup will take a bit of time.
In Control Panel you have a folder called Administrative Tools - in there there's a shortcut to Event Viewer (or there really should be) - double click this icon, and you'll have three logs - application, security and system - double click each log and look for error messages, particularly over boot up periods (messages to look at have a big red X by them, warnings have a yellow !).

The security log may be blank (depends if auditing is configured or not) - but worth a look anyway, particularly at any failure audits if present,

Deb :))

0
 
LVL 4

Assisted Solution

by:jonnietexas
jonnietexas earned 440 total points
ID: 12005437
That's cool.  I wasn't going for something that was suspicious but rather for processes that don't need to be running.  My thought is you have a lot of processes running that are eating up your memory and the computer is having to cache a tremendous amount out to disk.  What I have listed are the usual culprits in my experience.  Enjoy!
0
 
LVL 10

Expert Comment

by:jayca
ID: 12008134
Good lord, slacker!  This isn't fixed yet?

:)
0
 
LVL 3

Accepted Solution

by:
hehewithbrackets earned 160 total points
ID: 12008561
Gee, lots of activity since yesterday.

I like Debsyl99's idea of checking the event logs.  

When you stated that the system runs fine in safe mode, that's a strong indication that your problem could be hardware related.
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 12008664
Yes, every step is painfully slow! As I said, it takes about 30 min just to boot up.

Once the desktop appeared, everything seems to be running relatively normally.

I made an Internet connection through the AOL interface and it connected without problems, but the system became bogged down just as soon as I fired up Internet Explorer. I was however able to start a Panda ActiveScan, when suddenly the system again slowed to a crawl.

Jonnietexas, about the only thing notable is the Norton antivirus protection. Perhaps that's what is misbehaving. I think I'll go ahead and remove it at the next opportunity. (I can always re-install it later).

I've noticed that when the system slows, the acoustical signature of the hard drive changes. It is the same sound that it makes while waiting for the desktop or the security policies. (Sounds more like a defrag operation rather than the typical read/write sounds that breeze right through.)

It's incredibly frustrating to have to wait 5 or ten minutes and longer for anything to respond.

I'll post an update just as soon as possible.
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 12008735
Just a thought. I have seen many systems that have this exact problem, and it is typically related to the drive being misconfigured. Either it is set to Slave instead of Master, or Cable Select and not on the last connector, or a CD, CDRW, DVD etc. is on the same channel, etc. Did you change any of the drive configurations or add a hard drive?

J

P.S. Way too many posts, someone may have already said this because I haven't read them all. If that is the case, accept my apologies ;)

J
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12008796
No I don't think they have JD (practically know this thread off by heart now ;-) but that's a good suggestion. By the way (should have asked this before) what ARE the specs of this PC anyway? ie Processor, RAM etc?
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 12008816
Not a problem, I can filter that out in my head  :-)

But no, I have not changed anything like that and I suspect the owner/user has not either. I can check that out when the system releases control to me again.  :-/
0
 
LVL 4

Assisted Solution

by:jonnietexas
jonnietexas earned 440 total points
ID: 12008841
You might consider creating a linux boot disk and performing memtest on it.  If it fails then it is definitely a hardware issue.
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 12008842
When you used the CD to reinstall/repair of the OS, did it seem to take a long time?

J
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 12008971
Hi Deb! ;)

J
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 12009106
No, that worked pretty well.

Bad news - the system crashed during the scan. But at least I can give you guys/gals the information you want.

The unit is a Dell OptiPlex GX110 Pentium III
Win2K Pro OS Build 2195 SP4
Computer: X86 Family 6 Model 8 Stepping 6 GenuineIntel
AT/AT Compatible
129,260 KB RAM

In the Event Viewer there are lots of warnings and errors. All or most related to disk and atapi.
"The device, \Device\ide\ideport0, did not respond within the timeout period" and
"An error was detected on device \Device\Harddisk0\DR0 during a paging operation"

Security Log is empty and the Application Log is also full of errors and warnings.

The system is now in safe mode.
0
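The two messages quoted in the post above are the classic Windows 2000 storage-stack events (atapi event 9 and disk event 51). The Python below is an added example, not code from the thread: it parses a CSV export of the System log (the sample rows are constructed, not the poster's actual log, and the column order is assumed from Event Viewer's "Save Log File As..." CSV), counts the storage errors, reports how many fell in the first 30 minutes after each boot (EventLog event 6005, the window Debsyl99 asked about), and gives a triage verdict.

```python
"""Triage a Windows 2000 System event log CSV export for signs of a failing IDE disk."""
import csv
import re
from collections import Counter
from datetime import datetime, timedelta
from io import StringIO

# Assumed Event Viewer CSV column order:
# Date, Time, Source, Type, Category, Event, User, Computer, Description
# Constructed sample rows; the two error texts mirror those quoted in the thread.
SAMPLE_SYSTEM_LOG_CSV = r"""9/7/2004,6:01:13 PM,EventLog,Information,None,6005,N/A,DELL-GX110,The Event log service was started.
9/7/2004,6:03:41 PM,atapi,Error,None,9,N/A,DELL-GX110,"The device, \Device\Ide\IdePort0, did not respond within the timeout period."
9/7/2004,6:03:52 PM,disk,Warning,None,51,N/A,DELL-GX110,"An error was detected on device \Device\Harddisk0\DR0 during a paging operation."
9/7/2004,6:04:30 PM,atapi,Error,None,9,N/A,DELL-GX110,"The device, \Device\Ide\IdePort0, did not respond within the timeout period."
9/7/2004,6:05:10 PM,disk,Error,None,7,N/A,DELL-GX110,"The device, \Device\Harddisk0\DR0, has a bad block."
9/7/2004,6:12:07 PM,Service Control Manager,Information,None,7035,N/A,DELL-GX110,The Spooler service was successfully sent a start control.
9/7/2004,6:47:19 PM,disk,Warning,None,51,N/A,DELL-GX110,"An error was detected on device \Device\Harddisk0\DR0 during a paging operation."
"""

# Well-known Windows 2000 storage-stack events, keyed by (source, event id).
STORAGE_SIGNATURES = {
    ("atapi", 9): "IDE device did not respond within the timeout period",
    ("disk", 7): "bad block on the device",
    ("disk", 11): "controller error reported by the driver",
    ("disk", 51): "I/O error during a paging operation",
}

# \Device\... paths as they appear in the description text.
DEVICE_PATH = re.compile(r"\\Device\\[A-Za-z0-9\\]+")


def parse_event_csv(text):
    """Turn the CSV export into a list of event dicts with a real timestamp."""
    events = []
    for fields in csv.reader(StringIO(text)):
        if len(fields) < 9:
            continue  # skip blank or truncated rows
        date, time, source, etype, _cat, event_id, _user, computer, desc = fields[:9]
        when = datetime.strptime(f"{date} {time}", "%m/%d/%Y %I:%M:%S %p")
        events.append({"when": when, "source": source, "type": etype,
                       "id": int(event_id), "computer": computer, "description": desc})
    return events


def storage_errors(events):
    """Keep only events matching a known storage-stack signature."""
    return [e for e in events if (e["source"].lower(), e["id"]) in STORAGE_SIGNATURES]


def boot_windows(events, minutes=30):
    """One (start, end) span per boot, anchored on 'The Event log service was started' (6005)."""
    return [(e["when"], e["when"] + timedelta(minutes=minutes))
            for e in events if e["source"] == "EventLog" and e["id"] == 6005]


def in_boot_window(event, windows):
    return any(start <= event["when"] <= end for start, end in windows)


def triage(text, boot_minutes=30):
    """Summarise storage errors and say whether the pattern points at the drive."""
    events = parse_event_csv(text)
    errors = storage_errors(events)
    counts = Counter((e["source"].lower(), e["id"]) for e in errors)
    devices = sorted({dev for e in errors for dev in DEVICE_PATH.findall(e["description"])})
    during_boot = sum(1 for e in errors if in_boot_window(e, boot_windows(events, boot_minutes)))
    kinds = set(counts)
    # Paging I/O errors together with timeouts, bad blocks or controller errors is the
    # pattern the thread ended on: back up first, then chkdsk /r and vendor diagnostics.
    if ("disk", 51) in kinds and kinds & {("atapi", 9), ("disk", 7), ("disk", 11)}:
        verdict = "likely failing drive, cabling or IDE configuration fault; back up data now"
    elif errors:
        verdict = "storage errors present; monitor and run vendor disk diagnostics"
    else:
        verdict = "no storage-stack errors found"
    return {"total_events": len(events), "storage_errors": len(errors),
            "by_signature": dict(counts), "devices": devices,
            "during_boot": during_boot, "verdict": verdict}


if __name__ == "__main__":
    report = triage(SAMPLE_SYSTEM_LOG_CSV)
    for (source, event_id), n in sorted(report["by_signature"].items()):
        print(f"{source}/{event_id}: {n} x {STORAGE_SIGNATURES[(source, event_id)]}")
    print(f"devices involved: {', '.join(report['devices'])}")
    print(f"{report['during_boot']} of {report['storage_errors']} errors within 30 min of boot")
    print(f"verdict: {report['verdict']}")
```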
 
LVL 16

Assisted Solution

by:robrandon
robrandon earned 280 total points
ID: 12009139
I'm pretty sure you have a bad hard drive....

I know it is time consuming, but I think you had ought to run CHKDSK.  Go to a DOS prompt and type:
CHKDSK C: /R

You will need to reboot your computer and it will check your hard disk on boot-up.  Let the process complete, don't reboot it in the middle of Checkdisk.


Please do this and post results..... I'm getting waaaayyyy too many emails for this thread.....let's resolve this.
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12009157
Try Rob's suggestion with the CHKDSK C: /R, plus you are a bit light on RAM for Win2k and a load of apps,



Deb :))
0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 12009253
C:\>chkdsk c: /r
The type of the file system is NTFS.
Cannot lock current drive.

Chkdsk cannot run because the volume is in use by another process.
0
 
LVL 20

Assisted Solution

by:Debsyl99
Debsyl99 earned 400 total points
ID: 12009256
Should've refreshed the page first, but at least we both agree ;-)
And I think if you haven't already, now would be the time to get any data off the machine that is of value,
Dell Diagnostic Utility for Dell OptiPlex GX110 Pentium III
http://support.dell.com/support/downloads/format.aspx?c=us&l=en&s=gen&SystemID=PLX_PNT_P03_GX110&os=WNT5&osl=en&deviceid=196&devlib=13&category=13&releaseid=R31620

Deb :))

0
 
LVL 20

Assisted Solution

by:Debsyl99
Debsyl99 earned 400 total points
ID: 12009279
Let it run - give it enough time and it should offer to check your drive next boot-up - so long as you select Yes (Y) and give yourself a few hors by the sound of it!
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12009289
That was supposed to say hours by the way - Hi JD :))
0
 
LVL 9

Assisted Solution

by:jdeclue
jdeclue earned 80 total points
ID: 12009523
Starting to make sense, I would suspect a configuration error, then hard drive... then controller. Too many people in here, I feel claustrophobic, besides you all got it covered! ;) See ya 'round Deb!

J
0
 
LVL 10

Expert Comment

by:jayca
ID: 12011363
Do you have any spare drives you can use?  And you only have 128 megs of mem, that's not much with all that stuff they have running FYI :)

0
 
LVL 4

Author Comment

by:Analog_Kid
ID: 12084827
The problem has been positively identified as a bad hard drive. The drive eventually failed completely but I did manage to retrieve the data first.

Thanks for all your help - your assistance was invaluable to me.
I’ve split the points among the comments that I found to be the most helpful and awarded the answer to hehewithbrackets for being the first to correctly identify the root cause of the trouble as hardware related.

Thanks again for all your help!
0
 

Expert Comment

by:moreinformation
ID: 12284477
Perhaps he should look for *.Temp and *.tmp files in his computer and then get rid of anything to do with Norton AV...
0
