[crdenny]

Hi,

Over a period of a week or so, I worked with a great tech on the malware forum under the assumption that it was a malware problem causing my CPU to max out so often and causing various system errors. What precipitated this was a HJT log for which an automated analyzer recommended that I consult an expert. Now it seems that malware probably wasn't involved, or at least not to a great degree, and my computer's problems are more likely appropriate to this forum. Mpascal told me to start a new thread here, linking to the previous thread, and that he would speak to someone here about it as well.

The link is: http://www.geekstogo...on-t275017.html. If you'd be willing to take a look at this and advise me how to proceed, I would greatly appreciate your help.

Since my last post in the previous thread, I've installed avast! AV (replacing my long, torturous relationship with McAfee) and Comodo Firewall (NOT including the added AV, obviously). I also am trying the NoScript add-on in the newest version of Firefox, as well as a trial (which seems to help performance so far) of Process Lasso 3.84. I mention this only to note that my problems with CPU hitting and staying at 100% during various tasks, especially when I attempt to watch most kinds of streaming video (other than very low quality YouTube), as well as the BSOD "device-or-driver"-related errors are identical to what they were while I was working - temporarily, at mpascal's request - without any AV installed or any of the other software I just listed.

Today's Event Log errors and "popups" were typical, so just to help give you some idea I'll copy below a section of that log with accompanying info from Microsoft. I apologize in advance if this is too much information - in case there's a clue that I don't recognize, I'm including some innocuous entries before the registry recovery ones (in the middle) and the blue screen error (the last entry here). I'll limit what I post to whatever you specifically request from this point on.

Thanks very much for any help you can provide.

crdenny



PARTIAL EVENT LOG 5-5-10:

Event Type: Information
Event Source: iPod Service
Event Category: None
Event ID: 0
Date: 5/5/2010
Time: 1:38:07 PM
Description:
The description for Event ID ( 0 ) in Source ( iPod Service ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
____________________________________________________________________________

Event Type: Information
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 5/5/2010
Time: 2:10:45 PM
Description: Service started

____________________________________________________________________________

Event Type: Information
Event Source: gupdate1c8ee19b2d69640
Event Category: None
Event ID: 0
Date: 5/5/2010
Time: 2:10:45 PM

Description:
The description for Event ID ( 0 ) in Source ( gupdate1c8ee19b2d69640 ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
_____________________________________________________________________________

Event Type: Information
Event Source: gusvc
Event Category: None
Event ID: 0
Date: 5/5/2010
Time: 2:10:45 PM

Description:
The description for Event ID ( 0 ) in Source ( gusvc ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.
_____________________________________________________________________________

Time: 2:10:49

The description for Event ID ( 0 ) in Source ( LVCOMSer ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service started.

______________________________________________________________________________

Time: 2:11:21

The description for Event ID ( 0 ) in Source ( gupdate1c8ee19b2d69640 ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Service stopped.
_______________________________________________________________________________

Event: 100
Time: 2:11:23

SearchIndexer (1624) The database engine 5.01.2600.5512 started.

Details
Product: Windows Operating System
ID: 100
Source: ESENT
Version: 5.2
Symbolic Name: START_ID
Message: %1 (%2) %3The database engine %4.%5.%6.%7 started.

Explanation
The extensible storage engine database engine started.
_______________________________________________________________________________

Event: 1800
Time: 2:11:23

The Windows Security Center Service has started.
_______________________________________________________________________________

Event: 102
Time: 2:11:23

Windows (1624) Windows: The database engine started a new instance (0).
________________________________________________________________________________

Event: 300
Time: 2:11:23
Windows (1624) Windows: The database engine is initiating recovery steps.
________________________________________________________________________________

Time: 2:11:24
Type: Information
Source: ESENT
Category: Logging/Recovery
Event: 301

Windows (1624) Windows: The database engine has begun replaying logfile C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS.log.

Details
Product: Windows Operating System
ID: 301
Source: ESENT
Version: 5.2
Symbolic Name: STATUS_REDO_ID
Message: %1 (%2) %3The database engine has begun replaying logfile %4.
_________________________________________________________________________________

Time: 2:11:25
Type: Information
Source: ESENT
Category: Logging/Recovery
Event: 302

Windows (1624) Windows: The database engine has successfully completed recovery steps.

Details
Product: Windows Operating System
ID: 302
Source: ESENT
Version: 5.2
Symbolic Name: STOP_REDO_ID
Message: %1 (%2) %3The database engine has successfully completed recovery steps.

Explanation
The Exchange store database engine successfully completed recovery steps. Event ID 302 can be associated with System Event ID 4224 or Event ID 7023. You may also see ESENT Event ID 100, 300, or 301 in the Application log file.
__________________________________________________________________________________
__________________________________________________________________________________

Time: 3:45:33
Type: Error
Source: ESENT
Category: Database Page Cache
Event ID: 474

wuauclt (996) The database page read from the file "C:\windows\SoftwareDistribution\DataStore\DataStore.edb" at offset 38678528 (0x00000000024e3000) for 4096 (0x00001000) bytes failed verification due to a page checksum mismatch. The expected checksum was 2061508858 (0x7ae020fa) and the actual checksum was 2059411706 (0x7ac020fa). The read operation will fail with error -1018 (0xfffffc06). If this condition persists then please restore the database from a previous backup.
___________________________________________________________________________________
___________________________________________________________________________________

[IDENTICAL ENTRY - TWICE, A FEW SECONDS APART:]

Event Type: Information
Event Source: Application Popup
Event Category: None
Event ID: 26
Date: 5/5/2010
Time: 7:04:25 PM and 7:04:44
Description:

Application popup: Windows - Registry Recovery : One of the files containing the system's Registry data had to be recovered by use of a log or alternate copy. The recovery was successful. For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

File name: ntdll.dll
File version: 5.1.2600.5755

Details
Product: Windows Operating System
ID: 26
Source: Application Popup
Version: 5.2
Symbolic Name: STATUS_LOG_HARD_ERROR
Message: Application popup: %1 : %2

Explanation
The program could not load a driver because the program user doesn't have sufficient privileges to access the driver or because the drive is missing or corrupt.


User Action
To correct this problem:

Ensure that the program user has sufficient privileges to access the directory in which the driver is installed.
Reinstall the program to restore the driver to the correct location.
___________________________________________________________________________________

Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7035
Date: 5/5/2010
Time: 7:04:44 PM
User: NT AUTHORITY\SYSTEM
Description:
The Fast User Switching Compatibility service was successfully sent a start control.

File: netevent.dll
File version: 5.1.2600.0
___________________________________________________________________________________

Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7036
Date: 5/5/2010
Time: 7:04:44 PM
User: N/A
Description:
The Fast User Switching Compatibility service entered the running state.
___________________________________________________________________________________

Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7035
Date: 5/5/2010
Time: 7:05:27 PM
User: NT AUTHORITY\SYSTEM
Description:
The Google Software Updater service was successfully sent a start control.
___________________________________________________________________________________

Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7036
Date: 5/5/2010
Time: 7:05:27 PM
User: N/A
Description:
The Google Software Updater service entered the running state.

Details
Product: Windows Operating System
ID: 7036
Source: Service Control Manager
Version: 5.2
Symbolic Name: EVENT_SERVICE_STATUS_SUCCESS
Message: The %1 service entered the %2 state.

Explanation
The specified service changed to the state indicated in the message.
___________________________________________________________________________________

Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7035
Date: 5/5/2010
Time: 7:05:29 PM
User: NT AUTHORITY\SYSTEM
Description:
The iPod Service service was successfully sent a start control.
___________________________________________________________________________________

Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7036
Date: 5/5/2010
Time: 7:05:29 PM
User: N/A
Description:
The iPod Service service entered the running state.

Details
Product: Windows Operating System
ID: 7036
Source: Service Control Manager
Version: 5.2
Symbolic Name: EVENT_SERVICE_STATUS_SUCCESS
Message: The %1 service entered the %2 state.

Explanation
The specified service changed to the state indicated in the message.
___________________________________________________________________________________

[IMMEDIATELY AFTER I LOGGED ON WITH PWD:]

Event Type: Error
Event Source: System Error
Event Category: (102)
Event ID: 1003
Date: 5/5/2010
Time: 7:06:16 PM
Description:

Error code 00000024, parameter1 001902fe, parameter2 f7903920, parameter3 f790361c, parameter4 f72de36e.

Data:

System Error
Error code: 00000024
Parameters: 001902fe, f7903920, f790361c, f72de36e

0000: 53 79 73 74 65 6d 20 45
0008: 72 72 6f 72 20 20 45 72
0010: 72 6f 72 20 63 6f 64 65
0018: 20 30 30 30 30 30 30 32
0020: 34 20 20 50 61 72 61 6d


Details
Product: Windows Operating System
ID: 1003
Source: System Error
Version: 5.2
Symbolic Name: ER_KRNLCRASH_LOG
Message: Error code %1, parameter1 %2, parameter2 %3, parameter3 %4, parameter4 %5.

Explanation
A blue screen (Stop error) was reported. The message contains details about the error. A matching event with Event ID 1001 might also appear in the event log. This matching event displays information about the specific error that occurred.

0028: 65 74 65 72 73 20 30 30
0030: 31 39 30 32 66 65 2c 20
0038: 66 37 39 30 33 39 32 30
0040: 2c 20 66 37 39 30 33 36
0048: 31 63 2c 20 66 37 32 64
0050: 65 33 36 65

[Advertisements]

I don't have the time to read the other thread...
did you try running chkdsk /r yet
or memtest
try this...Create a new user account with administrative rights ...reboot and log onto the new account...does it have the same problems

Edited by happyrock, 06 May 2010 - 06:17 PM.

[happyrock]

I don't have the time to read the other thread...
did you try running chkdsk /r yet
or memtest
try this...Create a new user account with administrative rights ...reboot and log onto the new account...does it have the same problems

Edited by happyrock, 06 May 2010 - 06:17 PM.

[crdenny]

Well, obviously you did NOT need to read the previous thread, as I think you've already pinpointed the major source of the problem(s). Running Memtest, it turns out that there are memory reading/writing errors all over the place, so I guess I must have defective memory, either in the two additional cards I installed a couple of years ago (raising the RAM from 512 to 1 GB) or, in a worse scenario, in the motherboard itself. I've also wondered if my laptop's fans are working properly - I had them checked and cleaned just a year ago, but they've gotten quite noisy again and don't put out a lot of air - and I see that my CPU temperature is up to about 71C, where I think ~76C is the max for an Intel Pentium 4. Could that be hot enough to cause all of those errors?

I had run thorough CHKDSK's before, but I ran the /r version from the command line as you suggested and it found no discernible problems, just as in the past. But I actually had never used Memtest before, so I downloaded the free version of Memtest 4.0 from Softpedia and ran it, first in regular mode and then in safe mode. It had already counted 28 errors by the time it reached 2.0% coverage... I assume I'll have to open (or have someone more experienced with laptops open) the computer up and swap out the memory cards, running Memtest each time in the hopes that one of the added ones is defective and causing the errors.

Interestingly, though, in spite of these fairly definitive results, I also found that following your suggestion to create a new profile with admin rights, reboot and log in to the test profile, I could then watch saved HD video on GOM Player with no real problem - instead of sitting at 100% as it's been doing, the CPU now hovered from 50-75% and there was no noticeable jerkiness, no freezing and no sync problem. (This was very new... What could I do to get those same results when logged onto my own main profile?)

However, when I tried playing iTunes video (which I think of as the acid test since it used to play perfectly on this laptop and more recently can't be played at all), it was just as it has been of late - freezing, jerking from still frame to still frame while the audio continued ahead, with the CPU stuck at 100%. Streaming video was bad, but a little better than it has been: Testing it on CW.com, the CPU sat at 100% but the video was largely watchable anyway except for a few times when a/v sync was lost. On nbc.com, though, it would only play for twenty seconds before starting to freeze, stagger, etc., with the CPU maxed out at 100%.

I'd really appreciate getting your best step-by-step advice on how to troubleshoot and, with a lot of luck, fix my memory problem, plus any other advice on what I can do to improve things.

Thanks very much for your help.

[happyrock]

if you get any errors running memtest the ram HAS to be replaced...
go here to see what your computer can support as far as memory is concerned...you can just have them scan your system...we just need to know EXACTLY what your computer will support...

[crdenny]

I ran the crucial.com scan and, if I understood right, it looks like all of the RAM in my system is replaceable, which I did not know. That's fantastic news!

Below are the scan results. So, based on this, should I just order two new 512MB's from here and replace the current ones with those, then run Memtest again (and pray)? If so, please let me know if there are any special instructions or precautions to take in doing that... Thanks for your help!
___________________________________________________________________________________________________

Currently installed memory:

512MB
DDR PC2700

512MB
DDR PC2700

Each memory slot can hold DDR PC2700 with a maximum of 512MB per slot.

* Maximum Memory Capacity: 1024MB
* Currently Installed Memory: 1GB
* Available Memory Slots: 0
* Total Memory Slots: 2
* Dual Channel Support: No
* CPU Manufacturer: GenuineIntel
* CPU Family: Intel® Pentium® 4 CPU 2.80GHz Model 2, Stepping 9
* CPU Speed: 2093 MHz

2 of 2 compatible DDR upgrades:

US $39.99
compatible upgrade
512MB
Part #: CT720703 • DDR PC2700 • CL=2.5 • Unbuffered • NON-ECC • DDR333 • 2.5V

-OR-

US $17.99
compatible upgrade
256MB
Part #: CT499014 • DDR PC2700 • CL=2.5 • Unbuffered • Non-parity • DDR333 • 2.5V • 32Meg x 64

[happyrock]

order the two new 512MB sticks...when they arrive...unplug computer from the wall ...remove the battery...remove the ram cover...replace the ram and put it all back together ...fire it up and go back to work/play

[crdenny]

I've placed the order and will receive the memory sticks in about 2 days. Will install and report back regarding new Memtest results and (hopefully much improved) system performance after installation. Thanks.

[happyrock]

I wouldn't bother running memtest unless your having issues...

[crdenny]

Hi,

I've received and installed the new memory sticks, and that went without a hitch. The memory is now error-free and I can feel a difference in the speed with which the computer performs normal tasks.

However, surprisingly, when I put it to the test with those same kinds of iTunes, HD and streaming video, I found that only when playing an HD video file, saved on the hard drive, on GOM Player had playback truly returned to normal. This is true now whether I'm using the memory-monitoring utility I recently installed, Process Lasso, or not. (Playing low-quality saved video files, such as downloaded normal YouTube files, on an app like GOM Player has never been a problem.) Playing (protected) iTunes video - whether HD or standard, whether using files stored on the hard drive or on an external drive, and whether logging into my normal user account or the alternate, relatively bare "test" account you had me set up last week - resulted, sometimes after a few seconds of more normal playback, in the same problems as before: CPU at 100%, freezing and staggering from one still frame to another while the sound continued out of sync. (This is particularly puzzling and aggravating because I can't even begin to play the oldest non-HD iTunes video I have, which had always played perfectly for years until... whenever these problems began in earnest.) Attempting to play streaming video on abc.com or cw.com was pointless, as it just hiccuped from frame to frame and fell out of a/v sync quickly, again with CPU maxed out.

One thing which is instantly noticeable since installing the new RAM is that, using the "test" account, the bootup (with Firewall, AV, Process Lasso, etc., all running) was almost instantaneous, whereas with my normal account the Local Area Connection icon often takes minutes to appear, while the AV may or may not seem to be partially disabled; generally, when that happens, once the LAC icon appears the AV returns to normal at the same moment. That may have nothing to do with these other issues, but I thought it worth mentioning. I wish I could pare down my normal account's startup enough to have anywhere near that fast a bootup...

Since the memory replacement, I've had no registry or BSOD errors (knock on wood!).

And, by the way, all my drivers seem to be up-to-date.

I'd appreciate any help you can give me to repair this ongoing problem! Thanks...

[happyrock]

did you run memtest on the new ram...
press ctrl + alt + delete keys (all three at the same time) then processes tab...get a screenshot for the old slow account and the new account...
drag the bottom of the task manager window down so that all the processes are showing before taking the screenshots...

if you don't know how to post a screenshot...go here...

[crdenny]

Yes, I did run memtest on the new memory, and testing "all available memory" it displayed no errors. Below is the screenshot of processes. Thanks for replying, and for whatever you can do.

Attached Thumbnails

• 

[happyrock]

log into your normal account...go to START..RUN...type in MSCONFIG...then press ENTER..
click on START UP TAB...uncheck everything EXCEPT your AV and firewall...

if its a laptop you have to be careful about what you uncheck or your touch pad and wireless and things like that will not function for you..or get a screenshot and I will tell you what to leave checked

the next thing we are going to do is turn off indexing ....its a resource hog and if you aren't searching for things on your computer 10 times a day it will only slow down your system....

click on start...my computer...right click on C: drive....properties...on the general tab..uncheck ...allow indexing on this drive and compress drive....

To clean your temp folder, recycle bin, index.dat etc..please download this free tool...

CCleaner

Don't install any Toolbars, or other programs, should it ask you...Just
uncheck the option of installing the Yahoo toolbar....if you get
the slim version it does not have the toolbar
thats the one I recommend...
It will put a shortcut on your Desktop.

Click on CCleaner to start it....
Before first use...
Select Options then Advanced.
UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
also UNCHECK Old Prefetch data..
The rest of the standard settings are fine...

Then click "Run Cleaner"

DO NOT USE ANY OF THE OTHER TOOLS...RUNNING THEM MAY CAUSE OTHER PROBLEMS

next get diskeeper lite here...

after installing it...click on the icon...close the "nag" screen...click on your c drive to select it ...then down towards the bottom ...click on defragment now...first time you use it it may take 15 to 30 minutes to complete...do it about every two weeks and it will complete in about 7 minutes...
reboot and tell me hows its running...

[crdenny]

Hi,

Okay, I've done everything you listed. Unfortunately, the disabling 100% CPU phonomenon continues.

I had already unchecked indexing and drive compression, as it turns out.

I had also run CCleaner recently, but using your settings and an updated version I deleted more this time.

I've been using a defragmenter, probably not quite often enough, called Smart Defrag. Diskeeper Lite found a lot to do, though, on both my C: and (partitioned) D: drives, so I must have needed to defrag again by now. Or maybe Smart Defrag just isn't as good an app.

I unchecked everything in msconfig Startup except avastUI, ipoint, cfp, and apoint. After rebooting, I tried the acid test, namely playback of iTunes video because it's been utterly unwatchable lately and used to be absolutely perfect. At this point, its performance was just as bad as it has been recently, with CPU stuck at 100% and the picture either freezing completely or stuttering from one freeze-frame to another. So I looked at the Task Manager and was amazed to find many of the startup items I had unchecked running in the process list anyway. I went back to msconfig and to the Process tab; after checking "Hide all Microsoft services", I unchecked everything except avast! Antivirus, avast! Email Scanner and avast! Web Scanner; plus COMODO Live Support (probably could have unchecked that) and COMODO Internet Security. Restarted again. This time, only the intended, minimal processes appeared (as far as I can tell, anyway) in the Task Manager process list. So I tried iTunes again - this time, I would say it was up to 50% better, which seemed correlated to the CPU load being a whopping 2% better at times - jumping down to 98% or so here and there instead of always stuck at 100%. After a couple of minutes of playback, though, the CPU would eventually edge back up to 100% and the performance would then fail as before.

I also tested streaming video (on nbc.com, cwtv.com, etc.) in each of my three browsers - IE7, Firefox 3.6 and Google Chrome. In short, it was bad in all three of them even when I set video quality to standard rather than HD, though if I used a smaller window on cwtv.com, I could sometimes get a fluid streaming video playback.

I mention the browsers because I was surprised, after using them, to find that on my msconfig startup list, three items had added themselves back with new checked entries, and two of the three of them didn't make sense to me: ezSP_px.exe - which is in the system32 folder and is apparently part of the Pinnacle video software (which I like but haven't used in awhile, since I only use it occasionally to digitize VHS); ctfmon.exe - which is also in the system32 folder as it should be but which seems to have nothing to do with anything I was doing; and GoogleToolbarNotifier - probably added by Google Chrome. I'm curious - does any of that look suspicious to you?

I should add, though, that in my previous thread on the malware forum (http://www.geekstogo...on-t275017.html), we seemed to have exhausted every possible means of finding any kind of malware. After having done all that, it would be mind-bending to find something still hiding at this stage.

Just in case this is useful, I'm attaching three screenshots: One is the Task Manager process list during (frozen) iTunes video playback; the next is the same list a couple of minutes later, with the system at rest and no video or other known resource hogs running. The last one is my original msconfig startup list, the way I had it before beginning to follow your instructions. Could you tell me which of the items on that list I should check normally and which I should permanently leave unchecked?

Thanks again. Hope you find some helpful clue in all this...

Attached Thumbnails

• 
• 
• 

[happyrock]

uncheck cfp too...then try again...
nojoy.... try uninstalling itunes...then try going to nbc.com, cwtv.com, etc

[crdenny]

Hi,

I'm really bummed to be such a drag, but with one small exception (I'll explain), I couldn't get any improvement with this yet again. Uninstalling iTunes doesn't seem to have affected anything regarding streaming video CPU load, etc. While I was at it, I also uninstalled a few other pieces of video-related software (though there are still others installed) like Any Video Converter and an FLV editor, hoping that some rogue driver was messing me up - but again, no difference.

The attempt to get around the firewall was a pain, and not really successful. I don't want to uninstall the whole COMODO firewall unless you think it's necessary, as I seem to recall that installation was laborious (safe mode, etc.), but... Unchecking cpf and restarting led to all my browsers being unwilling to connect to the internet. So I rechecked cpf, restarted, and then disabled the firewall directly; once, I disabled it while already online and playing video on nbc.com - the video quickly improved (still jerky, but better), but within a minute the browser had frozen again. Other times, I went online and then disabled both the firewall and the AV, which led to whichever browser(s) I was using quickly going offline. The one possible clue I noticed is that, even though the firewall indicated that all of its shields were disabled, and a warning popped up to that effect, the Security Manager in the Control Panel still listed firewall as "ON"; I'm guessing that there might be a default setting in Comodo Firewall that prevents internet access when the firewall is down, much as it does during startup before XP fully loads and before the firewall icon appears. Is that possible? Anyway, very frustrating!

I should mention that, towards the end of my working with the previous tech on the malware forum, I had completely uninstalled McAfee (which at the time was my antivirus AND firewall) at his request and then, with no AV active, toggled the Windows FW on and off while testing things - during that time, the iTunes video performance and CPU issues never improved no matter whether a firewall (or AV) was enabled or not. So I doubt the CPU and video problems are directly related to the firewall being on or off. (I think I did turn the Windows FW on, for safety's sake, whenever I went online to test streaming video - under those conditions, it never improved.)

All that said, if you want me to completely uninstall Comodo firewall and check things out again that way, of course I'll do it.

Do any other approaches come to mind? Or are we running out of things to test?

Sorry not to have more interesting results to report. I do appreciate your help.