Repeated Intermittent Episodes of Runaway Disk Activity



#46
britechguy


OK, based on the above I did turn off thumbnails and clean them out using Disk Cleanup on C:.  I think it's important to note that this is the only disk on which Disk Cleanup will recognize the presence of Thumbs.db files.  I have my hard drive partitioned into two logical drives and all user data is kept on the D: drive.  If you try running Disk Cleanup on that drive the option to remove Thumbs.db files is not offered.   I removed them by doing a find using Search Everything and then deleting every instance found.  It also looked as though Disk Cleanup missed an instance or two on the C: drive, too.  I hand nuked those as well.

 

The first pair of VEW files is from a reboot immediately following my having turned off the thumbnails feature and having removed existing ones.

 

The second pair of VEW files is from a subsequent reboot after I'd turned the thumbnails feature back on.

 

I have had an instance or two of high disk usage.  The two process explorer snapshots were taken just before the shutdown after I'd turned the thumbnails feature off.  What I need to keep an eye on now, though, is whether this usage "sticks" like it used to, effectively causing the system to become unusable or if it resolves.  I've been doing so many shutdown/startup cycles the last several days I haven't really had a typical "the computer's been on for a couple of days now and suddenly the disk drive light is staying on solid again" moments.   I will now begin monitoring this again.

 

This morning my startup/shutdown cycles are moving briskly, but I think that's as much a function of the system having not been up for very long as anything else.  I've always been able to get fast shutdowns if they're done fairly promptly after any given startup.

 

I really want to thank you, sincerely, for all the time and effort you've put in to helping me.  This has been a long, iterative process and I'm sure that it's getting old for you by now.  Having been on "your side of the fence" in the past gives me an even greater appreciation for your patient assistance.  I hope I'm considered "a cooperative patient."



#47
britechguy


As it so happens, I just experienced another period of runaway disk activity that has just resolved.  This was very shortly after a full system restart from a complete shutdown, which I did to create a "clean slate for monitoring."  When I went to start entering this post I got one of my classic "not responding" episodes with Firefox that tends to accompany these.  I had Process Explorer up and hope I might have captured something in the snapshot that will prove useful.


#48
RKinner


I'm wondering if these:

 

Log: 'Application' Date/Time: 04/02/2015 3:17:35 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   6 user registry handles leaked from \Registry\User\S-1-5-21-3700817450-263443993-1340972289-1001:
Process 520 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001
Process 520 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001
Process 1392 (\Device\HarddiskVolume2\Windows\SysWOW64\Fast Boot\FastBootAgent.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001
Process 520 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\My
Process 520 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\CA
Process 520 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\Disallowed
 
 
Are caused by your Zimbra Desktop.  Process Explorer is saying the certificate is expired for: zdesktop.exe 0.62 230,440 K 132,828 K 404 (Certificate expired)  Perhaps there is a connection.  Is there a newer Zimbra available?
 
Also your ETDCtrl.exe 10.61 3,340 K 2,452 K 2828 ETD Control Center ELAN Microelectronic Corp. (Verified) Microsoft Windows Hardware Compatibility Publisher is taking too much CPU time for what it does.  Can you see if there is a newer version on Asus' website?  Do you really use it?  "Preinstalled on certain laptops such as Asus Eee and developed by ELANTECH Devices Corp, this program makes possible multi-touch functions like scrolling, zooming, and rotating pictures using the touchpad."
 
I see Spybot had a hiccup.  Is this the latest version of Spybot?
 
Looks like the thumbs.db helped for one boot then it was back to being sick.
 
The Process Explorer you caught after your last episode shows a much higher Interrupts value.  Probably a driver problem.  So I'm wondering if the ETD Control Center software is at fault.
 
Panda is also taking more CPU time than I would expect.  Is this the free version?


#49
britechguy


 

I'm wondering if these:

 

Log: 'Application' Date/Time: 04/02/2015 3:17:35 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   6 user registry handles leaked from \Registry\User\S-1-5-21-3700817450-263443993-1340972289-1001:
Process 520 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001
Process 520 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001
Process 1392 (\Device\HarddiskVolume2\Windows\SysWOW64\Fast Boot\FastBootAgent.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001
Process 520 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\My
Process 520 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\CA
Process 520 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\Disallowed
 
 
Are caused by your Zimbra Desktop.  Process Explorer is saying the certificate is expired for: zdesktop.exe 0.62 230,440 K 132,828 K 404 (Certificate expired)  Perhaps there is a connection.  Is there a newer Zimbra available?
 
I am currently on the latest version of Zimbra.  It does not automatically start when the system comes up, I have to start it myself (and that includes background processes, which don't trigger until I start Zimbra Desktop for the first time).
 
Also your ETDCtrl.exe 10.61 3,340 K 2,452 K 2828 ETD Control Center ELAN Microelectronic Corp. (Verified) Microsoft Windows Hardware Compatibility Publisher is taking too much CPU time for what it does.  Can you see if there is a newer version on Asus' website?  Do you really use it?  "Preinstalled on certain laptops such as Asus Eee and developed by ELANTECH Devices Corp, this program makes possible multi-touch functions like scrolling, zooming, and rotating pictures using the touchpad."
 
I was on v 3.5.0.7 and there is 3.0.5.9, which is now installed.  I do "use it" in that it's the device driver for the mousepad on the laptop with additional software for various controls like gestures, etc.
 
I see Spybot had a hiccup.  Is this the latest version of Spybot?
 
It is.
 
Looks like the thumbs.db helped for one boot then it was back to being sick.
 
The Process Explorer you caught after your last episode shows a much higher Interrupts value.  Probably a driver problem.  So I'm wondering if the ETD Control Center software is at fault.
 
Take a look at the first two process explorer snapshots attached  (#s 3 & 4).
 
Panda is also taking more CPU time than I would expect.  Is this the free version?
 
Yes.
 
I should mention that the Spybot issue appears to have cropped up after I put Speed Fan in Startup.  I can, of course, back this out and see if the problem disappears.
 
When I restarted the system earlier, and took the first two attached snapshots, it was in a disk thrashing period.  It seems that if I try to "rush" the system by starting programs shortly after boot up I can induce this behavior (though I'm not trying to do so).  If I walk away it eventually stops.   This is not the same as when it happens "spontaneously" (or at least it generally isn't) in that those "after the machine's been running" episodes don't ever seem to resolve.
 
The last process snapshot (#6) was taken a few moments ago.
 
 
 

 


#50
britechguy


For amusement's sake, I decided to clear the System and Application logs and take Speed Fan out of the StartUp program group.

 

The results:

 

VEW System Log:

--------------------------------------------------------------------

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 04/02/2015 9:07:53 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 05/02/2015 2:03:06 AM
Type: Error Category: 0
Event: 7034 Source: Service Control Manager
The Realtek DHCP Service service terminated unexpectedly.  It has done this 1 time(s).

Log: 'System' Date/Time: 05/02/2015 2:03:03 AM
Type: Error Category: 0
Event: 4 Source: Microsoft-Windows-Time-Service
The time provider 'VMICTimeProvider' failed to start due to the following error: The specified module could not be found. (0x8007007E)

Log: 'System' Date/Time: 05/02/2015 2:02:58 AM
Type: Error Category: 0
Event: 7006 Source: Service Control Manager
The ScRegSetValueExW call failed for FailureActions with the following error:  Access is denied.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 05/02/2015 2:01:45 AM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.

Log: 'System' Date/Time: 05/02/2015 2:01:42 AM
Type: Warning Category: 0
Event: 10002 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN Extensibility Module has stopped.  Module Path: C:\Windows\system32\Rtlihvs.dll

--------------------------------------------------------------------

 

VEW Application Log:

--------------------------------------------------------------------

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 04/02/2015 9:08:49 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 05/02/2015 2:00:48 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   6 user registry handles leaked from \Registry\User\S-1-5-21-3700817450-263443993-1340972289-1001:
Process 480 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001
Process 480 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001
Process 1636 (\Device\HarddiskVolume2\Windows\SysWOW64\Fast Boot\FastBootAgent.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001
Process 480 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\My
Process 480 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\CA
Process 480 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3700817450-263443993-1340972289-1001\Software\Microsoft\SystemCertificates\Disallowed

--------------------------------------------------------------------

 

I now seem to be consistently getting a period of really heavy disk activity for a period of time after startup.  This is actually new.


Edited by britechguy, 04 February 2015 - 08:24 PM.
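
The Event 1530 warnings quoted in this thread name every process that still held a handle into the user's registry hive when the profile was unloaded. As an added example (not part of the original posts), the Python below parses VEW text output and tallies those holders per process; the function names are hypothetical, and the sample is two records from the post above, with the 1530 message text abridged.

```python
import ntpath
import re
from collections import defaultdict

# Two records taken from the VEW logs in the post above (1530 message abridged).
SID = "S-1-5-21-3700817450-263443993-1340972289-1001"
SAMPLE = r"""Log: 'Application' Date/Time: 05/02/2015 2:00:48 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now.     DETAIL -   6 user registry handles leaked from \Registry\User\<SID>:
Process 480 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\<SID>
Process 480 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\<SID>
Process 1636 (\Device\HarddiskVolume2\Windows\SysWOW64\Fast Boot\FastBootAgent.exe) has opened key \REGISTRY\USER\<SID>
Process 480 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\<SID>\Software\Microsoft\SystemCertificates\My
Process 480 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\<SID>\Software\Microsoft\SystemCertificates\CA
Process 480 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\<SID>\Software\Microsoft\SystemCertificates\Disallowed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 05/02/2015 2:03:06 AM
Type: Error Category: 0
Event: 7034 Source: Service Control Manager
The Realtek DHCP Service service terminated unexpectedly.  It has done this 1 time(s).
""".replace("<SID>", SID)

HEADER = re.compile(r"^Log: '(?P<log>[^']+)' Date/Time: (?P<when>.+)$")
TYPE = re.compile(r"^Type: (?P<type>\w+) Category: (?P<cat>\d+)$")
EVENT = re.compile(r"^Event: (?P<id>\d+) Source: (?P<source>.+)$")
SEPARATOR = re.compile(r"^(~+|-+|'[^']+' Log - \w+ Type)$")
DECLARED = re.compile(r"(\d+) user registry handles leaked from (\S+?):?\s*$")
HOLDER = re.compile(r"^Process (?P<pid>\d+) \((?P<image>.+?)\) has opened key (?P<key>\S.*)$")


def parse_vew_records(text):
    """Split VEW text output into one dict per event record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if SEPARATOR.match(line):
            current = None          # section banner: the previous record is finished
            continue
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = {"log": m["log"], "when": m["when"], "type": None,
                       "event_id": None, "source": None, "body": []}
            records.append(current)
            continue
        if current is None:
            continue                # report preamble before the first record
        m = TYPE.match(line)
        if m and current["type"] is None:
            current["type"] = m["type"]
            continue
        m = EVENT.match(line)
        if m and current["event_id"] is None:
            current["event_id"], current["source"] = int(m["id"]), m["source"]
            continue
        current["body"].append(line)
    return records


def leaked_handle_report(record):
    """For an Event 1530 record, group the leaked hive keys by holding process."""
    if record["event_id"] != 1530:
        return None
    declared, hive, holders = None, None, defaultdict(list)
    for line in record["body"]:
        d = DECLARED.search(line)
        if d:
            declared, hive = int(d.group(1)), d.group(2)
        h = HOLDER.match(line)
        if h:
            key = h["key"]
            # Report keys relative to the hive root; the log mixes upper and mixed case.
            if hive and key.lower().startswith(hive.lower()):
                key = key[len(hive):].lstrip("\\") or "(hive root)"
            holders[(int(h["pid"]), ntpath.basename(h["image"]))].append(key)
    listed = sum(len(keys) for keys in holders.values())
    return {"when": record["when"], "hive": hive, "declared": declared,
            "listed": listed, "holders": dict(holders)}


def holders_by_count(report):
    """(image, pid, handle count) tuples, busiest holder first."""
    rows = [(img, pid, len(keys)) for (pid, img), keys in report["holders"].items()]
    return sorted(rows, key=lambda r: -r[2])


if __name__ == "__main__":
    for rec in parse_vew_records(SAMPLE):
        rep = leaked_handle_report(rec)
        if rep:
            print(rep["when"], "declared", rep["declared"], "listed", rep["listed"])
            for img, pid, n in holders_by_count(rep):
                print(f"  {img} (PID {pid}): {n} handle(s)")
```

A mismatch between `declared` and `listed` means the pasted record was truncated, which is worth checking before comparing logs from different boots.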


#51
RKinner


Looks like speedfan and spybot do not like each other.  Good to know.

 

Since this is the free version of Panda, let's download and save  the free version of Avast:

 

http://files.avast.c...virus_setup.exe

 

Then uninstall Panda and then reboot and right click on the Avast installer and Run As Admin.  Once it settles down it will want to reboot again.  Clear the alarms before it does.  Be careful when installing.  We want the Basic version not the trial and uncheck any optional stuff like Chrome or the Googletoolbox or Dropbox.

 

After the reboot run VEW again as before and also a Process Explorer log.



#52
britechguy


Scratch that last request.  I'd might as well give Avast! a go again.  It will let me know whether they still require an annual re-up on their licensing key (yes, it's free, but the others don't do that and Avast! had been the last time I used it).


Edited by britechguy, 04 February 2015 - 10:22 PM.


#53
RKinner


Open Chrome and go into Settings, (Three line symbol in the top right). Settings.  Show Advanced Settings.  Under System uncheck Keep Running Background Apps when Chrome is closed.

 

That may cut down on the number of Chromes in Process Explorer.

 

 

Please use Avast.  It's just for a test and it is what I use on my PC so I know what to expect.  You still need to reregister after a year but it's not a big deal.  Just stick with the basic option and don't accept their trial.  (Uncheck any optional software like Chrome, Google Toolbox or Dropbox)

 

Some people object to the voice notification of updates.  To turn it off, click on the Avast ball then on Settings.  Then on Sounds and uncheck Automatic Updates OK.  (It will still update; it just won't tell you about it in a loud voice in the middle of the night.)
 

They have also started using their info popup to try and get you to upgrade so I go into Settings, Popups and change the first two to 1 second.

 

Once you have Avast installed, clear the logs and reboot.

 

If you get it done tonight you can let it run a boot-time scan while you sleep:

 

How to do a boot-time scan while you sleep:
First mute the speakers so it won't wake you up when Windows loads.  Click on the Orange ball.  Click on Scan, then on Scan for Viruses.  Change Quickscan to Boot-time Scan.  Click on Settings.  Where it says Heuristic Sensitivity click on the last rectangle so that all of them are  orange and it says High.  Check both boxes.  Then change When a threat is found ... to:  Move to Chest.  OK.  Now click on Start.  Close the Avast window and then reboot.  The scan will start.  It will tell you where it will save the report.  Usually it's 
C:\ProgramData\AVAST Software\Avast\report\aswBoot.txt but it might change so verify the location.  When Windows loads Click on the Orange Ball then Scan, Then Scan History (at the bottom of the page). Click on the last scan and then Detailed Report.  If it found anything then open the aswBoot.txt file and copy and paste it.  If you can't find it then take a screen shot of the Detailed Report:


#54
britechguy


Oh, my, but the installation of Avast! has not made my situation better!!

 

I just checked and I already have the "Continue running background apps when Chrome is closed" checkbox unchecked.

 

Attached are the VEW Logs and four process explorer snapshots taken over the last 10 minutes or so.  My disc activity light is still on solid as I type.

 

The last 15 minutes or so, and it's still ongoing, have been one continuous disk-thrash cycle.  The light is just on solid and I'm having some really ugly wait times before being able to type, etc.

 

The number 5 process explorer snapshot was just taken and I've still got solid disk activity light.

 

I'm off to bed and I'll see if this is still going on in the morning!


#55
RKinner

This is the Process Explorer log from my PC.  I'm having a little problem with WmiPrvSE.exe but otherwise it looks good.  I have Chrome open with two tabs.  I have fewer Chromes and they each use a lot less CPU.  How many Chrome windows and tabs do you have open?
 
 
 
Process PID CPU Private Bytes Working Set Description Company Name
System Idle Process 0 90.98 0 K 24 K
procexp64.exe 4792 3.41 28,956 K 48,008 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com
WmiPrvSE.exe 2644 2.09 10,168 K 17,008 K WMI Provider Host Microsoft Corporation
dwm.exe 2132 0.58 35,592 K 32,636 K Desktop Window Manager Microsoft Corporation
Interrupts n/a 0.50 0 K 0 K Hardware Interrupts and DPCs
System 4 0.40 284 K 7,412 K
ExpressTray.exe 1088 0.34 80,968 K 74,604 K Express Tray Garmin Ltd or its subsidiaries
chrome.exe 4168 0.24 71,256 K 113,920 K Google Chrome Google Inc.
speedfan.exe 2852 0.21 5,992 K 16,416 K Almico Software (www.almico.com)
csrss.exe 676 0.19 3,104 K 9,468 K Client Server Runtime Process Microsoft Corporation
chrome.exe 4424 0.17 141,544 K 161,300 K Google Chrome Google Inc.
svchost.exe 668 0.15 27,544 K 43,656 K Host Process for Windows Services Microsoft Corporation
AvastSvc.exe 1452 0.13 180,096 K 41,908 K avast! Service AVAST Software
BrYNSvc.exe 3476 0.10 4,656 K 9,712 K BrYNCSvc Brother Industries, Ltd.
BrStMonW.exe 2828 0.06 41,588 K 49,012 K Status Monitor Application Brother Industries, Ltd.
explorer.exe 2788 0.05 79,032 K 111,152 K Windows Explorer Microsoft Corporation
DiscWizardMonitor.exe 1412 0.05 3,520 K 5,452 K Seagate DiscWizard Monitor Seagate
avastui.exe 1292 0.05 24,172 K 20,392 K avast! Antivirus AVAST Software
unchecky_svc.exe 2384 0.04 5,820 K 10,548 K Unchecky Service RaMMicHaeL
CCC.exe 4936 0.04 96,856 K 20,424 K Catalyst Control Center: Host application ATI Technologies Inc.
MOM.exe 4836 0.04 39,484 K 7,052 K Catalyst Control Center: Monitoring program Advanced Micro Devices Inc.
PDFProFiltSrvPP.exe 2184 0.03 1,160 K 3,568 K PDFPro IFilter Service Nuance Communications, Inc.
svchost.exe 596 0.02 205,476 K 210,400 K Host Process for Windows Services Microsoft Corporation
lsass.exe 736 0.02 6,580 K 14,476 K Local Security Authority Process Microsoft Corporation
chrome.exe 5364 0.02 47,804 K 81,288 K Google Chrome Google Inc.
wmpnetwk.exe 3912 0.01 12,144 K 11,608 K Windows Media Player Network Sharing Service Microsoft Corporation
chrome.exe 5836 0.01 49,568 K 77,296 K Google Chrome Google Inc.
svchost.exe 552 0.01 15,412 K 24,428 K Host Process for Windows Services Microsoft Corporation
ISUSPM.exe 2068 0.01 2,756 K 7,284 K Acresso Software Manager Acresso Corporation
taskhost.exe 1264 0.01 17,312 K 17,860 K Host Process for Windows Tasks Microsoft Corporation
svchost.exe 932 < 0.01 4,732 K 9,028 K Host Process for Windows Services Microsoft Corporation
svchost.exe 1408 < 0.01 8,524 K 16,284 K Host Process for Windows Services Microsoft Corporation
svchost.exe 1308 < 0.01 15,084 K 16,820 K Host Process for Windows Services Microsoft Corporation
SearchIndexer.exe 3944 < 0.01 54,584 K 49,872 K Microsoft Windows Search Indexer Microsoft Corporation
dllhost.exe 3384 < 0.01 4,388 K 11,560 K COM Surrogate Microsoft Corporation
ABService.exe 2000 < 0.01 4,424 K 8,464 K AOMEI Backupper Schedule task service AOMEI Tech Co., Ltd.
csrss.exe 584 < 0.01 2,244 K 4,736 K Client Server Runtime Process Microsoft Corporation
spoolsv.exe 1720 < 0.01 8,392 K 14,900 K Spooler SubSystem App Microsoft Corporation
WmiPrvSE.exe 5900 2,556 K 5,960 K WMI Provider Host Microsoft Corporation
winlogon.exe 388 2,888 K 7,464 K Windows Logon Application Microsoft Corporation
wininit.exe 652 1,508 K 4,428 K Windows Start-Up Application Microsoft Corporation
unsecapp.exe 4500 1,900 K 6,080 K Sink to receive asynchronous callbacks for WMI client application Microsoft Corporation
unchecky_bg.exe 2164 1,196 K 5,212 K Unchecky Background Process RaMMicHaeL
TeamViewer_Service.exe 2328 4,420 K 12,244 K TeamViewer 9 TeamViewer GmbH
svchost.exe 1136 3,212 K 7,276 K Host Process for Windows Services Microsoft Corporation
svchost.exe 840 4,476 K 10,512 K Host Process for Windows Services Microsoft Corporation
svchost.exe 1752 11,504 K 13,980 K Host Process for Windows Services Microsoft Corporation
svchost.exe 348 27,192 K 24,400 K Host Process for Windows Services Microsoft Corporation
svchost.exe 952 2,696 K 7,492 K Host Process for Windows Services Microsoft Corporation
smss.exe 444 500 K 1,140 K Windows Session Manager Microsoft Corporation
services.exe 728 6,076 K 12,268 K Services and Controller app Microsoft Corporation
schedul2.exe 2236 2,208 K 5,916 K Seagate Scheduler 2 Seagate
schedhlp.exe 2912 1,240 K 4,448 K Seagate Scheduler Helper Seagate
RAVCpl64.exe 3856 9,140 K 10,968 K Realtek HD Audio Manager Realtek Semiconductor
procexp.exe 4528 2,024 K 6,896 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com
PresentationFontCache.exe 4236 26,720 K 18,564 K PresentationFontCache.exe Microsoft Corporation
pptd40nt.exe 3748 1,480 K 4,600 K PaperPort Print to Desktop for NT Nuance Communications, Inc.
pdfPro5Hook.exe 3480 1,536 K 5,168 K PdfCreateHook Application Nuance Communications, Inc.
notepad.exe 2768 1,404 K 6,508 K Notepad Microsoft Corporation
msdtc.exe 5208 3,484 K 7,880 K Microsoft Distributed Transaction Coordinator Service Microsoft Corporation
mDNSResponder.exe 1076 2,368 K 5,600 K Bonjour Service Apple Inc.
lsm.exe 748 2,648 K 4,360 K Local Session Manager Service Microsoft Corporation
Garmin.Cartography.MapUpdate.CoreService.exe 1284 28,028 K 41,076 K Garmin Core Update Service Garmin Ltd or its subsidiaries
CouponPrinterService.exe 1336 3,508 K 9,800 K Coupon Printer Service Coupons.com Inc.
chrome.exe 5296 74,704 K 93,940 K Google Chrome Google Inc.
chrome.exe 4444 32,180 K 56,380 K Google Chrome Google Inc.
chrome.exe 3460 9,204 K 45,996 K Google Chrome Google Inc.
BrCtrlCntr.exe 2268 2,124 K 7,536 K ControlCenter Main Process Brother Industries, Ltd.
BrCcUxSys.exe 1680 1,716 K 6,420 K ControlCenter UX System Brother Industries, Ltd.
audiodg.exe 5132 19,156 K 18,060 K Windows Audio Device Graph Isolation Microsoft Corporation
atiesrxx.exe 996 1,424 K 4,232 K AMD External Events Service Module AMD
atieclxx.exe 1500 2,104 K 6,160 K AMD External Events Client Module AMD
armsvc.exe 1836 1,184 K 3,876 K Adobe Acrobat Update Service Adobe Systems Incorporated
AERTSr64.exe 1860 1,000 K 2,668 K Andrea filters APO access service (64-bit) Andrea Electronics Corporation



#56
britechguy


I had one Chrome Window with about 10 tabs.

 

This morning the system is much calmer, but process explorer will not start anymore.

 

I'm attaching the two VEW files and the Avast boot scan log.   I'll then clear and restart to see if Process Explorer comes back to life.  I'm wondering if Avast is nuking it.

 

 


#57
RKinner

This is with Chrome closed.  (WmiPrvSE.exe is causing my readings to jump all over the place so I do File then hover over the Save button until the System Idle hits 90.)
 
Process PID CPU Private Bytes Working Set Description Company Name
System Idle Process 0 93.23 0 K 24 K
System 4 0.29 284 K 7,412 K
 Interrupts n/a 0.31 0 K 0 K Hardware Interrupts and DPCs
 smss.exe 444 500 K 1,140 K Windows Session Manager Microsoft Corporation
csrss.exe 584 2,244 K 4,728 K Client Server Runtime Process Microsoft Corporation
wininit.exe 652 1,508 K 4,428 K Windows Start-Up Application Microsoft Corporation
 services.exe 728 6,128 K 12,276 K Services and Controller app Microsoft Corporation
  svchost.exe 840 4,528 K 10,540 K Host Process for Windows Services Microsoft Corporation
   WmiPrvSE.exe 2644 2.64 10,260 K 17,024 K WMI Provider Host Microsoft Corporation
   unsecapp.exe 4500 1,868 K 6,060 K Sink to receive asynchronous callbacks for WMI client application Microsoft Corporation
  svchost.exe 932 4,832 K 9,068 K Host Process for Windows Services Microsoft Corporation
  atiesrxx.exe 996 1,424 K 4,232 K AMD External Events Service Module AMD
   atieclxx.exe 1500 2,104 K 6,160 K AMD External Events Client Module AMD
  svchost.exe 348 27,108 K 24,368 K Host Process for Windows Services Microsoft Corporation
  svchost.exe 596 0.21 190,280 K 198,612 K Host Process for Windows Services Microsoft Corporation
   dwm.exe 2132 0.15 35,592 K 32,632 K Desktop Window Manager Microsoft Corporation
  svchost.exe 552 < 0.01 15,240 K 24,316 K Host Process for Windows Services Microsoft Corporation
  svchost.exe 668 0.18 27,412 K 42,928 K Host Process for Windows Services Microsoft Corporation
  svchost.exe 1136 3,264 K 7,296 K Host Process for Windows Services Microsoft Corporation
  svchost.exe 1308 0.03 15,084 K 16,824 K Host Process for Windows Services Microsoft Corporation
  AvastSvc.exe 1452 0.03 178,848 K 41,352 K avast! Service AVAST Software
  spoolsv.exe 1720 < 0.01 8,392 K 14,892 K Spooler SubSystem App Microsoft Corporation
  svchost.exe 1752 11,452 K 13,960 K Host Process for Windows Services Microsoft Corporation
  armsvc.exe 1836 1,184 K 3,876 K Adobe Acrobat Update Service Adobe Systems Incorporated
  AERTSr64.exe 1860 1,000 K 2,668 K Andrea filters APO access service (64-bit) Andrea Electronics Corporation
  ABService.exe 2000 0.06 4,424 K 8,464 K AOMEI Backupper Schedule task service AOMEI Tech Co., Ltd.
  mDNSResponder.exe 1076 2,368 K 5,600 K Bonjour Service Apple Inc.
  svchost.exe 1408 < 0.01 8,104 K 16,016 K Host Process for Windows Services Microsoft Corporation
  PDFProFiltSrvPP.exe 2184 0.03 1,160 K 3,568 K PDFPro IFilter Service Nuance Communications, Inc.
  schedul2.exe 2236 2,208 K 5,916 K Seagate Scheduler 2 Seagate
  TeamViewer_Service.exe 2328 4,420 K 12,244 K TeamViewer 9 TeamViewer GmbH
  unchecky_svc.exe 2384 0.04 5,820 K 10,544 K Unchecky Service RaMMicHaeL
   unchecky_bg.exe 2164 1,196 K 5,212 K Unchecky Background Process RaMMicHaeL
  wmpnetwk.exe 3912 < 0.01 12,128 K 11,592 K Windows Media Player Network Sharing Service Microsoft Corporation
  SearchIndexer.exe 3944 < 0.01 54,104 K 48,548 K Microsoft Windows Search Indexer Microsoft Corporation
  CouponPrinterService.exe 1336 < 0.01 3,508 K 9,804 K Coupon Printer Service Coupons.com Inc.
  taskhost.exe 1264 0.01 17,316 K 17,872 K Host Process for Windows Tasks Microsoft Corporation
  BrYNSvc.exe 3476 4,652 K 9,696 K BrYNCSvc Brother Industries, Ltd.
  svchost.exe 952 2,696 K 7,492 K Host Process for Windows Services Microsoft Corporation
  PresentationFontCache.exe 4236 26,720 K 18,564 K PresentationFontCache.exe Microsoft Corporation
  dllhost.exe 3384 < 0.01 4,388 K 11,560 K COM Surrogate Microsoft Corporation
  msdtc.exe 5208 3,484 K 7,880 K Microsoft Distributed Transaction Coordinator Service Microsoft Corporation
  Garmin.Cartography.MapUpdate.CoreService.exe 1284 28,028 K 41,076 K Garmin Core Update Service Garmin Ltd or its subsidiaries
 lsass.exe 736 0.01 6,580 K 14,476 K Local Security Authority Process Microsoft Corporation
 lsm.exe 748 2,540 K 4,332 K Local Session Manager Service Microsoft Corporation
csrss.exe 676 0.07 3,100 K 9,144 K Client Server Runtime Process Microsoft Corporation
winlogon.exe 388 2,888 K 7,464 K Windows Logon Application Microsoft Corporation
explorer.exe 2788 0.05 78,204 K 110,648 K Windows Explorer Microsoft Corporation
 RAVCpl64.exe 3856 9,140 K 10,968 K Realtek HD Audio Manager Realtek Semiconductor
 schedhlp.exe 2912 0.01 1,240 K 4,448 K Seagate Scheduler Helper Seagate
 chrome.exe 3460 < 0.01 9,460 K 46,156 K Google Chrome Google Inc.
 ISUSPM.exe 2068 2,916 K 7,364 K Acresso Software Manager Acresso Corporation
 ExpressTray.exe 1088 0.35 80,968 K 74,604 K Express Tray Garmin Ltd or its subsidiaries
 speedfan.exe 2852 0.20 5,992 K 16,416 K Almico Software (www.almico.com)
 procexp.exe 4528 2,024 K 6,896 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com
  procexp64.exe 4792 1.93 28,816 K 48,000 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com
 notepad.exe 4508 1,688 K 6,288 K Notepad Microsoft Corporation
avastui.exe 1292 0.05 24,176 K 20,432 K avast! Antivirus AVAST Software
DiscWizardMonitor.exe 1412 0.05 3,508 K 5,452 K Seagate DiscWizard Monitor Seagate
pdfPro5Hook.exe 3480 1,536 K 5,168 K PdfCreateHook Application Nuance Communications, Inc.
pptd40nt.exe 3748 1,480 K 4,600 K PaperPort Print to Desktop for NT Nuance Communications, Inc.
BrCtrlCntr.exe 2268 2,124 K 7,536 K ControlCenter Main Process Brother Industries, Ltd.
 BrCcUxSys.exe 1680 1,716 K 6,420 K ControlCenter UX System Brother Industries, Ltd.
BrStMonW.exe 2828 0.01 41,844 K 49,272 K Status Monitor Application Brother Industries, Ltd.
MOM.exe 4836 0.02 38,460 K 7,036 K Catalyst Control Center: Monitoring program Advanced Micro Devices Inc.
 CCC.exe 4936 0.03 97,888 K 20,452 K Catalyst Control Center: Host application ATI Technologies Inc.
notepad.exe 2768 1,404 K 6,508 K Notepad Microsoft Corporation
 
 
Here is one with WmiPrvSE.exe suspended, running Firefox (1 tab open to google) and Chrome 2 tabs, one to Geekstogo and one to gmail.  Things settle down after a minute and only vary 2 to 3 points except when Avast wakes up and jumps to the top momentarily.
 
Process PID CPU Private Bytes Working Set Description Company Name
System Idle Process 0 87.75 0 K 24 K
procexp64.exe 4792 7.75 29,876 K 48,476 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com
firefox.exe 4168 1.01 176,092 K 204,456 K Firefox Mozilla Corporation
dwm.exe 2132 0.54 35,604 K 35,468 K Desktop Window Manager Microsoft Corporation
Interrupts n/a 0.48 0 K 0 K Hardware Interrupts and DPCs
svchost.exe 596 0.46 194,220 K 202,472 K Host Process for Windows Services Microsoft Corporation
ExpressTray.exe 1088 0.40 80,968 K 74,604 K Express Tray Garmin Ltd or its subsidiaries
System 4 0.33 284 K 7,412 K
speedfan.exe 2852 0.20 5,992 K 16,424 K Almico Software (www.almico.com)
csrss.exe 676 0.15 3,024 K 10,904 K Client Server Runtime Process Microsoft Corporation
chrome.exe 3436 0.14 59,068 K 101,688 K Google Chrome Google Inc.
BrYNSvc.exe 3476 0.11 4,660 K 9,716 K BrYNCSvc Brother Industries, Ltd.
AvastSvc.exe 1452 0.08 179,596 K 42,952 K avast! Service AVAST Software
BrStMonW.exe 2828 0.06 41,844 K 49,272 K Status Monitor Application Brother Industries, Ltd.
avastui.exe 1292 0.05 24,176 K 20,436 K avast! Antivirus AVAST Software
DiscWizardMonitor.exe 1412 0.05 3,508 K 5,452 K Seagate DiscWizard Monitor Seagate
ABService.exe 2000 0.05 4,424 K 8,464 K AOMEI Backupper Schedule task service AOMEI Tech Co., Ltd.
svchost.exe 668 0.05 27,124 K 43,016 K Host Process for Windows Services Microsoft Corporation
CCC.exe 4936 0.05 96,856 K 20,428 K Catalyst Control Center: Host application ATI Technologies Inc.
explorer.exe 2788 0.04 77,996 K 110,156 K Windows Explorer Microsoft Corporation
chrome.exe 5888 0.03 143,284 K 163,216 K Google Chrome Google Inc.
PDFProFiltSrvPP.exe 2184 0.03 1,160 K 3,568 K PDFPro IFilter Service Nuance Communications, Inc.
unchecky_svc.exe 2384 0.03 5,820 K 10,496 K Unchecky Service RaMMicHaeL
chrome.exe 5384 0.03 38,584 K 71,384 K Google Chrome Google Inc.
MOM.exe 4836 0.02 39,488 K 7,048 K Catalyst Control Center: Monitoring program Advanced Micro Devices Inc.
lsm.exe 748 0.02 2,536 K 4,324 K Local Session Manager Service Microsoft Corporation
svchost.exe 1308 0.02 15,156 K 16,892 K Host Process for Windows Services Microsoft Corporation
taskhost.exe 1264 0.02 17,564 K 18,104 K Host Process for Windows Tasks Microsoft Corporation
wmpnetwk.exe 3912 0.01 12,176 K 11,632 K Windows Media Player Network Sharing Service Microsoft Corporation
chrome.exe 6124 0.01 56,712 K 85,876 K Google Chrome Google Inc.
svchost.exe 552 < 0.01 15,240 K 24,328 K Host Process for Windows Services Microsoft Corporation
SearchIndexer.exe 3944 < 0.01 53,984 K 48,532 K Microsoft Windows Search Indexer Microsoft Corporation
dllhost.exe 3384 < 0.01 4,388 K 11,560 K COM Surrogate Microsoft Corporation
svchost.exe 1408 < 0.01 8,084 K 16,008 K Host Process for Windows Services Microsoft Corporation
spoolsv.exe 1720 < 0.01 8,392 K 14,892 K Spooler SubSystem App Microsoft Corporation
csrss.exe 584 < 0.01 2,244 K 4,732 K Client Server Runtime Process Microsoft Corporation
WmiPrvSE.exe 2592 4,356 K 7,628 K WMI Provider Host Microsoft Corporation
winlogon.exe 388 2,888 K 7,464 K Windows Logon Application Microsoft Corporation
wininit.exe 652 1,508 K 4,428 K Windows Start-Up Application Microsoft Corporation
unsecapp.exe 4500 1,836 K 6,040 K Sink to receive asynchronous callbacks for WMI client application Microsoft Corporation
unchecky_bg.exe 2164 1,196 K 5,212 K Unchecky Background Process RaMMicHaeL
TeamViewer_Service.exe 2328 4,420 K 12,244 K TeamViewer 9 TeamViewer GmbH
svchost.exe 348 27,160 K 24,396 K Host Process for Windows Services Microsoft Corporation
svchost.exe 932 4,732 K 9,036 K Host Process for Windows Services Microsoft Corporation
svchost.exe 952 2,696 K 7,492 K Host Process for Windows Services Microsoft Corporation
svchost.exe 840 4,472 K 10,508 K Host Process for Windows Services Microsoft Corporation
svchost.exe 1136 3,212 K 7,280 K Host Process for Windows Services Microsoft Corporation
svchost.exe 1752 11,504 K 13,972 K Host Process for Windows Services Microsoft Corporation
smss.exe 444 500 K 1,140 K Windows Session Manager Microsoft Corporation
services.exe 728 6,076 K 12,268 K Services and Controller app Microsoft Corporation
schedul2.exe 2236 2,208 K 5,916 K Seagate Scheduler 2 Seagate
schedhlp.exe 2912 1,240 K 4,448 K Seagate Scheduler Helper Seagate
RAVCpl64.exe 3856 9,140 K 10,968 K Realtek HD Audio Manager Realtek Semiconductor
procexp.exe 4528 2,024 K 6,896 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com
PresentationFontCache.exe 4236 26,720 K 18,564 K PresentationFontCache.exe Microsoft Corporation
pptd40nt.exe 3748 1,480 K 4,600 K PaperPort Print to Desktop for NT Nuance Communications, Inc.
pdfPro5Hook.exe 3480 1,536 K 5,168 K PdfCreateHook Application Nuance Communications, Inc.
notepad.exe 2768 1,404 K 6,508 K Notepad Microsoft Corporation
notepad.exe 4508 1,688 K 6,292 K Notepad Microsoft Corporation
msdtc.exe 5208 3,484 K 7,880 K Microsoft Distributed Transaction Coordinator Service Microsoft Corporation
mDNSResponder.exe 1076 2,368 K 5,600 K Bonjour Service Apple Inc.
lsass.exe 736 6,580 K 14,476 K Local Security Authority Process Microsoft Corporation
ISUSPM.exe 2068 2,756 K 7,284 K Acresso Software Manager Acresso Corporation
Garmin.Cartography.MapUpdate.CoreService.exe 1284 28,028 K 41,076 K Garmin Core Update Service Garmin Ltd or its subsidiaries
CouponPrinterService.exe 1336 3,512 K 9,804 K Coupon Printer Service Coupons.com Inc.
chrome.exe 1436 60,344 K 83,260 K Google Chrome Google Inc.
chrome.exe 1636 31,484 K 55,088 K Google Chrome Google Inc.
chrome.exe 3460 9,216 K 46,008 K Google Chrome Google Inc.
BrCtrlCntr.exe 2268 2,124 K 7,536 K ControlCenter Main Process Brother Industries, Ltd.
BrCcUxSys.exe 1680 1,716 K 6,420 K ControlCenter UX System Brother Industries, Ltd.
audiodg.exe 4848 18,608 K 17,628 K Windows Audio Device Graph Isolation Microsoft Corporation
atiesrxx.exe 996 1,424 K 4,232 K AMD External Events Service Module AMD
atieclxx.exe 1500 2,104 K 6,160 K AMD External Events Client Module AMD
armsvc.exe 1836 1,184 K 3,876 K Adobe Acrobat Update Service Adobe Systems Incorporated
AERTSr64.exe 1860 1,000 K 2,668 K Andrea filters APO access service (64-bit) Andrea Electronics Corporation
 

#58
RKinner

    Malware Expert

  • Expert
  • 20,031 posts
  • MVP

Avast has never killed my Process Explorer so I don't think that's it. I run a boot-time scan once a week. Remember to right click and Run As Admin when you run Process Explorer.


#59
britechguy

    Member

  • Topic Starter
  • 221 posts

Things have remained significantly calmer after this reboot.

 

Process Explorer still will not run.  It starts and its screen pops up, but within seconds I get the Windows dialog that a problem was encountered with the program, checking for a solution, etc.  Obviously I've not done anything to it and I never did a "run as administrator" when starting it before, nor did I have the "Run as Administrator" checkbox checked in the Advanced shortcuts properties.

 

Here are the four latest VEW logs.  I ran two right after I logged in and two just now so you could see the ProcExp errors.   I'm going to try an uninstall, reboot, reinstall on Process Explorer and see if that makes any difference at all.  If it doesn't, the only thing changed system-wise is the replacement of Panda with Avast.

#60
britechguy

    Member

  • Topic Starter
  • 221 posts

No dice with a new copy of Process Explorer. I'm attaching the VEW Applications Log.

 

I realized that Process Explorer is not installed in the conventional sense.  The first two attempts are with the .exe that was downloaded on 2/1 and that I'd been using up through yesterday with success.  The second two attempts are from the fresh copy, and when I tried to run that the first time I got the standard Windows warning about signatures and the "Do you want to run this file?" question, which is what I got the first time I ran the original copy, too.  I just tell Windows not to ask the question on subsequent runs.

 

An Avast scan of procexp.exe comes back clean.

 

I cannot explain what would be stopping this program from running.  The only things I've done since it did were to uninstall Panda and install Avast (along with running the boot scan).  No other programs have been added or removed.

 

I should also note that I've now got a Zimbra error with syncing my e-mail, which has occurred post-Avast.  I've attached the error dialog box.  This is occurring on all three of the gmail accounts that I've been using in that e-mail client.   It appears this is the result of Avast's e-mail scanner inserting itself between Google's IMAP server and Zimbra and that it can be remedied.  See the second screen shot from the accounts screen.

 

Attached Thumbnails

  • New_Zimbra_Error.jpg
  • Avast_Insert.jpg



Edited by britechguy, 05 February 2015 - 09:51 AM.
