Crazy CPU usage and slow system startup

  1. #1
    Join Date
    Feb 2007
    Posts
    17

    Crazy CPU usage and slow system startup

    Hello everyone:

    System spec: HP Compaq nx6325
    AMD Sempron 3400+ (1800 MHz)
    Memory 512 MB (448 MB system and 64 MB video)
    60 GB HD

    I've posted in another forum to no success. There is a reward of my eternal love for anyone who can help me out.

    PROBLEM (it has been this way for about 2 weeks now): From turning on the laptop to getting to the desktop and being able to open apps takes about 20 minutes. When I get there, any audio/video application (iTunes, WMP etc.) causes the CPU to skyrocket to 100%. It then comes down after about 10 seconds but continues to hover around the 40-65% range. The audio playback is terrible, jumpy, laggy, broken etc. Also the mouse pointer freezes every 5 seconds for about a second.

    I have run Spybot, Ad-Aware, Norton (which I have now removed); none of them found anything. I have downloaded and run CCleaner and lots of other programmes recommended to me on this website with no luck.

    ANY IDEAS ANYONE!!! I'm pretty desperate to sort this out. I really don't want to have to resort to re-installing Windows cos I have nearly 20 GB of music and "bothered" to back it up.

    Last edited by Surrender2Virus; February 9th, 2007 at 02:49 PM.

  2. #2
    Join Date
    Feb 2007
    Posts
    17
    Might want to look at this HJT log file, I figured:

    Logfile of HijackThis v1.99.1
    Scan saved at 18:51:46, on 09/02/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\IFXSPMGT.exe
    C:\WINDOWS\system32\IFXTCS.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\HPQ\IAM\bin\asghost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
    C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\vsnpstd2.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\btbb_wcm\McciTrayApp.exe
    C:\Program Files\HJT\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
    O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
    O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/gam...s/y/poti_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1170125068765
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: IfxWlxEN - C:\WINDOWS\SYSTEM32\IfxWlxEN.dll
    O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
    O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

  3. #3
    Join Date
    Apr 2000
    Location
    Sheboygan, WI
    Posts
    53,391
    I do not see any of the antivirus programs.
    I suggest following the instructions posted at
    http://discussions.virtualdr.com/sho...d.php?t=167915

  4. #4
    Join Date
    Jun 2005
    Location
    Ft Myers FL
    Posts
    8,520
    Also, another thing to look at is in Control Panel | Administrative Tools | Event Viewer; look in all three viewers and check for anything out of the ordinary that occurred about the time your problem started. If you find something, let us know what it is.

    Corrupted video drivers could be causing this. Malware doesn't usually attack the video, but it could be a secondary effect. However, your HJT log looks clean.

  5. #5
    Join Date
    Feb 2007
    Posts
    17
    In the event manager, there are a lot of warnings concerning "Userenv" & "EvntAgnt". Also there is a section of about 100 "Automatic liveupdate installer" information events. Not sure what this all means?

  6. #6
    Join Date
    Jun 2005
    Location
    Ft Myers FL
    Posts
    8,520
    Double-click on a few of the Automatic live updates and see where they're from. Are they Windows/Microsoft updates?

    Once you've opened one of the events, just use the Up/Down buttons in the upper right of the small window to check different events.

  7. #7
    Join Date
    Feb 2007
    Posts
    17
    It says that it is from NT AUTHORITY/SYSTEM. It says execution could not be completed and is rolling it back by 5 mins.
    "Userenv" says it is happening because something is still using the registry when logging off.
    "EvntAgnt" says it can't find things in the registry at trace level.

    Some other things that might help diagnosis: whenever I log off I always get the "asghost end now" box. Whenever the Windows log on music plays it is always really crackled and stalls. Also in the task manager "CLI.exe" is running 3 times. When loading iexplore, CPU usage goes up to 100% with most of it unaccounted for. Hope this helps.

  8. #8
    Join Date
    Jun 2005
    Location
    Ft Myers FL
    Posts
    8,520
    asghost.exe appears to be related to a security recognizance program, such as fingerprint-recognition computer access, available on H-P computers. Do a File search for it (make sure files/folders are not hidden) and upload it to Jotti for an online scan when you find it.

    CLI.exe is normally an ATI component of the Catalyst Control Center, but that name has been used by malware. Upload this file to Jotti also. Please post the two file scans when finished, let's see what they look like.

  9. #9
    Join Date
    Feb 2007
    Posts
    17
    OK, I searched for both. 3 results (including prefetch) for asghost, nothing out of the ordinary. 11 (1 prefetch) for CLI.exe. I don't know which ones to scan on Jotti as I can't get on it for high usage.

    Yet in task manager there are 8 running Svchost.exe. When I search it yields 2 (1 prefetch result). Is this a concern?

    Also my sound card has stopped working completely.

  10. #10
    Join Date
    Apr 2000
    Location
    Sheboygan, WI
    Posts
    53,391
    Start, Run[type in] CMD and click OK
    [now type in] tasklist /svc >C:\tasklist.txt

    Now you can then go into C:\ and open the tasklist.txt in notepad.

    You can copy and paste the Svchost lines in your next post.

  11. #11
    Join Date
    Feb 2007
    Posts
    17
    ok here is the whole breakdown: hope it helps

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\>tasklist\ svc >C:\tasklist.txt
    'tasklist\' is not recognized as an internal or external command,
    operable program or batch file.

    C:\>tasklist/svc

    Image Name                   PID Services
    ========================= ====== =============================================
    System Idle Process            0 N/A
    System                         4 N/A
    smss.exe                     816 N/A
    csrss.exe                    908 N/A
    winlogon.exe                 936 N/A
    services.exe                 984 Eventlog, PlugPlay
    lsass.exe                    996 NtLmSsp, PolicyAgent, ProtectedStorage, SamSs
    ati2evxx.exe                1156 Ati HotKey Poller
    svchost.exe                 1172 DcomLaunch, TermService
    svchost.exe                 1268 RpcSs
    svchost.exe                 1304 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                     dmserver, ERSvc, EventSystem,
                                     FastUserSwitchingCompatibility, helpsvc,
                                     lanmanserver, lanmanworkstation, Netman,
                                     Nla, RasMan, Schedule, seclogon, SENS,
                                     SharedAccess, ShellHWDetection, srservice,
                                     TapiSrv, Themes, TrkWks, W32Time, winmgmt,
                                     wscsvc, wuauserv, WZCSVC
    svchost.exe                 1356 LmHosts, RemoteRegistry, SSDPSRV, upnphost,
                                     WebClient
    vsmon.exe                   1460 vsmon
    spoolsv.exe                 2032 Spooler
    msdtc.exe                    284 MSDTC
    svchost.exe                  400 ASChannel
    svchost.exe                  512 HTTPFilter
    IFXSPMGT.exe                 588 IFXSpMgtSrv
    IFXTCS.exe                   628 IFXTCS
    inetinfo.exe                 292 IISADMIN, SMTPSVC, W3SVC
    PSDsrvc.EXE                  760 PersonalSecureDriveService
    snmp.exe                     944 SNMP
    svchost.exe                 1336 stisvc
    mqsvc.exe                   1564 MSMQ
    wmpnetwk.exe                1572 WMPNetworkSvc
    hpqwmiex.exe                2124 hpqwmiex
    mqtgsvc.exe                 2396 MSMQTriggers
    alg.exe                     2568 ALG
    ati2evxx.exe                2956 N/A
    asghost.exe                 3008 N/A
    explorer.exe                3088 N/A
    wscntfy.exe                 3116 N/A
    PSDrt.exe                   3288 N/A
    wmiprvse.exe                3428 N/A
    pthosttr.exe                3756 N/A
    SynTPEnh.exe                3792 N/A
    vsnpstd2.exe                3816 N/A
    DLACTRLW.EXE                3824 N/A
    HP Wireless Assistant.exe   3832 N/A
    zlclient.exe                3852 N/A
    smax4pnp.exe                3892 N/A
    qttask.exe                  3984 N/A
    ctfmon.exe                  4028 N/A
    HPQTOA~1.EXE                4056 N/A
    wmpnscfg.exe                 528 N/A
    WZQKPICK.EXE                2324 N/A
    CLI.exe                     2948 N/A
    CLI.exe                      576 N/A
    McciTrayApp.exe             3644 N/A
    iexplore.exe                8336 N/A
    hpgs2wnf.exe                8304 N/A
    cmd.exe                    11480 N/A
    tasklist.exe               12268 N/A
    wmiprvse.exe                9384 N/A

    C:\>>c:\tasklist.txt
    The syntax of the command is incorrect.

    thanks again

  12. #12
    Join Date
    Feb 2007
    Posts
    17
    Oh, and my sound card is working again. Audio playback, video playback, start up and unaccounted CPU usage are still mental. BTW HP are sending me my Windows discs and they will be here in 7 days. We have a week to sort this problem or it's a Windows re-install for me. The heat is on!

  13. #13
    Join Date
    Apr 2000
    Location
    Sheboygan, WI
    Posts
    53,391
    Where we differ.
    BITS - seems to be http://en.wikipedia.org/wiki/Backgro...ansfer_Service

    WZCSVC - http://www.microsoft.com/technet/pro.../wlansupp.mspx

    svchost.exe 400 ASChannel

    svchost.exe 512 HTTPFilter - http://www.softwaretipsandtricks.com...TTPFilter.html


    Sorry, best I can do. Hope someone can help out.
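
An added example, not part of any post in this thread: a small Python parser for a saved `tasklist /svc` capture (the `C:\tasklist.txt` file from post #10) that folds wrapped service lines back onto their process, so each svchost.exe PID can be read against the services it hosts and repeated images such as CLI.exe stand out. The sample rows are constructed from names and PIDs quoted in the thread; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the fixed-width layout that `tasklist /svc` prints,
# using image names, PIDs and services quoted in the thread.
SAMPLE = """\
Image Name                   PID Services
========================= ====== =============================================
svchost.exe                 1172 DcomLaunch, TermService
svchost.exe                 1356 LmHosts, RemoteRegistry, SSDPSRV, upnphost,
                                 WebClient
svchost.exe                  400 ASChannel
HP Wireless Assistant.exe   3832 N/A
CLI.exe                     2948 N/A
CLI.exe                      576 N/A
"""

def parse_tasklist_svc(text):
    """Return [(image, pid, [services])], folding wrapped service lines."""
    lines = text.splitlines()
    ruler = next(i for i, l in enumerate(lines) if l.startswith("====="))
    # Column boundaries come from the ruler, so image names with spaces survive.
    cols = [m.span() for m in re.finditer(r"=+", lines[ruler])]
    (n0, n1), (p0, p1), (s0, _) = cols
    rows = []
    for line in filter(str.strip, lines[ruler + 1:]):
        name, pid, svc = line[n0:n1].strip(), line[p0:p1].strip(), line[s0:].strip()
        names = [s.strip() for s in svc.split(",") if s.strip() and s.strip() != "N/A"]
        if not name and rows:          # continuation of the previous row's service list
            rows[-1][2].extend(names)
        else:
            rows.append((name, int(pid), names))
    return rows

def services_by_host(rows, image="svchost.exe"):
    """Map each PID of `image` to the services it hosts."""
    return {pid: svcs for name, pid, svcs in rows if name.lower() == image.lower()}

def duplicate_images(rows):
    """Images running more than once, with their PIDs (the CLI.exe question)."""
    seen = defaultdict(list)
    for name, pid, _ in rows:
        seen[name.lower()].append(pid)
    return {n: p for n, p in seen.items() if len(p) > 1}

if __name__ == "__main__":
    rows = parse_tasklist_svc(SAMPLE)
    print(services_by_host(rows), duplicate_images(rows))
```

Several svchost.exe rows are normal on Windows XP; what is worth reading is which services each PID hosts, which is what post #13 compares.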

  14. #14
    Join Date
    Sep 2007
    Posts
    1
    I got the same problem and it is not related to any virus or program. In my case, installing the new BIOS for the nx6325 from the HP support page solved the problem. I hope that helps!

    Cheers!
