
What is accessing my Disks [HijackThis Log]

Discussion in 'Malware and Virus Removal Archive' started by GNevill, 2005/06/06.

Thread Status:
Not open for further replies.
  1. 2005/06/06
    GNevill

    GNevill Inactive Thread Starter

    Joined:
    2002/01/08
    Messages:
    25
    Likes Received:
    0
    What is accessing my Disks

    My PC has continuous disk activity, I can hear the disks seeking, all of the time that it is running. How can I find out which task is doing all of this activity? Can you tell which program puts in an i/o request?

    I suspect that it is some housekeeping routine that is doing it. I have a NAS network storage server and the drive on that is accessed at times as well.

    The system is Windows XP SP2 with 2 IDE drives, a network drive and a DVD burner. The drives have a lot of partitions, leftover from when partitions were limited to 512K, but that should not affect anything.

    I do not run MS indexing and have removed Google Desktop Search. Has anyone any hints on which apps cause disk access? Short of unchecking the entries in MSCONFIG one by one I do not know where to start.

    Hoping to get some pointers,

    Nev
     
  2. 2005/06/06
    surferdude2

    surferdude2 Inactive

    Joined:
    2004/07/04
    Messages:
    4,009
    Likes Received:
    23


  4. 2005/06/09
    GNevill

    GNevill Inactive Thread Starter

    Joined:
    2002/01/08
    Messages:
    25
    Likes Received:
    0
    HiJackThis Log

    Here is the log. I should have added it to my first post.

    Many thanks

    Nev

    Logfile of HijackThis v1.99.1
    Scan saved at 14:19:04, on 06/06/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    J:\WINDOWS\System32\smss.exe
    J:\WINDOWS\system32\winlogon.exe
    J:\WINDOWS\system32\services.exe
    J:\WINDOWS\system32\lsass.exe
    J:\WINDOWS\system32\svchost.exe
    J:\WINDOWS\System32\svchost.exe
    J:\WINDOWS\system32\spoolsv.exe
    J:\WINDOWS\system32\ssoftsrv.exe
    J:\WINDOWS\System32\svchost.exe
    J:\WINDOWS\system32\ZoneLabs\vsmon.exe
    J:\WINDOWS\Explorer.EXE
    J:\Program Files\FSI\F-Prot\F-Sched.exe
    L:\QUICKENW\QAGENT.EXE
    J:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    M:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    J:\WINDOWS\SOUNDMAN.EXE
    J:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
    J:\Program Files\Common Files\Real\Update_OB\realsched.exe
    M:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    J:\Program Files\MSI\Live Update 3\LMonitor.exe
    M:\Program Files\iTunes\iTunesHelper.exe
    J:\Program Files\MSN Messenger\MsnMsgr.Exe
    J:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    J:\WINDOWS\system32\mrtMngr.EXE
    E:\PROGRA~1\Zinio\ZDLM.exe
    E:\Program Files\ADOBE\Acrobat 6.0\Distillr\acrotray.exe
    L:\QUICKENW\QWDLLS.EXE
    J:\WINDOWS\system32\ntvdm.exe
    M:\PROGRA~1\CAERE\OPLIMIT\ocrawr32.exe
    J:\Program Files\iPod\bin\iPodService.exe
    M:\MSOffice\OFFICE11\OUTLOOK.EXE
    M:\MSOffice\OFFICE11\WINWORD.EXE
    J:\Program Files\FSI\F-Prot\F-StopW.exe
    J:\Program Files\Mozilla Firefox\firefox.exe
    M:\Download\Web\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - G:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - J:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - j:\program files\google\googletoolbar1.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - J:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - j:\program files\google\googletoolbar1.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - J:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
    O4 - HKLM\..\Run: [F-StopW] J:\Program Files\FSI\F-Prot\F-StopW.EXE
    O4 - HKLM\..\Run: [FRISK FP-Scheduler] J:\Program Files\FSI\F-Prot\F-Sched.exe
    O4 - HKLM\..\Run: [QAGENT] L:\QUICKENW\QAGENT.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] J:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [PaperPort PTD] m:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] m:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [msnappau] "J:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe "
    O4 - HKLM\..\Run: [TkBellExe] "J:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Zone Labs Client] m:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [LiveMonitor] J:\Program Files\MSI\Live Update 3\LMonitor.exe
    O4 - HKLM\..\Run: [iTunesHelper] "M:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKCU\..\Run: [msnmsgr] "J:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "J:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE "
    O4 - HKCU\..\Run: [Zinio DLM] e:\PROGRA~1\Zinio\ZDLM.exe /hide
    O4 - Startup: OCRAWARE.lnk = M:\Program Files\CAERE\OPLIMIT\OCRAWARE.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\ADOBE\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Quicken Startup.lnk = L:\QUICKENW\QWDLLS.EXE
    O8 - Extra context menu item: &Copy Location - J:\WINDOWS\WEB\graburl.htm
    O8 - Extra context menu item: &Google Search - res://j:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://j:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://j:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://M:\MSOffice\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://j:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://j:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - J:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - J:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - J:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - J:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - J:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - M:\MSOffice\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - J:\WINDOWS\system32\webzone.dll
    O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - J:\WINDOWS\system32\webzone.dll
    O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - J:\WINDOWS\system32\webzone.dll
    O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - J:\WINDOWS\system32\webzone.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - J:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - J:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - J:\WINDOWS\system32\oline.dll
    O12 - Plugin for .bcf: J:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O15 - Trusted Zone: http://www.abbeynational.co.uk
    O15 - Trusted Zone: http://housecall.antivirus.com
    O15 - Trusted Zone: http://www.dell.co.uk
    O15 - Trusted Zone: http://www.freshdevices.com
    O15 - Trusted Zone: http://www.nevill.net
    O15 - Trusted Zone: http://www.viamichelin.com
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/264887ce1464c2542c15/netzip/RdxIE601.cab
    O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A21F278C-2A2C-4E6F-B55D-9814E4825D27}: NameServer = 192.168.0.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D6E4D29C-6953-4D6E-BA94-793CE09C25CC}: NameServer = 158.152.1.58,158.152.1.43
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - J:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Cryptainer service (ssoftservice) - Cypherix - J:\WINDOWS\SYSTEM32\ssoftsrv.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - J:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  5. 2005/06/09
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    I don't see anything "nasty" running, do see some useless startup stuff though - an example: O4 - HKLM\..\Run: [TkBellExe] "J:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    Look up your bootup processes: http://www.windowsbbs.com/showthread.php?t=39425

    FWIW: XP does low level defrags (if the Task Scheduler Service is running) and if monitored, creates System Restore points on your partitions. These may be part of what you're noticing as well.

    Regards - Charles
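The kind of first pass Charles does by eye on the log above can be scripted. The following is an added example, not code from the thread and not part of the HijackThis tool itself: a small Python parser for the HijackThis log layout (header lines, the "Running processes:" list, and the numbered O2/O4/O15/O16/O17/O23 sections), followed by a triage pass that surfaces the entries a reviewer would read first, such as a BHO registered with "(no name)", an autostart command line with a stray trailing space inside its quotes (the msnappau entry), and anything that touches Trusted Zone sites, downloaded ActiveX controls or DNS settings. The sample log is a handful of lines copied from the log posted above, and the section descriptions in `REVIEW_SECTIONS` are this example's own reading of the log's labels.

```python
import re
from collections import Counter

# Constructed sample: a few lines copied from the HijackThis v1.99.1 log
# posted earlier in this thread (the full log has many more entries).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 14:19:04, on 06/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
J:\WINDOWS\System32\smss.exe
J:\WINDOWS\system32\ssoftsrv.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - G:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O4 - HKLM\..\Run: [TkBellExe] "J:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [msnappau] "J:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe "
O15 - Trusted Zone: http://www.freshdevices.com
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6E4D29C-6953-4D6E-BA94-793CE09C25CC}: NameServer = 158.152.1.58,158.152.1.43
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - J:\WINDOWS\SYSTEM32\ssoftsrv.exe
"""

# Every HijackThis finding is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^(?P<code>[ORF]\d+) - (?P<body>.*)$")
# Registry-style CLSID/GUID in braces, as used for BHOs, toolbars and DPF controls.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# A closing quote preceded by whitespace: a quoted command line with a trailing space.
TRAILING_SPACE_RE = re.compile(r'\s"(?:\s|$)')

# Sections a reviewer reads line by line (assumed meanings, taken from the log's own labels).
REVIEW_SECTIONS = {
    "O15": "site added to the Internet Explorer Trusted Zone",
    "O16": "ActiveX control downloaded from the web (DPF)",
    "O17": "DNS server configured in the TCP/IP registry keys",
}


def parse_hjt_log(text):
    """Split a HijackThis log into (header, running processes, section entries)."""
    header, processes, entries = {}, [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the "Running processes:" list
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            body = m.group("body")
            entries.append({"code": m.group("code"), "body": body,
                            "clsids": CLSID_RE.findall(body)})
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            processes.append(line)
        elif line.startswith("Logfile of "):
            header["tool"] = line[len("Logfile of "):]
        elif line.startswith("Platform: "):
            header["platform"] = line[len("Platform: "):]
    return header, processes, entries


def summarize(entries):
    """Count entries per section code, e.g. {'O2': 2, 'O4': 2, ...}."""
    return Counter(e["code"] for e in entries)


def triage(entries):
    """Return (code, reason, body) for the entries a reviewer would look at first."""
    findings = []
    for e in entries:
        code, body = e["code"], e["body"]
        if code == "O2" and "(no name)" in body:
            findings.append((code, "BHO registered without a display name", body))
        elif code == "O4" and TRAILING_SPACE_RE.search(body):
            findings.append((code, "autostart command line with a trailing space inside the quotes", body))
        elif code in REVIEW_SECTIONS:
            findings.append((code, REVIEW_SECTIONS[code], body))
    return findings


if __name__ == "__main__":
    hdr, procs, ents = parse_hjt_log(SAMPLE_LOG)
    print(hdr["tool"], "on", hdr["platform"], "-", len(procs), "processes,", len(ents), "entries")
    for code, n in sorted(summarize(ents).items()):
        print(f"  {code}: {n}")
    for code, reason, body in triage(ents):
        print(f"{code}: {reason}\n    {body}")
```

Run it against a full log saved from HijackThis instead of `SAMPLE_LOG` to get the same per-section counts and review list for the whole file; the CLSIDs it extracts are the values you would look up (as surferdude2 does below for the freshdevices BHO) rather than a verdict on their own.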
     
  6. 2005/06/09
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
  7. 2005/06/09
    surferdude2

    surferdude2 Inactive

    Joined:
    2004/07/04
    Messages:
    4,009
    Likes Received:
    23
    Are you sure Tony? I get [206E52E0-D52E-11D4-AD54-0000E86C26F6] as being:
    http://www.freshdevices.com/freshdown.html
    which says it has no spyware hidden within. ?? It appears to be a download manager that rates pretty high with some folks.

    Of course, if you have specifics I'll accept that.
     
  8. 2005/06/09
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
  9. 2005/06/11
    GNevill

    GNevill Inactive Thread Starter

    Joined:
    2002/01/08
    Messages:
    25
    Likes Received:
    0
    Thanks for that folks. I will get rid of the TKBell RealSched startup again.

    I think that you are right about the defrags because if I leave the machine on overnight, the activity does stop eventually. This may be a drawback of having so many partitions, the system has a lot of options to try.

    The access of my network drive may have been a hardware fault because it did it again on Thursday evening and developed a squeak between the clicks of seeking, whereupon it gave i/o errors when I accessed the drive and is now unreadable.

    Thanks again

    Nev
     
  10. 2005/06/20
    GNevill

    GNevill Inactive Thread Starter

    Joined:
    2002/01/08
    Messages:
    25
    Likes Received:
    0
    Disk still busy

    I could not find where background defragmentation was switched on. Not in the defrag program.

    I am very busy with work at the moment so I have not had much time to investigate further. I did bring up the Task Manager when there should have been nothing running and found that explorer.exe was very busy with the cpu % varying from 3% to 70%. I had no foreground tasks running and cannot think what explorer was doing.

    Does anyone know why explorer is busy on an empty machine?

    Nev
     
  11. 2005/06/20
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Nevill,

    You're not going to find it, not user accessible. The only reason I know is because I use an application/process firewall which intercepts app activity and OS extension activity asking for permission/denial or run once/deny once.

    What you might try if feasible is disabling the Task Scheduler Service temporarily to disable auto defragging and see if that has an effect. That will disable System Restore auto checkpoints as well, so if you use it, create manual ones.

    Regards - Charles
     
    Last edited: 2005/06/21