Hourglass in task bar

This is curious but not particularly serious, just irritating.
On start-up in Windows XP Home Edition if I try to access anything in the task bar, the hour-glass appears and stays for about 2 minutes. I can access programmes on the desktop, but nothing on the taskbar, including the Start button, until the hourglass eventually disappears.

I've checked what programmes are loaded on startup using StartupCop and there don't appear to be any rogues, and have got the latest edition of Adaware6, Spy Doctor, and Spyware blaster.
All seems normal in the HJT log which I've pasted below. Is there anything that might cause this delay?



Logfile of HijackThis v1.99.0
Scan saved at 19:44:17, on 25/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\PRTG Traffic Grapher 4\prtg4.exe
C:\Program Files\PRTG Traffic Grapher 4\prtg4.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe "
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108218555765
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PRTG 4 Service - Paessler Router Traffic Grapher - Paessler GmbH - C:\Program Files\PRTG Traffic Grapher 4\prtg4.exe

 

Hello Fitz,

Have you tried shutting down the running apps one by one to see which might the culprit? That's the only way I can think of trouble shooting this sort of problem.

EDIT: I meant disabling startups one by one. Before trying that, bootup in safe mode and see if you get the symptom - if not, then try the app disabling. If that doesn't get you anywhere, then try the various startup configuratins in msconfig - one is the OS + all the drivers for example.

Regards - Charles

 

Shot in the dark, might luck out ....

After startup / windows view comes up, Ctrl/alt/del to display Task Manager.
Click on CPU column to bring highest CPU processes to the top of list.
Now click on any "Taskbar access" that has previously created the problem.
What shows up at top of list. Could give you a place to start.

 

Sorry, I don't understand what you meant by click on any "Taskbar access "...


I've tried disabling all startup programmes butthere is still a delay on the taskbar.
The only "cure" is to start up in diagnostic mode using msconfig, but this disables access to internet and e-mail.

I have recently upgraded to higher speed download access and adjusted the RWIN settings to a higher level, but can't see how this would affect startup...

 

"Taskbar access" refers to your following statement ...

Maybe edit it back to default setting and see if it helps?

 

I agree with the others comments. Good ways of troubleshooting the issue.

The HJT log looks clean of not only critters but of some of the usual resource hogs. I am sorta beginning to wonder about Spyware Doctor but only because this is the 2nd or 3rd thread recently about XP systems with performance issues where that app was loaded and running. May just be coincidence but maybe stop it and see if you notice improvement.

Get SP2. More secure by far and lots of PCs seem to run faster with SP2 than without.

 

Hi Newt,
I like to keep startup programmes well trimmed and take quite frequent soundings with HJT to weed out any nasties as well as twice-weekly updates on anti-virus and spyware. This is a fairly recent development so I'm trying to asociate it with tweaks and changes that I may have performed in the last week or so. The only thing that comes to mind is adjustment of the RWIN settings, which I've now reset to default settings having raised them before to enable the greater download speed that I was expecting having upgraded by service to 2MBps. I've also followed your suggestion and removed Spy Doctor as I have enough good spyware loaded, and removed some Bandwidth monitors that I'd previously installed. There ae just six Startup programmes and all very innocent. I can't think what might be causing that delay.

 

Fitz - this is an unusual problem and I can't think of anything that would cause this behavior either.

You might try going to a start->run line and

Code:

sfc /scannow

followed by a cmd window and chkdsk /f. This pair of utilities can clear up some of these one-off issues. If they do, you still won't know what was broken but if it's fixed, you probably won't care.

 

I think I may have solved this now.
I noticed that the Events Log in Admin Tools (which I found out how to use here) kept showing this error in loading:-
"Paessler Router Traffic Grapher service hung on starting. "
which is the Bandwidth Monitor that I installed, (which I found totally unreliable by the way- Tiscali's own monitor was much better.)

The startup delay is down to about 15 seconds which is much better than 90 seconds.
I notice I still get the folowing Error message, which is a little baffling:-
"The General Purpose USB Driver (adildr.sys) service failed to start due to the following error: The system cannot find the file specified. "

I've searched for adildr.sys and cannot find it on my computer. I had a Sagem modem when I first installed Broadband which was connected via the USB port, but then switched to a Speedtouch wireless router and have a printer connected to that port now. Maybe it's the vestige of that.

 

First let me say you Hijackthis log looks clean, and emphasize that Hijackthis is primarily designed as an ennumerator. IT shows the entries in specific locations of the registry and system files. As a side feature it can delete some of these, but it really was not designed as an automated removal tool and only affects the single entry. Often malware involves much more detailed action and specific removal tools, not just "fixing" it with Hijackthis. Removing the entry before an expert has reviewed it just makes the infestation much harder to detect.


THe next thing to remember, is that XP was designed to show the desktop as soon as possible in the boot sequence; even before the computer is finished loading files and launching services and programs. Often one of these , such as an antivirus or firewall will demand priority and keep you from doing other things .

One way to trouble shoot this is to disable suspect items , either by using their built in controls (this is advisable with complex programs such as Norton Internet Security which have both program and service entries).
Code Stuff Starter
is a useful tool for easily temporary disabling program startups as well as removing the registry entries and viewing dependencies of both the startup entry and running processes.


Looking over your log, I would guess that you have removed an entry (probably an 04 startup entry) which should load before the corresponding service is loaded (remember, services are loaded in batches depending on which hiv file they are in and where in the registry the service entry is loaded) . This is causing the service to hang.

Another probable cause is that a recent windows update or program update has changed a shared DLL. Thus when it reaches the point where this dll is called by anything other than the program which updated it, you get a hang while it is verified. Often running update on all antivirus and firewalls will solve this. In the past, I have seen cases where you had to manually run the live update and choose the patch with certain antivirus programs.

If it is a windows dll, the best measure is to run system file checker.
GO to start/ run and type cmd
in the command prompt type
sfc /scanonce
hit enter. (alternatively you can go to start/ run and type sfc /scannow and hit enter which will run it in windows)
It should ask if you want to run on reboot. Agree and restart. When it prompts, insert your windows CD.
If it says failed,hit retry, it means the file was in use when windows tried to replace the damaged version , this may take several attempts on some files.

When it finishes, the next step is to go to Belarc.com
And get the free belarc advisor.
Run it and at the bottom of its analysis it will show your installed windows updates. Any which are damaged, it will give you links to a KB article so you can download a replacement.

Finally after all that, make sure to manually update your antivirus etc.



But if I were on the clock, I would start with the fact that these service entries
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PRTG 4 Service - Paessler Router Traffic Grapher - Paessler GmbH - C:\Program Files\PRTG Traffic Grapher 4\prtg4.exe

do not have any corresponding 04 program entries.
I would suspect that someone disabled them either by removing the entry with hijackthis or by using msconfig (or startup cop). I would say if just disabled, try reenabling the entries and if you do not want them running, disable them using the programs options and check to see that the service is also disabled. Or use services.msc to disable the corresponding service for the programs you have disabled. If you removed the entry with hijackthis, reinstall the program or uninstall it completely if you do not want it running.

 

Thanks for that detailed advice.
The main problem seems to be fixed now and you are quite right in supposing that I have disabled some of the programmes that still appear later in the HJT log. In fact, the very last entry, namely
"O23 - Service: PRTG 4 Service - Paessler Router Traffic Grapher - Paessler GmbH - C:\Program Files\PRTG Traffic Grapher 4\prtg4.exe "

refers to the programme which I think was at the root of the problem as this used to sit in the taskbar very much as a background tool which I disabled after finding that its results did not match with the bandwidth and download monitor of my ISP.

I've tried "fixing ", ie removing this item in the HJT log, but it keeps coming back; as you indicated it may need deletion from the registry even though I've now removed the programme.

Logfile of HijackThis v1.99.0
Scan saved at 16:48:43, on 26/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\PRTG Traffic Grapher 4\prtg4.exe
C:\Program Files\PRTG Traffic Grapher 4\prtg4.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Owner\My Documents\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe "
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108218555765
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PRTG 4 Service - Paessler Router Traffic Grapher - Paessler GmbH - C:\Program Files\PRTG Traffic Grapher 4\prtg4.exe

 

Boot to safe mode
Try going to start/ run and type
services.msc
Locate the offending service and double click
If running click stop service
Change its startup mode to disabled.


Reboot and check for the hijackthis entry.,
If it is there, choose fix and reboot to safe mode and locate and delete
C:\Program Files\PRTG Traffic Grapher 4\prtg4.exe

 

Thanks for that Oshwyn, that seems to have removed it.

I must say, as well as curing the problem, I have learned more about monitoring what goes on in the complex Windows startup process, and what to do about it. I think I've been depending too much on MsConfig and StartupCop to monitor and understand exactly what is going on.
As well as attracting very helpful and detailed advice, it's good to know that I can refer to these archives should I need to do so.

Any final thoughts on this line from the latest HJT log:-
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

It's the only one I can't really identify or explain.

 

Hi Fitz.

I think I've been depending too much on MsConfig and StartupCop to monitor and understand exactly what is going on.

http://www.sysinternals.com/Utilities/Autoruns.html autoruns, shows more startup locations than any other program I know of.

http://www.mlin.net/StartupMonitor.shtml Mike Lin has two apps - one to disable startups, the other to monitor the startups for any app that wants to insert itself into the startups.

http://castlecops.com/CLSID.html is one place to lookup CLSID's - the one you have belongs to Spyware Doctor.

Regards - Charles

 

Hi Charlesvar,
I've had a look and reckon these are useful links and tools.
Thanks for those.