
XP system REALLY sluggish [HJT Log]

Discussion in 'Malware and Virus Removal Archive' started by netorius77, 2006/05/02.

  1. 2006/05/02
    netorius77

    netorius77 Inactive Thread Starter

    Joined:
    2006/05/01
    Messages:
    4
    Likes Received:
    0
    Please be patient. I do not consider myself a computer whizz, but can get by reasonably well.

    I am running XP SP2 on my HP laptop. It has slowly become really sluggish, although still works. My touchpad mouse hardly works at all although, when I plug in a USB mouse it seems to work fine. When I rerun the touchpad driver software, it runs fine for a while and then slows right down again to a point where I can hardly see the cursor. When I run the Windows Task Manager, it shows the Process "taskmgr.exe" consuming 98% of my processor capacity and 4536k Mem usage which seems very suspicious to me. I also cannot run a DVD anymore as it is really jumpy.

    I have AVG AV installed and have tried running all the software recommended by Lonny Jones, AdAware and SpyBot, which doesn't seem to have unearthed anything significant, although each time I restart the PC and run the program (AdAware) it seems to find more items to quarantine.

    I have run the HJT and attach below.

    I am not really sure where to go, and hope I have posted in the right forum.

    Logfile of HijackThis v1.99.1
    Scan saved at 21:11:21, on 02/05/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\AEIWLSVC.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\System32\HPConfig.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP DVD\Umbrella\DVDTray.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Spyware Nuker\swnxt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com/info/homepage-o
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe "
    O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe "
    O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SWN2] C:\Program Files\Spyware Nuker\swnxt.exe /h
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: officejet 6100.lnk = ?
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/homepage-o
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1109489774401
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Aeiwsvc - Unknown owner - C:\WINDOWS\system32\AEIWLSVC.EXE
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe



    Thanks in anticipation
     
  2. 2006/05/02
    sparrow

    sparrow Inactive

    Joined:
    2004/03/21
    Messages:
    2,282
    Likes Received:
    0
    Welcome to the bbs!

    First glance: a place to start:
    Delete ALL possible files from all temp folders, temporary internet files folders, and windows\prefetch folder and finally the recycle/recycler bin.
    There will be a few that won't delete; leave them for now. Then:
    See this symantec web page and remove spyware nuker as directed.

    One of us will further examine the HJT log and get back to you.
     


  4. 2006/05/02
    sparrow

    sparrow Inactive

    Joined:
    2004/03/21
    Messages:
    2,282
    Likes Received:
    0
    A closer look through your log reveals an enormous amount of software starting at boot and running constantly in the background. This uses lots of CPU time, which should rather be available to your productive programs.

    Suggest you download startup.exe and run it. You can use it to see and stop lots of programs that run at startup; just uncheck them and exit. Your decisions will take effect after the next boot.

    None of the HP software that came with your computer is necessary, IMHO, for windows to run. Would stop it all, if the decision were mine. Would also include in this category the google "helpers" and the MS Office startup stuff. You can start those things manually if and when you need them.

    There's one file running in the background about which there's no information on a google search: C:\WINDOWS\system32\AEIWLSVC.EXE
    Non-windows files in the windows or windows\system32 folders are always suspect. If it doesn't disappear after you've removed nuker, or if you don't know that it's part of something you need, would remove it manually (or if you're nervous about that you can just rename it to AEIWLSVC.EXE.BAK); you need to go to safe mode, probably, or at least end it in task manager before trying to remove/rename it.
     
    Last edited: 2006/05/02
  5. 2006/05/02
    sparrow

    sparrow Inactive

    Joined:
    2004/03/21
    Messages:
    2,282
    Likes Received:
    0
    Depending on your decisions based on the above, suggest you re-run Hijackthis in safe mode and check the following for removal; then click fix.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com/info/homepage-o
    Not sure about this one:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    leave it for now.
    O4 - HKLM\..\Run: [SWN2] C:\Program Files\Spyware Nuker\swnxt.exe /h
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: officejet 6100.lnk = ?
    O23 - Service: Aeiwsvc - Unknown owner - C:\WINDOWS\system32\AEIWLSVC.EXE
    (if still present and as indicated in prev. post.)

    Please post your progress and any questions.
     
    Last edited: 2006/05/02
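Added example, not code from the thread and not part of HijackThis: a small Python script that applies the rules sparrow used in the two posts above (non-Windows files sitting directly in \WINDOWS or \WINDOWS\system32, services with an unknown owner, startup shortcuts whose target HJT shows as "?", a default page forced to about:blank, the ProxyOverride entry, and the Spyware Nuker stub the second post says to remove) to HJT log lines. The sample lines are copied from the first log posted in this thread; the allowlist of Windows files, the rogue-file list and the fix/check/info severities are the example's own assumptions.

```python
"""Triage a HijackThis v1.99 log with the rules used in this thread.

Added example for this thread, not HijackThis code and not a tool anyone
in the thread used. The allowlist, the rogue-file list and the severities
are this example's own assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: eight lines copied from the first log posted above.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1",
    r"O4 - HKLM\..\Run: [SWN2] C:\Program Files\Spyware Nuker\swnxt.exe /h",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - Global Startup: hpoddt01.exe.lnk = ?",
    r"O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll",
    r"O23 - Service: Aeiwsvc - Unknown owner - C:\WINDOWS\system32\AEIWLSVC.EXE",
    r"O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe",
]

# Assumed allowlist: XP binaries that legitimately sit directly in
# \WINDOWS or \WINDOWS\system32 and commonly appear in HJT logs.
KNOWN_WINDOWS_FILES = {"ctfmon.exe", "explorer.exe", "rundll32.exe",
                       "userinit.exe", "wuauclt.exe"}
# Files the thread itself says to remove (Spyware Nuker's startup stub).
ROGUE_FILES = {"swnxt.exe"}

SECTION_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# First drive-letter path ending in a binary extension; stops before any
# trailing arguments such as "/h" or "/STARTUP".
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.(?:exe|dll|sys|ocx|cpl|scr))', re.I)
# A file directly in \WINDOWS or \WINDOWS\system32 (no deeper subfolder).
WINDIR_RE = re.compile(r"^[a-z]:\\windows\\(?:system32\\)?[^\\]+$")


@dataclass
class Finding:
    severity: str  # "fix": remove, "check": verify by hand, "info": note only
    line: str
    reason: str


def binary_path(entry: str):
    """Return the first executable/library path in an HJT entry, or None."""
    m = PATH_RE.search(entry)
    return m.group(1) if m else None


def triage(lines):
    """Apply the thread's heuristics to every recognised HJT entry."""
    findings = []
    # A bypass list only matters if a proxy server is configured too.
    has_proxy_server = any("ProxyServer" in ln for ln in lines)
    for raw in lines:
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        path = binary_path(body)
        filename = path.lower().rsplit("\\", 1)[-1] if path else ""

        if section == "O23" and "Unknown owner" in body:
            findings.append(Finding("check", line, "service reports no owner/vendor"))
        if section == "O4" and body.endswith("= ?"):
            findings.append(Finding("fix", line, "startup shortcut whose target HJT could not resolve"))
        if section == "R1" and body.endswith("= about:blank"):
            findings.append(Finding("fix", line, "default page forced to about:blank"))
        if section == "R1" and ",ProxyOverride" in body:
            findings.append(Finding("check" if has_proxy_server else "info", line,
                                    "proxy bypass list; only matters alongside a ProxyServer entry"))
        if filename in ROGUE_FILES:
            findings.append(Finding("fix", line, f"{filename} belongs to Spyware Nuker"))
        if path and WINDIR_RE.match(path.lower()) and filename not in KNOWN_WINDOWS_FILES:
            findings.append(Finding("check", line, f"non-Windows file in the Windows directory: {path}"))
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = {"fix": 0, "check": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:5}] {f.reason}\n        {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

On the sample this reports three "fix" lines (about:blank, the Spyware Nuker Run entry, the unresolved hpoddt01 shortcut), three "check" lines (AEIWLSVC.EXE twice, once for the unknown owner and once for its location, and igfxsrvc.dll, which is simply not on the allowlist and needs a manual look) and one "info" line for ProxyOverride. A "check" is a prompt to verify, not a verdict: the script cannot tell a wireless-adapter helper from malware, which is exactly why the thread's advice is to look each one up.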
  6. 2006/05/02
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    AEIWLSVC.EXE is likely a wireless adapter.
     
  7. 2006/05/02
    netorius77

    netorius77 Inactive Thread Starter

    Joined:
    2006/05/01
    Messages:
    4
    Likes Received:
    0
    Sparrow, your help has been invaluable - thanks for all your suggestions and advice. Please bear in mind I live in Australia, hence the seemingly slow response in getting back to you. While you were hard at work, dissecting my problem, I was sleeping - now you are probably sleeping! Having done what is described below, the system is faster and does seem far more stable.

    OK, I have done the following:

    Deleted all temporary files/cookies etc. from IE
    Deleted all unnecessary temporary files from folders
    Removed Spyware Nuker
    Removed Google Searchbar
    Deleted HP printer/scanner installation
    Deleted HP DVDwriter installation
    Emptied Recycler
    Run AdAware - no issues
    Ran XP disk cleanup - (only 3kB left to remove)

    Installed Startup Control Panel and ran:
    - Startup user - disabled Palm PDA Hotsync manager (can manually start it when I need it)
    - Startup common - disabled DataViz Messenger
    - disabled Microsoft Office as suggested
    - HKLM Run - Left AVG (antivirus)
    - Left DVDBitSet/DVD Tray (I assume something to do with removable DVD drive)
    - Left SynTPEnh (something to do with the touchpad mouse)
    - Disabled HP Software update and HPDJ Taskbar utility
    - HKCU/Run - left ctfmon.exe (not sure but looks "system like ")
    - Disabled RecordNow
    - Disabled Yahoo Pager
    Restarted Computer

    Ran HJT and ...Oops - not in Safe Mode - done that and rerun HJT

    Logfile of HijackThis v1.99.1
    Scan saved at 11:20:03, on 03/05/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\System32\HPConfig.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\HP DVD\Umbrella\DVDTray.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe "
    O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/homepage-o
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1109489774401
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

    A few questions on this HJT report:
    Why would the line "C:\WINDOWS\system32\svchost.exe" run three times?

    Regarding your question on the line: "R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 ", I am not sure what this is - I am not currently connected to a work network - and only use a pretty standard DSL connection. Would you recommend I remove this?

    Do I just assume that my HP6110 USB printer/scanner/fax (now removed) will "plug and play" with the standard XP drivers on my system? If not, how do you suggest I manage this?
     
    Last edited: 2006/05/02
  8. 2006/05/03
    sparrow

    sparrow Inactive

    Joined:
    2004/03/21
    Messages:
    2,282
    Likes Received:
    0
    Glad you've got some help. :D Thanks for the report.

    Re: 127.0.0.1, that's your own computer. The notation is sometimes used in network printer setup. Can't hurt.

    The items you have disabled in startup.exe by unchecking them are not removed; they just don't run constantly in the background. If you find that you need some running, just replace the check mark in the box in startup.exe.

    BTW, hijackthis is run in normal mode for diagnosis and safe mode for repairs. To check your computer now, please use it in normal mode.

    The items you have 'fixed' with hijackthis are the registry and win/system.ini entries that start the programs running. None of those programs are deleted. Think that's true of the printer/scanner software and the HP DVDwriter installation also.
    The only software that should be gone is the nuker which you removed in add/remove programs in control panel.

    Here's info from MS on ctfmon.exe along with pros and cons of disabling it.

    Continue of course to run AVG, and make sure that XP's firewall is on (windows firewall in control panel). Run AdAware and Spybot S&D and clean the various temp folders mentioned above manually once or twice a month, or oftener if you're finding a lot. Personally, I also run spywareblaster and spywareguard at startup. Some of those programs have an immunize feature which should be turned on. All those programs are free. There's no need to buy ANY.

    Be careful of XP disk cleanup, i.e., look carefully at what is being deleted. Don't use it myself.

    You installed Startup Control Panel so you don't need to use the teatimer part of SpybotS&D.

    Believe that RecordNow is useful if you leave the DVD in place and use it to frequently back up data. Experiment to see if you miss it.

    Best wishes.
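Added example, not from the thread: what the ProxyOverride value on the R1 line discussed above actually does. Internet Explorer reads it as a semicolon-separated list of host patterns ('*' is a wildcard, and the special token <local> means names without a dot) that bypass the configured proxy; with ProxyEnable off, as the posted log implies, the list changes nothing, which is why it can't hurt. The script models that matching in simplified form (no IPv6 literals), and the "hijacked" settings, including the 10.0.0.5:8080 proxy address, are made up to show the case where the same entry would matter: a proxy silently inserted with only localhost exempted.

```python
"""Model of IE's ProxyOverride handling, as an added example for the
R1 ProxyOverride line above. Not code from the thread; a simplified
version of Internet Explorer's rules, and the hijacked snapshot below,
including its proxy address, is made up.
"""
import re
from urllib.parse import urlsplit

# Constructed snapshots of HKCU\...\Internet Settings values.
LAPTOP = {  # what the posted log implies: a bypass list but no proxy at all
    "ProxyEnable": 0,
    "ProxyOverride": "127.0.0.1",
}
HIJACKED = {  # hypothetical: proxy switched on, only local traffic exempted
    "ProxyEnable": 1,
    "ProxyServer": "10.0.0.5:8080",   # made-up address
    "ProxyOverride": "127.0.0.1;<local>",
}


def bypasses_proxy(proxy_override: str, url: str) -> bool:
    """True if the URL's host matches any entry in the bypass list."""
    host = urlsplit(url).hostname or ""
    for entry in (e.strip() for e in proxy_override.split(";")):
        if not entry:
            continue
        if entry.lower() == "<local>":
            # <local> covers plain (dotless) names such as 'intranet'.
            if "." not in host:
                return True
            continue
        # Drop an optional scheme and port from the pattern, then turn '*'
        # into a regex wildcard; IPv6 literals are not handled here.
        pattern = entry.split("://", 1)[-1].split(":", 1)[0]
        regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
        if re.match(regex, host, re.I):
            return True
    return False


def proxy_for(settings: dict, url: str):
    """Return the proxy a request to url would go through, or None for direct."""
    if not settings.get("ProxyEnable"):
        return None                     # bypass list is irrelevant
    if bypasses_proxy(settings.get("ProxyOverride", ""), url):
        return None
    return settings.get("ProxyServer")


if __name__ == "__main__":
    for name, cfg in (("laptop", LAPTOP), ("hijacked", HIJACKED)):
        for u in ("http://127.0.0.1/", "http://intranet/", "http://www.hp.com/"):
            print(f"{name:8} {u:22} -> {proxy_for(cfg, u) or 'direct'}")
```

The practical check when reading a log is therefore the pair of entries, not the bypass list alone: an R1 ProxyServer line that the user never configured is the one to worry about, and ProxyOverride only tells you which hosts would escape it.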
     
  9. 2006/05/03
    sparrow

    sparrow Inactive

    Joined:
    2004/03/21
    Messages:
    2,282
    Likes Received:
    0
  10. 2006/05/03
    netorius77

    netorius77 Inactive Thread Starter

    Joined:
    2006/05/01
    Messages:
    4
    Likes Received:
    0
    Thanks - all seems much happier!

    I did delete the HP setup programs, but not really concerned as I have the OEM disks to reinstall if necessary.

    Should my printer and DVD writer (both standard commercial HP items) just plug and play with standard XP, or would I need to reinstall the software supplied with the equipment - I am not at home at the moment so cannot check, but maybe just better to download some specific drivers although that opens up more opportunities for spyware infiltration!
     
  11. 2006/05/03
    sparrow

    sparrow Inactive

    Joined:
    2004/03/21
    Messages:
    2,282
    Likes Received:
    0
    Sorry if you deleted programs on your own. In these situations it's important to follow directions exactly except where you're given options. However, don't think any harm done; most of hp's programs are quite unnecessary. Your backup should be very adequate. If you mean you have an OEM XP disk, no drivers except windows default are present. Drivers you need should be on an OEM CD with the word drivers on its label, or at least visible when you examine the CD in explorer.exe.

    At this point you should make certain you have drivers for the motherboard hardware, your NIC, and sound and video chips/cards because you'll need them down the road when the need arises to reinstall XP; it always does :D ; I reinstall every year or two and am always amazed how much better everything works.
    You'll have to see for yourself. Suspect everything should work when run manually.

    Please let us know how this turns out.
     
  12. 2006/05/24
    netorius77

    netorius77 Inactive Thread Starter

    Joined:
    2006/05/01
    Messages:
    4
    Likes Received:
    0
    After all the help and my trying guess what - was easier to backup my data file overnight onto a external HD and reloaded the OS and my programs. It works like a dream again.

    I guess sometimes it is just quicker and easier to start at the beginning. I learned a lot and had fun trying (amongst the frustration) but in the end it takes too long to figure out all the issues if you are not in the upper levels of computer understanding. Thanks for your help guys.
     
  13. 2006/05/25
    sparrow

    sparrow Inactive

    Joined:
    2004/03/21
    Messages:
    2,282
    Likes Received:
    0
    Agree. Good decision. Thanks for the follow-up.
     
