Everything works ..... after a delay

Avatar

On this Win XP Pro SP3 machine with all updates installed -

From the last few days, we find that everything - opening an application,
opening Windows Explorer, starting Internet Explorer, opening a picture... -
takes up to half-a-minute to happen.

Even while stopping and exiting Windows Media Player in the middle of a song
makes the song audible well after the exit of WMP which itself takes quite a
few seconds.

System checked for all malware and additional services and processes. Works
normally after a reboot but this behavior starts soon thereafter.

This dual-core Athlon with 2GB RAM was the fastest machine in the house -
beating two Windows 7 machines for speed and response.

Any insights welcome. Regards and TIA.

Avatar
-------
 
Peter Foldes

Avatar

Does this issue happen when you boot into Safe mode?

--
Peter
Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.
This posting is provided "AS IS" with no warranties, and confers no rights.
http://www.microsoft.com/protect
 
(PeteCresswell)

Per Avatar:
Any insights welcome. Regards and TIA.

"Insight" might be too grand a word, considering I know next to
nothing.

Having said that, I went through a similar scenario on my WSH
box.

The root cause in that case was a drive that had started throwing
errors.

Windows caught on to the errors and downgraded the access mode to
that drive from something called "DMA" to "PIO". Haven't got a
clue about either one except that "PIO" is way slower.

Confirmation (and temporary fix) of the problem was to open up
the props of the controller, observe "PIO" as the access mode,
change it to DMA, and observe the increased performance.

Final fix was to replace the drive - although the offending drive
has been functioning a-ok as a backup....
 
Avatar

Bob H said:
What other processes are running with windows open?

These are the running processes on this machine with no applications open,
after a boot.
Earlier we had Acronis, PeerBlock as well as VirtualCD running as well but
these were temporarily disabled to see if that had any effect on the
problem. None.

Image Name PID Session Name Session# Mem Usage

System Idle Process 0 0 28 K
System 4 0 240 K
smss.exe 840 0 408 K
csrss.exe 1060 0 3,692 K
winlogon.exe 1084 0 4,000 K
services.exe 1128 0 3,476 K
lsass.exe 1140 0 1,432 K
svchost.exe 1316 0 3,624 K
svchost.exe 1364 0 4,368 K
svchost.exe 1456 0 21,088 K
svchost.exe 1536 0 7,868 K
spoolsv.exe 1828 0 4,736 K
sched.exe 1892 0 852 K
explorer.exe 732 0 51,084 K
avguard.exe 1104 0 12,996 K
Homer.exe 1496 0 2,040 K
taskmgr.exe 1560 0 1,976 K
avgnt.exe 1676 0 1,556 K
avshadow.exe 1996 0 2,804 K
firefox.exe 2440 0 74,596 K
cmd.exe 2856 0 2,728 K
wmiprvse.exe 3676 0 6,068 K
tasklist.exe 1900 0 4,416 K
 
Avatar

Peter Foldes said:
Avatar

Does this issue happen when you boot into Safe mode?

--
Peter
Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.
This posting is provided "AS IS" with no warranties, and confers no
rights.
http://www.microsoft.com/protect


No, it does not happen in safe mode.
 
Avatar

(PeteCresswell) said:
Per Avatar:

"Insight" might be too grand a word, considering I know next to
nothing.

Having said that, I went through a similar scenario on my WSH
box.

The root cause in that case was a drive that had started throwing
errors.

Windows caught on to the errors and downgraded the access mode to
that drive from something called "DMA" to "PIO". Haven't got a
clue about either one except that "PIO" is way slower.

Confirmation (and temporary fix) of the problem was to open up
the props of the controller, observe "PIO" as the access mode,
change it to DMA, and observe the increased performance.

Final fix was to replace the drive - although the offending drive
has been functioning a-ok as a backup....

Just checked this - every drive - hard as well as optical - is running in
Ultra mode. Most in mode 6 (hard drives) - both optical drives in Ultra mode
2.
 
Bob CP

These are the running processes on this machine with no applications open,
after a boot.
Earlier we had Acronis, PeerBlock as well as VirtualCD running as well but
these were temporarily disabled to see if that had any effect on the
problem. None.

Image Name PID Session Name Session# Mem Usage

System Idle Process 0 0 28 K
System 4 0 240 K
smss.exe 840 0 408 K
csrss.exe 1060 0 3,692 K
winlogon.exe 1084 0 4,000 K
services.exe 1128 0 3,476 K
lsass.exe 1140 0 1,432 K
svchost.exe 1316 0 3,624 K
svchost.exe 1364 0 4,368 K
svchost.exe 1456 0 21,088 K
svchost.exe 1536 0 7,868 K
spoolsv.exe 1828 0 4,736 K
sched.exe 1892 0 852 K
explorer.exe 732 0 51,084 K
avguard.exe 1104 0 12,996 K
Homer.exe 1496 0 2,040 K
taskmgr.exe 1560 0 1,976 K
avgnt.exe 1676 0 1,556 K
avshadow.exe 1996 0 2,804 K
firefox.exe 2440 0 74,596 K
cmd.exe 2856 0 2,728 K
wmiprvse.exe 3676 0 6,068 K
tasklist.exe 1900 0 4,416 K

Homer.exe has been known to acquire infections. If stopping that
service doesn't change anything, what happens when you disable your
anti-virus?
 
Peter Foldes

Avatar said:
No, it does not happen in safe mode.


Avatar

Then it is a bad driver. What did you load or install a few days ago when this
issue started happening?

--
Peter
Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.
This posting is provided "AS IS" with no warranties, and confers no rights.
http://www.microsoft.com/protect
 
Jan Alter

Peter Foldes said:
Avatar

Then it is a bad driver. What did you load or install a few days ago when
this issue started happening?

--
Peter
Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.
This posting is provided "AS IS" with no warranties, and confers no
rights.
http://www.microsoft.com/protect

If the problem doesn't happen in safe mode, and it didn't start happening
until a few days ago, and you're not showing any infection, then it could
certainly be a 'bad' or corrupt piece of software driver. Try a system
restore point before any new software was installed.
 
Avatar

Bob CP said:
Homer.exe has been known to acquire infections. If stopping that service
doesn't change anything, what happens when you disable your anti-virus?

Disabling Homer has no effect.
Avira took almost a minute to be 'disabled'.
No effect.
After reboot, the delay effect started - after a delay.
 
Avatar

Bob H said:
I found this about homer.exe:

HOMER.EXE has been seen to perform the following behavior:

* Executes a Process
* Writes to another Process's Virtual Memory (Process Hijacking)
* Disables Access to the Windows Registry Editor
* Modifies Windows Security Policies to restrict/expand User
Privileges on the machine
* Adds a Registry Key (RUN) to auto start Programs on system start up
* Modifies System Runtime Policies to limit system usability
* Disables the built in Windows File Protection System
* The Process is packed and/or encrypted using a software packing
process
* This process creates other processes on disk
* This Process Deletes Other Processes From Disk

HOMER.EXE has been the subject of the following behavior:

* Executed as a Process
* Has code inserted into its Virtual Memory space by other programs
* Deleted as a process from disk
* Created as a process on disk
* Added as a Registry auto start to load Program on Boot up


Stop it running and then see what happens regarding delays.

The homer.exe on this machine comes from the following software :
http://www.funkytoad.com/index.php?option=com_content&view=article&id=14&Itemid=32
It is not a virus!
I do realize that there also exists a virus with the same name.
 
Avatar

Peter Foldes said:
Avatar

Then it is a bad driver. What did you load or install a few days ago when
this issue started happening?

--
Peter
Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.
This posting is provided "AS IS" with no warranties, and confers no
rights.
http://www.microsoft.com/protect

No hardware or software has been installed or changed on this machine for
some months now.
Only the monthly Microsoft updates are installed. That is yet to happen this
month as yet though.
 
(PeteCresswell)

Per Nil:
Check the System and Application event logs for clues.

Also, try downloading the TaskMan-analog freebie: "Process
Explorer".

Sometimes MIPS are hiding under TaskMan's "System Idle" and
Process Explorer shows them more explicitly.
 
Avatar

(PeteCresswell) said:
Per Nil:

Also, try downloading the TaskMan-analog freebie: "Process
Explorer".

Sometimes MIPS are hiding under TaskMan's "System Idle" and
Process Explorer shows them more explicitly.

Event Viewer was already checked for any leads - no items were found that seemed
to tie in with the delay.
Process Explorer revealed the same running processes as posted here earlier:

Process PID CPU Description Company Name
System Idle Process 0 96.88
Interrupts n/a Hardware Interrupts
DPCs n/a 1.56 Deferred Procedure Calls
System 4
smss.exe 840 Windows NT Session Manager Microsoft Corporation
csrss.exe 1112 Client Server Runtime Process Microsoft Corporation
winlogon.exe 1136 Windows NT Logon Application Microsoft Corporation
services.exe 1180 Services and Controller app Microsoft Corporation
svchost.exe 1368 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1416 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1508 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1588 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1868 Spooler SubSystem App Microsoft Corporation
sched.exe 1928 Antivirus Scheduler Avira GmbH
schedul2.exe 1156 Acronis Scheduler 2 Acronis
avguard.exe 1456 Antivirus On-Access Service Avira GmbH
avshadow.exe 1880 AntiVir shadow copy service Avira GmbH
lsass.exe 1192 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 812 Windows Explorer Microsoft Corporation
Homer.exe 2032 Homer - Localhost webserver funkytoad.com
taskmgr.exe 2100 Windows TaskManager Microsoft Corporation
avgnt.exe 2108 Antivirus System Tray Tool Avira GmbH
VCDDaemon.exe 2148 Virtual CloneDrive Daemon Elaborate Bytes AG
peerblock.exe 2196 PeerBlock PeerBlock, LLC
msimn.exe 2964 Outlook Express Microsoft Corporation
Process Explorer.exe 3672 1.56 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
 
Jan Alter

Avatar said:
No hardware or software has been installed or changed on this machine for
some months now.
Only the monthly Microsoft updates are installed. That is yet to happen
this month as yet though.

OK, no software has been installed lately. Is it possible to find and try a
restore point, say a week ago, before the problem began? It's possible a MS
update has caused the problem, or clearly something that has not been
thought of yet. If you can find a restore point a week or two ago, before
trying to restore, create a restore point at the current date if one has not
already been made.
 
glee

Avatar said:
Event Viewer was already checked for any leads - no items were found that seemed
to tie in with the delay.
Process Explorer revealed the same running processes as posted here earlier:

Process PID CPU Description Company Name
System Idle Process 0 96.88
Interrupts n/a Hardware Interrupts
DPCs n/a 1.56 Deferred Procedure Calls
System 4
smss.exe 840 Windows NT Session Manager Microsoft Corporation
csrss.exe 1112 Client Server Runtime Process Microsoft Corporation
winlogon.exe 1136 Windows NT Logon Application Microsoft Corporation
services.exe 1180 Services and Controller app Microsoft Corporation
svchost.exe 1368 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1416 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1508 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1588 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1868 Spooler SubSystem App Microsoft Corporation
sched.exe 1928 Antivirus Scheduler Avira GmbH
schedul2.exe 1156 Acronis Scheduler 2 Acronis
avguard.exe 1456 Antivirus On-Access Service Avira GmbH
avshadow.exe 1880 AntiVir shadow copy service Avira GmbH
lsass.exe 1192 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 812 Windows Explorer Microsoft Corporation
Homer.exe 2032 Homer - Localhost webserver funkytoad.com
taskmgr.exe 2100 Windows TaskManager Microsoft Corporation
avgnt.exe 2108 Antivirus System Tray Tool Avira GmbH
VCDDaemon.exe 2148 Virtual CloneDrive Daemon Elaborate Bytes AG
peerblock.exe 2196 PeerBlock PeerBlock, LLC
msimn.exe 2964 Outlook Express Microsoft Corporation
Process Explorer.exe 3672 1.56 Sysinternals Process Explorer Sysinternals - www.sysinternals.com

No, Process Explorer is showing *more* processes than your first list
taken from Task Manager.
What did you use to check for malware?

Be aware that some drivers still load even if you disable the
application's GUI from running at startup, so the fact that you disabled
things like Homer, PeerBlock and VirtualCD did not necessarily stop
their drivers from loading. To stop that, you would need to uninstall
the apps.

PeerBlock only recently added a signed driver...before that it used an
unsigned driver....the drivers are open source and could be a suspect in
this investigation. ;-) Are you using the newest version of PeerBlock
and the other apps?

Since the issue doesn't occur in Safe Mode, it is likely a driver issue
as others have mentioned already. You can try a Clean Boot, and if the
issue does not occur then, systematically re-enable startup items till
the issue occurs, until you have narrowed down which driver or service
is the culprit.

You can re-enable items using the "rule of halves." From a clean boot,
re-enable half the startup items, and reboot. If the issue returns, you
know it's one of the items in that group, so disable half of those, and
reboot. If the issue disappears, you know it's one of the items in that
small group that caused it, and this shortens your diagnostic time.

How to configure Windows XP to start in a "clean boot" state
http://support.microsoft.com/kb/310353
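
The "rule of halves" search described in the post above, modelled as an added example that is not part of the original thread. `issue_occurs` is a hypothetical stand-in for rebooting with a given set of startup items enabled and watching for the delay, the item list is constructed from image names posted in the thread, and the simulated culprit is chosen arbitrarily; it assumes a single item causes the delay on its own.

```python
"""Clean-boot bisection ("rule of halves") over startup items."""
from typing import Callable, FrozenSet, List, Optional, Sequence, Tuple

Oracle = Callable[[FrozenSet[str]], bool]


def find_culprit(items: Sequence[str], issue_occurs: Oracle) -> Tuple[Optional[str], int]:
    """Return (culprit, boots_used); culprit is None when bisection cannot apply.

    issue_occurs(enabled) is a hypothetical stand-in for: reboot with only
    `enabled` switched on, use the machine for a while, report the delay.
    Assumes exactly one item triggers the delay, independently of the others.
    """
    boots = 0

    def boot(enabled: Sequence[str]) -> bool:
        nonlocal boots
        boots += 1
        return issue_occurs(frozenset(enabled))

    if boot([]):           # still slow on a clean boot: not a startup item
        return None, boots
    if not boot(items):    # everything enabled yet no delay: not reproducible
        return None, boots

    suspects: List[str] = list(items)
    while len(suspects) > 1:
        half = suspects[: len(suspects) // 2]
        # Enable only the first half of the remaining suspects and reboot.
        suspects = half if boot(half) else suspects[len(half):]
    return suspects[0], boots


# Constructed input: non-Microsoft image names taken from the listings above.
STARTUP_ITEMS = ["sched.exe", "schedul2.exe", "avguard.exe", "avshadow.exe",
                 "avgnt.exe", "Homer.exe", "VCDDaemon.exe", "peerblock.exe"]


def simulated_machine(culprit: Optional[str]) -> Oracle:
    """Fake machine for the demo; the thread itself never names a culprit."""
    return lambda enabled: culprit is not None and culprit in enabled


if __name__ == "__main__":
    # Arbitrary choice of culprit, only to exercise the search.
    print(find_culprit(STARTUP_ITEMS, simulated_machine("VCDDaemon.exe")))
```

With eight items the search needs three reboots after the two baseline boots, against up to eight when re-enabling one item at a time.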
 
