
-Update- Resolved-Screen refreshes/ redraws closing things


Geoffrey B.    1,415

This is an interesting issue that has come to light on at least 7 Windows XP machines today at work.

At first the users described it as flickering. When I look at it, I see the screen redrawing. All icons disappear for a second and reappear. Also, if you have any context menus open they will close.

This is happening on a rather wide range of hardware. Here are the similarities.

All Dell machines

All Intel Chipsets

Windows XP Pro (fully updated)

McAfee VSE870i Antivirus

Java 6 Update 20

All users also have the Citrix Program Neighborhood on them.

This does NOT affect any Windows 7 machines that have the same AV, Java and Citrix versions.

I have checked the auto refresh rate (changed it to 12000)

I checked to make sure ALL drivers and Bios are updated on all the machines.

Any ideas?

~ISSUE RESOLVED~

Turns out we had a group policy that was looking every 15 seconds for an executable on a server to install something via SCCM.

The processes that were showing up were there because they were used to authenticate to the SCCM server and look for the installer.

Since there was no installer it would retry... every 15 seconds.

Edited by littleneutrino

Geoffrey B.    1,415

This is now affecting nearly 15 Windows XP machines.

Detection    2,255

Scheduled maintenance task running ?

Geoffrey B.    1,415

Scheduled maintenance task running ?

Nope, nothing scheduled, and it is not currently affecting all of our XP machines, just some of them. And if it was a scheduled task it would not persist through reboot and otherwise.

We installed Sophos on a few of these machines and it has not resolved the issue either, and no scans come up with any viruses (scanning with Sophos, Malwarebytes, McAfee, MSE...)

Detection    2,255

Has there been a Windows update that has installed a new driver or other software update that doesn't agree with the machines on the ones affected but is still waiting to install on the ones not affected?

Maybe check Event Logs on the problem machines against them on the working machines ?

Geoffrey B.    1,415

Nothing strange in the event logs. I have two test machines on my workbench; one experiences the issue and the other one does not. They are both fully updated in Windows, they both have the same BIOS version and they both have the latest hardware drivers.

Geoffrey B.    1,415

Couple things I found

1. (157) Prevent Automatic Folder and Icon Refresh

http://www.tomshardw...icon-refreshing

2. (121) Increase Icon Cache

http://www.pctools.c...resh-themselves

http://www.kellys-ko...m/xp_tweaks.htm

Already tried that a few days ago, it did not resolve the issue. If it helps this issue does not simply happen when you are looking at the desktop. It will refresh the screen every 15 or so seconds no matter what is on the screen.

Detection    2,255

Someone hasn't added a shortcut to the desktop into a 15 second scheduled task have they ? or some other XP joke program

How about sfc /scannow ?

Broken F5 keyboard button? (Are the keyboards wireless ? )

Does it happen offline too ?

Geoffrey B.    1,415

Have not given that a try yet, I can do that shortly.

Detection    2,255

Have not given that a try yet, I can do that shortly.

Could the AV on the affected machines have a new definition update that has not yet installed on the others?

Also try disabling everything in msconfig and reboot. If it's stopped happening, enable one by one until it starts again and see if you can narrow it down to a program causing the problem.

Geoffrey B.    1,415

We know there is a flaw with a recent McAfee update; however, McAfee has not released any info on whether it is causing this particular issue, and their fix for that particular patch did not resolve anything.

Detection    2,255

We know there is a flaw with a recent McAfee update; however, McAfee has not released any info on whether it is causing this particular issue, and their fix for that particular patch did not resolve anything.

If you system restore to before McAfee's problem update does it solve it ?

Geoffrey B.    1,415

SFC /Scannow did not resolve the issue.

We do not have system restore enabled on our machines.

Detection    2,255

SFC /Scannow did not resolve the issue.

We do not have system restore enabled on our machines.

I'd try uninstalling the AV on your test bench machine just to rule it out, or at least completely disable it in msconfig, but not sure if that will 100% disable every service too, might need services.msc to completely kill it, uninstalling would be easier I'd say

Geoffrey B.    1,415

Uninstalled all AV, disabled the firewall and the issue is still there.

We just found something interesting though.

If you disconnect the computer from the network, the issue goes away.

We installed a firewall suite (Sophos End Point Security) and it has yet to see anything out of the ordinary for traffic.

I am running a system restore to the week prior to the beginning of the issue to see if that helps anything.

Geoffrey B.    1,415

New information

After looking over some things we have noticed the following

Winlogon

CSRSS

and Explorer.exe

All of these will spike to the top of the CPU usage monitor while the "Flicker" occurs.

However, as stated before, if you disconnect the computer from the network the flicker will stop. Not really sure where the connection is yet, but we are slowly making progress tracking down the flicker. Still no idea though.

Detection    2,255

New information

After looking over some things we have noticed the following

Winlogon

CSRSS

and Explorer.exe

All of these will spike to the top of the CPU usage monitor while the "Flicker" occurs.

However, as stated before, if you disconnect the computer from the network the flicker will stop. Not really sure where the connection is yet, but we are slowly making progress tracking down the flicker. Still no idea though.

You sure it's not some remote access trojan and the flicker (refresh) is them connecting to the machine?

Process Explorer might be handy to see what else is running with those processes

http://technet.micro...s/bb896653.aspx

Geoffrey B.    1,415

When running a netstat on the machine we can see every time it flickers the computer attempts to do an LDAP using 37 different ports to our Domain Controller.

This is now affecting Every Single XP machine in the company.

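Added example, not part of the original thread: the netstat observation in the post above (a burst of LDAP connections to the domain controller on each flicker) and the 15-second retry named in the resolution can be confirmed by looking for periodic bursts of new LDAP sockets across repeated `netstat -ano` snapshots. The `## t=<seconds>` snapshot marker, the 192.0.2.x addresses, PID 620 and the `min_ports` threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from statistics import median

LDAP_PORTS = {389, 636, 3268, 3269}  # LDAP, LDAPS, Global Catalog, GC over TLS
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse_snapshots(text):
    """Yield (t, local_port, remote_ip, remote_port, pid) from timestamped netstat -ano rows."""
    t = None
    for line in text.splitlines():
        if line.startswith("## t="):      # assumed marker written before each snapshot
            t = int(line[5:])
        elif t is not None and (m := ROW.match(line)):
            yield t, int(m[2]), m[3], int(m[4]), int(m[6])

def ldap_bursts(text, min_ports=10):
    """Map remote IP -> [(t, new_socket_count, owning_pids)] for snapshots with a burst."""
    seen = defaultdict(set)                        # remote IP -> local ports already counted
    new = defaultdict(lambda: defaultdict(list))   # remote IP -> t -> PIDs of new sockets
    for t, lport, rip, rport, pid in parse_snapshots(text):
        if rport in LDAP_PORTS and lport not in seen[rip]:
            seen[rip].add(lport)                   # lingering TIME_WAIT rows are not recounted
            new[rip][t].append(pid)
    result = {}
    for rip, by_t in new.items():
        hits = [(t, len(p), sorted(set(p))) for t, p in sorted(by_t.items()) if len(p) >= min_ports]
        if hits:
            result[rip] = hits
    return result

def burst_period(hits):
    """Median gap in seconds between consecutive bursts, or None with fewer than two."""
    times = [t for t, _, _ in hits]
    gaps = [b - a for a, b in zip(times, times[1:])]
    return median(gaps) if gaps else None

def constructed_sample(dc="192.0.2.10", host="192.0.2.50"):
    """Constructed capture: a snapshot every 5 s, 37 new LDAP sockets every 15 s."""
    out, port, ports = [], 1100, []
    for t in range(0, 50, 5):
        out += [f"## t={t}", f"  TCP    {host}:1025    {dc}:445    ESTABLISHED    4"]
        fresh = t % 15 == 0
        if fresh:
            ports, port = list(range(port, port + 37)), port + 37
        state, pid = ("ESTABLISHED", 620) if fresh else ("TIME_WAIT", 0)
        out += [f"  TCP    {host}:{p}    {dc}:389    {state}    {pid}" for p in ports]
    return "\n".join(out)

if __name__ == "__main__":
    for ip, hits in ldap_bursts(constructed_sample()).items():
        print(ip, hits, "period:", burst_period(hits), "s")
```

A steady period with the same owning PID on every burst points at a timer-driven client component such as a policy or software-distribution retry rather than user activity.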
Geoffrey B.    1,415

Here is the process Explorer log.

[Image attachment: Process Explorer log]

Detection    2,255

When running a netstat on the machine we can see every time it flickers the computer attempts to do an LDAP using 37 different ports to our Domain Controller.

This is not affecting Every Single XP machine in the company.

I think Budman needs to jump in for networking help like this

Geoffrey B.    1,415

Corrected a typo up there, this is NOW Affecting all of our XP machines not Not.

Haggis    1,006

You said you did malware scans on the system etc did you check the DC?

Geoffrey B.    1,415

We have run scans on the DC as well.

Geoffrey B.    1,415

Not that I think it will be helpful at this point, but it's worth a try.

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 2:08:59 PM, on 9/6/2012

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\WINDOWS\system32\mfevtps.exe

C:\WINDOWS\TIREMOTE\TIRemoteService.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\McAfee\Common Framework\udaterui.exe

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\WINDOWS\RTDCPL.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Documents and Settings\tonya\Local Settings\Temporary Internet Files\Content.IE5\NRT0C1UA\HijackThis[1].exe

C:\WINDOWS\system32\SearchProtocolHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://beta.weather....LocalUndeclared

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MPW Industrial Services, Inc.

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll

O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL

O2 - BHO: Java? Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [bCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices

O4 - HKLM\..\Run: [RTHDCPL] RTDCPL.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [Client Access Service] C:\Program Files\IBM\Client Access\cwbsvstr.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O4 - Global Startup: VPN Client.lnk = ?

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000

O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

Internal Trusted Sites

O16 - DPF: {00130000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (13.0)) - http://www.napaaccou...eb/LTOCX13N.cab

O16 - DPF: {CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0) - http://InternalTimeServer/wf...dows-i586-p.exe

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab

O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 5.0 (SP2)) - http://www.napaaccou...eb/comdlg32.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Internal Domain

O17 - HKLM\Software\..\Telephony: DomainName = Internal Domain

O17 - HKLM\System\CCS\Services\Tcpip\..\{61357CFA-6CD3-4C60-8312-723C74B661F4}: NameServer = 172.16.0.10,172.16.0.16

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Internal Domain

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Internal Domain

O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: System i Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\cwbrxd.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Numara Software, Inc. - C:\WINDOWS\TIREMOTE\TIRemoteService.exe

--

End of file - 9869 bytes
