-Update- Resolved-Screen refreshes/ redraws closing things


Recommended Posts

Geoffrey B.

This is an interesting issue that has come to light today on at least 7 Windows XP machines today at work.

At first the users expressed it as Flickering. When I look at it, i see the screen redrawing. All icons dissappear for a second and reappear. Also if you have any context menu's open they will close.

This is happening on a rather wide range of hardware. Here are the similarities.

All Dell machines

All Intel Chipsets

Windows XP Pro (fully updated)

McAfee VSE870i Antivirus

Java 6 Update 20

All users also have the Citrix Program Neighborhood on them.

This does NOT Effect any Windows 7 machines that have the same AV, Java and Citrix versions.

I have checked the auto refresh rate (changed it to 12000)

I checked to make sure ALL drivers and Bios are updated on all the machines.

Any ideas?

~ISSUE RESOLVED~

Turns out we had a group policy that was looking every 15 seconds for an executable on a server to install something via SCCM

the processes that were showing up where because they were used to authenticate to the SCCM server and look for the installer.

Since there was no installer it would retry... every 15 seconds.

Edited by littleneutrino
Link to post
Share on other sites
Geoffrey B.

This is now effecting nearly 15 Windows XP machines.

Link to post
Share on other sites
Detection

Scheduled maintenance task running ?

Link to post
Share on other sites
Geoffrey B.

Scheduled maintenance task running ?

Nope nothing schedule and it is not currently effecting all of our XP machines just some of them. And if it was a scheduled task it would not persist through reboot and otherwise.

We installed Sophos on a few of these machines and it has not resolved the issue either and no scans come up with any virus's (scanning with Sophos, Malwarebytes, McAfee, MSE...)

Link to post
Share on other sites
Detection

Has their been a windows update that has installed a new driver or other software update that doesn't agree with the machines on the ones affected but is still waiting to install on the ones not affected ?

Maybe check Event Logs on the problem machines against them on the working machines ?

Link to post
Share on other sites
Geoffrey B.

Nothing strange in the event logs, I have two test machines on my work bench that one experiences the issue and the other one does not. They are both Fully updated in Windows, They both have the same Bios Version and they Both have the latest Hardware drivers.

Link to post
Share on other sites
Geoffrey B.

Couple things I found

1. (157) Prevent Automatic Folder and Icon Refresh

http://www.tomshardw...icon-refreshing

2. (121) Increase Icon Cache

http://www.pctools.c...resh-themselves

http://www.kellys-ko...m/xp_tweaks.htm

Already tried that a few days ago, it did not resolve the issue. If it helps this issue does not simply happen when you are looking at the desktop. It will refresh the screen every 15 or so seconds no matter what is on the screen.

Link to post
Share on other sites
Detection

Someone hasn't added a shortcut to the desktop into a 15 second scheduled task have they ? or some other XP joke program

How about sfc /scannow ?

Broken F5 keyboard button? (Are the keyboards wireless ? )

Does it happen offline too ?

Link to post
Share on other sites
Geoffrey B.

have not given that a try yet, i can do that shortly.

Link to post
Share on other sites
Detection

have not given that a try yet, i can do that shortly.

Could the AV on the affected machines have a new definition update that has not yet installed on the others ?

Also try disabling everything in msconfig, reboot, if its stopped happening, enable 1 by 1 until it starts again and see if you can narrow it down to a program causing the problem

Link to post
Share on other sites
Geoffrey B.

we know there is a flaw with a recent McAfee update however, McAfee has not released any info if it is causing this particular issue. and their fix for that particular patch did not resolve anything.

Link to post
Share on other sites
Detection

we know there is a flaw with a recent McAfee update however, McAfee has not released any info if it is causing this particular issue. and their fix for that particular patch did not resolve anything.

If you system restore to before McAfee's problem update does it solve it ?

Link to post
Share on other sites
Geoffrey B.

SFC /Scannow did not resolve the issue.

We do not have system restore enabled on our machines.

Link to post
Share on other sites
Detection

SFC /Scannow did not resolve the issue.

We do not have system restore enabled on our machines.

I'd try uninstalling the AV on your test bench machine just to rule it out, or at least completely disable it in msconfig, but not sure if that will 100% disable every service too, might need services.msc to completely kill it, uninstalling would be easier I'd say

Link to post
Share on other sites
Geoffrey B.

Uninstalled all AV, disabled the firewall and the issue is still there.

We just found something interesting though.

If you disconnect the computer from the network. the issue goes away.

We installed a firewall suite (Sophos End Point Security) and it has yet to see anything out of the ordinary for traffic.

I am running a system restore to the week prior to the beginning of the issue to see if that helps anything.

Link to post
Share on other sites
Geoffrey B.

New information

After looking over some things we have noticed the following

Winlogin

CSRSS

and Explorer.exe

All of these will spike to the top of the CPU usage monitor while the "Flicker" occurs.

However, as stated before, If you disconnect the computer from the network the flicker will stop. Not really sure where the connection is yet but we are slow making progress tracking down the flicker. still no idea though.

Link to post
Share on other sites
Detection

New information

After looking over some things we have noticed the following

Winlogin

CSRSS

and Explorer.exe

All of these will spike to the top of the CPU usage monitor while the "Flicker" occurs.

However, as stated before, If you disconnect the computer from the network the flicker will stop. Not really sure where the connection is yet but we are slow making progress tracking down the flicker. still no idea though.

You sure its not some remote access trojan and the flicker (refresh) is them connecting to the machine ?

Process Explorer might be handy to see what else is running with those processes

http://technet.micro...s/bb896653.aspx

Link to post
Share on other sites
Geoffrey B.

When running a netstat on the machine we can see every time it flickers the computer attempts to do an LDAP using 37 different ports to our Domain Controller.

This is now affecting Every Single XP machine in the company.

Link to post
Share on other sites
Geoffrey B.

Here is the process Explorer log.

post-120066-0-90676200-1346936953_thumb.

Link to post
Share on other sites
Detection

When running a netstat on the machine we can see every time it flickers the computer attempts to do an LDAP using 37 different ports to our Domain Controller.

This is not affecting Every Single XP machine in the company.

I think Budman needs to jump in for networking help like this

Link to post
Share on other sites
Geoffrey B.

Corrected a typo up there, this is NOW Affecting all of our XP machines not Not.

  • Like 1
Link to post
Share on other sites
Haggis

You said you did malware scans on the system etc did you check the DC?

Link to post
Share on other sites
Geoffrey B.

we have run scans on the DC as well.

Link to post
Share on other sites
Geoffrey B.

Not that i think it will be helpful at this point but its worth a try.

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 2:08:59 PM, on 9/6/2012

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\WINDOWS\system32\mfevtps.exe

C:\WINDOWS\TIREMOTE\TIRemoteService.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\McAfee\Common Framework\udaterui.exe

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\WINDOWS\RTDCPL.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Documents and Settings\tonya\Local Settings\Temporary Internet Files\Content.IE5\NRT0C1UA\HijackThis[1].exe

C:\WINDOWS\system32\SearchProtocolHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://beta.weather....LocalUndeclared

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MPW Industrial Services, Inc.

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll

O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL

O2 - BHO: Java? Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [bCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices

O4 - HKLM\..\Run: [RTHDCPL] RTDCPL.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [Client Access Service] C:\Program Files\IBM\Client Access\cwbsvstr.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O4 - Global Startup: VPN Client.lnk = ?

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000

O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

Internal Trusted Sites

O16 - DPF: {00130000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (13.0)) - http://www.napaaccou...eb/LTOCX13N.cab

O16 - DPF: {CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0) - http://InternalTimeServer/wf...dows-i586-p.exe

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab

O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 5.0 (SP2)) - http://www.napaaccou...eb/comdlg32.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Internal Domain

O17 - HKLM\Software\..\Telephony: DomainName = Internal Domain

O17 - HKLM\System\CCS\Services\Tcpip\..\{61357CFA-6CD3-4C60-8312-723C74B661F4}: NameServer = 172.16.0.10,172.16.0.16

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Internal Domain

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Internal Domain

O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: System i Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\cwbrxd.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Numara Software, Inc. - C:\WINDOWS\TIREMOTE\TIRemoteService.exe

--

End of file - 9869 bytes

Link to post
Share on other sites
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

  • Similar Content

    • By DrSAM
      i was a big fan of Micro XP.. and Tiny 7 ... micro xp was only 150 mb and Tiny 7 around 700 mb... now i am searching for windows 10 which is modded like this.. can please anyone help???
      win 10 is too bloated and complicated often.. 
    • By GOD666
      I hate Microsoft asking people to activate.  I paid for my copy of Windows XP and it suddenly became inactive.  My computer came with Windows Vista pre-installed and both HP and MS argued on who's fault it was that my install became invalid.  I bought Windows 7 and faced much of the same problem.   After all this... I decided to buy my copy DIRECTLY from Microsoft themselves when Windows 8 came out.  You can see the order yourself (see screenshot)   http://postimg.org/image/zczj4c243/   I even got that cool deal where you could get Microsoft Media Center    http://postimg.org/image/3m577aekd/   Bought it directly from Microsoft... Guess what...   Being valid only means I watch my money get wasted and I have to find ways around them.  As Windows 10 comes around the corner.... I wonder...
    • By sinetheo
      With hundreds of millions still using Windows XP with no plans to change anytime soon forced Googles hand to continue supporting it. At least until the end of 2016. China still has 1/3 of it's pcs still running the obsolete OS. Many still use IE 6 as well causing Web designers to use 15 year old hacks.


      http://www.zdnet.com/article/google-extends-chrome-support-for-millions-still-on-windows-xp/
    • By Ian S.
      Longtime Internet Explorer leader Dean Hachamovitch is leaving Microsoft

       
      Dean Hachamovitch introducing Internet Explorer 10 in 2011. (Microsoft photo, via Flickr.)
      Dean Hachamovitch is leaving Microsoft. And yes, of course, there is an IE shirt associated with this milestone, too.
      Dean Hachamovitch?s farewell present, an homage to the IE shirts that he wore at events over the years.
      The longtime Internet Explorer leader, who led the efforts to modernize and revitalize Microsoft?s web browser, is making his departure after 24 years with the company.
      Hachamovitch, most recently Microsoft?s chief data scientist, isn?t taking another full-time executive position in the short term, but he will be working as an adviser to LifeQ, a company that uses data to create digital simulations of human physiology.
      ?I?m overdue for a change. The company really has changed a lot,? Hachamovitch said in an interview with GeekWire this morning. ?It?s a good time to get a different point of view on tech and life.?
      A former corporate vice president at the company, Hachamovitch is the latest in a series of respected Windows leaders to exit the company, as part of a broader regime change under operating systems chief Terry Myerson, who previously led the Windows Phone group and is leading a revamp of the operating system with the upcoming Windows 10 release.
      Earlier departures included Jon DeVaan, the longtime Windows engineering leader; Tami Reller, who was the Windows marketing and finance chief before taking a larger marketing position inside the company; and Antoine Leblond, a Microsoft exec known for his leadership roles on the Office and Windows teams.
       
       In college I loved my Mac and had strong feelings about Microsoft Word. Making Word better sounded cool. I got a job offer from the company and thought, ?I?ll try this for a year.? ?
      For years, Internet Explorer suffered from a lack of active development, serving as the bane of web developers and a high-profile target for attacks. ?I want to be clear: We messed up,? Hachamovitch said at a Microsoft conference in 2006, in a refreshing moment of candor from a Microsoft executive. ?We messed up. As committed as we are to the browser, we just didn?t do a good job demonstrating it.?
       
      Under his leadership, in the following years, IE went through a series of major upgrades to adopt web standards and become a platform for modern web applications.
      Hachamovitch took on the new role as chief data scientist a little more than a year ago. Mary Jo Foley of ZDNet reported in July that he was no longer in that companywide position. He originally joined Microsoft out of Harvard to work on Word for Mac.
      ?In college I loved my Mac and had strong feelings about Microsoft Word. Making Word better sounded cool. I got a job offer from the company and thought, ?I?ll try this for a year.?,? he writes today in a blog post announcing his decision to leave. ?The opportunity to work with strong people across the industry and to contribute to technology and products that matter has lasted much longer than that.?
      Microsoft isn?t issuing a statement on his departure, but people we spoke with inside the company say Hachamovitch is leaving on good terms.
      During his time leading the IE team, Hachamovitch was known for appearing on stage in shirts created by his team, featuring the Internet Explorer logo as part of a word referencing whichever IE release he was unveiling at the time. His executive assistant, Kelli Marks, continued the tradition for his departure from the company, giving him the ?bye? shirt above as a gift.
      Source:
      http://www.geekwire.com/2014/longtime-ie-leader-dean-hachamovitch-leaving-microsoft/
      http://www.winbeta.org/news/internet-explorer-guru-dean-hachamovitch-leaves-microsoft