Rundll32.exe Thrashing HDD

December 15, 2009 10:56:10 PM

I'm having a problem with a process thrashing my HDD when it goes idle, anywhere from 5-15 minutes of inactivity. The activity light turns solid and the HDD can be heard making a squealing/grinding noise. This has been going on for over a month; my HDDs pass all SMART tests and are in healthy condition according to Speedfan. I've disabled every possible service, all non-Microsoft services as well as indexing and superfetch, and it still didn't help. The service causing the problem seems to be rundll32.exe and Trusted Installer; it stops as soon as I (a) move my mouse, (b) log in and open Task Manager. I've scoured Google for answers but cannot find a solution. Rundll32 shows about 700,000,000 IO Read, while the next highest process is 90,000,000. If I let it go, it won't stop until I terminate it. My system specs are as follows:

Windows 7 Ultimate 64 bit
Athlon 64 X2 5000 Black Edition O.C. to 2.9 Ghz
4 GB DDR2 800
Evga GeForce 8600Gt 512MB
WD 320 GB Sata II (Windows)
Seagate 500 GB Sata II

I have all the latest updates for Windows and video drivers.

Here is the Hijack This Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:02 PM, on 12/15/2009
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files (x86)\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{5953DB74-D059-4E21-A321-19458F273FCA}: NameServer = 74.84.119.150,97.64.180.153
O17 - HKLM\System\CS1\Services\Tcpip\..\{5953DB74-D059-4E21-A321-19458F273FCA}: NameServer = 74.84.119.150,97.64.180.153
O17 - HKLM\System\CS2\Services\Tcpip\..\{5953DB74-D059-4E21-A321-19458F273FCA}: NameServer = 74.84.119.150,97.64.180.153
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\x64\3\\lxdiserv.exe
O23 - Service: lxdi_device - - C:\Windows\system32\lxdicoms.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\SysWOW64\ZoneLabs\vsmon.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

--
End of file - 6914 bytes


Any help would be much appreciated.
December 16, 2009 3:08:15 AM

For running at 64bits, have you adjusted the BIOS to enable HPET for 64bits?

For the HJT log, I suspect you can delete the entries indicating (file missing).
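Added example, not part of any post in this thread: HijackThis v2.0.2 is a 32-bit program, and on 64-bit Windows a 32-bit process that opens C:\Windows\System32 is redirected to SysWOW64, so 64-bit system binaries such as lsass.exe are reported as "(file missing)". The sketch below sorts O23 service lines into entries to recheck from a 64-bit process and entries that are missing elsewhere; the sample log, the function names and the "Program Files (x86)" heuristic are assumptions made for the example.

```python
import re

# Constructed sample in the format of the HijackThis log posted above.
SAMPLE_LOG = r"""Platform: Unknown Windows (WinNT 6.01.3504)
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: ExampleSvc - Unknown owner - C:\Users\Public\example.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
"""

PREFIX = "O23 - Service: "
MISSING = " (file missing)"
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)


def scanner_is_wow64(log):
    """Heuristic (assumption): 'Program Files (x86)' only exists on 64-bit Windows."""
    return "\\program files (x86)\\" in log.lower()


def triage_services(log):
    """Return (verdict, path) for every O23 service line in the log."""
    wow64 = scanner_is_wow64(log)
    results = []
    for line in log.splitlines():
        if not line.startswith(PREFIX):
            continue
        # The binary path is whatever follows the last " - " separator.
        _label, _, path = line[len(PREFIX):].rpartition(" - ")
        missing = path.endswith(MISSING)
        if missing:
            path = path[:-len(MISSING)]
        if not missing:
            verdict = "present"
        elif wow64 and SYSTEM32.match(path):
            # The 32-bit scanner looked in SysWOW64; confirm from a 64-bit process.
            verdict = "recheck-64bit"
        else:
            verdict = "missing"
        results.append((verdict, path))
    return results


if __name__ == "__main__":
    for verdict, path in triage_services(SAMPLE_LOG):
        print(f"{verdict:14} {path}")
```

Entries marked `recheck-64bit` should be confirmed from a 64-bit tool or shell before anything is removed from the service list.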
December 16, 2009 3:51:44 AM

HPET is enabled, could it have something to do with my video card possibly, seeing as the process terminates as soon as I move the mouse or open task manager?
December 16, 2009 4:41:18 AM

You might try booting into the Safe mode (F8).
Do you get the same symptoms in the Safe mode?
December 16, 2009 5:51:53 AM

OK, I booted into safe mode, and no problem, but I'd like to note that my monitor is set to turn off after 15 min, and it didn't do so in safe mode, and that's usually when the problem occurs, about 15 seconds before the monitor turns off. Which is why I assumed the video card or drivers; as soon as I move the mouse to bring the monitor back on, it usually stops.
December 16, 2009 6:14:41 AM

It sounds like you have a bad driver. The Safe mode is a minimum driver boot up.
If your computer worked fine in the Safe mode and if you suspect your video driver, then download this Driver Sweeper program...

http://downloads.guru3d.com/Guru3D---Driver-Sweeper-%28...

Run it from the Safe mode, because in the Safe mode the video drivers won't be running and therefore can be uninstalled.

After they are uninstalled, go to the video card manufacturer's website and download the card's drivers. Don't get the drivers from a third party source. That is how you can get bad drivers.

December 16, 2009 12:01:15 PM

It could be system restore aka shadow copy backing stuff.

I have noticed a couple of times the shadow copy service to be using the HDD intensively. I am not sure if it runs under rundll32.exe, but give it a try.
December 16, 2009 4:55:13 PM

Adding to the driver thing. Usually the video driver itself doesn't use rundll32.exe, but the "control panel" extra crap usually does.

Could try installing just the drivers and not the whole suite.
December 16, 2009 9:30:12 PM

Well, I ran the driver sweep and then downloaded my drivers direct from Nvidia, no luck. xsever, I tried disabling the shadow copy, again no luck. Kewlx25, as far as installing just the drivers itself, there is no option to custom install and deselect what I don't want. Any suggestions?

Best solution

December 16, 2009 9:34:29 PM

There are some advanced task managers that can tell you which files the .dll is accessing/modifying. I can't think of anything now, but that is the only way we can deeply track what is accessing the HD.
December 16, 2009 11:22:00 PM

It seems, according to Process Monitor v2.8, that "Microsoft .Net Framework ngen" is causing the problem, so I disabled it temporarily and let the system go idle, and no issue at all, so I'm pretty sure this is the process causing the problem. It's on "Automatic Delay Startup." There are two instances of the process though, x86 for 32bit apps, and of course the x64. The 64bit instance is set to manual, I've never seen it run, and x86 is the one that starts automatically, but it seems to run two instances of the 32bit version (mscorsvw.exe *32). If I disable it, what are some of the issues I may face, if any?
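Added example, not part of any post in this thread: one way to turn a Process Monitor capture into the kind of answer reached above is to export it as CSV and total the successful ReadFile bytes per process and PID. The sample rows are constructed, and the column names and the "Length:" field in Detail are assumed to match Process Monitor's default CSV export; the function name is hypothetical.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample rows (assumed default Process Monitor CSV export layout).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:15:01.1 PM","mscorsvw.exe","2412","ReadFile","C:\Windows\assembly\Example1.dll","SUCCESS","Offset: 0, Length: 65,536, Priority: Normal"
"9:15:01.2 PM","mscorsvw.exe","2412","ReadFile","C:\Windows\assembly\Example2.dll","SUCCESS","Offset: 65,536, Length: 131,072, Priority: Normal"
"9:15:01.3 PM","mscorsvw.exe","3100","WriteFile","C:\Windows\assembly\Example.ni.dll","SUCCESS","Offset: 0, Length: 4,096"
"9:15:01.4 PM","explorer.exe","1800","ReadFile","C:\Users\Example\desktop.ini","SUCCESS","Offset: 0, Length: 402"
"9:15:01.5 PM","rundll32.exe","2900","ReadFile","C:\Windows\System32\example.dll","END OF FILE","Offset: 8,192, Length: 4,096"
'''

# Byte counts in the Detail column use thousands separators, e.g. "Length: 65,536".
LENGTH = re.compile(r"Length: ([\d,]+)")


def read_bytes_by_process(csv_text):
    """Sum bytes of successful ReadFile events per (process name, PID), largest first."""
    totals = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Skip writes and reads that did not complete (e.g. END OF FILE).
        if row["Operation"] != "ReadFile" or row["Result"] != "SUCCESS":
            continue
        match = LENGTH.search(row["Detail"])
        if match:
            size = int(match.group(1).replace(",", ""))
            totals[(row["Process Name"], row["PID"])] += size
    return totals.most_common()


if __name__ == "__main__":
    for (name, pid), size in read_bytes_by_process(SAMPLE_CSV):
        print(f"{name} (PID {pid}): {size} bytes read")
```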
December 17, 2009 8:45:43 AM

Look it up on Google and see what it says. The .Net Framework is a large library of coded solutions, but not sure how it could affect your daily work.

Try installing something and see if you will get an error.
December 17, 2009 10:26:35 AM

I searched Google and came up empty; the only suggestions for disabling were for Windows XP 32 bit. So I disabled .net framework x86 and installed Fences by Stardock, which requires .Net, but it didn't require the service running to install it and therefore installed just fine. So in conclusion, I set .Net framework to manual start and that seems to have fixed my problem. Thx Gandalf, Kewlx25, and xsever for your help, much appreciated.
December 17, 2009 11:15:55 AM

No problem. You are most welcome!