Something Is Thrashing My Hard Drive


7 replies to this topic

#1 Randy in Seattle

Randy in Seattle

  • Members
  • 7 posts

Posted 01 September 2006 - 01:27 PM

I have a Panasonic Toughbook CF-W2 that keeps accessing its hard drive every 3 seconds or so, even when I'm not using any active programs and nothing should be happening. I know it's happening because disk accesses are audible and visible from the drive light, and last less than one second. I'm worried that something inappropriate is running, plus this uses up the battery way too fast.

I'm not sure how long ago this started. It even happens when I start up in diagnostic mode using MSCONFIG. I've tried to correlate the drive access visually with I/O reads and writes using Task Manager. VSMON.exe (ZoneAlarm) and CVPND.exe seem to be doing I/O when the drive is accessed, although I'm not sure that the Task Manager "I/O" is disk access. It might be internet access, too. Also, stopping ZA didn't eliminate the drive accesses. My network access is via ethernet cable to a router, and my built-in wireless is currently turned off.

One other oddity. When I ran Msconfig to change to diagnostic mode, it said there was a service it couldn't stop because I didn't have admin rights. However, I do have admin rights.

I have run MS Windows Defender, AdAware, and Ewido. AdAware and WinDefender showed nothing. Ewido showed WhyPPC adware (medium risk) and a few tracking cookies, which I removed. I also did a Norton AV full scan in Safe Mode. I don't see the drive being accessed in Safe Mode.

The first log is running in MSCONFIG diagnostic mode. The second log is running in normal startup.
_______________________________________________________
Logfile of HijackThis v1.99.1
Scan saved at 9:43:00 AM, on 8/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
D:\Updates\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106777685739
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144882545908
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA7BF89C-6E36-4A6B-AEE5-54EEE247F1EF}: NameServer = 64.139.101.8,206.253.194.65
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
----------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:54:14 AM, on 8/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
D:\Program Files\CPal\CPBrWtch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\Program Files\PeoplePC\ISP6230\Browser\Bartshel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PeoplePC\ISP6230\Browser\PPShared.exe
C:\Program Files\Panasonic\TouchPad\Touchpad.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\FTC VPN\cvpnd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Updates\Hijack\HijackThis.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE"
O4 - HKLM\..\Run: [PRunOnce] C:\util\prunonce\PRunOnce.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PCinfo] C:\Program Files\Panasonic\PCINFO\SetDiag.exe /FirstLogin
O4 - HKLM\..\Run: [Panasonic HotKey Manager] "C:\Program Files\Panasonic\HotKey Appendix\HKEYAPP.EXE"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hotkey] C:\WINDOWS\System32\hkeyman.exe
O4 - HKLM\..\Run: [Cookie Pal] "D:\Program Files\CPal\CPBrWtch.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6230\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKCU\..\Run: [TClockEx] D:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: NDETECT.EXE.lnk = C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
O4 - Global Startup: Touch Pad utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106777685739
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144882545908
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA7BF89C-6E36-4A6B-AEE5-54EEE247F1EF}: NameServer = 64.139.101.8,206.253.194.65
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\FTC VPN\cvpnd.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--------------------------------------

Thanks for any help.


#2 Randy in Seattle

Randy in Seattle
  • Topic Starter

  • Members
  • 7 posts

Posted 05 September 2006 - 12:38 AM

I tried Msconfig diagnostic mode again and now in that mode, and in Safe mode, there is no improper disk access. I may have simply done something wrong in setting up the initial test of diagnostic mode before my first posting. The thrashing continues in full startup mode. Here is the new Hijack log in diagnostic mode with no thrashing:

Logfile of HijackThis v1.99.1
Scan saved at 10:04:25 PM, on 9/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
D:\Updates\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106777685739
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144882545908
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA7BF89C-6E36-4A6B-AEE5-54EEE247F1EF}: NameServer = 64.139.101.8,206.253.194.65
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

#3 Randy in Seattle

Randy in Seattle
  • Topic Starter

  • Members
  • 7 posts

Posted 06 September 2006 - 10:58 AM

I should add one other oddity. Sometimes when shutting down, I get a Windows alert box saying that a program won't close. The name is "Sample", with no suffix. I cannot find any program with this in its name in the HijackThis log, nor as a process in Task Manager.

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • Gender:Male
  • Location:USA

Posted 11 September 2006 - 11:44 AM

The log itself looks clean.

What service were you not able to stop? Also, a good program to use to determine what program is writing to the hard drive is FileMon from Sysinternals.

You can download it here: http://www.sysinternals.com/Utilities/Filemon.html

Simply run the program and it will start logging what programs are reading/writing to the disk. May help to determine what is reading/writing when your computer is idle.

That's going to be the best way to determine which of those programs is accessing the drive.

#5 Randy in Seattle

Randy in Seattle
  • Topic Starter

  • Members
  • 7 posts

Posted 12 September 2006 - 09:10 PM

Great program. To the extent I can tell by watching Filemon as I hear the noisy HD access and see the HD light, it appears to be vsmon.exe and cvpnd.exe that are doing the accesses. There's some other stuff in the log below, but the noisy accesses occur sometimes with nothing but those two programs showing up. This really drives me batty when working on the laptop. The sound is really aggravating, sort of like aak-aak. Then I may get a very quick light flash without really hearing the access. Then the aak-aak a second or two later.

635 9:55:27 PM vsmon.exe:1032 WRITE C:\WINDOWS\Internet Logs\IAMDB.RDB SUCCESS Offset: 3072000 Length: 4096
636 9:55:27 PM vsmon.exe:1032 WRITE C:\WINDOWS\Internet Logs\IAMDB.RDB SUCCESS Offset: 3072000 Length: 4096
637 9:55:27 PM vsmon.exe:1032 FLUSH C:\WINDOWS\Internet Logs\IAMDB.RDB SUCCESS
638 9:55:28 PM CCEVTMGR.EXE:632 QUERY INFORMATION C:\PROGRA~1\COMMON~1\SYMANT~1\SNDCON.log SUCCESS Length: 65500
639 9:55:28 PM CCEVTMGR.EXE:632 READ C:\PROGRA~1\COMMON~1\SYMANT~1\SNDCON.log SUCCESS Offset: 58432 Length: 40
640 9:55:28 PM CCEVTMGR.EXE:632 WRITE C:\PROGRA~1\COMMON~1\SYMANT~1\SNDCON.log SUCCESS Offset: 58432 Length: 40
641 9:55:28 PM CCEVTMGR.EXE:632 WRITE C:\PROGRA~1\COMMON~1\SYMANT~1\SNDCON.log SUCCESS Offset: 58472 Length: 188
642 9:55:28 PM CCEVTMGR.EXE:632 WRITE C:\PROGRA~1\COMMON~1\SYMANT~1\SNDCON.log SUCCESS Offset: 32 Length: 16
643 9:55:28 PM vsmon.exe:1032 READ C:\WINDOWS\Internet Logs\IAMDB.RDB SUCCESS Offset: 3033600 Length: 512
644 9:55:28 PM vsmon.exe:1032 READ C:\WINDOWS\Internet Logs\IAMDB.RDB SUCCESS Offset: 3073536 Length: 512
645 9:55:28 PM vsmon.exe:1032 READ C:\WINDOWS\Internet Logs\IAMDB.RDB SUCCESS Offset: 3074048 Length: 512
646 9:55:29 PM vsmon.exe:1032 OPEN C:\WINDOWS\system32\zllictbl.dat SUCCESS Options: Open Access: Read
647 9:55:29 PM vsmon.exe:1032 READ C:\WINDOWS\system32\zllictbl.dat SUCCESS Offset: 0 Length: 4096
648 9:55:29 PM vsmon.exe:1032 READ C:\WINDOWS\system32\zllictbl.dat SUCCESS Offset: 4096 Length: 4096
649 9:55:29 PM vsmon.exe:1032 CLOSE C:\WINDOWS\system32\zllictbl.dat SUCCESS
650 9:55:29 PM vsmon.exe:1032 OPEN C:\Program Files\FTC VPN\cvpnd.exe SUCCESS Options: Open Access: Read
651 9:55:29 PM vsmon.exe:1032 QUERY INFORMATION C:\Program Files\FTC VPN\cvpnd.exe SUCCESS Length: 1422528
652 9:55:29 PM vsmon.exe:1032 QUERY INFORMATION C:\Program Files\FTC VPN\cvpnd.exe SUCCESS Length: 1422528
653 9:55:29 PM vsmon.exe:1032 CLOSE C:\Program Files\FTC VPN\cvpnd.exe SUCCESS
654 9:55:29 PM vsmon.exe:1032 OPEN C:\WINDOWS\system32\services.exe SUCCESS Options: Open Access: Read
655 9:55:29 PM vsmon.exe:1032 QUERY INFORMATION C:\WINDOWS\system32\services.exe SUCCESS Length: 108032
656 9:55:29 PM vsmon.exe:1032 QUERY INFORMATION C:\WINDOWS\system32\services.exe SUCCESS Length: 108032
657 9:55:29 PM vsmon.exe:1032 CLOSE C:\WINDOWS\system32\services.exe SUCCESS
658 9:55:29 PM vsmon.exe:1032 OPEN C:\??\C:\WINDOWS\system32\winlogon.exe NAME INVALID Options: Open Access: Read
659 9:55:29 PM vsmon.exe:1032 OPEN C:\SystemRoot\System32\smss.exe PATH NOT FOUND Options: Open Access: Read
660 9:55:29 PM vsmon.exe:1032 SET INFORMATION C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 28672
661 9:55:29 PM vsmon.exe:1032 SET INFORMATION C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 32768
662 9:55:29 PM vsmon.exe:1032 WRITE C:\WINDOWS\system32\config\software.LOG SUCCESS Offset: 0 Length: 512
663 9:55:29 PM vsmon.exe:1032 FLUSH C:\WINDOWS\system32\config\software.LOG SUCCESS
664 9:55:29 PM vsmon.exe:1032 WRITE C:\WINDOWS\system32\config\software.LOG SUCCESS Offset: 512 Length: 6144
665 9:55:29 PM vsmon.exe:1032 WRITE C:\WINDOWS\system32\config\software.LOG SUCCESS Offset: 6656 Length: 4096
666 9:55:29 PM vsmon.exe:1032 WRITE C:\WINDOWS\system32\config\software.LOG SUCCESS Offset: 10752 Length: 4096
667 9:55:29 PM vsmon.exe:1032 WRITE C:\WINDOWS\system32\config\software.LOG SUCCESS Offset: 14848 Length: 4096
668 9:55:29 PM vsmon.exe:1032 WRITE C:\WINDOWS\system32\config\software.LOG SUCCESS Offset: 18944 Length: 4096
669 9:55:29 PM vsmon.exe:1032 WRITE C:\WINDOWS\system32\config\software.LOG SUCCESS Offset: 23040 Length: 4096
670 9:55:29 PM vsmon.exe:1032 WRITE C:\WINDOWS\system32\config\software.LOG SUCCESS Offset: 27136 Length: 4096
671 9:55:29 PM vsmon.exe:1032 FLUSH C:\WINDOWS\system32\config\software.LOG SUCCESS
672 9:55:29 PM vsmon.exe:1032 WRITE C:\WINDOWS\system32\config\software.LOG SUCCESS Offset: 0 Length: 512
673 9:55:29 PM vsmon.exe:1032 FLUSH C:\WINDOWS\system32\config\software.LOG SUCCESS
674 9:55:29 PM vsmon.exe:1032 FLUSH C:\WINDOWS\system32\config\software SUCCESS
675 9:55:29 PM vsmon.exe:1032 WRITE C:\WINDOWS\system32\config\software SUCCESS Offset: 0 Length: 16384
676 9:55:29 PM vsmon.exe:1032 FLUSH C:\WINDOWS\system32\config\software SUCCESS
677 9:55:29 PM vsmon.exe:1032 WRITE C:\WINDOWS\system32\config\software SUCCESS Offset: 6684672 Length: 16384
678 9:55:29 PM vsmon.exe:1032 WRITE C:\WINDOWS\system32\config\software SUCCESS Offset: 0 Length: 16384
679 9:55:29 PM vsmon.exe:1032 WRITE C:\WINDOWS\system32\config\software SUCCESS Offset: 10584064 Length: 16384
680 9:55:29 PM vsmon.exe:1032 WRITE C:\WINDOWS\system32\config\software SUCCESS Offset: 10485760 Length: 16384
681 9:55:29 PM vsmon.exe:1032 WRITE C:\WINDOWS\system32\config\software SUCCESS Offset: 11698176 Length: 16384
682 9:55:29 PM vsmon.exe:1032 WRITE C:\WINDOWS\system32\config\software SUCCESS Offset: 18137088 Length: 16384
683 9:55:29 PM vsmon.exe:1032 FLUSH C:\WINDOWS\system32\config\software SUCCESS
684 9:55:29 PM vsmon.exe:1032 WRITE C:\WINDOWS\system32\config\software SUCCESS Offset: 0 Length: 4096
685 9:55:29 PM vsmon.exe:1032 FLUSH C:\WINDOWS\system32\config\software SUCCESS
686 9:55:29 PM vsmon.exe:1032 SET INFORMATION C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 1024
687 9:55:29 PM cvpnd.exe:356 OPEN C:\WINDOWS\system32\zllictbl.dat SUCCESS Options: Open Access: Read
688 9:55:29 PM cvpnd.exe:356 READ C:\WINDOWS\system32\zllictbl.dat SUCCESS Offset: 0 Length: 4096
689 9:55:29 PM cvpnd.exe:356 READ C:\WINDOWS\system32\zllictbl.dat SUCCESS Offset: 4096 Length: 4096
690 9:55:29 PM cvpnd.exe:356 CLOSE C:\WINDOWS\system32\zllictbl.dat SUCCESS
691 9:55:29 PM cvpnd.exe:356 OPEN C:\WINDOWS\system32\zllictbl.dat SUCCESS Options: Open Access: Read
692 9:55:29 PM cvpnd.exe:356 READ C:\WINDOWS\system32\zllictbl.dat SUCCESS Offset: 0 Length: 4096
693 9:55:29 PM cvpnd.exe:356 READ C:\WINDOWS\system32\zllictbl.dat SUCCESS Offset: 4096 Length: 4096
694 9:55:29 PM cvpnd.exe:356 CLOSE C:\WINDOWS\system32\zllictbl.dat SUCCESS
695 9:55:29 PM cvpnd.exe:356 OPEN C:\WINDOWS\system32\zllictbl.dat SUCCESS Options: Open Access: Read
696 9:55:29 PM cvpnd.exe:356 READ C:\WINDOWS\system32\zllictbl.dat SUCCESS Offset: 0 Length: 4096
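
Added example, not part of the original posts: a small Python parser for FileMon lines as they appear in the post above (columns flattened to spaces), totalling reads and writes per process and file so the idle-time writer stands out. The operation and result lists cover only the values visible in the excerpt, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Request and result names taken from the FileMon excerpt in the post above.
OPS = ("QUERY INFORMATION", "SET INFORMATION", "OPEN", "CLOSE", "READ", "WRITE", "FLUSH")
RESULTS = ("SUCCESS", "NAME INVALID", "PATH NOT FOUND")

# The columns are flattened to spaces on this page, so the path (which may
# contain spaces) is delimited by the known request and result names.
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<proc>\S+):(?P<pid>\d+)\s+"
    r"(?P<op>" + "|".join(OPS) + r")\s+"
    r"(?P<path>.+?)\s+"
    r"(?P<result>" + "|".join(RESULTS) + r")"
    r"(?:\s+(?P<other>.*))?$"
)
LENGTH_RE = re.compile(r"Length: (\d+)")

# Sample input: a subset of the lines posted above, copied unchanged.
SAMPLE = r"""
635 9:55:27 PM vsmon.exe:1032 WRITE C:\WINDOWS\Internet Logs\IAMDB.RDB SUCCESS Offset: 3072000 Length: 4096
636 9:55:27 PM vsmon.exe:1032 WRITE C:\WINDOWS\Internet Logs\IAMDB.RDB SUCCESS Offset: 3072000 Length: 4096
637 9:55:27 PM vsmon.exe:1032 FLUSH C:\WINDOWS\Internet Logs\IAMDB.RDB SUCCESS
638 9:55:28 PM CCEVTMGR.EXE:632 QUERY INFORMATION C:\PROGRA~1\COMMON~1\SYMANT~1\SNDCON.log SUCCESS Length: 65500
640 9:55:28 PM CCEVTMGR.EXE:632 WRITE C:\PROGRA~1\COMMON~1\SYMANT~1\SNDCON.log SUCCESS Offset: 58432 Length: 40
641 9:55:28 PM CCEVTMGR.EXE:632 WRITE C:\PROGRA~1\COMMON~1\SYMANT~1\SNDCON.log SUCCESS Offset: 58472 Length: 188
643 9:55:28 PM vsmon.exe:1032 READ C:\WINDOWS\Internet Logs\IAMDB.RDB SUCCESS Offset: 3033600 Length: 512
658 9:55:29 PM vsmon.exe:1032 OPEN C:\??\C:\WINDOWS\system32\winlogon.exe NAME INVALID Options: Open Access: Read
664 9:55:29 PM vsmon.exe:1032 WRITE C:\WINDOWS\system32\config\software.LOG SUCCESS Offset: 512 Length: 6144
675 9:55:29 PM vsmon.exe:1032 WRITE C:\WINDOWS\system32\config\software SUCCESS Offset: 0 Length: 16384
688 9:55:29 PM cvpnd.exe:356 READ C:\WINDOWS\system32\zllictbl.dat SUCCESS Offset: 0 Length: 4096
"""

def parse_line(line):
    """Return a dict for one FileMon line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["proc"] = rec["proc"].lower()  # group CCEVTMGR.EXE with ccevtmgr.exe
    rec["pid"] = int(rec["pid"])
    length = LENGTH_RE.search(rec["other"] or "")
    # "Length" is a transfer size only for READ/WRITE; on QUERY/SET INFORMATION
    # it reports the file size, so it is not counted as I/O volume.
    is_io = rec["op"] in ("READ", "WRITE")
    rec["bytes"] = int(length.group(1)) if length and is_io else 0
    return rec

def summarize(lines):
    """Aggregate request counts and byte totals per (process, path)."""
    stats = defaultdict(lambda: defaultdict(int))
    failures = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["result"] != "SUCCESS":
            failures.append((rec["proc"], rec["op"], rec["path"], rec["result"]))
            continue
        entry = stats[(rec["proc"], rec["path"])]
        entry[rec["op"]] += 1
        if rec["op"] == "READ":
            entry["bytes_read"] += rec["bytes"]
        elif rec["op"] == "WRITE":
            entry["bytes_written"] += rec["bytes"]
    return stats, failures

def bytes_written_by_process(stats):
    """Total bytes written per process, largest first."""
    totals = defaultdict(int)
    for (proc, _path), entry in stats.items():
        totals[proc] += entry["bytes_written"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    stats, failures = summarize(SAMPLE.splitlines())
    for proc, total in bytes_written_by_process(stats):
        print(f"{proc:15} {total:>8} bytes written")
    for (proc, path), entry in sorted(stats.items()):
        print(proc, path, dict(entry))
    for failure in failures:
        print("failed:", *failure)
```

A path that itself contains one of the result strings surrounded by spaces would be split in the wrong place; exporting the FileMon log with its original tab separators avoids that ambiguity.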

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • Gender:Male
  • Location:USA

Posted 12 September 2006 - 09:27 PM

Hmmm...this is a bit concerning. I am concerned that aak aak sound may be the hard drive having problems. If you go into the administrative tools folder in your control panel and double-click on the event viewer, look through the system logs and see if you have any IDE/ATAPI timeout errors, etc. It's hard for me to know if the sound you are describing is what I am envisioning though.

Vsmon is part of ZoneAlarm. What is probably happening is that when it's denying activity in the firewall it's writing it to the log. What most people do not know is that for the most part almost every computer is constantly under probes to see if they are vulnerable. For the most part the firewalls block these attacks and the end user goes about their day unknowing what they are being protected from. So it is quite normal for vsmon to be logging these entries. If, on the other hand, you do not ever use/view these logs, there should be a setting in ZoneAlarm that can disable these denies being written to the log.

The SNDCON.log is for Norton...but I am not sure what that log is for.

cvpnd.exe should be the Cisco VPN client. Do you have that installed for work?

#7 Randy in Seattle

Randy in Seattle
  • Topic Starter

  • Members
  • 7 posts

Posted 17 September 2006 - 08:27 PM

Yes, I am concerned, too.
The Cisco VPN service is necessary for my work. If I disable it, I get some fewer disk accesses, but it isn't enough to be the problem.

I can't see how to disable the ZoneAlarm log. However, if I look at it while the disk is being accessed, and then do a refresh on it, I don't see any recent log activity.

Here's something that does seem odd, disk accesses mostly by VSMON to:

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk

Then there are lots of writes by ZLClient and reads by VSMon to various logs.
There shouldn't be any dialup going once I'm connected, and particularly when my connection is ethernet or wireless. In Internet Options/Connections, I have "Never dial a connection" checked. If I do a dialup, it is always manual.

#8 Randy in Seattle

Randy in Seattle
  • Topic Starter

  • Members
  • 7 posts

Posted 18 September 2006 - 12:51 AM

ZoneAlarm was the necessary clue. Then I found there is a dedicated ZA forums site. I came up with a topic that started with:

"I bought a new harddrive which is a little noisy ( "seeking noises" ). It makes nasty noises even when I do nothing and I expect Windows to be idle and quiet, too."

Further discussion in the topic showed it was my issue exactly. The thread of answers basically said that ZA logging was causing the drive thrashing and it could not be turned off. There is an environment variable that can reduce it somewhat, but that variable must be set interactively each time and will reset on every reboot.

Seems like I need another firewall. I usually (but not always) go through a router, so something as basic as ZA free version would be fine.

Thanks for the suggestions here that led me to this point. I'd consider this issue solved or at least understood.

Edited by Randy in Seattle, 18 September 2006 - 12:53 AM.




