Full screen aps being minimised every 5 minutes in XP

TwoShedsJackson · 26-07-2010 8:50am #1

Running Windows XP, in the last couple of days if I run a full-screen program (usually a game), every 5 minutes it minimises to desktop - it can just be maximised again but obviously this is aggravating. If it's something windowed like a browser or Excel, the window loses focus and has to be clicked in again to continue typing etc.

Nothing new has been installed recently, I've run anti-virus and malware scanners, no problems found, I've disabled everything I could in Task Manager but it's still happening.

What's the best way to find the cause and stop this? Here's a log from HijackThis (which I have never used before so I'm not 100% sure how to interpret these results) if this helps:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:18:27, on 26/07/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
Z:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\RTHDCPL.EXE
Z:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RaUI.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\uTorrent\uTorrent.exe
Z:\Program Files\Opera 9\opera.exe
Z:\Program Files\Kalypso\Tropico 3\tropico3.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "Z:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "Z:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\WINDOWS\RaUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/...nAxControl.CAB
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab3.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.5.0.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B5CE6DF-3CE1-4BF2-860F-AAB53ACA4FC5}: NameServer = 83.147.160.2,83.147.160.3
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O21 - SSODL: Btmchk - {ED2EB971-E719-4FDD-98BF-58379A1263D2} - C:\Documents and Settings\Conor\Local Settings\Temp\Adobe\AdobeRdrPlug.dll
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - Z:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - Z:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NBService - Nero AG - Z:\Program Files\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: DiRT Drivers Auto Removal (pr2ah4nb) (pr2ah4nb) - CODEMASTERS - C:\WINDOWS\system32\pr2ah4nb.exe
O23 - Service: DiRT Drivers Auto Removal (pr2ah4nc) (pr2ah4nc) - CODEMASTERS - C:\WINDOWS\system32\pr2ah4nc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe

woolymammoth · 26-07-2010 10:45am

sounds like somthing else is stealing the focus from your active windows. I'd tru running in safe mode for a short bit, see if it still happens. maybe try creating a new user and log in under it to see if it's just your profile.

any chance you got a windows update recently?

TwoShedsJackson · 26-07-2010 11:31am

After extensive Googling it seems the main culprits are either AVG 9.0 antivirus, which I don't use, or hpcmpmgr.exe, a piece of bloat from HP for their printers. I do have an HP Printer attached, but I've had it there for about two years now and never had this problem before Saturday so not sure.

Anyway will try disabling it in msconfig this eve and see if that gets me anywhere, failing that will try safe mode. Would have updated probably last week or so with Windows Update, I have it set to notify me when new downloads are there, but not actually download or install until I want it to.

Capt'n Midnight · 26-07-2010 12:55pm

TwoShedsJackson wrote: »

never had this problem before Saturday

system restore

simples

Fysh · 26-07-2010 1:35pm

TwoShedsJackson wrote: »

After extensive Googling it seems the main culprits are either AVG 9.0 antivirus, which I don't use, or hpcmpmgr.exe, a piece of bloat from HP for their printers. I do have an HP Printer attached, but I've had it there for about two years now and never had this problem before Saturday so not sure.

Anyway will try disabling it in msconfig this eve and see if that gets me anywhere, failing that will try safe mode. Would have updated probably last week or so with Windows Update, I have it set to notify me when new downloads are there, but not actually download or install until I want it to.

Disable anything with HP's name on it in msconfig and see if that makes a difference, the amount of shyteware they bundle with their drivers is astonishing at times.

JonathanAnon · 26-07-2010 2:12pm

Have you turned off any screensaver on the PC as well.

TwoShedsJackson · 27-07-2010 8:52am

Disabled all the HP stuff, still happening. Using Process Explorer I was able to slow down the launch/close and a couple of times an Internet Explorer process started at the same time as the minimisation.

I don't use IE so there's no reason for that to open - if I disable my internet connection I get a message from IE saying 'cannot connect in offline mode, please connect to access the webpage', so something is launching IE and trying to go to a site. I'm basically assuming this has to be something dodgy, but anti-virus, malware scanners, rootkit removers etc. are picking up nothing.

Anything else I can check or use to try and nail this down?

woolymammoth · 27-07-2010 9:02am

have you checked under safe mode yet?

alternatively, you can open msconfig, and set it for a diagnostic startup. only essential services are run on your next boot. if the system runs fine, you can change to a selective startup, and start turning on services one by one.

interesting one on internet explorer though. do you know what page "it" was trying to access?

TwoShedsJackson · 27-07-2010 9:11am

No, the only way I found the process at all was to slow it down - at normal speed it opens and closes in less than half a second. Didn't try safe mode yet, actually, will give that a go this eve.

Fysh · 27-07-2010 9:15am

Autoruns from Sysinternals might be able to help you. You might also want to try using Process Monitor to try and catch whatever it is that's invoking IE.

The various bits of cruftware that Nero started adding into their software a while back have repeatedly caused me grief, so it's worth removing the whole thing and seeing if that makes a difference.

Alternatively, you could try something like Housecall (online scan from Trend) or the F-Secure Rescue CD (bootable AV-scanner CD) if you think it's malware. Certainly it sounds like it could be malware.

woolymammoth · 27-07-2010 9:15am

if it's any use;

Virus Info
http://www.trustedsource.org/
http://home.mcafee.com/VirusInfo/Default.aspx
http://www.symantec.com/norton/security_response/threatexplorer/index.jsp
http://threatinfo.trendmicro.com/vinfo/default.asp
http://www.virusbtn.com/index
http://www.eset.com/threat-center
http://housecall.trendmicro.com/housecall7/

trustedsource is pretty good with information. From what you said, it does smell like virus, or something like that. As said already, sys restore might be the simplest option. However i think i'd want to know what the hell it was myself!

Oh, just thought, MS Bootvis and another app called soluto, both startup monitors. They give you information on what's starting up when the PC starts and how long it takes and all that. might be useful.

TwoShedsJackson · 27-07-2010 9:29am

Fysh wrote: »

Autoruns from Sysinternals might be able to help you. You might also want to try using Process Monitor to try and catch whatever it is that's invoking IE.

The various bits of cruftware that Nero started adding into their software a while back have repeatedly caused me grief, so it's worth removing the whole thing and seeing if that makes a difference.

Alternatively, you could try something like Housecall (online scan from Trend) or the F-Secure Rescue CD (bootable AV-scanner CD) if you think it's malware. Certainly it sounds like it could be malware.

Thanks, have used Process Explorer already to slow it down and catch what it was in the first place, Autoruns looks like a good idea, will try it out.

Fysh · 27-07-2010 9:48am

TwoShedsJackson wrote: »

Thanks, have used Process Explorer already to slow it down and catch what it was in the first place, Autoruns looks like a good idea, will try it out.

Process Monitor is more log-based than Process Explorer, so might make it easier to see what sequence of events leads to IE launching.

Capt'n Midnight · 27-07-2010 10:06am

IE will do things like automatic updates and is used as a front end by lots of stuff

if it isn't a malware problem I'd still recommend system restore over trying to figure out what the problem was, takes about as long as two or three reboots using msconfig

TwoShedsJackson · 28-07-2010 9:01am

It was still happening after a System Restore and seeing as I built this PC two years ago and had done nothing but install stuff on it since, I decided for the first time in my life to reinstall XP and be done with it

Full screen aps being minimised every 5 minutes in XP

Comments