RetouchPRO

  #16  
Old 11-22-2006, 04:22 PM
1STLITE's Avatar
Senior Member
Patron
 
Join Date: May 2004
Location: Mississippi, USA
Posts: 344
Re: Gary - anybody - help please?

Gary - just paste it in here, or how do you want me to go about this?

Thanks, Gary. And thanks, Jerry.
__________________
Dawn
1STLITE Fine Art Portraits
  #17  
Old 11-22-2006, 04:35 PM
1STLITE's Avatar
Senior Member
Patron
 
Join Date: May 2004
Location: Mississippi, USA
Posts: 344
Re: Gary - anybody - help please?

Well, I am gonna go ahead and post it here. I'd say it looks ok to me, but I am not really sure what I am looking at, at least not 100% - LOL.

Logfile of HijackThis v1.99.1
Scan saved at 5:21:17 PM, on 11/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\S3apphk.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us5.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us5.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us5.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us5.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB002" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe



ALSO - I ran a disk check, and nothing came up saying anything on the disk was bad. Dunno if that means anything really, but thought you all should know.

Dawn
__________________
Dawn
1STLITE Fine Art Portraits
  #18  
Old 11-22-2006, 04:56 PM
1STLITE's Avatar
Senior Member
Patron
 
Join Date: May 2004
Location: Mississippi, USA
Posts: 344
Re: Gary - anybody - help please?

Hmm - I am thinking maybe it was the WinDefender program that was the problem. I am in Photoshop right now with a full size image and seems to be working well.

Crossing everything here while I post this - lol.

Dawn

Thanks, Everyone!!

Oh - Gary - I used to have a program on here that cleaned up the registry (I think) I can't remember the name of it- which do you recommend, that's free - lol. Thanks so much!!!
__________________
Dawn
1STLITE Fine Art Portraits
  #19  
Old 11-23-2006, 01:24 AM
Gary Richardson's Avatar
Moderator
 
Join Date: Mar 2004
Location: Yorkshire, England
Posts: 2,644
Re: Gary - anybody - help please?

Hi Dawn,

Sorry I'm a bit late getting back to you, sleep kinda got in the way.

OK had a look through your log, and it's as squeaky clean as I've seen in a long while, certainly no indications there of anything that would cause the kind of problems you were having.

Nothing to remove in Startup that would significantly improve boot time, you run a pretty lean machine.

Does Trend Micro come with a Firewall, (can't keep up with which versions of which programmes do or don't)? If not you need one, the one that comes with Windows is rubbish.

If you need links for Freebies, look in the RetouchPro library (I think I've posted links there).

I see you've also got a HP (Hewlett Packard) toolbar installed, not Malicious, but it does report your browsing habits back to HP (not sure how detailed these are).

If you want to stop it running just run HJT and check this item.

O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL

Close all open windows and click Fix Checked.

Doesn't remove the program, just removes the Registry entry that calls it up, so shouldn't have any knock on effects.

WinDefender is tied in to a lot of Kernel level processes and drivers, so if it had got corrupted it would have had some pretty fundamental effects on your system. It could well be that this was the cause of your problems.

However I'd still back things up just in case it's early signs of a Hardware (disk) problem.


OOPS, almost forgot.

Don't generally recommend using Registry Cleaners too much, as some of them can be a bit over zealous and cause more problems than they solve.

However if used cautiously they can occasionally be beneficial.

I use them only very, very, occasionally, and only after a lot of installs/uninstalls, and never until after I've created a Systems Restore point.

I've used the one below without problems. Not as "severe" as some, but creates backups and does give you a lot of control.

RegScrubXP
__________________
Gary

Please visit the RetouchPro Library for links to a host of resources.

Last edited by Gary Richardson : 11-23-2006 at 01:43 AM.
  #20  
Old 11-23-2006, 09:42 AM
CJ Swartz's Avatar
Moderator
 
Join Date: Sep 2001
Location: Metro Phoenix area, Arizona
Posts: 2,553
Blog Entries: 8
Re: Gary - anybody - help please?

Quote:
Originally Posted by Gary Richardson
...
Don't generally recommend using Registry Cleaners too much, as some of them can be a bit over zealous and cause more problems than they solve.

However if used cautiously they can occasionally be beneficial.

I use them only very, very, occasionally, and only after a lot of installs/uninstalls, and never until after I've created a Systems Restore point.

I've used the one below without problems. Not as "severe" as some, but creates backups and does give you a lot of control.

RegScrubXP
Well, Gary, I'm going to give RegScrubXP a try on your "say-so", in spite of your other post picturing yourself "wearing a red tin-foil fez to repel the hypnowaves sent by the government or aliens". I'm going to create a Systems Restore point first, but not because of the fez...
__________________
CJ

(using CS3 on a PC)

Click for Info on how to size and attach images to your posts

You and I do not see things as they are. We see things as we are. --
Henry Ward Beecher --
  #21  
Old 11-23-2006, 11:14 AM
1STLITE's Avatar
Senior Member
Patron
 
Join Date: May 2004
Location: Mississippi, USA
Posts: 344
Re: Gary - anybody - help please?

Cool - thanks, Gary. Well, I think cool. Not too keen on hearing it still may be my drive. Is there any way to know if that is the case? I can't afford to get caught with this thing not working any time before Christmas. I guess it would not be toooo big of a deal if I have to replace it now, since I planned to get a new system after Christmas anyway.

Speaking of which, I think I am going to have one built. My brother does that kind of thing. It costs a lot less that way usually, right? My big dilemma right now is I wonder if I should stick with AMD. I think as far as this computer I have now goes, I really lucked up with the AMD Athlon XP. From what I have read it operates better at higher temps than others, and I had no clue of this when I bought it. I really think that considering this environment any other processor would have burned up by now. I have also read that the Athlon Duo's (I think that's what they are called) run better overall than Pentiums. I'd love your thoughts on this.

I was thinking of switching to Mac, but I really don't think that is necessary, is it? Seriously - isn't it mostly just personal preference?

Thanks for everything, Gary and everyone! And Happy Thanksgiving!!

Dawn
__________________
Dawn
1STLITE Fine Art Portraits
  #22  
Old 11-23-2006, 01:37 PM
Gary Richardson's Avatar
Moderator
 
Join Date: Mar 2004
Location: Yorkshire, England
Posts: 2,644
Re: Gary - anybody - help please?

Hi Dawn,

Hardware's not really my field of expertise. If your brother's into building PCs he's probably much more clued up on processors than I am.

The only thing I would advise, is to get the best PSU (power supply unit) you can afford, as the stability of your power supply has more influence on the rest of your computer than you can imagine.

Particularly so if you're operating in a hot climate where the constant switching on and off of fans will put "shock" loads on it.

Choice of PC or Mac is always a personal one, and your usage and finances will dictate which is best for you. I'd say that generally you get more bang for your buck with a PC and spares are cheaper and easier to come by, on the other hand Macs have a good reputation for reliability and stability.

As for checking your disk, keep an eye on your system log (as described in my earlier post) and look for any errors connected to your disk. A disk on its way out will generally kick out a lot of errors. Don't get too paranoid about this, most disks kick out some errors even when they're working fine.

If you open the event properties box by double clicking the error, you will find a link to the Help and Support at M$ which may give you more info.
__________________
Gary

Please visit the RetouchPro Library for links to a host of resources.

Last edited by Gary Richardson : 11-23-2006 at 01:48 PM.
  #23  
Old 11-23-2006, 04:32 PM
Kraellin's Avatar
Moderator
 
Join Date: Apr 2005
Location: somewhere over there
Posts: 5,916
Blog Entries: 4
Re: Gary - anybody - help please?

dawn,

well, hopefully my fearmongering was all hot air with no substance. if your system now seems stable and faster after removing windefender, then it may well have gotten corrupted and if, like gary says, it was tied in closely to the kernel routines, then that would make sense. and since you lost your systray icon for it, that may well indicate, along with your now faster speed, that it was corrupted. so, that may be it.

and, as gary mentioned, keep an eye on the system logs. one or two errors dont mean much, but if you get a daily log entry of a drive showing errors, that would be a first sign. if the system reboots itself....and i do mean by itself; it's just sitting there idle and suddenly reboots, then that's a warning sign of a drive going bad. if you're doing something on the machine and it reboots, that's more a sign of poor software.

another sign of a drive going bad would be that when you boot up or reboot you start getting a lot of CHKDSK operations before the machine will boot into windows.

another sign would be if you start getting bios warnings/errors. you'll normally see those in the black and white text screens as you boot up.

every once in a while you might also check device manager and see if you have any yellow exclamation marks next to a device, regardless of if that device is a drive or not. (or any other mark next to a device).

you might also want to get a heat monitor. there are several decent ones and some free. i normally dont bother with these until i start getting unexplained, frequent errors on my system. but they can be life savers.

diagnostic and informational programs are also a good idea. Sandra 2000 was a standard for a while... it's probably more like Sandra 2005 or 2006 by now, but that is pretty much the gold standard in system diagnostics. Belarc was a great free system informational program, but they've gone commercial now, so you'd have to pay for that one too. so, if you cant afford those, just the various windows diagnostic/information programs can be used. and i'm sure there are other freebies out there. i just happen to be most familiar with those.

drives can go bad in various ways. the usual way is in the mechanical parts of the drive; a motor goes bad, the bearings wear out and so on. the next most common is the electronics, but this is a lot more rare. usually the mechanical will go first. another way is the heads or platter go bad. this is also fairly rare, though still fairly common on cd roms and dvd roms because the heads and platter are exposed where harddrives are sealed.

the mechanical failures are the real killers. this is because the drive is still there and to the bios and to windows, seems like it is working when it's not. and that's the source of the extra heat and errors. when something locks up, juice is still being applied and that causes heat. calls to the drive dont get acknowledged correctly because the drive cant spin, so you end up with tons of loops going on which is why your system slows down. the queues/stacks in the o/s dont get acknowledged and things bog down as a result. and this is why when someone says 'my system is extremely slow and is rebooting itself' i go, 'sounds like a drive going bad'.

one other way to check for bad drives is to run CHKDSK yourself. back up before doing so. if the drive is going bad you can lose data doing this. in fact, if the drive is going bad you probably will lose data. you can run a sort of quick CHKDSK from windows itself, though i was told once that it's more reliable to do this from dos (dont know if that's true or not for sure).

at any rate, if your system is now back to normal after doing the removal of windefender and not showing any other signs of trouble, then that was most likely the culprit and i'm glad.

as for building your own or having one built, it used to be the case that there was a tremendous savings there, but now, prices have gone down so much that it's a bit of a toss-up and the margin is very close if not actually more economical to buy 'off the rack'. i still prefer custom rigs, mainly because i dont lock myself into proprietary hardware and there, mainly due to video cards. onboard graphics cards generally suck and that's often what you get in an economical off-the-shelf rig. sometimes you cant even add your own card to bypass the onboard crap. another savings with custom rigs is that if you buy fairly much one type of computer, the ease of saving old parts to a new rig is better and that can cut down your costs when moving to a new machine. i saved several things in my last move. some things will transfer almost regardless, like cd roms and dvd roms, but ram and video cards not always. also, with custom rigs you pretty much know what you're getting. so, usually no big surprises.

amd vs intel is a toss-up. intels may have a slight edge in reliability and heat management, but amd's are usually the speed leaders (though you really have to read the fine print any more). amd's USED to be easier to overclock. not sure that's true any more. amd's used to be cheaper. that may have changed also.

dual-core processors are what's coming into vogue with quad-core coming pretty soon. the more cores, the faster the processing (up to a point, i would think). but for now, dual core is going to be faster than pentiums. it's also going to be more expensive and if all you're doing is photoshop, you dont need it. the current pentiums can handle Photoshop and the likes quite nicely. games are another matter. and, with pentiums now NOT on the cutting edge, you're going to get better bang for the buck there than with dual core.

macs are tempting, especially for 'multi-media' anything. they just do it better. and now that they are running windows stuff quite nicely and quite fast AND reliably, it's even more tempting. and i love their new television ads. you WILL pay a higher initial cost and service and replacement is going to be more expensive. i cant really speak to reliability except that mac people tend to swear by mac. and i love the fact that mac takes risks and innovates, where intel/microsoft tend to not... especially microsoft.

so, this is an area you're going to have to study. my ideal would be a mac for my graphic/art work and a pc for internet and gaming and to be able to network them, mostly so i could transfer my graphic stuff to the internet.

so, how's that for bogging you down with information
__________________
Craig

(primarily using paint shop pro photo xi)

  #24  
Old 11-23-2006, 10:26 PM
Syd Syd is offline
Senior Member
 
Join Date: Mar 2006
Posts: 267
Re: Gary - anybody - help please?

Gary I have been watching this thread with interest because my computer has been playing up of late as well, although, with the help of some of the advice in this thread I think it may be sorted out now. However, I still have a question. I opened my task manager just to see what programmes were running in the background and with the help of the excellent advice at Answers that work I deleted quite a few unnecessary ones and things (touch wood) seem to be running a lot smoother now. However there are still one or two tasks that I am not sure about and that even Answers that work don't have any info on. One of them is a programme called Conime.exe.

I googled it and some said it could be a virus and some said that it was a legitimate Microsoft file. I went to the WINDOWS\system32 directory and there it was but how do I know it is the legitimate Microsoft programme running and not the virus? What is the purpose of this programme anyway? Is it because I don't have an English browser as one site suggested? Should I be alarmed? And how do I even go about deleting it? Everyone's advice in this thread has really been excellent.

Sincerely Syd
  #25  
Old 11-24-2006, 12:01 AM
Kraellin's Avatar
Moderator
 
Join Date: Apr 2005
Location: somewhere over there
Posts: 5,916
Blog Entries: 4
Re: Gary - anybody - help please?

syd,

i have it too. it's short for 'console ime' and is, i'm pretty sure, a microsoft file. i believe it works with the 'console.dll' file. if you really want to be sure, go to microsoft.com and do a search in the knowledge base or even on the entire site and you should find something on it there.
__________________
Craig

(primarily using paint shop pro photo xi)

  #26  
Old 11-24-2006, 01:06 AM
Syd Syd is offline
Senior Member
 
Join Date: Mar 2006
Posts: 267
Re: Gary - anybody - help please?

Thanks Craig I will go and check it out. I just got the impression from this site that there were quite a few viruses out there masquerading as legitimate files and this has got me a bit spooked. How is one ever able to tell the difference?

Syd
  #27  
Old 11-24-2006, 02:18 AM
Gary Richardson's Avatar
Moderator
 
Join Date: Mar 2004
Location: Yorkshire, England
Posts: 2,644
Re: Gary - anybody - help please?

First of all, to find out more about the file, browse to it and right click it.
Select Properties. A properties window will pop up with details of the file, click on the Version tab, if it is a legit Microsoft file it will say so.

If you're still worried about this particular file, check it out at Jotti or VirusTotal.
Quote:
Conime.exe
  • Click on the Browse button at the top of the screen.
  • Browse to the file.
  • Click OK.
  • Click Send, and the file will upload to VirusTotal / Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Note details of any viruses found.
  • Post me the details please.


Quote:
How is one ever able to tell the difference?
File location is everything, Malware (Virus) files may have the same name, but are usually in a different location to the legit one (Windows does not allow 2 files of the same name in the same directory).

There are occasions when a virus will replace a file, but with system files this is a very difficult thing to do, so such occurrences are rare.
__________________
Gary

Please visit the RetouchPro Library for links to a host of resources.

Last edited by Gary Richardson : 11-24-2006 at 02:38 AM.
  #28  
Old 11-24-2006, 06:10 AM
Syd Syd is offline
Senior Member
 
Join Date: Mar 2006
Posts: 267
Re: Gary - anybody - help please?

Thanks Gary I will do as you suggest.

"File location is everything..." Yes, that is exactly what the Answers that Work site suggested. What I didn't know how to test was if the programme running in my Task Manager Window was from the Windows\system32 Directory or some other Directory (in which case it would definitely be a virus). But thanks Gary I will scan as you suggested and post the results.

Sincerely Syd
  #29  
Old 11-24-2006, 06:47 AM
Gary Richardson's Avatar
Moderator
 
Join Date: Mar 2004
Location: Yorkshire, England
Posts: 2,644
Re: Gary - anybody - help please?

Hi Syd,

If you've got a copy of HJT, there's a separate process manager included with it that does show the file paths of the running processes.

Open HJT, click on Config.
Click on Misc Tools.
Click on Open process manager.

Now you can scan down the list of processes to find the one you want, the file path will be indicated.

If you haven't got a copy, one can be downloaded from http://downloads.malwareremoval.com/HijackThis.exe

CAUTION: HJT is a diagnostic tool, it must not be used to remove things unless you KNOW what you're doing. It is a very powerful programme, and in unskilled hands can make your computer into a very lovely paperweight in no time at all.
__________________
Gary

Please visit the RetouchPro Library for links to a host of resources.
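
The location check discussed in posts #27 to #29, as an added example that is not part of the original thread: it reads the "Running processes" section of a HijackThis log in the format posted in #17 and flags any well-known Windows system file name that is running from somewhere other than its usual folder. The table of expected folders and the sample log (including its two out-of-place entries) are constructed for this example.

```python
import ntpath

# Usual folders for a few core Windows XP binaries. This table is an
# assumption made for the example; extend it for the system being checked.
EXPECTED_DIRS = {
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "conime.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Constructed sample in the HijackThis v1.99.1 layout. The entries
# C:\WINDOWS\svchost.exe and the Temp copy of conime.exe are invented here
# to show what a same-name file in the wrong folder looks like.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\svchost.exe
C:\Documents and Settings\User\Local Settings\Temp\conime.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
"""


def running_processes(log_text):
    """Return the paths listed under 'Running processes:' in a HijackThis log."""
    paths = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_section = True
            continue
        if not in_section:
            continue
        if not line:
            if paths:
                break  # the blank line after the list ends the section
            continue
        paths.append(line)
    return paths


def misplaced(paths):
    """Return (path, expected_folder) for known names found in another folder."""
    flagged = []
    for path in paths:
        # ntpath parses Windows paths on any OS; compare case-insensitively
        # because the log mixes 'System32' and 'system32'.
        name = ntpath.basename(path).lower()
        folder = ntpath.normpath(ntpath.dirname(path)).lower()
        expected = EXPECTED_DIRS.get(name)
        if expected is not None and folder != expected:
            flagged.append((path, expected))
    return flagged


if __name__ == "__main__":
    for path, expected in misplaced(running_processes(SAMPLE_LOG)):
        print(f"CHECK: {path} (usually found in {expected})")
```

A file sitting in the expected folder is not proof that it is genuine, so the Version tab and multi-scanner checks described in post #27 still apply to anything in doubt.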
  #30  
Old 11-24-2006, 08:43 AM
1STLITE's Avatar
Senior Member
Patron
 
Join Date: May 2004
Location: Mississippi, USA
Posts: 344
Re: Gary - anybody - help please?

Thanks Craig and Gary. I appreciate all the time you have put into helping me get this sorted out. You guys are awesome!

Whether to buy or build is something I will have to work out in the next couple months I guess. I may just go with a refurbished unit, and work from there.

Well, back to work for me. Thanks everyone!!

Syd - hope you get your issue sorted out.

Dawn
__________________
Dawn
1STLITE Fine Art Portraits