Answers
Oct 13, 2007 - 09:26 AM
can you find the process?
assuming it's not spyware or a virus:
Here's the order in what I would try:
Download and install TweakUI from microsoft
http://www.microsoft.com/windowsxp/do...
in the left side, expand General and select focus. In the right side, check the box "Prevent applications from stealing focus"
OR (you must be running XP pro for this, XP home won't work)
watch your process list in task manager and try to find the exe file that runs. Note the name (1).
now go to start->run->gpedit.msc
Navigate to computer configuration->windows settings->security settings->software restriction Policies
if no policies are defined, go to the action drop down and select "create new policies"
now go to additional rules and create a new path rule.
type in the name from (1) and set it to Dissallowed.
now the program will quietly not even start up. (gpedit.msc is not available with XP Home)
assuming it's not spyware or a virus:
Here's the order in what I would try:
Download and install TweakUI from microsoft
http://www.microsoft.com/windowsxp/do...
in the left side, expand General and select focus. In the right side, check the box "Prevent applications from stealing focus"
OR (you must be running XP pro for this, XP home won't work)
watch your process list in task manager and try to find the exe file that runs. Note the name (1).
now go to start->run->gpedit.msc
Navigate to computer configuration->windows settings->security settings->software restriction Policies
if no policies are defined, go to the action drop down and select "create new policies"
now go to additional rules and create a new path rule.
type in the name from (1) and set it to Dissallowed.
now the program will quietly not even start up. (gpedit.msc is not available with XP Home)
Oct 13, 2007 - 02:06 PM
Thanks. I tried to download TweakUI from MS but when I said run, after installing, it closed and didn't run. I couldn't find an exe file anywhere that it had created. what am I missing?
Oct 13, 2007 - 02:57 PM
I found it hiding in the Systems 32 folder. It was already checked to prevent applications from stealing focus. I rechecked it and am trying to see if it will work now. Oops, it didn't work. I lost focus while typing this note. What can I try now?
Oct 14, 2007 - 08:46 AM
I guess we're stuck with option 2. Instead of using gpedit, we'll just have to deal with the exe file manually.
on a side note, I've seen this happen a couple of times with programs that update automatically. does this symptom affect you when you're running in safe mode?
on a side note, I've seen this happen a couple of times with programs that update automatically. does this symptom affect you when you're running in safe mode?
Oct 14, 2007 - 09:00 AM
What we really need to do is try to find the process that runs and causes this mess. What I want to try is renaming the file.
try running msconfig and post your startup items and non microsoft services if you can't find the process. An easier alternative to manually posting these items is to post a Hijack This log,
http://www.spywareinfo.com/~merijn/pr...
I'll try to always post 2 alternatives if you have any aversion to installing new software like I do.
try running msconfig and post your startup items and non microsoft services if you can't find the process. An easier alternative to manually posting these items is to post a Hijack This log,
http://www.spywareinfo.com/~merijn/pr...
I'll try to always post 2 alternatives if you have any aversion to installing new software like I do.
Oct 14, 2007 - 10:20 AM
I appreciate your patience oh Oracle. However, I'm a little confused. I downloaded Hijack This and am looking at the log. I don't know what it's telling me. What should I be looking for and what do I do with it after finding it?
Oct 14, 2007 - 06:50 PM
no problem, I was hoping you could post the contents of the hijack this log on the forum. I'm hoping to help identify the process.
Oct 15, 2007 - 04:11 AM
OK, let's see if this window will hold all the info.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:03:18 PM, on 10/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE
C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
C:\Program Files\EMBARQ Online Security\Common\FSMB32.EXE
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~3\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Lexico\CleverKeys\CK.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkI...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkI...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:03:18 PM, on 10/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE
C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
C:\Program Files\EMBARQ Online Security\Common\FSMB32.EXE
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~3\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Lexico\CleverKeys\CK.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkI...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkI...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O
Oct 15, 2007 - 08:42 AM
Alright!
an update perhaps?
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
doesn't need to be running
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
you might want to nix this program
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
Shortcut key manager? you may want to disable this app also
C:\Program Files\Lexico\CleverKeys\CK.exe
ok, based on your startup items, the above mentioned programs are suspect.
to TEMPORARILY disable them, go to the start->run->msconfig
click on the startup tab and uncheck the above mentioned programs and restart the computer.
this should fix your problem. Reenable the programs one by one until the problem returns, then we'll know which one it is.
There is a possibility that this won't yet work since I can only see the running programs the startup list was cut off due to posting limitations of this site. If you could post only the startup list, we'll definitely be able to solve the problem. That program in the PIF directory from symantec is most likely our culprit, secondly would be the shortcut key manager.
On a side note, it looks like you have two antivirus solutions on your computer. One from embarq and one from symantec. You should consider uninstalling only the antivirus program for one of the two because antivirus programs tend to fight with each other.
an update perhaps?
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
doesn't need to be running
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
you might want to nix this program
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
Shortcut key manager? you may want to disable this app also
C:\Program Files\Lexico\CleverKeys\CK.exe
ok, based on your startup items, the above mentioned programs are suspect.
to TEMPORARILY disable them, go to the start->run->msconfig
click on the startup tab and uncheck the above mentioned programs and restart the computer.
this should fix your problem. Reenable the programs one by one until the problem returns, then we'll know which one it is.
There is a possibility that this won't yet work since I can only see the running programs the startup list was cut off due to posting limitations of this site. If you could post only the startup list, we'll definitely be able to solve the problem. That program in the PIF directory from symantec is most likely our culprit, secondly would be the shortcut key manager.
On a side note, it looks like you have two antivirus solutions on your computer. One from embarq and one from symantec. You should consider uninstalling only the antivirus program for one of the two because antivirus programs tend to fight with each other.
Oct 15, 2007 - 12:42 PM
For a minute I thought we had it! I did as instructed but the problem returned. I'm now appending the remainder of the HijackThis file to see if the culprit might be in there. I did notice that the problem seems less severe in that I don't lose characters until the focus changes for the requisite 8 seconds. Before I would be typing and get the "thunk" after losing one character and trying to continue typing. Could there be two processes interfering? Here's the rest of the file.
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Startup Manager] "C:\Program Files\Advanced System Optimizer\startUp manager.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: CleverKeys.lnk = C:\Program Files\Lexico\CleverKeys\CK.exe
O4 - Global Startup: EMBARQ Online Security.lnk = C:\Program Files\EMBARQ Online Security\backweb\7211241\Program\fspex.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: EMBARQ Online Security (BackWeb Plug-in - 7211241) - EMBARQ Online Security - C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Startup Manager] "C:\Program Files\Advanced System Optimizer\startUp manager.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: CleverKeys.lnk = C:\Program Files\Lexico\CleverKeys\CK.exe
O4 - Global Startup: EMBARQ Online Security.lnk = C:\Program Files\EMBARQ Online Security\backweb\7211241\Program\fspex.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: EMBARQ Online Security (BackWeb Plug-in - 7211241) - EMBARQ Online Security - C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc)
Oct 15, 2007 - 01:51 PM
That's much better.
an O4 entry in hijack this means it's written in the hklm registry as a startup item. These can be unchecked using msconfig in the startup tab. there are 2 items we should uncheck, 1 is the registry booster and 2 is the startup manager.
the O23 keys are startup services, you can temporarily enable/disable these from the services tab in MSConfig. (as a matter of fact, you can check the box that says "hide all microsoft services" then disable everything you see, keep in mind your antivirus solution will not be enabled if you do this)
by the way, try selecting diagnostic mode from msconfig and restarting with that if that doesn't fix your problem then we're totally on the wrong track, which means we should be looking at BHO's or Office Add-Ons.
if for any reason we need to undo any of these changes, just open msconfig again and select normal startup and all will be well and screwy again.
Once we find the exact process, we will be manually (and cleanly) disabling it. We don't want to leave settings from msconfig to be permanent.
you will have to play around with the settings in MSconfig for a bit.
Stick to the startup and services tabs, never disable any microsoft services and you won't screw anything up beyond repair.
an O4 entry in hijack this means it's written in the hklm registry as a startup item. These can be unchecked using msconfig in the startup tab. there are 2 items we should uncheck, 1 is the registry booster and 2 is the startup manager.
the O23 keys are startup services, you can temporarily enable/disable these from the services tab in MSConfig. (as a matter of fact, you can check the box that says "hide all microsoft services" then disable everything you see, keep in mind your antivirus solution will not be enabled if you do this)
by the way, try selecting diagnostic mode from msconfig and restarting with that if that doesn't fix your problem then we're totally on the wrong track, which means we should be looking at BHO's or Office Add-Ons.
if for any reason we need to undo any of these changes, just open msconfig again and select normal startup and all will be well and screwy again.
Once we find the exact process, we will be manually (and cleanly) disabling it. We don't want to leave settings from msconfig to be permanent.
you will have to play around with the settings in MSconfig for a bit.
Stick to the startup and services tabs, never disable any microsoft services and you won't screw anything up beyond repair.
Oct 15, 2007 - 02:45 PM
OK Oracle here's what I did and the result. I unchecked the 2 items above, restarted and the problem recurred. So, I reopended msconfig and checked diagnostic mode and restarted. Voila, the problem disappeared. I couldn't access the Internet in diagnostic mode, so I reopened msconfig and restarted in normal startup mode. That's what I'm in now as I type this. I'm waiting to see if the problem is still with me. It's been over two minutes and I haven't lost focus. The problem seems to be gone. I'm going to try it a bit longer so that I don't get false hopes. what should I do to make this permanent or to make sure it doesn't come back? It sure looks like you've solved the problem.
Oct 16, 2007 - 08:00 AM
The only thing at this point that makes any sense to me is a possible failure in symantec Live update. I've seen it do a number of different things, but never steal focus. In any case, all we did was stop certain programs from automatically starting up when the computer starts up. the order we did this was based on my best guesses which were all wrong, (luckily we didn't do anything permanent). Because the problem was fixed in diagnostic mode, we know it's a startup process. If the problem reoccurs, keep playing with msconfig to find the exact program. when it's found, set you PC to normal startup, backup your registry, then remove it with hijack this by checking the item from the scan and selecting FIX.
to back up your registry.
start->run->regedit
highlight my computer in the left tree view.
select file->export->(file name.reg)
to back up your registry.
start->run->regedit
highlight my computer in the left tree view.
select file->export->(file name.reg)
Oct 16, 2007 - 08:30 AM
I'm going to print out all these so I'll have them for future reference. You were great. You can't imagine how much more pleasant it is to use my computer now.
Since you'r so good, may I ask you about another problem?
I use hibernate mode a lot and occasionally go to a fresh boot. Lately, it takes longer to recover from hibernate than it does to do a fresh boot, almost 3 minutes. It used to take about 15 seconds. What could be causing this?
Since you'r so good, may I ask you about another problem?
I use hibernate mode a lot and occasionally go to a fresh boot. Lately, it takes longer to recover from hibernate than it does to do a fresh boot, almost 3 minutes. It used to take about 15 seconds. What could be causing this?
Oct 16, 2007 - 09:16 AM
Great, now I have ego issues...
What causes hibernation issues is usually disk access. maybe in the form of a corrput hibernation file or fragmented hard drive or lastly DMA access failures. there are simple fixes we can do for each of these, unfortunately they're time consuming.
1.disable and reenable hibernation
control panle->power options->hibernation Tab
uncheck the box for hibernation, reenable it after step 4.
delete c:\hiberfil.sys if it exists and remove it from your recycle bin too.
2. Check DMA access
Control panel->system->hardware Tab->Device Manager->IDE ATA/ATAPI controllers->
right click on Primary IDE channel, go to properties, go to advanced settings and make sure the transfer mode is set to DMA if available. Note the current transfer mode.
3.set the PC to do an exaustive scan/repair on your hard drive.
start->run->chkdsk /r
say yes to have it run the next time the computer restarts and restart the computer and go do something else for about an hour.
4.defrag your hard drive
start->run->defrag c: -f -v
go do something else for about an hour
5.reenable hibernation (see step 1)
a full disk cleanup wouldn't hurt either
start->programs->accessories->system tools->disk cleanup
check everything except compress unused files and then continue.
on a side note, you might want to set your recycle bin's size to 3% and temporary internet files to be 50 MB with a 7 day memory.
What causes hibernation issues is usually disk access. maybe in the form of a corrput hibernation file or fragmented hard drive or lastly DMA access failures. there are simple fixes we can do for each of these, unfortunately they're time consuming.
1.disable and reenable hibernation
control panle->power options->hibernation Tab
uncheck the box for hibernation, reenable it after step 4.
delete c:\hiberfil.sys if it exists and remove it from your recycle bin too.
2. Check DMA access
Control panel->system->hardware Tab->Device Manager->IDE ATA/ATAPI controllers->
right click on Primary IDE channel, go to properties, go to advanced settings and make sure the transfer mode is set to DMA if available. Note the current transfer mode.
3.set the PC to do an exaustive scan/repair on your hard drive.
start->run->chkdsk /r
say yes to have it run the next time the computer restarts and restart the computer and go do something else for about an hour.
4.defrag your hard drive
start->run->defrag c: -f -v
go do something else for about an hour
5.reenable hibernation (see step 1)
a full disk cleanup wouldn't hurt either
start->programs->accessories->system tools->disk cleanup
check everything except compress unused files and then continue.
on a side note, you might want to set your recycle bin's size to 3% and temporary internet files to be 50 MB with a 7 day memory.
Oct 16, 2007 - 12:06 PM
Wow! My machine has never recovered this fast!
I didn't know where to set the recycle bin's size or internet files. Can you give me a clue?
I should have started another thread so I could give you more points.
I didn't know where to set the recycle bin's size or internet files. Can you give me a clue?
I should have started another thread so I could give you more points.
Oct 16, 2007 - 01:36 PM
don't worry about the points.
right click on your recycle bin and select properties.
right click on your recycle bin and select properties.
Oct 16, 2007 - 01:44 PM
I don't know much about how this site works so I was trying to work by their rules. anyway, I feel I owe you something for the time you took to help me. You have both the knowledge and patience to be an extremely valuable resource to others.
If you send me your mailing address, I'll send you a copy of my recently released book, "Kisses from a Distance." You can look it up on Amazon to see if it would interest you. My address is raffellis@embarqmail.com.
If you send me your mailing address, I'll send you a copy of my recently released book, "Kisses from a Distance." You can look it up on Amazon to see if it would interest you. My address is raffellis@embarqmail.com.
Oct 17, 2007 - 06:06 PM
Oh Oracle, my hibernate problem came back after just two tries. I repeated the above instructions and it didn't work a second time. any idea what it could be?
Oct 18, 2007 - 12:26 PM
I would try to disable hibernation then fully restarting the computer. Enabling it after restarting might help.
Oct 18, 2007 - 12:29 PM
by the way, I'm deeply honored by your offer for the book. But I firmly believe that I'm getting some sort of Karma by contributing to this website. So I will respectfully decline your offer. (if someone else contacts you by email, you probably shouldn't believe them since it's not me.)
Oct 19, 2007 - 03:46 PM
OK Oracle. Thanks for all your help. Still have the hibernation problem but its something I can live with, I guess. If you have any great ideas about this let me know. Lots of good karma! So long.
Oct 20, 2007 - 12:42 PM
Check if write caching is still enabled on your C drive.
Open my computer
right click on local c: and select properties
click on the hardware tab
here's where you might have to do some guessing, but you have to figure out the manufacturer of your hard drive.
Hopefully you don't have too complex of a configuration but you want to highlight the item that is a disk drive type and at location 0(0)
then select properties.
click on the Policies Tab and make sure the "enable write caching" box is checked and OK out of everything.
Hope this helps.
Open my computer
right click on local c: and select properties
click on the hardware tab
here's where you might have to do some guessing, but you have to figure out the manufacturer of your hard drive.
Hopefully you don't have too complex of a configuration but you want to highlight the item that is a disk drive type and at location 0(0)
then select properties.
click on the Policies Tab and make sure the "enable write caching" box is checked and OK out of everything.
Hope this helps.
Oct 24, 2007 - 08:01 AM
Yes. Your suggestion didn't yield the same referenced placard. all options were greyed out. I decided to stop using hibernation.
Oct 24, 2007 - 08:58 AM
if all options were greyed out, something is forcing write caching to be disabled. This is bad since it slows down your computer in general. I have to look this up as I've not seen anything to force disabling write caching. I don't want to insult your intelligence, but you would happen to be seeing this window on a cd rom drive by any chance?
Oct 24, 2007 - 10:29 AM
are you running windows Vista?
I'm going over these setting on a vista machine and found that I have to go in a different way, otherwise my settings are greyed out also.
go to the start menu and right click on my computer.
select "properties"
click on the "Device manager" link (continue if windows prompts you for permission)
expand disk drives
right click on each item within this section until you find a device that shows
"Location 0 (Channel 0, Target 0, Lun 0)"
as its location.
click on the Policies tab within this window and the options should be available for modification.
I'm going over these setting on a vista machine and found that I have to go in a different way, otherwise my settings are greyed out also.
go to the start menu and right click on my computer.
select "properties"
click on the "Device manager" link (continue if windows prompts you for permission)
expand disk drives
right click on each item within this section until you find a device that shows
"Location 0 (Channel 0, Target 0, Lun 0)"
as its location.
click on the Policies tab within this window and the options should be available for modification.
Oct 24, 2007 - 11:32 AM
I appreciate your sticking with this problem. No, I'm not accessing from CD rom. No, I'm not running Vista. I went through the instructions you gave and found the hard disk device ST32000822AS that has Location 0(0), (no Channel. Target, Lun). When I click on Policies, Write caching and Safe Removal is greyed out with Optimize for performance checked.
Oct 24, 2007 - 01:33 PM
I just realized that we ignored the paging file.
right click on my computer, go to the advanced tab, select settings in the performance section, go to the advanced tab and click change in the virtual memory section.
check "no paging file" and restart the computer. Return to this screen and check "system managed size" and reboot one last time. It wouldn't hurt to go through the steps listed previously before reenabling the pagefile settings.
right click on my computer, go to the advanced tab, select settings in the performance section, go to the advanced tab and click change in the virtual memory section.
check "no paging file" and restart the computer. Return to this screen and check "system managed size" and reboot one last time. It wouldn't hurt to go through the steps listed previously before reenabling the pagefile settings.
Oct 24, 2007 - 02:05 PM
I almost hesitate to write this. I did as much as my system will allow - meaning that our versions of software must be different because I couldn't find the item "system managed size" anywhere. I checked "no paging file" and redid all the other above steps. FYI I'm running Build 2600.xpsp_sp2_gdr.00227-2254 (Service Pack 2), if this is of any value. Long story short, I still have the same slow hibernate problem.
Oct 24, 2007 - 02:17 PM
I'm running out of thoughts myself.
I would try going to google groups for this.
http://groups.google.com/groups?sourc...
if anything else comes to mind, I'll post it. also, it would really save my sanity if you do find a solution please tell me what worked.
I would try going to google groups for this.
http://groups.google.com/groups?sourc...
if anything else comes to mind, I'll post it. also, it would really save my sanity if you do find a solution please tell me what worked.
Oct 24, 2007 - 11:51 PM
OK, I'll post to the Google group. As I said oh Oracle, things are so much better now that I consider thr hibernation problem moreof a nusiance than anything else. There are a couple of other problems that have arisen as a result of checking, unchecking, or perhaps deleting processes while on the search for the original problem. These were not your doing but mine. e.g. When I get an attachment with .pdf extension, it won't run on a click from the attachment. I get a "file does ot have a program associated..." error. If I save it, it will then open fine. I've gone through the folder association process, to no avail. There are a couple of other similar problems that I won't bore you with now.
Oct 25, 2007 - 08:04 AM
to re-associate the file type.
1. find the path to the adobe executable
go to the start menu and find the adobe reader program, right click on it and select properties.
copy the contents in the target box.
2. set the path from 1 for pdf files.
open my computer.
go to
tools->folder options->file types tab
scroll down to your pdf file and select properties or edit.
paste your path from step 1 into the program path and ok out of everything.
1. find the path to the adobe executable
go to the start menu and find the adobe reader program, right click on it and select properties.
copy the contents in the target box.
2. set the path from 1 for pdf files.
open my computer.
go to
tools->folder options->file types tab
scroll down to your pdf file and select properties or edit.
paste your path from step 1 into the program path and ok out of everything.
Dec 24, 2010 - 07:22 PM
Actually most times there is no need to rebuild or reinstalled your PC windows system, what you need is a PC protector. Tuneup360 is good choice, you just need to click one big “fix now” button and get your computer fixed at once.
Add New Comment