disk Check

Hi! Yesterday, when my computer was running slow, as it is now, I decided I would do a defrag. When I clicked Analyze I got a message that a disk check had been scheduled and to do that first. Problem is, I had not scheduled a disk check. I decided to do so though. I scheduled it, restarted my computer, and the disk check started. I've done disk checks before but had nothing like this happen. Can anyone please tell me what happened?

Checking file system on C:
The type of the file system is NTFS.

One of your disks needs to be checked for consistency. You
may cancel the disk check, but it is strongly recommended
that you continue.
Windows will now check the disk.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x4743f for possibly 0x4 clusters.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x4743f for possibly 0x4 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x4
in file 0x40fd is already in use.
Deleting corrupt attribute record (128, " ")
from file record segment 16637.
Attribute record of type 0x80 and instance tag 0x3 is cross linked
starting at 0x4abe6 for possibly 0x1 clusters.
Attribute record of type 0x80 and instance tag 0x3 is cross linked
starting at 0x4abe6 for possibly 0x1 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x3
in file 0x488b is already in use.
Deleting corrupt attribute record (128, " ")
from file record segment 18571.
Attribute record of type 0x80 and instance tag 0x0 is cross linked
starting at 0x582365 for possibly 0x10 clusters.
Attribute record of type 0x80 and instance tag 0x0 is cross linked
starting at 0x582365 for possibly 0x10 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x0
in file 0x49b2 is already in use.
Deleted corrupt attribute list entry
with type code 128 in file 18866.
Unable to locate attribute with instance tag 0x0 and segment
reference 0x2c000000011f74. The expected attribute type is 0x80.
Deleting corrupt attribute record (128, " ")
from file record segment 73588.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x58fcd5 for possibly 0xf clusters.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x58fcd5 for possibly 0xf clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x4
in file 0x4f5b is already in use.
Deleting corrupt attribute record (128, " ")
from file record segment 20315.
Attribute record of type 0x80 and instance tag 0x3 is cross linked
starting at 0x5820cb for possibly 0x11 clusters.
Attribute record of type 0x80 and instance tag 0x3 is cross linked
starting at 0x5820cb for possibly 0x11 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x3
in file 0xf20e is already in use.
Deleting corrupt attribute record (128, " ")
from file record segment 61966.
Attribute record of type 0x80 and instance tag 0x3 is cross linked
starting at 0x49f61 for possibly 0x1 clusters.
Attribute record of type 0x80 and instance tag 0x3 is cross linked
starting at 0x49f61 for possibly 0x1 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x3
in file 0x107d9 is already in use.
Deleting corrupt attribute record (128, " ")
from file record segment 67545.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x584ea5 for possibly 0x10 clusters.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x584ea5 for possibly 0x10 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x4
in file 0x11a51 is already in use.
Deleting corrupt attribute record (128, " ")
from file record segment 72273.
Attribute record of type 0x80 and instance tag 0x3 is cross linked
starting at 0x4aff5 for possibly 0x4 clusters.
Attribute record of type 0x80 and instance tag 0x3 is cross linked
starting at 0x4aff5 for possibly 0x4 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x3
in file 0x11ac9 is already in use.
Deleting corrupt attribute record (128, " ")
from file record segment 72393.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x49a64 for possibly 0x1 clusters.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x49a64 for possibly 0x1 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x4
in file 0x11b79 is already in use.
Deleting corrupt attribute record (128, " ")
from file record segment 72569.
Attribute record of type 0x80 and instance tag 0x3 is cross linked
starting at 0x48ed5 for possibly 0x4 clusters.
Attribute record of type 0x80 and instance tag 0x3 is cross linked
starting at 0x48ed5 for possibly 0x4 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x3
in file 0x11d92 is already in use.
Deleting corrupt attribute record (128, " ")
from file record segment 73106.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x473d7 for possibly 0x1 clusters.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x473d7 for possibly 0x1 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x4
in file 0x11eec is already in use.
Deleting corrupt attribute record (128, " ")
from file record segment 73452.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x4abe3 for possibly 0x1 clusters.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x4abe3 for possibly 0x1 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x4
in file 0x11f4b is already in use.
Deleting corrupt attribute record (128, " ")
from file record segment 73547.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x4abe4 for possibly 0x2 clusters.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x4abe4 for possibly 0x2 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x4
in file 0x129fd is already in use.
Deleting corrupt attribute record (128, " ")
from file record segment 76285.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x58c7c7 for possibly 0x3 clusters.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x58c7c7 for possibly 0x3 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x4
in file 0x131bf is already in use.
Deleting corrupt attribute record (128, " ")
from file record segment 78271.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x47447 for possibly 0x2 clusters.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x47447 for possibly 0x2 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x4
in file 0x135fb is already in use.
Deleting corrupt attribute record (128, " ")
from file record segment 79355.
The file reference 0x2ab000000003abb of index entry TrustedDomains.xml.bin of index $I30
with parent 0xf694 is not the same as 0x2a9000000003abb.
Deleting index entry TrustedDomains.xml.bin in index $I30 of file 63124.
The file reference 0x2ab000000003abb of index entry TRUSTE~1.BIN of index $I30
with parent 0xf694 is not the same as 0x2a9000000003abb.
Deleting index entry TRUSTE~1.BIN in index $I30 of file 63124.
The file reference 0x18c000000003b96 of index entry URLAnalysis.xml.bin of index $I30
with parent 0xf694 is not the same as 0x18a000000003b96.
Deleting index entry URLAnalysis.xml.bin in index $I30 of file 63124.
The file reference 0x18c000000003b96 of index entry URLANA~1.BIN of index $I30
with parent 0xf694 is not the same as 0x18a000000003b96.
Deleting index entry URLANA~1.BIN in index $I30 of file 63124.
The file reference 0x422000000004042 of index entry WebHostingSites.xml.bin of index $I30
with parent 0xf694 is not the same as 0x420000000004042.
Deleting index entry WebHostingSites.xml.bin in index $I30 of file 63124.
The file reference 0x422000000004042 of index entry WEBHOS~1.BIN of index $I30
with parent 0xf694 is not the same as 0x420000000004042.
Deleting index entry WEBHOS~1.BIN in index $I30 of file 63124.
The file reference 0x2b9000000004085 of index entry Identifiers.xml.bin of index $I30
with parent 0x11621 is not the same as 0x2b7000000004085.
Deleting index entry Identifiers.xml.bin in index $I30 of file 71201.
The file reference 0x2b9000000004085 of index entry IDENTI~1.BIN of index $I30
with parent 0x11621 is not the same as 0x2b7000000004085.
Deleting index entry IDENTI~1.BIN in index $I30 of file 71201.
Cleaning up minor inconsistencies on the drive.
CHKDSK is recovering lost files.
Recovering orphaned file TRUSTE~1.BIN (16450) into directory file 63124.
Recovering orphaned file TrustedDomains.xml.bin (16450) into directory file 63124.
Recovering orphaned file URLANA~1.BIN (16517) into directory file 63124.
Recovering orphaned file URLAnalysis.xml.bin (16517) into directory file 63124.
Cleaning up 18 unused index entries from index $SII of file 0x9.
Cleaning up 18 unused index entries from index $SDH of file 0x9.
Cleaning up 18 unused security descriptors.
Inserting data attribute into file 16637.
Inserting data attribute into file 18571.
Inserting data attribute into file 18866.
Inserting data attribute into file 20315.
Inserting data attribute into file 61966.
Inserting data attribute into file 67545.
Inserting data attribute into file 72273.
Inserting data attribute into file 72393.
Inserting data attribute into file 72569.
Inserting data attribute into file 73106.
Inserting data attribute into file 73452.
Inserting data attribute into file 73547.
Inserting data attribute into file 76285.
Inserting data attribute into file 78271.
Inserting data attribute into file 79355.
CHKDSK is verifying file data (stage 4 of 5)...
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.
Correcting errors in the master file table's (MFT) BITMAP attribute.
Correcting errors in the Volume Bitmap.
Windows has made corrections to the file system.

117178078 KB total disk space.
20951924 KB in 82762 files.
26492 KB in 6344 indexes.
0 KB in bad sectors.
163714 KB in use by the system.
65536 KB occupied by the log file.
96035948 KB available on disk.

4096 bytes in each allocation unit.
29294519 total allocation units on disk.
24008987 allocation units available on disk.

Internal Info:
d0 6b 01 00 27 5c 01 00 62 ba 01 00 00 00 00 00 .k..'\..b.......
56 02 00 00 01 00 00 00 d0 03 00 00 00 00 00 00 V...............
e0 f7 05 04 00 00 00 00 14 c6 97 29 00 00 00 00 ...........)....
40 d2 df 03 00 00 00 00 94 9d 87 9d 03 00 00 00 @...............
5e 08 30 13 06 00 00 00 62 4e 29 ea 09 00 00 00 ^.0.....bN).....
99 9e 36 00 00 00 00 00 88 38 07 00 4a 43 01 00 ..6......8..JC..
00 00 00 00 00 d0 cd fe 04 00 00 00 c8 18 00 00 ................

Windows has finished checking your disk.
Please wait while your computer restarts.

I'm stumped as to what happened and why there was so much for the disk check to fix. It also took my entire inbox in Outlook Express.

 

Only from what I have worked out myself about chkdsk (mainly from Scandisk in Win 98 and 95). The errors can come from an unexpected shutdown. Files are left open and incomplete.

From the look of it, you may have had several windows or tabs open in the browser and Outlook Express open (probably with emails opened).

One thing I would suggest is to look in Control Panel -> Power Options for the setting "When I press the power button..." It may not be relevant, but I have walked up the computer and not noticed the power LED was on, pressed the button and so shutdown the machine while it was in power saving mode. There will probably also be a setting in the BIOS/Startup settings to make a 4 second delay when the power button is pressed (this may be controlled by the Windows settings, but I have not tested it).

Had any power blackouts you can remember or the machine lose power?

Matt

 

Mattman: No, no power failures. My computer is not on a grounded outlet (I know that is a no-no) so every time there is a storm coming we unplug it. Anyway, it has been freezing up on me (I think it has something to do with that darn System Idle Process or my spyware updates, etc) so I have had to push the power button a few times to shut things down. That is probably what caused the disk check as it was. Thanks for your input.

 

Hi, sull48vg.

I did a little research last night regarding your issue but I didn't come up with anything conclusive yet (for me anyway).

I don't know whether you'll be able to retrieve your OE inbox data or not.

What anti-malware applications (anti-spyware, anti-virus, and firewall) are you running? (Perhaps we can identify a possible conflict.)


I would also be inclined to investigate via two courses of action: Event Viewer and System File Checker.

==========

Instructions About How to Access and Use "Event Viewer ":

• Click Start.
• Right-click My Computer.
• Select "Manage" to open the "Computer Management" window.
  (Event Viewer will be displayed under the "System Tools" directory item.)
• Expand "Event Viewer" and then select "Application ", "Security ", and "System" to view the logs.
• Look for "error" events that occurred around the time your problem occurred. These events will be displayed as icons with either a white X on red background or a black exclamation point on yellow background. In the security section of Event Viewer, events of possible concern are ones that display a padlock icon instead of a key icon.
• Double-click on an individual event to open the "Event Properties" window which shows details about the event.
  • You can use the up/down arrow buttons in the "Event Properties" window to move your focus to other events in the list.
  • Use the button below the up/down arrows to copy the details for an event to your clipboard for pasting elsewhere.
  • Click on the "http://go.microsoft.com/fwlink/events.asp" link in the "Event Properties" window to view more information from Microsoft about the event.

Alternatively, Event Viewer may be accessed as follows.

• Click Start > Run...
• Type [FONT= "Courier New"][SIZE= "3"]eventvwr.msc[/SIZE][/FONT] in the "Open:" field.
• Click the OK button.

==========

Perhaps Windows XP's System File Checker (SFC) will help you resolve your issue.

• Have your Windows XP CD handy because you may be prompted to insert it into your CD drive during this process.
• Click Start > Run...
• Type [FONT= "Courier New"][SIZE= "3"]sfc /scannow[/SIZE][/FONT] in the "Open:" field.
• Click the OK button.

A "Windows File Protection" window will open and display its progress. If SFC runs successfully without any intervention from you, it will take approximately 15-25 minutes to complete. When SFC completes, the "Windows File Protection" window will simply disappear.

To see any changes that may have been made by SFC after it completes:

• Click Start > Run...
• Type [FONT= "Courier New"][SIZE= "3"]eventvwr.msc[/SIZE][/FONT] in the "Open:" field.
• Click the OK button.
• Click the "System" item on the left side of the "Event Viewer" window.

Any changes made by SFC will be displayed (in reverse order) as "Windows File Protection" events between Event ID 64016 (Windows File Protection started) and 64017 (Windows File Protection completed).

Double-click on an event (or right-click on the event and select "Properties ") to view details about the event. You can use the up/down arrow buttons on the right side of the event's "Properties" window to view details about adjacent events without having to close the event's "Properties" window.

If you want to copy event details to your clipboard (for pasting into Notepad or a forum message, for example), use the button immediately below the up/down arrow buttons in the event's "Properties" window.

==========

If you find any possibly relevant issues identified, then please post details here.

 

sull48vg, I'm guessing you're also seeking help with this issue in the Tech Support Guy forums.

• http://forums.techguy.org/windows-nt-2000-xp/617168-disk-check.html

I'm providing a link here for everyone's reference/convenience in case you arrive at a solution via a TSG suggestion and so we don't waste time/effort offering suggestions that might be offered there.

 

Mailman: I checked Event Viewer and right around where I had to do the disk check, the only thing I could see was that I had pushed the button to shut down my computer because my whole desktop was frozen. That's been happening a lot. I have Norton Internet Security 2007, Spyware Doctor and Counter Spy. I had Norton to automatically update without bothering me. I have since changed that because I believe that is the reason I got so many freeze-ups. I also had updated recently the Spyware Doctor program and it had a Virus program attached to it. I have had to remove that also because of a conflict between it and Norton. I'm now back to my orginal Spyware Doctor. I'm just hoping everything is okay. I haven't done the second thing you suggested yet, but I will.

 

Mailman: I did the System File Checker and these are the results:

Event Type: Information
Event Source: Windows File Protection
Event Category: None
Event ID: 64020
Date: 8/31/2007
Time: 11:15:37 PM
User: N/A
Computer: COMPUTERROOM
Description:
Windows File Protection scan found that the system file c:\windows\system32\danim.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 6.3.1.146.

There was two entries in Event Viewer that said exactly the same thing. They were placed in Event Viewer a minute apart.
I'm still having some freeze ups, the BBS page did a little while ago, but mostly its my desktop. That's getting me away from disk check, but I can't help but think that the freeze ups are why the disk check was done.

 

According to ProgramChecker.com, danim.dll is a DirectX (DirectAnimation) file. There are also other versions listed at ProgramChecker.com so you might want to consider investigating whether you want to reinstall/upgrade your DirectX or not. If you want to perform some DirextX diagnostics, then

• Click Start > Run...
• Type [FONT= "Courier New"][SIZE= "3"]dxdiag.exe[/SIZE][/FONT] in the "Open:" field.
• Click the OK button.

NOTE: I am not familiar with the reputation/reliablity of ProgramChecker. Therefore, I do not currently endorse ProgramChecker information or the software offered on the page I linked.

I am assuming you are referring to the Event Viewer details you posted above. Seems strange that SFC would flag the same file twice in the same scan. Are you certain both the path and filename identified are identical?

I don't know whether investigating/fixing DirextX will solve the freeze issue or not.

When your computer freezes, do you still have to press the power button to force a shutdown or can you wait a few minutes before it becomes responsive again? Next time your computer freezes, it might be worthwhile to do something else (non-computer-related) and then come back to your computer a half-hour later to see whether it is still unresponsive or has become responsive again.

Seems there might be some active processes interfering with each other. The only handy way I currently know of to get a list for posting into a message is by running HijackThis (HJT) and copy/pasting a HJT log. The log produced with HJT's default settings might be a good start.

HijackThis is a tool commonly used by malware-removal experts (which helps explain the application's name) but it might help us with this issue as well. We might be able to identify potential/known conflicting applications. If you want to get an idea about what kind of information a HJT log will produce, then have a look at some threads in the Removing Spyware & Viruses forum.

CAUTION: DO NOT have HijackThis "fix" anything without carefully following expert guidance. Otherwise, you might render your computer unstable or even unbootable.

I do not know what caused your chkdsk issue (and all those errors) except for mattman's hunch it might be due to an unexpected shutdown (or you pressing the power button to force a shutdown) that produced the cross link, index, attribute, and orphaned file issues. I do not understand what those errors really mean either. Might be worthwhile to investigate by searching the MS KB for some of those strings produced by chkdsk.

 

Mailman: Things seemed to be working pretty good until I came here and tried to reply to your post. The site froze up and I had to open task manager to end it. I then tried again and it worked.

I did the diagnostic of direct X. The results showed no problems.

Here's the log from Hijack This:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:52 AM, on 9/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O6 "USB001" /M "Stylus Photo 820 "
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe "
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe "
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /A "C:\WINDOWS\system32\E_SA4.tmp "
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181445924500
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181445912921
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AED7F7F-C4E3-45E9-837C-942147472026}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: aawservice - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 9028 bytes

Maybe you can see something that would be causing freeze-ups. One thing I think it could be is SBCSSvc.exe. That has something to do with Counter Spy. The last time it froze (before BBS) was my desktop. When I finally could do something I brought up task manager and simply shut everything down. Took a long time to get Task Manager to come up. This SBCSSvc.exe was using 100% CPU. I have contacted Counter Spy support about this.

I'm pretty sure my shutting down the computer suddenly was the cause of the disk check as mattmann said. I took your suggestion and waited a while and could at least bring up Task Manager.

I did post on Tech Guy but got no response.

 

I cannot analyse the log for hidden programs. What I notice though, is that you have several checking programs. It appears you have Norton Internet Security, Spybot and Counter Spy running in the background. All three will be trying to test and check files constantly. I might not wonder that they are clashing occasionally.

I don't install Tea-timer and "Innoculate" for Spybot, I run it manually on a regular basis (say, if I leave the computer for a period). I don't know Counter Spy, but Norton Internet Security has it's own spyware checker.

If the computer is running slowly, watch the HDD LED. If the LED is running constantly, a check is being done. If one "checker" is running and another starts up, I expect it will cause problems for the system... "Check this. No, check this. No this" If you open a program or maybe the system wants to call up something from the HDD while this is happening, uuummm, I don't expect the system would react very well.

Watch that HDD LED.

I would disable/stop Spybot and Counter Spy from running at startup, and just run them manually ( "bad" spyware/trojans, etc., will ask to install some sort program or ActiveX and you will be asked if you want allow the install). If you want to install things that are "suspect ", then try to remove them with removal tools (antivirus, antispyware, etc.,), your system may end up being "sick" anyway.

I have learned how to avoid malware. I don't, then, have to remove it.

Another suggestion, if say, Counter Spy, seems to be a bugbear, if it is a download and you are a registered user, uninstall it and reinstall it. Download the lastest version or update it again.

Once there is a lot of checking to do, the checking programs may turn your system into a slug.

Matt
Drat Pete, posted before me

 

Pete C: Thanks. I did receive a reply from Sunbelt about Counter Spy and unstalled Counter Spy and installed the new V2.5. We'll see if that helps.

 

Mattmann: Thanks. I do not have Spybott installed. I have Spyware Doctor and I am working at that with PC Tools. We'll see what happens there.

 

sull48vg,
If you had two conflicting anti-spyware and/or anti-virus apps that scanned your e-mail at the same time, I suppose that might have produced your cross-linked files and such. That's just a hunch though. I have not done any research to back it up.

 

Hi mailman, I would be reasonably certain (at least, I would expect), that the chkdsk errors were from the "forced shutdown ", well put. A freeze is not the same as a BSOD. With BSOD, Windows can take control, if only to report that something has gone wrong and it can record the information it has available. With a freeze all control is lost, the only avenue of escape is a "hard" shutdown. This will trigger an automatic file system scan (chkdsk) at the next startup.

sull48vg, Spyware Doctor - Spybot, I got lost in rechecking the log (getting late for me). Pete can't see any problem apart from the Counter Spy "reset ". Interesting that I also mentioned reinstall, even though I had not seen Pete's reply (I reinstall checking programs with updated versions if possible, if the original has been patched a lot, I find it is best to throw it out and install the latest version).

Me, I find NIS is aggressive, I have not used Counter Spy and only installed Spyware Doctor as a test. As I said, I would run one or the other (or the other) at startup, I would run the others manually (see for yourself how many programs they are running from startup).

Matt

 

Mattmann: I haven't had any freeze ups since I installed the update to Counter Spy. I have reinstalled Spyware Doctor and so far so good. You can be sure I will post again if I have more trouble. I'm going to close this one for now. Thanks to everyone who responded and helped me.