Monday, May 01, 2006
Scratching around for disk space
Question : I keep getting a message saying my "scratch disk" is full when I try to save a photo I've been working on, and I'm unable to save the file. How can I fix this?
Answer : Adobe's Photoshop program and its offshoots temporarily grab extra hard drive space while you're editing and enhancing images. This extra space - which gives the software its own little workspace for processing and short-term data storage - is called the scratch disk.
One common reason for the error message is that all the computer's memory is in use, and its hard drive lacks the room the photo program needs. A scratch disk may be three to five times the size of the file you're working on, depending on the file and what you're doing to it.
Defragmenting your hard drive and deleting old files and documents to free disk space might help. You should also check the image size settings for the files you are working on.
Photoshop measures resolution in pixels per inch as opposed to the dots-per-inch standard printers use; increasing the photo's resolution to match the printer's resolution can result in huge space-eating files. (Resolutions of 200 x 300pixels per inch are usually fine for printers.)
If your computer has several drives or partitions, you can pick a place other than the main drive for Photoshop to use for its scratch disk.
To do so, go to the program's preferences area, and in the Plug-Ins & Scratch Disks section, select the drive or partition to use. increasing the memory the program is allowed to use might also help; these settings are in the Memory & Image Cache area of the program's preferences.
Answer : Adobe's Photoshop program and its offshoots temporarily grab extra hard drive space while you're editing and enhancing images. This extra space - which gives the software its own little workspace for processing and short-term data storage - is called the scratch disk.
One common reason for the error message is that all the computer's memory is in use, and its hard drive lacks the room the photo program needs. A scratch disk may be three to five times the size of the file you're working on, depending on the file and what you're doing to it.
Defragmenting your hard drive and deleting old files and documents to free disk space might help. You should also check the image size settings for the files you are working on.
Photoshop measures resolution in pixels per inch as opposed to the dots-per-inch standard printers use; increasing the photo's resolution to match the printer's resolution can result in huge space-eating files. (Resolutions of 200 x 300pixels per inch are usually fine for printers.)
If your computer has several drives or partitions, you can pick a place other than the main drive for Photoshop to use for its scratch disk.
To do so, go to the program's preferences area, and in the Plug-Ins & Scratch Disks section, select the drive or partition to use. increasing the memory the program is allowed to use might also help; these settings are in the Memory & Image Cache area of the program's preferences.
Thursday, April 27, 2006
Your own address on the NET
IF YOU want to prolong the life of an old PC, the good news is that it can be converted into a personal web server, file server or game server.
But doing so creates a new problem: How would other users (or even you) find your PC over the Internet?
Of course, you can easily contact all your users and give out the IP (Internet Protocol) address of your PC.
When you connect to the Internet, your ISP (Internet Service Provider) assigns a temporary IP address to your PC, which looks something like 219.95.45.33.
But if you accidentally or intentionally disconnect, and later reconnect, the IP address of your PC will change.
That means other users can no longer access your website or game server because it now has a different IP address.
To avoid this problem, you can use dynamic DNS (Domain Name System), or DDNS services.
These services allow you to assign a domain name to your PC, such as ahbeng.servegame.com, much like real websites.
Using dynamic DNS, you can maintain a website or a game server and not have to worry about updating users when the IP address changes.
Free DDNS services are available from various DNS hosting companies ( www.no-pi.com www.dyndns.com http://freedns.afraid.org/ ).
Typically, all you need to do is sign up for an account, pick from a list of domain names, download and run a DDNS program, and your PC now has a "real" Internet address.
The DNS company retains the current addresses in a database, while the provided DDNS program updates the service whenever the PC's IP address has changed.
Your users only need to know the domain name for your PC, which will remain constant.
A few broadband routers also have built-in support for DDNS, so users don't even need to download any software.
But doing so creates a new problem: How would other users (or even you) find your PC over the Internet?
Of course, you can easily contact all your users and give out the IP (Internet Protocol) address of your PC.
When you connect to the Internet, your ISP (Internet Service Provider) assigns a temporary IP address to your PC, which looks something like 219.95.45.33.
But if you accidentally or intentionally disconnect, and later reconnect, the IP address of your PC will change.
That means other users can no longer access your website or game server because it now has a different IP address.
To avoid this problem, you can use dynamic DNS (Domain Name System), or DDNS services.
These services allow you to assign a domain name to your PC, such as ahbeng.servegame.com, much like real websites.
Using dynamic DNS, you can maintain a website or a game server and not have to worry about updating users when the IP address changes.
Free DDNS services are available from various DNS hosting companies ( www.no-pi.com www.dyndns.com http://freedns.afraid.org/ ).
Typically, all you need to do is sign up for an account, pick from a list of domain names, download and run a DDNS program, and your PC now has a "real" Internet address.
The DNS company retains the current addresses in a database, while the provided DDNS program updates the service whenever the PC's IP address has changed.
Your users only need to know the domain name for your PC, which will remain constant.
A few broadband routers also have built-in support for DDNS, so users don't even need to download any software.
Tuesday, April 25, 2006
Security feature may need tinkering
Question : My web browser often gives me a message that says "Your current security settings prohibit running ActiveX controls on this page." What is ActiveX?
Answer : ActiveX controls are little programs that work within a web browser to provide things like interactivity and animation to webpages. They can be helpful tools that let you do calculations in a browser window or upload pictures to a photo-sharing site. But there are also rogue ActiveX controls that secretly install software on your computer or do other malicious deeds.
Internet Explorer has security settings that can prevent pages from using ActiveX controls, which may be causing the browser messages. You can see and adjust those settings by going to the Tools menu, then to Internet Options, and clicking on the Security tab.
Browsers set to Medium security block downloading of unknown ActiveX controls. The High security setting blocks even more potential threats, but it can limit the functions of some webpages. You can tinker with the settings yourself by clicking on the Custom Level button and adjusting the browser handling of ActiveX controls.
Internet security software and antispyware programs can also block ActiveX controls from running on a webpage. You can usually adjust your security settings within these programs as well, but loosening the default restrictions can make your computer more vulnerable.
Answer : ActiveX controls are little programs that work within a web browser to provide things like interactivity and animation to webpages. They can be helpful tools that let you do calculations in a browser window or upload pictures to a photo-sharing site. But there are also rogue ActiveX controls that secretly install software on your computer or do other malicious deeds.
Internet Explorer has security settings that can prevent pages from using ActiveX controls, which may be causing the browser messages. You can see and adjust those settings by going to the Tools menu, then to Internet Options, and clicking on the Security tab.
Browsers set to Medium security block downloading of unknown ActiveX controls. The High security setting blocks even more potential threats, but it can limit the functions of some webpages. You can tinker with the settings yourself by clicking on the Custom Level button and adjusting the browser handling of ActiveX controls.
Internet security software and antispyware programs can also block ActiveX controls from running on a webpage. You can usually adjust your security settings within these programs as well, but loosening the default restrictions can make your computer more vulnerable.
Thursday, April 13, 2006
Filtering results on search engines
Question : Is there a way to keep sexually explicit sites from showing up in web searches?
Answer : As you may have noticed, the Internet is full of sexually
explicit material. While blocking all of it may be a Sisyphean chore, there are a few things you can do to help cut down on the number of these sites landing on your search results page.
Most big search engines, including Google, MSN Search, and Yahoo!, include a
SafeSearch filter in their preferences, which you can use to sift out results
from sexually-oriented websites. (The filter is not related to an old adware program, also called SafeSearch, which redirected web browsers to certain sites.)
To use the SafeSearch filter with Google, for example, click the Preferences link on the main Google search page and select the level of screening you want to use with our search.
You can choose strict filtering, which blocks text and images, or moderate filtering, which just blocks images. Moderate filtering is the default in most cases. You can also use SafeSearch filtering when using the Advanced and Image search pages on Google, MSN, and Yahoo!
You can turn the filter off in the browser preferences as well. Filtering search results is an imperfect science, and depending on what you are searching for, you may block websites with information about reproductive health or political issues.
Filtering programs like ContentProtect from ContentWatch and Net Nanny can be bought and may be useful if you have children.
Microsoft's Internet Explorer browser also has a Content Advisor setting that can block sites with potentially offensive material. To use it, go on the Tools menu, click the Internet Options box, click on the Content tab, and adjust the settings.
Answer : As you may have noticed, the Internet is full of sexually
explicit material. While blocking all of it may be a Sisyphean chore, there are a few things you can do to help cut down on the number of these sites landing on your search results page.
Most big search engines, including Google, MSN Search, and Yahoo!, include a
SafeSearch filter in their preferences, which you can use to sift out results
from sexually-oriented websites. (The filter is not related to an old adware program, also called SafeSearch, which redirected web browsers to certain sites.)
To use the SafeSearch filter with Google, for example, click the Preferences link on the main Google search page and select the level of screening you want to use with our search.
You can choose strict filtering, which blocks text and images, or moderate filtering, which just blocks images. Moderate filtering is the default in most cases. You can also use SafeSearch filtering when using the Advanced and Image search pages on Google, MSN, and Yahoo!
You can turn the filter off in the browser preferences as well. Filtering search results is an imperfect science, and depending on what you are searching for, you may block websites with information about reproductive health or political issues.
Filtering programs like ContentProtect from ContentWatch and Net Nanny can be bought and may be useful if you have children.
Microsoft's Internet Explorer browser also has a Content Advisor setting that can block sites with potentially offensive material. To use it, go on the Tools menu, click the Internet Options box, click on the Content tab, and adjust the settings.
Tuesday, April 04, 2006
Getting around notebook troubles
Question : The screen on my notebook computer went black, and I can't get it back on. What could be the problem?
Answer : This could point to some serious issue with the notebook. Before you panic, though, do what a service technician would tell you to do.
First, shut down the computer and let it sit for thirty seconds or so. Turn it back on, and see if the problem is resolved.
Make sure that your notebook is not "docked" in a docking station, and be sure that you haven't accidentally activated the external video out mode and shut off the machine's main display.
After that, if the display still isn't working, it may be time to call the technical support number of your notebook manufacturer.
You'll probably be asked to run your machine through a "diagnostic mode." A diagnostic mode will allow the computer to emit a series of sounds that will tell you, or a service technician, whether a subsystem on the notebook has failed.
On Dell notebooks, the diagnostic mode is entered by turning the machine off, holding down the Fn key and the power button simultaneously, and then releasing both.
Question : My Windows XP notebook computer won't connect automatically to wireless networks that are within range. Why is this?
Answer : If the wireless network is "secured," you'll need a passkey, or password, to access it. Make sure you have a passkey, and double-click the wireless access icon in your Windows taskbar.
You should see a list of wireless networks available. Click the one for which you have a passkey, and then click the Connect button.
You should be prompted for the key. You will need to type it twice for verification purposes. Once you click OK, you should connect within a few seconds.
Windows remembers the wireless networks to which you've connected. The next time you're in range of a network that you have used previously, your notebook should connect automatically.
Answer : This could point to some serious issue with the notebook. Before you panic, though, do what a service technician would tell you to do.
First, shut down the computer and let it sit for thirty seconds or so. Turn it back on, and see if the problem is resolved.
Make sure that your notebook is not "docked" in a docking station, and be sure that you haven't accidentally activated the external video out mode and shut off the machine's main display.
After that, if the display still isn't working, it may be time to call the technical support number of your notebook manufacturer.
You'll probably be asked to run your machine through a "diagnostic mode." A diagnostic mode will allow the computer to emit a series of sounds that will tell you, or a service technician, whether a subsystem on the notebook has failed.
On Dell notebooks, the diagnostic mode is entered by turning the machine off, holding down the Fn key and the power button simultaneously, and then releasing both.
Question : My Windows XP notebook computer won't connect automatically to wireless networks that are within range. Why is this?
Answer : If the wireless network is "secured," you'll need a passkey, or password, to access it. Make sure you have a passkey, and double-click the wireless access icon in your Windows taskbar.
You should see a list of wireless networks available. Click the one for which you have a passkey, and then click the Connect button.
You should be prompted for the key. You will need to type it twice for verification purposes. Once you click OK, you should connect within a few seconds.
Windows remembers the wireless networks to which you've connected. The next time you're in range of a network that you have used previously, your notebook should connect automatically.
Tuesday, March 28, 2006
Speeding up Firefox browser
Question : I am using Mozilla Firefox 1.0. How do I change the settings of the browser so it sends several requests instead of the default one, to transmit responses faster? Are there other ways to increase the download speed of the browser? Please help.
Answer : There are several ways to speed up Mozilla's Firefox. But before that, let's look at Firefox's configuration screen. To do that, start Firefox, type "about:config" (without the quotes) into the address box, and press the Enter key. This will bring up a page with a list of settings that can be configured.
The feature you're probably referring to is called pipelining. Pipelining is a method of speeding up data transfer between a browser and a Web server. Basically, it entails sending several requests at once instead of one at a time as is usually done. This can save quite a bit of time if everything goes well. This can also result in a reduction in traffic because with pipelining you will be able to put in several requests into one packet (which is a little like putting several letters to the same person into one envelope).
The main disadvantage of pipelining is that the whole page may take longer to display if the connection is less than perfect. This is because if a packet goes missing, several requests will have to be resent instead of just one. Also, for best results, both the browser and the server should be capable of pipelining requests and replies.
To turn on pipelining, look in the configuration window for the setting "network.http.pipelining" and right-click on it.
When the pop-up menu appears, select Toggle. The word "False" under the Value column to the right of this setting should change to "True". This will enable pipelining for this browser.
Do the same for the setting "network.http.proxy.pipelining" to enable pipelining for proxies, and set "network.http.pipelining.maxrequests" to "8" for better efficiency. To do this, right-click on the setting, select Modify, type "8" (without the quotes) into the text box, and press the Enter key. If this is done right, the Value column to the right of the setting "network.http.pipelining.maxrequests" should display the number "8".
The values for "network.http.max-connections", "network-http.max-connections-per-server", "network-http.max-persistent-connections-per- proxy" and "network-http.max-persistent-connections-per-server" can also be increased in the same way.
The Web page www.bitstorm.org/extensions/tweak/ contains an extension that will automate the modification of these settings. To install it, enter the Web site name in the list of sites allowed to install extensions.
To do this, select Tools --> Options --> Web Features and click on the button to the right of "Allow Web sites to install software". When the window labelled "Allowed Sites" opens, type "www.bitstorm.org" (without the quotes) into the text box under Address of Web site. Check the spelling to see if it's accurate. After the spelling is verified, click on the Allow button to add the site to the list. Click on the OK button to close the window and then on the OK button to close the Options window.
After that's done, visit www.bitstorm.org/extensions/ tweak/ and click on Install Tweak Network Settings. After a while, a window will pop up with the title "Software Installation". Click on the Install Now button. A window will pop up with the title "Extensions". This window will show "This item will be installed after you restart Firefox" when the installation is complete. The next time Firefox is started, a new option called Tweak Network Settings will be visible under Tools.
Another way to make Firefox seem faster is to turn off the built-in rendering delay. Firefox waits a little before actually rendering a page. This prevents elements of the page from "jumping around" as it's being reconfigured by incoming data. Turning off the built-in rendering delay will stop this from happening. This will appear to increase response time because "something happens" almost immediately after the Enter key is pressed.
In reality, this doesn't necessarily make the page load faster. It just makes the browser display the elements as they arrive instead of waiting for everything to settle down before displaying the page. Some people regard this as "faster" because they spend less time staring at a blank screen.
To make this change, add the entry "nglayout.initial paint.delay" to the configuration list. To do this, right-click anywhere in the configuration window and select New --> Integer from the pop-up window. A new window with the title "New Integer Value" should pop up.
In the text box under New Preference Name, type "nglayout.initialpaint. delay" (without the quotes) and press the Enter key. A new box will display, this time with the title "Enter Integer Value". Type the number "0" into the box under "nglayout.initialpaint.delay", and press the Enter key. If this is done correctly, the new setting should be listed in the configuration window.
After this is done, close the browser (File --> Exit). The new setting should take effect the next time it's started.
Answer : There are several ways to speed up Mozilla's Firefox. But before that, let's look at Firefox's configuration screen. To do that, start Firefox, type "about:config" (without the quotes) into the address box, and press the Enter key. This will bring up a page with a list of settings that can be configured.
The feature you're probably referring to is called pipelining. Pipelining is a method of speeding up data transfer between a browser and a Web server. Basically, it entails sending several requests at once instead of one at a time as is usually done. This can save quite a bit of time if everything goes well. This can also result in a reduction in traffic because with pipelining you will be able to put in several requests into one packet (which is a little like putting several letters to the same person into one envelope).
The main disadvantage of pipelining is that the whole page may take longer to display if the connection is less than perfect. This is because if a packet goes missing, several requests will have to be resent instead of just one. Also, for best results, both the browser and the server should be capable of pipelining requests and replies.
To turn on pipelining, look in the configuration window for the setting "network.http.pipelining" and right-click on it.
When the pop-up menu appears, select Toggle. The word "False" under the Value column to the right of this setting should change to "True". This will enable pipelining for this browser.
Do the same for the setting "network.http.proxy.pipelining" to enable pipelining for proxies, and set "network.http.pipelining.maxrequests" to "8" for better efficiency. To do this, right-click on the setting, select Modify, type "8" (without the quotes) into the text box, and press the Enter key. If this is done right, the Value column to the right of the setting "network.http.pipelining.maxrequests" should display the number "8".
The values for "network.http.max-connections", "network-http.max-connections-per-server", "network-http.max-persistent-connections-per- proxy" and "network-http.max-persistent-connections-per-server" can also be increased in the same way.
The Web page www.bitstorm.org/extensions/tweak/ contains an extension that will automate the modification of these settings. To install it, enter the Web site name in the list of sites allowed to install extensions.
To do this, select Tools --> Options --> Web Features and click on the button to the right of "Allow Web sites to install software". When the window labelled "Allowed Sites" opens, type "www.bitstorm.org" (without the quotes) into the text box under Address of Web site. Check the spelling to see if it's accurate. After the spelling is verified, click on the Allow button to add the site to the list. Click on the OK button to close the window and then on the OK button to close the Options window.
After that's done, visit www.bitstorm.org/extensions/ tweak/ and click on Install Tweak Network Settings. After a while, a window will pop up with the title "Software Installation". Click on the Install Now button. A window will pop up with the title "Extensions". This window will show "This item will be installed after you restart Firefox" when the installation is complete. The next time Firefox is started, a new option called Tweak Network Settings will be visible under Tools.
Another way to make Firefox seem faster is to turn off the built-in rendering delay. Firefox waits a little before actually rendering a page. This prevents elements of the page from "jumping around" as it's being reconfigured by incoming data. Turning off the built-in rendering delay will stop this from happening. This will appear to increase response time because "something happens" almost immediately after the Enter key is pressed.
In reality, this doesn't necessarily make the page load faster. It just makes the browser display the elements as they arrive instead of waiting for everything to settle down before displaying the page. Some people regard this as "faster" because they spend less time staring at a blank screen.
To make this change, add the entry "nglayout.initial paint.delay" to the configuration list. To do this, right-click anywhere in the configuration window and select New --> Integer from the pop-up window. A new window with the title "New Integer Value" should pop up.
In the text box under New Preference Name, type "nglayout.initialpaint. delay" (without the quotes) and press the Enter key. A new box will display, this time with the title "Enter Integer Value". Type the number "0" into the box under "nglayout.initialpaint.delay", and press the Enter key. If this is done correctly, the new setting should be listed in the configuration window.
After this is done, close the browser (File --> Exit). The new setting should take effect the next time it's started.
Monday, February 27, 2006
Finding model number the easy way
Question : I’m trying to find the model number of my digital versatile disc (DVD) combo drive, but I’ve lost the packaging. How do I find the model number?
Answer : There’s an easy way to find the model designations of many peripherals in the PC without having to actually open the system case. Many model numbers are listed on the “Device Manager” window.
To open this window, first open the “System Properties” window. In the classic interface, this window can be opened by selecting Start -> Control Panel and then double-clicking on “System” and selecting the “Hardware” tab.
Select Start -> Control Panel -> Performance and Maintenance -> System to do the same in the new (Luna) interface. From here, click on the “Device Manager” button and the Device Manager window should open. Click on the plus (+) signs next to the hardware classes to reveal the model numbers.
Answer : There’s an easy way to find the model designations of many peripherals in the PC without having to actually open the system case. Many model numbers are listed on the “Device Manager” window.
To open this window, first open the “System Properties” window. In the classic interface, this window can be opened by selecting Start -> Control Panel and then double-clicking on “System” and selecting the “Hardware” tab.
Select Start -> Control Panel -> Performance and Maintenance -> System to do the same in the new (Luna) interface. From here, click on the “Device Manager” button and the Device Manager window should open. Click on the plus (+) signs next to the hardware classes to reveal the model numbers.
Friday, January 27, 2006
Overcoming printing woes on dot-matrix printer
Question : I am trying to use an old dot-matrix printer. When I install the printer, everything goes well, but when I want to print, it prints out garbled characters. What settings do I need to set? I went into the basic input/output system (BIOS) and there are a few settings for my parallel port (ECP, SPP). Which one should I choose?
Answer : Most parallel printers will work with the printer port set to “SPP”.
There are several reasons why a printer might print out what appears to be garbage characters instead of what should actually be printed.
One reason is that the parallel port mode is set wrong. The parallel port mode should usually be set to “Standard Parallel Port” or “SPP”.
To determine the correct mode, check the printer documentation.
If the printer supports Enhanced Capabilities Port (ECP) or Extended Capabilities Port (ECP), it will say that in the printer documentation.
Otherwise it would be a good idea to set the parallel port to SPP mode. Another possible reason is that the drivers are incorrect or buggy.
To remedy this, install the latest drivers for the printer.
Garbled printing can also be caused by a faulty or loose printer cable. Check that the cable is properly secured at the personal computer (PC) end, and also that the cable is connected at the printer end.
Unlike many other connector cables, a parallel cable must be properly secured – the screws on the connector at the PC end must be securely tightened, and the latches on the printer connector fastened onto the connector at the end of the cable.
Also try printing with a known-good printer cable to eliminate cable damage as a cause.
One little-known reason for garbled printing is wrong settings on the printer itself. Many dot-matrix printers came with various character sets.
The character set to use for printing can usually be predetermined by pushing a button combination, or setting a bank of dual inline package (DIP) switches on the printer.
The important thing to remember is that this setting usually overrides any setting on the PC.
If the PC is set to print using one character set, but the printer is set to print using another, the result will be utter chaos – the printer will misinterpret all the characters and produce nothing more than a page full of garbled characters.
To prevent this, ensure that the correct character set is selected on the printer.
For most of us in the English-speaking world, the correct character set would most likely be ISO Latin 1 (also known as ISO 8859-1) or ISO Latin 9 (also known as ISO 8859-15), the main difference being that the ISO 8859-15 character set includes the “Euro” symbol, whereas the ISO 8859-1 character set does not.
Answer : Most parallel printers will work with the printer port set to “SPP”.
There are several reasons why a printer might print out what appears to be garbage characters instead of what should actually be printed.
One reason is that the parallel port mode is set wrong. The parallel port mode should usually be set to “Standard Parallel Port” or “SPP”.
To determine the correct mode, check the printer documentation.
If the printer supports Enhanced Capabilities Port (ECP) or Extended Capabilities Port (ECP), it will say that in the printer documentation.
Otherwise it would be a good idea to set the parallel port to SPP mode. Another possible reason is that the drivers are incorrect or buggy.
To remedy this, install the latest drivers for the printer.
Garbled printing can also be caused by a faulty or loose printer cable. Check that the cable is properly secured at the personal computer (PC) end, and also that the cable is connected at the printer end.
Unlike many other connector cables, a parallel cable must be properly secured – the screws on the connector at the PC end must be securely tightened, and the latches on the printer connector fastened onto the connector at the end of the cable.
Also try printing with a known-good printer cable to eliminate cable damage as a cause.
One little-known reason for garbled printing is wrong settings on the printer itself. Many dot-matrix printers came with various character sets.
The character set to use for printing can usually be predetermined by pushing a button combination, or setting a bank of dual inline package (DIP) switches on the printer.
The important thing to remember is that this setting usually overrides any setting on the PC.
If the PC is set to print using one character set, but the printer is set to print using another, the result will be utter chaos – the printer will misinterpret all the characters and produce nothing more than a page full of garbled characters.
To prevent this, ensure that the correct character set is selected on the printer.
For most of us in the English-speaking world, the correct character set would most likely be ISO Latin 1 (also known as ISO 8859-1) or ISO Latin 9 (also known as ISO 8859-15), the main difference being that the ISO 8859-15 character set includes the “Euro” symbol, whereas the ISO 8859-1 character set does not.
Thursday, January 05, 2006
Step-by-step guide to remove stubborn malware
Question : Here are some attached files for your reference. The problem causes my PC to slow down dramatically and eventually I can hardly do anything with it. Before this, my PC was infected by malware/adware. The Internet Explorer was damaged, thus I had to get it fixed. From the Task Manager, there is a file called SVCHOST.EXE which uses most of the central processing unit bandwidth. Can any virus/malware/adware do such a thing?
Answer : They not only can do such a thing, they usually DO do such a thing. Malware is, by and large, very badly written. Because of this, a lot of malware have the tendency to slow down or otherwise impact the system in a negative way. It's gotten so indicative that the first thing troubleshooters look at when a system deviates from the norm is the presence of malware.
After looking through the logs, we noticed some suspicious behaviour. First of all, the line "C:\WINNT\TEMP\DS3C68.EXE" under "Running processes" tells us that the file "DS3C68.EXE" is running from a temporary folder in the WINNT directory.
The "TEMP" folder under the main directory (which is WINNT in this case) is usually used to store data files that are used by a running program. Because of this, any program running directly from the "TEMP" folder is highly suspect.
Another suspect entry is "04-HKLM\..\Run: [winsync]C:\WINNT\system32\wkrior.exe reg_run" -- this is probably where your problem is. It's malware that many virus cleaners call "Qoologic", and it is not easy to remove. Basically, Qoologic has three major components.
The first component runs from a "winsync" entry in HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Windows\CurrentVersion\Run -- this is the aforementioned entry. The filename is typically a random set of six characters.
The next component is typically a DLL (that would probably be the one eating up all the processor bandwidth). In some versions, this DLL is called "wuauclt.dll" and usually placed in the system directory (C:\WINNT in this case).
Note that the offending file is called "wuauclt.dll" and not "wuauclt.exe". Also, with many variants, an entry can be found in C:\Documents and Settings\All Users\Start Menu\Programs\Startup that refers to another executable file -- this is another location where programs can be started automatically.
We don't usually advocate wholesale re-installing for any Trojan infection, but this is one of the times that we're going to say it might be easier to just re-install it. Before we go to that extreme, though, we'll try to take it out.
The first thing to do is to figure out what DLL is causing svchost.exe to do this. The offending DLL can be located with Sysinternals' "Process Explorer" (available from www.systinternals.com). After downloading the program, run it, and then locate the "svchost.exe" entries (they're under "services.exe").
One of the "svchost.exe" entries may have a large number under "CPU". If one such entry exists, right-click on it and select "Properties". If not, note the number in the "PID" column of the offending "svchost.exe" entry, and select the entry with the same PID in Process Explorer.
Once this is done, click on the "Performance Graph" tab to confirm CPU usage. Once this is confirmed, click on the "Threads" tab to view all the DLLs that are being supported by this instance of "svchost.exe".
If there's only one listed, then we've found our culprit. If there's more than one DLL, use a search engine to identify the offending DLL.
Just type the DLL names (including the extensions) into a search engine and read what comes up. In this way, the offending DLL can be identified.
Now that we've identified every file and location, it's time to remove them. Before doing anything, update the browser at windowsupdate.microsoft.com (or download the IE6 service pack 1 from www.microsoft.com/ie and install it). This is a crucial step to ensure that the operating system doesn't get reinfected after the malware is removed.
After this is done, restart the OS in "safe" mode and use HijackThis to remove "04-HKLM\..\Run: [winsync]C:\WINNT\system32\wkrior.exe reg_run" (click on the checkbox to the left of it and then on "Fix Checked").
While you're here, open Windows Explorer, navigate to the "C:\WINNT\TEMP" directory and delete every file in it. Do the same for the "temporary" directories of every user (each user has a temporary directory named C:\Documents and Settings\(user name)\Local Settings\Temp (where (user name) is the name of the user).
The startup entries are more difficult to remove. Look through the entries in "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" to see if all programs there are recognised. If the programs are not easily identifiable, just delete everything in it.
Each user will also have a Startup directory, usually called "C:\Documents and Settings\(user name)\Start Menu\Programs\Startup" where user name is, again, the user name of the particular user account.
The same should be done with these directories as well.
Also look in the C:\WINNT directory for a file called "wuauclt.dll". If it's there, remove it. Note that the name is "wuauclt.dll" not' "wuauclt.exe". "wuauclt.exe" is usually a legitimate program.
Okay, now it's time to cross your fingers and restart the OS.
After restarting the OS, run regedit again and see if it's gone. If it is, allow yourself a small pat on the back. It's gone for now. Don't bring out the champagne yet, however.
After this, run HijackThis periodically to see if it's coming back. If you see "04-HKLM\..\Run: [winsync]C:\WINNT\system32\wkrior.exe reg_run", or "04-HKLM\..\Run: [winsync]C:\WINNT\system32\(x) reg_run" again (where x is some random filename), you've been infected again, in which case you might just want to re-install, and remember to update the browser this time.
If you've removed everything from the "startup" directories, also remember to uninstall and re-install any firewall software/malware cleaners installed on this PC to replace the automatically loaded components.
Answer : They not only can do such a thing, they usually DO do such a thing. Malware is, by and large, very badly written. Because of this, a lot of malware have the tendency to slow down or otherwise impact the system in a negative way. It's gotten so indicative that the first thing troubleshooters look at when a system deviates from the norm is the presence of malware.
After looking through the logs, we noticed some suspicious behaviour. First of all, the line "C:\WINNT\TEMP\DS3C68.EXE" under "Running processes" tells us that the file "DS3C68.EXE" is running from a temporary folder in the WINNT directory.
The "TEMP" folder under the main directory (which is WINNT in this case) is usually used to store data files that are used by a running program. Because of this, any program running directly from the "TEMP" folder is highly suspect.
Another suspect entry is "04-HKLM\..\Run: [winsync]C:\WINNT\system32\wkrior.exe reg_run" -- this is probably where your problem is. It's malware that many virus cleaners call "Qoologic", and it is not easy to remove. Basically, Qoologic has three major components.
The first component runs from a "winsync" entry in HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Windows\CurrentVersion\Run -- this is the aforementioned entry. The filename is typically a random set of six characters.
The next component is typically a DLL (that would probably be the one eating up all the processor bandwidth). In some versions, this DLL is called "wuauclt.dll" and usually placed in the system directory (C:\WINNT in this case).
Note that the offending file is called "wuauclt.dll" and not "wuauclt.exe". Also, with many variants, an entry can be found in C:\Documents and Settings\All Users\Start Menu\Programs\Startup that refers to another executable file -- this is another location where programs can be started automatically.
We don't usually advocate wholesale re-installing for any Trojan infection, but this is one of the times that we're going to say it might be easier to just re-install it. Before we go to that extreme, though, we'll try to take it out.
The first thing to do is to figure out what DLL is causing svchost.exe to do this. The offending DLL can be located with Sysinternals' "Process Explorer" (available from www.systinternals.com). After downloading the program, run it, and then locate the "svchost.exe" entries (they're under "services.exe").
One of the "svchost.exe" entries may have a large number under "CPU". If one such entry exists, right-click on it and select "Properties". If not, note the number in the "PID" column of the offending "svchost.exe" entry, and select the entry with the same PID in Process Explorer.
Once this is done, click on the "Performance Graph" tab to confirm CPU usage. Once this is confirmed, click on the "Threads" tab to view all the DLLs that are being supported by this instance of "svchost.exe".
If there's only one listed, then we've found our culprit. If there's more than one DLL, use a search engine to identify the offending DLL.
Just type the DLL names (including the extensions) into a search engine and read what comes up. In this way, the offending DLL can be identified.
Now that we've identified every file and location, it's time to remove them. Before doing anything, update the browser at windowsupdate.microsoft.com (or download the IE6 service pack 1 from www.microsoft.com/ie and install it). This is a crucial step to ensure that the operating system doesn't get reinfected after the malware is removed.
After this is done, restart the OS in "safe" mode and use HijackThis to remove "04-HKLM\..\Run: [winsync]C:\WINNT\system32\wkrior.exe reg_run" (click on the checkbox to the left of it and then on "Fix Checked").
While you're here, open Windows Explorer, navigate to the "C:\WINNT\TEMP" directory and delete every file in it. Do the same for the "temporary" directories of every user (each user has a temporary directory named C:\Documents and Settings\(user name)\Local Settings\Temp (where (user name) is the name of the user).
The startup entries are more difficult to remove. Look through the entries in "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" to see if all programs there are recognised. If the programs are not easily identifiable, just delete everything in it.
Each user will also have a Startup directory, usually called "C:\Documents and Settings\(user name)\Start Menu\Programs\Startup" where user name is, again, the user name of the particular user account.
The same should be done with these directories as well.
Also look in the C:\WINNT directory for a file called "wuauclt.dll". If it's there, remove it. Note that the name is "wuauclt.dll" not' "wuauclt.exe". "wuauclt.exe" is usually a legitimate program.
Okay, now it's time to cross your fingers and restart the OS.
After restarting the OS, run regedit again and see if it's gone. If it is, allow yourself a small pat on the back. It's gone for now. Don't bring out the champagne yet, however.
After this, run HijackThis periodically to see if it's coming back. If you see "04-HKLM\..\Run: [winsync]C:\WINNT\system32\wkrior.exe reg_run", or "04-HKLM\..\Run: [winsync]C:\WINNT\system32\(x) reg_run" again (where x is some random filename), you've been infected again, in which case you might just want to re-install, and remember to update the browser this time.
If you've removed everything from the "startup" directories, also remember to uninstall and re-install any firewall software/malware cleaners installed on this PC to replace the automatically loaded components.
Tuesday, December 06, 2005
Deleting entries in software installation programs
Question : Whenever I switch on my personal computer (PC), these appear on the screen:
1) "Missing File: Windows Registry or System.INI. Please download this file." This is just the gist of what actually appears. I have to click "Enter" about nine times before anything appears on the screen.
2) "Advanced INF Install Error: Could not locate INF file D:\content\Win9X\Win98\W98resume.inf." I have to lick "OK" before the next message appears.
3) "RUNDLL Error loading C:\PROGRA"1\HOTBAR\HOTBAR1.DLL. The system cannot find the path specified." Again, pressing "OK" helps to continue.
Answer : The preferred (and ideal) method of updating Windows is via Windows Update (windowsupdate.microsoft.com).
All these problems stem from the one thing that most people are surprised by when they turn on the PC.
Many operating systems allow software installation programs to place entries in the OS' configuration routines. These entries can start other programs that are required by some software when the OS starts. A problem occurs when the programs that the entries refer to are inaccessible (for instance, if they were deleted or never installed).
If this happens, you'd have a lot of "Missing File" and "Error loading" error messages popping up one after another. This typically happens when the OS starts because that's when the entries request the OS to start the programs.
So basically what the OS is saying is, "I'm being asked to run a program (or programs) after I start, but I can't find the program (or programs)".
There are actually several ways to fix these errors. The easiest way is to delete the entries that call for these programs to be started when Windows starts. Here are the steps to delete these entries:
1) Click on the "Start" button and select (click on) "Run...".
2) Type "regedt32" (without the quotes) into the white box to the left of "Open:"
3) Click on the "OK" button just below the box. A window titled "Registry Editor" will open. This provides access to the OS' "registry". The "registry" is where a lot of the configuration data for the OS is stored.
4) The registry has a tree structure and this is reflected in the "registry editor" window. If one looks at the structure, one will see an arrangement that looks like the way branches are arranged on a tree -- the larger "main branches" are attached to the "trunk". Several smaller branches branch off from each main branch. Still smaller branches branch off from those. This continues until one reaches the last, or smallest branch, after which there are no more branches.
In the "registry tree" The main branches are typically "HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE", "HKEY USERS" and "HKEY_CURRENT_CONFIG".
Smaller branches branch off these, but they are initially hidden.
To reveal a sub-branch, click on the plus (+) sign to the right of a branch. For instance, clicking on the plus (+) sign next to "HKEY_LOCAL_MACHINE" will typically reveal the sub-branches "HARDWARE", "SAM", "SECURITY", "SOFTWARE" and "SYSTEM". Also notice that the plus (+) sign next to "HKEY_LOCAL_MACHINE" turns into a minus (-) sign. This is to signify that the branch has been expanded (the sub-branches have been revealed).
Clicking on the minus (-) sign next to "HKEY_LOCAL_MACHINE" will compact the branch (hide the sub-branches). In this way, the sub-branches for a particular branch can be hidden and revealed.
5) Click on the plus (+) sign next to "HKEY_ LOCAL_MACHINE" to reveal the sub-branches. After the sub-branches are revealed, notice that they themselves have hidden sub-branches.
These sub-branches can be revealed in the same way (by clicking on the plus (+) signs). Also notice that the sub-branches are indented inwards. A branch of another branch will be indented inwards under its parent branch. For instance, clicking on the "HARDWARE" sub-branch will reveal the "ACPI" sub-branch. Notice that the "HARDWARE" sub-branch is indented to the right under the "HKEY_LOCAL_MACHINE branch, and the "ACPI" sub-branch is indented to the right under the "HARDWARE" sub-branch.
6) The "leaves" on a particular "branch" are listed on the right pane of the window. These are the actual configuration commands. For instance, if one navigates to the "HKEY_CURRENT_USER\AppEvents\Event Labels\.Default", one might see in the right pane "Disp FileName" followed by "REG_SZ" and "@mmsys. cpl,-5824". These are the actual configuration settings.
Now that we know how the registry and "regedt32" works, all that's left to be done is to remove the entries that are causing this.
To do so, navigate to the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" section of the registry, look in the right pane for entries containing "W98resume.inf" and "HOTBAR1.DLL", right-click on the relevant entries and select "Delete" from the pop-up window.
The next time Windows starts, the error messages should no longer appear.
1) "Missing File: Windows Registry or System.INI. Please download this file." This is just the gist of what actually appears. I have to click "Enter" about nine times before anything appears on the screen.
2) "Advanced INF Install Error: Could not locate INF file D:\content\Win9X\Win98\W98resume.inf." I have to lick "OK" before the next message appears.
3) "RUNDLL Error loading C:\PROGRA"1\HOTBAR\HOTBAR1.DLL. The system cannot find the path specified." Again, pressing "OK" helps to continue.
Answer : The preferred (and ideal) method of updating Windows is via Windows Update (windowsupdate.microsoft.com).
All these problems stem from the one thing that most people are surprised by when they turn on the PC.
Many operating systems allow software installation programs to place entries in the OS' configuration routines. These entries can start other programs that are required by some software when the OS starts. A problem occurs when the programs that the entries refer to are inaccessible (for instance, if they were deleted or never installed).
If this happens, you'd have a lot of "Missing File" and "Error loading" error messages popping up one after another. This typically happens when the OS starts because that's when the entries request the OS to start the programs.
So basically what the OS is saying is, "I'm being asked to run a program (or programs) after I start, but I can't find the program (or programs)".
There are actually several ways to fix these errors. The easiest way is to delete the entries that call for these programs to be started when Windows starts. Here are the steps to delete these entries:
1) Click on the "Start" button and select (click on) "Run...".
2) Type "regedt32" (without the quotes) into the white box to the left of "Open:"
3) Click on the "OK" button just below the box. A window titled "Registry Editor" will open. This provides access to the OS' "registry". The "registry" is where a lot of the configuration data for the OS is stored.
4) The registry has a tree structure and this is reflected in the "registry editor" window. If one looks at the structure, one will see an arrangement that looks like the way branches are arranged on a tree -- the larger "main branches" are attached to the "trunk". Several smaller branches branch off from each main branch. Still smaller branches branch off from those. This continues until one reaches the last, or smallest branch, after which there are no more branches.
In the "registry tree" The main branches are typically "HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE", "HKEY USERS" and "HKEY_CURRENT_CONFIG".
Smaller branches branch off these, but they are initially hidden.
To reveal a sub-branch, click on the plus (+) sign to the right of a branch. For instance, clicking on the plus (+) sign next to "HKEY_LOCAL_MACHINE" will typically reveal the sub-branches "HARDWARE", "SAM", "SECURITY", "SOFTWARE" and "SYSTEM". Also notice that the plus (+) sign next to "HKEY_LOCAL_MACHINE" turns into a minus (-) sign. This is to signify that the branch has been expanded (the sub-branches have been revealed).
Clicking on the minus (-) sign next to "HKEY_LOCAL_MACHINE" will compact the branch (hide the sub-branches). In this way, the sub-branches for a particular branch can be hidden and revealed.
5) Click on the plus (+) sign next to "HKEY_ LOCAL_MACHINE" to reveal the sub-branches. After the sub-branches are revealed, notice that they themselves have hidden sub-branches.
These sub-branches can be revealed in the same way (by clicking on the plus (+) signs). Also notice that the sub-branches are indented inwards. A branch of another branch will be indented inwards under its parent branch. For instance, clicking on the "HARDWARE" sub-branch will reveal the "ACPI" sub-branch. Notice that the "HARDWARE" sub-branch is indented to the right under the "HKEY_LOCAL_MACHINE branch, and the "ACPI" sub-branch is indented to the right under the "HARDWARE" sub-branch.
6) The "leaves" on a particular "branch" are listed on the right pane of the window. These are the actual configuration commands. For instance, if one navigates to the "HKEY_CURRENT_USER\AppEvents\Event Labels\.Default", one might see in the right pane "Disp FileName" followed by "REG_SZ" and "@mmsys. cpl,-5824". These are the actual configuration settings.
Now that we know how the registry and "regedt32" works, all that's left to be done is to remove the entries that are causing this.
To do so, navigate to the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" section of the registry, look in the right pane for entries containing "W98resume.inf" and "HOTBAR1.DLL", right-click on the relevant entries and select "Delete" from the pop-up window.
The next time Windows starts, the error messages should no longer appear.
