still getting surprise cold boot
Thread Solved |
Hi guys,
I thought I had everything back to normal after last week's cleanup fest but last night the computer just crashed...twice! Since that was the original issue, I guess I didn't accomplish anything.
I was in the middle of going to Accuweather in IE when it happened the first time...very strange, the second time I wasn't doing anything. After the reorg and HJT cleanup, I even went to the IE page and reinstalled IE7 last week because I was getting some strange messages - I tried to copy the log files but I couldn't and they were much too long to take down manually. Obviously, that wasn't the problem. I can't figure why it waited a week to crash again. The first time, it did a CHKDSK on startup, the second time, it just restarted normally. This week, no strange messages, though (it was just those where the system wants to send a log to Microsoft - I couldn't find a file associated with them to copy, too bad)
I don't know what else to do, so here is the latest HJT log, I hope somebody can see something. Thanks in advance.
zeroth
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:50:31 AM, on 8/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\downloads\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~4\Office\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1217943070764
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {9E065E4A-BD9D-4547-8F90-985DC62A5591} (PlayerPT Control) - http://192.168.1.102/PlayerPT.cab
O16 - DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} (NetCamPlayerWeb11gv2 Control) - http://192.168.1.109/NetCamPlayerWeb11gv2.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://192.168.1.105/activex/AMC.cab
O16 - DPF: {FA478DB9-803F-4154-9DDB-765EA9E35333} (Sony SNC-P1 Control) - http://192.168.1.111/program/SonySncP1View.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2902DADA-98FF-4EEC-9630-01E0B626B8F6}: NameServer = 24.25.5.60,24.25.5.61
O17 - HKLM\System\CS1\Services\Tcpip\..\{2902DADA-98FF-4EEC-9630-01E0B626B8F6}: NameServer = 24.25.5.60,24.25.5.61
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
--
End of file - 8125 bytes
"No one remembers who climbed Mount Everest the second time." — Na Nook.
Well rats! zeroth, I thought we had this licked last week!
I really don't see a thing in the log.
Tell me, how much RAM is installed on the system?
Have you done "general housecleaning" of the computer lately? Don't mean disk cleanup or anything like that, I mean checking for dust inside the case, vents, on fan blades, etc.?
Also, go to Start, Control Panel, Administrative Tools, Event Viewer. Click on Application and take note of errors showing there around the time of the shut downs. Double click on one of them to actually see what caused the error.
Do the same in System. This "might" give us a clue, can't promise it will but it cannot hurt to check.
I thought we did too! computer has 4G RAM
there are some errors, since all was reorged, etc. Since I can't copy from that box, here's some info
8/3 4:37PM mshtml.dll failed running IE
8/4 6:39AM kernal32.dll failed running IE
8/4 6:40AM kernal32.dll failed running IE
8/5 9:25AM jscript.dll failed running IE
these are the only events besides the following that are errors since last week. I remember the system crashing twice on 8/6, though. There is one more error on that date
Ad-aware internal error 2753 - but I got rid of Ad-aware (it's possible that's the date I removed it but I don't remember - thought it was last week)
I'm not certain these times match the crashes. Next time I'll pay more attention. Plus I'm not sure what you mean when you say do the same with System.
Thanks again,
zeroth
"No one remembers who climbed Mount Everest the second time." — Na Nook.
Have found this information you might try. Now, you didn't say if you have the pop-up blocker turned on or off, but try this and see if it makes a difference: go to that Accuweather site where you had the problem and try changing your settings to always allow pop-ups for this site.
You need to check your Internet Privacy Options (which will be the same in IE6 & 7). If you are using IE7 then at the bottom of the page for the site you should see a small icon for changing the security options for the site and you can do it there online. Allow all popups.
See if this makes a difference.
I didn't respond right away simply because it was my daughter's birthday and didn't get a chance but I did look at your suggestions - couldn't figure out what you meant. I'm looking at the bottom of this page and I see:
privacy report
security settings
zoom level
I checked in security settings and didn't see anywhere I could block/unblock popups - I do see where you can block cookies. Can you give me more info on popups?
Besides that, I think I have narrowed this thing down, at least in my mind. I finally looked at the event monitor for System (after re-reading one of your posts) and there ARE some errors listed, especially around the time of the last crash. It's saying there are processes that weren't loaded at startup.
So, I've suspected for some time that my copy of XP has been compromised somehow and that the crashes come when the system calls one of these subroutines that's not there. What that would mean by now is that the backup for XP now doesn't have the files either. Short of buying a full copy of XP, how can I clean this up since the O/S no longer comes with the machine?
Thanks,
zeroth
"No one remembers who climbed Mount Everest the second time." — Na Nook.
In IE go to Tools, Internet Options, Privacy Tab. There is where you will find the option to turn on or off the pop up blocker.
Number 1;
What ARE the processes which are not being loaded?
Number 2; No, this does not necessarily mean your copy of XP is compromised, this just means they are disabled. It is very possible they can be turned back on, but I need to know what they are. That does NOT mean the backup doesn't have the files either. Backup is exactly what it means...a backup copy. A working copy may have compromised or corrupted files but the backup copy isn't used...it is sitting there as backup...usually untouched.
Number 3. Did your system come with a restore disk? If so, then you DO have a copy of XP. If the computer has a restore partition, then you DO have a copy of XP. However, if this was/is a pirated copy of XP then no, you do not have any backups and would very likely have to purchase a full NEW XP.
it's a legit copy, I even have two of these HP machines. I feel better about my system backup now, though, with your explanation. I don't have a restore disk, these machines don't come with any disks.
I haven't played with any O/S since Win98, I'm one of the dinosaur mainframe programmers left over from the 60s and don't like to upgrade to buggy software when I have already gotten a machine stable (although my 9 year old has Vista). Anyway, don't know much about XP as you can see. A good reference book suggestion would be appreciated. Meanwhile, I really appreciate your educating me!! I owe you one...I'm a wireless engineer if I can return the favor.
Back to the subject, we're getting somewhere I think:
Looking at all the event errors under System, I found a pattern that now makes sense. It's Avira with something still running in the machine that I can't find. The Avira Scheduler Service and Guard Service are trying to run and there's nothing to run. missing files are avgio avipbb ftsata2 and ssmdrv. Sorry I can't copy the lines...there's a repeating three errors, first the scheduler can't run, then Guard can't run, then the 4 files that weren't loaded (the first two with avi seem to indicate Avira, no)? This is repeated back in time...remember that I told you the system would not let me add/remove the Avira software, it would crash when I tried. Finally, I just removed the files myself...obviously didn't get them all...
So, I guess all I have to do is find whatever scheduler and guard programs are still resident. Don't have a clue where to start, though.
"No one remembers who climbed Mount Everest the second time." — Na Nook.
It's Avira with something still running in the machine that I can't find. The Avira Scheduler Service and Guard Service are trying to run and there's nothing to run
One at a time double click on each entry. Change Start up type to Disabled. Click Apply.
See both of my other attachments.
Once you have done that then reboot the machine and see if errors are still appearing.
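One way to locate the leftover service and driver entries discussed in the posts above (registrations that remain after the program's files were deleted by hand), assuming Windows PowerShell is available on the machine. This is an added example, not part of the thread; `Resolve-ServiceBinary` and `Get-OrphanedService` are hypothetical helper names.

```powershell
# Added example (not from the thread): list services and drivers that are still
# registered but whose binary is gone from disk. Read-only; it changes nothing.
# Run from an elevated prompt. Function names are hypothetical helpers.

function Resolve-ServiceBinary {
    param([string]$ImagePath)

    # ImagePath values come in several shapes; normalise them to a plain file path.
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())

    if ($p -match '^"([^"]+)"') {
        $p = $Matches[1]                      # "C:\path with spaces\svc.exe" -args
    } elseif ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') {
        $p = $Matches[1]                      # unquoted path followed by arguments
    }

    if ($p -match '^\\\?\?\\(.*)$') {
        $p = $Matches[1]                      # NT object prefix: \??\C:\...
    }
    if ($p -match '^\\SystemRoot\\(.*)$') {
        $p = Join-Path $env:SystemRoot $Matches[1]
    } elseif ($p -match '^system32\\') {
        $p = Join-Path $env:SystemRoot $p     # driver path relative to the Windows directory
    }
    return $p
}

function Get-OrphanedService {
    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
        $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue

        # Skip keys that are not services, and entries with no ImagePath
        # (those fall back to OS defaults and are out of scope for this check).
        if ($null -eq $svc -or $null -eq $svc.Type -or
            [string]::IsNullOrEmpty($svc.ImagePath)) { return }

        $bin = Resolve-ServiceBinary $svc.ImagePath
        if (-not (Test-Path -LiteralPath $bin -PathType Leaf -ErrorAction SilentlyContinue)) {
            $start = 'Unknown'
            if ($null -ne $svc.Start) { $start = $startNames[[int]$svc.Start] }

            # Type bits 0x1-0x8 are driver types; 0x10 and 0x20 are Win32 services.
            $kind = 'Service'
            if (($svc.Type -band 0xF) -ne 0) { $kind = 'Driver' }

            New-Object PSObject -Property @{
                Name      = $_.PSChildName
                Kind      = $kind
                StartType = $start
                Resolved  = $bin
                ImagePath = $svc.ImagePath
            }
        }
    } | Select-Object Name, Kind, StartType, Resolved, ImagePath
}

Get-OrphanedService | Sort-Object StartType, Name | Format-Table -AutoSize -Wrap
```

Entries reported with a start type of Boot, System or Auto are the ones the system tries to load at every startup. Services hosted inside `svchost.exe` are not covered, because their `ImagePath` points at `svchost.exe` itself; treat each result as a lead to confirm before disabling anything.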
I got this last task done and got rid of Avira and just let it run for a couple days to try and get a pattern. This is getting strange as, since that exercise, IE has not been listed at the core of crashes, since 8/11 anyway. On 8/12 skype crashed it 4 times...however, I just downloaded skype a few days ago so it could not have been the culprit - plus, each time I tried to update my outlook contacts into skype, it crashed after the task was complete - the times match exactly, so I'm going to discount that as a cause. Additionally, system didn't ask for a chkdsk on these events.
After this series of 4 events, there are two more:
8/12 15:11 App Error module ntdll.dll outlook.exe crashed
8/13 08:53 App Error module oleaut32.dll wmipruse.exe crashed
These DID require a chkdsk - I've tried to skip chkdsk before to see what happens and after the system starts up, it immediately crashes when the system tried a disk retrieve.
Anyway, these last two seem to eliminate IE
This last one just now I was on daniweb and the event log says outlook. fyi, it just went black screen and restarted without warning...
Thanks,
zeroth
"No one remembers who climbed Mount Everest the second time." — Na Nook.