
Hard drive space

Discussion in 'Windows Vista' started by donpb, Mar 30, 2010.

Thread Status:
Not open for further replies.
  1. donpb

    donpb Thread Starter

    Joined:
    Jun 19, 2009
    Messages:
    12
    I have an HP G60 with Vista. My PC has been running slow, so I checked out how much space was used on my hard drive. It is just under 70 gigs, yet I ran TreeSize and it shows just under 30 gigs, which is about where it was when I bought it. Why is it showing 70 gigs used?
     
  2. TheOutcaste

    TheOutcaste

    Joined:
    Aug 7, 2007
    Messages:
    9,028
  3. donpb

    donpb Thread Starter

    Joined:
    Jun 19, 2009
    Messages:
    12
    Thank you, this time you matched the answer to the question. I just got rid of almost 40 gigs. Was this causing my PC to run slow? I have 7 on the PC at work; will the same thing happen to it?
     
  4. TheOutcaste

    TheOutcaste

    Joined:
    Aug 7, 2007
    Messages:
    9,028
    Restore points by themselves shouldn't slow the system. Data files that end up with fragments that are on either side of a large section of data will take longer to access, but we are talking milliseconds longer, and only for that file. Defragging the drive would clear that up.

    Having a large number of Temp files in either the System Temp folder or the User Temp folder can slow it down. Before creating a temp file the system has to check for a duplicate file name, so it has to read and compare to the entire list of file names. These files should be included in the drive usage, but in this case it's more the number of files than the sizes that is an issue.
    You can run various tools to remove temp files, Windows Built in Disk Cleanup, CCleaner, ATF Cleaner. I find it easier to just manually delete them every once in a while:
    Delete System Temp files in %SystemRoot%\Temp
    Delete User temp files in %temp% (Do this on each account)
    Easy way to access these folders is from Start | Run. Type %temp% to access the current user's Temp folder; type just temp for the system temp folder. Some files might not delete. Just deselect them, and delete the rest.

    If you have a Broadband internet connection, having too large of a browser cache can slow down browsing. Each time you access a page, the browser first gets the header info for the page, which includes the date of the page, and if it should be cached or not. If it can be cached, the browser searches the cache for the page, then checks to see if the cached version is current. It then has to check each image and picture on the page in the same way.
    It can take longer to search a large cache to do this check than it takes to just download the page again.
    IE6 sets the cache to 10% of the hard drive size, so on a 500GB drive that's 50 GB. IE7 limits this to 1 GB, but only if you've clicked the settings button to actually look at it, so if you upgraded from XP to Vista, you could have a very large cache.
    And many people feel 1 GB is too large. It all depends on what types of sites you visit. If you watch a lot of videos or visit sites with lots of images, a larger cache can help, mainly to keep the videos from deleting the cached info from the other sites you visit. Mainly trial and error to see if you even notice a difference. I can't tell a difference using just 50 MB or 100 MB for the cache size, but I don't often visit media rich sites.

    One of the biggest reasons for a slow system is the accumulation of programs starting up and running every time you boot the system. Seems every program wants to add itself to your startups so it will be running as soon as you boot. Handy if you use that program frequently, or first thing, but useless for something you don't use often.
    There is also the possibility of malware that slipped by your Anti-Virus/Malware/Spyware programs.
    A HiJack This log can show us what's running, so if you want to post one we can take a look at it.

    • Go here to Download HiJack This
    • Click the Download HijackThis Installer link.
    • Save HJTInstall.exe to your desktop.
    • Double click on the HJTInstall.exe icon on your desktop.
    • By default it will install to C:\Program Files\Trend Micro\HijackThis
    • Click Install
    • Click the I Accept button on the License Agreement Window
    • The Main Menu window will open
    • Click on the Do a system scan and save a log file button.
    • It will scan, save the log in C:\Program Files\Trend Micro\HijackThis, and then the log will open in Notepad.
    • In Notepad, click on Format and make sure Word Wrap is unchecked
    • In Notepad, click on Edit | Select All then click on Edit | Copy to copy the entire log.
    • Paste the log in your next reply. (Click in the Reply window, press CTRL+V to paste).
    • DO NOT have HijackThis fix anything yet. Most of what it finds is required or harmless.
     
  5. donpb

    donpb Thread Starter

    Joined:
    Jun 19, 2009
    Messages:
    12
    I can't get the Hijack This program to save the log file in Notepad. It will deny write access to the hosts file, then say it cannot find it. I do not get the option to run as administrator when I right click the icon. I know I need to disable a lot of BS that is running. Right now I'm at 35% memory usage, I've got 3 gigs of memory, and I reboot often; this will drop it back to 28-30. I have disabled some in the past, but it seems that over time they will restart.
     
  6. TheOutcaste

    TheOutcaste

    Joined:
    Aug 7, 2007
    Messages:
    9,028
    I'm sure I've installed and run it on Vista before without running as Administrator, but I may have been using the standalone file from the Desktop. The very first run should work as the installer launches it using Run as administrator, but after that you have to right click and choose Run as administrator.

    But you are saying the Run as administrator option doesn't appear in the context menu? That could have been removed/hidden by malware.
    Let's try this:
    Right click the HijackThis shortcut on the Desktop, then click Properties
    On the Shortcut tab, click the Advanced... button
    Check the box for Run as administrator
    Click OK
    Click OK
    Now try running it.

    If that doesn't work, go back to the Hijack Download page, and this time download the executable instead of the installer to your desktop, and run it. It will create the log on the desktop.

    The Hosts file message is normal if you don't run as administrator, won't affect the scan. Only affects trying to remove things from the hosts file.

    To check if the Run as Administrator command has been hidden, copy the text in the following code block into Notepad.
    Save it on the desktop as Query.cmd. Be sure to change the Save as Type: box to All Files when saving.
    Code:
    Reg Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer /s>"%userprofile%\Desktop\Query.txt" 2>&1
    Reg Query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer /s>>"%userprofile%\Desktop\Query.txt" 2>&1
    notepad "%userprofile%\Desktop\Query.txt"
    Double click the file to run it. It will create a file named Query.txt on the Desktop and open it in Notepad. Copy and paste the text into your next Reply.
     
  7. donpb

    donpb Thread Starter

    Joined:
    Jun 19, 2009
    Messages:
    12
    Hi,

    I'm not sure how I got it to save the log, but I think this is what you need. Still trying to get the query.cmd to copy to the desktop; it seems that the machine is fighting me (or it's just that I'm not good at this). Also, when I try to click the box to run as administrator, it will not let me.

    Thanks for your help,

    Don
     


  8. TheOutcaste

    TheOutcaste

    Joined:
    Aug 7, 2007
    Messages:
    9,028
    Reposted for easier viewing:

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 6:17:35 PM, on 4/13/2010
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18248)
    Boot mode: Normal

    Running processes:
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Internet Explorer\ieuser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Users\Owner\Downloads\HijackThis(3).exe
    C:\Users\Owner\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\IPSBHO.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
    O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
    O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 6560 bytes

    Nothing suspicious that jumps out at me in there.

    Does look like something is blocking the Run as Administrator feature if it won't let you check the box either.

    I've attached the query.cmd file to this post in a zip file, let's see if this will be easier for you.
    Download the query.zip file and save it on your Desktop.
    Double click the query.zip file to open it in Windows Explorer.
    Drag the query.cmd file to your Desktop.
    Double click to run.
    It should open the results file in Notepad.
    Click once in the Notepad window to select the window
    Press CTRL+A. Everything should be highlighted
    Press CTRL+C. This will copy it to the Windows Clipboard.
    Switch back to your browser and start a reply to this thread. Click in the Reply box
    Press CTRL+V. This will paste the query.txt file contents.
     


  9. donpb

    donpb Thread Starter

    Joined:
    Jun 19, 2009
    Messages:
    12
    ERROR: The system was unable to find the specified registry key or value.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDesktopCleanupWizard REG_DWORD 0x1


    It didn't seem to work. I think I may have the Virtumonde virus. When I scan with Spybot I see several versions of it (.dll etc.) and it is more than half the 930k objects scanned. When I do Norton, I don't see it and it shows 330k objects. Both found a few tracking cookies last night. I tried to log onto Norton live chat, and the PC locked up. Could this be my problem?
     
  10. TheOutcaste

    TheOutcaste

    Joined:
    Aug 7, 2007
    Messages:
    9,028
    No, that's what the output would be. I wanted to see if this value was present:
    HideRunAsVerb REG_DWORD 0x1
    If it is, it will prevent the Run as administrator item from appearing on the context menu.

    Certainly sounding like malware, something that can hide from HijackThis and Norton. Let's see if you can run Malwarebytes' Anti-Malware.

    Download Malwarebytes' Anti-Malware to your desktop.


    1. Double-click mbam-setup.exe and follow the prompts to install the program.
    2. At the end make sure you have both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    3. Click Finish.
    4. If an update is found, it will be downloaded and installed.
      The program may need to close and restart.
    5. After the updates are installed, select the Scanner tab
    6. Select Perform quick scan, then click the Scan button
    7. When the scan is complete, click OK on the Popup notification.
    8. Click Show Results to view the results.
    9. Be sure that everything is checked then click Remove Selected.
    10. A Notepad will open with the scan log.
    11. If prompted to restart, click Yes.
      Note: The restart prompt may be hidden behind the Notepad Window, minimize it to check.
    12. If you rebooted, restart Malwarebytes' Anti-Malware.
    13. Click the Logs tab
    14. Select the Scan log that was just completed
    15. Click the Open button.
    16. Copy and Paste the log here.
    17. Run HijackThis again, and post another log from it as well.
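
The check described in this post, as an added example that is not part of the original thread: it parses `reg query` output such as Query.txt and reports whether HideRunAsVerb is set as a non-zero DWORD under either policies\Explorer key. The function names and the second sample are constructed for illustration; the first sample is the output posted above, where the ERROR line comes from the HKLM query because Query.cmd runs that one first.

```python
import re

# Query.txt as posted in the thread (the forum collapsed reg.exe's column spacing).
POSTED_QUERY_TXT = r"""ERROR: The system was unable to find the specified registry key or value.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDesktopCleanupWizard REG_DWORD 0x1
"""

# Constructed sample: the same file if the policy were set machine-wide.
CONSTRUCTED_HIDDEN_TXT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    HideRunAsVerb    REG_DWORD    0x1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDesktopCleanupWizard    REG_DWORD    0x1
"""

POLICY_SUFFIX = r"\policies\explorer"
# name, type and optional data; tolerates both reg.exe spacing and collapsed spacing.
VALUE_RE = re.compile(r"^\s*(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)(?:\s+(?P<data>.*))?$")


def parse_reg_query(text):
    """Return ({key: {value_name: (type, data)}}, [error lines])."""
    keys, errors, current = {}, [], None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("ERROR:"):
            errors.append(stripped)          # e.g. the key is absent in that hive
        elif stripped.upper().startswith("HKEY_"):
            current = keys.setdefault(stripped, {})
        else:
            m = VALUE_RE.match(line)
            if m and current is not None:
                current[m["name"]] = (m["type"], (m["data"] or "").strip())
    return keys, errors


def hives_hiding_run_as(keys):
    """List the policies/Explorer keys where HideRunAsVerb is a non-zero DWORD."""
    hits = []
    for key, values in keys.items():
        if not key.lower().endswith(POLICY_SUFFIX):
            continue                         # /s also lists subkeys; skip them
        for name, (vtype, data) in values.items():
            if name.lower() != "hiderunasverb" or vtype != "REG_DWORD":
                continue
            try:
                if int(data, 16) != 0:       # reg.exe prints DWORDs as 0x...
                    hits.append(key)
            except ValueError:
                pass                         # unreadable data: not counted as set
    return hits


if __name__ == "__main__":
    for label, text in (("posted", POSTED_QUERY_TXT),
                        ("constructed", CONSTRUCTED_HIDDEN_TXT)):
        keys, errors = parse_reg_query(text)
        print(label, "| errors:", len(errors),
              "| HideRunAsVerb set in:", hives_hiding_run_as(keys))
```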
     
  11. donpb

    donpb Thread Starter

    Joined:
    Jun 19, 2009
    Messages:
    12
    Hi,

    After 7 tries, I got the Hijack log, hope this helps. How do I know if I have the Virtumonde virus if it hides itself from detection? I have to reboot often to get the memory back down below 30%, and the machine seems to be running way hotter than it used to. Is that another symptom?
     


  12. TheOutcaste

    TheOutcaste

    Joined:
    Aug 7, 2007
    Messages:
    9,028
    Reposting for easier viewing.
    Malwarebytes' Anti-Malware 1.45
    www.malwarebytes.org

    Database version: 3988

    Windows 6.0.6001 Service Pack 1
    Internet Explorer 7.0.6001.18000

    4/14/2010 6:12:24 PM
    mbam-log-2010-04-14 (18-12-24).txt

    Scan type: Quick scan
    Objects scanned: 105281
    Time elapsed: 3 minute(s), 36 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Hijack This:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:54:22 PM, on 4/14/2010
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18248)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Internet Explorer\ieuser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\wuauclt.exe
    C:\Users\Owner\Downloads\HijackThis(12).exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\IPSBHO.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
    O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
    O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
    O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 6494 bytes

    Mbam didn't find anything either. I'm thinking it's time to let the malware experts take a look. They have tools that are much better than Hijack.

    So to summarize:
    System runs slow
    Edit: You can see virtumonde.dll files when spybot scans, but it doesn't report finding the virus. The files don't appear when you scan with Norton Internet Security
    The Run as Administrator option does not appear when you right click a shortcut or program file. And we've confirmed this is not due to the HideRunAsVerb policy being set.
    The Run as Administrator box is greyed out on shortcut Properties | Shortcut tab | Advanced button.

    Are there any other symptoms?
    Any popup ads?
    Websites you can't get to like Google or Microsoft?
    Does Windows Update work?
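
The thread now holds two HijackThis logs taken a day apart, and comparing them by eye is error-prone. The following is an added example, not part of the original thread: it parses each log into running processes and R/O entries and reports what was added or removed between scans. The two samples are constructed excerpts of a few lines from the logs above, and the function names are illustrative.

```python
import re

# Constructed excerpt of the 4/13/2010 log posted in the thread.
SCAN_APR_13 = r"""Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 6:17:35 PM, on 4/13/2010

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Owner\Downloads\HijackThis(3).exe

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6560 bytes
"""

# Constructed excerpt of the 4/14/2010 log posted in the thread.
SCAN_APR_14 = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:54:22 PM, on 4/14/2010

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Owner\Downloads\HijackThis(12).exe

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6494 bytes
"""

# An entry line is a section code (R0, O4, O23, ...), " - ", then the detail text.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def parse_hjt(text):
    """Return a set of (section, item); section is 'proc' or the entry code."""
    items, in_procs = set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False                    # a blank line ends the process list
        elif in_procs:
            items.add(("proc", line.lower()))   # Windows paths are case-insensitive
        else:
            m = ENTRY_RE.match(line)            # header and trailer lines do not match
            if m:
                items.add((m.group(1), m.group(2)))
    return items


def diff_scans(before, after):
    """Compare two logs: entries added, entries removed, count unchanged."""
    old, new = parse_hjt(before), parse_hjt(after)
    return {"added": sorted(new - old),
            "removed": sorted(old - new),
            "unchanged": len(old & new)}


if __name__ == "__main__":
    result = diff_scans(SCAN_APR_13, SCAN_APR_14)
    for section, item in result["added"]:
        print("+", section, item)
    for section, item in result["removed"]:
        print("-", section, item)
    print("unchanged:", result["unchanged"])
```

The two logs in the thread were produced by different HijackThis versions (v2.0.3 BETA and v2.0.2), so a missing section such as O22 may reflect the tool version rather than a change on the system.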
     
  13. donpb

    donpb Thread Starter

    Joined:
    Jun 19, 2009
    Messages:
    12
    Yes, except Spybot does not find it. I see it while it scans; 2/3 of the scan is virtumonde dot something. Before the problem there were only 300k plus files to scan, now it's 930k. Plus the machine runs real hot, and will exceed 40% of memory; after reboot, it's back to 25-28. I see removal software on the net, is any of it safe? Plus I've read that if I'm infected, it's real hard to get rid of. How can I confirm what I have, other than the obvious symptoms?

    Thanks,
    Don
     
  14. TheOutcaste

    TheOutcaste

    Joined:
    Aug 7, 2007
    Messages:
    9,028
    I'll report this and we'll let one of the malware experts take a look.

    They are always busy, so it may take a while before someone gets a chance to look.
     
  15. TheOutcaste

    TheOutcaste

    Joined:
    Aug 7, 2007
    Messages:
    9,028
    One more thing to check for the Run as administrator problem. Try holding shift down, then right click on HijackThis, or some other program, see if Run as administrator appears when holding shift down.
     
Short URL to this thread: https://techguy.org/913682
