
Possible undetected virus on my XP

Discussion in 'Windows XP' started by ren, Mar 20, 2005.

Thread Status:
Not open for further replies.
  1. ren

    ren Thread Starter

    Joined:
    Dec 28, 2004
    Messages:
    23
    I think I have something malicious that's not being picked up by Norton Antivirus or Spy Sweeper, or Adaware. Too many weird things are happening to name them all, but my task manager shows a bunch of processes working in the background, and I can't figure out what they are, though I've tried. Also, right after turning on the computer, with nothing else running, it shows the CPU flashing up to 90-100% use about four times a minute. It does suspicious things, like my Spy Sweeper has been acting strangely, and I've recently gone to the Microsoft website for their antispyware program which was recommended, but I can't download it, or any other security program they offer, even though I could download other kinds of programs from the website. Then I tried to go to "trend micro housecall" online system scan, but I couldn't get it to scan, although I've done it before. When I look in WINDOWS there are a bunch of identical files repeated over and over again, and I don't know what they are, or where they came from. There are a whole bunch of $NtUninstall files in blue characters that are unknown to me. Sometimes I have to keep unhiding files, often, I can't delete questionable files. I'm inches away from reinstalling windows. Can you save me from this drastic measure? Here is my HJT logfile:

    Logfile of HijackThis v1.99.0
    Scan saved at 5:29:22 PM, on 20/03/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Winter Fun Pack 2004 for Windows XP\WinterWallToy\WinterWalltoy.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\ServicePackFiles\i386\lsass.exe
    C:\WINDOWS\ServicePackFiles\i386\lsass.exe
    C:\WINDOWS\ServicePackFiles\i386\lsass.exe
    C:\WINDOWS\ServicePackFiles\i386\lsass.exe
    C:\WINDOWS\ServicePackFiles\i386\lsass.exe
    C:\WINDOWS\ServicePackFiles\i386\lsass.exe
    C:\WINDOWS\ServicePackFiles\i386\lsass.exe
    C:\WINDOWS\ServicePackFiles\i386\lsass.exe
    C:\WINDOWS\ServicePackFiles\i386\lsass.exe
    C:\WINDOWS\ServicePackFiles\i386\lsass.exe
    C:\WINDOWS\ServicePackFiles\i386\lsass.exe
    C:\WINDOWS\ServicePackFiles\i386\lsass.exe
    C:\WINDOWS\ServicePackFiles\i386\lsass.exe
    C:\WINDOWS\ServicePackFiles\i386\lsass.exe
    C:\WINDOWS\ServicePackFiles\i386\lsass.exe
    C:\WINDOWS\ServicePackFiles\i386\lsass.exe
    C:\WINDOWS\ServicePackFiles\i386\lsass.exe
    C:\WINDOWS\ServicePackFiles\i386\lsass.exe
    C:\WINDOWS\ServicePackFiles\i386\lsass.exe
    C:\WINDOWS\ServicePackFiles\i386\lsass.exe
    C:\WINDOWS\ServicePackFiles\i386\lsass.exe
    C:\WINDOWS\ServicePackFiles\i386\lsass.exe
    C:\WINDOWS\ServicePackFiles\i386\lsass.exe
    C:\WINDOWS\ServicePackFiles\i386\lsass.exe
    C:\WINDOWS\ServicePackFiles\i386\lsass.exe
    C:\WINDOWS\ServicePackFiles\i386\lsass.exe
    C:\WINDOWS\ServicePackFiles\i386\lsass.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\MDG\MDGnotify.exe
    C:\Program Files\Winter Fun Pack 2004 for Windows XP\WinterWallToy\WinterWalltoy.exe
    C:\Program Files\WinMX\WinMX.exe
    C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Microsoft Works\WkDStore.exe
    C:\Documents and Settings\renee\Desktop\Unused Desktop Shortcuts\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mdg.ca
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-ca\msntb.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-ca\msntb.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Shortcut to MDGnotify.lnk = C:\WINDOWS\MDG\MDGnotify.exe
    O4 - Global Startup: Winter Fun Wallpaper Changer.lnk = ?
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.mdg.ca
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} - http://www.errorguard.com/installation/Install.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52....com/pthalo/us/win/QuickTimeFullInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel NCS NetService - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
     
  2. Old Rich

    Old Rich

    Joined:
    Jan 17, 2003
    Messages:
    10,254
    Download, update and run these three spyware tools . . then download the newest version of HiJack This and post another log . . one of the gurus will be along to help you.
     
  3. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    You're right, although there is no apparent "malware" showing, something very strange is going on.

    NONE of the Lsass.exe processes running out of the I386 folder belong in running processes:

    C:\WINDOWS\ServicePackFiles\i386\lsass.exe

    Only these ones belong:

    C:\WINDOWS\system32\lsass.exe

    How long has this problem existed? And when did you update to SP2?

    It's possible a bad SP2 install caused this, and you might want to uninstall it or do a System Restore to a prior date.
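
The path check described in the post above, as an added example that is not part of the original thread: it extends the check from lsass.exe to a short list of core Windows XP process names and also counts instances. The expected directories, the single-instance list and the sample log are assumptions constructed for this example.

```python
import ntpath
from collections import Counter

# Assumption for this example: Windows XP layout with %SystemRoot% = C:\WINDOWS.
SYSTEM32 = r"c:\windows\system32"
EXPECTED_DIR = {
    "smss.exe": SYSTEM32,
    "csrss.exe": SYSTEM32,
    "winlogon.exe": SYSTEM32,
    "services.exe": SYSTEM32,
    "lsass.exe": SYSTEM32,
    "svchost.exe": SYSTEM32,
    "spoolsv.exe": SYSTEM32,
    "explorer.exe": r"c:\windows",
}
# Assumption: these processes run as exactly one instance on XP.
SINGLE_INSTANCE = {"lsass.exe", "services.exe"}

# Constructed sample, abridged from the shape of the log posted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\ServicePackFiles\i386\lsass.exe
C:\WINDOWS\ServicePackFiles\i386\lsass.exe
C:\Program Files\QuickTime\qttask.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mdg.ca
"""


def parse_running_processes(log_text):
    """Return the image paths listed under 'Running processes:'."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not line:
                if paths:
                    break  # the blank line after the list ends the section
                continue
            paths.append(line)
    return paths


def triage(paths):
    """Flag core process names in unexpected folders or running too many times."""
    findings = []
    per_name = Counter()
    # Windows paths are case-insensitive, so compare in lower case.
    for path, count in Counter(p.lower() for p in paths).items():
        directory, name = ntpath.split(path)
        expected = EXPECTED_DIR.get(name)
        if expected is None:
            continue  # not a core process name; out of scope for this check
        per_name[name] += count
        if directory != expected:
            findings.append(("unexpected-path", path, count))
    for name in sorted(SINGLE_INSTANCE):
        if per_name[name] > 1:
            findings.append(("multiple-instances", name, per_name[name]))
    return findings


if __name__ == "__main__":
    for kind, subject, count in triage(parse_running_processes(SAMPLE_LOG)):
        print(f"{kind}: {subject} (x{count})")
```

A clean result only means the names and folders match; it says nothing about whether the file at that path is the genuine binary.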
     
  4. ren

    ren Thread Starter

    Joined:
    Dec 28, 2004
    Messages:
    23
    Dear Rollin Rog,

    How long has this problem existed, and when did I update to SP2? By SP2 I assume you mean a Microsoft Service Pack? I've downloaded several at different times, so I'm not sure, and the problem has been a gradual annoyance with no real noticeable beginning. For months the computer's been just really slow and inefficient. It gets to the point where it's ridiculous, then I get some help, or tweak it till it's tolerable again, but it's never quite right. This time though, it's been doing really weird things it's never done before. This started with our losing internet connection. We ruled out the router, the modem, the plug-in cord, and the cable guy said his computer showed we were connected. Our vendor's technical support helped us solve that problem, but it's been particularly disobedient since that time (about two weeks ago) and no, I can't think of anything that was downloaded around that time. Let me know what you think?


    And Dear simpswr,

    All I can say is, I'm really sorry for the delay, it's a long boring story, but I was able to download Microsoft AntiSpyware this time for some reason (I love it, by the way) and I updated, and downloaded, and botchecked, and scanned, and rebooted, and logged, just like you asked me to. So does this code tell you anything about my little problem?

    Logfile of HijackThis v1.99.1
    Scan saved at 5:54:21 PM, on 22/03/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\MDG\MDGnotify.exe
    C:\Program Files\Winter Fun Pack 2004 for Windows XP\WinterWallToy\WinterWalltoy.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Documents and Settings\renee\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mdg.ca
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Shortcut to MDGnotify.lnk = C:\WINDOWS\MDG\MDGnotify.exe
    O4 - Global Startup: Winter Fun Wallpaper Changer.lnk = ?
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.mdg.ca
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    Thanks so much for your help!
    Ren
     
  5. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    All those mysterious lsass.exe files running out of the ServicePack folder are gone in this scan.

    How is it behaving now?

    And did any of the scans you ran detect anything suspicious with regard to that?

    What is this, do you know?

    O4 - Global Startup: Shortcut to MDGnotify.lnk = C:\WINDOWS\MDG\MDGnotify.exe
     
  6. ren

    ren Thread Starter

    Joined:
    Dec 28, 2004
    Messages:
    23
    MDG is the vendor, and our printer ink is low, that's all I can think of. As far as the lsass stuff, I really don't even know what that is, but I don't remember the scans picking up a whole bunch of the same thing, and I'm not sure the problem is fixed because I just sat down to it informing me that it was having virtual memory problems it was trying to remedy, but it's been sitting idle for hours. So I'm still pretty confused really.
     
  7. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Report exactly any messages like that you receive.

    Virtual memory is usually not a problem unless you are low on physical ram. Virtual memory is the amount of available hard drive space allocated to the "paging file" which is used as a substitute for physical memory.

    Are you low on hard drive space?

    You can see how much "stress" your system is under by opening the Task Manager, looking at the performance tab and checking what is called the "commit charge" ratio.

    The second part of the fraction is the total amount of both physical and virtual memory available. The first part is what is currently in use. They should never come close to being equal.

    You should also note the total Physical memory and that which is actually available.
     
  8. ren

    ren Thread Starter

    Joined:
    Dec 28, 2004
    Messages:
    23
    Ok,

    "Virtual memory is usually not a problem unless you are low on physical ram."

    We're not. It's a fairly good, fairly new system which came with adequate ram.

    "Virtual memory is the amount of available hard drive space allocated to the paging file which is used as a substitute for physical memory."

    I read this over about twenty times and can't get my head around it. I get lost starting at "allocated".

    However, I do know that our hard drive is nowhere near full. My rough estimate would be that we're using about 10% of it.

    It's going to take time and caffeine for me to figure out the rest of your message, but for now I thought I'd give you this much because I just can't say at this point how much time and caffeine this is going to take.

    Will report back when I can.
     
  9. Citizen_D

    Citizen_D

    Joined:
    Mar 23, 2005
    Messages:
    18
    Ren,

    "there are a whole bunch of $NtUninstall files in blue characters that are unknown to me."

    These are compressed folders containing backups that Windows makes when it installs updates or patches. This is normal.

    As Rollin' Rog said, more detailed description of behaviour or error messages will give more of an insight into what is going on.

    Cheers,

    D
     
  10. ren

    ren Thread Starter

    Joined:
    Dec 28, 2004
    Messages:
    23
    I'm back.

    That wasn't as bad as I expected. Here's what I got:

    Commit Charge:

    Total - 385392
    Limit - 706044
    Peak - 600344

    PF Usage was 375 MB

    CPU fluctuated from 2% to an occasional 7 or 8%, rarely getting as high as 15 or even 25%. When I first brought up the screen, the graph showed that it had recently peaked out at 100% though it didn't happen while I was watching.

    I know you didn't ask for all this info but I thought I'd be thorough, since I'm getting the impression you don't think my problem has to do with malware or a virus or anything related to windows. Am I right?
     
  11. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Something's not right here:

    Total - 385392
    Limit - 706044
    Peak - 600344

    Notice your "peak" usage is pretty close to your "limit", although your current total doesn't seem a problem.

    What this suggests is you have run some memory intensive program that is pushing the limit. And it is using "virtual memory", the paging file on your hard drive instead of physical ram. This is a lot slower and you will see your drive being accessed more frequently.

    It looks like you have about 256 mb installed ram, although you did not give me the figure for that, and the programs you are running are needing more memory space and are using the virtual memory (hard drive cache) to make up for it.

    How much ram is installed? Frankly I think 512 is a good recommended level these days.

    And the total available for "limit" seems low.

    If you open the "System" applet in the Control Panel, or press the pause and windows key at the same time, then go to Advanced > Performance > Advanced > Virtual Memory > Change --

    Is the Virtual Memory system managed or "custom"? And if "Custom" what are the initial and maximum mb settings there? You might want to double those.
     
  12. ren

    ren Thread Starter

    Joined:
    Dec 28, 2004
    Messages:
    23
    OK, I did what you suggested, so I'll let you know how that goes. Do you still recommend installing more ram anyway? I don't know how much we have, I'm assuming you have some way of guessing accurately, so if you say I have 256 MB I'll take your word for it. All I ever understood about this computer was that it came with "plenty" of hard drive space, and "plenty" of memory, but if it needs more to run properly, I'd rather just go buy it than keep limping along.

    Also, do you think I should send back another Commit Charge reading in a day or two? And one last question; a lot of people have been telling me you have to reinstall windows periodically for it to run efficiently, and that it's about time I did so. What's your take?

    And in case I haven't said it yet, thank you so very much for all your help. It's really generous of you guys to give up your time and talents to help all us computer dunces out there. Bless you!
     
  13. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I'm just guessing. To find out just right click on "My Computer" and select "properties".

    Also, there is a very useful, and free, System Information utility here. I recommend installing it. It will help you provide answers to many questions that may come up.

    http://www.lavalys.com/products/download.php?pid=1&lang=en&pageid=3

    It will also assist in telling you just what type of ram is installed and what you would need to match up with if you get more.

    What you should see after making the change to virtual memory is a higher "limit" on the commit charge reading. This probably won't improve performance much because unless you increase physical ram, you are still going to the hard drive for memory when the system is stressed.

    However it should mean that you don't get any error messages or warnings about insufficient "virtual memory".
     
Short URL to this thread: https://techguy.org/343729