Followed Instructions - Please Check My Hijackthis Log.


  • This topic is locked
27 replies to this topic

#1 jbcleere

jbcleere

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:19 AM

Posted 15 November 2006 - 05:58 PM

Logfile of HijackThis v1.99.1
Scan saved at 2:53:33 PM, on 11/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\HiJackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-18.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1140665375233
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


#2 DaveM59

DaveM59

    Bleepin' Grandpa


  • Members
  • 1,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:TN USA
  • Local time:12:19 PM

Posted 18 November 2006 - 01:20 PM

Hi jbcleere,

Welcome to Bleeping Computer. :thumbsup:

I don't see any signs of active malware in this log. Are you having popups or any other symptoms?

Frankly, the item that most concerns me is your poker sites. Gaming websites are dangerous, as many of them if not all support themselves with advertising, including links that will install spyware. If you are concerned about security, the best step you could take would be to uninstall those poker programs.

If you wish to keep playing poker on the web, please be very careful not to click any ads on those sites and don't accept any free offers -- they may not be free. Also scan your machine frequently with Ewido and make sure your antivirus and firewall are updated.

BTW, Ewido has been upgraded and the name changed to AVG Antispyware7.5. You should go to their website and follow the instructions to upgrade to the new version.

There are two lines in your log that can be fixed. One is a leftover from Webroot, which you must have installed on this machine at some point.

Open HJT and run a scan. Place a check mark by the following lines:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)


Make sure all other windows on your desktop are closed, and HJT is the only item in your taskbar. Then click Fix Checked. Close HijackThis.

That is all that I can see in this log. If you have popups or other definite symptoms, please post back with them, we can do some more digging to try to diagnose your problem.

Cheers,

Dave
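
The check described in the post above, as an added example that is not part of the original post or of HijackThis itself: a small Python parser that picks out the two kinds of leftover entries selected for fixing, an entry whose target is reported as "(file missing)" and an R0/R1 entry whose registry value is empty. The function names `parse_entries` and `find_leftovers` are hypothetical, and the sample log is an excerpt constructed from the log in post #1.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines excerpted from the log posted in #1.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\winlogon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

# An entry line is "<section code> - <body>", e.g. "O20 - Winlogon Notify: ...".
# Header lines and the running-process list do not match this shape.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
# R-section bodies look like "<key>,<value name> = <data>"; data may be empty.
REG_VALUE_RE = re.compile(r"^(.*?)\s*=\s*(.*)$")


@dataclass
class Entry:
    code: str   # section code such as "R0", "O4", "O20"
    body: str   # everything after "<code> - "


def parse_entries(log_text):
    """Return the section entries of a HijackThis log, in file order."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def find_leftovers(entries):
    """Flag stale entries: missing target files and empty R0/R1 values."""
    findings = []
    for e in entries:
        if e.body.endswith("(file missing)"):
            # The registry entry survives but the file it points to is gone,
            # as with the Webroot leftover in this thread.
            findings.append((e, "target file missing"))
        elif e.code in ("R0", "R1"):
            m = REG_VALUE_RE.match(e.body)
            if m and m.group(2) == "":
                findings.append((e, "empty registry value"))
    return findings


if __name__ == "__main__":
    for entry, reason in find_leftovers(parse_entries(SAMPLE_LOG)):
        print(f"{entry.code}: {reason}: {entry.body}")
```

These two checks only surface stale leftovers; they say nothing about whether the remaining entries are benign.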

#3 jbcleere


Posted 18 November 2006 - 04:40 PM

Dave, thank you for taking the time to help me. I posted because my computer is running very slow. Taking up to 30 sec. to open programs.

...John

#4 DaveM59


Posted 18 November 2006 - 10:56 PM

Hi John,


I take it that the slow start is typical of all programs, not just one or two. Do they also run slowly? If so, is it so bad that you notice lags between keyboard input and when characters appear on screen for example? What about downloads or installing applications?

To rule out malware, we can run a few other scans, but first I would like to suggest a simple check of Task Manager. Press <Ctrl>-<Alt>-<Del> to open Task Manager, then click on the Processes tab. Place a check next to Show processes from all users. Scroll down and see if any of the processes is running at a high percentage of CPU usage. On a normal system at idle the System Idle Process should show about 99 percent, meaning nothing else is using the CPU. The next column to the right, memory usage, may also show something out of line if one process is using a large amount of memory. The Performance tab shows a graph of CPU usage history; it may be helpful in showing a pattern of high peak usage.

If you see a process with high CPU or memory usage, the next thing is to track it down. I will try to help you with that if you see it. Please post a reply here if you spot something, don't go on with the rest of these instructions, just describe the situation. Do not terminate any process except on my instructions!

If you don't see anything with Task Manager, then it's time to run a few more scans. First let's look for a rootkit.

Please download Blacklight Beta here. You can read the information on the download page for an idea of what it will do. Download it to your desktop and double click to open. Accept the agreement, then on the next screen click the Scan button. When the scan is finished, click Next. If anything was found, let Blacklight clean it. Then exit the program. You will find a log file on your desktop, named fsbl-xxxxxxxxxxxxx.log. The x's are numbers, the first four being the current year. This is a text file and can be opened with Notepad.

Then, since no rootkit scanner is perfect, let's use another one. Please download Rootkit Revealer here. The download link is at the bottom of the page. Save the file to your desktop. It is a .zip file, right click it and extract. It will create a folder on your desktop. Open the folder and double click the program icon to run it. Accept the license agreement, then you will see the main program screen, which will look blank. Click Scan in the lower right hand corner. Once the scan is finished, Click File, Save. The default name is RootkitReveal, you may want to change the location.

Lastly, download Silent Runners here. It checks a few things that HijackThis does not. Download the script to your desktop. Double click the icon, click Yes, then read the message that pops up and click OK. When the scan is finished the report log will appear on your desktop, and a message will pop up saying the scan is finished. Note that the report may appear before the message. Wait for the message. Then Click OK to close.

Note: some antispyware programs will identify Silent Runners as a malicious script. It is a VBS script, a type often used by virus writers, but it is not malicious. If you get a warning message, tell your AV program to allow the script to run.

Please post the three scan logs to a reply here.

Good luck,

Dave

#5 jbcleere


Posted 19 November 2006 - 03:17 AM

Hi Dave,

You're right, the slow start is typical of all programs. They do also run slowly. It is so bad that I notice lags between keyboard input and when characters appear on screen. Downloads or installing applications seems to be ok. Task Manager shows the system idle process is 97-98%. The svchost.exe is using the most memory at 53368k, next is firefox at 31840k and then something called vsmon.exe at 11468k. The PF usage is at 301mb and is about half way up the graph. I will wait to proceed with the rest of your instructions until I hear from you.

thanks again,
...John

#6 DaveM59


Posted 19 November 2006 - 10:42 AM

Hi again John,

My Firefox shows 27xxxK so that's normal. 97-98% system idle process is normal. I am guessing the Svchost.exe with 50xxxK usage is the one marked SYSTEM. This can vary a lot depending on how many system services you have running. If it's a different Svchost.exe, tell me which one. Vsmon.exe is your firewall, by the way. Point is there's nothing working in the background and using up your CPU cycles, which is one thing that would account for the lags you describe.

The pagefile usage will depend on how much physical RAM you have. If you've got 512 megs or less then your pagefile usage is not out of line. Can you give me the numbers in the Totals, Physical Memory, Commit Charge, and Kernel Memory boxes on the Performance tab?

Also, try doing something simple. Open Word or some other big program. See what happens to CPU usage. You should be able to watch this because Task Manager is set for "Always on top" by default. You can check or uncheck this under the Options tab. Then try typing on a blank document and watch what happens when you're doing this. When you open a program your CPU usage should rise momentarily, but it should not max out and stay there any length of time.

Let me know what you see. Also, please tell me when this performance drop first appeared. Did it coincide with any other event, such as installing a program? And when you did your prep work for posting the HJT log, did Ewido or the other scans find anything?

Oh one more question -- did you do the HijackThis fix?

If you don't see anything unusual when you launch a program or cannot correlate this issue with some other event then go ahead and run those scans now. If you do just post the logs along with your other information. A rootkit could account for your issue and it needs to be ruled out at this point.

Regards,

Dave

#7 jbcleere


Posted 20 November 2006 - 10:50 AM

Dave,

Physical Memory- 260080
Commit Charge - 351276
Kernel Memory - 56472

The CPU usage looked ok when I opened Word and started typing. Can't remember if the performance drop coincided with any other event. Haven't installed anything in a while. Ewido found some small stuff like tracking cookies. I did do the Hijack this fix you recommended, it seemed to speed things up a little. I will run the scans next and post the results.

thanks,

...John

#8 DaveM59


Posted 20 November 2006 - 11:41 AM

Hi John,

Please post all the numbers in those boxes along with the scan results.

Thanks,

Dave

#9 jbcleere


Posted 20 November 2006 - 12:09 PM

Hi Dave,

Below are the results of the scans:

Blacklight:

11/20/06 07:50:01 [Info]: BlackLight Engine 1.0.47 initialized
11/20/06 07:50:01 [Info]: OS: 5.1 build 2600 (Service Pack 2)
11/20/06 07:50:01 [Note]: 7019 4
11/20/06 07:50:01 [Note]: 7005 0
11/20/06 07:50:12 [Note]: 7006 0
11/20/06 07:50:12 [Note]: 7011 360
11/20/06 07:50:12 [Note]: 7026 0
11/20/06 07:50:12 [Note]: 7026 0
11/20/06 07:50:33 [Note]: FSRAW library version 1.7.1020
11/20/06 08:04:37 [Note]: 7007 0


Rootkit Revealer:

HKLM\SECURITY\Policy\Secrets\SAC* 5/21/2004 9:03 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 5/21/2004 9:03 AM 0 bytes Key name contains embedded nulls (*)
C:\Documents and Settings\John Cleere\Desktop\Silent Runners 11/20/2006 8:36 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\John Cleere\Desktop\Silent Runners.zip 11/20/2006 8:35 AM 84.07 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Desktop\Silent Runners\Silent Runners.vbs 11/20/2006 8:36 AM 338.77 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\08AB6089d01 11/20/2006 8:31 AM 20.54 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\08AE6089d01 11/20/2006 8:31 AM 33.33 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\0C005FE3d01 11/20/2006 8:13 AM 142.23 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\151AF2CFd01 11/20/2006 8:10 AM 143.96 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\22DD1EF3d01 11/20/2006 8:12 AM 89.51 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\271B0990d01 11/20/2006 8:12 AM 43.79 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\319E5B11d01 11/20/2006 8:26 AM 23.97 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\32298420d01 11/20/2006 8:10 AM 42 bytes Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\338B3C18d01 11/20/2006 8:32 AM 42 bytes Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\48C2AE3Bd01 11/20/2006 8:12 AM 26.16 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\54AFE551d01 11/20/2006 8:10 AM 142.70 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\59FE6BA9d01 11/20/2006 8:30 AM 42 bytes Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\5C16E1CDd01 11/20/2006 8:10 AM 330.57 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\5DE6E51Ed01 11/20/2006 8:11 AM 143.61 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\760058A9d01 11/20/2006 8:32 AM 142.05 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\77A93B1Ed01 11/20/2006 8:26 AM 26.29 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\87D8D7B6d01 11/20/2006 8:30 AM 95.12 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\87E56FD7d01 11/20/2006 8:10 AM 90.43 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\9DBECA50d01 11/20/2006 8:26 AM 26.22 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\AD54D78Cd01 11/20/2006 8:26 AM 338.77 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\AD54DB3Fd01 11/20/2006 8:34 AM 84.07 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\B2424C54d01 11/20/2006 8:20 AM 54.88 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\C6EDBBA4d01 11/20/2006 8:31 AM 107.47 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\D244BCE4d01 11/20/2006 8:30 AM 143.25 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\D4AE9D0Dd01 11/20/2006 8:12 AM 19.85 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\D6AA6E0Dd01 11/20/2006 8:10 AM 20.04 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\D8A2E153d01 11/20/2006 8:19 AM 69.77 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\E35EA7EEd01 11/20/2006 8:10 AM 97.87 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\EBDDEBC3d01 11/20/2006 8:31 AM 42 bytes Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\ED8931CAd01 11/20/2006 8:26 AM 19.28 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\F3A8C58Cd01 11/20/2006 8:14 AM 32.53 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\F3F273CCd01 11/20/2006 8:30 AM 42 bytes Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\F4005BE7d01 11/20/2006 8:30 AM 142.75 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\F7A3B17Dd01 11/20/2006 8:10 AM 20.04 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\FC0F4A27d01 11/20/2006 8:31 AM 21.64 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Application Data\Mozilla\Firefox\Profiles\93piclna.default\Cache\FCAE1BD9d01 11/20/2006 8:30 AM 107.79 KB Hidden from Windows API.
C:\Documents and Settings\John Cleere\Local Settings\Temp\plugtmp 11/20/2006 8:16 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\John Cleere\Recent\Silent Runners.zip.lnk 11/20/2006 8:35 AM 445 bytes Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 11/20/2006 8:38 AM 64.00 KB Visible in directory index, but not Windows API or MFT.


Sorry, could not figure out how to run Silent Runners, it just downloaded a notepad file. I don't know how to run it.

...John

#10 jbcleere


Posted 20 November 2006 - 12:15 PM

Sorry, didn't see your reply until after I posted. Here are all the numbers in the Task Manager Performance tab boxes:

Totals
Handles 7293
Threads 376
Processes 30

Commit Charge (k)
Total 345432
Limit 639948
Peak 44492

Physical Memory (k)
Total 260080
Available 51516
System Cache 114216

Kernel Memory (k)
Total 61884
Paged 52864
Nonpaged 9020

#11 DaveM59


Posted 20 November 2006 - 12:50 PM

Hi John, sorry about that download, I forgot to tell you -- if you left click the link the script is displayed in Firefox in a new window. To save the file, right click the link and select <Save Link As>. Then Firefox should save the file to your desktop or whatever your default download location is. Double clicking the icon will run the script.

Dave

Edited by DaveM59, 20 November 2006 - 01:53 PM.


#12 DaveM59


Posted 21 November 2006 - 09:00 AM

John, did you manage to download Silent Runners?

#13 jbcleere


Posted 21 November 2006 - 10:23 AM

Hi Dave,
I followed your instructions and got the silent runners icon on my desktop but when I double-click it I just get the script in notepad. I don't know how to run it.

#14 DaveM59


Posted 21 November 2006 - 12:38 PM

Hi John,

The file should be named Silent Runners.vbs. The icon should look like a blank page with a blue-green scroll inside it, shaped like the letter "S" -- is that what your icon looks like? If the file extension is wrong, try renaming the file and see if it will run.

If you right click the icon and select Properties, it should tell you that the file is a VBScript Script File. The "Opens With" line should say Microsoft Windows Based Script Host. Let me know if that is not how your script is reported. It's also possible that your script hosting has been disabled or removed. If that's the case you should know it, since the program (wscript.exe) is installed by default.

In any case, I'm not sure we need to do Silent Runners. The rootkit scan logs are okay, and your Task Manager numbers strongly suggest that your problem is a lack of physical memory. Any time the "committed charge" exceeds your total physical memory then your system is going to have to use the hard drive to supplement the installed RAM. Swapping program code between the hard drive and the RAM chips slows down operations significantly.

There are diagnostics that can confirm this, but I prefer a seat-of-the-pants approach. Try to borrow another stick of compatible RAM and install it in your machine. I'm willing to bet that doubling your RAM, from 256 to 512 megs, will speed up your machine's performance dramatically.

This is in line with the practical experience of system builders. The rule of thumb for Windows XP is that it's happiest with at least 512 megs of RAM.

For specific advice about boosting your RAM and determining which modules are compatible with your machine, I refer you to the Hardware forum. There are experts there with years of experience in upgrading PCs.

The only alternative is to try to slim down your system by reducing the number of running processes. If you want to try this approach, have a look at the BC startup list. The Forum dedicated to questions about the list is located here.

Please let me know what you find out about Silent Runners. I'm a little puzzled as to why it won't run. Did you ever have Norton installed on this machine? It offers to disable script hosting, and I'm not sure if removing the program reinstates the script hosting.

Cheers,

Dave

Edited by DaveM59, 21 November 2006 - 12:39 PM.


#15 jbcleere


Posted 22 November 2006 - 10:31 AM

Hi Dave,

Sorry it's taking so long to get back to you, I've been working 12 hour night shifts. The silent runners icon is how you describe it on my desktop. It is a .vbs file. When I go to properties it says it will open with notepad. There is no script host option.

...John



