[hotshotvz]

To whom it may concern,

In Dec 2008, I noticed a problem with RAM being drained. In Windows Task Manager, several processes (explorer.exe, iexplorer.exe, svchost.exe, System, wuauclt.exe) were all running at 25,000K+ each. I went to malware forums, they discovered I had a rootkit, and helped me in removing it. After removal, I noticed that those processes were running at 10,000K and below under Memory Usage. In Jan 09, I noticed the exact same symptoms, I again went to Malware Forums, but this time, all of my logs came up clean, and a new symptom emerged. I now had 21 processes running at 15,000K+ each. A list is below. Currently, only those I mentioned in parentheses are running at insane levels. Also, when I start up my computer, I've noticed that svchost.exe reaches levels of 160,000K, wuauclt.exe reaches 60,000K and then disappears after about 3-5 minutes following startup, and the modem (probably the internal fans) is making sounds like a dot matrix printer during this time. I hope this is enough information. If you need to know anything else in regards to software installations/uninstallations, I'd be happy to provide them. One final issue I'm having is with Java, but I don't know if it is related to the RAM drainage problem. In both malware detection processes, I was instructed to use Kaspersky Online AntiVirus, a Java-based AV. When I reached the site, it would try to auto-detect my Java software, but it was say I need to update my Java to 1.5 or higher, even though I have the most up-to-date version. Now, it just closes out my browser (IE and Firefox) if Java is needed to load a website. Mike.

List of 21 processes:
Image Name - User Name - Mem Usage
System - SYSTEM - 61268K
svchost.exe - SYSTEM - 49872K
explorer.exe - CA - 33728K
iexplorer.exe - CA - 31244K (this is the browser I am currently using)
kbd.exe - CA - 23424K
jusched.exe - CA - 22904K
spoolsv.exe - SYSTEM - 19824K
svchost.exe - SYSTEM - 19756K
dllhost.exe - SYSTEM - 19452K
svchost.exe - LOCAL SERVICE - 18616K
svchost.exe - NETWORK SERVICE - 18300K
svchost.exe - SYSTEM - 18220K
ctfmon.exe - CA - 17992K
atiptaxx.exe - CA - 17644K
svchost.exe - NETWORK SERVICE - 17468K
ehRecvr - SYSTEM - 17268K
alg.exe - LOCAL SERVICE - 16848K
ALCXMNTR.EXE - CA - 16764K
sm56hlpr.exe - CA - 16244K
ehtray.exe - CA - 15700K
MDM.exe - SYSTEM - 15392K

[Advertisements]

Hello hotshotvz

Can you tell me how much RAM ( Random Access Memory ) you have installed

hold Windows key ( with windows logo ) and press Pause/break

please give us details of your "system" and "computer"

Also , instead of looking at the Mem usage area Look at the CPU usage and please record the ones using CPU when the system is Idle( Not working hard )

BTW is your computer even running slow ???

also , i dont know what a dot matrix printer sounds like lol ( so i cannot help there )

Anthony19

PS: Do not worry about the "System Idle Process "if this is 99 that is a good sign ( the computer is waiting to do some work )


PSS: have you had your java version verified @ www.java.com , click "Do i have java? " and it will scan your computer for the current version and tell you if you need to be updated, should have Java version Version 6 Update 11

Edited by Anthony19, 10 February 2009 - 03:16 AM.

[Anthony19]

Hello hotshotvz

Can you tell me how much RAM ( Random Access Memory ) you have installed

hold Windows key ( with windows logo ) and press Pause/break

please give us details of your "system" and "computer"

Also , instead of looking at the Mem usage area Look at the CPU usage and please record the ones using CPU when the system is Idle( Not working hard )

BTW is your computer even running slow ???

also , i dont know what a dot matrix printer sounds like lol ( so i cannot help there )

Anthony19

PS: Do not worry about the "System Idle Process "if this is 99 that is a good sign ( the computer is waiting to do some work )


PSS: have you had your java version verified @ www.java.com , click "Do i have java? " and it will scan your computer for the current version and tell you if you need to be updated, should have Java version Version 6 Update 11

Edited by Anthony19, 10 February 2009 - 03:16 AM.

[happyrock]

go here and get Bill P's WinPatrol 2008..
install it and click on the start up tab...get a screenshot for us...

[hotshotvz]

happyrock,

How do I create a screenshot? hotshotvz

[happyrock]

Step 1: press...prnt scrn key

Step 2: Open paint .. click start ... programs ... accessories ... paint

Step 3: left click in the white area...then press ctrl + v

Step 4: click save ...click on desktop on the left hand side...name it in the upper box...save it as a .jpeg in the lower box...

Step 5: to post it in your reply...below where you type your reply...click on browse...select the screenshot...click on the green button...upload..when its done it will say it uploaded successfully...click add reply...it will then show up in your post...

Edited by happyrock, 10 February 2009 - 01:36 PM.

[hotshotvz]

happyrock,

Thank you. Your instructions were very precise. I had no clue that could be done. I guess you learn something new every day. Anyways, I have uploaded the screenshot as you requested. I forgot to ask in my last reply if you wanted the box beside "Display Secret Startup Locations" checked. I also have a question for you, not related to the problem, and I was wondering if I could PM it to you because I only want your eyes to see the question. I thought I would ask for permission because I know some techs do not like to be PMed. If you don't want me to PM you,I understand. I look forward to hearing from you soon. hotshotvz.

Attached Thumbnails

• 

[happyrock]

I forgot to ask in my last reply if you wanted the box beside "Display Secret Startup Locations"

yep...
also tell us how much ram you have installed as asked by Anthony19..

as for for your Java issue....
Sun Java has become a popular attack target for hackers and criminals as it can be found on almost every PC. Sun has responded by regularly releasing new versions that patch newly discovered vulnerabilities.
Unfortunately when you install a new version of Java the old one is not deleted and this is a security risk. This free utility will permanently remove all old and vulnerable versions of Java from your PC. Using it couldn't be simpler...
just download it and run it....
get it here...

also want you to post a screenshot of the performance tab

Edited by happyrock, 10 February 2009 - 07:11 PM.

[hotshotvz]

happyrock,

I think I have all the information you requested.

First of all, my computer has 1GB RAM installed (2x512MB DIMM) with a maximum allowable RAM of 4GB (4x1GB DIMM). If you need a link to my product specifications, I will be happy to provide you with one.

Second of all, I have the two screenshots that you requested. The Performance one is fine, but the WinPatrol had two more programs running than I could fit on my screen. I have them detailed below, but if you want me to take an additional screenshot of those two, I have no problem doing that.
1. termsrv - wlnotify.dll - Microsoft Corporation - Notify - 02/10/2009 12:32 AM
2. wlballoon - wlnotify.dll - Microsoft Corporation - Notify - 02/10/2009 12:32 AM

Third of all, the Java program worked as simple as you said it would. It's amazing how much junk Java left behind on my computer. I greatly appreciate that. I also got Kaspersky to finally recognize my Java, so I think that may be fixed.

If there's anything else you need to know or need to me to do, all you have to do is ask. Thanks very much and I look forward to hearing from you soon. hotshotvz

Attached Thumbnails

• 
• 

[happyrock]

everything looks good...I did a quick (in my head ) addition to the numbers on the ram usage in your first post and it was aprox 500 MB...the performance screenshot confirms my calculations...it takes 1000 Kb to make 1 MB...so 16000 kb =16 MB of ram...
your only using about half of your available ram....and if you added more ram windows will just use more...
a gig is plenty for xp...

these next steps are to put some speed back into your system...
the first thing we are going to do is turn off indexing ....its a resource hog and if you aren't searching for things on your computer 10 times a day it will only slow down your system....if you are having to search a lot get windows search 4 here...get the version that matches your operating system specs

click on start...my computer...right click on C: drive....properties...on the general tab..uncheck ...allow indexing on this drive....if you do not have the box on your system...

then START...RUN...type in SERVICES.MSC...then OK...scroll down until you find INDEXING SERVICE...click on it and in the general tab set it to DISABLED...then exit....

then go to START..RUN...type in MSCONFIG...then click on OK or press ENTER..
click on START UP TAB....if its a tower...uncheck everything EXCEPT your AV and firewall ...if its a laptop you have to be careful about what you uncheck or your touch pad and wireless and things like that will not function for you..
google each start up item to decide if you need it to load with windows...unchecking them does not remove them ..they are still available to use...


To clean your temp folder, recycle bin, index.dat etc..please download this free tool...

CCleaner

Don't install any Toolbars, or other programs, should it ask you...Just
uncheck the option of installing the Yahoo toolbar....if you get
the slim version it does not have the toolbar
thats the one I recommend...
It will put a shortcut on your Desktop.
Click on CCleaner to start it....
Before first use...
Select Options then Advanced.
UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
The rest of the standard settings are fine...

Then click "Run Cleaner"

DO NOT USE ANY OF THE OTHER TOOLS...RUNNING THEM MAY CAUSE OTHER PROBLEMS


next get diskeeper lite here


you do not have to defrag in safe mode with diskeeper lite and its 10 times faster than the defragger that comes with windows


if you are not networked with other computers like at work...
Open Windows Explorer, go to Tools, Folder Options, click on the View tab and uncheck Automatically search for network folders and printers...
after doing these...you should notice faster boot times and a more responsive system

Edited by happyrock, 11 February 2009 - 10:33 AM.

[hotshotvz]

Happyrock,

I followed your instructions and had a few follow-up questions. I had to restart to get some of the changes to take effect (required for MSCONFIG changes). After restart, I pulled up Task Manager, and I noticed that svchost.exe and explorer.exe had fallen to 31280K and 9984K, respectively. However, both wuauclt.exe and System are still running at 60000K, and after about 5 mins, wuauclt.exe disappears. As for the changes to index, I unchecked the box, and when I clicked apply, it asked to make changes to C: only or to make changes to files and subfolders as well. I clicked changes to files and subfolders, was that okay? As for CCleaner, I noticed there was a registry integrity scanner. Is it okay to use that function or should I only use it with the assistance of an expert? Other than that, it does seem like its moving faster, although I'm just a little concerned that System is still using that much Memory. I look forward to hearing from you. hotshotvz.

[happyrock]

your ram usage is absolutely normal...ignore it...this is not a area to monitor UNLESS you notice a extreme slow down in your system...
Wuauclt.exe is the AutoUpdate Client of Windows Update and is used to check for available updates

I clicked changes to files and subfolders, was that okay?

yep

As for CCleaner, I noticed there was a registry integrity scanner

no don't play with any of the tools in ccleaner...just run the cleaner about once per month

[hotshotvz]

happyrock,

That sounds like a good plan to me. Thank you for your help and your patience with me. I greatly appreciate it. hotshotvz

[happyrock]

your welcome...