
Safe To Delete Multiple User Accounts?


Sheryl


Question for all the computer whizzes out there:

I badly need to free up space on my hard drive. Using Windows XP on a Lenovo laptop. 30 Gb on the C drive.

I've already deleted everything I can by way of installed programs and files, and am only using 2 Gb for documents & files. Maybe another 1-2 for programs I've installed.

C:\Documents and Settings is currently hogging up 5 Gb and has folders for:

Sheryl (me)

Default User

Administrator

All Users.Windows

Default User.Windows

There is only one user of this computer, me. Seems to be a lot of duplication of the sub-folders under these folders, although I am not clear if these are complete duplications or if they actually cross-reference each other. Can I safely delete any of these folders?

I have tried going to Control Panel, User Accounts but it seems to show only one account, which is me, as administrator.

(I know little about computers, as this post no doubt shows. So please be patient and walk me through this!)

Thanks


Related query: I seem to have multiple versions of Microsoft .NET framework installed as follows:

.NET Framework 1.1

.NET Framework 2.0 service Pack 2

.NET Framework 3.0 service Pack 2

.NET Framework 3.5 Service Pack 1

I know I several times had to download this in order to run various internet connection devices, most recently a USB link. But it seems to me just one version should suffice. Can I safely uninstall 1.1, 2.0, 3.0? Or does 3.5 require these earlier versions? Using a lot of space.


I think you should take a backup of everything before you start doing anything else...

If I were you I would make a clean install to get rid of all junk... And I would avoid Windows if you just have a 30GB disk...

Do you have space on the D: partition? You can move your My Documents there.

You can also compress your drives if you haven't already..

Martin


Related query: I seem to have multiple versions of Microsoft .NET framework installed as follows:

.NET Framework 1.1

.NET Framework 2.0 service Pack 2

.NET Framework 3.0 service Pack 2

.NET Framework 3.5 Service Pack 1

I know I several times had to download this in order to run various internet connection devices, most recently a USB link. But it seems to me just one version should suffice. Can I safely uninstall 1.1, 2.0, 3.0? Or does 3.5 require these earlier versions? Using a lot of space.

Despite what it says on the MS website I can tell you from experience that different programs require different versions of .NET. Recently on a newly installed machine with XP I tried to load a program that required .NET 2.0 and although .NET 4.0 was installed it refused to run until I also installed .NET 2.0.

Otherwise the advice from siametc is good advice take a backup before deleting anything.

You will probably be unable to uninstall the other user accounts as Administrator and Guest are always installed by MS and probably the shared account as well.

I also think you will find that they use very little space unless any user logs on to that account

I am sure when running out of disk space the last thing you want to do is add more software, but as a temporary measure this program will graphically show you where all your space has gone and may help you get some space back.

Also as noted by siametc, 30GB is very small for a hard disk when running Windows. Maybe a drive upgrade is an option.


Question for all the computer whizzes out there:

I badly need to free up space on my hard drive. Using Windows XP on a Lenovo laptop. 30 Gb on the C drive.

Start off by running the Disk Cleanup Utility.

Related query: I seem to have multiple versions of Microsoft .NET framework installed as follows:

.NET Framework 1.1

.NET Framework 2.0 service Pack 2

.NET Framework 3.0 service Pack 2

.NET Framework 3.5 Service Pack 1

I know I several times had to download this in order to run various internet connection devices, most recently a USB link. But it seems to me just one version should suffice. Can I safely uninstall 1.1, 2.0, 3.0? Or does 3.5 require these earlier versions? Using a lot of space.

You need those, so don't remove them. Unfortunately, one version will not suffice. A typical .NET Framework installation consists of all the components you listed. This offers the maximum compatibility for .NET applications.

.NET 1.1

.NET 3.5 SP1 (also installs .NET 2.0 SP2 + .NET 3.0 SP2)


C:\Documents and Settings is currently hogging up 5 Gb and has folders for:

Sheryl (me)

Default User

Administrator

All Users.Windows

Default User.Windows

There is only one user of this computer, me. Seems to be a lot of duplication of the sub-folders under these folders, although I am not clear if these are complete duplications or if they actually cross-reference each other. Can I safely delete any of these folders?

The answer is basically, No.

The other accounts are default accounts installed by Windows and are necessary for the maintenance of Windows. As you already mentioned, 2 GB is being used of the 5GB for your My Documents folder. You'll probably find that the other accounts aren't using that much disk space. Your account is using most of that 5GB. There are some temporary folders in your account folder that can be cleaned out. Use a program such as CCleaner to clean it up. When you uninstalled programs, there are some folders remaining that had settings for those programs. They probably still remain. It takes an expert to know what folders to remove and they usually are hidden. You risk serious damage to your installation if you delete something that is necessary.

You could uninstall .NET Framework 1.1, but it's not going to free up much disk space.

Best recommendation: Upgrade your hard drive. These days 30GB is way too small for any version of Windows. Hard drives aren't very expensive anymore.

A clean install of Windows will clear up space, but it won't be long before it is full again.


Is it possible that you have a number of duplicate files on your system (eg digital photos that you have more than 1 copy of)?

If so, try googling duplicate file finder and download one of the free utilities - it will scan your C drive, and offer to delete any files that you have more than 1 copy of. I did this a few days ago and freed up 15GB on my laptop.

Another thing you can do to save space is to download the 30-day trial of Window Washer (only 4 Megs) - it basically gets rid of much of the "crud" in your XP install, such as all your "temporary" files, the mysterious "index.dat" file etc etc. It will delete all your cookies, so any sites that you stay automatically logged into (such as thaivisa.com) will need the passwords reentering. If this is a big concern for you, don't run Window Washer :)

Edited by modafinil

If so, try googling duplicate file finder and download one of the free utilities - it will scan your C drive, and offer to delete any files that you have more than 1 copy of. I did this a few days ago and freed up 15GB on my laptop.

You need to be careful with this. Only delete the duplicates for files that you know of. Some system files are duplicated. Deleting duplicates of these will corrupt your system.

Edited by BB1950

You make a good point - thanks. I don't think the software I used brought up any system files, but that may not be true for all the products that offer this capability. As you say, if you don't recognise the file, don't delete it.


Thanks, all.

I had already run disk cleanup utility before posting this. As far as I know, I don't have a D: partition. D is the CDROM drive.

I had also already done a disk defragmentation, is that the same as compressing?

I managed to free up 1.8 GB by deleting a bunch of log files, removing some programs I do need but won't need for almost a year and can reinstall then, and a bunch of Microsoft updates for specific programs I don't use and had already removed (e.g. IE and Outlook).

This buys me a bit of time but I guess a drive update is what I'll have to do.


I had also already done a disk defragmentation, is that the same as compressing?

No, it is not. Compressing compresses the space on the hard drive allowing you to store more data. De-fragmenting reorders the data on the drive so it can be accessed faster.

I wasn't aware that a system drive could be compressed because of the swap file and low level start up programs. But you could give it a try, if it can't be compressed, it won't do it.

Right click on the drive, select properties, and tick the compress this drive check-box at the bottom of the dialog box.

Edited by BB1950

The plot thickens. Although I've been low on drive space for a while I seemed to completely fill up suddenly for no apparent reason.

Just read through my antivirus scan logs. Shows repeated detection and deletion of various worms/trojans (mostly variants of Worm.Win32...) on drive H:. That is the drive assigned to USB if I have 4 inserted at once (E, F, G and H assigned in that order). So it is rarely present and definitely was not at the time of scan. (Using Kaspersky.) One of the infected files listed as on the (non-existent) H drive is an autorun.inf file.

So I think space is being used up by a virus or worm or malware. But can't find it, the scans keep showing it as on drive H.

Tried online BitDefender scan, doesn't detect anything. Nothing comes up with "Hijack This" either. But Kaspersky keeps finding things that it thinks is on H.

Suggestions?

I know I still need more drive space, but the virus angle has me alarmed. Documents and files already backed up on an external hard drive, but if my computer is infected so probably is that.



Switching off System Restore can help you increase the free space on your drive. To do this, go to My Computer, right click and select Properties, then go to the System Restore tab. Click "Turn off System Restore", Apply, OK, and restart your computer - you should now have an extra gig or 2 to play with.

WARNING - the system restore function allows you to "go back in time", and reset your computer as it was perhaps 1 or 2 weeks ago. Some people find this useful - for example, if you accidentally deleted a load of files that you needed, System Restore *might* be able to help you. It is supposed to be useful for getting rid of viruses or malware, but most modern viruses/malware corrupt the system restore files as part of their evildoing. Personally I've had it switched off on various XP machines over the years and I've never missed it.

If you don't want to take the big step, you can reduce the amount of HD space that System Restore uses - go to the System Restore tab as above, and instead of clicking "Turn off System Restore", move the slider which controls how much HD space System Restore uses. Apply, OK, restart your machine, you should now have more HD space.


Re your latest post, download Malwarebytes and run it (it's free, pretty much the best anti-malware program out there). If Malwarebytes comes up with nothing, there's a good chance that your laptop is OK. Kaspersky has a bit of a reputation for coming up with "false positives" (seeing viruses where none exist). You could also try downloading Avira Antivirus and doing a system scan if you are still worried.

Edited by modafinil

Malwarebytes didn't find anything. Only thing that seems to find it is Kaspersky, but it detects it on a drive not in use. I have tried doing a search of My Computer for the file names listed as being infected, doesn't find them.

The Kaspersky scans were all done in normal mode and without turning off System Restore. I'll try the System Restore off/normal mode approach and see if that seems to work.


It does sound a bit like Kaspersky false positive - try googling kaspersky false positive Worm.Win32, and kaspersky false positive autorun.inf

You can never be too careful though - installing and running a couple of the free AVs like Avira, Avast etc will give you some extra peace of mind. Note that you are not really supposed to have more than 1 AV installed and running at a time. Might be worth uninstalling and reinstalling kaspersky and seeing if the problem continues.

When System Restore creates a "restore point", it grabs a chunk of your hard drive space. Normally you won't notice if you have plenty of free space, but when you are juggling HD space System Restore can cause problems. Try going into System Restore and see if it has made a new restore point recently (around the time when your HD free space was reduced, for example).

Good luck :)


True... you can never be careful enough...

I don't think this is any false positive at all.... Malware residing in a camelion file is mapping a drive H: temporarily for the nasty activities... Kaspersky is probably the only one catching this because it is doing on-access scanning or heuristics and it ends up in the log. Then the malware removes the H: drive mapping and you are lost.

Second... Windows Search does not search for all types of files by default... only the ones MS want you to find... That is by default but you can alter it in the registry. Even then there are possibilities to hide.... The attrib command from cmd usually finds files that are hidden like that, or boot the thing on a live CD or USB stick and search from there... But in this case the H: drive is already gone so... dream on....

Third. You should only run one antivirus at the same time. The on-access scanning will cause problems if there are many installed at the same time.

And did you take a backup.... no mercy should ever be shown to those who don't :)

Martin

Edited by siamect

You make some interesting points - I am assuming a chameleon file is one that replaces a Windows system file, appearing to have the same functionality as the Windows file but actually performing different tasks as per the virus/spyware that infected it? It's an interesting theory - supposing you are right, what do you suggest that the OP does about it (besides reinstalling the OS)?

I certainly agree that only one virus scanner should be used at once - uninstalling the existing scanner and reinstalling a different one temporarily seems the best way of doing this for a non power-user.

Since we are trying to assist the OP, the advice to install a couple of different up-to-date AV programs one at a time seems appropriate. The OP probably does not have time to spend tens or hundreds of hours analysing her XP install - at some point she needs to conclude 1) "OK, things seem to be working OK now, will keep an eye on things" or 2) "My XP install has been irretrievably compromised by malware/viruses, time to back up all my files to the external HD, make sure I have all the XP drivers from the Lenovo website for my laptop, and reinstall XP."

I personally stand by my "false positive" theory, but like Martin I would urge you to backup everything, and run as many different AV programs as time permits.


The plot thickens. Although I've been low on drive space for a while I seemed to completely fill up suddenly for no apparent reason.

Just read through my antivirus scan logs. Shows repeated detection and deletion of various worms/trojans (mostly variants of Worm.Win32...) on drive H:. That is the drive assigned to USB if I have 4 inserted at once (E, F, G and H assigned in that order). So it is rarely present and definitely was not at the time of scan. (Using Kaspersky.) One of the infected files listed as on the (non-existent) H drive is an autorun.inf file.

So I think space is being used up by a virus or worm or malware. But can't find it, the scans keep showing it as on drive H.

Tried online BitDefender scan, doesn't detect anything. Nothing comes up with "Hijack This" either. But Kaspersky keeps finding things that it thinks is on H.

Suggestions?

Post your "HijackThis" log file. If there's suspicious activity going on it will show in the log. Also uninstall Kaspersky and install Avira AntiVir (the free version) and run a complete system scan. I'd be curious to see if Avira finds anything...

Malware/virus writers often use Autorun and .vbs scripts to infect Windows computers and spread their handiwork. Protect your system by disabling Autorun functionality as well as the Windows Script Host (WSH). First, download and install this update. Paste the code below into Notepad and save it as a .bat or .cmd file. Double-click to execute; restart Windows for the changes to take effect.

@echo off
REM Toggle AutoRun (per drive type) and Windows Script Host through the registry.
REM Run from an administrator account; restart Windows for the changes to take effect.

:AutoRn
cls
echo.
set /p Q1=Disable Autorun on all drives [y/n]? 
if /I "%Q1%"=="y" goto A_OFF
if /I "%Q1%"=="n" goto A_ON
goto AutoRn

:A_OFF
REM 255 (0xFF) sets every drive-type bit, so AutoRun is suppressed on all drive types.
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v "NoDriveTypeAutoRun" /t REG_DWORD /d 255 /f >nul
REM Map Autorun.inf to a registry key that does not exist, so Explorer never parses the file.
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" /ve /t REG_SZ /d @SYS:DoesNotExist /f >nul
goto NoWSH

:A_ON
REM Restore the Windows XP default, 0x91. REG ADD reads an unprefixed /d value as decimal
REM (91 would be 0x5B, a different set of drive types), so the hex form is written here.
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v "NoDriveTypeAutoRun" /t REG_DWORD /d 0x91 /f >nul
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" /f >nul 2>&1

:NoWSH
cls
echo.
set /p Q2=Disable Windows Script Host [y/n]? 
if /I "%Q2%"=="y" goto W_OFF
if /I "%Q2%"=="n" goto W_ON
goto NoWSH

:W_OFF
REM Enabled=0 makes wscript.exe/cscript.exe refuse to run any .vbs/.js script.
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_SZ /d 0 /f >nul
goto Prmpt

:W_ON
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_SZ /d 1 /f >nul

:Prmpt
echo.
echo Press any key to exit...
pause >nul

:EOF

Note: This won't do anything to solve your current problems, instead it will aid in preventing further Autorun infections and disallow the use of potentially harmful .vbs scripts.


I know I still need more drive space, but the virus angle has me alarmed. Documents and files already backed up on an external hard drive, but if my computer is infected so probably is that.

A few more things you can do to free up disk space. :)

1. Disable Hibernation (Control Panel > Power Options)

This feature is enabled by default on most systems. The size of C:\hiberfil.sys (hidden) strictly depends on the amount of memory your computer has. If you don't put your computer in hibernation, disable this feature to save space.

2. Clear out %TEMP%

Everything here can be deleted. Paste the code below into Notepad and save it as a .bat or .cmd file. Double-click to execute.

@echo off
cls
echo.&echo Deleting items, please wait...

REM Work inside the current user's temp folder. If the cd fails, stop rather than
REM run the deletes in whatever folder the script was started from.
cd /d "%TEMP%" || exit /b 1
REM Clear the system/hidden/read-only attributes so del does not skip files, then delete them.
attrib -s -h -r /s /d & del /f /q *.*
REM Remove the remaining subdirectories; anything still in use is skipped.
for /D /R %%a in ( * ) do rmdir /s /q "%%a"

3. Delete Chrome updates (skip if not using Google Chrome)

If you've been using Chrome for awhile, there will likely be several versions of Chrome in the Chrome application folder. You can easily spot these by taking note of the build numbers in the folder name (e.g. 5.0.nnn.nn, 6.0.nnn.nn). KEEP the latest one (currently at 6.0.472.63) and get rid of the rest. Do not delete anything else! This will recover several hundred megs depending on how many previous versions there are. For quick and easy access to the Chrome application folder, open Google Chrome shortcut Properties, click Find Target... or navigate to: C:\Documents and Settings\Username\Local Settings\Application Data\Google\Chrome\Application.

While on the subject of web browsers, it's also a good idea to limit your browser cache to 50MB or 100MB max. Internet Explorer in particular, is notorious for allocating insane amounts of disk space for storing Temporary Internet Files.

4. Microsoft Office Cache

If you have Microsoft Office installed, chances are there's a hidden folder called MSOCACHE residing at the root of drive C:. This folder stores Office setup files, aka: local install source, so you do not have to use the original installation media to perform subsequent maintenance tasks (e.g. add/remove Office features, repairs, etc). Methods for removing it are given here.

And finally...

5. The 'dllcache' repository

WARNING: I don't recommend anybody do this, but if you're really that desperate and in need of disk space, delete the C:\Windows\system32\dllcache repository. Although it isn't vital to the operation of Windows, this hidden folder caches important Windows system files. Once it's gone, Windows File Protection won't be able to restore system files to their original state should they become corrupt or get deleted by mistake.


To garner more space, may I suggest resizing your Windows swap file from "Auto" to a fixed size of, say, 200MB. Yes, both the "System Restore" adjustment and disabling "Hibernation" are good advice.

I agree with siamect's post...

Malware residing in a camelion file is mapping a drive H: temporarily for the nasty activities... Kaspersky is probably the only one catching this because it is doing on-access scanning or heuristics and it ends up in the log. Then the malware removes the H: drive mapping and you are lost.

In this scenario the temp drive H: is being created as a RAM drive, say 15% of available RAM (if you have 1 GB then a 150 MB drive), then that drive is marked as Hidden, then it creates a 100MB file, then transfers the file(s) to your hard drive, possibly into a hidden folder or anywhere on your drive, and the files are possibly set with the attributes

- Read-Only

- Hidden

- System

so they can't be seen or deleted until the -R and -S attributes are removed. Then the RAM drive H: is perhaps deleted.

If this is what's happening, there are likely many of these files on your disk. The commands to do the above are completely legitimate to execute on Windows systems. The above could easily execute in <5 seconds. It could happen several times a day, slowly filling up the hard disk. One would notice nothing, except space disappearing. There would be no Event Viewer entries for this.

For the above to happen, the code must be resident in RAM: a system file could be involved, or a hidden file on the USB (which autorun.inf is running), or a rootkit. The HijackThis log will help in locating it.

I've an app from SysInternals for rootkit detection, RootkitRevealer v1.71 from 2006-11-01. Perhaps a member has a more recent app. You are welcome to it.

Since you have a small 30GB drive it is likely partitioned as a single large bootable primary, with no room to create a logical partition. So this is out.

Per Supernova, do disable Autorun functionality as well as the Windows Script Host (WSH), as was suggested.

I prefer Nod32 or Avast as an A/V app.

Cheers,

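The hidden-attribute angle raised in the two posts above (Martin's point that attrib finds what Explorer and Windows Search hide, and the Read-Only/Hidden/System files described just above) can be checked without installing a tree-map tool. The Python script below is an added example written for this page; it is not code posted in the thread and not part of any product mentioned in it. It walks a directory tree, totals bytes per folder so you can see where the space went, and flags files that carry both the Hidden and System attributes, plus any autorun.inf sitting on a disk where it has no business being. The attribute bits come from os.stat's st_file_attributes on Python 3.5 or later; on Python 3.4 (the last release that runs on XP) the script asks the Win32 API directly, and on non-Windows systems nothing is flagged by attribute but the size report still works. Run it as "python diskscan.py C:\" from an administrator account so it can read every folder; make_sample_tree only builds a small constructed tree for demonstration.

```python
"""Added example (not from the thread): per-folder disk usage plus a
Hidden+System / autorun.inf finder, for locating where space has gone."""
import os
import stat
from collections import defaultdict

# Win32 file attribute bits (values from the Windows SDK).
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
INVALID_FILE_ATTRIBUTES = 0xFFFFFFFF
HIDDEN_SYSTEM = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM


def file_attributes(path, st):
    """Win32 attribute bits for a file, or 0 where the platform has none.
    Python 3.5+ on Windows exposes them on the stat result; older Windows
    Pythons need GetFileAttributesW; other OSes simply have no such bits."""
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is not None:
        return attrs
    if os.name == "nt":
        import ctypes
        k32 = ctypes.windll.kernel32
        k32.GetFileAttributesW.restype = ctypes.c_uint32   # DWORD, not a signed int
        k32.GetFileAttributesW.argtypes = [ctypes.c_wchar_p]
        attrs = k32.GetFileAttributesW(path)
        return 0 if attrs == INVALID_FILE_ATTRIBUTES else attrs
    return 0


def scan(root):
    """Walk root. Returns (dir_sizes, flagged): dir_sizes maps every directory
    to the bytes stored beneath it (subdirectories included); flagged lists
    (path, size, attrs) for files marked Hidden+System or named autorun.inf."""
    root = os.path.abspath(root)
    dir_sizes = defaultdict(int)
    flagged = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dir_sizes[dirpath] += 0                   # record empty directories too
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:                       # locked or access denied: skip it
                continue
            if stat.S_ISLNK(st.st_mode):          # do not follow symlinks/reparse points
                continue
            size = st.st_size
            d = dirpath                           # charge the bytes to every ancestor
            while True:
                dir_sizes[d] += size
                if d == root:
                    break
                d = os.path.dirname(d)
            attrs = file_attributes(path, st)
            if (attrs & HIDDEN_SYSTEM) == HIDDEN_SYSTEM or name.lower() == "autorun.inf":
                flagged.append((path, size, attrs))
    return dict(dir_sizes), flagged


def top_dirs(dir_sizes, n=10):
    """Largest n directories by total size, the same view a tree-map tool gives."""
    return sorted(dir_sizes.items(), key=lambda kv: kv[1], reverse=True)[:n]


def make_sample_tree():
    """Constructed demo tree (not real data): 100-byte file at the root,
    250-byte file and a 10-byte autorun.inf in 'sub'. Returns (root, sub)."""
    import tempfile
    root = tempfile.mkdtemp(prefix="diskscan_")
    sub = os.path.join(root, "sub")
    os.mkdir(sub)
    with open(os.path.join(root, "a.bin"), "wb") as f:
        f.write(b"x" * 100)
    with open(os.path.join(sub, "b.bin"), "wb") as f:
        f.write(b"y" * 250)
    with open(os.path.join(sub, "autorun.inf"), "wb") as f:
        f.write(b"[autorun]\n")
    return root, sub


if __name__ == "__main__":
    import sys
    sizes, flagged = scan(sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()[0])
    for d, sz in top_dirs(sizes):
        print("{:10.1f} MB  {}".format(sz / 2 ** 20, d))
    for path, sz, attrs in flagged:
        print("FLAG attrs=0x{:02x} {} bytes {}".format(attrs, sz, path))
```

A file that shows up here as Hidden+System in a user profile or a temp folder, or an autorun.inf on the C: drive, is worth looking at with attrib -s -h before deciding whether to delete it; Windows itself legitimately marks things like hiberfil.sys and the dllcache folder this way, so the flag is a prompt to look, not a verdict.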

I am assuming a chameleon file is one that ....

Camelion is a word and there are probably more definitions than the one I give here... (green thing with 4 legs that changes colors)

Malware needs to store itself on your computer. It can do that by attaching itself to existing files, or it can do it the simple way by just saving its content in a file and making something else refer to this file, to make the thing active.

Both of these ways make it very easy for an antivirus program to discover. The normal way for an antivirus program to search for viruses or other malware is to compare parts of the files to known patterns of malware. This can be done by calculating the checksum of the suspected malware part of a file or by direct comparison.

Camelion properties mean that the virus is trying to avoid storing itself in the same way all the time. It can modify, encrypt, compress, put in jumps or in other ways mess up its content, but still keeping the code executable so it can still do its mission.

There are probably more things to this subject. There is a virus called Chameleon that I don't know if it had these properties or not.

And I don't know if the correct spelling is Chameleon or Cameleon or anything else...

Martin


Interesting info about the C-virus - thanks :) Lots of good advice on this thread. Avira has a free anti-rootkit utility posted on their site, they are usually very good at keeping their products up to date.

Avira also have a bootable antivirus CD that you can download, rather than running XP it fires up some Linux code which does a full drive scan. Useful when you can no longer boot into Windows, or some particularly tenacious malware will not let you install/run any AV software. It comes with Avira's latest anti-virus definitions- highly recommended, fixed the last XP box that I looked at enough for me to run Malwarebytes and get everything running smoothly again.

Edited by modafinil

Some great info here. I will get back to some of it later. Meanwhile here is the HJT log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:51:04 PM, on 9/26/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.21256)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe

C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\PMHandler.exe

C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\agrsmsvc.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe

C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\PMSveH.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe

C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe

C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe

C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtblfs.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thaivisa.com/forum/Health-Body-Medicine-f23.html

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = isaserver:8080

O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\ievkbd.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll

O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe"

O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\ie_banner_deny.htm

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

O9 - Extra button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{EF8DBA57-08F2-4CB1-BBDC-ED552D63357A}: NameServer = 202.131.80.1,202.131.80.9

O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll

O23 - Service: Kaspersky Anti-Virus Service (AVP) - Kaspersky Lab ZAO - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

--

End of file - 5700 bytes

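Reading a HijackThis log by eye means knowing which entry classes matter: the R1 proxy line, the O4 autostarts, the O17 per-adapter name servers, the O20 AppInit_DLLs list, and O23 services with no publisher. The Python block below is an added example written for this page, not code from the thread and not part of HijackThis; it does that triage over the posted log lines. It parses the Rn/Fn/On entry lines, pulls the binary path out of each, and raises a finding for the classes just listed. The sample lines are copied from the log above, except one O4 line that is constructed to show what an autostart from a user-writable folder looks like (there is no such entry in the real log); the list of "user-writable" path fragments is this example's own assumption about where vendor software does not normally live.

```python
"""Added example (not from the thread): triage of HijackThis v2 log lines."""
import re

# Entry lines look like "O4 - HKLM\..\Run: [Name] path"; process-list lines do not match.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# A Windows path ending in an executable-ish extension, quoted or not. A comma ends a
# path because AppInit_DLLs lists several DLLs comma-separated.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\r\n,]*?\.(?:exe|dll|cpl|scr|bat|cmd|vbs|js))"?', re.I)

# Autostart locations that legitimate vendor software rarely uses (this example's assumption).
USER_WRITABLE_HINTS = (
    "\\local settings\\temp\\",
    "\\application data\\",
    "\\temporary internet files\\",
    "\\recycler\\",
    "\\windows\\temp\\",
)


def parse(lines):
    """Yield (code, body) for each HJT entry line, skipping headers and the process list."""
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def paths_in(body):
    """All binary paths mentioned in one entry body, in order."""
    return PATH_RE.findall(body)


def dns_servers(lines):
    """Name servers from O17 entries: the thing the reply above checked by eye."""
    servers = []
    for code, body in parse(lines):
        if code == "O17" and "NameServer" in body:
            servers.extend(s.strip() for s in body.split("=", 1)[1].split(","))
    return servers


def triage(lines):
    """Return (code, reason, body) findings for the entry classes worth a second look."""
    findings = []
    for code, body in parse(lines):
        low = body.lower()
        if code == "R1" and "proxyserver" in low:
            findings.append((code, "system proxy configured; traffic can be redirected", body))
        elif code == "O4":
            for p in paths_in(body):
                if any(h in p.lower() for h in USER_WRITABLE_HINTS):
                    findings.append((code, "autostart from user-writable path: " + p, body))
        elif code == "O17" and "nameserver" in low:
            findings.append((code, "per-adapter DNS servers set; confirm they are your ISP's", body))
        elif code == "O20" and "appinit_dlls" in low:
            findings.append((code, "AppInit_DLLs loads into most GUI processes; verify the vendor", body))
        elif code == "O23" and "unknown owner" in low:
            findings.append((code, "service binary carries no publisher information", body))
    return findings


SAMPLE_LOG = [
    # Lines copied from the log posted above; header and process lines are ignored by parse().
    "Logfile of Trend Micro HijackThis v2.0.2",
    "Running processes:",
    r"C:\WINDOWS\System32\smss.exe",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thaivisa.com/forum/Health-Body-Medicine-f23.html",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = isaserver:8080",
    r'O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe"',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    # CONSTRUCTED line, not in the posted log: what a temp-folder autostart would look like.
    r"O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Sheryl\Local Settings\Temp\svchost.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{EF8DBA57-08F2-4CB1-BBDC-ED552D63357A}: NameServer = 202.131.80.1,202.131.80.9",
    r"O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll",
    r"O23 - Service: Kaspersky Anti-Virus Service (AVP) - Kaspersky Lab ZAO - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe",
    r"O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe",
]

if __name__ == "__main__":
    print("DNS servers:", ", ".join(dns_servers(SAMPLE_LOG)))
    for code, reason, body in triage(SAMPLE_LOG):
        print("{:4} {}\n     {}".format(code, reason, body))
```

Everything the script flags on the real log lines is explainable from the thread itself (the Kaspersky DLLs, the ThinkVantage service, the ISA proxy, the CamboTech name servers); the point is that a findings list like this is what to compare against the next log if the phantom H: detections continue.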

Some great info here. I will get back to some of it later. Meanwhile here is the HJT log

<snip>

HJT log - Don't know if you're aware of it, but your network connection is configured to use CamboTech name servers. Other than that, there are no suspicious processes as far as I can tell.

Below is a slight modification of the command script I included in an earlier post. I added an entry to remove the "MountPoints2" registry key -- which is responsible for keeping track of mapped drives and USB devices plugged into your computer. While present, this key will override the Autorun settings if you connect a device Windows has seen before. Removing it will provide an extra layer of security and may also solve the mysterious drive H: dilemma, although I can't confirm the latter. Only way to find out is to run the batch file (to disable Autorun), which I suggest you do anyway.

@echo off
REM Toggle AutoRun (per drive type) and Windows Script Host through the registry.
REM Run from an administrator account; restart Windows for the changes to take effect.

:AutoRn
cls
echo.
set /p Q1=Disable Autorun on all drives [y/n]? 
if /I "%Q1%"=="y" goto A_OFF
if /I "%Q1%"=="n" goto A_ON
goto AutoRn

:A_OFF
REM Drop the cached per-device AutoRun data, so devices Windows has seen before get no exemption.
REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" /f >nul 2>&1
REM 255 (0xFF) sets every drive-type bit, so AutoRun is suppressed on all drive types.
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v "NoDriveTypeAutoRun" /t REG_DWORD /d 255 /f >nul
REM Map Autorun.inf to a registry key that does not exist, so Explorer never parses the file.
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" /ve /t REG_SZ /d @SYS:DoesNotExist /f >nul
goto NoWSH

:A_ON
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" /f >nul 2>&1
REM Restore the Windows XP default, 0x91. REG ADD reads an unprefixed /d value as decimal
REM (91 would be 0x5B, a different set of drive types), so the hex form is written here.
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v "NoDriveTypeAutoRun" /t REG_DWORD /d 0x91 /f >nul

:NoWSH
cls
echo.
set /p Q2=Disable Windows Script Host [y/n]? 
if /I "%Q2%"=="y" goto W_OFF
if /I "%Q2%"=="n" goto W_ON
goto NoWSH

:W_OFF
REM Enabled=0 makes wscript.exe/cscript.exe refuse to run any .vbs/.js script.
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_SZ /d 0 /f >nul
goto Prmpt

:W_ON
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_SZ /d 1 /f >nul

:Prmpt
echo.
echo Press any key to exit...
pause >nul

:EOF

Edited by Supernova
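Both versions of Supernova's batch file in this thread set NoDriveTypeAutoRun to 255 to switch AutoRun off and write a smaller value to turn it back on. The Python block below is an added example written for this page, not part of the thread and not from any Microsoft tool: it decodes that bitmask into drive types using the documented bit order (0x01 unknown, 0x02 no root directory, 0x04 removable, 0x08 fixed, 0x10 remote, 0x20 CD-ROM, 0x40 RAM disk, 0x80 reserved), and it shows why the restore value has to be written as hex 0x91 rather than decimal 91: REG ADD reads an unprefixed /d value as decimal, and 91 decimal is 0x5B, which leaves removable drives and CD-ROMs with AutoRun enabled while disabling it on the fixed disk. read_policy reads the live value with winreg and therefore returns None anywhere but Windows; it reads only the HKLM policy key because that one takes precedence over the HKCU copy. The 0x91 default for Windows XP is Microsoft's documented value.

```python
"""Added example (not from the thread): decode/encode the NoDriveTypeAutoRun
bitmask written by the batch files above, and read the live value on Windows."""

# Bit per drive type, in the Win32 DRIVE_* order. A set bit disables AutoRun for that type.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable (USB/floppy)",
    0x08: "fixed (hard disk)",
    0x10: "remote (network)",
    0x20: "CD-ROM/DVD",
    0x40: "RAM disk",
    0x80: "reserved",
}
ALL_DISABLED = 0xFF          # the value the batch file writes as 255
XP_DEFAULT = 0x91            # unknown | remote | reserved: what XP uses when the value is absent


def decode(mask):
    """Drive types for which AutoRun is disabled by this mask."""
    return {name for bit, name in DRIVE_TYPE_BITS.items() if mask & bit}


def encode(disabled_names):
    """Mask that disables AutoRun for exactly the named drive types."""
    mask = 0
    for bit, name in DRIVE_TYPE_BITS.items():
        if name in disabled_names:
            mask |= bit
    return mask


def autorun_allowed_on(mask):
    """Drive types where AutoRun would still fire: the attack surface a mask leaves open."""
    return {name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit}


def reg_add_line(mask):
    """The REG ADD command that sets this mask, always in 0x form so it cannot be
    misread as decimal (this example's rendering, not a Microsoft-published string)."""
    return ('REG ADD "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer" '
            '/v "NoDriveTypeAutoRun" /t REG_DWORD /d 0x{:02X} /f'.format(mask))


def read_policy():
    """Live HKLM policy value on Windows (takes precedence over HKCU), else None."""
    try:
        import winreg
    except ImportError:
        return None
    key = r"SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
            value, vtype = winreg.QueryValueEx(k, "NoDriveTypeAutoRun")
            return value if vtype == winreg.REG_DWORD else None
    except OSError:          # key or value absent: Windows falls back to its default
        return None


if __name__ == "__main__":
    for label, mask in (("255 / 0xFF", ALL_DISABLED), ("0x91 (XP default)", XP_DEFAULT),
                        ("91 decimal (0x5B)", 91)):
        left = sorted(autorun_allowed_on(mask)) or ["nothing"]
        print("{:18} AutoRun still allowed on: {}".format(label, ", ".join(left)))
    live = read_policy()
    print("live HKLM policy:", hex(live) if live is not None else "not readable here")
    print(reg_add_line(XP_DEFAULT))
```

On the poster's machine the interesting comparison is the third line of output: with decimal 91 in the registry, AutoRun still runs from USB sticks and CDs, which is exactly the path an autorun.inf worm uses, so the restore branch of the script is only a real restore if the value is written as 0x91.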
