# Hard drive nearly full for no apparent reason



## keymooney (Dec 31, 2008)

Running XP on an HP Pavilion ze2000 with a 60 gig HD. Several months back my HD nearly filled up on its own. I've spent hours reading and researching potential causes but to no avail. I've tried turning off System Restore then turned it back on, but nothing there. My Windows directory and sub-directories show that there are 50 GB used in it alone, but my limited knowledge prevents me from finding the specifics regarding where all this data is and why it was placed there.

My machine runs very slow. Please help!


----------



## ~Candy~ (Jan 27, 2001)

Hi and welcome. When you turned system restore off, did you reboot?


----------



## keymooney (Dec 31, 2008)

I did reboot.


----------



## ~Candy~ (Jan 27, 2001)

Go to the malware removal forum, read the first thread there, follow the instructions on how to download, install, run and post a HijackThis log. Post the log BACK TO THIS THREAD though.


----------



## keymooney (Dec 31, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:14 AM, on 1/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\GCI Security Guard\Common\FSM32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\GCI Security Guard\Anti-Virus\fsgk32st.exe
C:\Program Files\GCI Security Guard\Common\FSMA32.EXE
C:\Program Files\GCI Security Guard\Anti-Virus\FSGK32.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\GCI Security Guard\Common\FSMB32.EXE
C:\Program Files\GCI Security Guard\Common\FCH32.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\GCI Security Guard\Common\FAMEH32.EXE
C:\Program Files\GCI Security Guard\Anti-Virus\fsqh.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\GCI Security Guard\FSAUA\program\fsaua.exe
C:\Program Files\GCI Security Guard\FSGUI\fsguidll.exe
C:\Program Files\GCI Security Guard\Anti-Virus\fssm32.exe
C:\Program Files\GCI Security Guard\FWES\Program\fsdfwd.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\GCI Security Guard\FSAUA\program\fsus.exe
C:\Program Files\GCI Security Guard\Anti-Virus\fsav32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe 
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\GCI Security Guard\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\GCI Security Guard\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk (file missing)
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games - Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://198.182.65.154/activex/AxisCamControl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games - Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab55579.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\GCI Security Guard\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\GCI Security Guard\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\GCI Security Guard\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\GCI Security Guard\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 13200 bytes


----------



## ~Candy~ (Jan 27, 2001)

I don't see anything other than Viewpoint could be uninstalled, and your startup list is a little large. I'll see if I can have a log expert give a second opinion.


----------



## Cookiegal (Aug 27, 2003)

There are some policies that are usually set by SpyBot Search & Destroy but I don't see that program installed. And yes, Viewpoint and an older version of Java.

Let's just take a look at a couple of other things.

Please download Malwarebytes Anti-Malware from *Here* or *Here*

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply along with a new HijackThis log please.

Extra Note:
*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
Also, if you receive an (Error Loading) error on reboot please reboot a second time. It is normal for this error to occur once and does not need to be reported unless it returns on future reboots.*

Also, please do this:

Open HijackThis and click on "Config" and then on the "Misc Tools" button. If you're viewing HijackThis from the Main Menu then click on "Open the Misc Tools Section". Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.


----------



## Frank4d (Sep 10, 2006)

It could be updates continually failing to install. How much space is used by the C:\Windows\Installer folder?


----------



## ~Candy~ (Jan 27, 2001)

Thanks to Derek and Karen for responding so quickly.


----------



## Cookiegal (Aug 27, 2003)

You're welcome. Great minds Derek.


----------



## keymooney (Dec 31, 2008)

I HAVE had updates continually failing to install and my hard disk began filling up around that time!! I don't find a c:\Windows\Installer folder, but there are approximately 190 subfolders in the Windows directory that begin with $NtUninstallKB######$. I think you're onto something here!


----------



## Frank4d (Sep 10, 2006)

I don't think the $NtUninstallKB######$ files are the problem, so leave them alone for now. They are uninstall folders for updates that did install properly.

C:\Windows\Installer is a hidden folder. Open My Computer and click the Tools button, then Folder options, then the View tab. Tick the button next to "Show hidden files and folders" then Apply. You should then be able to see the C:\Windows\Installer folder.

If you right click on it then click Properties, does it show that is what is using most of your drive space?

If so, look to see if there are multiple .MSP files with random names... but with the exact same file size and date. If found, select the file, right click, and then click "Summary". The title line should show what the patch file is for.

Let us know what you find.


----------



## keymooney (Dec 31, 2008)

The "Show Hidden Files and Folders" box IS checked yet the C:\Windows\Installer folder is not being displayed in the Windows subfolder list. I know there is such a folder because while I was running the Malwarebytes' Anti-Malware program I noticed the directory.

What now?


----------



## Cookiegal (Aug 27, 2003)

Please post the results of the scan with MalwareBytes as well. We can troubleshoot together.


----------



## keymooney (Dec 31, 2008)

Thanks, Cookiegal. It's still running. It is taking a long time to get through those *.msp files. I'll post the results when it's finished. Should I have run the less thorough scan?


----------



## Cookiegal (Aug 27, 2003)

No, that's fine.


----------



## keymooney (Dec 31, 2008)

One malware found on HD > Vendor = Hijack.StartMenu. Category = Registry Data. Item = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff


----------



## CapriAnupam (Jul 9, 2008)

Please download

TreeSize : http://www.jam-software.com/freeware/index.shtml

or

WinDirStat : http://windirstat.info/

These two programs will tell you how much space each directory is using. So you will know where your hard disk space is going.


----------



## Frank4d (Sep 10, 2006)

keymooney said:


> The "Show Hidden Files and Folders" box IS checked yet the C:\Windows\Installer folder is not being displayed in the Windows subfolder list. I know there is such a folder because while I was running the Malwarebytes' Anti-Malware program I noticed the directory.
> 
> What now?


Sorry, I forgot we also need to uncheck "Hide protected operating system files".


----------



## keymooney (Dec 31, 2008)

Frank4d and all,

My c:\Windows\Installer folder is the culprit! It has 34GB of data in it.

What can I do with this data? Can it simply be deleted? 

Why did this happen and how can I prevent it from happening?


----------



## ~Candy~ (Jan 27, 2001)

http://support.microsoft.com/default.aspx?scid=kb;en-us;290301

Run that program.


----------



## Frank4d (Sep 10, 2006)

Don't delete the folder or the files in it... that will cause more headaches.

You want to find which files are causing the problem as I described in post #12. (Office 2003 update is a fairly common one).

Then run the program AcaCandy linked above and select only the installed product that is causing the problem. You may have to re-install the cleaned up program afterward.


Edit: The cleanup program installation is sort of strange. You download and install "msicuu2.exe" from the link above. It gets installed into a C:\Program Files\Windows Installer Clean Up folder, but there is no shortcut icon on the desktop. So you need to go to that folder and execute the "msicuu.exe" file to run the Cleanup.


----------



## Cookiegal (Aug 27, 2003)

keymooney said:


> One malware found on HD > Vendor = Hijack.StartMenu. Category = Registry Data. Item = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff


You didn't post the log so I have to assume you had it fix that?

Also, please do the second part of my instructions:

Open HijackThis and click on "Config" and then on the "Misc Tools" button. If you're viewing HijackThis from the Main Menu then click on "Open the Misc Tools Section". Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.


----------



## keymooney (Dec 31, 2008)

How do I determine which installed product caused the problem? And how do I get rid of the files in the installer directory or will the Windows Installer Cleanup program take care of that?


----------



## keymooney (Dec 31, 2008)

Cookiegal,

I did nothing with the results of the Malwarebytes' program. It found that one entry but I didn't do anything with it.

Here's the uninstall list from HijackThis:

Adobe Flash Player 10 ActiveX
Adobe Reader 7.1.0
Adobe Shockwave Player 11
Adobe® Photoshop® Album Starter Edition 3.2
Apple Software Update
BlackBerry Desktop Software 4.3
BlackBerry Desktop Software 4.3
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
CCleaner (remove only)
GCI Security Guard
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
HP Customer Participation Program 7.0
HP Imaging Device Functions 7.0
HP Photosmart Essential
HP Photosmart, Officejet and Deskjet 7.0.A
HP PSC & OfficeJet 5.3.B
HP Solution Center 7.0
HP Update
iTunes
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Office Basic Edition 2003
Microsoft SQL Server 2005 Compact Edition [ENU]
MSXML 6 Service Pack 2 (KB954459)
OCR Software by I.R.I.S 7.0
Picasa 2
QuickTime
Roxio Media Manager
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB960714)
Synaptics Pointing Device Driver
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Windows Imaging Component
Windows Installer Clean Up
Windows Live Messenger
Windows Media Format Runtime


----------



## Frank4d (Sep 10, 2006)

keymooney said:


> How do I determine which installed product caused the problem? And how do I get rid of the files in the installer directory or will the Windows Installer Cleanup program take care of that?


Look in C:\Windows\Installer for multiple .MSP or .MSI files with random names... but with the exact same file size. If found, select the file, right click, and then click "Summary". The title line should show what the patch file is for. (One that I have seen mentioned a few times here is for Office 2003 updates).

Selecting the program that is causing the problem in the Cleanup Utility will automatically delete files from the C:\Windows\Installer folder. It usually uninstalls the program too. Therefore, be prepared to reinstall the program that caused the problem.


----------
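The check described in the post above (files in C:\Windows\Installer with the exact same size, then the Summary title of one of them) can be scripted. This is an added example, not part of any post in the thread; it assumes PowerShell 3.0 or later, only reads files, and its function and parameter names are illustrative. Equal size is a hint that files are repeated copies of one patch, not proof.

```powershell
# Added example (not from the thread): read-only inventory of the Installer cache.
# Groups .msp/.msi files by exact size, the heuristic described in the thread,
# and reads the Summary "Title" of one file per group. Nothing is deleted.
param(
    # Folder named in the thread; pass another path to try the script elsewhere.
    [string]$InstallerDir = (Join-Path $env:SystemRoot 'Installer'),
    # Report only sizes shared by at least this many files.
    [int]$MinCopies = 2
)

function Get-PackageTitle {
    param([string]$Path)
    try {
        # The Windows Installer automation object is late-bound COM,
        # so its members are reached through InvokeMember.
        $installer = New-Object -ComObject WindowsInstaller.Installer
        $summary = $installer.GetType().InvokeMember(
            'SummaryInformation', 'GetProperty', $null, $installer, @($Path, 0))
        # Summary property 2 is the Title field shown on the Summary tab.
        return $summary.GetType().InvokeMember(
            'Property', 'GetProperty', $null, $summary, @(2))
    }
    catch {
        return '(title not readable)'
    }
}

function Get-SameSizePackages {
    param([string]$Dir, [int]$Min)
    # -Force so that hidden or system entries are included in the listing.
    $files = Get-ChildItem -LiteralPath $Dir -Force -ErrorAction Stop |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(msp|msi)$' }

    $files | Group-Object -Property Length |
        Where-Object { $_.Count -ge $Min } |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object LastWriteTime
            $first = $sorted | Select-Object -First 1
            $last = $sorted | Select-Object -Last 1
            [pscustomobject]@{
                Copies  = $_.Count
                SizeMB  = [math]::Round($first.Length / 1MB, 1)
                TotalGB = [math]::Round(($first.Length * $_.Count) / 1GB, 2)
                Oldest  = $first.LastWriteTime.ToString('yyyy-MM-dd')
                Newest  = $last.LastWriteTime.ToString('yyyy-MM-dd')
                Sample  = $first.Name
                Title   = Get-PackageTitle -Path $first.FullName
            }
        } |
        Sort-Object TotalGB -Descending
}

$groups = @(Get-SameSizePackages -Dir $InstallerDir -Min $MinCopies)
if ($groups.Count -eq 0) {
    Write-Output "No size shared by $MinCopies or more .msp/.msi files in $InstallerDir"
}
else {
    # Largest total first: the top rows are the candidates to look up by title.
    $groups | Format-Table Copies, SizeMB, TotalGB, Oldest, Newest, Sample, Title -AutoSize -Wrap
}
```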



## Cookiegal (Aug 27, 2003)

Run MalwareBytes again following these instructions:


When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply along with a new HijackThis log please.

I find it odd that an older version of Java shows in the running processes but no Java is installed.


----------



## keymooney (Dec 31, 2008)

Cookiegal,

Thanks for the help. I'll send you the MalwareBytes' results after I run the program again.

Any advice for dealing with the older Java version? Can it be removed and/or replaced with an update?


----------



## Cookiegal (Aug 27, 2003)

keymooney said:


> Cookiegal,
> 
> Thanks for the help. I'll send you the MalwareBytes' results after I run the program again.
> 
> Any advice for dealing with the older Java version? Can it be removed and/or replaced with an update?


We can download the latest version but might have to remove the older one from the registry manually. Can you check in Add/Remove programs in the Control Panel to see if it's listed there please? It should look like the following or something similar:

Java (TM) SE Runtime Environment 6 update 1 or maybe just:

Java (TM) 6 update 1


----------



## keymooney (Dec 31, 2008)

Frank4d and all,

I removed Office 2003 in the Cleanup Utility and rebooted, but the files are still in the c:\Windows\Installer directory.

Here is the Summary line from one of the files in the Installer directory:

Office 2003 Patch;MAINSP3.accwiz.Analys32_ENG.eurotool.xl.Excel.fm20.fpcutl.fpdbrgn.fpeditax.fp.FrontPG.gdiplus.gpfilt_ENG.graph.INFOPATH.infpxsn_ENG.lccwiz_ENG.MAINSP1.accwiz.blnmgr.xl.fp.gdiplus.graph.infopath.mainsp.mainsp1_ENG.ac.mshy3es.mso.olkintl_ENG.o

What now?


----------



## keymooney (Dec 31, 2008)

Cookiegal,

I found Java (TM) SE Runtime Environment 6 update 1 in my Add/Remove Programs, but it does not give me the option to remove it. What now? Thx.


----------



## Compiler (Oct 11, 2006)

Having an installer directory that is 34GB is shocking... it should, at most, be a few hundred MB.

To make it EASIER to see what is sucking up your space, but most likely you have either a corrupted or infected file that is huge... get this free tool called "Space Monger" - a system cleaner called Glary Utilities works for cleanup.

http://www.download.com/SpaceMonger/3000-2248_4-10050288.html?tag=mncol

Click on your drive, and it shows you graphically what is sucking up a lot of space... the BEST way to see what is causing such problems.


----------



## keymooney (Dec 31, 2008)

Compiler,

Can you help me with how to get rid of the Installer files? Most of the files in that directory are .msp files and they're very large. I ran the Glary Utilities but I can't figure out how to get rid of the files. I tried deleting them one at a time, but the percentage of free space actually increased each time I deleted one of the .msp files. But then the percentage switched back after a short time so I'm not following how the program works.

Thanks.


----------



## Compiler (Oct 11, 2006)

When you delete files, it's going into your trashcan... Hold down the SHIFT key to delete. Also, you should turn off System Restore (again) to empty it out, and then turn it back on.

I don't know what files you have. You're going to have to look up the name of that 35GB file and see what it is... I'd delete it myself. But that is up to you.


----------



## Cookiegal (Aug 27, 2003)

Use this utility and see if you can remove the Java with it.

http://support.microsoft.com/kb/290301


----------

