Virtual memory problem on XP?

bd@europe.com · Aug 10, 2007

Hello,

I have a problem that begins right when I start the computer. The computer goes extremelly slow, and normally I get a message that the virtual memory has reached its maximum. I get several other error messages until the computer gets completely frozen.

If I can manage to open the Task manager, I can see that a svchost.exe process is running using more and more memory and the “Transactions load” is increasing up to the maximum.

If I kill this svchost.exe process, the “Transactions load” or “pagefile use” in the performance chart of the Task manager go back to normal, and I can work more or less normally. After a while, a new svchost.exe process starts to increase its memory use again and the “PF use” starts increasing again.

I attach a few prints screen to see the processes running in the task manager.

This happens in normal mode as well as in “Safe mode with Networking Support”, but not in “Safe mode”.

I have gone through the malware removal recommendations and will attach all the logs. I could not find much, except for a "Dropper.Small" virus in the system restore files of the Administrator user in safe mode. I guess I could remove these files by switching system restore off and on, but I haven't done so yet following the recommendations.

My PC is a Pentium 4 CPU 3.00GHz, with 512 MB RAM, running Windows XP, Service Pack 2.

I don't know if this problem is due to malware, but hopefully you can provide some advice.

Thanks
bd

bd@europe.com · Aug 10, 2007

I attach more logs

bd@europe.com · Aug 10, 2007

I attach the hijackthis log

bd@europe.com · Aug 10, 2007

The previous logs were not correctly attached.

TimW · Aug 10, 2007

Please download and run CWShredder

Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\sp.htm
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\sp.htm
Click to expand...

After clicking fix, exit HJT

Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"SuperHidden"=dword:00000001
"ShowSuperHidden"=dword:00000001
"HideFileExt"=dword:00000000
Click to expand...

Now download The Avenger by Swandog469, and save it to your Desktop.

* Extract avenger.exe from the Zip file and save it to your desktop
* Run avenger.exe by double-clicking on it.
* Check the 'Input script manually' box.
* Click on the magnifying glass icon.
* Copy everything in the Quote box below, and paste it in the box that opens:

Files to delete:
C:\WINDOWS\system32\1.tmp
C:\WINDOWS\system32\2.tmp
C:\WINDOWS\system32\7.tmp
Click to expand...

* Now click the 'Done' button.
* Click on the traffic light icon and OK the prompt.
* You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt

Attach new logs for:
Avenger
ShowNew
GetRun

TimW · Aug 10, 2007

Please use the latest versions of ShowNew and Get Run:
ShowNew
and
GetRun.

bd@europe.com · Aug 11, 2007

Hi,

Thanks for your reply.
I have gone through all the steps:

Run CWShredder. It removed:
- CWS.Jksearch
- CWS.HiddenDll

Run HJT and fixed the 2 quotes.
Updated the registry.
Allowed Avenger to delete the 3 entries
Run the newest version of ShowNew and GetRun

I attach the logs.

Right now the problem remains.

BD

TimW · Aug 11, 2007

We have one more to clean up before I give you the final cleaning.

Run avenger.exe by double-clicking on it.
* Check the 'Input script manually' box.
* Click on the magnifying glass icon.
* Copy everything in the Quote box below, and paste it in the box that opens:

Files to delete:
C:\WINDOWS\system32\drivers\^csftmri.sys
Click to expand...

Now click the 'Done' button.
* Click on the traffic light icon and OK the prompt.
* You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt

Attach new logs for:
Avenger
Shownew
HJT

Please tell me how things are running.

bd@europe.com · Aug 12, 2007

Hi,

I encountered some problems this time while running avenger.
After going through all the steps and rebooting the computer, the command window came out and the script was showing messages that it could not find C:\avenger\*.reg and some backup files. Then it was stuck and in the taskmanager I could see that the transactions load was going up. I killed the svchost.exe process and the avenger script kept on running but generated an empty log.

I run it one more time and this time it went a bit better. I had to kill also the svchost.exe process but the avenger generated the log saying that it deleted the entry you mentioned.

I attach the logs of avenger, hjt and shownew.

The thing is that the problem remains the same.

Besides, my Panda antivirus software warned me that the Internet explorer configuration had changed. Apparently it has a back-up copy of the configuration in case I would need to restore it. Was it something that we changed in the previous steps?

TimW · Aug 12, 2007

C:\WINDOWS\RENT2005.INI ---->?

Please print these instructions out, or write them down, as you can't read them during the fix.

Download and Install RogueRemover Free .

Run RogueRemover and select Scan and the program will walk you through the remaining steps.

I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

STEP 1: Complete this procedure completely including attaching the requested log before doing the second procedure.

Download SmitfraudFix (by S!Ri) to your Desktop.

Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

Noterocess.exe ( which is used my SmitFraudFIx ) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

http://www.beyondlogic.org/consulting/proc...processutil.htm

IMPORTANT: Do NOT run any other options until you are asked to do so!
ATTACH THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!!! And then immediately continue on to the below steps.
Click to expand...

STEP 2: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.

Please print out or copy these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. Again, if there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer into Safe Mode : Starting your computer in Safe mode

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.
Click to expand...

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. BUT Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

Now reboot into normal mode and attach this new rapport.txt log here.
Now attach new logs from:

* GetRunKey
* ShowNew
* HJT

How are things working now?

bd@europe.com · Aug 12, 2007

Hi,

RENT2005 is a program that I installed from a safe source.

Rogue Remover did not detect any items.

I attach the log from SmitfraudFix Step 1.

bd@europe.com · Aug 12, 2007

I attach the log from SmitfraudFix step 2. Does it matter with which username I run it in Safe mode? I run it with my username. Should I run it with the Administrator username?

The problem is still the same.

bd@europe.com · Aug 12, 2007

I attach GetRunKey, ShowNew and HJT logs

TimW · Aug 12, 2007

I am not seeing anything in your logs ......You may wish to install a startup manager and stop any programs that you don't want running.

This sounds more like a driver problem .....or something that does not load in safe mode.

Are you having any malware issues at this time?

chaslang · Aug 12, 2007

You could try a few things:

increase the size of virtual memory

uninstall Panda Titanium and use some things that are not so resource intensive. This security suite is probably bringing your system to its knees.

install more RAM. 512 MB is just not adequate these days.

bd@europe.com · Aug 13, 2007

"You may wish to install a startup manager"
Do you have any recommendations?

"Are you having any malware issues at this time?"

Except from the problem I have described, no.
If it is not malware related, do you believe that I could find some help in any other forum?

increase the size of virtual memory
I tried it in the first place and there was no change.

uninstall Panda Titanium and use some things that are not so resource
intensive. This security suite is probably bringing your system to its knees.
I tried it already, uninstalled it and tried to run without it, and the problem was the same.

install more RAM. 512 MB is just not adequate these days.
I'm using the PC mainly for Internet and office tasks. I did not have the problem before without installing anything else.

I guess I'll just try to format the PC and reinstall it.

Thanks for your help anyway.

TimW · Aug 13, 2007

This is a good and free Startup Manager

You could try the software section to further check your system.

And there are alternatives here Freeware Picks.

Good luck.

bd@europe.com · Aug 13, 2007

OK. Thanks

Virtual memory problem on XP?

bd@europe.com Private E-2

Attached Files:

bd@europe.com Private E-2

bd@europe.com Private E-2

Attached Files:

bd@europe.com Private E-2

Attached Files:

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

bd@europe.com Private E-2

Attached Files:

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

bd@europe.com Private E-2

Attached Files:

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

bd@europe.com Private E-2

Attached Files:

bd@europe.com Private E-2

Attached Files:

bd@europe.com Private E-2

Attached Files:

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

bd@europe.com Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

bd@europe.com Private E-2

Useful Searches