Problems with Memory and Performance

Discussion in 'Malware Help (A Specialist Will Reply)' started by Edmo143, Sep 1, 2006.

  1. Edmo143

    Edmo143 Private E-2

    Not too long after I turn on the PC, I receive a message about virtual memory being too low and the MS OS is modifying it. After working on the internet, email, and Office applications, the computer bogs down considerably. Twice, MS Word just left the screen (disappeared) and wouldn't start up again. I couldn't start anything (My Computer, email, Office applications). Sometimes I'll get an error message, "Not enough memory to load program." I have to Restart or Reboot to get the PC to work properly and applications running. Then it starts to bog down again, and the cycle continues. I also get an error message, "HP OfficeJet COM Event Manager has encountered a problem and needs to close." It happens only once each new start up and began occurring with the other problem(s).

    I have accomplished all of the required actions in the READ & RUN ME FIRST webpage. The PC is still sluggish, more so over time. HP OfficeJet COM error message still appears. Three of the four files asked for in the READ & RUN ME FIRST instructions are attached. The fourth (HiJackThis log) will be sent separately. Thanks in advance for any assistance you can offer.

    Computer specs:
    HP Pavilion a320n
    AMD Athlon XP 2800+
    2.08GHz, 448MB RAM
    110G HD
     

    Attached Files:

  2. Edmo143

    Edmo143 Private E-2

    Attached is the HiJackThis log. Again, many thanks.
     

    Attached Files:

  3. matt.chugg

    matt.chugg MajorGeek

    You have missed one!

    Please post a shownew log:

    Using ShowNew
     
  4. Edmo143

    Edmo143 Private E-2

    Sorry for the omission. Here is the log from the same time I accomplished the other scans. Thanks.
     

    Attached Files:

  5. matt.chugg

    matt.chugg MajorGeek

    Download:
    - Pocket KillBox

    Extract to its own folder somewhere that you will be able to locate later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.


    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:

    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion; say YES, and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)


    If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.



    REBOOT to Normal Mode.

    Post fresh copies of all the logs.
     
  6. Edmo143

    Edmo143 Private E-2

    Attached are 3 logs. The other 2 will be in a separate post. I’ve accomplished everything as instructed. . .or so I think. I am a bit confused with one of the steps with Pocket Killbox. I clicked on the Tools>Delete Temp Files but didn’t see a Red X to click on (as instructed). I don’t mean to get nit-picky but I didn’t see a Red X. The only X I saw was a white one in a red square. It is the one in the upper right corner, which closes the window. Since it was the only X, I clicked it and the window closed. I may not have done this step correctly. If so, my apology. Also, the instructions didn’t indicate I was supposed to do anything except click the Red X. I’m sure you’ll let me know if I’ve messed up. Thanks for your continued support.
     

    Attached Files:

  7. Edmo143

    Edmo143 Private E-2

    Attached are the other logs. Thanks.
     

    Attached Files:

  8. matt.chugg

    matt.chugg MajorGeek

    No, you were right; my fault, it wasn't very clear lol

    It looks like the registry patch didn't do much. When you ran it, did it say 'do you wish to allow to merge with the registry'? In fact I've just run a comparison on the active scan log and it's exactly the same apart from some cookies.

    Can you let me know what happened when you ran it.
     
  9. Edmo143

    Edmo143 Private E-2

    It did ask if I wanted to allow the merge and I clicked "Yes." I don't recall what, if anything, happened after that. I've attached the fixme.reg file (had to rename and change extension to txt). Maybe it doesn't contain what it should. Would you like for me to run through the steps again?

    My computer still bogs down and eventually won't allow any program to open. I need to restart or reboot to do anything.

    Thanks again.
     

    Attached Files:

    Last edited: Sep 5, 2006
  10. matt.chugg

    matt.chugg MajorGeek

    Ahh, we are missing some line breaks in that file.

    Try this one; you will need to rename it to .reg again. Then rerun the activescan. (Sorry, I know it's a pain.)
     

    Attached Files:
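The merge that silently did nothing (posts 9 and 10) is a common failure when a .reg fix is pasted into Notepad and its line breaks are lost: Regedit expects a version header on the first line, then [key] lines and one "name"=value entry per line, and a file collapsed onto a single line produces no changes at all. The checker below is an added example written for this page; it is not the thread's fixme.reg, not a MajorGeeks tool, and the two sample files in it (GOOD_REG and COLLAPSED_REG) are constructed, with hypothetical key and value names. It parses the file, reports what keys and values it would delete or set, and rejects a file whose line breaks are gone, so a fix can be reviewed before it touches the registry.

```python
"""Sanity-check a .reg fix file before merging it into the registry.

Added example, not from the thread or from MajorGeeks.  The sample files
GOOD_REG and COLLAPSED_REG are constructed, with hypothetical key and
value names.  The checker models the failure seen in the thread: a .reg
file that merged without effect because its line breaks were lost, so
Regedit saw one long line instead of a header, [key] lines and one
"name"=value entry per line.
"""
import re

HEADER = "Windows Registry Editor Version 5.00"

# [HKEY_...\path] adds or selects a key; [-HKEY_...\path] deletes it.
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<path>HKEY_[A-Z_]+(?:\\[^\]]+)?)\]$")

# "name"=data or @=data; data of "-" deletes the value, strings are quoted,
# dword: has eight hex digits, hex(...): lines may continue with a trailing '\'.
VALUE_RE = re.compile(
    r'^(?P<name>"(?:[^"\\]|\\.)*"|@)='
    r'(?P<data>-|"(?:[^"\\]|\\.)*"|dword:[0-9a-fA-F]{8}|hex(?:\([0-9a-fA-F]+\))?:.*)$'
)


def check_reg(text):
    """Parse a .reg file and report what it would do.

    Returns a dict with 'ok', a list of 'problems', and the keys/values the
    file deletes or sets, so the change can be reviewed before merging.
    """
    lines = text.splitlines()
    nonblank = [l for l in lines if l.strip()]
    out = {"problems": [], "delete_keys": [], "delete_values": [], "set_values": []}
    problems = out["problems"]

    if not lines or lines[0].strip() != HEADER:
        problems.append("line 1 is not the '%s' header" % HEADER)
    if len(nonblank) == 1 and "[" in nonblank[0]:
        # Header, keys and values all on one line: the CR/LF pairs were lost
        # and Regedit will merge nothing.
        problems.append("whole file is on one line: line breaks were lost")

    current_key = None
    continued = False  # inside a multi-line hex(...) value
    for lineno, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if continued:
            continued = line.endswith("\\")
            continue
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("path")
            if m.group("delete"):
                out["delete_keys"].append(current_key)
            continue
        m = VALUE_RE.match(line)
        if m:
            if current_key is None:
                problems.append("line %d: value before any [key] line" % lineno)
                continue
            name = m.group("name").strip('"')
            target = out["delete_values"] if m.group("data") == "-" else out["set_values"]
            target.append((current_key, name))
            continued = line.endswith("\\")
            continue
        problems.append("line %d: unrecognised text %r" % (lineno, line[:40]))

    if not (out["delete_keys"] or out["delete_values"] or out["set_values"]):
        problems.append("no registry changes found")
    out["ok"] = not problems
    return out


# Constructed sample: a well-formed fix that removes a hypothetical vendor
# key and a hypothetical autorun entry.
GOOD_REG = "\r\n".join([
    HEADER,
    "",
    "[-HKEY_CURRENT_USER\\Software\\ExampleBadVendor]",
    "",
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]",
    '"ExampleLoader"=-',
    "",
])

# The same file after its line breaks were lost, as happened in the thread.
COLLAPSED_REG = " ".join(line for line in GOOD_REG.split("\r\n") if line)

if __name__ == "__main__":
    for label, text in (("good", GOOD_REG), ("collapsed", COLLAPSED_REG)):
        report = check_reg(text)
        print(label, "OK" if report["ok"] else "REJECT")
        for p in report["problems"]:
            print("  -", p)
        for key in report["delete_keys"]:
            print("  delete key  ", key)
        for key, name in report["delete_values"]:
            print("  delete value", key, name)
```

Run it on a fix file before double-clicking it: a clean report lists exactly the keys and values the helper meant to remove, while a file whose line breaks were lost is rejected up front instead of merging silently and leaving the next scan log unchanged.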

  11. Edmo143

    Edmo143 Private E-2

    Fixme.reg successfully merged with registry. Active scan log is attached. Thanks.
     

    Attached Files:

  12. matt.chugg

    matt.chugg MajorGeek

    OK! That looks a whole lot better; in fact all that's remaining in there are cookies and a couple of HP tools, none of them of any consequence.

    The bitdefender log is CLEAN!

    Post a new HJT log now we have sorted all that registry stuff.

    How are things running now? Any improvement?
     
  13. Edmo143

    Edmo143 Private E-2

    Attached is the new HJT log. Had to shut down PC because it bogged down. Upon reboot, system seems slower and takes time for programs to open. No observable improvement. Thanks.
     

    Attached Files:

  14. Edmo143

    Edmo143 Private E-2

    When I turned the computer on this morning I received a Symantec AntiVirus Notification that the PC is infected with the Linkoptimizer Trojan. The attached file contains the Notification and also the Realtime Scan Statistics. It appears the scan is still in progress as the total notifications number is slowly increasing as I type. The system seems to be getting worse. What do you recommend? Thanks.
     

    Attached Files:

  15. matt.chugg

    matt.chugg MajorGeek

    In future please do not use word documents for screenshots. Word documents can contain macros and viruses and are therefore a security risk. ESPECIALLY from someone in your situation ;)

    You can upload screenshots as png or jpg images.

    Once the scan is finished please can you give me a full log.
     
  16. Edmo143

    Edmo143 Private E-2

    I couldn't find a log. The scan seems to occur all the time (realtime). The only difference with each notification, as I click through them, seems to be the time hack and sometimes the file name (lpt) displays as all caps (LPT) (see previous .doc attachment). I found the file "lpt7.bca" in the location indicated. It's 158KB and last modified on 8/29/02 8:00am. I haven't tried to delete it yet. . .want to hear what you think.

    The PC seems to be running at a much faster speed. I haven't noticed the low virtual memory message since we last rebooted (~4 hours ago). Programs seem to open with no problem. Don't believe we conducted any medical treatment since the registry merge and Activescan yesterday morning. Thanks.
     
  17. matt.chugg

    matt.chugg MajorGeek

    The LinkOptimizer Trojan often uses rootkit technology to hide itself, so let's scan for rootkits.

    Download and install the following tool.

    Sophos Anti-Rootkit 1.1

    Run sargui.exe from the location to which you installed it.

    Make sure all 3 options in the 'area' column are checked and click start scan.

    Once the scan is complete go to Start --> Run and type in %TEMP%\sarscan.log and hit enter.

    The log that I need should open in notepad; go to File --> Save As and save the file to a location you will be able to find and then upload it here.
     
  18. Edmo143

    Edmo143 Private E-2

    I've installed Sophos Anti-Rootkit and double-clicked on sargui.exe. Nothing appears to happen. I then tried Start>Run>Sargui.exe. Again, nothing seems to happen. I then went to Start>Run>%TEMP%\Sarscan.log just in case the scan was completed faster than I could notice. The message I received was "C\DOCUME~1\Owner\LOCALS~1\Temp\sarscan.log". What did I do wrong? Thanks
     
  19. matt.chugg

    matt.chugg MajorGeek

    Don't think you did anything wrong; you should have had a dialog come up when you ran sargui.exe so you could start the scan.

    It's a relatively new tool so I wouldn't imagine anything is stopping it from running, but just try renaming sargui.exe to Soar.exe and try again. I doubt this will make any difference but I'd like to try.
     
  20. Edmo143

    Edmo143 Private E-2

    You're right, it didn't work. No apparent scan accomplished and no log (same msg: "Windows cannot find "C\DOCUME~1\Owner\LOCALS~1\Temp\sarscan.log"). I've attached another Hijackthis log just in case it might help.

    Is the LPT7.bca file a Trojan? Should I try to delete the LPT7.bca with the basic Windows command(s)? Thanks.
     

    Attached Files:

  21. matt.chugg

    matt.chugg MajorGeek

    OK this specific malware uses the Gromozon rootkit.

    Download Gromozon Removal Tool from Prevx1 to your desktop.

    Disconnect from the internet by unplugging the cable and disable your antivirus.

    Run prevxremovaltool.exe from the Desktop by double clicking on it.

    Click the scan and follow the instructions on screen.

    Once complete, reboot, make sure your AV is re-enabled and let me know the results here.
     
  22. Edmo143

    Edmo143 Private E-2

    The results are: "The Trojan.Gromozon rootkit component was not found on the system. Do you wish to continue with removal anyway?" I clicked "No."

    I searched for the file that was identified earlier as being a trojan, "LPT7.bca." For whatever reason, the file is no longer on my C: drive. Could it have morphed into another file name? The only .bca file is in the Symantec antivirus folder (AP0.bca). Thanks.
     
  23. matt.chugg

    matt.chugg MajorGeek

    First up, sorry for the delays in my replies.

    OK, although Norton is reporting the file as Link Optimizer I cannot see any other indications that it is really present. Have you had any joy running the Sophos Anti-Rootkit application yet?

    Copy the below bold text to notepad and save it on your desktop as fixstrbcc.reg making sure to set the filetype to 'All Files'

    Once saved, close notepad and Run the .reg file from your desktop and allow it to merge with the registry as we did earlier.

    Then reboot into safe mode and delete the below file if found:
    C:\WINDOWS\System32\strbcc.exe

    Now reboot into normal mode.

    Then attach a new log from ShowNew and, since I've been a while replying (sorry), can you post a new HJT log too.
     
    Last edited by a moderator: Sep 14, 2006
  24. Edmo143

    Edmo143 Private E-2

    Not a problem re: delays. As you can see, I've been a bit busy with other issues as well. I really appreciate the time you give to so many of us needy non-geeks.

    I tried the Sophos Rootkit again and this time it worked. It didn't work the last time I tried (ref postings #17-20, 09-08-06). I scanned twice and the log is attached.

    Registry merge was successful. File strbcc.exe was not found.

    ShowNew and HJT logs are attached. Many thanks.
     

    Attached Files:

  25. Edmo143

    Edmo143 Private E-2

    I haven't seen a response in quite awhile. I hope everything is alright with you.

    My computer seems to be operating okay. I decided to run through the entire range of "READ & RUN ME FIRST" procedures. I executed a full scan with the Malicious Software Removal Tool and Windows Defender. No problems were detected in any of the scans with the exception of the online Activescan, which uncovered some incidents.

    I've attached all of the logs in this and the next post and would appreciate a quick review. Many thanks for your dedicated efforts. -Ed
     

    Attached Files:

  26. Edmo143

    Edmo143 Private E-2

    The rest of the logs. Thanks.
     

    Attached Files:
