[neverborn]

hey guys,

recently i purged my pc of the really-annoying SpySheriff thingy. Got my desktop back, only now my firewall is disabled, and i can't get it to start(tried everything, including starting it from the Services window, along with dependencies). Any thoughts? For a while there my entire security center was disabled too, but i've fixed that, except for the firewall. Downloading Zonelabs' Zonealarm right now in case my firewall stays dead. Still, this isn't my biggest concern.

the main problem right now is the paging file. i've been getting messages saying my system's running low on virtual memory, and that Windows is increasing it. I've seen this alert once or twice before so at first i wasn't overly worried, but now it's happened too frequently-just about everytime i boot up! sometimes it takes as little as 30 mins from a cold boot, sometimes my pc holds out for hours before displaying this message.

worse, after displaying the message, sooner or later all of my apps say they don't have enough memory to perform a certain action, and prompts me either to close, or debug (ex. winword can't save a document, mediaplayer can't open a file). It's rather disturbing since i'm now forced to restart every several hours, and if i'm not even allowed to save...

i've downloaded and run most of the software you guys recommended(ewido, cws shredder, spyware blaster, etc.), and so far(several hours only) no great improvements yet. i'd appreciate whatever help you could give. Thanks!




----------
Logfile of HijackThis v1.99.1
Scan saved at 12:07:08 AM, on 12/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\Program Files\inKline Global\PC Booster\PCBooster.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\mpcsvc.exe
C:\WINDOWS\system32\dnssvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\AllOfUs\Application Data\Microsoft\Internet Explorer\Quick Launch\FreeRAM XP Pro 1.40.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\AllOfUs\Desktop\New Folder\spysheriff episode\apps\hijackthis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [PC Booster] C:\Program Files\inKline Global\PC Booster\PCBooster.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SiS Mpc Service] C:\WINDOWS\system32\mpcsvc.exe
O4 - HKLM\..\Run: [SiS Dns] C:\WINDOWS\system32\dnssvc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\AllOfUs\Application Data\Microsoft\Internet Explorer\Quick Launch\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: MemoKit.lnk = C:\Program Files\MemoKit\mk.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{D650FFC6-CA47-4589-88FE-C7CDCBCAA0D9}: NameServer = 202.78.97.2 202.78.97.3
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5 (file missing)

[Advertisements]

i don't see anything in your log that jumps out and screams at me but i'm not an expert....you should probably go ahead and start a thread in the malware forum with a fresh hjt log just to be sure you're clean...if you're clean..no harm no foul...

try doing a ram test
go here and download their program http://www.memtest86.com/ this program will create a floppy disk that y ou can use to test your ram..

[dsenette]

i don't see anything in your log that jumps out and screams at me but i'm not an expert....you should probably go ahead and start a thread in the malware forum with a fresh hjt log just to be sure you're clean...if you're clean..no harm no foul...

try doing a ram test
go here and download their program http://www.memtest86.com/ this program will create a floppy disk that y ou can use to test your ram..

[neverborn]

thanks for the reply. anyway tried what you said and booted from cd. not sure if i did anything wrong but after displaying info about my computer (disk partitions, hardware devices, etc.), it showed me 3 options followed by A: prompt. none of the options worked, and when i checked back at the site, the online commands listed were entirely different: pressing ESC is supposed to exit the program and do a warm reboot, but that didn't work when i tried. will try again later. any suggestions?

anyway here's what's been happening to my pc lately:

-like i said, sooner or later after booting i get the balloon saying i'm running low on virtual memory, and that windows is increasing it. i find this odd since, following what most people suggested in forums, i removed my paging file from my C: drive (windows directory) and had my system manage it on D: (storage) instead.

sometimes it doesn't really have any serious effect, other times--

-some programs can't do anything at all, ex: Nero can't burn a disc cos i don't have sufficient memory, i can't open firefox (at first) cos the paging file is too low (this even after windows has just increased the PF).

-also i noticed in task manager: when i click the processes tab, some of the processes are sort of, um, flickering? its like a process gets listed and then removed again abruptly. not sure what though. last i checked explorer.exe, svchost.exe, and services.exe are the ones flickering. any ideas?


anyway i have posted at the malware forum, but no replies yet. not complaining though, i know how busy you guys are! still, i kinda think it's not malware that's messing up my system cos ewido, spywareblaster, cwsshredder, microsoft anti-spyware, and avg all say i'm clean. also, i haven't made any major changes for a long while now so im stumped.

thanks again for helping out.