virtual memory

andrewssue

Have installed Beta but can't run scans as every time I do I
get a virtual memory error and the whole machine freezes
up. I have increased my paging file but this has not helped.

Also having problems with "Aurora".

Related?
 
Tom Emmelot

I quote Engel:

News From The Spyware Front:

Following are the latest malware and therefore the hardest
to remove:

Called nail.exe aurora or bolger.
http://webhelper4u.com/tnewswritigs/bolger_aurora.html

Ewido seems to detect and remove one version which can
also be removed by disabling its service, booting into
Safe Mode and using HijackThis to get rid of the nail and
exe (with Explorer and Iexplore turned off) then Killbox
to remove nail on reboot. But there is another version
with a TODO file that requires a repair console delete or
you can go to the maker www.mypctuneup.com/aurora and run
their uninstall which gets rid of aurora but may install
something else. They make you fill out a form and then
will send you a code to use with the uninstaller. Use a
throwaway email address if you do and lie like crazy on
the form.

http://www.webhelper4u.com/tnewswritigs/mypctuneupmain.html

Another popular one right now is wp.exe which is the
smitfraud.c and which tears up the registry entries for
your desktop so you can't remove the warning that
appears. Changes the registry to add System under
Policies and adds some keys to limit the Display
Properties by removing Web and Background tabs.

This is it here:

http://securityresponse.symantec.com/avcenter/venc/data/trojan.desktophijack.html

(Same link but in smaller form since I guess that one will
wrap)

http://tinyurl.com/87n46

Then we have the bhoass.dll "Trojan.Win32.Agent.cx"

C:\WINNT\system32\bss.dll
C:\WINNT\bhoass.dll
C:\WINNT\system32\MSIMN32.EXE
C:\WINNT\system32\TASKMGRU.EXE
C:\WINNT\explorer32dbg.exe
C:\WINNT\iexplore_dbg.exe
C:\WINNT\ghj

This is just six of the files. There are about 10 in
all. The only way I can get rid of them is to use Killbox
to delete all of them on boot. And afterwards Explorer
(the desktop) won't run. Sample hjt log:

http://www.techsupportforum.com/computer/topic/49162-1.html

Also have a random named file that attaches itself to
winlogon notify and won't let go. Often seen in the
company of another random name file that pretends to be
Kavsvc or Navsvc. The Kavsvc file will sometimes go away
with mwav.exe from kaspersky. Nothing seems to work on
the winlogon notify critter. Believe it's a variation on
L2M.

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rlinzp.exe
O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\system32\p2r4lc9q1f.dll

None are removed completely by AntiSpy unless there has
been a new update that I don't know of.

One final tip. A lot of the new stuff seems to use the
Task Scheduler as a backup. Start, (Settings,) Control
Panel, Scheduled Tasks and remove any that you don't
recognize, especially any that have a path that includes
the Application or Temp Folder.
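
Added example, not part of the original posts: a small Python triage pass over HijackThis-style log text that rejoins entries wrapped by a mail or news client (as the O20 line above was) and flags the two patterns the post describes, a Run value imitating an AV service name and an unfamiliar Winlogon Notify DLL. The allowlist, the name-to-fragment map and the sample log are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample, modelled on the two entries quoted in the post
# (including the O20 line wrapped onto a second line) plus benign lines.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rlinzp.exe
O4 - HKLM\..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE
O20 - Winlogon Notify: OemStartMenuData -
C:\WINDOWS\system32\p2r4lc9q1f.dll
O20 - Winlogon Notify: crypt32chain - C:\WINDOWS\system32\crypt32.dll
"""

ENTRY = re.compile(r"^(O\d+|R\d|F\d) - ")
# Assumption: illustrative allowlist; build the real one from a clean image.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "wlnotify.dll"}
# Assumption: imitated service names mapped to a fragment of the genuine binary name.
AV_NAMES = {"kavsvc": "kav", "navsvc": "nav"}


def unwrap(text):
    """Rejoin entries that a mail/news client wrapped onto a second line."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if ENTRY.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line  # continuation of the previous entry
    return entries


def triage(text):
    """Return (entry, reason) pairs for entries matching the post's patterns."""
    findings = []
    for entry in unwrap(text):
        m = re.match(r"^O4 - \S+: \[(.+?)\] (.+)$", entry)
        if m:
            label = m.group(1).lower()
            exe = PureWindowsPath(m.group(2)).name.lower()
            if label in AV_NAMES and AV_NAMES[label] not in exe:
                findings.append((entry, "Run value imitates an AV service name"))
        m = re.match(r"^O20 - Winlogon Notify: (\S+) - (.+)$", entry)
        if m and PureWindowsPath(m.group(2)).name.lower() not in KNOWN_NOTIFY_DLLS:
            findings.append((entry, "Winlogon Notify DLL not in baseline"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {entry}")
```
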


Engel

The volunteer spyware busters who work these anti-spyware
forums do this kind of thing all day long, so you'll be in
good hands. At times they can be a bit overwhelmed, so
please be patient while waiting for help.

Not sure if it's a bug in MS Antispy or unrelated to MS
but let's see if you can free up some space.

What Windows version are you running?

What size is your pagefile (virtual memory)?

Have the initial size be at least 1.5 times bigger than
the amount of physical RAM. The maximum size is 3 times
your RAM (This should be the default anyway)

How much RAM is available?

How much memory is your system committed to?

What was the largest amount of memory your system has
ever committed itself to since the last boot?

If the pagefile gets fragmented your system's performance
will decrease. Sysinternals has 'PageDefrag', a free
utility that shows fragmentation in the pagefile and then
offers the option of defragmentation at boot time.

The utility can be downloaded from HERE

http://www.sysinternals.com/ntw2k/freeware/pagedefrag.shtm

Once you download just unzip the file and run
pagedfrg.exe.


It may sometimes happen that the system gives 'out of
memory' messages on trying to load a program, or gives a
message about Virtual memory space being low. Possible
causes of this are:

The setting for maximum size of the page file is too low,
or there is not enough disk space free to expand it to
that size.

The page file has become corrupt, possibly at a bad
shut-down. In the Virtual memory settings, set to have no
page file, exit, shut down the machine and reboot. Delete
PAGEFILE.SYS (on each drive if more than just C:), set
the page file up again and reboot to bring it into use.

The page file has been put on a different drive without
leaving a minimal amount on C:.

There is trouble with third party software. If it happens
at boot and the machine has an Intel chipset, the message
may be caused by an early version (before version 2.1) of
Intel's 'Application Accelerator'. Uninstall this and
then get an up-to-date version from Intel's site.

Other things you can do to free up space:

Run the disk cleanup

Go to START then RUN and type

CLEANMGR

On the page that opens free up anything that's not needed
(temp files, recycle bin etc.) then go to the second
page (More Options)

On the system restore part press clean up to remove all
the restore points except for your most recent one.
 
Engel

For AURORA

From Andy:
Download Nailfix to your desktop

Primary:
http://www.noidea.us/easyfile/file.php?download=20050515010747824

mirror:
http://www.dknoppix.com/cgi-bin/download.cgi?Nailfix

Reboot into safe mode (Reboot and keep tapping F8 then
choose safe mode from the list)

In Safe Mode, double-click on nailfix.bat. Your desktop
and icons will disappear and reappear, and a window
should open and close very quickly.

This will stop and delete nail.exe and svcproc.exe


Then run MS Antispy on a full system scan to remove any
other files. Ewido Security Suite and Adaware SE both
target Aurora so maybe worth trying them if you have more
problems with it. The problem is the random named file in
the system folder which will act as a re-installer each
time you reboot. Plus it changes its name whenever you
reboot. Ewido will remove those entries. Adaware will
remove Bolger and Drpmon.dll so again it could help.

Ewido:
http://www.ewido.net/en/

Lavasoft's Adaware:
http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022-10399602.html?tag=list




Guest

I have seen this before; when MSAS encounters an access
denied error in the registry it allocates hundreds of MBs
of memory for no reason. Try running MSAS from an admin
account until this major bug is fixed.
 
Dave

Ok, I had this problem also, it was funny, I actually
allocated 2 gig of ram and it was still using all of it.
What I ended up doing was seeing where it was freezing
up, in my case it was HKLM\Software\Toolbar\Server. I
looked in the registry and it didn't exist, but it did
exist in regedt32 (Win2k box obviously). None had rights
to the registry key, I changed the permissions and it
went thru and finished the scan. Strangely enough
whatever virus/spyware this box had, it did the same
thing to the permissions on
HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
Hope this helps.

Dave
 