Physical ram drops to less than 8mb within minutes of starting system, Virtual ram remains constant at 208mb

I have a client's system that within minutes of starting up and without opening any applications the physical ram drops from around 50MB free to just under 8mb. The system is an Athlon 1.113 CPU, Giga-byte GA-7VXTE Motherboard with 128 MB RAM, running Windows 98. Normal Windows startup items, plus Norton Anti-virus corporate edition client, InCD, Wireless MS Mouse & Keyboard. Video Drivers are ATI Catalyst,  the latest version. Graphics chipset is Radeon VE (7000).

I have done the following: Upgraded Bios to current version, changed processor to Athlon XP 220+. applied all current updates to Windows 98. Applied Via drivers 4.48, Updated the Virus definitions, scanned for virus's, scandisk, defragged and applied updates to Office XP, SP1 & SP2. The client did have the W32.Galil virus, but i have removed it using Norton and have scanned with both Nortons online scanner & Mcaffe's online scanner, but
no virus's were found.

I Still the same problem, I increased the ram to 384 MB and now it drops down to about 25% of that. I am using a free memory program called freemem to free up the ram every now and then.

Has anyone got any ideas, I am fresh out, I have never seen this large a drop in physical ram 15 years of PC tech work.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Check for adware and sypware

spybot here



BHODemon and Hijack This and Browser Hijack Blaster
BHODemon | Think of BHODemon as a guardian for your Internet browser: it protects you from unknown Browser Helper Objects (BHOs), by letting you enable/disable them individually. This program is my choice for BHO detection and is highly recommended.

Browser Hijack Blaster | Running silently in the background, Browser Hijack Blaster only springs into action when an attempt is made. It watches and protects the following items: IE Homepage, IE Default Page, IE Search Page, BHOs. Whenver one of the above items is changed, or a BHO is added, you are immediately provided with information on the item, along with the option to keep the change, or revert to your previous settings.

Hijack This | Written by a member of our support forums and based on our Hijacked! article, this program scans the locations in your computer system that may be modified by browser hijackers and fixes any problems found. An easy-to-understand tutorial is available at

General and overall information about Spy/Adware
Test the RAM

If you can swap out the RAM with known good modules for testing first if you can't do that then test the machine with one RAM module at a time until you tested every module. Other wise run the the following RAM testers.

NOTE IF THIS DOESN'T FIND ANYTHING WRONG WITH THE RAM THIS DOESN'T MEAN THE RAM IS GOOD you would need to swap out the RAM with known good modules for testing. However if it does find something wrong then chances are the RAM is bad.

DocMemory PC RAM
Diagnostic Software




Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Now this free utility doesn't give you memory usuage but it does give you CPU usage and that might help you find something.

Note when you open the program go to the menu View and make sure there is a check mark next to View DLL's if there isn't then click on it.

Process Explorer
Exploring ASP.NET Core: Fundamentals

Learn to build web apps and services, IoT apps, and mobile backends by covering the fundamentals of ASP.NET Core and  exploring the core foundations for app libraries.

Sounds to me like an excessive number of startup programs and too many processes running in the background including, but not limited to, some of the following:

LoadQM.exe - (MS Messenger indexer type thing that's never been properly accounted for)

Office FindFast Indexer
Run Add/Remove Progs > Office > Remove Momponents > uncheck Find Fast)

MS Messenger
(HKLM or CU\Software\Microsoft\Windows\CurrentVersion\Run)

AntiVirus application in "Autoprotect" mode

A Trojan that may not be detected by AntiVirus program.

Browser Helper Objects.

Download, install and run the freeware personal version of "Adaware" from Lavasoft.  It will identify any rogue Advertising Software or components on your system and allow you to get rid of them.

Download, unzip, and run (no need to install) the freeware "BHO Demon".  Browser Helper Objects (or BHO's) are small programs that run automatically when you start your Internet Browser, come in many forms including the legitimate Adobe Acrobat Reader, and Norton AntiVirus, but also can be malicious or just a plain nuisance.  This program allows you to enable or disable them.  Take for example Go!Zilla, the downloading utility, which installs a BHO created by Radiate (formerly Aureate Media).  This BHO tracks which advertisements you see as you surf the Web, which may not bother you too much, but it is using up resources.

That said, there is no restriction on what a BHO can do your system.  It can do anything any other program can do ie. read or write (or delete) anything on your system.  Usually, software is installed on your system explicitly by you, but BHO's have a history of being installed without the users knowledge.

With BHO Demon, BHO's are disabled by simply renaming the DLL that houses them.  By renaming the DLL, instead of deleting it, you have the option of enabling it later if you wish.


Download (v. 25 June 2002)

It would be helpful if we could inspect what processes are running on your system when this occurs.

1. Start > Run > and type MSINFO32
2. In the left pane, find "Software Environment"
3. For each of the following sections, click on it and then use the menu as follows:
  Edit > Select All > Edit Copy
4. Paste each into NotePad and save by the name of the section in MSINFO32
5. Copy and paste the details here if they are brief enough

Software Environment\
                                  Running Tasks
                                  Startup Programs
                                  System Hooks

Your list of startup programs will indicate what you need and don't need to run automatically when Windows boots.  You could disable them using "Start > Run"  > and typing MSCONFIG.  The checkboxes are in the "startup" tab, and the only one you usually require is the System Tray.  You could restore them again one at a time again, rebooting between, and test until you find the culprit.

A helpful page to assist you in identifying Startup items is:

Another useful program for finding things that take over your system is "HiJack This" from: 

It will run from any folder without needing installation.  Just unzip it, launch Hijack This.  To create a "startup list" press "Config" > "Miscellaneous Tools", and press "Generate Startuplist Log"

This will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.  Maybe this would be better to post here.

That was quick, CrazyOne :-)
BoycerAuthor Commented:
Thanks Crazyone for responding.

I have not scanned for spyware on this particular machine, normally I would use spybot but this is a business machine and I have not noticed any of the usual spyware. Lately, this has become a daily support issue for me with my non-business clients. I will however try this anyway, it can't hurt.

I have swapped out the ram for known good ones, ones out of one of my own systems. I also am a computer dealer/consultant and have access to parts to swap in & out.

I haven't checked CPU Usage, just resource usage. I will try this as well. I will post the results to-morrow getting late now, tired.

>>>That was quick, CrazyOne :-)

>>>I haven't checked CPU Usage,

It may give a clue to which proccesses that may be the culprit.
Another thing, System Properties > Performance tab > Virtual Memory.  Has this been set to a limit?

Here's an interesting article, note in particular the "netstat" commands:

Checking for the existence of IRC Zombie/Bots

from Steve Gibson (

Fortunately, it's quite easy to verify that your system is not
currently infected by one of these IRC Zombie/Bots.

All of the IRC Zombie/Bots open and maintain static connections
to remote IRC chat servers whenever the host PC is connected to
the Internet. Although it is possible for an IRC chat server to
be configured to run on a port other than "6667", every instance
I have seen has used the IRC default port of "6667".

Consequently, an active connection to an IRC server can be
detected with the following command:

      netstat -an | find ":6667"

Open an MS-DOS Prompt window and type the command line above, then
press the "Enter" key. If a line resembling the one shown below is
NOT displayed, your computer does not have an open connection to an
IRC server running on the standard IRC port.

If, however, you see something like this:


then the only question remaining is how quickly you can disconnect
your PC from the Internet!

A second and equally useful test can also be performed.
Since IRC servers generally require the presence of an "Ident" server
on the client machine, IRC clients almost always include a local
"Ident server" to keep the remote IRC server happy.
Every one of the Zombie/Bots I have examined does this. Therefore,
the detection of an Ident server running in your machine would be
another good cause for alarm.

To quickly check for an Ident server, type the following command at
an MS-DOS Prompt:

      netstat -an | find ":113 "

(Note the "space" after the 113 and before the closing doublequote).

As before, a blank line indicates that there is no Ident server
running on the default Ident port of "113".

If, however, you see something like this:


then it's probably time to pull the plug on your cable-modem!

Note that a Windows IRC client program running in the PC will generate
falsepositive reports since these are tests for IRC client programs.
So be sure to completely exit from any known IRC client programs
BEFORE performing the tests above.

C:\WINDOWS>netstat /?

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

  -a            Displays all connections and listening ports.
  -e            Displays Ethernet statistics. This may be combined with the -s
  -n            Displays addresses and port numbers in numerical form.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be TCP or UDP.  If used with the -s option to display
                per-protocol statistics, proto may be TCP, UDP, or IP.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics.  By default, statistics are
                shown for TCP, UDP and IP; the -p option may be used to specify
                a subset of the default.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display.  Press CTRL+C to stop redisplaying
                statistics.  If omitted, netstat will print the current
                configuration information once.

ZoneAlarm v2.6 (Free)

The last of my testing was to see whether the firewall I keep telling
everyone to use:

ZoneAlarm either FREE or Pro would be effective in stopping the IRC
Zombie/Bot and the Sub7 Servers that had taken up residence in my poor
"Sitting Duck" laptop.

I downloaded the current, completely free, version of ZoneAlarm 2.6
from the ZoneLabs web site and installed it on the "Sitting Duck" laptop.
Upon restarting the machine I was gratified to receive immediate notification
that the Zombie/Bot was attempting to make an outbound connection to its IRC
chat server.

Meanwhile, the Sub7 Trojan was sitting quietly waiting for someone to connect
to it. So I used another machine to "Telnet" to the port the Sub7Server Trojan
was listening on. Up popped ZoneAlarm asking whether the nonsense-looking
random character name the Sub7Server had chosen for itself should be allowed
to accept a connection from the Internet.

Perfect performance from ZoneAlarm.
BoycerAuthor Commented:
I forgot one other thing I did, ran msconfig and unchecked all startup items, rebooted and re-selected each one at a time and rebooted each time to see if I could eliminate or find the problem that way.

No luck.

The closest solution I have found is that with just plain vga driver loaded, and 128 MB of ram installed the physical ram stayed around 45 - 50MB.

The video card was made by giga-byte, powered by ATI. I have tried both Giga-byte drivers and reference drivers from ATI.

I might end up swapping out the video card.

Just ran spybot with latest detection rules, found 27 components, all were tracking cookies.
BoycerAuthor Commented:

Logfile of HijackThis v1.97.3
Scan saved at 12:16:47 AM, on 11/1/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page ={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\NORTON~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~1\defwatch.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Btrbox95.lnk = C:\PVSW\Bin\BTRBOX95.EXE
O4 - Startup: Outlook Backup Batch File.pif = C:\OUTLOOK.BAT
O4 - Startup: MaxMem.lnk = C:\Program Files\AnalogX\MaxMem\maxmem.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -,5,0,4301/
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer =,

I am running behind a hardware firewall with a static Private IP address.

I like the ideas though, keep them coming.

Hmmm I like your idea of the video. Does it use System RAM or VRAM?
BoycerAuthor Commented:

I have tested the video ram using PC-Check and everything passed. Also ran motherboard, processor and ram tests - burn in tests.

I think I will try swapping out the video card in the morning. I am sitting here right now and the ram has dropped to 127MB free and I have only IE open and windows explorer open.

I justed did an aggressive free up of memory and am back at 269MB free now.

getting late time for sleep :-)

I will let you know regarding the video card. just a note though, this is one of two identical systems. Same motherboard, same video card, same processor, same OS etc..

I will re-post results in the morning.

Thanks to CrazyOne and BillDL for the feedback.

Thanks for the list.  The only thing I can see that would have any consequence is the Norton AntiVirus Definition Update monitoring file DEFWATCH.EXE, but that certainly wouldn't be chewing up resources to any noticeable extent.

Incidentally, while I was checking Symantec's site for possible conflicts with this file, I found the following extremely annoying script on their page:

Place in "Head" tag.

<script language="JavaScript" type="text/javascript">
function printPage() {

var da = (document.all) ? 1 : 0;
var pr = (window.print) ? 1 : 0;
var mac = (navigator.userAgent.indexOf("Mac") != -1);

 if (pr) { window.print(); }  // NS4, IE5
 else if (da && !mac) {vbPrintPage();}  // IE4 (Windows)
 else {  } // other browsers

if (da && !pr && !mac) with (document) {
  writeln('<OBJECT ID="WB" WIDTH="0" HEIGHT="0" CLASSID="clsid:8856F961-340A-11D0-A96B-00C04FD705A2"></OBJECT>');
  writeln('<' + 'SCRIPT LANGUAGE="VBScript">');
  writeln('Sub window_onunload');
  writeln('  On Error Resume Next');
  writeln('  Set WB = nothing');
  writeln('End Sub');
  writeln('Sub vbPrintPage');
  writeln('  OLECMDID_PRINT = 6');
  writeln('  On Error Resume Next');
  writeln('End Sub');
  writeln('<' + '/SCRIPT>');

// -->

The damned page fires up your printer without prompting you.  The swines, that's verging on malicious intrusion !!
BoycerAuthor Commented:
I agree,  it is presumptious of them to assume we would want to print the page without prompting us. Talk about
taking control of a situation eh!

Oh by the way I am canadian eh!

I think I narrowed the problem down to either faulty video ram or buggy drivers, or a combination of both. I suspect the ram, myself, as I have heard nothing but fairly good things regarding ATI Catalyst Ref Drivers. Also,
I tried Giga-bytes ATI Drivers and V-tuner program with the same results.

I swapped out the Radeon Ve card for an old ATI Rage IIC AGP card, loaded the drivers and was able to run
Microsoft Word, Excel, Windows Explorer, Internet Explorer and play a Daredevil DVD using PowerDVD and still had almost 200MB of physical ram free and it did not drop below this.

So, I'am going to run with that as the solution.
Thank you, Boycer
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows OS

From novice to tech pro — start learning today.