We help IT Professionals succeed at work.

Check out our new AWS podcast with Certified Expert, Phil Phillips! Listen to "How to Execute a Seamless AWS Migration" on EE or on your favorite podcast platform. Listen Now

x

Top Urgent : Page file usage jumps sky high suddenly.

ShadowRack
ShadowRack asked
on
Medium Priority
9,107 Views
Last Modified: 2011-08-18
Hi

I'm using windows xp pro , my system is preety tidy no spythings no viruses and things like that.

O.k , So the problem is that after about 5 mins after booting windows the page file is jumping from bout 98MB into 950MB slowing down my system totally.. , Than randomly calm down back to around 100MB and back to around 1000MB in pars of minutes/seconds...

Please provide me with your best knowlege i realy getting pissed off..

Bye.
Comment
Watch Question

Author

Commented:
It's going exactly up high to 965MB and then back to normal after couple of minutes...

Author

Commented:
Not exacly 965MB...
have you tried looking at the scheduler?

you can also try to execute "msconfig" and check startup for strange files.

but it's hard to tell with that amount of information.

Author

Commented:
I changed the value at registry to clean the pf at logoff.

Maybe it worked out , it's only the first minutes of the new log and no raise for now..

BTW , i coulndn't manage to custume the page file both in the registry or at the advanced managment , The commit charge is always  - *usage* / 1247M -

k i wait for more idea's.

Author

Commented:
no strange files at the msconfig startup window , no scheduler.

What information u need?

Computer is P4 3.0GHZ@3.15GHz , Mem 256x2(400) / (@440).


Damn it havn't solved.. , it looks so weirdly annoying at the page file usage history , somth like this:

       ______
      |          |
___|            |____________

Author

Commented:
I've defragmented the page file with "System file defragmenter"..

still waiting to see if it succeded

Author

Commented:
didn't work...

This is too weird help me plx!!!!
Tell me what your video card is, some of the ATI cards caused problems similar to this in the past, some others may as well, I would check it out.  Also, open up your task manager, add the I/O reads and I/O writes columns to it (view --> columns) and see what processes are using up all the I/O time, this usually helps and could be the culprit.  Could be a faulty process (programming bug, finite loop...etc)

Author

Commented:
Man your good maybe 2 shots.. , I tought it might be my firewall's fault <VSMON.EXE> proccess - I/O Reads 390,240 , Well i closed it and the page file was still a resources hog..

Plx give me further instruction bout this I/O comparation..

Bout my GPU it is Hercules Radeon 9800 pro , Never did problems , I already tried uninstalling catalist and runing windows in generic graphic drivers and it still did that mess..

Well , I'm waiting for your reply.

Thanks ahead.



Author

Commented:
These are the proccess that usually running :

aston.exe           C:\Aston\aston.exe                                                               1716 KB     9240 KB
    cisvc.exe           C:\WINDOWS\System32\cisvc.exe                                                     244 KB     3056 KB
    iexplore.exe        C:\Program Files\Internet Explorer\iexplore.exe                                   104 KB     9504 KB
    internat.exe        C:\Aston\XP\internat.exe                                                          120 KB      848 KB
    lsass.exe           C:\WINDOWS\system32\lsass.exe                                                     596 KB     1768 KB
    services.exe        C:\WINDOWS\system32\services.exe                                                  600 KB     1544 KB
    smss.exe            C:\WINDOWS\System32\smss.exe                                                       44 KB      172 KB
    svchost.exe         C:\WINDOWS\system32\svchost.exe                                                   140 KB     1108 KB
    svchost.exe         C:\WINDOWS\System32\svchost.exe                                                  1576 KB    11504 KB
    taskmgr.exe         C:\WINDOWS\System32\taskmgr.exe                                                  1496 KB     1772 KB
    vsmon.exe           C:\WINDOWS\system32\ZONELABS\vsmon.exe                                           1440 KB     5384 KB
    winlogon.exe        C:\WINDOWS\system32\winlogon.exe                                  

Author

Commented:
If ill tell you it happend all of the sudden would it be weirder?..

That pagefile don't even go to the bounderies stated...

Commented:
Post This for me

Regedit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Thanks
wtrmk74

Commented:
Hi,
Rather intrigue by this so please run msconfig
Choose Diagnostic StartUp and advise if problem still happens
If it doesn't then it must be a service or driver etc.
Have a look at the other msconfig tabs to see if anything loading that shouldn't
Finally unless you have a really good reason to clear page file at shutdown - don't as it just takes longer to shutdown.
Also I read in numerous areas to set the page file at 512 Meg. If I find the URL re that I'll post.
I use to have all my company servers at 1024 Meg for page file but after many hours of reading dropped them all to only 512 Meg ( Memory in Servers is 2048 so needed to disable complete dump in system area though) again I'll have a look for URL on this.

Any way I look forward to an EE solution to this.

Cheers
Ian

Commented:
Your DDR memory is proberly bogus or the pipe (ea bios or hardware on motherboard) to it is not working properly.
If you let windows choose for it self the memory swap usage, is will continuely check what it needs, depending on access to drives and other systems and depending on installed memory.

Author

Commented:
Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Class Name:        <NO CLASS>
Last Write Time:   13/04/2004 - 11:41
Value 0
  Name:            NeroCheck
  Type:            REG_SZ
  Data:            C:\WINDOWS\system32\NeroCheck.exe

Value 1
  Name:            SoundMAXPnP
  Type:            REG_SZ
  Data:            C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

Value 2
  Name:            Zone Labs Client
  Type:            REG_SZ
  Data:            C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe

Value 3
  Name:            MSConfig
  Type:            REG_SZ
  Data:            C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

--------------

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

this key is empty.

Author

Commented:
For both parkerig and mahae , I've ran windows at Safe Mode whice it is same as diagnostical startup and the problem havn't occur.. , So it seem that maybe it's a faulty service or somthing else unknown since it realy acts out randomly - jumping from 100 to 1000 and via versa in random timings without running somthing new.. , I tried looking everywhere for something that runs and making this problem , msconfig , registry editor etc..

But.. , another thing i saw is the RAM inusement , I think it is getting optimized and unused frequent somewhy..

I'm not running any program that autooptimize or somthing it is just like that.

Well it's not a fact yet but ill try to provide more clues.

Thanks ahead.

Author

Commented:
Yup it seems the memory is stuck at 437016k(83% free) and only the page file functioning.. as i opened many many programs that consume memory..

Author

Commented:
Mmm.. , well my bad it wasn't refreshed so dont mind the "stuck at 437016k(83% free)" thing.


:P
Unlock this solution with a free trial preview.
(No credit card required)
Get Preview
Unlock this solution with a free trial preview.
(No credit card required)
Get Preview
Top Expert 2004

Commented:
Imho,

Try uninstalling Nero first...and see what happens.

Is your XP machine patched with XP Service Pack 1 (and all other fixes and critical update) from Windows Update?
If not then please do so.

You should also follow banks1850 good comments for better performance.
Good luck and have a nice day.

Author

Commented:
I have all Driveres both GPU , DirectX , Updated all at windows update , ill see if there's new bios update.

Ill try to uninstalled nero soon as my other computer(Shared internet) is finish his work.. since it need restarting.

About the sp1 i uninstalled it coz i tought it would help solve the problem but it didn't , I reupdated everything at windows update , i didn't notice if the SP1 is installed or not.

So for all your questions please follow the link below its images of many things you might need to know of the system :

http://www.villagephotos.com/pubbrowse.asp?selected=843339


Please notive all photos taken when the page file wasn't sky high , Ofcourse it wasn't intentionly.

ill try to catch it skyhigh and make a screen of it soon.

Author

Commented:
IT seems the ram is consumes to 0 when the page file icreasing to 1000 MB..

Please see this photo i added now too :

http://www.villagephotos.com/pubbrowse.asp?selected=843339

Commented:
Looking over your task manager files....
some curious entries arise....   Are you using Bilangual Windows ?

internat.exe
http://www.liutilities.com/products/wintaskspro/processlibrary/internat/

However the entry is only used in bilangual supprted OS. and should be about 20kb to 30kb

Conclusion = Possible Trojan or new variant of this
http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.netsnake.html

Also...
aston.exe is a desktop manager and shell replacement for Windows.
if you do not have this or know about this could be another problem surrounding your problems. If your new shell replacement has been corrupted you will recieve spikes and errors and all sorts of problems running apps.

I would recommend also to varify the zlclient.exe has not been corrupted - This is your zone alarm client that runs in the background.

disconnect your PC from the internet....uncheck the run as service in your zone alarm dialog boxes....restart your PC and check on the entries listed above.

good luck
wtrmk74

Commented:
even the most tidy of systems can get infected !

Commented:
Hi,
I can't see any virus checker running.
Can you please confirm that you have booted into safe mode and run a full virus scan with the latest virus defns.
Thanks in advance
Ian.

Below is my stock standard advise on virus checking

https://www.experts-exchange.com/Miscellaneous/Q_20936305.html

Author

Commented:
o.k

I downloaded norton antivirus 2004 and checked viruses on safe mode(I already checked before that with panda antivirus , updated , no viruses found) and it found the following viruses :

1.winlogon.exeCommon Startup

2.cd_clint.dll

Altough it have been deleted the memory is still going mad and the problem consist , The page file is arising uncontorlably...


About the internat.exe and aston.exe , I'm aware of them , Aston is my shell instead of explorer hog , Aston is using internat.exe , I never had problem with it for a year..

Ill try unloading the zone alarm and all the other stuff now on clean start..

Please help me more ill give extra points plx!! , It works perfectly in safe mode no spiking and things...

chao..
Commented:
Unlock this solution with a free trial preview.
(No credit card required)
Get Preview

Commented:
ShadowRack,
Thank you for your feedback.

Can I please ask you to startup zone alarm, remove all programs out of the program control and then see what POPS up.
I suggest this as there my be a program trying to send something out.
This will catch it and give us a hint.

Also having used many spy ware products I decided to retry http://pestpatrol.com
The earlier versions were terrible but version 4 just found an extra 35 problems including 2 high risk.

Suggest you give it a try. The trial version can't delete automatically but tells you how to delete manually.
I am about to spend the coin and buy it - very impressed.

Re BlackViper above - good advice but make your own decisions based on his advice.
I'm opening myself up here but the worst service ever ( in my humble opionion) has to be SSDP Discovery Service.

Cheers
Ian

Author

Commented:
Belive me  wtrmk74 i have spent alot but i'm not kidding , ALOT of my time disabling most of the services much more than the 19 i'm running currently , However disabling more than that will cause in infunction in the Internet and the Intenet Sharing which i need since i share 1 internet connection into 2 computers , BTW i've been to like 5 site like this and blackviper is not so "clear" in his settings modes.

parkerig , I tought about that idea and i shall uninstall zonealarm totaly including all it's settings including the program control as ill be back from work.

As for a total conclusion i might need to disable every service and wait some time to see which makes the spikies..

Please think about more ideas while im gone

Thanks alot all of you.
Joseph NyaemaIndependednt Consultant
CERTIFIED EXPERT
Top Expert 2005

Commented:
Your system seems to be running normally.

You mentioned that you have about 512MB of RAM.

The recommend page-file size is twice your physical ram.
I personally recommend three times.

Your page file only spikes to twice your physical RAM, once in a while expecially on startup.
That to me is normal, and should not be a reason for worry, unless there is a more worrying phenomenon.

Author

Commented:
It's not happening at startup , It's happening randomly in a season of usement of the pc at windows xp slowing the computer like a slug with sars...

well soon ill try what u suggested me my bro is using the other comp..

Commented:
If you got more then one memory bank filled inside this pc remove all of them and check them one for one, if the problem keeps occuring with every one of them, then it's proberly a system process what is not working properly. If not,...

Author

Commented:
That must be a process since it's works fine at safe mode..

I've noticed that the spikes usage happends allot when the screensaver comes.. , well maybe it's another hint but it happends when it's not in screen server season too obviusoly..

I tried revoming the zonealarm program control and to update it again but it didnt work even with an access only to the internet only for iexplorer , messanger and outlook express..

Author

Commented:
Even with no programs at all allowed , so probebly not internet guided problem or is it?

Author

Commented:
Also when system is idle for a bit

Author

Commented:
I added new photo :

http://www.villagephotos.com/pubbrowse.asp?selected=843339

I managed to find the spikes happens when the system is idle for about 5 minutes and when i deleted all program access on zonealarm , A window popup saying scvhost.exe need accesss to the intenet from zonealarm showen up , So it is probebly 1 of the system services.. , anyone knows about the one that initiate when idle process??

plx help me ppl

Author

Commented:
Added another photo that shoes the usage spikes 25 mins when the computer was idle and when i came back it fixed up...

http://www.villagephotos.com/pubbrowse.asp?selected=843339

Commented:
I know there are some issues with zone-alarm, remove it from your system, and get the internet connection out. See of the system keeps steady now.

Commented:
I know you probably dont want to do this but
Download HiJackThis
and post the report on your next visit
http://www.spychecker.com/program/hijackthis.html

I think we need to go deeper !

wtrmk74

Author

Commented:
Logfile of HijackThis v1.97.7
Scan saved at 03:05:31, on 15/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Aston\aston.exe
C:\Aston\XP\internat.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Download\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
F0 - system.ini: Shell=C:\Aston\aston.exe ,svchost.exe
F2 - REG:system.ini: Shell=C:\Aston\aston.exe ,svchost.exe
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: Shortcut to killpnp.lnk = C:\killpnp.bat
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://c:/x.mht!file:///c:/pl.exe
O16 - DPF: {18871EA7-1B30-46DE-9283-E96E707492BA} (Playcom_ATL_Object Class) - http://www.netbabyworld.com/media/playcom/Playcom.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/patch/EARTPX.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37905.6196875
O16 - DPF: {A7798D6C-C6B5-4F26-9363-F7CDBBFFA607} (download Class) - http://www.gigex.com/ActiveX/vxpspeeddelivery.dll
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/patch/MaxisSimCity4PatcherX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/BlogTVBU/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5090935-6599-4CA3-8BE0-62AD13F1B67D}: NameServer = 212.150.48.169 206.49.94.234

Author

Commented:
I already tried not loading all zone alarm services and it didn't worked out :/

Commented:
Remove google tool bar

Ian
Unlock this solution with a free trial preview.
(No credit card required)
Get Preview
hey,
read this:

Please note that there is a legitimate Windows application called %windir%\system\Internat.exe. The Trojan file (also known as internat.exe) is 82.5 KB in length and uses a zip file icon. The "real" Internat.exe is generally about 20 KB in length with a "?" icon.

why is internat.exe running on your machine ? are you using international settings ?

can you remove it from your startup (either using msconfig) or edit the run key.

also, I realized that a very important way to determine if this problem is coming from a user installed software package or if it's some windows issue is to see if this activity happens if you DO NOT LOGIN for the first minutes of your boot up.

haresh

Commented:
haresh-nyc

that was mentioned in previous post !
did you read entire thread yet ?

Commented:
HijackThis Log:

OK here's something that needs fixing !
Downloaded Program Files (DPF)

O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://c:/x.mht!file:///c:/pl.exe

What is this ?
http://www.tapuz.co.il

O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/BlogTVBU/launcher.cab


SIMCITY , GAMINGZONE , and GIGEX dont really need to be ran when explorer opens unless you live for gaming !

NETBABYWORLD ?

WINDOWS UPDATE and MACROMEDIA are OK entries

wtrmk74

Commented:
Also fix this:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm


Question are you running a start up batch script ?
Because this is running !
O4 - Global Startup: Shortcut to killpnp.lnk = C:\killpnp.bat

Also....
Browser Helper Objects (BHO)
BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
The Windows Update starts only when the system is idle and also tries to access the internet (to see if updates are available). You can try disabling it:
right click on My Computer, Properties, Automatic Updates, uncheck "Keep my computer up to date".

Author

Commented:
Problem found! , It's the proccess Cidaemon.exe it eates all memory after some idleness and going back to normal after returning!

it doesn't load at the startup so it is probebly a manual proccess ill try to find the fix to beat it without windows probelem(if it is needed).


Special thanks to haresh-nyc with the help in task manger detection.

Author

Commented:
I disabled the indexing service as the source for the mem hog.. , If it works ill split points since many ppl here gave usufull hints , PLEASE TELL ME IF IT IS NOT RECOMMENDED TO DISABLE INDEXING SERVICE.

Thanks.
no problem to disable indexing.
I hate indexing.

keep it disabled forever !!!!!

haresh :)

Author

Commented:
I guess it's fixed now , 99%


Thanks for anyone that helped , You are great team even as total strangers to each other :P

Commented:
Glad it's all better!

Check on your Hijack This entries ....

Take Care
wtrmk74
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a free trial preview!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.