Posted (edited)

Hey guys, first time poster here.

 

I've had this problem now for a few days and just can't wrap my head around it. Basically when Windows starts the performance is very very sloppy because something is using 100% of the physical memory. I haven't installed any recent software or hardware that could have done this, it literally came out of the blue. My first guess would be that the hard drive is on its last campaign, but would that use up all of the physical memory? I have no idea at this point.

 

Now the second obvious question would be: is it just faulty RAM? I ran memtest overnight and all results came back positive with no errors. I've taken the memory out one by one and booted up successfully on single sticks of RAM, but as soon as Windows starts, something eats away at the memory.

 

Ending the explorer process frees up the majority of physical memory and seems to run just as it should, I tested multiple programs / browsing the internet using the task manager run command.

 

The Wait Chain for explorer.exe and svchost.exe are most commonly queued up, here's just a bit of info on the most common threads that seem to keep hanging.

 

Thread 656 - ntdll.dll!RtlUserThreadStart

ntoskrnl.exe!memset+0x64a
ntoskrnl.exe!KeWaitForMultipleObjects+0xd52
ntoskrnl.exe!KeWaitForSingleObject+0x19f
ntoskrnl.exe!PoStartNextPowerIrp+0xba4
ntoskrnl.exe!PoStartNextPowerIrp+0x1821
ntoskrnl.exe!KeWaitForMultipleObjects+0xf5d
ntoskrnl.exe!KeWaitForMultipleObjects+0x26a
ntoskrnl.exe!NtWaitForSingleObject+0x40f
ntoskrnl.exe!NtWaitForSingleObject+0x77e
ntoskrnl.exe!KeSynchronizeExecution+0x3a43
ntdll.dll!ZwWaitForMultipleObjects+0xa
KERNELBASE.dll!GetCurrentProcess+0x40
kernel32.dll!WaitForMultipleObjects+0xb0

Thread 5868 - ole32.dll!ObjectStublessClient24+0x18d8

ntoskrnl.exe!memset+0x64a
ntoskrnl.exe!KeWaitForMultipleObjects+0xd52
ntoskrnl.exe!KeWaitForSingleObject+0x19f
ntoskrnl.exe!PoStartNextPowerIrp+0xba4
ntoskrnl.exe!PoStartNextPowerIrp+0x1821
ntoskrnl.exe!KiCheckForKernelApcDelivery+0x25
Ntfs.sys+0x99f6e
fltmgr.sys+0x1098
fltmgr.sys!FltIsCallbackDataDirty+0x1fca
fltmgr.sys!FltDeletePushLock+0x1e0
ntoskrnl.exe!NtReadFile+0x419
ntoskrnl.exe!KeSynchronizeExecution+0x3a43
ntdll.dll!NtReadFile+0xa
KERNELBASE.dll!ReadFile+0x7a
kernel32.dll!ReadFile+0x59

Thread 5612 - ntdll.dll!RtlValidateHeap+0x170

ntoskrnl.exe!memset+0x64a
ntoskrnl.exe!KeWaitForMultipleObjects+0xd52
ntoskrnl.exe!KeWaitForSingleObject+0x19f
ntoskrnl.exe!PoStartNextPowerIrp+0xba4
ntoskrnl.exe!PoStartNextPowerIrp+0x1821
ntoskrnl.exe!KeWaitForMultipleObjects+0xf5d
ntoskrnl.exe!KeWaitForMultipleObjects+0x26a
ntoskrnl.exe!NtWaitForSingleObject+0x40f
ntoskrnl.exe!NtWaitForSingleObject+0x77e
ntoskrnl.exe!KeSynchronizeExecution+0x3a43
ntdll.dll!ZwWaitForMultipleObjects+0xa
KERNELBASE.dll!GetCurrentProcess+0x40
kernel32.dll!WaitForMultipleObjectsEx+0xb3
USER32.dll!GetScrollBarInfo+0x1dd
USER32.dll!MsgWaitForMultipleObjectsEx+0x2e
ole32.dll!CreatePointerMoniker+0x7f2
ole32.dll!CreatePointerMoniker+0x6ef
ole32.dll!STGMEDIUM_UserUnmarshal+0x28f0
ole32.dll!CoGetInstanceFromFile+0xa27f
ole32.dll!CoGetInstanceFromFile+0x6aab
ole32.dll!CreatePointerMoniker+0x3c2
ole32.dll!CreatePointerMoniker+0x5ef
ole32.dll!DcomChannelSetHResult+0x31d0
ole32.dll!CoGetInstanceFromFile+0x64ad
RPCRT4.dll!Ndr64AsyncServerCallAll+0x14c9
ole32.dll!CoGetInstanceFromFile+0x6620
ole32.dll!DcomChannelSetHResult+0x3066

A lot of the wait chain seems to come down to ntdll.dll!RtlValidateHeap+0x170


svchost.exe (LocalSystemNetworkRestricted)

Thread 3140 - hidserv

ntoskrnl.exe!memset+0x64a
ntoskrnl.exe!KeWaitForMultipleObjects+0xd52
ntoskrnl.exe!KeWaitForSingleObject+0x19f
ntoskrnl.exe!PoStartNextPowerIrp+0xba4
ntoskrnl.exe!PoStartNextPowerIrp+0x1821
ntoskrnl.exe!KeWaitForMultipleObjects+0xf5d
ntoskrnl.exe!KeWaitForSingleObject+0x19f
ntoskrnl.exe!NtWaitForSingleObject+0xde
ntoskrnl.exe!KeSynchronizeExecution+0x3a43
ntdll.dll!NtWaitForSingleObject+0xa
KERNELBASE.dll!WaitForSingleObjectEx+0x9c
hidserv.dll!ServiceMain+0x11f
svchost.exe+0x1344
sechost.dll!RegisterServiceCtrlHandlerExA+0x269
kernel32.dll!BaseThreadInitThunk+0xd
ntdll.dll!RtlUserThreadStart+0x21

Now none of the above may relate to the problem I'm having, but I thought it might be worth mentioning.

 

Other info is in attachments. (OTL.txt was over 200kb so I couldn't upload it as .txt)

 

Here are a few images also RM_Memory | RM_Disk | RM_CPU | Task Manager Performance

 

So all in all, I really have no idea at this point, any help would be appreciated.

procexp.txt

aswMBR.txt

Extras.Txt

OTL.zip

Edited by Mag476
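A way to read the wait-chain stacks in the post above, given as an added example that is not part of the original thread: it parses Process Explorer style `module!symbol+0xoffset` frames and reports, per thread, the system call the thread is sitting in and any kernel drivers on the path. The sample is a shortened copy of three stacks from the post; the function names and the three state labels are assumptions of this example.

```python
import re

# Sample input: three stacks from the post above, shortened to the frames used here.
STACKS = """
Thread 656 - ntdll.dll!RtlUserThreadStart
ntoskrnl.exe!memset+0x64a
ntoskrnl.exe!KeWaitForMultipleObjects+0xd52
ntdll.dll!ZwWaitForMultipleObjects+0xa
kernel32.dll!WaitForMultipleObjects+0xb0

Thread 5868 - ole32.dll!ObjectStublessClient24+0x18d8
ntoskrnl.exe!memset+0x64a
ntoskrnl.exe!KeWaitForSingleObject+0x19f
Ntfs.sys+0x99f6e
fltmgr.sys!FltIsCallbackDataDirty+0x1fca
ntoskrnl.exe!NtReadFile+0x419
ntdll.dll!NtReadFile+0xa
kernel32.dll!ReadFile+0x59

Thread 3140 - hidserv
ntoskrnl.exe!KeWaitForSingleObject+0x19f
ntdll.dll!NtWaitForSingleObject+0xa
hidserv.dll!ServiceMain+0x11f
svchost.exe+0x1344
"""

HEADER = re.compile(r"^Thread (?P<tid>\d+) - (?P<start>.+)$")
FRAME = re.compile(
    r"^(?P<module>[\w.]+)(?:!(?P<symbol>\w+))?(?:\+0x(?P<offset>[0-9a-fA-F]+))?$"
)


def parse_stacks(text):
    """Split the dump into threads, each with a list of (module, symbol, offset)."""
    threads, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER.match(line)
        if header:
            current = {"tid": int(header["tid"]), "start": header["start"], "frames": []}
            threads.append(current)
            continue
        frame = FRAME.match(line)
        if frame and current is not None:
            current["frames"].append((frame["module"], frame["symbol"], frame["offset"]))
    return threads


def summarize(thread):
    """Report the ntdll Nt*/Zw* stub the thread entered the kernel through."""
    syscall = next((sym for mod, sym, _ in thread["frames"]
                    if mod.lower() == "ntdll.dll" and sym and sym[:2] in ("Nt", "Zw")), None)
    drivers = sorted({mod for mod, _, _ in thread["frames"] if mod.lower().endswith(".sys")})
    if syscall and "File" in syscall:
        state = "file I/O"        # blocked in a read/write, not merely idle
    elif syscall and "Wait" in syscall:
        state = "object wait"     # normal idle wait on an event or handle
    else:
        state = "unknown"
    return {"tid": thread["tid"], "syscall": syscall, "drivers": drivers, "state": state}


if __name__ == "__main__":
    for t in parse_stacks(STACKS):
        print(summarize(t))
```

Frame names with large offsets, such as `memset+0x64a`, are the nearest exported symbol rather than the function actually executing, so the summary relies only on the ntdll system-call stub and the driver module names.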
Posted
No new software or hardware... Out of interest, have you checked the MB/computer manufacturer's website to see if there's a BIOS update? (Usually they say what they are for, i.e. fixes problem with memory controller, etc.)
Posted (edited)

As of right now, the computer in question won't even make it to POST. It makes it to the mobo intro screen then hangs while the hdd led stays on full time.

 

And to answer your question, the BIOS is currently up to date with the latest revision. I'm confident it's hardware failure, but it's sketchy trying to pinpoint it.

 

I installed a bunch of updates just before it started hanging before POST, are there any hardware tests, similar to memtest86 but for hard-drives?

Edited by Mag476
Posted
Removed a DVD drive which appears to be faulty and now the machine will boot (that explains the hidserv activity) but something is still eating away at the memory as soon as I login.
Posted

Hi, good to know at least that DVD drive was one of the problems and sorted by removing it.

Have you looked in the task manager?

Click Start, then in the search box type, or copy and paste: taskmgr

 

Click on or select taskmgr.exe, then select the processes tab, have a look under memory as to what is using the high amount, let us know what you find.

It should also tell you on the bottom right "Physical Memory" in %

 

Nev.

 

Need help with your computer problems? Then why not join Free PC Help. Register

here

 

If Free PC Help has helped you then please consider a donation. Click here

 

We are all members helping other members.

Please return here where you may be able to help someone else.

After all, no one knows everything and you may have the answer that someone needs.

 

 

 

--------------------------------------------------------------------

I have installed Windows, now how do I install the curtains? :D

http://i7.photobucket.com/albums/y282/plasticpig/Nev2.gif

Posted (edited)

Sorry, I should have mentioned in an earlier post, the procexp.txt with my other attachments above contains all of the process info that was running around the time that I made the first post, all info in my attachments was taken together and the same problem is still occurring.

 

The 2 main processes which are noticeably the most active are explorer.exe and svchost.exe (LocalSystemNetworkRestricted). Like I said in the original post, terminating explorer.exe stops the memory leak (or w/e it is) and puts it from 95 -100% usage down to a more stable 25 - 30%.

 

All services affiliated with svchost.exe (LocalSystemNetworkRestricted) are:

 

wudfsvc - Windows Driver Foundation - User Mode Driver Framework

UxSms - Desktop Window Manager Session Manager

SysMain - Superfetch

PcaSvc - Program Compatibility Assistant Service

Netman - Network Connections

IPBusEnum - PnP-X IP Bus Enumerator

HomeGroupListener - HomeGroup Listener

hidserv - Human Interface Device Access

AudioEndpointBuilder - Windows Audio Endpoint Builder

 

During startup explorer's working set usually builds up to around 140,000 - 150,000 K and maintains for a good amount of time, during this time HDD activity skyrockets as well.

 

I can't say I've really paid any attention to how much memory explorer or svchost has used in the past because I've never had a problem with them until now.

 

Here is a pic (from my original post) which shows memory % in task manager.

Edited by Mag476
Posted

OK, thanks, there is something strange as explorer shouldn't be anywhere near that.

I have let our security guy Starbuck know you have posted the OTL logs etc as attachments, so he can take a look see if there is a malware presence causing it. Please be patient as he may be busy elsewhere.

Nev.

 


Posted
In answer to your question re HD diagnostics, check the manufacturer's website as they usually have their own program, i.e. SeaTools. Some are better than others. As mentioned previously, most problems I get with HDs are cable related. So if you suspect the HD, change the cable or swap end for end and reseat several times. Perhaps try a different MB connection. Or is it IDE?
Posted

It's a SATA connector, I've tried several slots with the same results and all power connectors are working as they should.

 

Thanks for the info, I found just what I was looking for on the Seagate website (my primary HDD is Seagate, it never occurred to me to check their website). They have a series of tests bootable from DOS, now my only problem is I have no DVD drive to run it from haha, I guess I'll try and use the desktop one until my new drive arrives, but that may prove difficult with how slow the machine is. I'll report back when it's done.

Posted

As yet I don't think there is a problem with the hard drive. I am still very suspicious of that high activity within explorer and if not malware, which only an examination of those OTL and other logs will reveal (sorry, they are gobbledegook to me ha ha), the only other thing could be a software conflict.

I must ask, but have you more than one antivirus running or more than one firewall? If you have a third party firewall such as Comodo, for instance, check that the Windows own one is turned off. Sometimes odd updates will turn it back on, then it conflicts with the other firewall.

Same for antivirus, two trying to run at once will cause high level conflicts too.

 

Nev.

 


Posted

I'm currently running tests on my HDD, all tests so far have given a green light, but it's doing a long generic scan right now which will take a few hours.

 

I'm not using more than one anti-virus/firewall, I have Microsoft Security Essentials installed, and am just using Windows Firewall, both appear to be working wonders. I've run anti-virus/malware scans and everything appears fine there.

Posted

Doesn't look like the HDD is the problem.

 

--------------- SeaTools for Windows v1.2.0.5 ---------------

02/10/2011 11:59:45

Model: ST3750640AS

Serial Number: 5QD3PCC9

Firmware Revision: 3.AAE

SMART - Pass 02/10/2011 11:59:45

Identify - Started 02/10/2011 12:00:23

SMART: Supported and enabled

48-bit Address feature set supported: True

Max LBA: 1465149167

Host Protected Area features: Supported and enabled

Mandatory Power Management: Supported and enabled

Security Mode: Supported not enabled

SET MAX security extension: Supported not enabled

Advanced Power Managment: Not Supported

Download Firmware: False

SMART self-test supported: True

SMART error logging supported: True

Drive Temperature(C/F): 50/122

Power-On Hours: 18778

Identify - Started 02/10/2011 12:01:09

SMART: Supported and enabled

48-bit Address feature set supported: True

Max LBA: 1465149167

Host Protected Area features: Supported and enabled

Mandatory Power Management: Supported and enabled

Security Mode: Supported not enabled

SET MAX security extension: Supported not enabled

Advanced Power Managment: Not Supported

Download Firmware: False

SMART self-test supported: True

SMART error logging supported: True

Drive Temperature(C/F): 50/122

Power-On Hours: 18778

Short Generic - Started 02/10/2011 12:01:36

Short Generic - Pass 02/10/2011 12:02:59

Short DST - Started 02/10/2011 12:04:16

Short DST - Pass 02/10/2011 12:06:48

Identify - Started 02/10/2011 12:09:34

Long Generic - Started 02/10/2011 15:32:27

Long Generic - Pass 02/10/2011 21:54:10

 

:eek:

Posted
What happens if you turn off search indexing? (indexing options / modify) perhaps rebuild the index if you want it to continue operating.
Posted
Just tried that, it seems to definitely have something to do with the explorer process, I just tried disabling the search service but as soon as explorer starts it still slowly builds up to 100% Physical Memory usage and maintains, making the computer very very sloppy.
  • ExTS Admin
Posted

Hi Mag476

 

(OTL.txt was over 200kb so I couldn't upload it as .txt)

It's not surprising.

Where did you get that set of custom scans from?

It was obviously posted by someone who has a lot more time to spare than we do. (There's too much not needed info there.)

Plus some important ones are missing.

 

Let's see if we can wade through all this.

Yes, there are signs of unwanted programs in the report and some possible conflicts.

 

P2P Warning

Please note that as long as you're using any form of Peer-to-Peer networking ( Frostwire, Bit Torrent, UTorrent etc.) and downloading files from non-documented sources, you can expect infestations of malware to occur.

Once upon a time, P2P file sharing was fairly safe. That is no longer true.

P2P programmes form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.

 

Many of the programmes come bundled with other unwanted programmes, but even the ones free of any bundled software are not safe to use.

When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

 

You may decide to continue P2P sharing, but keep in mind that this practice may be the source of future malware infestation.

If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programmes, we may refuse to help you.

 

Step 1

Please download DeFogger to your desktop.

 

Double click DeFogger to run the tool.

  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

 

Do not re-enable these drivers until otherwise instructed.

 

 

Step 2

Please remove Spybot - Search & Destroy from the system.

It's old and outdated and I don't know of any security experts that still recommend it.

Reboot the system once removed.

You also had Ad-Aware on the system, but it seems to have been removed.

We'll remove the leftovers of this program.

 

MSCONFIG should be used as a means of testing... not as a permanent means of stopping programs.

 

Step 3

Double click on OTL to run it.

Copy the lines in the codebox below. (Make sure that :Otl is on the first line.)

:otl
DRV:64bit: - [2010/12/03 10:05:34 | 000,069,152 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\Lbd.sys -- (Lbd)
O2:64bit: - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE_64.dll (AnchorFree Inc.)
O2 - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE.dll (AnchorFree Inc.)
O4 - HKLM..\Run: [AdobeCS5ServiceManager] C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKCU..\Run: [] File not found
O4 - HKCU..\Run: [AdobeBridge] File not found
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\Setup.exe
@Alternate Data Stream - 110 bytes -> C:\ProgramData\TEMP:888AFB86

:Files
ipconfig /flushdns /c

:commands
[emptytemp]
[purity]
[RESETHOSTS]
[EMPTYFLASH]

  • Return to OTL,
  • right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
     
    http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
     
  • Click the red Run Fix button.
     
    http://img.photobucket.com/albums/v708/starbuck50/runfixbutton.png
     
  • OTL will reboot your system once the fix has completed.
  • After the reboot, you may need to double click OTL to launch the program and retrieve the log.

 

Copy and paste the contents of the OTL log that comes up after the fix in your next reply.

 

If you lose the report, there will be a copy here:

C:\_OTL\MovedFiles

 

 

Step 4

Download CKScanner

 

Important - Save it to your desktop.

Doubleclick CKScanner.exe and click Search For Files.

After a very short time, when the cursor hourglass disappears, click Save List To File.

A message box will verify the file has been saved.

Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

 

 

In your next reply, please submit:

Otl fix report

CKFiles.txt

 

Thanks.

Member of:

UNITE
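A way to review what a fix script like the one in Step 3 targets before pasting it into OTL, given as an added example that is not part of the original post or of OTL itself: it splits the script into sections, labels each entry, and notes orphaned or autorun-related items. The sample is a subset of the lines quoted above; the labels, field layout and function names are assumptions inferred from those lines.

```python
import re

# Sample input: a subset of the fix-script lines quoted in the post above.
SAMPLE = r'''
:otl
DRV:64bit: - [2010/12/03 10:05:34 | 000,069,152 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\Lbd.sys -- (Lbd)
O2 - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE.dll (AnchorFree Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKCU..\Run: [AdobeBridge] File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\Setup.exe
@Alternate Data Stream - 110 bytes -> C:\ProgramData\TEMP:888AFB86
:commands
[emptytemp]
'''

# Labels follow the wording each line carries on this page (assumed, not OTL documentation).
LABELS = {"DRV": "driver", "O2": "browser helper object", "O4": "Run key",
          "O16": "DPF", "O21": "SSODL", "O33": "MountPoints2"}
ENTRY = re.compile(r"^(?P<tag>DRV|O\d+)(?P<x64>:64bit:)? - (?P<body>.+)$")
ADS = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+):(?P<stream>[^:\\]+)$")


def notes_for(tag, body):
    """Reasons an entry deserves a second look, based only on the line's own text."""
    notes = []
    if "File not found" in body:
        notes.append("target file missing")
    if "No CLSID value found" in body:
        notes.append("CLSID not registered")
    if tag == "O4" and re.search(r"Run: \[\]", body):
        notes.append("unnamed Run value")
    if tag == "O33" and "AutoRun" in body:
        notes.append("drive autorun handler")
    return notes


def parse_fix(text):
    """Return one dict per script line, tagged with its section and entry kind."""
    section, items = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):              # :otl, :Files, :commands
            section = line[1:].lower()
            continue
        if section == "commands":
            items.append({"section": section, "kind": "command",
                          "value": line.strip("[]").lower()})
            continue
        ads, entry = ADS.match(line), ENTRY.match(line)
        if ads:
            items.append({"section": section, "kind": "ads", "path": ads["path"],
                          "stream": ads["stream"], "size": int(ads["size"])})
        elif entry:
            tag = entry["tag"]
            items.append({"section": section, "kind": LABELS.get(tag, tag),
                          "x64": bool(entry["x64"]), "body": entry["body"],
                          "notes": notes_for(tag, entry["body"])})
        else:
            items.append({"section": section, "kind": "other", "value": line})
    return items


if __name__ == "__main__":
    for item in parse_fix(SAMPLE):
        print(item)
```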

Posted

Hi, Starbuck.

 

Where did you get that set of custom scans from?

 

I got those scans from another PC help forum, with me having no experience with OTL I figured those scans would be better than nothing. I kindly asked the OP over at the other forums to close the thread after he asked that I remove P2P software (uTorrent) before we continued, so I've been looking around for help since.

 

Now don't get me wrong, I'm well aware of the risks of using P2P software and if the problem is found to be P2P related then I'll gladly remove it, but the fact I've been using it for years without any problems doesn't even make it a suspect from my perspective.

 

I did everything you mentioned in order, only the CKScan took a considerable amount of time, locking up the PC as it was scanning.

 

Logs attached.

ckfiles.txt

10042011_055025.txt

Posted

Just reading this thread - Check out the last post re nvidia drivers. Could be of interest? (No one has commented on it, which makes it more interesting.) Unless you are all AMD/ATI of course.

 

How much free space do you have on your boot drive?

If it's a bit full you could create some space by deleting any unnecessary restore points. You can do this easily in ccleaner (tools/system restore.. study the list and delete any you don't need)

Posted

I'm using an ATI Radeon HD 4870X2, I do have multiple HDD's, 3 internal and 2 external all 1TB apart from my primary boot HDD. The external drives are not an issue as they're never on full-time.

 

I will be first to admit that the computer is a 'bit' cluttered, I have a lot of programs installed for various things from video editing / video encoding / 3d modelling / photo editing / audio editing / map editing / gaming (on a separate hard drive). There's about 250GB of free space right now with pending files to be moved to external drives (I used it as a temp base for encoding bluray movies before this problem started happening.)

  • ExTS Admin
Posted
if the problem is found to be P2P related then I'll gladly remove it, but the fact I've been using it for years without any problems doesn't even make it a suspect from my perspective.

If I had a £ or a $ for every time that's been said to me, I could take another holiday this year.

Just because you don't notice any problems, doesn't mean there aren't any.

The O2 lines we removed were malware related.

 

he asked that I remove P2P software (uTorrent) before we continued

Some forums are very strict about this.... and not without good reason.

We will sometimes ask this as well, but if we see evidence of illegal programs, we will stop help.

 

c:\users\public\vuescan\crack\vuescan.exe

c:\users\public\vuescan\crack\vuescan.reg

This is a good enough reason to withdraw help.

Member of:

UNITE

This topic is now closed to further replies.