Netgear GA311 Gigabit NIC Question
pop pop
04-17-2005, 12:31 AM
I just fixed a nice HP Pavilion desktop unit that was really FUBAR'd. The box is just over a year old and, once again, the kids almost destroyed it with massive malware infestations (Kazaa, Imesh, no firewall, and expired AV). I dropped it off, showed how it runs better than new, and the mom and dad were so happy they gave me two more to fix. One is dad's laptop and the other is an old Gateway (unsure of model) that they want cleaned up for the kids to destroy instead of the new Pavilion.
It has an Intel mobo with a P3 800+ running Win ME with 64MB RAM, RIVA NT AGP video, 30GB HDD, modem, SoundBlaster, and no NIC...they asked me to "fix it" and gave me a Netgear GA311 to install. Clean up was easy. I installed a firewall and the NIC and tried to run Winupdate but the thing would hang searching for updates. I looked under the hood and memory was at zero so I installed an additional 128MB and got all the needed updates. What started happening was the thing would slowly get "choppy", the cursor would resist responding and eventually the system would freeze. I ruled out heat, ran diags on the memory (PASS), and started to suspect HDD or graphics card.
The HDD is a brand I've never heard of and is probably not made anymore so I let diags for that go for now. I installed Process Explorer and I see something really strange. Keep in mind that I used MSCONFIG for selective debug startups and I see no IRQ conflicts or device driver issues with the NIC. What it is doing is slowly climbing in the CPU resources it (the NIC) uses. After boot, it starts at maybe 5%, spikes regularly, and the "baseline" CPU usage for its process climbs relentlessly until the system begins to bog down. This happens whether the ethernet cable is connected or not (no traffic).
Anybody ever seen anything like this? I'm going to check the Netgear site for a driver update. Hopefully that is it. I can get another cheap NIC if needed, I guess. They just want me to keep the cost down as much as possible.
Any suggestions would be appreciated.
pop pop
04-17-2005, 01:50 AM
Driver update did nothing. What I see now is a really bad memory leak when the driver is running. It slowly consumes all available RAM and begins to peg the CPU as a result. Killing the driver process halts the memory leak. I guess the GA311 is just not really ME compatible like the documentation said.
Paleo Pete
04-17-2005, 08:51 AM
Sounds like you've still got a malware infection. I know you said you cleaned all that out, but it sounds like something got by all the scans and is still running. How familiar are you with what files should be hanging out in the Windows and System/System32 Folders? Pretty frequently I have to scan through those folders and look for oddball filenames, rename them and reboot. Sometimes the really tough ones manage to set themselves Read Only and refuse to allow changes even in Safe Mode, in which case I boot into a small Linux CD like DSL, Feather or Insert on the Ultimate Boot CD. Once I know what file to look for then it can be renamed or deleted from a Linux OS. I prefer to rename then boot back into Windows and try it, if everything still works right then and only then go ahead and delete the file.
Also a Hijack This log might help us out, and if you haven't run a trojan scan do that too. The symptoms sound exactly like a customer's computer that just about ate my lunch 2 or 3 weeks ago, once I found the files I thought were the problem NOTHING Windows could do would rename anything (even in Safe Mode I got "Access Denied") so a trip to Feather Linux finally made me a happy camper...
pop pop
04-17-2005, 01:37 PM
I guess these days you can never totally rule out malware. As a sanity check, I'll post the HJT log when I get home. It looks clean to me, but then I'm not a certified HJT Zen Master.
As a followup...Last night I disabled (killed) the Netgear Utility that was running and apparently the source of the memory leak. I say utility now because I thought it was the driver itself. It appears not to be. It places a small NIC icon on the task bar that when clicked, just shows the activity/performance of the NIC. Anyway, I killed it, watched to see that the leak stopped, and went to bed leaving all the system monitoring programs (process explorer, memory, CPU, etc) running just to see what would happen overnight. Now, I figured I killed the NIC so there could be no net activity. When I went to check this morning everything looked great except that Sygate was blocking AVG from downloading updates. For grins, I clicked Allow and zoom, off she went (the utility was still not running). So the NIC/driver appears to be independent of the utility, and the utility appears to cause the memory leak. I sent an email to Netgear support.
BTW, I did boot up with Knoppix Linux as another check. The system froze almost immediately after the browser opened. Figure that one out. Netgear's site had a lot of troubleshooting Linux FAQs with this NIC.
I'll still post the HJT log. As for the files hanging around in Windows and Windows/System and System32...I've become more familiar than I want to be. It's worth another look because of all the crap that was on this thing. Also, this is my very first exposure to ME and although it's just another flavor of Windoze, there seem to be subtle and not so subtle differences.
pop pop
04-17-2005, 08:12 PM
I completely unloaded the Netgear Utility and all seems well. Since you asked Pete, here's the log. My guess is it's clean, as are all other scans now.
Logfile of HijackThis v1.99.1
Scan saved at 8:07:54 PM, on 4/17/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\FREERAMPRO\FRAMXPRO\FREERAM XP PRO 1.40.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACKTHIS\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Lone Wolf Computing email: removed by request
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OEMRUNONCE] c:\windows\options\cabs\oemrun.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [FreeRAM XP] "C:\FREERAMPRO\FRAMXPRO\FREERAM XP PRO 1.40.EXE" -win
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: AMERICA ONLINE 8.0 TRAY ICON.LNK = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://gateway.yahoo.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
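A triage pass over a HijackThis log like the one posted above, as an added example that is not part of the thread and not HijackThis's own code. It groups entries by section code, lists the registry autoruns (O4), collects "(file missing)" leftovers, and reports running processes that no Run key accounts for. The function names are hypothetical, and the sample is a short excerpt of the log above.

```python
import re
from collections import defaultdict
# Excerpt of the log posted above: five running processes and five entries.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\FREERAMPRO\FRAMXPRO\FREERAM XP PRO 1.40.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [FreeRAM XP] "C:\FREERAMPRO\FRAMXPRO\FREERAM XP PRO 1.40.EXE" -win
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")        # "O4 - <rest>"
AUTORUN = re.compile(r"^(\S+): \[(.+?)\] (.*)$")      # "<key>: [<name>] <command>"
IMAGE = re.compile(r'([^\\"]+?\.(?:exe|tsk|dll))', re.I)

def image_name(command):
    """Lower-cased file name of the first executable in a path or command line."""
    m = IMAGE.search(command)
    return m.group(1).strip().lower() if m else None

def parse_hjt(text):
    """Split a log into running-process paths and entries grouped by section code."""
    procs, entries, in_procs = [], defaultdict(list), False
    for line in (raw.strip() for raw in text.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries[m.group(1)].append(m.group(2))
        elif line.startswith("Running processes"):
            in_procs = True
        elif in_procs and line:
            procs.append(line)
    return procs, entries

def triage(text):
    """Return autoruns, '(file missing)' leftovers, and processes no Run key explains."""
    procs, entries = parse_hjt(text)
    # Only the registry form "<key>: [<name>] <command>" is parsed; Startup-folder lines are skipped.
    autoruns = [(m.group(1), m.group(2), image_name(m.group(3)))
                for m in map(AUTORUN.match, entries["O4"]) if m]
    started = {exe for _, _, exe in autoruns}
    missing = [e for group in entries.values() for e in group if "(file missing)" in e]
    no_autorun = [p for p in map(image_name, procs) if p not in started]
    return {"autoruns": autoruns, "missing": missing, "no_autorun": no_autorun}
```

A process listed under `no_autorun` is not necessarily unwanted (system components start by other means); the list only narrows down which files to check by hand.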
Fruss Tray Ted
04-17-2005, 09:05 PM
I see Realplayer and MusicMatch Jukebox in that log.
1: I just don't like Realplayer by how much it takes over personal settings. I use Real Alternative (http://www.free-codecs.com/download/Real_Alternative.htm).
2: MusicMatch Jukebox is a host or carrier of Spyware and though I have used it but do plan to again eventually, I use an older version that the spyware can be side-stepped by disabling the mirror sites somewhere in the customization settings (It's been a few years since using it last). The newer versions I've tried are a bit worse IMO.
I wonder if MM was the progressive memory hog involved in this case.
Just a guess, but I'd try disabling JukeBox and trying again.
pop pop
04-17-2005, 10:23 PM
I agree about Real and MM. If it was my PC I would trash both. It's not mine and it's destined for their kids. The kids want the AOL crap and they want music stuff. My assignment was to clean it up so they would have something to use/destroy and not be tempted to go after the nice new HP that I just fixed.
As far as memory usage, no this version of MM (whatever it is, I didn't look), didn't tax the memory too much. Real Player on the other hand did.
I'm declaring this one now suitable for the kids. It now has a firewall, updated OS, updated and active AV, and four or five antispyware apps.
Enough. Now it's on to the dad's laptop...a Dell :eek: