Low virtual memory - HJT log enclosed

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

angel

Thread Starter
Joined
Dec 2, 1998
Messages
2,736
I am posting this for a friend. One of her co-workers is receiving low virtual memory messages when shouldn't be. She ran Spybot, Adaware, etc and did remove a bunch of nasties but still receiving message. Likely there's something still there that shouldn't be but I'm terrible at HijackThis logs. If someone could please analyze this, I would greatly appreciate it.

Thanks!!!

Logfile of HijackThis v1.99.0
Scan saved at 9:06:06 AM, on 1/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cusrvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\slpservice.exe
C:\WINDOWS\system32\slpmonx.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\mdsymonds\Application Data\csin.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\n?svc32.exe
c:\windows\system32\ttitga.exe
c:\windows\system32\packager.exe
C:\Temp\MDSYMO~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://iprint.hsl.wisc.edu:631/login/ippdocs/pcontrol.htm
R3 - Default URLSearchHook is missing
O1 - Hosts: 128.104.105.17 zenwsimport
O1 - Hosts: 128.104.105.17 zenmaster
O1 - Hosts: 128.104.105.16 medportal
O1 - Hosts: 128.104.105.15 mscss
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000002230} - C:\Program Files\CSBB\CSBB.DLL
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SDWin32 Class - {5BACD57A-67CC-4280-9261-C2BD13E5964D} - C:\WINDOWS\System32\sgwkl.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SDWin32 Class - {808EB237-797E-4661-91CE-2B98B578AB63} - C:\WINDOWS\System32\cxgij.dll
O2 - BHO: SDWin32 Class - {A336B0C8-52EB-41C9-80A1-A5B30F280C17} - C:\WINDOWS\System32\pscfz.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {D808B033-748A-7B21-86E0-73A2AD803AB1} - C:\WINDOWS\System32\glmmnc.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ttitga] c:\windows\system32\ttitga.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Cona] C:\Documents and Settings\mdsymonds\Application Data\csin.exe
O4 - HKCU\..\Run: [Wicwsl] C:\WINDOWS\System32\n?svc32.exe
O4 - Startup: Magnifier.lnk = C:\WINDOWS\system32\magnify.exe
O4 - Startup: naldesk.lnk = ?
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
O4 - Global Startup: SmartCapture.lnk = C:\WINDOWS\Seiko\slpcap.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1106157264735
O23 - Service: Client Update Service for Novell - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Novell Application Launcher - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleClientCache80 - Unknown - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Novell ZfD Wake on LAN Status Agent - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: SLPMONX - ProdEx Technologies - C:\WINDOWS\System32\slpservice.exe
O23 - Service: Workstation Manager - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe
 
Joined
Sep 7, 2004
Messages
49,014
Print this out

Move HiJackThis to a permanent folder like C:\HJT

Download CWShredder http://www.intermute.com/spysubtract/cwshredder_download.html Do not run yet

Boot to safe mode

I assume this person has something to do with the Univ of Wis – therefore the hosts will stay.

Fix

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm

R3 - Default URLSearchHook is missing

O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000002230} - C:\Program Files\CSBB\CSBB.DLL

O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll

O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll

O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll

O2 - BHO: SDWin32 Class - {5BACD57A-67CC-4280-9261-C2BD13E5964D} - C:\WINDOWS\System32\sgwkl.dll

O2 - BHO: SDWin32 Class - {808EB237-797E-4661-91CE-2B98B578AB63} - C:\WINDOWS\System32\cxgij.dll

O2 - BHO: SDWin32 Class - {A336B0C8-52EB-41C9-80A1-A5B30F280C17} - C:\WINDOWS\System32\pscfz.dll

O2 - BHO: (no name) - {D808B033-748A-7B21-86E0-73A2AD803AB1} - C:\WINDOWS\System32\glmmnc.dll

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [ttitga] c:\windows\system32\ttitga.exe

O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe

O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe

O4 - HKCU\..\Run: [Cona] C:\Documents and Settings\mdsymonds\Application Data\csin.exe

O4 - HKCU\..\Run: [Wicwsl] C:\WINDOWS\System32\n?svc32.exe

View Hidden Files
Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
Make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files".
Now click "Apply to all folders", Click "Apply" then "OK"

Delete these files
c:\windows\system32\ttitga.exe
C:\WINDOWS\wupdt.exe
C:\WINDOWS\farmmext.exe
C:\Documents and Settings\mdsymonds\Application Data\csin.exe
C:\WINDOWS\System32\n?svc32.exe ç=== make sure the file has the ? in the name
C:\WINDOWS\System32\glmmnc.dll
C:\WINDOWS\BTGrab.dll
C:\WINDOWS\Helper101.dll
C:\WINDOWS\systb.dll
C:\WINDOWS\System32\sgwkl.dll
C:\WINDOWS\System32\cxgij.dll

Delete this folder
C:\Program Files\CSBB

START – RUN – key in %temp% - Edit – Select all – File – Delete
Empty the recycle bin

Open cwshredder.exe then click "Fix" and let it run.

Boot and post a new log
 

angel

Thread Starter
Joined
Dec 2, 1998
Messages
2,736
Quick question for ya if you have a sec...
She is going through the instructions provided and will post back with progress but I have a question...
Did you flag C:\Documents and Settings\mdsymonds\Application Data\csin.exe for deletion because it's known malware or because it's not recognizable? There's a little concern that maybe it's a valid app. I wasn't able to find any information on the that file online and the user of the pc isn't immediately available to see if she recognizes it.
 

angel

Thread Starter
Joined
Dec 2, 1998
Messages
2,736
Well, looks like she deleted it anyway.
Here's a new scan but something may have changed after the reboot. Looks like HJT hasn't been moved to it's own directory yet either.

Logfile of HijackThis v1.99.0
Scan saved at 3:13:56 PM, on 1/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Temp\MDSYMO~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://iprint.hsl.wisc.edu:631/login/ippdocs/pcontrol.htm
O1 - Hosts: 128.104.105.17 zenwsimport
O1 - Hosts: 128.104.105.17 zenmaster
O1 - Hosts: 128.104.105.16 medportal
O1 - Hosts: 128.104.105.15 mscss
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1DF52F91-8543-ADE8-5650-102BC7DFF3FB} - C:\WINDOWS\system32\tfliqwsm.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {63DE7B6F-8FDC-573D-4FCF-E360925BAD92} - C:\WINDOWS\system32\lsnbfejl.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Magnifier.lnk = C:\WINDOWS\system32\magnify.exe
O4 - Startup: naldesk.lnk = ?
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
O4 - Global Startup: SmartCapture.lnk = C:\WINDOWS\Seiko\slpcap.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1106157264735
O23 - Service: Client Update Service for Novell - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINDOWS\system32\msupd5.exe
O23 - Service: Novell Application Launcher - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleClientCache80 - Unknown - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Novell ZfD Wake on LAN Status Agent - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: SLPMONX - ProdEx Technologies - C:\WINDOWS\System32\slpservice.exe
O23 - Service: Workstation Manager - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe
 
Joined
Sep 7, 2004
Messages
49,014
The log was created in safe mode it need to be created in regular mode

And HJT has not been moved

With IE closed - fix

O2 - BHO: (no name) - {1DF52F91-8543-ADE8-5650-102BC7DFF3FB} - C:\WINDOWS\system32\tfliqwsm.dll

O2 - BHO: (no name) - {63DE7B6F-8FDC-573D-4FCF-E360925BAD92} - C:\WINDOWS\system32\lsnbfejl.dll

Boot and post a new log

THe entry you asked about is a generated file name with the particular problems she had.
 
Joined
Jan 25, 2005
Messages
2
Hi....

I followed your instructions the best I could....here is the most recent log:

Logfile of HijackThis v1.99.0
Scan saved at 11:42:10 AM, on 1/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\cusrvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\slpservice.exe
C:\WINDOWS\system32\slpmonx.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Novell\ZENworks\NALDESK.EXE
C:\WINDOWS\Seiko\slpcap.exe
C:\WINDOWS\system32\spoolsv.exe
C:\HijakThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://iprint.hsl.wisc.edu:631/login/ippdocs/pcontrol.htm
O1 - Hosts: 128.104.105.17 zenwsimport
O1 - Hosts: 128.104.105.17 zenmaster
O1 - Hosts: 128.104.105.16 medportal
O1 - Hosts: 128.104.105.15 mscss
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Magnifier.lnk = C:\WINDOWS\system32\magnify.exe
O4 - Startup: naldesk.lnk = ?
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
O4 - Global Startup: SmartCapture.lnk = C:\WINDOWS\Seiko\slpcap.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1106157264735
O23 - Service: Client Update Service for Novell - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Novell Application Launcher - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleClientCache80 - Unknown - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Novell ZfD Wake on LAN Status Agent - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: SLPMONX - ProdEx Technologies - C:\WINDOWS\System32\slpservice.exe
O23 - Service: Workstation Manager - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe
 
Joined
Sep 7, 2004
Messages
49,014
angelfriend said:
which two would those be? :)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm

:mad: Sorry :eek:
 

angel

Thread Starter
Joined
Dec 2, 1998
Messages
2,736
The original prob is that they were getting low virtual memory errors for no apparent reason and we knew there was junk that needed to go - therefore, HiJackThis log. Thank you for your help so far.
The log seems clean now but still getting low virtual memory errors. Had her send a screen shot of what was using all the virtual memory at the time of the error and it was services.exe - using 479,000K of virtual memory. And this was within 10 minutes of a reboot. What the heck?! I confirmed this is services.exe and not service.exe (indicating a baddie).
I searched around and found that 2000 had some issues with services.exe and memory leaks but couldn't find anything really for Windows XP.
Anyone got any ideas?
 

Attachments

Joined
Sep 7, 2004
Messages
49,014
How much real memory? How long has this PC been on SP2 and has the user checked with TechSUpport for any Novell issues with SP2
 

angel

Thread Starter
Joined
Dec 2, 1998
Messages
2,736
Only 256MB real memory. I know that's not a lot but that doens't explain the odd behavior of services.exe.
I don't think SP2 has been on there very long but it is also installed on the rest of the PCs there with the same setup with no problems.

Thoughts?
I can have her reply back with whatever information you need. They can't even use this computer any more since it's out of VM within 10 min. Raising that avalaible VM (currently at 768 min/max) really isn't an option since that wouldnt' solve the real prob - only prolong the time til the error occurred.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top