angel
Thread Starter
- Joined
- Dec 2, 1998
- Messages
- 2,736
I am posting this for a friend. One of her co-workers is receiving low virtual memory messages when shouldn't be. She ran Spybot, Adaware, etc and did remove a bunch of nasties but still receiving message. Likely there's something still there that shouldn't be but I'm terrible at HijackThis logs. If someone could please analyze this, I would greatly appreciate it.
Thanks!!!
Logfile of HijackThis v1.99.0
Scan saved at 9:06:06 AM, on 1/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cusrvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\slpservice.exe
C:\WINDOWS\system32\slpmonx.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\mdsymonds\Application Data\csin.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\n?svc32.exe
c:\windows\system32\ttitga.exe
c:\windows\system32\packager.exe
C:\Temp\MDSYMO~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://iprint.hsl.wisc.edu:631/login/ippdocs/pcontrol.htm
R3 - Default URLSearchHook is missing
O1 - Hosts: 128.104.105.17 zenwsimport
O1 - Hosts: 128.104.105.17 zenmaster
O1 - Hosts: 128.104.105.16 medportal
O1 - Hosts: 128.104.105.15 mscss
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000002230} - C:\Program Files\CSBB\CSBB.DLL
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SDWin32 Class - {5BACD57A-67CC-4280-9261-C2BD13E5964D} - C:\WINDOWS\System32\sgwkl.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SDWin32 Class - {808EB237-797E-4661-91CE-2B98B578AB63} - C:\WINDOWS\System32\cxgij.dll
O2 - BHO: SDWin32 Class - {A336B0C8-52EB-41C9-80A1-A5B30F280C17} - C:\WINDOWS\System32\pscfz.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {D808B033-748A-7B21-86E0-73A2AD803AB1} - C:\WINDOWS\System32\glmmnc.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ttitga] c:\windows\system32\ttitga.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Cona] C:\Documents and Settings\mdsymonds\Application Data\csin.exe
O4 - HKCU\..\Run: [Wicwsl] C:\WINDOWS\System32\n?svc32.exe
O4 - Startup: Magnifier.lnk = C:\WINDOWS\system32\magnify.exe
O4 - Startup: naldesk.lnk = ?
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
O4 - Global Startup: SmartCapture.lnk = C:\WINDOWS\Seiko\slpcap.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1106157264735
O23 - Service: Client Update Service for Novell - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Novell Application Launcher - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleClientCache80 - Unknown - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Novell ZfD Wake on LAN Status Agent - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: SLPMONX - ProdEx Technologies - C:\WINDOWS\System32\slpservice.exe
O23 - Service: Workstation Manager - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe
Thanks!!!
Logfile of HijackThis v1.99.0
Scan saved at 9:06:06 AM, on 1/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cusrvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\slpservice.exe
C:\WINDOWS\system32\slpmonx.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\mdsymonds\Application Data\csin.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\n?svc32.exe
c:\windows\system32\ttitga.exe
c:\windows\system32\packager.exe
C:\Temp\MDSYMO~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://iprint.hsl.wisc.edu:631/login/ippdocs/pcontrol.htm
R3 - Default URLSearchHook is missing
O1 - Hosts: 128.104.105.17 zenwsimport
O1 - Hosts: 128.104.105.17 zenmaster
O1 - Hosts: 128.104.105.16 medportal
O1 - Hosts: 128.104.105.15 mscss
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000002230} - C:\Program Files\CSBB\CSBB.DLL
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SDWin32 Class - {5BACD57A-67CC-4280-9261-C2BD13E5964D} - C:\WINDOWS\System32\sgwkl.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SDWin32 Class - {808EB237-797E-4661-91CE-2B98B578AB63} - C:\WINDOWS\System32\cxgij.dll
O2 - BHO: SDWin32 Class - {A336B0C8-52EB-41C9-80A1-A5B30F280C17} - C:\WINDOWS\System32\pscfz.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {D808B033-748A-7B21-86E0-73A2AD803AB1} - C:\WINDOWS\System32\glmmnc.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ttitga] c:\windows\system32\ttitga.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Cona] C:\Documents and Settings\mdsymonds\Application Data\csin.exe
O4 - HKCU\..\Run: [Wicwsl] C:\WINDOWS\System32\n?svc32.exe
O4 - Startup: Magnifier.lnk = C:\WINDOWS\system32\magnify.exe
O4 - Startup: naldesk.lnk = ?
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
O4 - Global Startup: SmartCapture.lnk = C:\WINDOWS\Seiko\slpcap.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1106157264735
O23 - Service: Client Update Service for Novell - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Novell Application Launcher - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleClientCache80 - Unknown - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Novell ZfD Wake on LAN Status Agent - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: SLPMONX - ProdEx Technologies - C:\WINDOWS\System32\slpservice.exe
O23 - Service: Workstation Manager - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe