Low virtual memory - HJT log enclosed

Discussion in 'Virus & Other Malware Removal' started by angel, Jan 24, 2005.

Thread Status:
Not open for further replies.
  1. angel

    angel Thread Starter

    Joined:
    Dec 2, 1998
    Messages:
    2,736
    I am posting this for a friend. One of her co-workers is receiving low virtual memory messages when she shouldn't be. She ran Spybot, Adaware, etc. and did remove a bunch of nasties but is still receiving the message. Likely there's something still there that shouldn't be, but I'm terrible at HijackThis logs. If someone could please analyze this, I would greatly appreciate it.

    Thanks!!!

    Logfile of HijackThis v1.99.0
    Scan saved at 9:06:06 AM, on 1/24/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\cusrvc.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Novell\ZENworks\nalntsrv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
    C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\slpservice.exe
    C:\WINDOWS\system32\slpmonx.exe
    C:\Program Files\Novell\ZENworks\wm.exe
    C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\system32\NWTRAY.EXE
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\mdsymonds\Application Data\csin.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\n?svc32.exe
    c:\windows\system32\ttitga.exe
    c:\windows\system32\packager.exe
    C:\Temp\MDSYMO~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://iprint.hsl.wisc.edu:631/login/ippdocs/pcontrol.htm
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 128.104.105.17 zenwsimport
    O1 - Hosts: 128.104.105.17 zenmaster
    O1 - Hosts: 128.104.105.16 medportal
    O1 - Hosts: 128.104.105.15 mscss
    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000002230} - C:\Program Files\CSBB\CSBB.DLL
    O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
    O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SDWin32 Class - {5BACD57A-67CC-4280-9261-C2BD13E5964D} - C:\WINDOWS\System32\sgwkl.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SDWin32 Class - {808EB237-797E-4661-91CE-2B98B578AB63} - C:\WINDOWS\System32\cxgij.dll
    O2 - BHO: SDWin32 Class - {A336B0C8-52EB-41C9-80A1-A5B30F280C17} - C:\WINDOWS\System32\pscfz.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: (no name) - {D808B033-748A-7B21-86E0-73A2AD803AB1} - C:\WINDOWS\System32\glmmnc.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [ttitga] c:\windows\system32\ttitga.exe
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Cona] C:\Documents and Settings\mdsymonds\Application Data\csin.exe
    O4 - HKCU\..\Run: [Wicwsl] C:\WINDOWS\System32\n?svc32.exe
    O4 - Startup: Magnifier.lnk = C:\WINDOWS\system32\magnify.exe
    O4 - Startup: naldesk.lnk = ?
    O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
    O4 - Global Startup: SmartCapture.lnk = C:\WINDOWS\Seiko\slpcap.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1106157264735
    O23 - Service: Client Update Service for Novell - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Novell Application Launcher - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
    O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: OracleClientCache80 - Unknown - C:\orant\BIN\ONRSD80.EXE
    O23 - Service: Novell ZfD Wake on LAN Status Agent - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
    O23 - Service: Novell ZfD Remote Management - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
    O23 - Service: SLPMONX - ProdEx Technologies - C:\WINDOWS\System32\slpservice.exe
    O23 - Service: Workstation Manager - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe
     
  2. angel

    angel Thread Starter

    Joined:
    Dec 2, 1998
    Messages:
    2,736
    Dropped to page two so - bump...
     
  3. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Print this out

    Move HiJackThis to a permanent folder like C:\HJT

    Download CWShredder http://www.intermute.com/spysubtract/cwshredder_download.html Do not run yet

    Boot to safe mode

    I assume this person has something to do with the Univ of Wis – therefore the hosts will stay.

    Fix

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm

    R3 - Default URLSearchHook is missing

    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000002230} - C:\Program Files\CSBB\CSBB.DLL

    O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll

    O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll

    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll

    O2 - BHO: SDWin32 Class - {5BACD57A-67CC-4280-9261-C2BD13E5964D} - C:\WINDOWS\System32\sgwkl.dll

    O2 - BHO: SDWin32 Class - {808EB237-797E-4661-91CE-2B98B578AB63} - C:\WINDOWS\System32\cxgij.dll

    O2 - BHO: SDWin32 Class - {A336B0C8-52EB-41C9-80A1-A5B30F280C17} - C:\WINDOWS\System32\pscfz.dll

    O2 - BHO: (no name) - {D808B033-748A-7B21-86E0-73A2AD803AB1} - C:\WINDOWS\System32\glmmnc.dll

    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

    O4 - HKLM\..\Run: [ttitga] c:\windows\system32\ttitga.exe

    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe

    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe

    O4 - HKCU\..\Run: [Cona] C:\Documents and Settings\mdsymonds\Application Data\csin.exe

    O4 - HKCU\..\Run: [Wicwsl] C:\WINDOWS\System32\n?svc32.exe

    View Hidden Files
    Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
    Make sure that "Show hidden files and folders" is checked.
    Also uncheck "Hide protected operating system files".
    Now click "Apply to all folders", Click "Apply" then "OK"

    Delete these files
    c:\windows\system32\ttitga.exe
    C:\WINDOWS\wupdt.exe
    C:\WINDOWS\farmmext.exe
    C:\Documents and Settings\mdsymonds\Application Data\csin.exe
    C:\WINDOWS\System32\n?svc32.exe <=== make sure the file has the ? in the name
    C:\WINDOWS\System32\glmmnc.dll
    C:\WINDOWS\BTGrab.dll
    C:\WINDOWS\Helper101.dll
    C:\WINDOWS\systb.dll
    C:\WINDOWS\System32\sgwkl.dll
    C:\WINDOWS\System32\cxgij.dll

    Delete this folder
    C:\Program Files\CSBB

    START – RUN – key in %temp% - Edit – Select all – File – Delete
    Empty the recycle bin

    Open cwshredder.exe then click "Fix" and let it run.

    Boot and post a new log
     
  4. angel

    angel Thread Starter

    Joined:
    Dec 2, 1998
    Messages:
    2,736
    Quick question for ya if you have a sec...
    She is going through the instructions provided and will post back with progress but I have a question...
    Did you flag C:\Documents and Settings\mdsymonds\Application Data\csin.exe for deletion because it's known malware or because it's not recognizable? There's a little concern that maybe it's a valid app. I wasn't able to find any information on that file online and the user of the PC isn't immediately available to see if she recognizes it.
     
  5. angel

    angel Thread Starter

    Joined:
    Dec 2, 1998
    Messages:
    2,736
    Well, looks like she deleted it anyway.
    Here's a new scan but something may have changed after the reboot. Looks like HJT hasn't been moved to its own directory yet either.

    Logfile of HijackThis v1.99.0
    Scan saved at 3:13:56 PM, on 1/24/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Temp\MDSYMO~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://iprint.hsl.wisc.edu:631/login/ippdocs/pcontrol.htm
    O1 - Hosts: 128.104.105.17 zenwsimport
    O1 - Hosts: 128.104.105.17 zenmaster
    O1 - Hosts: 128.104.105.16 medportal
    O1 - Hosts: 128.104.105.15 mscss
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1DF52F91-8543-ADE8-5650-102BC7DFF3FB} - C:\WINDOWS\system32\tfliqwsm.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: (no name) - {63DE7B6F-8FDC-573D-4FCF-E360925BAD92} - C:\WINDOWS\system32\lsnbfejl.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Magnifier.lnk = C:\WINDOWS\system32\magnify.exe
    O4 - Startup: naldesk.lnk = ?
    O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
    O4 - Global Startup: SmartCapture.lnk = C:\WINDOWS\Seiko\slpcap.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1106157264735
    O23 - Service: Client Update Service for Novell - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINDOWS\system32\msupd5.exe
    O23 - Service: Novell Application Launcher - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
    O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: OracleClientCache80 - Unknown - C:\orant\BIN\ONRSD80.EXE
    O23 - Service: Novell ZfD Wake on LAN Status Agent - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
    O23 - Service: Novell ZfD Remote Management - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
    O23 - Service: SLPMONX - ProdEx Technologies - C:\WINDOWS\System32\slpservice.exe
    O23 - Service: Workstation Manager - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe
     
  6. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    The log was created in safe mode; it needs to be created in regular mode.

    And HJT has not been moved

    With IE closed - fix

    O2 - BHO: (no name) - {1DF52F91-8543-ADE8-5650-102BC7DFF3FB} - C:\WINDOWS\system32\tfliqwsm.dll

    O2 - BHO: (no name) - {63DE7B6F-8FDC-573D-4FCF-E360925BAD92} - C:\WINDOWS\system32\lsnbfejl.dll

    Boot and post a new log

    The entry you asked about is a generated file name with the particular problems she had.
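
Added example, not part of the original thread and not HijackThis's own code: a Python helper that diffs two HijackThis logs so entries that appeared between scans (such as the two BHOs flagged above) stand out, and that re-joins entries the forum wrapped onto a second line. The function names are hypothetical, and the sample text is a short excerpt of the 9:06 AM and 3:13 PM logs posted in this thread.

```python
import re

# HijackThis entries start with a section code (R0-R3, F0-F3, N1-N4, O1-O23).
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")

# Excerpt of the 9:06 AM log from this thread (shortened for the example).
SCAN_0906 = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\Explorer.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SDWin32 Class - {5BACD57A-67CC-4280-9261-C2BD13E5964D} - C:\WINDOWS\System32\sgwkl.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ttitga] c:\windows\system32\ttitga.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe"""

# Excerpt of the 3:13 PM log, including a line the forum wrapped.
SCAN_1513 = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\Explorer.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1DF52F91-8543-ADE8-5650-102BC7DFF3FB} - C:\WINDOWS\system32\tfliqwsm.dll
O2 - BHO: (no name) - {63DE7B6F-8FDC-573D-4FCF-E360925BAD92} - C:\WINDOWS\system32\lsnbfejl.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINDOWS\system32\msupd5.exe"""


def parse_entries(log_text):
    """Return [(code, body), ...]; header and process lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ENTRY_RE.match(line)
        if match:
            entries.append([match.group("code"), match.group("body").strip()])
        elif entries:
            # No section code after entries have begun: treat the line as the
            # wrapped tail of the previous entry and join it back on.
            entries[-1][1] = f"{entries[-1][1]} {line}"
    return [tuple(entry) for entry in entries]


def _key(entry):
    """Comparison key: Windows paths are case-insensitive, spacing varies."""
    code, body = entry
    return code, " ".join(body.lower().split())


def diff_scans(before_text, after_text):
    """Return (added, removed) entries between two scans, in log order."""
    before = parse_entries(before_text)
    after = parse_entries(after_text)
    before_keys = {_key(e) for e in before}
    after_keys = {_key(e) for e in after}
    added = [e for e in after if _key(e) not in before_keys]
    removed = [e for e in before if _key(e) not in after_keys]
    return added, removed


if __name__ == "__main__":
    added, removed = diff_scans(SCAN_0906, SCAN_1513)
    for code, body in added:
        print(f"NEW   {code} - {body}")
    for code, body in removed:
        print(f"GONE  {code} - {body}")
```

An entry listed as new has only appeared since the previous scan; whether it should be fixed is still a judgement for whoever is reading the log.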
     
  7. angelfriend

    angelfriend

    Joined:
    Jan 25, 2005
    Messages:
    2
    Hi....

    I followed your instructions the best I could....here is the most recent log:

    Logfile of HijackThis v1.99.0
    Scan saved at 11:42:10 AM, on 1/25/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\cusrvc.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Novell\ZENworks\nalntsrv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
    C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\slpservice.exe
    C:\WINDOWS\system32\slpmonx.exe
    C:\Program Files\Novell\ZENworks\wm.exe
    C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\system32\NWTRAY.EXE
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Novell\ZENworks\NALDESK.EXE
    C:\WINDOWS\Seiko\slpcap.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\HijakThis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://iprint.hsl.wisc.edu:631/login/ippdocs/pcontrol.htm
    O1 - Hosts: 128.104.105.17 zenwsimport
    O1 - Hosts: 128.104.105.17 zenmaster
    O1 - Hosts: 128.104.105.16 medportal
    O1 - Hosts: 128.104.105.15 mscss
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Magnifier.lnk = C:\WINDOWS\system32\magnify.exe
    O4 - Startup: naldesk.lnk = ?
    O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
    O4 - Global Startup: SmartCapture.lnk = C:\WINDOWS\Seiko\slpcap.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1106157264735
    O23 - Service: Client Update Service for Novell - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Novell Application Launcher - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
    O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: OracleClientCache80 - Unknown - C:\orant\BIN\ONRSD80.EXE
    O23 - Service: Novell ZfD Wake on LAN Status Agent - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
    O23 - Service: Novell ZfD Remote Management - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
    O23 - Service: SLPMONX - ProdEx Technologies - C:\WINDOWS\System32\slpservice.exe
    O23 - Service: Workstation Manager - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe
     
  8. angel

    angel Thread Starter

    Joined:
    Dec 2, 1998
    Messages:
    2,736
    bump (figured it would get buried after page 2)
     
  9. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Looks good

    Fix these 2 with IE Closed
     
  10. angelfriend

    angelfriend

    Joined:
    Jan 25, 2005
    Messages:
    2
    which two would those be? :)
     
  11. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm

    :mad: Sorry :eek:
     
  12. angel

    angel Thread Starter

    Joined:
    Dec 2, 1998
    Messages:
    2,736
    The original prob is that they were getting low virtual memory errors for no apparent reason and we knew there was junk that needed to go - therefore, HiJackThis log. Thank you for your help so far.
    The log seems clean now but still getting low virtual memory errors. Had her send a screen shot of what was using all the virtual memory at the time of the error and it was services.exe - using 479,000K of virtual memory. And this was within 10 minutes of a reboot. What the heck?! I confirmed this is services.exe and not service.exe (indicating a baddie).
    I searched around and found that 2000 had some issues with services.exe and memory leaks but couldn't find anything really for Windows XP.
    Anyone got any ideas?
     


  13. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    How much real memory? How long has this PC been on SP2, and has the user checked with Tech Support for any Novell issues with SP2?
     
  14. angel

    angel Thread Starter

    Joined:
    Dec 2, 1998
    Messages:
    2,736
    Only 256MB real memory. I know that's not a lot but that doesn't explain the odd behavior of services.exe.
    I don't think SP2 has been on there very long but it is also installed on the rest of the PCs there with the same setup with no problems.

    Thoughts?
    I can have her reply back with whatever information you need. They can't even use this computer any more since it's out of VM within 10 min. Raising the available VM (currently at 768 min/max) really isn't an option since that wouldn't solve the real prob - only prolong the time til the error occurred.
     
  15. angel

    angel Thread Starter

    Joined:
    Dec 2, 1998
    Messages:
    2,736
Short URL to this thread: https://techguy.org/322909
