Low virtual memory - HJT log enclosed

I am posting this for a friend. One of her co-workers is receiving low virtual memory messages when shouldn't be. She ran Spybot, Adaware, etc and did remove a bunch of nasties but still receiving message. Likely there's something still there that shouldn't be but I'm terrible at HijackThis logs. If someone could please analyze this, I would greatly appreciate it.

Thanks!!!

Logfile of HijackThis v1.99.0
Scan saved at 9:06:06 AM, on 1/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cusrvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\slpservice.exe
C:\WINDOWS\system32\slpmonx.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\mdsymonds\Application Data\csin.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\n?svc32.exe
c:\windows\system32\ttitga.exe
c:\windows\system32\packager.exe
C:\Temp\MDSYMO~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://iprint.hsl.wisc.edu:631/login/ippdocs/pcontrol.htm
R3 - Default URLSearchHook is missing
O1 - Hosts: 128.104.105.17 zenwsimport
O1 - Hosts: 128.104.105.17 zenmaster
O1 - Hosts: 128.104.105.16 medportal
O1 - Hosts: 128.104.105.15 mscss
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000002230} - C:\Program Files\CSBB\CSBB.DLL
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SDWin32 Class - {5BACD57A-67CC-4280-9261-C2BD13E5964D} - C:\WINDOWS\System32\sgwkl.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SDWin32 Class - {808EB237-797E-4661-91CE-2B98B578AB63} - C:\WINDOWS\System32\cxgij.dll
O2 - BHO: SDWin32 Class - {A336B0C8-52EB-41C9-80A1-A5B30F280C17} - C:\WINDOWS\System32\pscfz.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {D808B033-748A-7B21-86E0-73A2AD803AB1} - C:\WINDOWS\System32\glmmnc.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ttitga] c:\windows\system32\ttitga.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Cona] C:\Documents and Settings\mdsymonds\Application Data\csin.exe
O4 - HKCU\..\Run: [Wicwsl] C:\WINDOWS\System32\n?svc32.exe
O4 - Startup: Magnifier.lnk = C:\WINDOWS\system32\magnify.exe
O4 - Startup: naldesk.lnk = ?
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
O4 - Global Startup: SmartCapture.lnk = C:\WINDOWS\Seiko\slpcap.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1106157264735
O23 - Service: Client Update Service for Novell - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Novell Application Launcher - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleClientCache80 - Unknown - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Novell ZfD Wake on LAN Status Agent - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: SLPMONX - ProdEx Technologies - C:\WINDOWS\System32\slpservice.exe
O23 - Service: Workstation Manager - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe

 

Dropped to page two so - bump...

 

Print this out

Move HiJackThis to a permanent folder like C:\HJT

Download CWShredder http://www.intermute.com/spysubtract/cwshredder_download.html Do not run yet

Boot to safe mode

I assume this person has something to do with the Univ of Wis – therefore the hosts will stay.

Fix

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm

R3 - Default URLSearchHook is missing

O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000002230} - C:\Program Files\CSBB\CSBB.DLL

O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll

O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll

O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll

O2 - BHO: SDWin32 Class - {5BACD57A-67CC-4280-9261-C2BD13E5964D} - C:\WINDOWS\System32\sgwkl.dll

O2 - BHO: SDWin32 Class - {808EB237-797E-4661-91CE-2B98B578AB63} - C:\WINDOWS\System32\cxgij.dll

O2 - BHO: SDWin32 Class - {A336B0C8-52EB-41C9-80A1-A5B30F280C17} - C:\WINDOWS\System32\pscfz.dll

O2 - BHO: (no name) - {D808B033-748A-7B21-86E0-73A2AD803AB1} - C:\WINDOWS\System32\glmmnc.dll

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [ttitga] c:\windows\system32\ttitga.exe

O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe

O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe

O4 - HKCU\..\Run: [Cona] C:\Documents and Settings\mdsymonds\Application Data\csin.exe

O4 - HKCU\..\Run: [Wicwsl] C:\WINDOWS\System32\n?svc32.exe

View Hidden Files
Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
Make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files".
Now click "Apply to all folders", Click "Apply" then "OK"

Delete these files
c:\windows\system32\ttitga.exe
C:\WINDOWS\wupdt.exe
C:\WINDOWS\farmmext.exe
C:\Documents and Settings\mdsymonds\Application Data\csin.exe
C:\WINDOWS\System32\n?svc32.exe ç=== make sure the file has the ? in the name
C:\WINDOWS\System32\glmmnc.dll
C:\WINDOWS\BTGrab.dll
C:\WINDOWS\Helper101.dll
C:\WINDOWS\systb.dll
C:\WINDOWS\System32\sgwkl.dll
C:\WINDOWS\System32\cxgij.dll

Delete this folder
C:\Program Files\CSBB

START – RUN – key in %temp% - Edit – Select all – File – Delete
Empty the recycle bin

Open cwshredder.exe then click "Fix" and let it run.

Boot and post a new log

 

Quick question for ya if you have a sec...
She is going through the instructions provided and will post back with progress but I have a question...
Did you flag C:\Documents and Settings\mdsymonds\Application Data\csin.exe for deletion because it's known malware or because it's not recognizable? There's a little concern that maybe it's a valid app. I wasn't able to find any information on the that file online and the user of the pc isn't immediately available to see if she recognizes it.

 

Well, looks like she deleted it anyway.
Here's a new scan but something may have changed after the reboot. Looks like HJT hasn't been moved to it's own directory yet either.

Logfile of HijackThis v1.99.0
Scan saved at 3:13:56 PM, on 1/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Temp\MDSYMO~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://iprint.hsl.wisc.edu:631/login/ippdocs/pcontrol.htm
O1 - Hosts: 128.104.105.17 zenwsimport
O1 - Hosts: 128.104.105.17 zenmaster
O1 - Hosts: 128.104.105.16 medportal
O1 - Hosts: 128.104.105.15 mscss
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1DF52F91-8543-ADE8-5650-102BC7DFF3FB} - C:\WINDOWS\system32\tfliqwsm.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {63DE7B6F-8FDC-573D-4FCF-E360925BAD92} - C:\WINDOWS\system32\lsnbfejl.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Magnifier.lnk = C:\WINDOWS\system32\magnify.exe
O4 - Startup: naldesk.lnk = ?
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
O4 - Global Startup: SmartCapture.lnk = C:\WINDOWS\Seiko\slpcap.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1106157264735
O23 - Service: Client Update Service for Novell - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINDOWS\system32\msupd5.exe
O23 - Service: Novell Application Launcher - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleClientCache80 - Unknown - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Novell ZfD Wake on LAN Status Agent - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: SLPMONX - ProdEx Technologies - C:\WINDOWS\System32\slpservice.exe
O23 - Service: Workstation Manager - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe

 

The log was created in safe mode it need to be created in regular mode

And HJT has not been moved

With IE closed - fix

O2 - BHO: (no name) - {1DF52F91-8543-ADE8-5650-102BC7DFF3FB} - C:\WINDOWS\system32\tfliqwsm.dll

O2 - BHO: (no name) - {63DE7B6F-8FDC-573D-4FCF-E360925BAD92} - C:\WINDOWS\system32\lsnbfejl.dll

Boot and post a new log

THe entry you asked about is a generated file name with the particular problems she had.

 

Hi....

I followed your instructions the best I could....here is the most recent log:

Logfile of HijackThis v1.99.0
Scan saved at 11:42:10 AM, on 1/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\cusrvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\slpservice.exe
C:\WINDOWS\system32\slpmonx.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Novell\ZENworks\NALDESK.EXE
C:\WINDOWS\Seiko\slpcap.exe
C:\WINDOWS\system32\spoolsv.exe
C:\HijakThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://iprint.hsl.wisc.edu:631/login/ippdocs/pcontrol.htm
O1 - Hosts: 128.104.105.17 zenwsimport
O1 - Hosts: 128.104.105.17 zenmaster
O1 - Hosts: 128.104.105.16 medportal
O1 - Hosts: 128.104.105.15 mscss
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Magnifier.lnk = C:\WINDOWS\system32\magnify.exe
O4 - Startup: naldesk.lnk = ?
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
O4 - Global Startup: SmartCapture.lnk = C:\WINDOWS\Seiko\slpcap.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1106157264735
O23 - Service: Client Update Service for Novell - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Novell Application Launcher - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleClientCache80 - Unknown - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Novell ZfD Wake on LAN Status Agent - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: SLPMONX - ProdEx Technologies - C:\WINDOWS\System32\slpservice.exe
O23 - Service: Workstation Manager - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe

 

bump (figured it would get buried after page 2)

 

Looks good

Fix these 2 with IE Closed

 

which two would those be?

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm

Sorry

 

The original prob is that they were getting low virtual memory errors for no apparent reason and we knew there was junk that needed to go - therefore, HiJackThis log. Thank you for your help so far.
The log seems clean now but still getting low virtual memory errors. Had her send a screen shot of what was using all the virtual memory at the time of the error and it was services.exe - using 479,000K of virtual memory. And this was within 10 minutes of a reboot. What the heck?! I confirmed this is services.exe and not service.exe (indicating a baddie).
I searched around and found that 2000 had some issues with services.exe and memory leaks but couldn't find anything really for Windows XP.
Anyone got any ideas?

 

How much real memory? How long has this PC been on SP2 and has the user checked with TechSUpport for any Novell issues with SP2

 

Only 256MB real memory. I know that's not a lot but that doens't explain the odd behavior of services.exe.
I don't think SP2 has been on there very long but it is also installed on the rest of the PCs there with the same setup with no problems.

Thoughts?
I can have her reply back with whatever information you need. They can't even use this computer any more since it's out of VM within 10 min. Raising that avalaible VM (currently at 768 min/max) really isn't an option since that wouldnt' solve the real prob - only prolong the time til the error occurred.

 

bump