# c:\winnt\system32\x



## prashanth123k (Dec 19, 2008)

Dear all,

I have a problem with my windows 2000 server running oracle....

At start up, i get a error message like

Services.exe Bad image
--- Application or Dll c:\winnt\system32\x is not a valid windows image.. please insert diskette

Here is the hijackthis logs i have captured on that machine:

StartupList report, 12/19/2008, 1:03:07 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
F:\Utils\CDCAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\CBA\pds.exe
c:\winnt\ImagePoint\srvany.exe
c:\winnt\ImagePoint\srvany.exe
c:\winnt\ImagePoint\srvany.exe
c:\winnt\ImagePoint\srvany.exe
c:\winnt\ImagePoint\srvany.exe
c:\winnt\ImagePoint\srvany.exe
c:\winnt\ImagePoint\SMServerE2H.exe
c:\winnt\ImagePoint\SMServerH2E.exe
c:\IPLocal\PipeServerE2H.exe
c:\IPLocal\PrintServer\PrintDictServer.exe
C:\WINNT\System32\llssrv.exe
c:\IPLocal\PipeServerH2E.exe
c:\IPLocal\PrintServer\PrintServer.exe
C:\WINNT\system32\pg.exe
C:\WINNT\system32\ntfrs.exe
E:\oracle\ora92\bin\omtsreco.exe
E:\oracle\ora92\bin\agntsrvc.exe
E:\oracle\ora92\Apache\Apache\apache.exe
C:\WINNT\system32\cmd.exe
E:\oracle\ora92\bin\dbsnmp.exe
E:\Oracle\ora92\BIN\TNSLSNR.exe
e:\oracle\ora92\bin\ORACLE.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Lsi Logic Corp\Spy\SpySer.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\dns.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\system32\msdtc.exe
E:\oracle\ora92\Apache\Apache\apache.exe
E:\oracle\ora92\jdk\bin\java.exe
E:\oracle\ora92\jdk\bin\java.exe
e:\oracle\ora92\bin\isqlplus
C:\WINNT\System32\svchost.exe
C:\WINNT\Microsoft.NET\Framework\v1.0.3705\aspnet_wp.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\HindiPHDriver.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINNT\system32\internat.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ipmsg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
ipmsg.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

RunRaidmon = "C:\Program Files\Lsi Logic Corp\Spy\Raidmon.exe"
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
vptray = C:\PROGRA~1\SYMANT~1\VPTray.exe
NeroFilterCheck = C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
HindiPHDriver = C:\WINNT\HindiPHDriver.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} = "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
internat.exe = "internat.exe"

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=(NONE)
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\system32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 5,247 bytes
Report generated in 0.032 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

***********************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:01:30 PM, on 12/19/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
F:\Utils\CDCAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\CBA\pds.exe
c:\winnt\ImagePoint\srvany.exe
c:\winnt\ImagePoint\srvany.exe
c:\winnt\ImagePoint\srvany.exe
c:\winnt\ImagePoint\srvany.exe
c:\winnt\ImagePoint\srvany.exe
c:\winnt\ImagePoint\srvany.exe
c:\winnt\ImagePoint\SMServerE2H.exe
c:\winnt\ImagePoint\SMServerH2E.exe
c:\IPLocal\PipeServerE2H.exe
c:\IPLocal\PrintServer\PrintDictServer.exe
C:\WINNT\System32\llssrv.exe
c:\IPLocal\PipeServerH2E.exe
c:\IPLocal\PrintServer\PrintServer.exe
C:\WINNT\system32\pg.exe
C:\WINNT\system32\ntfrs.exe
E:\oracle\ora92\bin\omtsreco.exe
E:\oracle\ora92\bin\agntsrvc.exe
E:\oracle\ora92\Apache\Apache\apache.exe
C:\WINNT\system32\cmd.exe
E:\oracle\ora92\bin\dbsnmp.exe
E:\Oracle\ora92\BIN\TNSLSNR.exe
e:\oracle\ora92\bin\ORACLE.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Lsi Logic Corp\Spy\SpySer.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\dns.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\system32\msdtc.exe
E:\oracle\ora92\Apache\Apache\apache.exe
E:\oracle\ora92\jdk\bin\java.exe
E:\oracle\ora92\jdk\bin\java.exe
e:\oracle\ora92\bin\isqlplus
C:\WINNT\System32\svchost.exe
C:\WINNT\Microsoft.NET\Framework\v1.0.3705\aspnet_wp.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\HindiPHDriver.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINNT\system32\internat.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ipmsg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

Any help ...

thanks in advance


----------

