Solved

Netsh.exe trouble

Posted on 2004-09-10
Last Modified: 2008-02-07
Hi Everyone

I have an XP SP1 box with a pretty new installation.

The problem is when I shut down the PC I get an OK box with memory read error 0xfffffff, also I noticed that in process Netsh.exe starts and stops.
This is what is written in the Windows application log:
Application Failure  netsh.exe 5.1.2600.0 in netsh.exe 5.1.2600.0 at offset 00003843

Any good ideas?


Logfile of HijackThis v1.98.2
Scan saved at 20:55:20, on 10.09.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRAMFILER\NORMAN\Nvc\BIN\NPFSVICE.EXE
C:\Programfiler\Norman\Nvc\BIN\Zanda.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\PROGRAMFILER\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\PROGRAMFILER\NORMAN\Nvc\BIN\nvcoas.exe
C:\PROGRAMFILER\NORMAN\Nvc\BIN\nipsvc.exe
C:\PROGRAMFILER\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\WINDOWS\Explorer.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\PROGRAMFILER\NORMAN\Nvc\BIN\ZLH.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRAMFILER\NORMAN\Nvc\BIN\NYMSE.EXE
C:\Programfiler\Messenger\msmsgs.exe
C:\PROGRAMFILER\NORMAN\Nvc\BIN\NIP.EXE
C:\PROGRAMFILER\NORMAN\Nvc\BIN\cclaw.exe
C:\PROGRAMFILER\NORMAN\Nvc\BIN\npfmsg2.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Documents and Settings\Paal\Skrivebord\HijackThis.exe
C:\WINDOWS\System32\netsh.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\PROGRAMFILER\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094833812390
Question by:maraas
43 Comments

Expert Comment

by:SheharyaarSaahil
Hello maraas =)

>> C:\WINDOWS\System32\netsh.exe

Well this is a command line tool, why is it running in ur background as a process ??
How to Use the Netsh.exe Tool and Command-Line Switches
http://support.microsoft.com/default.aspx?kbid=242468

there is no startup entry present in Log either !!

Author Comment

by:maraas
Hi SheharyaarSaahil

Is it possible to start this program from a remote pc on the network??

This is a strange one!!

Author Comment

by:maraas
What i am thinking just now is to remove this file??
Do you know if it is needed by the OS.

Expert Comment

by:SheharyaarSaahil
is ur system on network..... and when u boot into safemode, can u see this netsh.exe running in task manager... and no, dont remove this file, it's a system file and is not harmful, but just behaving abnormally.... we just have to trace out the reason :)

Author Comment

by:maraas
Hi again.

My system is not on a network but is connected to the internet through a cable modem. The reason why I am wondering about this is that I am constantly bothered with a pop up from Norman Firewall that an incoming ip address wants access.
"and when u boot into safemode, can u see this netsh.exe running in task manager" NO!
I did remove it and the memory read error 0xfffffff was repaired. It is now back and the problem is also back.

Accepted Solution

by:SheharyaarSaahil (earned 250 total points)
ok try this now....
in Normal Mode goto Start>Run>msconfig>Startup
click on Disable All
restart and DONT connect to internet
just have a look in task manager, if its running or not
if NO then re-enable each application one at a time and check what's initiating it

if YES then goto Start>Run>msconfig>Services
click on Disable All
reboot and DONT do anything else, just have a look at task manager
its running or not ??
Enable All services and applications again now and restart
come here and tell me the results

i want to know if its initiated by a startup application or a service ??
Also except Norman, have u ever run any online virus scan to verify if it comes as clean ??
if no then try this one >> http://housecall.trendmicro.com/

post back :)
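
The answer above finds what launches netsh.exe by disabling startup items and services in turn. The sketch below is an added example, not part of the thread: on a current Windows system it answers the same question directly by logging each netsh.exe launch together with its parent process and any service hosted in that parent. It assumes an elevated prompt and PowerShell 3.0 or later (not available on the XP SP1 machine in the question); the event name `NetshWatch` is made up for the example.

```powershell
# Added example: report every netsh.exe launch with its parent process and
# any Windows service running inside that parent. Run elevated.
$target = 'netsh.exe'

# Win32_ProcessStartTrace raises one WMI event per process creation.
$query = "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = '$target'"
Register-CimIndicationEvent -Query $query -SourceIdentifier 'NetshWatch'

try {
    Write-Host "Watching for $target launches. Press Ctrl+C to stop."
    while ($true) {
        $evt       = Wait-Event -SourceIdentifier 'NetshWatch'
        $start     = $evt.SourceEventArgs.NewEvent
        $parentPid = $start.ParentProcessID

        # The parent may already have exited, so both lookups can be empty.
        $parent   = Get-CimInstance Win32_Process -Filter "ProcessId = $parentPid"
        $services = Get-CimInstance Win32_Service -Filter "ProcessId = $parentPid"

        [pscustomobject]@{
            Time          = $evt.TimeGenerated
            NetshPid      = $start.ProcessID
            ParentPid     = $parentPid
            ParentName    = if ($parent) { $parent.Name } else { '(exited)' }
            ParentCommand = if ($parent) { $parent.CommandLine } else { $null }
            Services      = ($services | ForEach-Object { $_.Name }) -join ', '
        } | Format-List

        Remove-Event -EventIdentifier $evt.EventIdentifier
    }
}
finally {
    # Runs on Ctrl+C as well, so the subscription does not linger.
    Unregister-Event -SourceIdentifier 'NetshWatch'
}
```

A parent that hosts a service shows up in the `Services` field; a parent started from a Run key shows up only by name and command line.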

Expert Comment

by:Fatal_Exception
You definitely do not want to delete this file.  It is used for scripting networking configurations both locally and in a network.  You also do not want to allow this command to be executed without your permission.  I would suggest that you are not protected with a firewall, or a NAT enabled device (router), and you need to turn on your XP firewall, along with possibly stopping the Messenger Service from running...

FE

Author Comment

by:maraas
Hi Fatal Exception, SheharyaarSaahil

Thanks for the quick reply. I'm back again - it just got too late yesterday...
I do have a firewall - Norman, but it's a real pain, I am getting Norman popups all the time that "135" ip address ***.***.***.*** wants access to my pc. (Ip address changing now and then.) and what do I want to do about it "Allow" yes or no.
The PC is 3 days old, no I haven't tried any other virus pgms, but will do.
I will post back any discoveries made :)

Fatal Exception, if I stop Messenger Service from running will MSN Messenger continue to work?

I'll be back in a few hours...

Expert Comment

by:Fatal_Exception
Yes..  they are not the same.  

Disabling Messenger Service in Windows XP

http://www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx

Note: Although the name of the service is similar, Messenger Service in Windows XP is not related to instant messaging programs such as Windows Messenger and MSN Messenger. Disabling instant messaging programs is not necessary and not recommended. Disabling instant messaging programs will not prevent Messenger Service spam on your computer.

Expert Comment

by:Fatal_Exception
And no, you do not want to allow netsh to be run from an outside source, UNLESS you know or are running it yourself from a LAN connected system..

FE

Expert Comment

by:SheharyaarSaahil
well the Norman alerts dont look ABNORMAL to me..... coz i have installed Mcafee personal Firewall.... and it does the Same ditto thing,,,, so what i do to keep it "Shutup" is it has an option,,,,, Block all accesses and Dont Tell Me Abt Alerts
i keep it turned on,,,, and it does its job silently and doesnt disturb me,,,,, but still i can see all the Event Logs and they are full of these blocked access attempts =\

same is true for my sister's laptop, and for all others where i have installed this firewall..... so ... :-?
But one thing is confirmed,,,, it does block all accesses and keeps my system safe from all threats,,,, and this i can check from this thing,,, that if i dont allow my sis's system IP address manually,,,, it blocks its access also and thus no Networking or ICS !!  :)

But like u, i have never faced this netsh.exe problem..... so i "think" that those Norman alerts have nothing to do with this netsh.exe, coz if Norman is blocking all the accesses, then they cannot do any BAD plays on ur system..... right ;)

what do u say Fatal.... :)

Expert Comment

by:Fatal_Exception
Yes..  but I am concerned about netsh...  this command is used to configure network protocols, etc., as you know.  Admins use it for remotely administering systems.  I just wonder where they are coming from..  ???

FE

Expert Comment

by:SheharyaarSaahil
u mean a remote system can initiate this command on one's system thru.... ??
hehe.... u know im not good at networking 8-)

Expert Comment

by:Fatal_Exception
Ha..  yes..  Actually, that is how it is usually used by admins..  Brien Posey writes a lot about this and scripting:

http://www.brienposey.com/kb/netsh_scripting.asp

Expert Comment

by:SheharyaarSaahil
yakh !! these networking type thingies are so complicated and boring..... how do u manage to "digest" all those scripts & commands =(

Expert Comment

by:Fatal_Exception
:)  I am with you on that one.  I just know how to execute them and what they are supposed to do, I don't write them...  My partner does all that..  He is really good with database and .NET programming, but I think I need to learn.  The things you can do with vb.net are amazing...

Author Comment

by:maraas
Hi guys
I've been busy working on my house... PCs are not the only problems I have :(, haven't had time to finish checking the solutions given. I will do it tomorrow. Just an update on where I am on this :~)
Again many thanks sooooo far!

R. Maraas

Expert Comment

by:SheharyaarSaahil
>> Ive been busy working on my house... Pcs are not the only problems i have :(

looks like u are married !!! =\  ......  hehe dont mind just kidding ;-)

Expert Comment

by:Fatal_Exception
I know how those homey chores go.  Never ends.

Take your time, we will be around..

FE

Author Comment

by:maraas
Cool, yah wife, 2 kids, 2 rabbits, 66 mustang FB just back from the paint shop, lots of bills......... oh yah and a PC ;-)

RM

Expert Comment

by:SheharyaarSaahil
never mind dude... at least we can support u in the PC issue ;-D

Expert Comment

by:Fatal_Exception
I used to have a 66 mustang convertible...  If you need someone to take that fastback off your hands, I will be more than happy to oblige you..!!  :)

Expert Comment

by:SheharyaarSaahil
hehehe... <8)

Author Comment

by:maraas
OK ok
I found the service that is causing Netsh.exe to misbehave... The service is called "Norman Type-R" which from what I can tell... is connected to Norman firewall. Has anyone seen this before??

RM

Author Comment

by:maraas
Oh yah Online virus program is running just now... back in a few with results.

Expert Comment

by:SheharyaarSaahil
wow.... a firewall itself is doing suspicious things here..... is there any particular reason u are using Norman :-\

Expert Comment

by:Fatal_Exception
I am not familiar with Norman, so I am clueless to this behavior...  Let us know what you find there..

FE

Author Comment

by:maraas
No viruses... OK guess it is time for tech support at the manufacturer :(. I'll get back with the results.

Thanks for all the help.

RM

Expert Comment

by:SheharyaarSaahil
hmmmmmmm.... im looking forward for the results .... !!

Author Comment

by:maraas
>>is there any particular reason u are using Norman :-\
No not really, it just came free with the PC with 3 years update. And free is always nice. But after this I am not so sure Norman is for me...
I use Norton on my other PCs and haven't been bothered at all. ;) And especially NO POPUPS that take 1/4 of my screen.....

Expert Comment

by:Fatal_Exception
Yea...  I really did not want to suggest that you uninstall your Firewall, but Norman does not seem to be a mainstream product (at least here in the USA) or certainly I would know about it....   I use Norton also (not the firewall) and the AV works just fine on my consumer machines..

FE

Author Comment

by:maraas
Yep I agree with u FE (here in Norway), but I'll give the techies at the manufacturer 2 hours to straighten things out. If no result then BYE BYE Norman. Some people say Norton is a bit Resource hungry, what do you guys think, any suggestions??

Expert Comment

by:SheharyaarSaahil
>> Some people say Norton is a bit Resource hungry

at least I'm among them,,,, but can be the reason that i have always used NAV with Firewall... and may be Fatal has some good tricks on this issue :)

Assisted Solution

by:Fatal_Exception (earned 250 total points)
Ha..  my response to anyone that installs a software firewall is to be aware that they are ALL resource hungry (with the exception of the XP firewall, which only stops incoming traffic and not traffic outbound)...  I always advise my clients to go with a Hardware firewall with SPI (Stateful Packet Inspection).  Consumer grade devices are so cheap (inexpensive) these days, it just does not make sense to not go out and get one.  They also provide much better protection to your LAN, as they sit on the perimeter of the LAN and keep everything out.  

FE

Author Comment

by:maraas
Still no joy, the manufacturer said install Microsoft update 12345678. It didn't work...
I'll try them again tomorrow...

Cya  RM

Expert Comment

by:Fatal_Exception
What version of Norman are you running?  I took this straight from Norman's site:

Norman Personal Firewall (NPF)
One of the applications that will not work satisfactory with Service Pack 2 is older versions of the Norman Personal Firewall. Affected versions are: NPF 1.0, 1.1, 1.2, 1.3 and 1.4.

If you are running one of these versions you should upgrade to the latest version (p.t. ver. 1.41) as soon as possible.


Author Comment

by:maraas
Hi FE.-

Service pack 2 is not installed yet... Waiting for the Norwegian version. It should be here soon.
As i have 3 years of program / virus updates from Norman and its free, I will wait for SP2 and see if it does the trick. If not i think i will purchase a wireless router with a built in firewall and use Norman virus protection.

Do you have any good experiences with a particular brand router?

RM

Expert Comment

by:SheharyaarSaahil
>> Do you have any good experiences with a particular brand router?

aham aham,,, Fatal ur turn !!  8-)

Expert Comment

by:Fatal_Exception
A router, eh?  That is definitely the best way  to configure a SOHO network.  I recommend it even if you are only running one system off it.

For a consumer grade router, I always recommend Linksys for the money.   This being said, if you want a little more protection, I would go with a Netgear router with an SPI firewall  (Stateful Packet Inspection)...  You can pick up a decent one for under $100 US...

Something like this:

http://www.amazon.com/exec/obidos/ASIN/B00006B9HP/ref%3Dnosim/theshoppinguidea/102-7923332-1450504

Expert Comment

by:Fatal_Exception
And thanks...  

FE

Author Comment

by:maraas
Hi Fatal Exception, SheharyaarSaahil

This was a tough one, trying to be fair with the points, I gave the Accepted answer to SheharyaarSaahil as he gave the answer that helped me find the exact place where the problem occurred. But at the same time I also received some really valuable info from FE. Sooo 50/50 split.

Thanks a bunch, you guys saved me from those pesky grey hairs :) I bow to you!

Cya

RuneM

Expert Comment

by:SheharyaarSaahil
not at all a problem,,,,, in fact Fatal was more helpful here and i was just throwing my one\two words from behind his back !!  ;-)
Cheers to Him ^_^

Happy Computing !!

Expert Comment

by:Fatal_Exception
you are welcome, Rune..  and happy computing..!!

FE