oicur0t
asked on
SVCHOST crash firewall crashes and winsock needs reset
I've found bits relating to this question and temporary fixes but I need help!
Example Scenario (on continuous loop)
machine boots fine, windows networking is working, firewall is running, shares are working.
SVCHOST crashes. the component is nnushared40.dll (appears in event viewer)
I need to run "netsh winsock reset" (or winsockfix.exe)
reboot
start at the beginning again
this is happening on a few machines on our network....all HP machines (fix is here http://h10025.www1.hp.com/ewfrf/wc/genericDocument?cc=us&docname=c00291957&lc=en&jumpid=reg_R1002_USEN but this is only temporary)
I've seen posts that windows 2000 machines have a fix to stop the mblaster virus from crashing remote machines, but these are XP machines
I have seen no reference anywhere on the internet to the filename nnushared40.dll.
Any ideas?
The blaster virus also hit xp machines but usually causes an RPC error then crashes the machine.
ASKER
The machine doesn't fully crash. Some network services fail, the ICS service, windows file sharing fails. Network connections may fail to appear when opened as well.
Have you tried running a hijack this log on the machines?
ASKER
Logfile of HijackThis v1.99.1
Scan saved at 15:14:19, on 21/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\RSS\Midas\V7PosMaster.exe
C:\Program Files\Nortel Networks\Shared Files\NTSPInit.exe
C:\Program Files\OpenOffice.org1.1.5\program\soffice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
Z:\IT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.jackwills.com/onlinestore/adminsql/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.compaq.com/1Q00CDT/0409/bl7.asp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Startup: OpenOffice.org 1.1.5.lnk = C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe
O4 - Global Startup: Shortcut to V7PosMaster.lnk = Midas\V7PosMaster.exe
O4 - Global Startup: TSP Launcher.lnk = C:\Program Files\Nortel Networks\Shared Files\NTSPInit.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jackwills.local
O17 - HKLM\Software\..\Telephony: DomainName = jackwills.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jackwills.local
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
Well, the log looks clean. How about a software issue? What is this V7PosMaster.exe, linked to the POS for the business?
ASKER
v7pos master is a part of our till system which is run on this machine (none of the others experiencing this problem). It's clean.
if I try to start windows firewall from "services" after a crash I get Error 5: access is denied.
ASKER
From the event viewer
"Faulting application svchost.exe, version 5.1.2600.2180, faulting module NnuShared40.dll, version 0.0.0.0, fault address 0x00003375."
Don't see anything about maybe a master browser or computer browser error. It can't really be software related if it's happening on more than one machine, unless it is a virus, which I didn't see in the log.
But you know, I am starting to see a trend: try disabling the NTSPInit.exe program. A lot of people are complaining of the same error and have that process running.
ASKER
ok, I think I've found the culprit, should have traced this earlier....nnushared40.dll belongs to dialer software for our phone system to integrate with outlook. It will be installed on all machines. I bet the firewall interrupts it then causes a crash.
I'm going to give you the points venom, you've helped and taught me some good stuff!
Glad you found it and can clear up this messy situation.
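Added example, not part of the thread: one way to triage this kind of recurring crash across several machines is to parse the "Faulting application" event text quoted above and group it by faulting module, so a DLL hosted inside svchost.exe on more than one host stands out. The hostnames and every event other than the quoted NnuShared40.dll message are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Message layout of the "Faulting application" event quoted in the thread.
FAULT_RE = re.compile(
    r"Faulting application (?P<app>\S+), version (?P<app_ver>[\d.]+), "
    r"faulting module (?P<module>\S+), version (?P<mod_ver>[\d.]+), "
    r"fault address (?P<addr>0x[0-9a-fA-F]+)"
)

THREAD_MSG = ("Faulting application svchost.exe, version 5.1.2600.2180, "
              "faulting module NnuShared40.dll, version 0.0.0.0, "
              "fault address 0x00003375.")

# Constructed sample: hostnames are invented; only THREAD_MSG comes from the page.
SAMPLE_EVENTS = [
    ("PC-TILL01", THREAD_MSG),
    ("PC-OFFICE03", THREAD_MSG),
    ("PC-OFFICE07", "Faulting application iexplore.exe, version 6.0.2900.2180, "
                    "faulting module mshtml.dll, version 6.0.2900.2180, "
                    "fault address 0x0001a2b3."),
    ("PC-TILL01", "The Windows Firewall/Internet Connection Sharing (ICS) "
                  "service terminated unexpectedly."),
]

def parse_fault(message):
    """Return the fields of a fault message as a dict, or None if it is not one."""
    m = FAULT_RE.search(message)
    return m.groupdict() if m else None

def suspects(events, min_hosts=2):
    """Modules faulting inside another process on at least min_hosts machines."""
    hosts = defaultdict(set)
    versions = {}
    for host, message in events:
        fault = parse_fault(message)
        if fault is None:
            continue  # not an application fault record
        key = (fault["module"].lower(), fault["app"].lower())
        hosts[key].add(host)
        versions[key] = fault["mod_ver"]
    result = []
    for (module, app), seen in sorted(hosts.items()):
        if module != app and len(seen) >= min_hosts:
            # 0.0.0.0 is what the event shows when no module version is available
            result.append((module, app, sorted(seen), versions[(module, app)] == "0.0.0.0"))
    return result

if __name__ == "__main__":
    for module, app, seen, unversioned in suspects(SAMPLE_EVENTS):
        print(module, "in", app, "on", ", ".join(seen), "| unversioned:", unversioned)
```

A module name surfaced this way can then be searched for on disk to find the product folder it was installed from.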