Jamesm, posted March 4, 2010:

Specs to follow, but here's the deal:

SVChost is sending OUT over a Gb of data a day from my computer while I have SSDP and UPnP services on. At first I thought it was limewire running in the background even though the process list didn't show it. I uninstalled limewire and the problem went away for a couple hours. I checked the network activity in Outpost Pro and again SVChost was sending out data at about 60-80 kb/s. It was weird though, because Outpost labelled the remote address as ffe2::C or something like that instead of an actual IP address.

Anyways, I've got SSDP and UPnP services off for now and that seems to have solved it for the meantime. It'd be nice to be able to get the UPnP service up and running again though for my games and whatnot.

ESET has found nothing suspicious, nor has Malwarebytes or Hitman Pro 3.5.

Any ideas?

Windows 7 Ultimate
Outpost Pro
ESET Nod32 AV
Hitman Pro 3.5

DKT27 (Administrator), posted March 4, 2010:

Hmm. Try Microsoft Malicious Software Removal Tool. Make sure you have the latest Windows updates installed. Run > MRT > FULL SCAN.

I'm sure it will do something. If not then please leave feedback. I'll tell you an advanced step later.

But after you make sure that none of them is able to catch anything.

HX1, posted March 4, 2010:

Have you checked your Scheduled Tasks in Windows 7 to see if it happens to be anything related to normal function of the OS?.. There are quite a few tasks in there.. and they will run if certain events and configurations are present, including application problems and system optimization.. Windows Media Center as well... But yeah just curious if you have looked in any of these areas yet as to if it was related or not..

NetBIOS/Shared files could be the culprit as well.. if I remember right .. ( I came across this when setting mine up.. ) there is an option about synchronizing directories.. in which case it could also be searching for resources..

*dcs18, posted March 4, 2010:

Welcome to the nSane forums, I would:-
01.) Reset my Outpost rules to start afresh and
02.) Regain control over all startup applications & services.

off-topic:-
Suggest you review your security concerns to lay stress upon prevention rather than remedial measures. ;)

Jamesm (Author), posted March 4, 2010:

I'm rather unfamiliar with the task scheduler but it seems to be very crippled. It took two tries to even open it (forgot the error now, sorry), then it popped up an error that said "the remote computer was not found", and all the reports said "reading data failed". Very strange.

I'm running MRT right now. I'll post back when it's done.

Marik, posted March 4, 2010:

Try downloading HijackThis
http://free.antivirus.com/hijackthis/
and paste the log in the link below
http://www.hijackthis.de/

Jamesm (Author), posted March 4, 2010:

> Hmm. Try Microsoft Malicious Software Removal Tool. Make sure you have latest windows updates installed. Run > MRT > FULL SCAN.
> I'm sure it will do something. If not then please leave a feedback. I'll tell you an advanced step later.
> But after you make sure that none of them is able to catch anything.

Everything checked out fine with MRT, Eset, and Malware bytes. Hmm...

I've adjusted all my file sharing settings so they are turned off now. I'll check if that makes a difference. Any other ideas guys?

Also, thanks for the warm welcome! This site is great! I've been lurking a while.

myidisbb, posted March 5, 2010:

Wouldn't stuff check out okay if you clicked to allow it to begin with?

*dcs18, posted March 5, 2010:

> Any other ideas guys?

Just to elaborate on my previous post, 'svchost.exe' is merely a Messenger, not the Culprit. The Messenger is just doing its job by relaying your network traffic back-and-forth. Your system has already been compromised due to a misconfigured firewall rule that is evidently allowing unaccounted packets through the Messenger. B)

To identify the Culprit, you might have to delete your existing firewall rules containing the misconfiguration. Once you start with fresh rules, you'll be in a better position to trace the Culprit. :yes:

Hope you don't shoot the Messenger. :)

*dcs18, posted March 5, 2010:

In case you're reluctant to reset your firewall rules, :unsure: but are gifted with better-than-average computing skills there's another alternative. You could employ the following:-
01.) WireShark in conjunction with WinPcap to audit your network traffic and
02.) Process Monitor to trace activities generated from running processes, files and registries which can then be logged to run a trace.

NB:-
All tools mentioned here are freeware.

Jamesm (Author), posted March 5, 2010:

> In case you're reluctant to reset your firewall rules, :unsure: but are gifted with better-than-average computing skills there's another alternative. You could employ the following:-
> 01.) WireShark in conjunction with WinPcap to audit your network traffic and
> 02.) Process Monitor to trace activities generated from running processes, files and registries which can then be logged to run a trace.
> NB:-
> All tools mentioned here are freeware.

I'm a pretty quick learner with computers... and since I'm starting my network admin course in a month or two... I may as well get my feet wet :)

Thanks for the suggestions about the apps. I was using Commview, but it's not nearly as detailed. I'll pop back in if anything comes up.

DKT27 (Administrator), posted March 5, 2010:

So did you try Wireshark? It's posted here if needed. ;)

HX1, posted March 5, 2010:

> I'm rather unfamiliar with the task scheduler but it seems to be very crippled. It took two tries to even open it (forgot the error now sorry), then it popped up an error that said "the remote computer was not found". and all the reports said "reading data failed". Very strange.
> I'm running MRT right now. I'll post back when its done.

Yamicsoft Windows 7 Manager makes this pretty simple.. but it would seem that your configuration is set to either another account .. and another computer.. You can do this ( or at least with Ultimate.. what I have and I see the settings to do so... except I am having no issues with it.. ) Something doesn't seem right though.. either it could be from tweaking, malicious registry entry/deletion... Possibly even a hack from one of many sources.. You should make sure you're in the Admin Account as well.. just in case..

Toshiro, posted March 5, 2010:

> try downloading hijackthis
> http://free.antivirus.com/hijackthis/
> and past the log in the link below
> http://www.hijackthis.de/

And post the log here plz. Lemme have a look. The site marik gave you isn't always precise :)

shought, posted March 5, 2010:

Yeah, provide us with a HijackThis! log.

Also I wouldn't rule out the possibility of this NOT being something malicious. It might be that for some reason the data is passed through this service, but not caused by this particular service.

Jamesm (Author), posted March 9, 2010:

> Yeah, provide us with a HijackThis! log.
> Also I wouldn't rule out the possibility of this NOT being something malicious. It might be that for some reason the data is passed through this service, but not caused by this particular service.

Sorry it's taken so long to get back here. I opened up the SSDP and UPnP again and it was really quiet for a couple days, but now in the last day and a half there's been over 200mb of data sent through SVChost again... Here's the log anyways.

Also, for the record I have an ATI video card, not an NVIDIA one... Those files are awfully suspect. Although my mobo does have an Nforce chipset.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 11:13:33 PM, on 3/8/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - C:\Program Files (x86)\Shareaza\RazaWebHook32.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~3\Office12\GR469A~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Steam] "c:\program files (x86)\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Alpha\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: Download with &Shareaza - res://c:\program files (x86)\shareaza\razawebhook32.dll/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll
O13 - Gopher Prefix:
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~3\Office12\GRA32A~1.DLL
O18 - Protocol: intu-qt2009 - {03947252-2355-4E9B-B446-8CCC75C43370} - C:\Program Files (x86)\QuickTax 2009\ic2009pp.dll (file missing)
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files (x86)\WinPcap\rpcapd.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 10306 bytes

shought, posted March 9, 2010:

Find this file:

O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')

and upload it to VirusTotal.com ;) Do note: this could still be a legitimate Windows file.

Jamesm (Author), posted March 9, 2010:

> Find this file:
> O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
> O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
> and upload it to VirusTotal.com ;) Do note: this could still be a legitimate Windows file.

http://www.virustotal.com/analisis/0f73a7f64c4fdab98cd3a865cc54b3a7195761530fcb115b725cc5a9fb738739-1268078669

This is the report for that file.

Ignore the following, it was circumvented by copying the exe to another folder:
________________________________________

I can't.. I can find it with windows exploder but I can't find it with the file browser window via that website... weird?

I also just tried sending it to virus total via their context menu plugin and it reported an error "Cannot access mctadmin"

shought, posted March 9, 2010:

Check again, if it still doesn't work then maybe copy the file to your desktop or ZIP it and try again. It's probably to do with Windows 7/Vista being gay in protecting the system from its user :P

Edit: I see you already figured it out yourself :)

Report seems fine, it's the same file I have in my system. It doesn't run here though, I think. Try disabling it (TuneUp Utilities' Startup Manager will do or CCleaner Startup).

HX1, posted March 9, 2010:

Remove: ( make sure you have the backups from each one of these.. )

O16 - This and its components were known to have vulnerabilities and were instructed to completely remove the 'NOS' directory from computers because of a vulnerability

These two are not bad but completely unnecessary unless you use them: ( there are several more you could do without.. but I know these two are the most useless.. )

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

This will poll out of your system sometimes every few minutes.. There is a place to completely remove/uninstall it.. I used to go directly to the folder and uninstall, then shred all files in the folder.. It does get your updates, but there is usually a less resource intensive way to do so.. Truthfully I never trusted it because it would stay connected for quite some time in some cases..

O4 - HKCU\..\Run: [Google Update] "C:\Users\Alpha\AppData\Local\Google\Update\GoogleUpdate.exe" /c

This should AT LEAST.. only be in here once.. I would also research it by removing it and seeing if it's needed.. if so leave/restore one of them..

O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll

Research it and see if the file is actually there and if it actually is part of something installed..

O18 - Protocol: intu-qt2009 - {03947252-2355-4E9B-B446-8CCC75C43370} - C:\Program Files (x86)\QuickTax 2009\ic2009pp.dll (file missing)

Do the same thing for section O23.. Windows 7 sometimes will leave these entries behind when uninstalling a program that may or may not be completely compatible or written to be compatible with Windows 7.. ( this also happens even for system files for x64 and HJT... ) I had this happen to a couple of installations.. so the best way is to clean up this area that way.. I had to use three different methods to do this.. I had to use the uninstaller, then I used WinASO, then I had to use Windows 7 Manager.. and finally HiJack This in an Admin account...

Since HiJack This can be flaky about detecting proper files that exist some of these could be wrong.. BUT that being said there could also be real problems in between those legitimate services and files... so not something to just blow off..

I would suggest you also use a good registry cleaner on your system and do a thorough scan/clean with a backup beforehand.. Other problems can exist in the registry which can cause undesired behavior.. This may help/fix this issue.. it may not.. but it is good to check..

EDIT: This isn't all I would change about this log.. BUT.. it is some pretty basic stuff that needs to be done.. that is outside the personal preference range.. So be aware that more can be done..

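Added example, not part of any post in the thread: a short Python triage of a HijackThis log that separates "(file missing)" entries under C:\Windows\System32 from those elsewhere and counts repeated entries. It assumes the log came from a 32-bit HijackThis on 64-bit Windows, where 32-bit processes see System32 redirected to SysWOW64 and so report native 64-bit files such as lsass.exe as missing; the function names and the shortened excerpt are constructed for illustration.

```python
import re
from collections import Counter

# Excerpt of the log posted in this thread, shortened for the example
# (the O10 line appears 3 times here, 8 times in the post).
SAMPLE_LOG = r"""
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll
O18 - Protocol: intu-qt2009 - {03947252-2355-4E9B-B446-8CCC75C43370} - C:\Program Files (x86)\QuickTax 2009\ic2009pp.dll (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")                 # e.g. "O23 - Service: ..."
MISSING = re.compile(r"([A-Za-z]:\\.*?)\s*\(file missing\)$")  # path before the marker
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)


def parse_entries(log_text):
    """Return (section, body) tuples for every HijackThis entry line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(log_text):
    """Sort 'file missing' entries by likely cause and count duplicate entries."""
    entries = parse_entries(log_text)
    report = {"redirection_artifact": [], "orphaned": [], "repeated": {}}
    for section, body in entries:
        m = MISSING.search(body)
        if not m:
            continue
        path = m.group(1)
        # Assumption: a missing file under System32 is most likely the WOW64
        # redirection artefact; a missing file elsewhere is a leftover entry.
        bucket = "redirection_artifact" if SYSTEM32.match(path) else "orphaned"
        report[bucket].append((section, path))
    counts = Counter(entries)
    report["repeated"] = {f"{s} - {b}": n for (s, b), n in counts.items() if n > 1}
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

The "redirection_artifact" bucket is a hypothesis to confirm with a 64-bit tool or native Explorer, not a verdict on the file itself.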
Jamesm (Author), posted March 9, 2010:

I think rather than trying to patch all the holes and hope I don't sink, I'll just reformat this beast again... It's just so weird it got so bad so fast. It's been only a few weeks since I reformatted it last time.

shought, posted March 9, 2010:

You'll learn more from patching the holes ;)

HX1, posted March 9, 2010:

Yeah and reinstalling, then re-installing the programs.. will all render the same result.. The absolute only thing you are or would be accounting for in this method is if you picked something up in a TEMP file from browsing... All other methods, which you still may have to change anyway... still will not be unaccounted for... Except the one that repeats itself like 10 times...

EDIT: Last but not least.. the last thing you want to get in the habit of doing is wiping your system, reformatting, repartitioning and reinstalling.. This will eventually put unnecessary wear and tear on your HD and your system components.. Not to mention like shought said above.. You really will not learn a thing about the maintenance. On top of this you will waste your time doing all of this.. and at the first sign of an issue you reinstall... This is not a recommended method...

tonyblair, posted March 9, 2010:

As you are familiar with Commview (perhaps SmartWhois too), could you check the destination IP of the data transfer?

Commview can tell you also about the data transferred (the packets), can you read in ASCII something helpful?

With the above info, I did catch most of the time the culprit.

Cheers :)

Jamesm (Author), posted March 9, 2010:

> As you are familiar with Commview (perhaps SmartWhois too), could you check the destination IP of the data transfer?
> Commview can tell you also about the data transferred (the packets), can you read in ASCII something helpful?
> With the above info, I did catch most of the time the culprit.
> Cheers :)

Yes, I used Commview initially to find the destination address of the packets being sent. Here is what it said in 20 minutes of logging:

It's kind of messy but it goes: process, type, IP address, port, name, and amount

SVCHOST.EXE UDPv6 ff02::c 1900 "SSDP Discovery Service" and "UPnP device Host" services 18,013,184 bytes

On a side note, that Nvidia Nvlsp.dll file is causing all my browsers to crash randomly and repeatedly... I'm starting to really think that my SVChost problem is related to the driver files for my chipset and Ethernet.

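Added example, not part of the original posts: Python that classifies the destination of a flow record like the one quoted above. It shows that ff02::c on UDP port 1900 is the link-local SSDP multicast group, a scope that routers do not forward off the local segment, and works out the average rate over the 20-minute capture. The function names and the second flow row (a made-up unicast flow to a documentation address) are constructed for illustration.

```python
import ipaddress

# IPv6 multicast scope is the low nibble of the second address byte (RFC 4291).
IPV6_MCAST_SCOPES = {
    0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
    0x5: "site-local", 0x8: "organization-local", 0xE: "global",
}
# Well-known SSDP groups: IPv4, IPv6 link-local and IPv6 site-local.
SSDP_GROUPS = {ipaddress.ip_address(a) for a in ("239.255.255.250", "ff02::c", "ff05::c")}
SSDP_PORT = 1900

# Flow records as (process, type, destination, port, bytes).
# Row 1 is the record from the post; row 2 is constructed.
FLOWS = [
    ("SVCHOST.EXE", "UDPv6", "ff02::c", 1900, 18_013_184),
    ("EXAMPLE.EXE", "TCP", "203.0.113.10", 443, 52_000),
]
CAPTURE_SECONDS = 20 * 60  # "20 minutes of logging"


def multicast_scope(addr):
    """Name the scope of a multicast address (IPv4 or IPv6)."""
    if addr.version == 6:
        return IPV6_MCAST_SCOPES.get((int(addr) >> 112) & 0xF, "reserved/unassigned")
    if addr in ipaddress.ip_network("224.0.0.0/24"):
        return "link-local"
    if addr in ipaddress.ip_network("239.0.0.0/8"):
        return "admin-scoped"
    return "global"


def classify(dest, port):
    """Describe where packets to dest:port can travel."""
    addr = ipaddress.ip_address(dest)
    if addr.is_multicast:
        kind, scope = "multicast", multicast_scope(addr)
        may_leave_link = scope not in ("interface-local", "link-local")
    else:
        kind = "unicast"
        if addr.is_loopback:
            scope = "loopback"
        elif addr.is_link_local:
            scope = "link-local"
        else:
            scope = "routable"
        may_leave_link = scope == "routable"
    return {
        "kind": kind,
        "scope": scope,
        "may_leave_link": may_leave_link,
        "ssdp": port == SSDP_PORT and addr in SSDP_GROUPS,
    }


def summarize(flows, seconds):
    """Attach destination classification and average byte rate to each flow."""
    out = []
    for process, proto, dest, port, nbytes in flows:
        row = {"process": process, "proto": proto, "dest": dest, "port": port}
        row.update(classify(dest, port))
        row["bytes_per_second"] = nbytes / seconds
        out.append(row)
    return out


if __name__ == "__main__":
    for row in summarize(FLOWS, CAPTURE_SECONDS):
        print(row)
```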
Archived
This topic is now archived and is closed to further replies.