netsh.exe


Espen Johannessen

I am running Win XP Pro SP1 on a laptop connected to a LAN. My firewall is
Norman Personal Firewall. In Task Manager I see that the process netsh.exe
is starting and stopping at two-second intervals. It does so regardless of
whether the PC is connected to the LAN or not. Is that normal?

At computer shutdown the netsh.exe process hangs and gives an error
message.

Thanks,
Espen
 

Aaron Margosis [MS]

I don't know of anything legitimate that would start netsh over and over
like that. My suspicion is that you might have malware on your machine that
is trying to use netsh to keep the built-in Windows XP firewall disabled.

-- Aaron
 

Espen Johannessen

Yes, I do indeed have the same suspicion myself. I have no idea, though, how
this malware eventually got into the machine. I am always running an
updated Norman Virus Control and firewall, and I am not allowing scripts for
non-trusted internet sites. I have also scanned the PC with Ad-Aware.

Is there any way to disable netsh.exe in the registry?

Thanks,
Espen
 

plun

Espen said:
I am running Win XP Pro SP1 on a laptop connected to a LAN. My firewall is
Norman Personal Firewall. In Task Manager I see that the process netsh.exe
is starting and stopping at two-second intervals. It does so regardless of
whether the PC is connected to the LAN or not. Is that normal?

At computer shutdown the netsh.exe process hangs and gives an error
message.

Thanks,
Espen

Excuse my English.....

Running XP Home with SP2, Swedish version.

I also have this problem. Can you please check if you have
a svchost.exe file in the Windows folder? If we have the same problem,
you also have a start string for this file in the autostart;
check with "msconfig" or HijackThis.

(The original svchost.exe is in the System32 folder.)

Norman antivirus has checked this file within the "Sandbox"
with this result.
I have sent this file to Norman and Lavasoft for analysis.


Virus infected:
Virus name: 'W32/Malware' [ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO:
(e-mail address removed) - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH
PASSWORD)**.
* File length: 16210 bytes.

[ Changes to filesystem ]
* Creates file C:/WINDOWS/svchost.exe.

[ Process/window information ]
* Creates a mutex GARGAMELFLX10.
* Creates a mutex {662B3A7E-2DC8-5CB6-0ED7-2D5A6C7B4C1D}.
* Enumerates running processes.
* Modifies other process memory.
* Creates a remote thread.


Norman Scanner Engine Information
Engine version: 5.70.14
Binary definition file: 5.70 of 2004/09/09
Macro definition file: 5.70 of 2004/09/09
Login information: User 'SYSTEM' on host 'DUNDERII'.
File infected: C:/WINDOWS/svchost.exe


I can remove svchost.exe in safe mode with System Restore
off, but I can't get rid
of the netsh.exe problem. It goes on-off as you describe,
with a crash after a while.


Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 2004-09-11
Time: 10:30:08
User: N/A
Computer:
Description:
Faulting application netsh.exe, version 5.1.2600.2180, faulting
module netsh.exe, version 5.1.2600.2180, fault address
0x00003b6d.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 6e 65 74 ure net
0018: 73 68 2e 65 78 65 20 35 sh.exe 5
0020: 2e 31 2e 32 36 30 30 2e .1.2600.
0028: 32 31 38 30 20 69 6e 20 2180 in
0030: 6e 65 74 73 68 2e 65 78 netsh.ex
0038: 65 20 35 2e 31 2e 32 36 e 5.1.26
0040: 30 30 2e 32 31 38 30 20 00.2180
0048: 61 74 20 6f 66 66 73 65 at offse
0050: 74 20 30 30 30 30 33 62 t 00003b
0058: 36 64 6d


??????????????
 

Espen Johannessen

Hi, I think that I am solving the problem. First I found very good help at
the site:
http://www.techsupportforums.com/showthread.php?t=15142&highlight=netsh.exe

As you can see, another user had the same problem and he was infected by a
trojan horse. I have myself searched through my computer without finding any
virus. Neither do I see any suspicious processes running. I paste my
HijackThis log file below, though.

The netsh.exe process stopped restarting after I ran Spybot - Search and
Destroy. Try installing it! Just follow the information in the above link at
techsupportforums. It is worth mentioning, I think, that all three of us
reporting this problem are using Norman Virus Control and Norman Personal
Firewall. I will try to scan my computer with Norton's online virus scanner.

It may also be that netsh.exe disappeared from Task Manager after I stopped
and restarted the firewall. Try this as well.

Logfile of HijackThis v1.98.2
Scan saved at 22:34:34, on 13.09.2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norman\NVC\BIN\Zanda.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\PROGRAM FILES\NORMAN\Nvc\BIN\nipsvc.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\nvcoas.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\MXOaldr.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NYMSE.EXE
C:\PROGRAM FILES\NORMAN\Nvc\BIN\cclaw.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NIP.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\npfmsg2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.chello.no:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOaldr.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\PROGRAM FILES\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CommCtr] C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Image in New Window - res://C:\Program Files\PopUpCop\popupcop.dll/imagenew
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll


-- Espen
 

plun

Espen said:
The netsh.exe process stopped restarting after I ran Spybot - Search and
Destroy. Try installing it! Just follow the information in the above link at
techsupportforums. It is worth of mentioning I think that all three of us
reporting this problem are using Norman Virus Control and Norman Personal
Firewall. I will try to scan my computer with Norton's online virusscanner.

It may also be that netsh.exe disappeared from task manager after I stopped
and restarted the firewall. Try this as well.

Thank you ;)

I have also checked what it probably is, from the Spybot log.

n-Case: Autorun settings (system) (Registry value, nothing done)

HKEY_USERS\S-1-5-21-2038945071-2942328611-1021817841-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system

(This string goes to netsh.exe.)

n-Case: Autorun settings (system) (Registry value, nothing done)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system


About n-Case, they have an uninstall function for this "shit".

http://www.n-case.com/ncaseuninstall.html
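The two findings in this thread so far are both autorun artefacts: a svchost.exe sitting in C:\WINDOWS instead of System32 with a start string in the autostart, and a Run value named "system" (under HKLM and under a per-user S-1-5-21-... key) whose command launches netsh.exe. The script below is an added example, not code from the thread or from Norman, Spybot or HijackThis; it walks the Run keys in HKLM, HKCU and every loaded user hive and reports exactly those two patterns. It assumes a current Windows with PowerShell 5.1 or later and an elevated session (to read other users' hives); the list of "System32-only" binary names and the "flag any autorun that invokes netsh" rule are this example's own choices.

```powershell
# Added example (not from the thread): audit Run keys for the two patterns the thread reports.
# Assumes Windows PowerShell 5.1+ or PowerShell 7, run elevated so every loaded user hive is readable.

$runSubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Binaries that only legitimately live in %SystemRoot%\System32 (or SysWOW64).
# A copy elsewhere, such as the C:\WINDOWS\svchost.exe from the thread, is suspicious.
$systemOnlyNames = @('svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'services.exe', 'smss.exe')

# Properties the registry provider adds to every Get-ItemProperty result; not real values.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-RunKeyPaths {
    # HKLM and HKCU, plus each loaded user hive under HKEY_USERS (covers the S-1-5-21-... key Spybot showed).
    $paths = @("HKLM:\$runSubKey", "HKCU:\$runSubKey")
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { $paths += "HKU:\$($_.PSChildName)\$runSubKey" }
    return $paths
}

function Get-ExecutableFromCommand {
    param([string]$Command)
    # Drop the arguments: either a leading quoted path, or the first whitespace-delimited token.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+', 2)[0]
}

function Test-SuspiciousRunValue {
    param([string]$Name, [string]$Command)
    $exe = Get-ExecutableFromCommand $Command
    # Split path and file name by hand so odd characters in a registry value cannot throw.
    $idx  = $exe.LastIndexOfAny([char[]]('\', '/'))
    $leaf = if ($idx -ge 0) { $exe.Substring($idx + 1) } else { $exe }
    $dir  = if ($idx -ge 0) { $exe.Substring(0, $idx) } else { '' }
    $leaf = $leaf.ToLowerInvariant()

    $reasons = @()
    # Pattern 1: an autorun that invokes netsh at all; nothing legitimate autoruns it from a Run value.
    if ($leaf -eq 'netsh.exe' -or $Command -match '\bnetsh(\.exe)?\b') {
        $reasons += 'launches netsh.exe'
    }
    # Pattern 2: a System32-only binary name running from somewhere else (or from the PATH).
    if ($systemOnlyNames -contains $leaf) {
        $sys32 = Join-Path $env:SystemRoot 'System32'
        $wow64 = Join-Path $env:SystemRoot 'SysWOW64'
        if ($dir -ne $sys32 -and $dir -ne $wow64) {        # string -ne is case-insensitive in PowerShell
            $reasons += "system binary name '$leaf' not in System32"
        }
    }
    return $reasons
}

foreach ($key in Get-RunKeyPaths) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $reasons = Test-SuspiciousRunValue -Name $p.Name -Command ([string]$p.Value)
        if ($reasons) {
            [pscustomobject]@{
                Key     = $key
                Value   = $p.Name
                Command = $p.Value
                Why     = ($reasons -join '; ')
            }
        }
    }
}
```

Run it before and after the cleanup tool of your choice; a hit like `Value = system, Command = ...netsh...` or `Command = C:\WINDOWS\svchost.exe` is the entry to remove (and the file to collect for analysis, zipped with a password as Norman asks). Run values can also hide in RunOnce, the Winlogon Shell/Userinit values and the Services key; this example deliberately covers only the Run keys named in the thread.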
 

plun

Hi again

After reboot netsh started again.......... ;(

up and down, cpu between 0-15%

Maybe techsupport's last advice is the best solution?
Remove it!
 

plun

Espen said:
It may also be that netsh.exe disappeared from task manager after I stopped
and restarted the firewall. Try this as well.

Something must be wrong with Norman's firewall.

In this link you can see the CPU from this netsh.exe starting
and stopping.

http://hem.bredband.net/b288305/netshcpu.JPG

In the middle I have stopped my firewall and the CPU goes to
zero; when I start
it again netsh starts/stops again.

Norman has a really stupid support link for this; my ISP
blocks all port 139 traffic, so
I can't use it...... !?

http://www.norman.com/Support/Contact_support/Request_and_feedback_form/en

How do I contact Norman about this?
 

Espen Johannessen

Actually I'm not sure if there is something wrong with the firewall. If
there is a trojan that is responsible for the restarting of netsh.exe it may
do so just to try to use it for shutting down the firewall!

--Espen
 

plun

Espen said:
Actually I'm not sure if there is something wrong with the firewall. If
there is a trojan that is responsible for the restarting of netsh.exe it may
do so just to try to use it for shutting down the firewall!

I have searched with:

- Norman.

- Panda Software online scanning.

- TrendMicro online scanning

- Ad-Aware

- Spybot

- HijackThis, About:Buster, and some more of spyware master
Merlin's tools.

Nothing can be found.

All users who have reported this are running Norman's firewall,
and why is the CPU going down to zero when the firewall is off?

Netsh.exe is important for SP2's firewall and maybe there is a
mismatch between Norman's firewall/SP2's firewall and the use of
netsh.exe.
 

plun

Espen said:
Actually I'm not sure if there is something wrong with the firewall. If
there is a trojan that is responsible for the restarting of netsh.exe it may
do so just to try to use it for shutting down the firewall!

--Espen

One more thing about this: during logout or fast user
switching netsh.exe always crashes for me
and several dump files are created.


Folder name always like WER36f.dir00 and so on.

Included files:
appcompat.txt
manifest.txt
netsh.exe.hdmp, size always around 4MB!
netsh.exe.mdmp

Totally unreadable for me. (*.txt OK)

Any MVPs who know how to check these dump files? Or have
other clues?

Any sniffer to see what is commanding netsh.exe to start?
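A packet sniffer cannot answer the question plun is asking, because netsh.exe is a local process launched by another local process; what is needed is the parent of each new netsh.exe and the command line it was given. The following is an added example, not code from the thread: it subscribes to WMI process-start events for netsh.exe and records, for every start, the netsh command line plus the parent's name, path and command line. It assumes a current Windows host with PowerShell 5.1 or later and an elevated session (Win32_ProcessStartTrace requires administrator rights); the thread's XP-era machines would need the same WMI query issued from VBScript or wbemtest instead.

```powershell
# Added example (not from the thread): record who launches netsh.exe and with what arguments.
# Assumes Windows PowerShell 5.1+ or PowerShell 7 running elevated. Stop with Ctrl+C.

$sourceId = 'NetshStartTrace'
# Win32_ProcessStartTrace fires once per process creation; filter server-side on the image name.
$query = "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'netsh.exe'"

function Get-ProcessDetails {
    param([uint32]$ProcessId)
    # Win32_Process carries Name, ExecutablePath and CommandLine. Returns $null if the
    # process has already exited, which a two-second-lifetime netsh.exe often will have.
    Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $ProcessId" -ErrorAction SilentlyContinue
}

Register-CimIndicationEvent -Query $query -SourceIdentifier $sourceId | Out-Null
Write-Host "Waiting for netsh.exe starts (Ctrl+C to stop)..."

try {
    while ($true) {
        $evt = Wait-Event -SourceIdentifier $sourceId
        $new = $evt.SourceEventArgs.NewEvent          # the Win32_ProcessStartTrace instance
        Remove-Event -EventIdentifier $evt.EventIdentifier

        # Query the child first: it is the one that is about to disappear.
        $child  = Get-ProcessDetails -ProcessId $new.ProcessID
        $parent = Get-ProcessDetails -ProcessId $new.ParentProcessID

        [pscustomobject]@{
            Time          = Get-Date -Format 'HH:mm:ss.fff'
            NetshPid      = $new.ProcessID
            NetshCmdLine  = if ($child)  { $child.CommandLine } else { '<exited before query>' }
            ParentPid     = $new.ParentProcessID
            ParentName    = if ($parent) { $parent.Name } else { '<exited>' }
            ParentPath    = if ($parent) { $parent.ExecutablePath } else { '' }
            ParentCmdLine = if ($parent) { $parent.CommandLine } else { '' }
        } | Format-List
    }
}
finally {
    # Always tear the subscription down, otherwise events keep queuing in the session.
    Unregister-Event -SourceIdentifier $sourceId -ErrorAction SilentlyContinue
    Remove-Event -SourceIdentifier $sourceId -ErrorAction SilentlyContinue
}
```

Two things to read off the output. ParentPath tells you which side of the thread's argument is right: a parent under the Norman program directory (the nip.exe / nipsvc.exe / npfmsg2.exe processes visible in Espen's HijackThis log) means the firewall itself is driving netsh, while a parent such as a svchost.exe outside System32 is the malware. NetshCmdLine tells you what the caller wants; a firewall-related subcommand would fit Aaron's suspicion, an empty or nonsensical one would fit a broken caller that keeps crashing netsh. Because the parent PID can be recycled after the parent exits, treat a ParentName that does not match the expected image with suspicion rather than as proof.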
 

Espen Johannessen

Nothing can be found.

I cannot find any virus or trojan on my computer either.
All users who have reported this is running Normans firewall
and why is CPU going down to zero when the firewall is off ?

It is netsh.exe that is using CPU when it is restarting. When the firewall
is shut down, netsh also quits processing. I cannot say that I am so happy
about Norman. It is trustworthy, but it is not the first time I am having
problems with Norman.
Netsh.exe is important for SP2:s firewall and maybe there is a
mismatch between Normans firewall/SP2:s firewall and use of
netsh.exe.

I had the same problem also before I upgraded to SP2.

Now I have solved the problem by deleting the netsh.exe file in safe mode. I
took a backup of it first. Everything is working well now. I didn't have the
same problem as you with dumped files.

--Espen
 

plun

Espen said:
I cannot find any virus or trojan on my computer either.




It is netsh.exe that is using CPU when it is restarting. When the firewall
is shut down, netsh also quits processing. I cannot say that I am so happy
about Norman. It is trustworthy, but it is not the first time I am having
problems with Norman.

I have also checked this with the Ethereal protocol analyzer
and no traffic is generated
by this netsh.exe.

I think Norman needs a user forum; my supplier
Fujitsu-Siemens has no support for
this type of question, i.e. "How do I connect my mouse" and
so on ;).

Norman does not take end user questions, so a forum is needed!!!

I had the same problem also before I upgraded to SP2.

I didn't notice anything before SP2; for me it started with an
unknown svchost.exe file which
Norman's Sandbox alarmed about. But there can be
different causes for this.

Now I have solved the problem by deleting the netsh.exe file in safe mode. I
took a backup of it first. Everything is working well now. I didn't have the
same problem as you with dumped files.

Done the same and everything is back to normal again. I
thought this file was SFC protected, but it was removed. ;)
 
