Bearshare crashing, multiple versions


killercarver
02-12-2008, 05:19 AM
First off, Howdy and thanks for this forum!! Hopefully we can fix my problem.
I've tried using both 5.2.0 lite and 5.2.4, both of which crash either after a few minutes or, after a reinstall, as soon as bearshare connects to the network. I get the typical "Bearshare has encountered....", look a little further and find "Exception Information code:0xc0000005 Flags:0x00000000 Record:0x0000000000000000 Address: 0x0000000000000103"

I've run the beardiag and set my firewall to the correct ports. Any ideas?


BEARDIAG ISSUES - brief summary: (Extracted on 2008/02/12 01:18:56)

Java version 1.6.0_03 found. Check if you have the latest version of Java at http://www.javatester.org/version.html - Older version have loopholes which have recently been frequently exploited.
BearShare version 5.2.0.1 found. We recommend the 5.1.0.b25 beta version - see Recommended BearShare downloads (http://www.technutopia.com/forum/showthread.php?t=2002)
BearShare currently shows port 6348 for TCP and port 6348 for UDP that need to match with your firewall/router configuration
You are behind a NAT firewall and/or router. They need to be correctly configured to allow BearShare to access the Internet.
This is a common cause of problems with BearShare - it can't communicate.
Check your firewall allows BearShare to communicate on TCP port 6348 and UDP port 6348
If your connection is via a router, make sure it can forward BearShare traffic to a static IP address on your computer
Refer to the following guidelines to correctly configure your firewall and router for use:
- www.bearshare.com/help/firewalls/index.htm - the Firewall FAQ at the official BearShare Help site,
- www.portforward.com/english/applications/port_forwarding/BearS/BearSindex.htm - the definitive guide to port forwarding and setting up a static IP address.
(Hint: use static IP address 192.168.0.2, TCP Port 6348, and UDP port 6348).
FixLSP.BAT was generated on the desktop and may need to be run (subject to advice) to rectify LSP chain issues.


More technical diagnostic troubleshooting information follows:
BEARDIAG: Bearcare for BearShare.
Details collected on 2008/02/12 01:17:30, BEARDIAG Version 01.99.19.0 beta, expires 2008/06/30 (139 days), running from C:\Documents and Settings\Administrator\Desktop\BearDiag.exe

System Hardware Information
CPU Type is: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+, CPU speed is approx: 2204Mhz, System BIOS date is: 2006/11/13
OS Version is: Microsoft Windows XP Professional, Service Pack 2, OS Build: 2600, Computer Name: MINE
Browser name: C:\Program Files\Internet Explorer\iexplore.exe, version: 6.0.2900.2180, Admin user? YES, Locale: 0409-English

System Memory Parameters: Memory in use: 35%
Total Physical RAM: 2.0Gb Available Physical RAM: 1.3Gb
Total Pagefile: 3.8Gb Available Pagefile: 3.2Gb

Internet IP Address 198.82.xxx.xxx Local IP Address 192.168.0.2 You are behind a NAT firewall and/or router.

File Locations
Program files are at: C:\Program Files, System Temporary files are at: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp, Common desktop is at: C:\Documents and Settings\All Users\Desktop
BearShare version installed is: 5.2.0.1, Gnutella servent BearShare full path is: C:\Program Files\BearShare2\
Temporary downloads at: C:\Program Files\BearShare2\Temp\, Completed downloads at: C:\My Downloads\

Disk statistics
Drive C: Total space: 278.55Gb Free: 265.29Gb Full: 4.8% Vol type: NTFS

Folder Statistics
Temporary downloads folder: Space used: 8.2Gb, File count: 38, Write access allowed? YES, # of DAT files: 11, #BAK: 11, #TIGER: 6, #TMP: 0, Other: 10
Completed downloads folder: Space used: 1.5Gb, File count: 3, Write access allowed? YES
BearShare library file 'library.db' size is 100.0Kb, '/db' library folder size is 11.1Mb, console log size is 5.5Kb

FreePeers.ini settings
The freepeers.ini file is found at C:\Program Files\BearShare2\FreePeers.ini. The extracted settings are as follows:

ProductLogic
No : bAlwaysUpdate; Always Download and announce latest signaled BearShare program updates from FreePeers.inc

Network
1 : connectionType; Network connection type
(0=Modem/AOL/ISDN, 1=Broadband/Cable/DSL/Wireless, 2=Satellite, 3=T1/T3/LAN/OC3/Microwave, 4=Custom values)
6348 : listenPort; TCP/IP port number to listen on

Hosts
Yes : bNeverBecomeUltrapeer; Disable UltraPeer mode

Authentication
No bAuthenticateHosts; Authenticate host connections
No bAuthenticateDownloads; Authenticate search results and downloads

GBandwidthLogic
Yes : bSymmetric; Is Internet connection symmetric
1024 : totalKbps; Maximum bandwidth for symmetric connections
256 : sendKbps; Maximum outbound bandwidth for asymmetric connections
1024 : recvKbps; Maximum inbound bandwidth for asymmetric connections
No : bMaxHostsKbps; Limit host bandwidth
0 : maxHostsKbps; Kbps of send/receive bandwidth to limit hosts
No : bMaxUploadsKbps; Limit upload bandwidth
0 : maxUploadsKbps; Kbps of send bandwidth to limit uploads
No : bMaxDownloadsKbps; Limit download bandwidth
0 : maxDownloadsKbps; Kbps of receive bandwidth to limit downloads

HostLogic
No : m_bEverUltrapeerCapable; Has client ever been an UltraPeer?

FirewallLogic
No : bTcpNFW; yes if TCP is not firewalled
No : bUdpNFW; yes if UDP is not firewalled
6348 : UDP Port; UDP port

Downloads
C:\My Downloads : szDownloadsDir; Directory where completed and hashed downloads are moved to
C:\Program Files\BearShare2\Temp : szTempDir; Directory where partial downloads are kept
8 : dlMaxFiles; Maximum files to download at once
40 : dlMaxStreams; Maximum connections total
20 : dlMaxStreamsFile; Maximum connections per file
No : bDelCompletedDownloads; ; Automatically remove completed downloads
Yes : bEnableSparseFiles; Enable Sparse files for temporary files
No : bDisablePushSources; Never send Push messages
No : bDisablePushProxySources; Never send Push Proxy requests

Uploads
8 : maxTotUploads; Maximum files to upload at once
0 : lastSendBpsMaxAvg; last session average outgoing bandwidth

Firewall testing
Could not communicate with http://www3.limewire.com:6348/ - possible firewall configuration needed

C:\Program Files\BearShare2\db\BearShareHostiles.zip is the current version



StartupList report, 2/12/2008, 1:17:38 AM
StartupList version: 1.52
Started from : C:\Documents and Settings\Administrator\Desktop\StartupList.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\csrss.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroTray.exe
C:\Program Files\BOINC\projects\qah.uni-muenster.de\Amolqc-preRC1_5.01_windows_intelx86.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\BOINC\projects\boinc.bio.wzw.tum.de_boincsimap\simap_5.10_windows_intelx86.exe
C:\Documents and Settings\Administrator\Desktop\BearDiag.exe
C:\Documents and Settings\Administrator\Desktop\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

nTrayFw = C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
RTHDCPL = RTHDCPL.EXE
Alcmtr = ALCMTR.EXE
MSConfig = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
winlogon = C:\WINDOWS\csrss.exe
amd_dc_opt = C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Pidgin = C:\Program Files\Pidgin\pidgin.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: C:\WINDOWS\system32\MSAFDLsp.dll
Protocol #2: C:\WINDOWS\system32\MSAFDLsp.dll
Protocol #3: C:\WINDOWS\system32\MSAFDLsp.dll
Protocol #4: C:\WINDOWS\system32\nvappfilter.dll
Protocol #5: C:\WINDOWS\system32\nvappfilter.dll
Protocol #6: C:\WINDOWS\system32\nvappfilter.dll
Protocol #20: C:\WINDOWS\system32\nvappfilter.dll
Protocol #21: C:\WINDOWS\system32\MSAFDLsp.dll

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = PDBoot.exe

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\GLB1A2B.EXE||C:\PROGRA~1\BEARSH~2\~GLH0005.TMP => C:\Program Files\BearShare2\BearShare.exe|C:\PROGRA~1\BEARSH~2\~GLH0006.TMP => C:\Program Files\BearShare2\BSidle.dll||s

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 5,917 bytes
Report generated in 0.015 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only



Current task list information for MINE, running WIN_XP, Service Pack 2, build 2600
Details collected on 2008/02/12 01:17:34

PID Process Name File Version Pk Mem Usg. Command line that invoked task
0 System Idle Process 0.0.0.0 0Mb ><
4 System 0.0.0.0 7.31Mb ><
704 smss.exe 5.1.2600.2180 0.71Mb >\SystemRoot\System32\smss.exe<
760 csrss.exe 0.0.0.0 6.93Mb ><
784 winlogon.exe 5.1.2600.2180 20.18Mb >winlogon.exe<
828 services.exe 5.1.2600.2180 11.15Mb >C:\WINDOWS\system32\services.exe<
840 lsass.exe 5.1.2600.2180 5.77Mb >C:\WINDOWS\system32\lsass.exe<
1024 svchost.exe 5.1.2600.2180 4.9Mb >C:\WINDOWS\system32\svchost -k DcomLaunch<
1096 svchost.exe 0.0.0.0 33.77Mb ><
1224 svchost.exe 5.1.2600.2180 19.33Mb >C:\WINDOWS\system32\svchost.exe -k netsvcs<
1268 svchost.exe 0.0.0.0 5.51Mb ><
1348 svchost.exe 0.0.0.0 5.26Mb ><
1408 spoolsv.exe 5.1.2600.2180 74.52Mb >C:\WINDOWS\system32\spoolsv.exe<
1612 explorer.exe 6.0.2900.2180 57.58Mb >C:\WINDOWS\Explorer.EXE<
1676 nTrayFw.exe 2.2.0.5023 10.09Mb >"C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" <
1704 rundll32.exe 5.1.2600.2180 6.81Mb >"C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit<
1716 RTHDCPL.exe 2.1.8.6 6.11Mb >"C:\WINDOWS\RTHDCPL.EXE" <
1760 csrss.exe 0.0.0.0 19.09Mb >"C:\WINDOWS\csrss.exe" <
1768 rundll32.exe 5.1.2600.2180 10.38Mb >rundll32.exe nview.dll,nViewInitialize<
1776 pidgin.exe 2.3.1.0 60.72Mb >"C:\Program Files\Pidgin\pidgin.exe" <
1788 boincmgr.exe 5.10.30.0 9.07Mb >"C:\Program Files\BOINC\boincmgr.exe" /s<
1908 boinc.exe 5.10.30.0 11.66Mb >"C:\Program Files\BOINC\boinc.exe" -redirectio -launched_by_manager <
252 Apache.exe 2.0.52.0 6.34Mb >"C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice<
264 nSvcIp.exe 2.2.0.5023 5.91Mb >"C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe"<
416 nvsvc32.exe 6.14.11.6921 5.13Mb >C:\WINDOWS\system32\nvsvc32.exe<
476 svchost.exe 5.1.2600.2180 14.59Mb >C:\WINDOWS\system32\svchost.exe -k imgsvc<
628 nSvcAppFlt.exe 2.2.0.5023 22.25Mb >"C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe"<
672 svchost.exe 5.1.2600.2180 22.2Mb >C:\WINDOWS\System32\svchost.exe -k netinfsvc<
892 Apache.exe 2.0.52.0 8.67Mb >"C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -d "C:/Program Files/NVIDIA Corporation/NetworkAccessManager/Apache Group/Apache2" -D SSL<
2432 wisptis.exe 1.7.2600.2180 5.02Mb >"C:\WINDOWS\system32\WISPTIS.EXE" -Embedding<
1696 acrotray.exe 6.0.1.1333 3.77Mb >"C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroTray.exe" <
6812 Amolqc-preRC1_5.01_w 0.0.0.0 85.75Mb >projects/qah.uni-muenster.de/Amolqc-preRC1_5.01_windows_intelx86.exe qmc<
7856 firefox.exe 1.8.20080.20121 104.78Mb >"C:\Program Files\Mozilla Firefox\firefox.exe" <
7564 notepad.exe 5.1.2600.2180 3.66Mb >"C:\WINDOWS\system32\notepad.exe" C:\Documents and Settings\Administrator\Desktop\startuplist.txt<
6372 simap_5.10_windows_i 5.0.10.172 8.77Mb >projects/boinc.bio.wzw.tum.de_boincsimap/simap_5.10_windows_intelx86.exe <
5356 wmiprvse.exe 0.0.0.0 6.04Mb ><
7828 wmiprvse.exe 0.0.0.0 7.26Mb ><
6304 BearDiag.exe 1.99.19.0 12.93Mb >"C:\Documents and Settings\Administrator\Desktop\BearDiag.exe" <


BearShare library folder information for MINE, running WIN_XP, Service Pack 2, build 2600
Details collected on 2008/02/12 01:18:56

Volume in drive C has no label.
Volume Serial Number is 1094-4CD3

Directory of C:\Program Files\BearShare2\db

02/12/2008 01:14 AM <DIR> .
02/12/2008 01:14 AM <DIR> ..
02/12/2008 12:29 AM 1,091,582 BearShareHostiles.zip
02/08/2008 11:43 PM 3,103 config.bin
02/12/2008 12:12 AM 166,780 connect.txt
02/08/2008 11:59 PM 3,768 Hostiles.old
01/12/2008 03:11 PM 9,916,720 Hostiles.txt
02/08/2008 11:58 PM 0 Hostiles-Chat.txt
02/12/2008 12:07 AM 102,400 library.2.db
02/12/2008 12:07 AM 102,400 library.2.db.lastgoodload.bak
02/12/2008 12:07 AM 102,400 library.db
02/12/2008 12:07 AM 102,400 library.db.lastgoodload.bak
02/08/2008 11:58 PM 19 searches.ini
11 File(s) 11,591,572 bytes
2 Dir(s) 284,858,368,000 bytes free


Firewall information for MINE, running WIN_XP, Service Pack 2, build 2600
Details collected on 2008/02/12 01:18:56

Default gateway is 192.168.0.1


Domain profile configuration:
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable

Service configuration for Domain profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing

Allowed programs configuration for Domain profile:
Mode Name / Program
-------------------------------------------------------------------
Enable Remote Assistance / C:\WINDOWS\system32\sessmgr.exe

Port configuration for Domain profile:
Port Protocol Mode Name
-------------------------------------------------------------------
139 TCP Enable NetBIOS Session Service
445 TCP Enable SMB over TCP
137 UDP Enable NetBIOS Name Service
138 UDP Enable NetBIOS Datagram Service

Standard profile configuration:
-------------------------------------------------------------------
Operational mode = Disable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable

Service configuration for Standard profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Enable No UPnP Framework

Allowed programs configuration for Standard profile:
Mode Name / Program
-------------------------------------------------------------------
Enable Remote Assistance / C:\WINDOWS\system32\sessmgr.exe
Enable Apache HTTP Server / C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe

Port configuration for Standard profile:
Port Protocol Mode Name
-------------------------------------------------------------------
139 TCP Enable NetBIOS Session Service
445 TCP Enable SMB over TCP
137 UDP Enable NetBIOS Name Service
138 UDP Enable NetBIOS Datagram Service
1900 UDP Enable SSDP Component of UPnP Framework
2869 TCP Enable UPnP Framework over TCP

Log configuration:
-------------------------------------------------------------------
File location = C:\WINDOWS\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable

1394 Connection firewall configuration:
-------------------------------------------------------------------
Operational mode = Enable

Local Area Connection firewall configuration:
-------------------------------------------------------------------
Operational mode = Enable



Logfile of HijackThis v1.99.1
Scan saved at 1:17:40 AM, on 2/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\csrss.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroTray.exe
C:\Program Files\BOINC\projects\qah.uni-muenster.de\Amolqc-preRC1_5.01_windows_intelx86.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\BOINC\projects\boinc.bio.wzw.tum.de_boincsimap\simap_5.10_windows_intelx86.exe
C:\Documents and Settings\Administrator\Desktop\BearDiag.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis2.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [winlogon] C:\WINDOWS\csrss.exe
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKCU\..\Run: [Pidgin] C:\Program Files\Pidgin\pidgin.exe
O4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\msafdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msafdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msafdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msafdlsp.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


Aaron.Walkhouse
02-12-2008, 08:02 AM
Try uninstalling that Nvidia Network Access Manager software or run the FixLSP.BAT batch file which BearDiag put on your desktop.

MoreBandwidthPls
02-15-2008, 08:56 PM
C:\WINDOWS\csrss.exe suggests a NETSPY infection (wrong folder). Try running AVG antivirus (free version) to rid yourself of this infestation. What anti-spyware protection do you have? I suggest AdAware (also free).

killercarver
02-18-2008, 08:30 PM
Howdy Folks!

Sorry I haven't returned a posting, but work and school have kept me busy beyond belief this past week and weekend. Anyway, I tried running the .bat that BearDiag left, which worked to no avail. I then removed the Nvidia Network program, which again worked to no avail. Mind too that I did a fresh uninstall, then install, after each of those processes just to get this 5.2.0 that I've been using for years on other computers to work right.

I am now getting a slightly different error with "Exception Information code:0xc0000005 Flags:0x00000000 Record:0x0000000000000000 Address: 0x0000000000000103" followed by all the other mumbo jumbo that comes with the standard Microsoft error report.

Also downloaded and ran the AVG anti-virus and spyware which didn't find much of anything.

Ran Beardiag again, but to my eye, I don't see anything that really sticks out. What do you think?


BEARDIAG ISSUES - brief summary: (Extracted on 2008/02/18 16:23:37)

Java version 1.6.0_03 found. Check if you have the latest version of Java at http://www.javatester.org/version.html - Older version have loopholes which have recently been frequently exploited.
BearShare version 5.2.0.1 found. We recommend the 5.1.0.b25 beta version - see Recommended BearShare downloads (http://www.technutopia.com/forum/showthread.php?t=2002)
BearShare currently shows port 6348 for TCP and port 6348 for UDP that need to match with your firewall/router configuration
You are behind a NAT firewall and/or router. They need to be correctly configured to allow BearShare to access the Internet.
This is a common cause of problems with BearShare - it can't communicate.
Check your firewall allows BearShare to communicate on TCP port 6348 and UDP port 6348
If your connection is via a router, make sure it can forward BearShare traffic to a static IP address on your computer
Refer to the following guidelines to correctly configure your firewall and router for use:
- www.bearshare.com/help/firewalls/index.htm - the Firewall FAQ at the official BearShare Help site,
- www.portforward.com/english/applications/port_forwarding/BearS/BearSindex.htm - the definitive guide to port forwarding and setting up a static IP address.
(Hint: use static IP address 192.168.0.2, TCP Port 6348, and UDP port 6348).
FixLSP.BAT was generated on the desktop and may need to be run (subject to advice) to rectify LSP chain issues.


More technical diagnostic troubleshooting information follows:
BEARDIAG: Bearcare for BearShare.
Details collected on 2008/02/18 16:21:52, BEARDIAG Version 01.99.19.0 beta, expires 2008/06/30 (133 days), running from C:\Documents and Settings\Administrator\Desktop\BearDiag.exe

System Hardware Information
CPU Type is: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+, CPU speed is approx: 2204Mhz, System BIOS date is: 2006/11/13
OS Version is: Microsoft Windows XP Professional, Service Pack 2, OS Build: 2600, Computer Name: MINE
Browser name: C:\Program Files\Internet Explorer\iexplore.exe, version: 6.0.2900.2180, Admin user? YES, Locale: 0409-English

System Memory Parameters: Memory in use: 53%
Total Physical RAM: 2.0Gb Available Physical RAM: 955.6Mb
Total Pagefile: 3.8Gb Available Pagefile: 2.9Gb

Process info for BearShare
Pagefile peak usage: 0, Number of threads: 20, Number of handles: 600, Virtual memory usage: 0

Internet IP Address 198.82.xxx.xxx Local IP Address 192.168.0.2 You are behind a NAT firewall and/or router.

File Locations
Program files are at: C:\Program Files, System Temporary files are at: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp, Common desktop is at: C:\Documents and Settings\All Users\Desktop
BearShare version installed is: 5.2.0.1, Gnutella servent BearShare full path is: C:\Program Files\BearShare2\
Temporary downloads at: C:\Program Files\BearShare2\Temp\, Completed downloads at: C:\My Downloads\

Disk statistics
Drive C: Total space: 278.55Gb Free: 263.55Gb Full: 5.4% Vol type: NTFS

Folder Statistics
Temporary downloads folder: Space used: 11.5Gb, File count: 73, Write access allowed? YES, # of DAT files: 22, #BAK: 22, #TIGER: 8, #TMP: 0, Other: 21
Completed downloads folder: Space used: 2.6Gb, File count: 25, Write access allowed? YES
BearShare library file 'library.db' size is 290.0Kb, '/db' library folder size is 11.4Mb, console log size is 15.6Kb

FreePeers.ini settings
The freepeers.ini file is found at C:\Program Files\BearShare2\FreePeers.ini. The extracted settings are as follows:

ProductLogic
No : bAlwaysUpdate; Always Download and announce latest signaled BearShare program updates from FreePeers.inc

Network
1 : connectionType; Network connection type
(0=Modem/AOL/ISDN, 1=Broadband/Cable/DSL/Wireless, 2=Satellite, 3=T1/T3/LAN/OC3/Microwave, 4=Custom values)
6348 : listenPort; TCP/IP port number to listen on

Hosts
Yes : bNeverBecomeUltrapeer; Disable UltraPeer mode

Authentication
No bAuthenticateHosts; Authenticate host connections
No bAuthenticateDownloads; Authenticate search results and downloads

GBandwidthLogic
Yes : bSymmetric; Is Internet connection symmetric
1024 : totalKbps; Maximum bandwidth for symmetric connections
256 : sendKbps; Maximum outbound bandwidth for asymmetric connections
1024 : recvKbps; Maximum inbound bandwidth for asymmetric connections
No : bMaxHostsKbps; Limit host bandwidth
0 : maxHostsKbps; Kbps of send/receive bandwidth to limit hosts
No : bMaxUploadsKbps; Limit upload bandwidth
0 : maxUploadsKbps; Kbps of send bandwidth to limit uploads
No : bMaxDownloadsKbps; Limit download bandwidth
0 : maxDownloadsKbps; Kbps of receive bandwidth to limit downloads

HostLogic
No : m_bEverUltrapeerCapable; Has client ever been an UltraPeer?

FirewallLogic
No : bTcpNFW; yes if TCP is not firewalled
No : bUdpNFW; yes if UDP is not firewalled
6348 : UDP Port; UDP port

Downloads
C:\My Downloads : szDownloadsDir; Directory where completed and hashed downloads are moved to
C:\Program Files\BearShare2\Temp : szTempDir; Directory where partial downloads are kept
8 : dlMaxFiles; Maximum files to download at once
50 : dlMaxStreams; Maximum connections total
20 : dlMaxStreamsFile; Maximum connections per file
No : bDelCompletedDownloads; ; Automatically remove completed downloads
Yes : bEnableSparseFiles; Enable Sparse files for temporary files
No : bDisablePushSources; Never send Push messages
No : bDisablePushProxySources; Never send Push Proxy requests

Uploads
8 : maxTotUploads; Maximum files to upload at once
0 : lastSendBpsMaxAvg; last session average outgoing bandwidth

Firewall testing
Could not communicate with http://www3.limewire.com:6348/ - possible firewall configuration needed

C:\Program Files\BearShare2\db\BearShareHostiles.zip is the current version



StartupList report, 2/18/2008, 4:22:13 PM
StartupList version: 1.52
Started from : C:\Documents and Settings\Administrator\Desktop\StartupList.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\winlogon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\BOINC\boincmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\BOINC\boinc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BOINC\projects\qah.uni-muenster.de\Amolqc-preRC1exp_5.01_windows_intelx86.exe
C:\Program Files\BearShare2\BearShare.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\DyKnow\Client\DyKnow.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\BOINC\projects\qah.uni-muenster.de\Amolqc-preRC1exp_5.01_windows_intelx86.exe
C:\Documents and Settings\Administrator\Desktop\BearDiag.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis2.exe
C:\Documents and Settings\Administrator\Desktop\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
RTHDCPL = RTHDCPL.EXE
Alcmtr = ALCMTR.EXE
MSConfig = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
winlogon = C:\WINDOWS\winlogon.exe
amd_dc_opt = C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
!AVG Anti-Spyware = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Pidgin = C:\Program Files\Pidgin\pidgin.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
flashget urlcatch - C:\Program Files\FlashGet\jccatch.dll - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7}
(no name) - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}
(no name) - C:\Program Files\FlashGet\getflash.dll - {F156768E-81EF-470C-9057-481BA8380DBA}

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: C:\WINDOWS\system32\MSAFDLsp.dll
Protocol #2: C:\WINDOWS\system32\MSAFDLsp.dll
Protocol #3: C:\WINDOWS\system32\MSAFDLsp.dll
Protocol #17: C:\WINDOWS\system32\MSAFDLsp.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 5,458 bytes
Report generated in 0.079 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only



Current task list information for MINE, running WIN_XP, Service Pack 2, build 2600
Details collected on 2008/02/18 16:21:58

PID Process Name File Version Pk Mem Usg. Command line that invoked task
0 System Idle Process 0.0.0.0 0Mb ><
4 System 0.0.0.0 7.31Mb ><
704 smss.exe 5.1.2600.2180 0.87Mb >\SystemRoot\System32\smss.exe<
772 csrss.exe 0.0.0.0 6.93Mb ><
796 winlogon.exe 5.1.2600.2180 8.65Mb >winlogon.exe<
840 services.exe 5.1.2600.2180 3.91Mb >C:\WINDOWS\system32\services.exe<
852 lsass.exe 5.1.2600.2180 5.53Mb >C:\WINDOWS\system32\lsass.exe<
1024 svchost.exe 5.1.2600.2180 4.66Mb >C:\WINDOWS\system32\svchost -k DcomLaunch<
1108 svchost.exe 0.0.0.0 4.33Mb ><
1232 svchost.exe 5.1.2600.2180 14.08Mb >C:\WINDOWS\system32\svchost.exe -k netsvcs<
1244 svchost.exe 0.0.0.0 3.99Mb ><
1360 svchost.exe 0.0.0.0 4.3Mb ><
1448 spoolsv.exe 5.1.2600.2180 4.96Mb >C:\WINDOWS\system32\spoolsv.exe<
1676 explorer.exe 6.0.2900.2180 28.58Mb >C:\WINDOWS\Explorer.EXE<
1752 rundll32.exe 5.1.2600.2180 6.81Mb >"C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit<
1760 RTHDCPL.exe 2.1.8.6 20.89Mb >"C:\WINDOWS\RTHDCPL.EXE" <
1772 rundll32.exe 5.1.2600.2180 8.08Mb >rundll32.exe nview.dll,nViewInitialize<
1808 winlogon.exe 0.0.0.0 7.07Mb >"C:\WINDOWS\winlogon.exe" <
1924 guard.exe 7.5.1.36 48.2Mb >"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe"<
1932 avgas.exe 7.5.1.43 49.8Mb >"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized<
1968 avgcc.exe 7.5.0.504 7.1Mb >"C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP<
1988 avgamsvr.exe 7.5.0.496 4.48Mb >C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe<
2000 pidgin.exe 2.3.1.0 25.6Mb >"C:\Program Files\Pidgin\pidgin.exe" <
224 boincmgr.exe 5.10.30.0 10.76Mb >"C:\Program Files\BOINC\boincmgr.exe" /s<
256 avgupsvc.exe 7.5.0.420 5.3Mb >C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe<
320 avgemc.exe 7.5.0.510 6.41Mb >C:\PROGRA~1\Grisoft\AVG7\avgemc.exe<
468 boinc.exe 5.10.30.0 7.41Mb >"C:\Program Files\BOINC\boinc.exe" -redirectio -launched_by_manager <
496 nvsvc32.exe 6.14.11.6921 5.1Mb >C:\WINDOWS\system32\nvsvc32.exe<
516 svchost.exe 5.1.2600.2180 3.82Mb >C:\WINDOWS\system32\svchost.exe -k imgsvc<
740 svchost.exe 5.1.2600.2180 17.64Mb >C:\WINDOWS\System32\svchost.exe -k netinfsvc<
1620 Amolqc-preRC1exp_5.0 0.0.0.0 81.32Mb >projects/qah.uni-muenster.de/Amolqc-preRC1exp_5.01_windows_intelx86.exe qmc<
648 BearShare.exe 5.2.0.1 56.07Mb >"C:\Program Files\BearShare2\BearShare.exe" <
584 dwwin.exe 10.0.5815.0 6.26Mb >C:\WINDOWS\system32\dwwin.exe -x -s 2280<
1476 DyKnow.exe 5.0.73.0 96.28Mb >"C:\Program Files\DyKnow\Client\DyKnow.exe" <
3732 wisptis.exe 1.7.2600.2180 4.84Mb >"C:\WINDOWS\system32\WISPTIS.EXE" -Embedding<
2932 firefox.exe 1.8.20080.20121 63.6Mb >"C:\Program Files\Mozilla Firefox\firefox.exe" <
856 Amolqc-preRC1exp_5.0 0.0.0.0 81.37Mb >projects/qah.uni-muenster.de/Amolqc-preRC1exp_5.01_windows_intelx86.exe qmc<
1368 BearDiag.exe 1.99.19.0 12.47Mb >"C:\Documents and Settings\Administrator\Desktop\BearDiag.exe" <
1468 wmiprvse.exe 0.0.0.0 7.3Mb ><


BearShare library folder information for MINE, running WIN_XP, Service Pack 2, build 2600
Details collected on 2008/02/18 16:23:37

Volume in drive C has no label.
Volume Serial Number is 1094-4CD3

Directory of C:\Program Files\BearShare2\db

02/18/2008 04:22 PM <DIR> .
02/18/2008 04:22 PM <DIR> ..
02/12/2008 12:29 AM 1,091,582 BearShareHostiles.zip
02/08/2008 11:43 PM 3,103 config.bin
02/18/2008 02:21 PM 166,711 connect.txt
02/08/2008 11:59 PM 3,768 Hostiles.old
01/12/2008 03:11 PM 9,916,720 Hostiles.txt
02/08/2008 11:58 PM 0 Hostiles-Chat.txt
02/18/2008 01:33 PM 296,960 library.2.db
02/12/2008 12:07 AM 102,400 library.2.db.lastgoodload.bak
02/18/2008 01:33 PM 296,960 library.db
02/12/2008 12:07 AM 102,400 library.db.lastgoodload.bak
02/08/2008 11:58 PM 19 searches.ini
11 File(s) 11,980,623 bytes
2 Dir(s) 282,986,016,768 bytes free


Firewall information for MINE, running WIN_XP, Service Pack 2, build 2600
Details collected on 2008/02/18 16:23:37

Default gateway is 192.168.0.1


Domain profile configuration:
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable

Service configuration for Domain profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing

Allowed programs configuration for Domain profile:
Mode Name / Program
-------------------------------------------------------------------
Enable Remote Assistance / C:\WINDOWS\system32\sessmgr.exe

Port configuration for Domain profile:
Port Protocol Mode Name
-------------------------------------------------------------------
139 TCP Enable NetBIOS Session Service
445 TCP Enable SMB over TCP
137 UDP Enable NetBIOS Name Service
138 UDP Enable NetBIOS Datagram Service

Standard profile configuration:
-------------------------------------------------------------------
Operational mode = Disable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable

Service configuration for Standard profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Enable No UPnP Framework

Allowed programs configuration for Standard profile:
Mode Name / Program
-------------------------------------------------------------------
Enable Remote Assistance / C:\WINDOWS\system32\sessmgr.exe
Enable Apache HTTP Server / C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe

Port configuration for Standard profile:
Port Protocol Mode Name
-------------------------------------------------------------------
139 TCP Enable NetBIOS Session Service
445 TCP Enable SMB over TCP
137 UDP Enable NetBIOS Name Service
138 UDP Enable NetBIOS Datagram Service
1900 UDP Enable SSDP Component of UPnP Framework
2869 TCP Enable UPnP Framework over TCP

Log configuration:
-------------------------------------------------------------------
File location = C:\WINDOWS\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable

1394 Connection firewall configuration:
-------------------------------------------------------------------
Operational mode = Enable

Local Area Connection firewall configuration:
-------------------------------------------------------------------
Operational mode = Enable



Logfile of HijackThis v1.99.1
Scan saved at 4:23:19 PM, on 2/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\winlogon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\BOINC\boincmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\BOINC\boinc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BOINC\projects\qah.uni-muenster.de\Amolqc-preRC1exp_5.01_windows_intelx86.exe
C:\Program Files\BearShare2\BearShare.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\BOINC\projects\qah.uni-muenster.de\Amolqc-preRC1exp_5.01_windows_intelx86.exe
C:\Documents and Settings\Administrator\Desktop\BearDiag.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis2.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [winlogon] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Pidgin] C:\Program Files\Pidgin\pidgin.exe
O4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\msafdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msafdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msafdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msafdlsp.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


.

Aaron.Walkhouse
02-19-2008, 02:17 AM
Zip up a copy of that C:\WINDOWS\system32\MSAFDLsp.dll file and post it as an attachment.
I want to put it under the microscope. :cool:

killercarver
02-19-2008, 02:56 AM
Alright...and I see what you mean. Weird.

Out of curiosity, how do you plan to "analyze" this .dll?

Aaron.Walkhouse
02-19-2008, 05:28 PM
In this case a quick look with a hex editor found a connection to dyknow.com. Try uninstalling
the Dyknow software completely and see if BearShare stops crashing.

It's a bit suspicious they would use a filename deliberately crafted to look like a Microsoft
product. That's how it caught my eye.

killercarver
02-20-2008, 04:51 AM
Thanks Aaron! I cannot, however, uninstall Dyknow as this is a program that I use for multiple classes nearly every day of the week. I was able to get Bearshare to run for almost 3 hours today, but it then crashed with the same error as in my last post. It's odd how I cannot really make this problem replicate by, say, opening a program or something. It just happens when it wants to.

Aaron.Walkhouse
02-20-2008, 10:39 PM
It's probably a side-effect of having multiple copies of the dyknow LSP driver in the
LSP stack. BearShare drives the TCP networking subsystem of Windows pretty hard
and weak LSP drivers have always been susceptible to crashes when BearShare gets busy.

MoreBandwidthPls
02-23-2008, 08:52 AM
Compare the size and contents of C:\WINDOWS\system32\winlogon.exe and C:\WINDOWS\winlogon.exe - why is the second one present on your system? :eek:

Virus/trojan???

Aaron.Walkhouse
02-23-2008, 10:15 AM
Zip up that one and post it too. ;]
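
The two findings raised in the replies above (an unrecognised DLL in the Winsock LSP chain, and a second winlogon.exe outside system32 that also has a Run key) can be pulled out of a HijackThis log mechanically. This is an added example, not part of the original thread or of any tool mentioned in it; the function names, the `EXPECTED_DIR` table and the sample log (constructed, in the format of the log posted above) are assumptions.

```python
import ntpath
import re
from collections import Counter

# Constructed sample: a few lines in the format of the HijackThis log above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\winlogon.exe
C:\Program Files\BearShare2\BearShare.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [winlogon] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O10 - Unknown file in Winsock LSP: c:\windows\system32\msafdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msafdlsp.dll
"""

# Assumption (not from the thread): default home of some core XP binaries.
EXPECTED_DIR = {name: r"c:\windows\system32" for name in (
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe", "userinit.exe")}
EXPECTED_DIR["explorer.exe"] = r"c:\windows"

# A drive-letter path up to the first .exe/.dll; works on process lines,
# O4 command lines with arguments, and rundll32-style "file.dll,Entry".
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll)\b', re.IGNORECASE)
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (.+)$", re.MULTILINE)


def misplaced_system_binaries(log):
    """Paths whose file name is a core Windows binary but whose directory
    is not the expected one (a file borrowing a system name)."""
    hits = set()
    for match in PATH_RE.finditer(log):
        path = match.group(0).lower()
        directory, name = ntpath.split(path)
        expected = EXPECTED_DIR.get(name)
        if expected and directory != expected:
            hits.add(path)
    return sorted(hits)


def unknown_lsp_files(log):
    """Count O10 'Unknown file in Winsock LSP' entries per DLL."""
    return dict(Counter(p.strip().lower() for p in LSP_RE.findall(log)))


def autorun_sources(log, path):
    """O4 autorun lines that launch the given (lower-cased) path."""
    return [line for line in log.splitlines()
            if line.startswith("O4 - ") and path in line.lower()]


if __name__ == "__main__":
    for path in misplaced_system_binaries(SAMPLE_LOG):
        print("misplaced system binary:", path)
        for line in autorun_sources(SAMPLE_LOG, path):
            print("  started at boot by:", line)
    for dll, count in unknown_lsp_files(SAMPLE_LOG).items():
        print(f"unrecognised LSP file: {dll} ({count} entries)")
```

A hit from either check is a reason to inspect the file (size, version resource, vendor strings), as the replies above do; it is not a verdict on its own.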