Re: Unanswered Question Asked By Many

From: David Candy (david_at_mvps.org)
Date: 12/02/03 

Date: Tue, 2 Dec 2003 17:09:13 +1100

tasklist /svc tells you services loaded.
tasklist /m you can work it out (but not as easily)
Pro Only 

-- 
----------------------------------------------------------
http://www.g2mil.com/Dec2003.htm
"Eric" <none@death.to.spammers.now> wrote in message news:vso6apa3qg6j98@corp.supernews.com...
> Yeah, disabling fxssvc.exe was one of the earliest things I did try.
> 
> Something else that I forget to list, but only remembered when reading
> someone else's post with the same exact problem, is that when these symptoms
> appear there is a SVCHOST process running at 99 percent.  I've been waiting
> for the symptoms to re-appear, of course now that I WANT them to they won't,
> so I can start shutting down different services from services.msc and see
> which are linked to that SHVHOST process.  That and the mysterious entry in
> the history log are what I am now focusing on.
> 
> Thanks
> 
> -Eric
> 
> 
> "Kelly" <kelly@mvps.org> wrote in message
> news:uA6Pik9tDHA.2248@TK2MSFTNGP09.phx.gbl...
> > Hi Eric,
> >
> > Suggestions:
> >
> > Go to Start/Run and type in:  services.msc
> > Scroll down to Fax and choose Properties.
> > Choose Disable or Manual.
> > From there in Task Manager:  fxssvc.exe should not be running.
> >
> > -- 
> > All the Best,
> > Kelly
> >
> > MS-MVP Win98/XP
> > [AE-Windows® XP]
> >
> > Troubleshooting Windows XP
> > http://www.kellys-korner-xp.com
> >
> > Repair/Customize Quick Launch, Taskbar and Notification Area
> > http://www.kellys-korner-xp.com/taskbarplus!.htm
> >
> > Registry Edits, Tips and Tricks for XP
> > http://www.kellys-korner-xp.com/xp_tweaks.htm
> >
> > "Eric" <none@death.to.spammers.now> wrote in message
> > news:vslbsqkhv6566b@corp.supernews.com...
> > > I apologize for cross-threading, but having done deja and google
> searches
> > I
> > > found that this question has been asked by many but still remains
> > completely
> > > unanswered.  From my searches and reading, it appears that the nature of
> > > this particular problem is somewhat widespread and common, however
> nobody
> > as
> > > of yet has found a clear solution.  I believe the newsgroups that I
> posted
> > > this to are appropiate and I wanted to ensure that it achieves maxinum
> > > proliferation in case someone knows of a solution.  If, for any other
> > > reason, than perhaps someone in the future will come across the solution
> > > through a deja search.
> > >
> > > I've been working every angle I can possible think of to find a solution
> > to
> > > this problem, but have only achieved working myself in full circles.  I
> > will
> > > describe each angle I took to find a solution.  I will also note
> specific
> > > software installed that may be giving this problem, perhaps when others
> > read
> > > this they will begin to see a pattern with specific programs installed.
> > >
> > > The problem itself seems simple enough: "WinXP internet connections
> > freezing
> > > up while using dialup modem connections"
> > >
> > > The symptoms: internet communication locks up completely, no traffic can
> > be
> > > received or transmitted.  The dialup internet icon in the taskbar
> (little
> > > two terminal looking icon) no longer responds to left or right mouse
> > clicks.
> > > Only solution is to shut down WinXP and reboot.  Sometimes while
> shutting
> > > down, a dialoge window appears stating that "HiddenFaxWindow" can not
> shut
> > > down properly and must by manually ended.  Regardless, after this
> problem
> > > occurs, during the shutdown WinXP can only make itself to the "Saving
> User
> > > Settings" screen and afterwards requires a physical reset.
> Interestingly,
> > > this problem only presents itself while using a dialup internet
> > > connection -- it doesn't present itself when only using broadband or
> > > wireless connections.
> > >
> > > Course of action I have tried:
> > >
> > > 1. Obviously, the first thing I looked for was any fax (Microsoft or
> third
> > > party) software that may be giving the problem.  The only third party
> > > software I had installed was "FaxTalk NetOnHold", which operates both as
> > > faxing software and a "modem on hold" software interface for my v.92
> > dialup
> > > modem.  This, of course, was the prime suspect.  However, I seem to
> recall
> > > having this problem before I installed FaxTalk.  I did, however,
> > completely
> > > remove FaxTalk just to ensure it wasn't the culprit.  When I installed
> it,
> > > Norton CleanSweep monitored the installation and I used CleanSweep to
> > remove
> > > it completely.  I also hand searched the registry to ensure that no
> > entries
> > > were left behind, along with hand searching to ensure that all
> directories
> > > and files associated with it were also removed.  They all were.
> Searching
> > > through FaxTalk's support web site and also specific searches on
> > web/usenet
> > > revieled no known problems with FaxTalk and dialup internet freezing up.
> > >
> > > 2. Next suspect was perhaps Lucent's "Modem on Hold", however I had
> > > previously uninstalled it completely and cleanly to make certain there
> > would
> > > be no conflicts with FaxTalk.  I ensured that there was nothing of it
> left
> > > laying around in the registry or drive.
> > >
> > > 3. With that out of the way, my next suspect was perhaps network
> > protocols.
> > > I removed, re-installed, and ensured I had the most current TCP/IP.
> With
> > > wireless and broadband working fine, I didn't really think this was the
> > > problem but figured it couldn't hurt.
> > >
> > > 4.  I read that WinXP's built-in firewall can sometimes cause conflicts
> > when
> > > you have another firewall in use.  I have Norton's firewall.  I ensured
> > that
> > > XP's firewall was disabled for dialup connections, but the problem
> > > continued.
> > >
> > > 5. I read on Microsoft's support web site that DirectX 9.0b causes
> > conflicts
> > > with XP's firewall and Microsoft Instant Messenger.  While I don't have
> > > Microsoft IM load on boot, I did check out my DirectX.  I have DirectX
> > 9.0a
> > > installed, which (based on Microsoft support knowledge base), fixed the
> > > conflict problems that DirectX 9.0b had.
> > >
> > > 6.  I begin to expect malware as a possibility.  I keep my virus scanner
> > > (Norton) continuously updated and frequently do full system scans.  I
> did
> > > another full scan, regardless, and it had negative results.  I also
> > scanned
> > > completely for spyware, using Ad Aware. Nothing beyond Doubleclick
> cookies
> > > were found.  Still not completely convinved, I even scanned it with
> > > different virus scanners and spyware scanners -- thinking perhaps it
> > > might've been possible that malware could've attacked Norton or Ad
> Aware.
> > > To do these scans, I scanned the problem PC  (laptop) over my wireless
> > > network using scanner software physically running on a different
> machine.
> > > No results are found.
> > >
> > > 7. More web searching leads me to start believing that the "Mofei" worm
> > may
> > > be a possibility since some of the symptoms are similiar.  I see no
> > > footprint of this worm, however.  Looking at the registry by hand shows
> no
> > > footprint related to this worm being installed, nor do any system files.
> > > The system file /windows/system32/scardsrv32.exe is a footprint of this
> > > worm, however it wasn't in the directory.  I did have a few files in
> that
> > > directory that initially caught my attention (scardsrv.exe,
> scardssp.dll)
> > > mainly because of their file version number (ver: 5.1.2600.0 -- that
> > '2600'
> > > caught my eye), but after doing some searching against at Microsoft I
> > > discovered that these files (Microsoft Smart Card Service Manager) and
> the
> > > version number were legit.  To be absolutely sure, I even did a checksum
> > > comparison between these files in my directory and known legit files.
> > They
> > > checked out fine.
> > >
> > > 8. Running "Event Viewer" (/start/Control Panel/Adminstration Tool/Event
> > > View) raises a few questions.  Looking at the Security Log, some
> questions
> > > are raised.  I don't believe these are related to this specific internet
> > > freezing problem though, but they still kind of bug me.  In the log,
> many
> > > entries have been (and continue to be) logged for unsuccessul logon
> > attempts
> > > by an "advapi" process.  Reason for unsuccessful logon attempts is
> > "unknown
> > > user name or password".  I had read that this isn't anything major to
> fret
> > > over and have read that this might be caused by the "Administrator"
> > account
> > > name being changed.  After installing WinXP (full scratch install), I
> had
> > > initially selected "Administrator" for the administrator account name
> > during
> > > the setup process, but later changed it to a different name.  I wonder
> if
> > > this could be why I am seeing all these log entries and if I
> could/should
> > > change something to clear them up.  (WinXP wouldn't let me change the
> > > administrator account name back to "Administrator", it says its already
> in
> > > use.  From what I read, the names "Administrator", "Guest", etc can't be
> > use
> > > for account names. I suppose this holds true even if you had changed the
> > > administrator account name from "Adminstrator" and want to revert back
> to
> > > that name?)  I'll hold these questions for later though.
> > >
> > > 9. Running msinfo32.exe raises my most alarming question.  In the system
> > > history log, there are sometimes an entry for a program that is beeing
> > added
> > > and then immedietly removed.  The syntax used when it is added is
> > > "[program].exe \install".  (The "\" might have been a "/", can't
> remember
> > > off-hand which slash it was.)  After it is added, it is immedietly
> > removed.
> > > The reason why I didn't give a name for "[program]" is because I can't
> > using
> > > normal ASCII text here!  The name of this program is about four (or
> five)
> > > special characters, at least two appearing as a "y" with an accent mark
> > over
> > > it.  This, of course, raises grave concern of stealthy malware
> somewhere.
> > I
> > > have no idea on how to do a file search for a filename with these
> special
> > > characters.  As far as I knew, I didn't even think a filename could
> > contain
> > > them?
> > >
> > > Malware seems to be my suspect at the moment, but I'm not completely
> > > convinced as the only the software I have installed from the internet
> has
> > > been Ad Aware.  Everything else has been commercial, packaged, software.
> > > Its still possible, I admit, that malware might had found it's way in
> > > through email (although I have .exe's, components, even HTML disabled
> for
> > > email) or the web.
> > >
> > > I now admit to feeling completely defeated on finding a solution.
> > >
> > > Some software I have (and had) installed that may be common with others
> > > (read some posts that said some of these were installed on their system
> as
> > > well):
> > >
> > > - Lucent's "Modem on Hold" utility for v.92 modems
> > > - FaxTalk NetOnHold
> > > - Microsoft Office 2000 over WinXP
> > > - DirectX 9.0a
> > >
> > > Apologies for the long post, but wanted to make it as clear as possible.
> > > Any help would be most appreciated by myself and many others.
> > >
> > > Thanks!
> > >
> > > -Eric
> > >
> > >
> > >
> > >
> > >
> > >
> >
> 
>