
Mr Snrub
Patron
  • Posts: 765
  • Donations: 0.00 USD
  • Country: Sweden
Everything posted by Mr Snrub

  1. But why a trojan? At best this is an obscure "denial of service", surely?
  2. Automatic Updates should only kick in when you visit the Windows Update site manually or at the daily scheduled check time if it's enabled, like 3am. Why should it be a problem if a single-CPU system hits 100% utilisation during the check? Or are you saying that it remains constantly at 100% even once the check is complete? The number of checks the system is doing is quite extensive, so it doesn't surprise me that it's an exhaustive process - I just did a check for updates on a Windows 2003 SP1 dual-CPU system and it (svchost.exe -k netsvcs) hit 50% utilisation, so it's definitely a single thread under the AU service which is "busy" during the check.
  3. This is just the Messenger service receiving spam ads - it is not that someone has "gotten hold of your IP address", these are simply blasted out to entire IP ranges at random, not aimed at individuals. It would imply you don't have SP2 installed yet - you should do this ASAP as the Messenger service could be exploited to crash your system. Always put SP2 onto a clean XP build before going anywhere near the Internet. Definitely do a spyware/virus cleanup as well.
  4. csrss.exe (in session 0) is a critical process for Windows, so if it crashes it will cause a bugcheck, this is by design. A quick analysis of your minidump seems to imply an error during an inpage operation - i.e. part of a process's virtual memory was paged to disk and it encountered an error when it came to read it back into physical memory:

        CRITICAL_OBJECT_TERMINATION (f4)
        A process or thread crucial to system operation has unexpectedly exited or been
        terminated. Several processes and threads are necessary for the operation of the
        system; when they are terminated (for any reason), the system can no longer function.
        ...
        EXCEPTION_RECORD:  b2af29d8 -- (.exr ffffffffb2af29d8)
        ExceptionAddress: 7c936bd1
           ExceptionCode: c0000006 (In-page I/O error)
          ExceptionFlags: 00000000
        NumberParameters: 3
           Parameter[0]: 00000000
           Parameter[1]: 7c99a3d8
           Parameter[2]: c0000185
        Inpage operation failed at 7c99a3d8, due to I/O error c0000185
        EXCEPTION_CODE: (NTSTATUS) 0xc0000185 - The I/O device reported an I/O error.
        CUSTOMER_CRASH_COUNT:  29
        DEFAULT_BUCKET_ID:  COMMON_SYSTEM_FAULT
        ERROR_CODE: (NTSTATUS) 0xc0000006 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The required data was not placed into memory because of an I/O error status of "0x%08lx".
        IO_ERROR: (NTSTATUS) 0xc0000185 - The I/O device reported an I/O error.
        ...
        STACK_TEXT:
        b2af2520 8062c359 000000f4 00000003 86923020 nt!KeBugCheckEx+0x1b
        b2af2544 805f9f46 805f9f88 86923020 86923194 nt!PspCatchCriticalBreak+0x75
        b2af2574 804de7ec 86923268 c0000006 b2af29b0 nt!NtTerminateProcess+0x7d
        b2af2574 804ddae1 86923268 c0000006 b2af29b0 nt!KiFastCallEntry+0xf8
        b2af25f4 8051d696 ffffffff c0000006 b2af29f8 nt!ZwTerminateProcess+0x11
        b2af29b0 805064c2 b2af29d8 00000000 b2af2d64 nt!KiDispatchException+0x3a0
        b2af2d34 804e206b 0069f22c 0069f24c 00000000 nt!KiRaiseException+0x175
        b2af2d50 804de7ec 0069f22c 0069f24c 00000000 nt!NtRaiseException+0x31
        b2af2d50 7c936bd1 0069f22c 0069f24c 00000000 nt!KiFastCallEntry+0xf8
        WARNING: Frame IP not in any known module. Following frames may be wrong.
        0069f528 00000000 00000000 00000000 00000000 0x7c936bd1

     Anything changed on the system before the problem appeared? Driver updates, heatsinks or fans worked on, new software or hardware installed? Could be heat related, or a problem with RAM, hard disk or a cable not seated correctly. Does the problem occur in safe mode, if you leave it at the user selection screen? I would test uninstalling AVG completely to see if the problem still occurs - put it straight back on if the crashes still occur. I would also check where these drivers come from - look at the dates:

        kd> lmvm DLPortIO
        start    end        module name
        b1ac5000 b1acb000   DLPortIO   T (no symbols)
            Loaded symbol image file: DLPortIO.SYS
            Image path: DLPortIO.SYS
            Image name: DLPortIO.SYS
            Timestamp:        Fri Sep 27 15:10:46 1996 (324BD256)
            CheckSum:         00001DD3
            ImageSize:        00006000
            Translations:     0000.04b0 0000.04e0 0409.04b0 0409.04e0
        kd> lmvm mapmem
        start    end        module name
        f7ace000 f7ace8a0   MAPMEM     T (no symbols)
            Loaded symbol image file: MAPMEM.sys
            Image path: MAPMEM.sys
            Image name: MAPMEM.sys
            Timestamp:        Fri May 08 23:25:04 1998 (35537830)
            CheckSum:         0000786D
            ImageSize:        000008A0
            Translations:     0000.04b0 0000.04e0 0409.04b0 0409.04e0

     In particular, searching the Internet on "dlportio.sys" gives some worrying hits...
     If you take AVG off and the problem persists, I would recommend installing an alternative AV package such as Avast! to get a second opinion on the health of the system. I would also run RootkitRevealer from sysinternals.com to check for hidden nasties, just in case.
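The advice in the post above is to look at the dates on the drivers the debugger cannot symbolise. As an added example (not the poster's own tooling), the Python script below parses `lmvm` output of the kind quoted in the post, converts the hex link timestamp in parentheses to an unambiguous UTC time, and flags modules that have no symbols or were built long before a reference date. The `lmvm` text is copied from the post; the reference date is an assumption because the post does not give the crash date.

```python
import re
from datetime import datetime, timezone

# Debugger output copied from the post above, used here as sample input.
LMVM_OUTPUT = """
kd> lmvm DLPortIO
start    end        module name
b1ac5000 b1acb000   DLPortIO   T (no symbols)
    Loaded symbol image file: DLPortIO.SYS
    Image path: DLPortIO.SYS
    Image name: DLPortIO.SYS
    Timestamp:        Fri Sep 27 15:10:46 1996 (324BD256)
    CheckSum:         00001DD3
    ImageSize:        00006000
    Translations:     0000.04b0 0000.04e0 0409.04b0 0409.04e0
kd> lmvm mapmem
start    end        module name
f7ace000 f7ace8a0   MAPMEM     T (no symbols)
    Loaded symbol image file: MAPMEM.sys
    Image path: MAPMEM.sys
    Image name: MAPMEM.sys
    Timestamp:        Fri May 08 23:25:04 1998 (35537830)
    CheckSum:         0000786D
    ImageSize:        000008A0
    Translations:     0000.04b0 0000.04e0 0409.04b0 0409.04e0
"""

MODULE_RE = re.compile(r"^kd>\s*lmvm\s+(\S+)", re.M)
TS_RE = re.compile(r"Timestamp:\s+(.+?)\s+\(([0-9A-Fa-f]{8})\)")
PATH_RE = re.compile(r"Image path:\s+(\S+)")
SIZE_RE = re.compile(r"ImageSize:\s+([0-9A-Fa-f]+)")


def parse_lmvm(text):
    """Return one record per `lmvm` listing found in the debugger output."""
    records = []
    starts = list(MODULE_RE.finditer(text))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        block = text[m.start():end]
        ts = TS_RE.search(block)
        if not ts:
            continue
        # The hex value is the PE link timestamp in seconds since the Unix epoch,
        # which is UTC; the text form is shown in the debugger host's local time.
        built = datetime.fromtimestamp(int(ts.group(2), 16), tz=timezone.utc)
        path = PATH_RE.search(block)
        size = SIZE_RE.search(block)
        records.append({
            "name": m.group(1),
            "built_utc": built,
            "timestamp_text": ts.group(1),
            "no_symbols": "(no symbols)" in block,
            "image_path": path.group(1) if path else None,
            "image_size": int(size.group(1), 16) if size else None,
        })
    return records


def suspicious_drivers(records, reference_date, max_age_years=5):
    """List (name, reasons) for drivers with no symbols or built more than
    max_age_years before reference_date (an ISO date string, e.g. "2006-01-01").
    Old, unsymbolised third-party drivers are the ones worth tracing to a source."""
    ref = datetime.fromisoformat(reference_date).replace(tzinfo=timezone.utc)
    flagged = []
    for r in records:
        reasons = []
        if r["no_symbols"]:
            reasons.append("no symbols")
        age_years = (ref - r["built_utc"]).days / 365.25
        if age_years > max_age_years:
            reasons.append(f"built {age_years:.1f} years before reference date")
        if reasons:
            flagged.append((r["name"], reasons))
    return flagged


if __name__ == "__main__":
    # Assumed reference date: the post gives no crash date, so 2006-01-01 is a stand-in.
    for name, reasons in suspicious_drivers(parse_lmvm(LMVM_OUTPUT), "2006-01-01"):
        print(f"{name}: {', '.join(reasons)}")
```

Both drivers come out flagged: neither has symbols and both were linked in the 1990s, which is exactly the "look at the dates" check the post suggests, done mechanically so it can be run over a longer `lm` listing.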
  5. Case sensitive maybe? KB900524 describes the switches, backing up what cluberti said.
  6. 1. You should install FRE and not CHK builds unless you are debugging, as this will make you run slower - the only functional difference is extra ASSERT statements for deeper checking at runtime, which will be a performance hit.
     2. Error 80070241 implies the image hash is not valid - bad download, burn or the source is corrupt.
  7. On my machine, clicking Start / Network brings up exactly the same as Network and Sharing Center / View computers and devices, is this not the same as your "View Networks" option? Also, I think that the functions performed by the Network and Sharing Center are mainly configuration ones, so it doesn't make sense to have it on a link through the Start menu itself - it's just as accessible by right-clicking the network icon in the system tray but it is more logical for it to be there.
  8. Tried launching the app as administrator?
  9. Sounds like the DNS setting on the ICS client is not correct, or there is a problem resolving names. The gateway setting is obviously okay, as is connectivity between the ICS client and host. Assuming the ICS host itself has no problems accessing the Internet, open a command prompt on both machines and enter the following command: ipconfig /all Paste the output from the 2 machines here.
  10. Office is the big earner for Microsoft, no way will that be included in OS media. OneCare is a subscription service only possible through maintenance payments, so you won't see that included either (and definitely not 5 years). Visual Studio is not a commonly-enough demanded product (and again an earner) to warrant bundling with the OS. And after the debacle that was the EU's decision to force Microsoft to produce a version of Windows without Media Player bundled, plus the ridiculous fine, there's very little chance you would see any "bundling" such as this in the future - allegedly it kills competition.
  11. So you can't even install Windows 2003, this STOP error crops up during setup? How far through the installation does it get before the error occurs? Are you formatting the partition through setup, or preparing it beforehand? Does the installation media contain SP1? Do you have another Windows 2003 CD that you could test, to rule out a media problem?
  12. The use of the loopback address for an SMTP relay from regular ISP users would imply that this is a bot network of trojans used for spamming - the senders are most likely unaware they are being used to distribute this garbage. That is also why the headers are not consistent - you won't trace the individual mails back to a specific source and the only significant clue is the addresses to which they are sent. The purpose of me using unique addresses for every site I register on is so that I can see when this occurs and know which source it was lifted from.
  13. I'll repeat it - the mail did not originate from the MSFN forum servers, the addresses have been harvested from within the user database - mine has been hidden since signup so cannot have been harvested through browsing my profile.
      Edit: MSDN != MSFN (need more coffee)
      Of course I'm assuming it's harvested, and here is why:
      1. The email address used is unique for MSFN
      2. I have never sent an email from this address or replied to a mail addressed to it
      3. The email address is hidden from viewing my profile
      4. The email address has not changed since I signed up, and I have not viewed my profile for months
      5. A number of other users of the MSFN forum received identically-formatted spam on the very same night
      6. The mails were not sent from MSFN's mailer daemon (it was generated on the regular spam network worldwide), so this was not the compromised component
      It's hardly rocket science to come to the conclusion that the profile information, even that which was marked as private, has therefore been compromised - either by accessing the user database or injecting code into a script or applet delivered to clients that they execute when visiting the board.
  14. Random subject, different sender addresses and routes - the email addresses of the users on the forum have been harvested and will be in circulation on spam engines all over the place by now. If the forum mailer daemon had been compromised, the message would be the same, would appear to come from MSFN and would be traceable back to the same origin. I received an email with this header addressed to a unique address used only for MSFN (so I can track when addresses get leaked like this):

        From: - Thu Jul 13 18:42:06 2006
        X-Account-Key: account3
        X-UIDL: UID4263-1116176773
        X-Mozilla-Status: 0001
        X-Mozilla-Status2: 00000000
        Return-path: <KermitWilkerson34@animail.net>
        Envelope-to: [mymailbox]
        Delivery-date: Thu, 13 Jul 2006 02:21:56 +0100
        Received: from [195.224.48.118] (helo=nine.mx.123-reg.co.uk)
            by pophost.123-reg.co.uk with esmtps (TLSv1:AES256-SHA:256) (Exim 4.43)
            id 1G0pts-0000rn-8y
            for [mymailbox]; Thu, 13 Jul 2006 02:21:56 +0100
        Received: from 163.red-81-36-192.dynamicip.rima-tde.net ([81.36.192.163])
            by nine.mx.123-reg.co.uk with smtp (Exim 4.50)
            id 1G0ptr-0001x3-SH
            for [me]; Thu, 13 Jul 2006 02:21:56 +0100
        Received: from localhost (linux139 [127.0.0.1])
            by handler.bolt.com (Postfix) with ESMTP id 0-9A-ZA-Z0-9A-Z0-9A-Z0-90-9A-ZA-Z
            for [me]; Wed, 12 Jul 2006 22:10:25 +0000 (EDT)
        Received: from handler.bolt.com ([127.0.0.1])
            by localhost (amavis.boltstaff.com [127.0.0.1]) (amavisd-new, port 10099) with ESMTP id 48882-13
            for [me]; Wed, 12 Jul 2006 22:10:25 +0000 (EDT)
        Received: from boltfolio08 (unknown [10.70.15.87])
            by handler.bolt.com (Postfix) with ESMTP id A-Z0-9A-ZA-ZA-Z0-9A-Z0-9A-ZA-Z0-9
            for [me]; Wed, 12 Jul 2006 22:10:25 +0000 (EDT)
        Message-ID: <14083443.1185289068282.JavaMail.confirm@boltinc.com>
        From: Kermit Wilkerson <srayford73@boltfolio.com>
        To: [me]
        Subject: lawmake message from Kermit Wilkerson
        Mime-Version: 1.0
        Content-Type: text/plain; charset=us-ascii
        Content-Transfer-Encoding: 7bit
        Date: Wed, 12 Jul 2006 22:10:25 +0000 (EDT)
        X-Virus-Scanned: amavisd-new at boltstaff.com
        X-Antivirus: avast! (VPS 0628-3, 2006-07-12), Inbound message
        X-Antivirus-Status: Clean

      Time to change my email address for MSFN...
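Posts 12 and 14 above make the same point from two angles: only the Received: hops stamped by your own mail servers can be trusted, and everything below them (the localhost and 10.x hops, the queue ids that look like unfilled "A-Z0-9" templates, a "+0000" offset labelled EDT) is whatever the spam engine wrote into the message. As an added example, not the poster's own tooling, the Python below parses a chain of Received: headers, marks the trusted hops by the domain of the receiving server, records the IP that handed the mail to the first trusted server as the only reliable origin, and lists the forgery indicators in the sender-written part. The headers are constructed for this example (hostnames, addresses and queue ids are all made up, following the shape of the ones quoted in post 14).

```python
import re
import ipaddress

# Constructed Received: headers, newest first as they appear in a message.
# The first two were stamped by the recipient's own servers; the last two are
# what the sender put in the message body before handing it over.
SAMPLE_RECEIVED = [
    "from [198.51.100.7] (helo=mx.example-host.test) by pop.example-host.test "
    "with esmtps (Exim 4.43) id 1AbCdE-000123-XY for <victim@example.test>; "
    "Thu, 13 Jul 2006 02:21:56 +0100",
    "from dyn-203-0-113-44.isp.example ([203.0.113.44]) by mx.example-host.test "
    "with smtp (Exim 4.50) id 1AbCdD-000456-ZQ for <victim@example.test>; "
    "Thu, 13 Jul 2006 02:21:56 +0100",
    "from localhost (linux139 [127.0.0.1]) by handler.example.test (Postfix) "
    "with ESMTP id 0-9A-ZA-Z0-9A-Z for <victim@example.test>; "
    "Wed, 12 Jul 2006 22:10:25 +0000 (EDT)",
    "from workstation08 (unknown [10.70.15.87]) by handler.example.test (Postfix) "
    "with ESMTP id A-Z0-9A-ZA-Z0-9 for <victim@example.test>; "
    "Wed, 12 Jul 2006 22:10:25 +0000 (EDT)",
]

FROM_RE = re.compile(r"^from\s+(\S+)(?:\s+\(([^)]*)\))?", re.I)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
ID_RE = re.compile(r"\bid\s+(\S+)", re.I)
ZONE_RE = re.compile(r"([+-]\d{4})\s*\(([A-Z]+)\)\s*$")
# A real queue id is a fixed string; "A-Z0-9" style text is a template the
# sending software never filled in.
PLACEHOLDER_ID_RE = re.compile(r"A-Z|a-z|0-9")
# Numeric offsets that these zone names actually denote.
ZONE_OFFSETS = {"EDT": "-0400", "EST": "-0500", "BST": "+0100", "GMT": "+0000", "UTC": "+0000"}


def parse_received(value):
    """Split one Received: header into the fields a trace needs."""
    m = FROM_RE.match(value.strip())
    from_host, paren = (m.group(1), m.group(2) or "") if m else ("", "")
    ip = IP_RE.search(paren) or IP_RE.search(from_host)
    by = BY_RE.search(value)
    qid = ID_RE.search(value)
    date = value.rsplit(";", 1)[1].strip() if ";" in value else ""
    return {
        "from": from_host.strip("[]"),
        "ip": ip.group(1) if ip else None,
        "by": by.group(1) if by else None,
        "id": qid.group(1) if qid else None,
        "date": date,
    }


def _routable(ip):
    """False for loopback and RFC 1918 space, which no real peer on the Internet has."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (addr.is_private or addr.is_loopback)


def analyze_received(headers, trusted_domain):
    """Walk the chain newest-first. Hops stamped by a server under trusted_domain
    are ours; the peer IP of the last such hop is the real handover address.
    Everything after that is sender-supplied text and is checked for forgery tells."""
    hops = [parse_received(h) for h in headers]
    origin_ip, anomalies, in_trusted = None, [], True
    for i, hop in enumerate(hops):
        by = (hop["by"] or "").lower()
        hop["trusted"] = in_trusted and by.endswith(trusted_domain.lower())
        if hop["trusted"]:
            origin_ip = hop["ip"]
            continue
        in_trusted = False
        if hop["ip"] and not _routable(hop["ip"]):
            anomalies.append((i, f"claimed hop via non-routable address {hop['ip']}"))
        if hop["id"] and PLACEHOLDER_ID_RE.search(hop["id"]):
            anomalies.append((i, f"queue id looks like an unfilled template: {hop['id']}"))
        zm = ZONE_RE.search(hop["date"])
        if zm and ZONE_OFFSETS.get(zm.group(2)) not in (None, zm.group(1)):
            anomalies.append((i, f"offset {zm.group(1)} does not match zone name {zm.group(2)}"))
    return {"hops": hops, "origin_ip": origin_ip, "anomalies": anomalies}


if __name__ == "__main__":
    result = analyze_received(SAMPLE_RECEIVED, "example-host.test")
    print("handover IP (only reliable origin):", result["origin_ip"])
    for idx, msg in result["anomalies"]:
        print(f"hop {idx}: {msg}")
```

On the sample chain the only reliable fact is the handover address seen by the recipient's own MX; the three kinds of inconsistency in the lower hops are why the post says the individual mails cannot be traced back further, and why the unique per-site address is the more useful clue.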
  15. HKCU\.DEFAULT is the LOCAL SYSTEM user profile hive, as it doesn't have a profile on disk to pull NTUSER.DAT from. You don't want to go messing in there really.
  16. Seems the bad code in Daemon Tools has been rectified: http://www.daemon-tools.cc/dtcc/announcements.php On a related note, the genuine x64 Windows SP2 is currently in beta testing.
  17. Environments are passed between parent and child processes, so if you open a command prompt and launch a process it will inherit the environment. What you could do is use FileMon to see what paths are being probed by the game - maybe it's not only checking the path but ownership also, or something like that. Perhaps it is indeed looking for "%UserProfile%\My Documents", and you don't have a "My Documents" folder under "f:\mydoc"?
  18. My guess then is that the browser is going to the correct address but the page being returned has a reference which still resolves to the other server. e.g.
      domain.com is set in HOSTS to point to 10.10.10.15
      browser visits http://domain.com - this is resolved to 10.10.10.15 (via HOSTS) and the web server returns a client-side redirect to http://www.domain.com
      browser then requests http://www.domain.com as instructed - this resolves to 10.10.10.10 (via DNS) and the old web server now returns the page requested
      Use something like HTTP Fiddler to view the browser requests, or Ethereal to see the raw network traffic to verify this.
  19. Actually regedit.exe lives in %systemroot% - regedt32.exe is the one that lives in %systemroot%\system32.
  20. Open an elevated command prompt and run it from there - it should dump the error message out. Alternatively, does regedt32.exe work?
  21. The fact that it resolves to the correct IP address at the command prompt would imply the DNS Client service is working correctly and the HOSTS file is read. The fact that only browsers resolve to the wrong address would imply you are using a proxy server for Internet access - or some ad-filtering/privacy/AV software which behaves as a transparent proxy - and this is doing a DNS lookup for the address so your local HOSTS file is ignored. If the browsers are not configured to use a proxy server, check for software on the machine which is transparently doing the check for outbound HTTP connections and is performing the name resolution.
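Posts 18 and 21 above describe two ways a HOSTS override can appear not to work: the first request does go to the new server, but a redirect sends the browser to a name that is not in HOSTS, or a proxy resolves the name on its own box so HOSTS is never consulted. As an added example, not the poster's own tooling, the Python below parses a HOSTS file, simulates a browser following redirects against constructed servers, records for each request which name was asked for and whether HOSTS or DNS answered, and reports the names the HOSTS file fails to cover. The HOSTS text, DNS answers and server responses are all constructed for this example; the addresses are the ones used in post 18.

```python
import re

# Constructed HOSTS file text (same layout as %SystemRoot%\System32\drivers\etc\hosts).
# Only the bare name is overridden, which is the situation post 18 describes.
HOSTS_TEXT = """
# Windows hosts file (constructed sample)
127.0.0.1       localhost
10.10.10.15     domain.com      # new web server under test
"""

# Constructed stand-in for what public DNS still answers.
PUBLIC_DNS = {"domain.com": "10.10.10.10", "www.domain.com": "10.10.10.10"}

# Constructed responses keyed by (server IP, Host name). The new server sends a
# client-side redirect to the www name; the old server serves both names.
SERVERS = {
    ("10.10.10.15", "domain.com"): (302, {"Location": "http://www.domain.com/"}),
    ("10.10.10.10", "domain.com"): (200, {}),
    ("10.10.10.10", "www.domain.com"): (200, {}),
}


def parse_hosts(text):
    """Map hostname -> IP from HOSTS text. Comments and blank lines are skipped;
    as with the real resolver, the first entry for a name wins."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), ip)
    return table


def resolve(host, hosts, dns, via_proxy=False):
    """Return (ip, source). A forwarding proxy looks the name up on its own
    machine, so on that path the client's HOSTS entries are never consulted."""
    if not via_proxy and host.lower() in hosts:
        return hosts[host.lower()], "HOSTS"
    return dns.get(host.lower()), "DNS"


def follow(url, hosts, dns, servers, via_proxy=False, max_hops=5):
    """Simulate a browser fetching url and following redirects, recording per
    request the name asked for, the IP it went to, and how it was resolved."""
    trail = []
    for _ in range(max_hops):
        m = re.match(r"https?://([^/:]+)", url)
        if not m:
            break
        host = m.group(1)
        ip, source = resolve(host, hosts, dns, via_proxy)
        status, headers = servers.get((ip, host), (None, {}))
        trail.append({"url": url, "host": host, "ip": ip, "via": source, "status": status})
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = headers["Location"]
            continue
        break
    return trail


def hosts_gaps(trail, hosts):
    """Names the browser was sent to that the HOSTS file does not override."""
    return sorted({h["host"] for h in trail if h["host"].lower() not in hosts})


if __name__ == "__main__":
    table = parse_hosts(HOSTS_TEXT)
    for via_proxy in (False, True):
        print("via proxy" if via_proxy else "direct")
        trail = follow("http://domain.com/", table, PUBLIC_DNS, SERVERS, via_proxy)
        for hop in trail:
            print(f"  {hop['host']} -> {hop['ip']} ({hop['via']}) status {hop['status']}")
        print("  not covered by HOSTS:", hosts_gaps(trail, table))
```

Run directly, the trail shows the first request honouring HOSTS and the redirected request falling through to DNS, so the page comes from the old server; `hosts_gaps` names the entry (`www.domain.com`) that would need adding. With `via_proxy=True` even the first request goes to DNS, which is the post 21 symptom. In real use the same trail is what Fiddler or a packet capture shows you.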
  22. Didn't work for my Dell Latitude D600 laptop (ATI Radeon Mobility 9000) using Vista build 5384.
  23. yes it is
      Give This A Try
      I don't think this has worked in the last 7 months, since the December CTP. That same site has a forum and there is a post here with that very question, saying that only cards that support it will show it now. RAM doesn't have that much to do with Aero Glass, it's more the graphics card (and driver) requirements, something like DX9, Pixel Shader 2.0, 64MB graphics RAM (possibly 128MB for resolutions >1024x768), AGP 4x or faster, WDDM/LDDM driver. If you have PowerPoint there is a slideshow from Microsoft here.
  24. Okay, well that would imply the driver is quite happily determining Aero Glass support is possible, but some resource is running out or a threshold being exceeded when you ramp up the requirements too high. What about 1280x1024x16? Does Aero Glass work then? Not sure if the req's for beta 2 just raise the bar a bit and your current GPU can't cut it... this is an AGP card right? 512MB system memory... have you tried tinkering with the AGP aperture size in the BIOS at all? The rating tool is pretty clear - the weakest link there is the GPU and the graphics memory.
  25. Let me re-word it - what if you make the screen resolution lower, for example 1024x768? Does Aero Glass work then? I think 88.61 came out to coincide with beta 2, so you'll not have tried that version with a previous build... so we don't know if it's the later build of Vista or the later ForceWare driver. If you have the older build you could always verify with the 88.61 driver to see if it's the driver or not.