Windows Vista Tips

freezing up
 
 
Maine4Us
Guest
Posts: n/a

 
      07-22-2007
I too have been experiencing frequent freeze ups. I scanned for spyware using
several different programs. Finally Adware-Pro (the last one I tried) found
212 parasites!!!! My system has not frozen up since. My question is---in
looking at the session logs from Webroot SpySweeper this entry keeps coming
up---anyone know what it means??


Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\
Source: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
11:22 AM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\
Source: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
11:22 AM: Tamper Detection

 
 
 
 
 
Mr. Arnold
Guest
Posts: n/a

 
      07-22-2007



Now, malware can use something like Svchost.exe. Svchost.exe, a key O/S
component running out of the System32 directory, can host O/S programs and
non-O/S programs; even malware programs can be hosted by Svchost.exe to do
something on its behalf.

So, it's not Svchost that's doing it, as Svchost does nothing on its own; it
just hosts other programs and provides the means.

 
 
Maine4Us
Guest
Posts: n/a

 
      07-22-2007
So is this something that is bad? What's the Target line mean?
Thanks for your help.

 
 
Mr. Arnold
Guest
Posts: n/a

 
      07-22-2007

"Maine4Us" <> wrote in message
news:2B6EAC8B-6C74-4ED1-9F4A-...
> So is this something that is bad? What's the Target line mean?
> Thanks for your help.
>


I don't know what it means. However, nothing should be changing the
registry, unless you're installing software that you know about. And maybe,
if the registry is being changed and you don't know about it, then maybe
you should surf the Web using a Limited User account, if you're not using
one.

Maybe, you can get some more information from the links.

http://www.google.com/search?hl=en&q...=Google+Search

Maybe you can take a tool like Process Explorer and look at what any given
Svchost is hosting. Maybe, you'll spot something that shouldn't be hosted,
like malware.

 
 
Jon
Guest
Posts: n/a

 
      07-22-2007





SpySweeper protecting its own registry entries from 'tampering' by the looks
of it.

A quick google turned up this on one page, which should show you what the
initials stand for

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000]
"DeviceDesc"="Spy Sweeper Hookrack MiniDriver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000]
"DeviceDesc"="Spy Sweeper Interdiction Driver"

--
Jon


 
 
Maine4Us
Guest
Posts: n/a

 
      07-22-2007
Thanks for the info, I will see what I can find.

 
 
Maine4Us
Guest
Posts: n/a

 
      07-22-2007
Thanks Jon, so it might be nothing to worry about. I hope. How do you google something like this??


Denise
 
 
Jon
Guest
Posts: n/a

 
      07-22-2007





To google it you can use portions of the error message, e.g. 'LEGACY_SSHRMD' or
'LEGACY_SSHRMD', along with something like "Tamper Detection" and see what
turns up.

I'd also run this command from an elevated command prompt (right-click >
Run as administrator), to verify the integrity of your files (since it's
clearly been infected).

sfc /scannow

Also if you want to be thorough then this command will show what services
each 'svchost.exe' is hosting.

tasklist /svc

You can use this information to ensure that the services that are running
should be running.

Otherwise, and perhaps simpler, you could run your various spyware
detection tools again and verify that they give you the all clear.


--
Jon
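
The svchost.exe check suggested in the post above can be scripted. This is an added example, not part of the original thread: it parses the CSV form of the same listing (`tasklist /svc /fo csv`) and flags hosted services that are missing from a baseline. The sample output, the `UpdHlpSvc` service name and the `KNOWN_GOOD` baseline are constructed for illustration.

```python
import csv
import io

# Constructed sample of `tasklist /svc /fo csv` output (not from the thread).
SAMPLE = '''"Image Name","PID","Services"
"System Idle Process","0","N/A"
"svchost.exe","884","DcomLaunch,PlugPlay"
"svchost.exe","1020","RpcSs"
"svchost.exe","1436","Dhcp,EventLog,lmhosts,UpdHlpSvc"
"explorer.exe","2312","N/A"
"svchost.exe","3008","N/A"
'''

# Hypothetical baseline: service names already verified on this machine.
KNOWN_GOOD = {"dcomlaunch", "plugplay", "rpcss", "dhcp", "eventlog", "lmhosts"}


def svchost_services(csv_text):
    """Map each svchost.exe PID to the list of services it hosts."""
    hosted = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Image Name"].lower() != "svchost.exe":
            continue
        names = [s.strip() for s in row["Services"].split(",")]
        hosted[int(row["PID"])] = [s for s in names if s and s != "N/A"]
    return hosted


def review(csv_text, known_good):
    """Return (pid, finding) pairs that deserve a closer look."""
    findings = []
    for pid, services in sorted(svchost_services(csv_text).items()):
        if not services:
            # An svchost.exe that hosts nothing is worth checking by path
            # and parent process (for example in Process Explorer).
            findings.append((pid, "hosts no services"))
        for name in services:
            if name.lower() not in known_good:
                findings.append((pid, "unrecognized service: " + name))
    return findings


if __name__ == "__main__":
    for pid, finding in review(SAMPLE, KNOWN_GOOD):
        print(f"svchost.exe PID {pid}: {finding}")
```

A flagged name is only a prompt to look the service up; a service missing from the baseline is not by itself malicious.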


 
 
Maine4Us
Guest
Posts: n/a

 
      07-23-2007
Thanks Jon...what is an elevated command prompt??

 