Generic Host Process For Win32 Services


#1 jjq


  • Members
  • 1 posts

Posted 10 February 2008 - 02:11 AM

Generic Host Process for Win32 Services has encountered a problem...

* On bootup was getting the following message:

"Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the

* And when I clicked the 'click here for details' I got:

szAppName : svchost.exe szAppVer : 5.1.2600.2180 szModName : wuaueng.dll
szModVer : 7.0.6000.381 offset : 0014d8cd

* Problems included the following:
- midi sound files wouldn't play, no music etc.
- Windows XP theme display reverted to 'Classic' view
- Couldn't Update Windows
- Switched off Firewall and couldn't switch it on again

* I ran Combofix which immediately restored sound and the XP theme display (without reboot). Following prompts
I visited http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/ and followed it step by step.

* Adaware found and deleted 7 criticals, on a second scan it detected none.

* Spybot found 20 problems (listed in red - real threats):

CoolToolBar: [SBI $426C664D] Settings (Registry key, nothing done)

CoolToolBar: [SBI $5E037FEF] Uninstall settings (Registry key, nothing done)
DrAntispy: [SBI $A060FAB7] Link (File, nothing done)
C:\Documents and Settings\Justin O'Brien\Start Menu\Programs\Startup\DrAntispy.lnk
FunWebProducts: [SBI $7D9D33B1] Configuration file (File, nothing done)
C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf
MyWay.MyWebSearch: [SBI $6404C538] Settings (Registry key, nothing done)

MyWay.MyWebSearch: [SBI $39E631BB] Settings (Registry key, nothing done)

MyWay.MyWebSearch: [SBI $1D729FD1] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0}
MyWay.MyWebSearch: [SBI $71059DE8] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution

MyWebSearch: [SBI $0778094F] Interface (Registry key, nothing done)
MyWebSearch: [SBI $EB0F98F9] Interface (Registry key, nothing done)
SexList: [SBI $4CDCC3D5] Tracking cookie (Internet Explorer: Justin O'Brien) (Cookie, nothing done)
HitBox: [SBI $4CDCC3D5] Tracking cookie (Internet Explorer: Justin O'Brien) (Cookie, nothing done)
MediaPlex: [SBI $4CDCC3D5] Tracking cookie (Internet Explorer: Justin O'Brien) (Cookie, nothing done)
BurstMedia: [SBI $4CDCC3D5] Tracking cookie (Internet Explorer: Justin O'Brien) (Cookie, nothing done)
CasaleMedia: [SBI $4CDCC3D5] Tracking cookie (Internet Explorer: Justin O'Brien) (Cookie, nothing done)
WebTrends live: [SBI $4CDCC3D5] Tracking cookie (Internet Explorer: Justin O'Brien) (Cookie, nothing done)
FastClick: [SBI $4CDCC3D5] Tracking cookie (Internet Explorer: Justin O'Brien) (Cookie, nothing done)
HitBox: [SBI $4CDCC3D5] Tracking cookie (Internet Explorer: Justin O'Brien) (Cookie, nothing done)
HitBox: [SBI $4CDCC3D5] Tracking cookie (Internet Explorer: Justin O'Brien) (Cookie, nothing done)
HitsLink: [SBI $4CDCC3D5] Tracking cookie (Internet Explorer: Justin O'Brien) (Cookie, nothing done)
--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---
2008-02-10 unins000.exe (
2008-01-28 blindman.exe (
2008-01-28 SDMain.exe (
2008-01-28 SDUpdate.exe (
2008-01-28 SDWinSec.exe (
2007-10-07 SDShred.exe (
2008-01-28 SDDelFile.exe (
2008-01-28 SpybotSD.exe (
2008-01-28 TeaTimer.exe (
2008-01-28 Update.exe (
2008-01-28 advcheck.dll (
2007-04-02 aports.dll (
2008-01-28 SDFiles.dll (
2007-11-17 DelZip179.dll (
2008-01-28 SDHelper.dll (
2008-01-28 Tools.dll (
2008-02-06 Includes\Revision.sbi (*)
2008-02-06 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-02-06 Includes\HeavyDuty.sbi (*)
2008-02-06 Includes\Hijackers.sbi (*)
2007-10-04 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-01-17 Includes\Malware.sbi (*)
2007-10-24 Includes\PUPS.sbi (*)
2008-01-10 Includes\Security.sbi (*)
2008-01-23 Includes\Spybots.sbi (*)
2007-11-06 Includes\Tracks.uti
2008-02-06 Includes\Trojans.sbi (*)
2008-02-06 Includes\DialerC.sbi (*)
2008-02-06 Includes\HijackersC.sbi (*)
2008-02-06 Includes\KeyloggersC.sbi (*)
2008-02-06 Includes\MalwareC.sbi (*)
2008-02-06 Includes\PUPSC.sbi (*)
2008-02-06 Includes\SecurityC.sbi (*)
2008-02-06 Includes\SpybotsC.sbi (*)
2008-02-06 Includes\TrojansC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll

* During Spybot Windows automatically updated (I don't know what files)

* I rebooted

* Windows Update kept asking to install Office XP Service Pack 3, I chose not to update it

* I ran BitDefender Online Scanner, which detected and deleted two infections: C:\WINDOWS\system32\nss9.dll and


* I then rebooted.

* I then updated and ran Sophos Anti-Virus scan, which detected Adware/PUA 'NirCmd' and quarantined it.

* I then ran McAfee Stinger and it appeared (I wasn't around at the end of the scan and there was no report at
the end) to find no problems. The report read:
"Scan initiated on Sun Feb 10 11:20:56 2008 Number of clean files: 273191"

* I then installed Sygate Personal Firewall and turned it on. I don't know if this was a good thing to do as
it's forever asking me if I want to block things coming in and out and to be honest I'm not sure that I got the
first few answers to these prompts right. svchost is blocked for example.

* I then updated Windows from www.update.microsoft.com and installed Office XP Service Pack 3 (this was the
first time in days that Windows Update had worked).

* I did another Windows update, and installed 13 security updates (for Office XP, PowerPoint 2002, Outlook
2002, SharePoint Team Services, Word, Excel, Publisher, etc.).

* I did a third Windows update, and installed 4 "high-priority" updates: Office XP Update: KB837253, Office XP
Update: KB833858, Security Update for Office XP: WordPerfect 5.x Converter (KB873379), Update for Access 2002

* I rebooted and tried a fourth Windows update, and got a message that the page couldn't be displayed.

* I closed IE, reopened it and tried to do the Windows Update again, this time it took forever at the point
'Checking for the latest updates for your computer'. I pondered removing Sygate Firewall and just
sticking with Windows Firewall, at least during the period of my Windows updating. It came back with:

"The website has encountered a problem and cannot display the page you are trying to view. The options
provided below might help you solve the problem.
For self-help options:

Frequently Asked Questions

Find Solutions

Windows Update Newsgroup
For assisted support options:

Microsoft Online Assisted Support (no-cost for Windows Update issues)

Read more about steps you can take to resolve this problem (error number 0x80072EFD) yourself. "

* I clicked on the link under (error number 0x80072EFD) and was asked to change the firewall settings to allow
Microsoft updates, I think I did this, got very confused really.

* Re-tried Windows Update again. Sygate popped up asking to allow or block 'ndisuio.sys', I blocked it. During
the update attempt I allowed the update to write a dll file. The update went through okay, with the message
that I require no High-Priority Updates.

* I then ran HijackThis and the log is pasted below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:29:42 PM, on 10/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Labtec\Mouse\2.1\moffice.exe
C:\Program Files\Labtec\Media Keyboard\V5.0\KbdAp32A.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Labtec\Mouse\2.1\MOUSE32A.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [DevconDefaultDB] C:\WINDOWS\READREG /PSCONV={NO}
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Labtec\Mouse\2.1\moffice.exe
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\Labtec\Media Keyboard\V5.0\KbdAp32A.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202294907203
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC57BC84-5099-4231-99F2-D4786D3CFC4B}: Domain = sa.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = prod.main.ntgov
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = prod.main.ntgov
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = prod.main.ntgov
O20 - AppInit_DLLs: c:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe

End of file - 10695 bytes

* All does seem to be working. Only issues might be updating Windows (although I think I've made it an exception), knowing what and what not to block with Sygate. :wacko: :thumbsup: :blink:
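The HijackThis log above is a line-oriented format: each entry starts with a section code (O2 for browser helper objects, O4 for Run keys and startup shortcuts, O20 for AppInit_DLLs, O23 for services) followed by a name, an owner where one is recorded, and a path. The following is an added example, not code from the poster or from BleepingComputer, that parses a few lines copied from that log into structured records and attaches triage remarks a helper would normally work through by hand: a service whose binary is reported "(file missing)", a service with "Unknown owner", a Run entry that names a bare executable with no directory, and any AppInit_DLLs entry. The regular expressions and the remarks are this example's own assumptions about the format, not HijackThis's code.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O20 - AppInit_DLLs: c:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
End of file - 10695 bytes
"""


@dataclass
class Entry:
    section: str                 # HijackThis section code, e.g. "O4", "O23"
    raw: str                     # the original log line
    name: str = ""               # Run-key value name, shortcut name, service display name, ...
    path: str = ""               # command line or binary path
    owner: str = ""              # O23 only: the publisher recorded for the service
    notes: list = field(default_factory=list)   # triage remarks added by triage()


# Assumed line shapes, derived from the log above (not an official grammar).
SECTION_RE = re.compile(r"^(?P<sec>[RO]\d+)\s+-\s+(?P<body>.+)$")
RUNKEY_RE = re.compile(r"^(?P<hive>\S+?):\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
LNK_RE = re.compile(r"^(?:Global )?Startup:\s*(?P<name>.+?)\s*=\s*(?P<cmd>.+)$")
SERVICE_RE = re.compile(r"^Service:\s*(?P<name>.+?)\s+-\s+(?P<owner>.+?)\s+-\s+(?P<path>.+)$")


def parse_line(line):
    """Turn one log line into an Entry, or None for header/footer lines."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    entry = Entry(section=sec, raw=line.strip())
    if sec == "O4":
        m4 = RUNKEY_RE.match(body) or LNK_RE.match(body)
        if m4:
            entry.name, entry.path = m4.group("name"), m4.group("cmd").strip()
    elif sec == "O23":
        m23 = SERVICE_RE.match(body)
        if m23:
            entry.name, entry.owner, entry.path = m23.group("name"), m23.group("owner"), m23.group("path")
    elif sec == "O20":
        key, _, value = body.partition(":")
        entry.name, entry.path = key.strip(), value.strip()
    return entry


def first_token(cmd):
    """The program part of a command line: the quoted segment if quoted, else the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(entry):
    """Attach the remarks a reviewer would want to follow up on. Nothing here is a verdict."""
    notes = []
    if entry.section == "O23":
        if "(file missing)" in entry.path:
            notes.append("service binary is missing: orphaned service entry")
        if entry.owner.lower() == "unknown owner":
            notes.append("no publisher recorded: verify the binary's signature and location")
    elif entry.section == "O4" and entry.path:
        token = first_token(entry.path)
        if token and not re.search(r"[\\/]", token):
            notes.append("bare file name, resolved through the search path: confirm which file actually runs")
    elif entry.section == "O20":
        notes.append("AppInit_DLLs is loaded into every process that links user32.dll: confirm the DLL belongs to an installed product")
    entry.notes = notes
    return entry


def parse_log(text):
    """Parse a whole log into triaged entries, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None:
            entries.append(triage(e))
    return entries


def flagged(entries):
    """Only the entries that picked up at least one triage remark."""
    return [e for e in entries if e.notes]


if __name__ == "__main__":
    for e in flagged(parse_log(SAMPLE_LOG)):
        print(e.section, e.name or e.raw)
        for n in e.notes:
            print("   -", n)
```

Run against the sample it reports three entries: the CTHelper Run value (bare file name), the AppInit_DLLs entry, and the Symantec service whose binary is missing and whose owner is unknown. The Sygate and Sophos entries, which carry full paths and a named publisher, pass through without remarks, which is the point: the parser narrows a 10 KB log to the handful of lines that need a human to look at them.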



#2 RichieUK


    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 19 February 2008 - 08:22 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum.
My name is Richie and I'll be helping you to fix your problems.

Apologies for the late response, as I'm sure you can appreciate we are extremely busy.

If you've already received help at another forum and your issues have been resolved, or you're presently receiving help elsewhere, then please let us know.

If you still require help, please post a new HijackThis log into this topic in your next reply.

Also post a detailed description of the issues you're experiencing.

Post all reports/logs directly into this topic, not as attachments, thanks.