Generic Host for WIN32 Services (Virus or No?)


10 replies to this topic

#1 nmidura (Members, 8 posts)

Posted 18 November 2009 - 02:00 PM

I know this has been asked before, but I haven't been able to find a good answer.

Just got rid of the dreaded Security Tool from a friend's "New" laptop (handed down by someone who probably couldn't get rid of this virus.) These were my steps. After startup in Safe Mode,
1. Downloaded and started rKill
2. Deleted previous owners' profile and folder (seemed to be where virus was located)
3. Ran Bytes and S.A.S. (A little overkill, I know)
4. Downloaded and installed AVG free.
5. Created a Restore point.

After running Bytes (which turned up no malware or viruses), I got this error message:

"Generic Host Process for WIN32 Services encountered a problem and needs to close."

It pops up on startup... The only things opening on startup (per msconfig) are AVG and Bytes. I am running Windows XP Home.

Help?

Edited by nmidura, 18 November 2009 - 02:01 PM.


#2 rigel (FD-BC; Members, 12,944 posts; Gender: Male; Location: South Carolina - USA)

Posted 18 November 2009 - 03:32 PM

It is possible you may still have an infection present via a rootkit.

Install RootRepeal

Click here - Official Rootrepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop.
Fatdcuk at Malwarebytes posted a comprehensive tutorial; the self-help guide can be found here if needed: Malwarebytes Removal and Self Help Guides.
Click RootRepeal.exe to open the scanner.
Click the Report tab, now click on Scan. A Window will open asking what to include in the scan.
Check the following items:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click OK
Scan your C drive (or your current system drive) and click OK. The scan will begin. This may take a moment, so please be patient. When the scan completes, click Save Report.
Name the log RootRepeal.txt and save it to your Documents folder - (Default folder).
Paste the log into your next reply.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 nmidura (Topic Starter; Members, 8 posts)

Posted 18 November 2009 - 07:06 PM

The RootRepeal website is over its bandwidth limit. Cannot get the program. Anywhere else I can download it?

#4 nmidura (Topic Starter; Members, 8 posts)

Posted 18 November 2009 - 07:15 PM

Think I got it. This is a friend's comp. No rar program. Found frog. Will let you know how it goes down.

#5 nmidura (Topic Starter; Members, 8 posts)

Posted 18 November 2009 - 07:27 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/18 19:16
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAAD24000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A7A000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9F7E000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\roger kennedy\local settings\temp\~dfb5cd.tmp
Status: Allocation size mismatch (API: 131072, Raw: 16384)

==EOF==
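
The RootRepeal procedure in #2 and the log posted in #5, as an added example that is not part of the original thread and is not RootRepeal's own code: a Python script that parses a saved RootRepeal.txt and sorts each driver and hidden/locked file into "expected" or "review", so that the reader sees only the lines that deserve a human look. The function names (`parse_sections`, `triage`, `needs_review`) and the allow-list are my assumptions: crash-dump driver copies (`dump_*`) and the scanner's own `rootrepeal.sys` are loaded from memory and are normally reported as not file-visible, and `hiberfil.sys`/`pagefile.sys` are normally locked by the kernel. The sample report is the one from #5, embedded so the script runs offline.

```python
"""Triage a RootRepeal report (the log saved from the scanner's Report tab).

Added example for this thread: not RootRepeal's own code. The allow-list is
my assumption about what is normally benign, not the scanner's verdict; the
script only reduces the log to the entries a person should read.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# The report from post #5, embedded verbatim so the script runs offline.
SAMPLE_REPORT = r"""
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/18 19:16
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAAD24000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A7A000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9F7E000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\roger kennedy\local settings\temp\~dfb5cd.tmp
Status: Allocation size mismatch (API: 131072, Raw: 16384)

==EOF==
"""

# Assumption: crash-dump driver copies (dump_*) and the scanner's own driver are
# memory-loaded, so "File Visible: No" is their normal state.
EXPECTED_DRIVERS = re.compile(r"^(dump_.*|rootrepeal\.sys)$", re.IGNORECASE)
# Assumption: the hibernation and paging files are held open by the kernel.
EXPECTED_LOCKED = re.compile(r"^[a-z]:\\(hiberfil|pagefile)\.sys$", re.IGNORECASE)
# Field labels RootRepeal uses; several can share one line ("Address: ... Size: ...").
FIELD_RE = re.compile(
    r"(?:^|\s)(Name|Image Path|Address|Size|File Visible|Signed|Status|Path):\s*")


@dataclass
class Finding:
    section: str
    name: str
    detail: str
    verdict: str  # "expected" or "review"


def parse_sections(report: str) -> dict[str, list[dict[str, str]]]:
    """Split the report into {section: [entry, ...]}; an entry maps label -> value."""
    sections: dict[str, list[dict[str, str]]] = {}
    current: str | None = None
    entry: dict[str, str] = {}
    lines = report.splitlines()
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.strip() and nxt.startswith("---"):  # section title above a dashed rule
            current = line.strip()
            sections[current] = []
            continue
        if current is None or line.startswith("---"):
            continue
        if not line.strip() or line.strip() == "==EOF==":  # blank line ends an entry
            if entry:
                sections[current].append(entry)
                entry = {}
            continue
        parts = FIELD_RE.split(line)  # ['', label, value, label, value, ...]
        for label, value in zip(parts[1::2], parts[2::2]):
            entry[label] = value.strip()
    if current and entry:
        sections[current].append(entry)
    return sections


def triage(report: str) -> list[Finding]:
    """Label every driver and hidden/locked file as expected or needing review."""
    sections = parse_sections(report)
    findings: list[Finding] = []
    for drv in sections.get("Drivers", []):
        name = drv.get("Name", "?")
        hidden = drv.get("File Visible", "").lower() == "no"
        signed = drv.get("Signed", "").lower() == "yes"
        detail = f"visible={not hidden} signed={signed} path={drv.get('Image Path', '?')}"
        if EXPECTED_DRIVERS.match(name):
            verdict = "expected"
        elif hidden or not signed:
            verdict = "review"  # hidden or unverified driver outside the allow-list
        else:
            verdict = "expected"
        findings.append(Finding("Drivers", name, detail, verdict))
    for f in sections.get("Hidden/Locked Files", []):
        path, status = f.get("Path", "?"), f.get("Status", "")
        ok = status.startswith("Locked to the Windows API") and EXPECTED_LOCKED.match(path)
        # An allocation-size mismatch is a hiding pattern but is also seen on files
        # that are being written, so it is marked for review, not judged.
        findings.append(Finding("Hidden/Locked Files", path, status,
                                "expected" if ok else "review"))
    return findings


def needs_review(report: str) -> list[Finding]:
    """Only the entries a person should look at."""
    return [f for f in triage(report) if f.verdict == "review"]


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.verdict:8}] {f.section}: {f.name}  ({f.detail})")
```

Run it against any saved RootRepeal.txt by replacing `SAMPLE_REPORT` with the file's contents; on the log from #5 it reports the three drivers and hiberfil.sys as expected and leaves only the temp file for review, which is what a person triaging this log would want to look at before deciding anything.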

#6 rigel (FD-BC; Members, 12,944 posts; Gender: Male; Location: South Carolina - USA)

Posted 19 November 2009 - 07:30 AM

That looks clean...

Let's try an on-line scan
Please perform a scan with Eset Onlinescan (NOD32).
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.
Vista users: be sure to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)
  • You will see the Terms of Use. Tick the check-box in front of YES, I accept the Terms of Use.
  • Now click Start.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX Component.
  • A new window will appear asking "Do you want to install this software?" (OnlineScanner.cab).
  • Answer Yes to install and download the ActiveX control that allows the scan to run.
  • Click Start. (The Onlinescanner will now prepare itself for running on your PC.)
  • To do a full scan, check "Remove found threats" and "Scan potentially unwanted applications".
  • Press Scan to start the online scan. (This could take some time to complete.)
  • When the scan has finished, it will show a screen with two tabs, "overview" and "details", and the option to get information or buy software. Just close the window.
  • Now click Start > Run... > type: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad.
  • Copy and paste the log results in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.



#7 nmidura (Topic Starter; Members, 8 posts)

Posted 19 November 2009 - 08:21 AM

Can't get online with laptop at work... network access for outside laptops not allowed. I did run a full AVG scan last night. 1 instance of adware in an Online Services folder (People PC). Removed just fine.

Do you like Nod32 better than AVG? I have NOD on my desktop at home, but AVG on my own laptop...

#8 nmidura (Topic Starter; Members, 8 posts)

Posted 19 November 2009 - 08:22 AM

Also, just a thought...

This laptop is "brand new" for her. Nothing worth saving on it. Should I just reinstall the OS? Since she has nothing, would it save a lot of heartache and time?

#9 rigel (FD-BC; Members, 12,944 posts; Gender: Male; Location: South Carolina - USA)

Posted 19 November 2009 - 03:54 PM

I like NOD32 and have used it in the past.

I would say a reload would be the best solution. That way you are sure everything is clean and fresh.



#10 nmidura (Topic Starter; Members, 8 posts)

Posted 20 November 2009 - 10:31 AM

Reload completed. Thanks so much!

#11 rigel (FD-BC; Members, 12,944 posts; Gender: Male; Location: South Carolina - USA)

Posted 20 November 2009 - 07:44 PM

You are very welcome. Safe surfing....
