Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Generic Host Process for Win32 problems


  • Please log in to reply
4 replies to this topic

#1 graydj

graydj

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:09:19 AM

Posted 20 January 2010 - 01:53 PM

Now I know for sure that there is a worm or rootkit or Alcureon or Vundo (all of the above apeared as notices from Avast! and AVG) and I'm waiting to fix it, but they must have gotten deeper because the CPU is repeatedly restarting from the "DCOM Server process launcher services terminated unexpectedly" and the Data Execution Prevention. This thing is getting worse by the day and I need to know how to stop it.

BC AdBot (Login to Remove)

 


#2 whiteac2k4

whiteac2k4

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:19 AM

Posted 20 January 2010 - 02:23 PM

What scans have you done?
What anitvirus/malware software have you installed and ran?
DO you have avast and avg installed on this machine?

Quietman7 has addressed this issue with a fix on another forum posting. Please follow his directions from this link http://www.theeldergeek.com/forum/index.php?showtopic=24936

#3 graydj

graydj
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:09:19 AM

Posted 20 January 2010 - 02:56 PM

I've done high sensitivity scans with the installed Avast! and AVG free but I haven't done the other installed scans like the GMER or Malwarebytes or RootRepeal that are also downloaded because I'm afraid it might shut down in the middle of the process. I read your other post that addresses it but it didn't look like it was ever solved.... just worked around. I'd prefer it squashed.
Thanks

#4 graydj

graydj
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:09:19 AM

Posted 21 January 2010 - 08:53 AM

Here are is a HijackThis Log and following, a RootRepeal log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:58 AM, on 1/21/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photo...ol/MSNPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DN1.LOCAL
O17 - HKLM\Software\..\Telephony: DomainName = DN1.LOCAL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DN1.LOCAL
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DN1.LOCAL
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = DN1.LOCAL
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = DN1.LOCAL
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7014 bytes

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/20 14:59
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAA545000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\Prefetch\ROOTREPEAL.EXE-307CCA25.pf
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\admin3\Local Settings\Temporary Internet Files\Content.IE5\89ABCDEF\img-resized[1].png
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\admin3\Local Settings\Temporary Internet Files\Content.IE5\EVP5IXM5\index[1].php
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\admin3\Local Settings\Temporary Internet Files\Content.IE5\EVP5IXM5\index[3].htm
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\admin3\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\av-38160[1].jpg
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\admin3\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\smile[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\admin3\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\tongue[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\admin3\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\t_reply[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\admin3\Local Settings\Temporary Internet Files\Content.IE5\LM20JB3Y\index[1].php
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\admin3\Local Settings\Temporary Internet Files\Content.IE5\LM20JB3Y\av-708[1].jpg
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\admin3\Local Settings\Temporary Internet Files\Content.IE5\LM20JB3Y\wink[1].gif
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xab8df6b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xab8df574

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xab8dfa52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xab8df14c

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xab8df64e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xab8df08c

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xab8df0f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xab8df76e

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xab8df72e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xab8df8ae

==EOF==

#5 whiteac2k4

whiteac2k4

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:19 AM

Posted 25 January 2010 - 02:22 PM

I am not allowed to advice on any registry or system file deletions. However if you run Malwarebytes im sure it will help clear it up. I would ditch AVG free its garbage.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users