WIN32 generic host and can't access MS update


This topic is locked
6 replies to this topic

#1 Hank Knowles

Posted 20 October 2010 - 10:32 AM

Greetings, and I hope you can help me resolve issues with a relative's computer. Dell Inspiron 9300 - She is getting the win32 generic host errors - also the MS update function throws a cannot access webpage screen. I used to have Internet Security by PC-cillin - then changed to MS Security Essentials - ran MalwareBytes 2 times, XoftSpySE 2 times, the SUPERAntiSpyware free edition.. still the errors continue. I was getting survey page hijacks but I think I resolved it by updating Java. At this point my toolbag is empty! :-(

Here are the DDS log contents

DDS (Ver_10-10-10.03) - NTFSx86
Run by Peggy at 10:39:22.98 on Wed 10/20/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.401 [GMT -4:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.drudgereport.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell/en/side.html
uSearch Bar = hxxp://www.google.com/hws/sb/dell/en/side.html
mSearchAssistant = hxxp://www.google.com/hws/sb/dell/en/side.html
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-9 136176]
S3 XoftSpyService;XoftSpyService;c:\program files\common files\xoftspyse\6\xoftspyservice.exe [2010-9-29 582424]

=============== Created Last 30 ================

2010-10-20 12:47:07 -------- d-----w- c:\docume~1\peggy\applic~1\SUPERAntiSpyware.com
2010-10-20 12:47:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-10-20 12:46:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-20 12:44:11 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-20 12:44:11 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-19 16:50:28 -------- d-----w- c:\windows\Downloaded Program Files
2010-10-19 15:35:46 -------- d-----w- c:\docume~1\peggy\applic~1\Malwarebytes
2010-10-19 15:35:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-19 15:35:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-19 15:35:34 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-19 15:35:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-19 13:54:25 -------- d-----w- C:\suspicious_files_from_user
2010-10-19 13:12:09 -------- d-----w- c:\program files\common files\XoftSpySE
2010-10-19 13:12:09 -------- d-----w- c:\docume~1\alluse~1\applic~1\XoftSpySE
2010-10-19 13:12:04 -------- d-----w- c:\program files\XoftSpySE6
2010-10-19 12:18:20 -------- d-----w- c:\docume~1\peggy\applic~1\DriverCure
2010-10-19 12:18:19 -------- d-----w- c:\docume~1\peggy\applic~1\ParetoLogic
2010-10-19 12:18:08 -------- d-----w- c:\program files\common files\ParetoLogic
2010-10-19 12:18:03 -------- d-----w- c:\program files\ParetoLogic
2010-10-19 12:18:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2010-10-18 20:08:30 -------- d-----w- c:\docume~1\peggy\applic~1\ElevatedDiagnostics
2010-10-18 18:27:59 9728 ------w- c:\windows\system32\rwnh.dll
2010-10-18 18:27:59 10752 ------w- c:\windows\system32\smtpapi.dll
2010-10-18 18:27:57 81920 ------w- c:\windows\system32\ieencode.dll
2010-10-18 18:27:57 1327320 ------w- c:\program files\msn\msncorefiles\install\msnsusii.exe
2010-10-18 18:27:56 884712 ------w- c:\program files\msn\msncorefiles\install\msn9components\digcore.exe
2010-10-18 18:27:53 11053008 ------w- c:\program files\msn\msncorefiles\install\msn9components\msncli.exe
2010-10-18 18:27:51 229376 ------w- c:\program files\msn\msncorefiles\oobe\obelog.dll
2010-10-18 18:27:50 966656 ------w- c:\program files\msn\msncorefiles\oobe\obemetal.dll
2010-10-18 18:27:50 86016 ------w- c:\program files\msn\msncorefiles\oobe\obepopc.dll
2010-10-18 18:27:50 77824 ------w- c:\program files\msn\msncorefiles\oobe\obemtllc.dll
2010-10-18 18:27:13 19569 ----a-w- c:\windows\000001_.tmp
2010-10-18 18:15:10 -------- d-----w- C:\8c21c67b621f1059f6c6761503
2010-10-18 17:49:06 -------- d-----w- C:\8b1ce74bfba40304c373ea52
2010-10-18 17:47:59 65032 ----a-w- c:\windows\system32\XAPOFX1_0.dll
2010-10-18 17:45:22 -------- d--h--w- c:\windows\msdownld.tmp
2010-10-18 17:45:02 -------- d-----w- c:\windows\Logs
2010-10-18 16:02:13 6084944 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{220d81da-0021-4e4c-89e0-f001cfa9828d}\mpengine.dll
2010-10-18 15:53:17 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-10-18 15:45:50 -------- d-----w- C:\011b28915347fe7552ea
2010-10-18 15:13:45 -------- d-----w- c:\windows\system32\CatRoot2
2010-10-18 14:16:17 28288 ----a-w- c:\windows\system32\dllcache\grserial.sys
2010-10-18 14:16:14 82304 ----a-w- c:\windows\system32\dllcache\grclass.sys
2010-10-18 14:16:12 17408 ----a-w- c:\windows\system32\dllcache\gpr400.sys
2010-10-18 14:16:05 59136 ----a-w- c:\windows\system32\dllcache\gckernel.sys
2010-10-18 14:16:04 10624 ----a-w- c:\windows\system32\dllcache\gameenum.sys
2010-10-18 14:16:02 322432 ----a-w- c:\windows\system32\dllcache\g400m.sys
2010-10-18 14:14:59 57856 ----a-w- c:\windows\system32\dllcache\esuimgd.dll
2010-10-18 14:13:59 69692 ----a-w- c:\windows\system32\dllcache\el575nd5.sys
2010-10-18 14:12:59 419357 ----a-w- c:\windows\system32\dllcache\dgconfig.dll
2010-10-18 14:11:56 39936 ----a-w- c:\windows\system32\dllcache\cnxt1803.sys
2010-10-18 14:10:30 13824 ----a-w- c:\windows\system32\dllcache\bulltlp3.sys
2010-10-18 14:09:59 37568 ----a-w- c:\windows\system32\dllcache\avmwan.sys
2010-10-18 14:08:48 7168 ----a-w- c:\windows\system32\dllcache\wamregps.dll
2010-10-18 14:08:37 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-10-18 14:08:24 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe
2010-10-18 14:08:24 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll
2010-10-18 14:08:23 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll
2010-10-18 14:08:22 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll
2010-10-18 14:08:22 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe
2010-10-18 14:08:21 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2010-10-16 20:34:25 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-10-16 20:34:25 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-14 10:44:02 0 ----a-w- c:\windows\system32\lspA8.tmp
2010-10-09 14:56:58 -------- d-----w- c:\docume~1\peggy\locals~1\applic~1\Mozilla
2010-10-09 14:52:26 -------- d-----w- c:\program files\Mozilla Firefox(2)
2010-09-23 06:29:32 -------- d-----w- c:\windows\system32\Service

==================== Find3M ====================

2010-09-16 21:59:35 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-09-16 21:59:34 56 --sh--r- c:\windows\system32\A343378237.sys
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 10:41:25.82 ===============

And as you can see I type lousy!


Edited by hamluis, 20 October 2010 - 02:51 PM.
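The DDS file listings above ("Created Last 30" and "Find3M") share one line shape: date, time, a byte size (or a run of dashes for a directory), an eight-character attribute field, and the path. The Python below is an added example written for this thread; it is not part of the DDS tool or of the original posts. It parses those lines into records and lists the files under system32 that carry both the system and hidden attribute letters, so a responder can look them up (publisher, signer, hash) rather than scan the raw text by eye. The sample input is copied from the log posted above; the reading of the attribute letters (d, s, h, a, r) is my assumption about the field, not documented DDS behaviour, and an entry being listed is a prompt to check it, not a verdict that it is malicious.

```python
"""Parse DDS 'Created Last 30' / 'Find3M' file entries and list attribute
combinations worth a closer look.  Added example, not part of DDS itself."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample: lines copied from the DDS log posted in this thread,
# with the surrounding section header and FINISH marker kept to show that
# the parser skips them.
SAMPLE_LOG = """\
==================== Find3M ====================

2010-09-16 21:59:35 3766 --sha-w- c:\\windows\\system32\\KGyGaAvL.sys
2010-09-16 21:59:34 56 --sh--r- c:\\windows\\system32\\A343378237.sys
2010-08-17 13:17:06 58880 ----a-w- c:\\windows\\system32\\spoolsv.exe
2010-10-18 17:45:22 -------- d--h--w- c:\\windows\\msdownld.tmp
2010-10-20 12:44:11 73728 ----a-w- c:\\windows\\system32\\javacpl.cpl

============= FINISH: 10:41:25.82 ===============
"""

# date  time  size-or-dashes  8-char attribute field  path
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)


@dataclass
class FileEntry:
    when: datetime
    size: Optional[int]  # None for directories (DDS prints dashes instead of a size)
    attrs: str           # raw attribute field, e.g. '--sha-w-'
    path: str            # lower-cased so comparisons are case-insensitive

    def has(self, flag: str) -> bool:
        # Assumption: each letter present in the field marks a set attribute
        # (d=directory, s=system, h=hidden, a=archive, r=read-only) and '-' an
        # unset one.  This is a reading of the DDS output, not its documentation.
        return flag in self.attrs


def parse_dds_entries(text: str) -> List[FileEntry]:
    """Turn every file-listing line in a DDS log into a FileEntry.

    Section headers, blank lines and the FINISH marker do not match the
    pattern and are skipped.
    """
    entries: List[FileEntry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        when = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        entries.append(FileEntry(when, size, m["attrs"], m["path"].lower()))
    return entries


def review_candidates(entries: List[FileEntry]) -> List[FileEntry]:
    """Files (not directories) under system32 marked both system and hidden.

    Legitimate software does use this combination, so the result is a
    short list to look up, not a detection.
    """
    return [
        e for e in entries
        if not e.has("d") and e.has("s") and e.has("h") and "\\system32\\" in e.path
    ]


if __name__ == "__main__":
    for e in review_candidates(parse_dds_entries(SAMPLE_LOG)):
        print(f"{e.when:%Y-%m-%d %H:%M:%S}  {e.attrs}  {e.size:>8}  {e.path}")
```

Run against a full DDS log the same way: read the file, pass its text to `parse_dds_entries`, and extend `review_candidates` with whatever attribute or location rule the case calls for; the regex already tolerates the `-------- d-----w-` directory rows, so the whole file can be fed in without pre-filtering.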



#2 teacup61
  • Malware Response Team

Posted 20 October 2010 - 03:49 PM

Hello Hank Knowles,


Download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 Hank Knowles
  • Topic Starter

Posted 21 October 2010 - 09:18 AM

Hello Hank Knowles,


Download TDSSKiller.zip

  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Thanks,
tea

Hi Tea, here is the logfile.

Thanks. I ran the utility; it found 1 rootkit and I selected cure. Log attached.



#4 teacup61
  • Malware Response Team

Posted 21 October 2010 - 09:45 AM

Hello,

Excellent.....that rootkit wreaks havoc, doesn't it. <_< How is it running now please? It *should* be much better. Have a run with MBAM and let me know if it reports anything. Also, please see if you can get your MS updates now. :)

Thanks,
tea

#5 Hank Knowles
  • Topic Starter

Posted 21 October 2010 - 12:03 PM

Hello,

Excellent.....that rootkit wreaks havoc, doesn't it. <_< How is it running now please? It *should* be much better. Have a run with MBAM and let me know if it reports anything. Also, please see if you can get your MS updates now. :)

Thanks,
tea



Hi Tea:

Yes, it is a devilish bug, and after it cleared it out the MS update started working. Ran all the scans and all came back clean.
It's a shame that Internet Security from PC-Cillin allowed that on the PC. But all is well and I learned a bunch on this one.

Sad to say I was the Desktop specialist when I was employed by Big Blue. Been away from broken PCs for too long. Luckily the systems I support can't get infected!

Cheers thank you so much for your time and advice!

Regards,

Hank Knowles :clapping: :clapping: :clapping:

#6 teacup61
  • Malware Response Team

Posted 21 October 2010 - 12:16 PM

You're most welcome, Hank. :thumbup2:

tea

#7 teacup61
  • Malware Response Team

Posted 25 October 2010 - 04:22 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.