
Error: Generic Host Process For Win32

3 replies to this topic

#1 Generic Guest

  • Members
  • 6 posts

Posted 14 April 2007 - 09:35 PM

Hi,

Recently, I've been getting a message upon starting my computer that tells me of an error in Generic Host Process for Win32 Services. Data Execution Prevention has stopped some sort of action that apparently may or may not be malicious. The message usually pops up twice, and is followed by a system error which gives the following:

Error report -
EventType : BEX P1 : svchost.exe P2 : 0.0.0.0 P3 : 00000000
P4 : unknown P5 : 0.0.0.0 P6 : 00000000 P7 : 00000000
P8 : c0000005 P9 : 00000008

Error details -
C:\DOCUME~1\(my name)\LOCALS~1\Temp\WERb75f.dir00\svchost.exe.mdmp
C:\DOCUME~1\(my name)\LOCALS~1\Temp\WERb75f.dir00\appcompat.txt

The computer does not generally seem any slower than before, but I've noticed that Firefox will have errors more often, and the volume and volume controls are no longer working. I can't open iTunes either. The message I get when I click on volume control says there are "no active mixer devices available" and tells me to install one by going to Control Panel and clicking on Add Hardware, which of course only notices that I have no new hardware.

Leading up to this event, I had just been using a new wireless network that had been installed a while ago, which I used before with no problems, then I used my computer without internet connection somewhere else. Then I came home to my normal wireless, and this problem came up. The first time I got the error, I couldn't get an internet connection either (attempting to repair connection failed to renew the IP address). The internet works fine now, though. I hadn't downloaded anything the time I used the computer right before the error. What I suspect could be behind it is that I downloaded and installed Nokia PC Suite a few days before this happened. I recently uninstalled the main program for it (but I think there may be some drivers that came with it which still remain).

On the first restart after getting rid of Nokia PC Suite (and also uninstalling my HP printer that hadn't been working in forever - since I read somewhere that HP printers may be involved with this), my volume was working again and so was iTunes, but then later on, it stopped at some point. I haven't received the error message on every startup, only most of them.

I've run a registry fixer by Advanced System Optimizer's free trial, and the problem wasn't fixed. I also just ran HouseCall and Stinger. I have a system restore point not too long ago, so I could resort to that, but I'd rather not have to. Also, if this does happen to be a case of Windows terminating a real virus which could do more damage, I wouldn't know if the restore included that virus or not.

Basically, I'd like to know if there's a virus on my computer or if there is a conflict with software/hardware or drivers that is causing this error as a mistake. Either one, I would appreciate any help I can get in solving this.

My HijackThis log is attached (hijackthis.log).

Thanks in advance.


#2 Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,585 posts

Posted 20 April 2007 - 12:21 PM

Hi Generic Guest.

First I would like to ask that you post your log and not attach it, as it makes analysis easier for us. So I'm posting it here for you.

Logfile of HijackThis v1.99.1
Scan saved at 7:23:28 PM, on 4/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\bcmntray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ssstars.scr
C:\Documents and Settings\Ryan\Desktop\Crap\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\bcmntray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137427537421
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

However, this does not sound at all like a malware-related problem--at least not a normal one. The only thing I see that is a bit suspicious is a screensaver running. It should be legit, but if you would, check it out like this:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\WINDOWS\system32\ssstars.scr

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/flash/index_en.html

Be sure to update your AOL/Kaspersky antivirus program and run a full system scan--best results usually achieved in Safe Mode. Report back anything it finds along with a fresh HJT log and the jotti/VT results. If nothing is found it is most likely a hardware/driver problem or general Operating System problem.

To rule out malware I would also need to know if you are running a firewall. You have one service of Norton's running that may be a firewall but it is hard to tell with them. So can you confirm that you are running Norton's firewall or that you have attempted to uninstall all Norton?

The data you posted gives more info on the error report that was prepared to send to MS that doesn't give much info on the error itself. Did you report to MS? Those files listed in the Temp folder could be Dr. Watson debugging info that could be used to troubleshoot, so if you haven't deleted them already, save them somewhere as they may be needed later.

To get better info about the error, see what you have in your event viewer. See the following guide: http://www.bleepingcomputer.com/forums/t/40108/how-to-use-event-viewer/

Once you find the error, click on the icon underneath the up and down arrows to copy the error data to the clipboard and post it back here.

Quote:
    I've run a registry fixer by Advanced System Optimizer's free trial, and the problem wasn't fixed. I also just ran HouseCall and Stinger. I have a system restore point not too long ago, so I could resort to that, but I'd rather not have to. Also, if this does happen to be a case of Windows terminating a real virus which could do more damage, I wouldn't know if the restore included that virus or not.

I would hold off on using any general registry repair and tweaker as they can often make the situation worse and/or harder to troubleshoot. I can understand your reluctance to use System Restore, but if nothing malware shows in your next post, it would probably be the first thing I would try. Even if the restored state is infected, we can clean that up.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson
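The triage Papakid performs on the log above (nothing obviously malicious, one running screensaver worth a second look) can be made repeatable. The following is an added example, not code from the thread or from the HijackThis project: a small parser for the HijackThis v1.99 log format plus a few review heuristics. The excerpt it parses is constructed from lines of the log posted above; the heuristics (orphaned "(file missing)" entries, "Unknown owner" services, Run entries without a full path, Winlogon Notify DLLs, and a screensaver among the running processes) are my own review prompts, not verdicts. In this thread every flagged item turned out to be legitimate, which is exactly why such output should only prioritise what a human checks next.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in HijackThis v1.99 format, taken from the log posted
# in this thread. Real logs are much longer; the parser does not care.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ssstars.scr

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HJT finding line looks like "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")


@dataclass
class HjtLog:
    processes: list = field(default_factory=list)   # paths under "Running processes:"
    entries: list = field(default_factory=list)     # (section code, detail) tuples


def parse_hjt(text: str) -> HjtLog:
    """Split a HijackThis log into its running-process list and coded entries."""
    log = HjtLog()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            log.entries.append((m.group(1), m.group(2)))
        elif in_procs:
            log.processes.append(line)
    return log


def triage(log: HjtLog) -> list:
    """Return (reason, code, detail) tuples for items a reviewer should check.

    These are heuristics chosen for this example (assumption), not HijackThis's
    own logic; a hit means "look at this next", not "this is malware".
    """
    findings = []
    for code, detail in log.entries:
        if "(file missing)" in detail:
            # Orphaned autostart/service pointing at a file that no longer exists.
            findings.append(("orphaned", code, detail))
        if code == "O23" and "Unknown owner" in detail:
            # Service binary carries no company/publisher information.
            findings.append(("unknown-owner-service", code, detail))
        if code == "O4" and not re.search(r"[A-Za-z]:\\", detail):
            # Run entry with a bare file name: resolved via PATH search, so
            # the file that actually runs should be located and checked.
            findings.append(("no-full-path", code, detail))
        if code == "O20":
            # Winlogon Notify DLLs load into winlogon.exe; always worth confirming.
            findings.append(("winlogon-notify", code, detail))
    for proc in log.processes:
        if proc.lower().endswith(".scr"):
            # A screensaver is a plain executable; running ones get a file scan.
            findings.append(("screensaver-process", "proc", proc))
    return findings


if __name__ == "__main__":
    for reason, code, detail in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{reason:22s} {code:5s} {detail}")
```

Run it and the output is the same short review list Papakid arrived at by eye: the screensaver to submit for a scan, plus the AVP service entry whose file is reported missing, which lines up with the antivirus uninstall trouble described later in the thread.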


#3 Generic Guest
  • Topic Starter

  • Members
  • 6 posts

Posted 10 May 2007 - 03:58 PM

OK, I had decided that it would probably be easier to just do the system restore and not worry about technically fixing the problem, but now I realize my system restore isn't working.

I posted the system restore problem in another thread, but they told me that I shouldn't make any changes until the HJT situation is resolved. I would still rather do a system restore than jump into the process of fixing everything by going through files and error reports, so if I can have clearance to get my system restore working (assuming it's safe and easier to fix that), then that still looks like the best option to me. Here's what I posted in the other thread, relating to my SR problem:

"every time I pick a restore point (I've picked many different options, from manually made points to system checkpoints), I get this message:

"Your computer cannot be restored to:
[date and restore time I chose]
No changes have been made to your computer."

I get this message after XP logs off, then a system restore progress bar completes and the computer restarts. I then log in again, but then get the above message.

I doubt this is related to my original problem, and from what I've looked into online, it could have something to do with anti-virus software. I uninstalled all my Norton programs, except for some security update program that would not uninstall. Then I tried uninstalling my AOL Active Virus Shield, but of course you can't do that till you turn it off, which is seemingly not an option (I have shut down its activity for now).

From other troubleshooting I've looked into on System Restore, it seems that playing with some .inf files or other tactics fixes SR problems, but results in a loss of all current restore points. Obviously, my ideal situation is to keep those, so I can restore to a point of about a month and a half ago."

I did go ahead and run the Jotti scans, which gave this:

Service
Service load:
File: ssstars.scr
Status: OK
MD5 b7d61243ab22f27d059030499ec791f5
Packers detected: -


AntiVir - Found nothing
ArcaVir- Found nothing
Avast- Found nothing
AVG Antivirus- Found nothing
BitDefender- Found nothing
ClamAV- Found nothing
Dr.Web- Found nothing
F-Prot Antivirus- Found nothing
F-Secure Anti-Virus- Found nothing
Fortinet- Found nothing
Kaspersky Anti-Virus- Found nothing
NOD32- Found nothing
Norman Virus Control- Found nothing
Panda Antivirus- Found nothing
Rising Antivirus -Found nothing
VirusBuster- Found nothing
VBA32 -Found nothing

So the screen saver file appears to be harmless. I can post the error details from Event Viewer if that's necessary, but right now I'd mainly like to know if I could skip all that and proceed with the system restore. If not, then we can continue with the technical solution. Thanks, and sorry for the delayed response.

#4 Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,585 posts

Posted 10 May 2007 - 05:58 PM

Well, to be perfectly blunt, you are most likely SOL when it comes to System Restore. The best way to fix Restore problems is to purge your Restore Points, as you've no doubt researched and found out. And that will delete all your Restore Points, which is not what you want. It's a catch-22. The reason that works to get SR back is because at some point one of your RPs got corrupted and that subsequently corrupted all the RPs made after it--your oldest RPs get deleted after so long so that their storage space doesn't take up too much of your hard drive, so it sounds like all of yours are corrupted.

It's been my experience that it is best to use SR only a day or two after experiencing a problem that you aren't having much luck solving.

It is still possible there is another reason for SR failure, but I'm not optimistic. Norton can block SR, but needs to be installed to resolve the problem. I might have been able to tell you that earlier if you had answered my question about what you had installed. Norton can screw things up when installed and even more so when uninstalled, which is why they have a removal tool. I appreciate that you are frustrated and want to figure this out on your own, but I need for you to give me the feedback I ask for and wait for my input before you try some things. I'll try to only ask you to do things that need to be done in a certain way and in order.

We can work on your antivirus situation as a solution to the SR problem, but I need to gather some information first.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your next reply. If you have any problems with the logs, both can be found in C:\Deckard\System Scanner.
Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

This should give me some information on the state of your system, including some malware that may be hidden from HijackThis. It still doesn't show all possible malware, but a lot of the info can be used to troubleshoot nonmalware problems.

Another reason your other thread was closed is because it is standard procedure to assume your HJT thread is posted to clean up or rule out malware. If this log is clear of malware I will still need to see another few logs to be sure that malware can be ruled out. And I can help you with your security product and SR, if possible, because I know something about those. If and when malware is ruled out, I'll send you back to the XP forum and reopen your thread so you can get some help with your main problem, which I don't know that much about. I will include a link to this thread with the information in these logs that could be helpful in troubleshooting your main problem.

Helping to further determine whether malware can be ruled out is why I asked for your error information in Event Viewer. You can post those if you like, but let's concentrate on the info in the logs I asked for first.
