Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

help with Generic Host Process for Win32 error

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

help with Generic Host Process for Win32 error

Unread postby korrin1982 » February 7th, 2011, 1:52 pm

I receive this error when starting my computer:
szAppName : svchost.exe szAppVer : 5.1.2600.5512 szModName : unknown
szModVer : 0.0.0.0 offset : 001a624b

hijackthis log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:51:09 AM, on 2/7/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\AVG\AVG9\avgscanx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tmq.bingstart.com/?cfg=2-168-0-1cJpM
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O3 - Toolbar: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2679B5A3-C1F9-40DE-9039-25FEAC6BA73D}: NameServer = 93.188.162.71,93.188.161.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2807A24-381C-4570-A682-356D32A81617}: NameServer = 93.188.162.71,93.188.161.4
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.71,93.188.161.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{2679B5A3-C1F9-40DE-9039-25FEAC6BA73D}: NameServer = 93.188.162.71,93.188.161.4
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.162.71,93.188.161.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{2679B5A3-C1F9-40DE-9039-25FEAC6BA73D}: NameServer = 93.188.162.71,93.188.161.4
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.71,93.188.161.4
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5042 bytes


uninstall log:
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
AMDAway INF
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVG Free 9.0
Bonjour
Conexant D850 PCI V.92 Modem
Dawn of War - Soulstorm
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB938759)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
iTunes
LoudMo Contextual Ad Assistant
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.6.13)
NETGEAR WG111v3 wireless USB 2.0 adapter
NVIDIA Drivers
NVIDIA nView Desktop Manager
NVIDIA PhysX
QuickTime
Realtek High Definition Audio Driver
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2183461)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
StarCraft II
Stardock MyColors
Stardock MyColors
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB980182)

please help. sound is also gone
korrin1982
Active Member
 
Posts: 11
Joined: February 7th, 2011, 1:46 pm
Advertisement
Register to Remove

Re: help with Generic Host Process for Win32 error

Unread postby askey127 » February 9th, 2011, 7:59 am

Hi korrin1982,
Please don't install, remove or scan with anything unless I ask, until we are through cleaning your machine.
These directions should work. Do each step before proceeding to the next.
I would print this out first, to be sure you are doing everything in the correct sequence. Don't Guess.

Did you set up this proxy?
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

We are going to remove your AVG antivirus and replace it with an antivirus called Avira Antivir.
This is necessary to for all our tools to work corrrectly. That particular AVG is out of date anyway.
Then we will have Antivir run a scan and give us a report without removing anything.
-----------------------------------------------------------
Remove Registry items with HijackThis. Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)
O3 - Toolbar: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{2679B5A3-C1F9-40DE-9039-25FEAC6BA73D}: NameServer = 93.188.162.71,93.188.161.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2807A24-381C-4570-A682-356D32A81617}: NameServer = 93.188.162.71,93.188.161.4
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.71,93.188.161.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{2679B5A3-C1F9-40DE-9039-25FEAC6BA73D}: NameServer = 93.188.162.71,93.188.161.4
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.162.71,93.188.161.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{2679B5A3-C1F9-40DE-9039-25FEAC6BA73D}: NameServer = 93.188.162.71,93.188.161.4
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.71,93.188.161.4

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked
Click the "X" in the upper right corner of the HiJackThis window to close it.
-----------------------------------------------------------
REBOOT (RESTART) Your Machine
-----------------------------------------------
Download Antivir Free
This program is free for personal, non-business use.
Download AntiVir Free from here : http://www.softpedia.com/get/Antivirus/AntiVir-Personal-Edition.shtml
Click the Download button. Then when the "Download Locations" page comes up, choose the first External Mirror (exe)
Save the Installer to your desktop, but don't run it yet. The installer file will be named avira_antivir_personal_en.exe
Double check to be sure you know where to find it.
------------------------------------------------
Remove AVG Antivirus Using the Control Panel
From Start, Control Panel, click on Uninstall a program under the Programs heading.
Right click this Entry, choose Uninstall/Change, and give permission to Continue:

AVG Free 9.0

Take extra care in answering questions posed by any Uninstaller.
-----------------------------------------------
Install Antivir
Double click the Avira Antivir Installer you saved on your desktop, and let it Install Antivir.
-----------------------------------------------
Update and Scan with Antivir
Right click the red umbrella icon and choose Start Antivir.
When the window comes up click Start Update.
When the update is complete, click on Scan System Now.
This full scan could take a hour or more.
It will ask what to do with any items it finds.
IMPORTANT >> For Now, tell it to IGNORE any items it finds. Do not choose Quarantine or Delete.
-----------------------------------------------
Get Last Avira Report
Right click the red umbrella icon in the system tray and click Start Antivir
In the left pane, click Overview, then click Reports
There wil be reports titled Update and reports titled Scan. Find the most recent report in the list titled Scan
Click on the Report File button, or Right click the report and choose Display Report.
The report contents will come up in Notepad. Highlight the entire report (Ctrl+A) and copy to the clipboard (Ctrl+C).
Paste the contents (Ctrl+V) into your next reply.

So we will be looking for the log from Antivir, and anything you can tell me about the proxy server.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: help with Generic Host Process for Win32 error

Unread postby korrin1982 » February 9th, 2011, 2:09 pm

Avira AntiVir Personal
Report file date: Wednesday, February 09, 2011 11:38

Scanning for 2389845 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : DELLINSPIRON

Version information:
BUILD.DAT : 10.0.0.609 31824 Bytes 12/13/2010 09:43:00
AVSCAN.EXE : 10.0.3.5 435368 Bytes 12/13/2010 14:39:56
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 18:57:04
LUKE.DLL : 10.0.3.2 104296 Bytes 12/13/2010 14:40:06
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 05:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 15:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 17:26:46
VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 17:27:14
VBASE003.VDF : 7.11.3.1 2048 Bytes 2/9/2011 17:27:15
VBASE004.VDF : 7.11.3.2 2048 Bytes 2/9/2011 17:27:15
VBASE005.VDF : 7.11.3.3 2048 Bytes 2/9/2011 17:27:15
VBASE006.VDF : 7.11.3.4 2048 Bytes 2/9/2011 17:27:16
VBASE007.VDF : 7.11.3.5 2048 Bytes 2/9/2011 17:27:16
VBASE008.VDF : 7.11.3.6 2048 Bytes 2/9/2011 17:27:16
VBASE009.VDF : 7.11.3.7 2048 Bytes 2/9/2011 17:27:16
VBASE010.VDF : 7.11.3.8 2048 Bytes 2/9/2011 17:27:16
VBASE011.VDF : 7.11.3.9 2048 Bytes 2/9/2011 17:27:16
VBASE012.VDF : 7.11.3.10 2048 Bytes 2/9/2011 17:27:17
VBASE013.VDF : 7.11.3.11 2048 Bytes 2/9/2011 17:27:17
VBASE014.VDF : 7.11.3.12 2048 Bytes 2/9/2011 17:27:17
VBASE015.VDF : 7.11.3.13 2048 Bytes 2/9/2011 17:27:17
VBASE016.VDF : 7.11.3.14 2048 Bytes 2/9/2011 17:27:17
VBASE017.VDF : 7.11.3.15 2048 Bytes 2/9/2011 17:27:18
VBASE018.VDF : 7.11.3.16 2048 Bytes 2/9/2011 17:27:18
VBASE019.VDF : 7.11.3.17 2048 Bytes 2/9/2011 17:27:19
VBASE020.VDF : 7.11.3.18 2048 Bytes 2/9/2011 17:27:19
VBASE021.VDF : 7.11.3.19 2048 Bytes 2/9/2011 17:27:19
VBASE022.VDF : 7.11.3.20 2048 Bytes 2/9/2011 17:27:19
VBASE023.VDF : 7.11.3.21 2048 Bytes 2/9/2011 17:27:19
VBASE024.VDF : 7.11.3.22 2048 Bytes 2/9/2011 17:27:20
VBASE025.VDF : 7.11.3.23 2048 Bytes 2/9/2011 17:27:20
VBASE026.VDF : 7.11.3.24 2048 Bytes 2/9/2011 17:27:20
VBASE027.VDF : 7.11.3.25 2048 Bytes 2/9/2011 17:27:20
VBASE028.VDF : 7.11.3.26 2048 Bytes 2/9/2011 17:27:20
VBASE029.VDF : 7.11.3.27 2048 Bytes 2/9/2011 17:27:20
VBASE030.VDF : 7.11.3.28 2048 Bytes 2/9/2011 17:27:21
VBASE031.VDF : 7.11.3.29 2048 Bytes 2/9/2011 17:27:21
Engineversion : 8.2.4.162
AEVDF.DLL : 8.1.2.1 106868 Bytes 12/13/2010 14:39:51
AESCRIPT.DLL : 8.1.3.53 1282427 Bytes 2/9/2011 17:28:07
AESCN.DLL : 8.1.7.2 127349 Bytes 12/13/2010 14:39:50
AESBX.DLL : 8.1.3.2 254324 Bytes 12/13/2010 14:39:50
AERDL.DLL : 8.1.9.2 635252 Bytes 12/13/2010 14:39:50
AEPACK.DLL : 8.2.4.9 512374 Bytes 2/9/2011 17:28:01
AEOFFICE.DLL : 8.1.1.16 205179 Bytes 2/9/2011 17:27:57
AEHEUR.DLL : 8.1.2.73 3207541 Bytes 2/9/2011 17:27:56
AEHELP.DLL : 8.1.16.1 246134 Bytes 2/9/2011 17:27:35
AEGEN.DLL : 8.1.5.2 397683 Bytes 2/9/2011 17:27:33
AEEMU.DLL : 8.1.3.0 393589 Bytes 12/13/2010 14:39:42
AECORE.DLL : 8.1.19.2 196983 Bytes 2/9/2011 17:27:28
AEBB.DLL : 8.1.1.0 53618 Bytes 12/13/2010 14:39:41
AVWINLL.DLL : 10.0.0.0 19304 Bytes 12/13/2010 14:39:56
AVPREF.DLL : 10.0.0.0 44904 Bytes 12/13/2010 14:39:54
AVREP.DLL : 10.0.0.8 62209 Bytes 6/17/2010 20:27:13
AVREG.DLL : 10.0.3.2 53096 Bytes 12/13/2010 14:39:54
AVSCPLR.DLL : 10.0.3.2 84328 Bytes 12/13/2010 14:39:56
AVARKT.DLL : 10.0.22.6 231784 Bytes 12/13/2010 14:39:52
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 12/13/2010 14:39:53
SQLITE3.DLL : 3.6.19.0 355688 Bytes 6/17/2010 20:27:22
AVSMTP.DLL : 10.0.0.17 63848 Bytes 12/13/2010 14:39:56
NETNT.DLL : 10.0.0.0 11624 Bytes 6/17/2010 20:27:21
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 19:10:20
RCTEXT.DLL : 10.0.58.0 97128 Bytes 12/13/2010 14:40:20

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Wednesday, February 09, 2011 11:38

Starting search for hidden objects.
HKEY_USERS\S-1-5-21-1606980848-1123561945-682003330-1003\Software\SecuROM\License information\datasecu
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-1606980848-1123561945-682003330-1003\Software\SecuROM\License information\rkeysecu
[NOTE] The registry entry is invisible.
c:\program files\stardock\mycolors\wbload.exe
c:\program files\stardock\mycolors\wbload.exe
[NOTE] The process is not visible.

The scan of running processes will be started
Scan process 'msdtc.exe' - '42' Module(s) have been scanned
Scan process 'dllhost.exe' - '62' Module(s) have been scanned
Scan process 'dllhost.exe' - '47' Module(s) have been scanned
Scan process 'vssvc.exe' - '50' Module(s) have been scanned
Scan process 'avscan.exe' - '73' Module(s) have been scanned
Scan process 'avcenter.exe' - '68' Module(s) have been scanned
Scan process 'avgnt.exe' - '53' Module(s) have been scanned
Scan process 'sched.exe' - '54' Module(s) have been scanned
Scan process 'avshadow.exe' - '28' Module(s) have been scanned
Scan process 'avguard.exe' - '59' Module(s) have been scanned
Scan process 'firefox.exe' - '85' Module(s) have been scanned
Scan process 'iPodService.exe' - '32' Module(s) have been scanned
Scan process 'alg.exe' - '35' Module(s) have been scanned
Scan process 'WG111v3.exe' - '72' Module(s) have been scanned
Scan process 'ctfmon.exe' - '31' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '67' Module(s) have been scanned
Scan process 'RUNDLL32.EXE' - '35' Module(s) have been scanned
Scan process 'RTHDCPL.EXE' - '42' Module(s) have been scanned
Scan process 'Explorer.EXE' - '99' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '36' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '53' Module(s) have been scanned
Scan process 'svchost.exe' - '38' Module(s) have been scanned
Scan process 'spoolsv.exe' - '67' Module(s) have been scanned
Scan process 'svchost.exe' - '36' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'svchost.exe' - '41' Module(s) have been scanned
Scan process 'svchost.exe' - '53' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '40' Module(s) have been scanned
Scan process 'lsass.exe' - '60' Module(s) have been scanned
Scan process 'services.exe' - '42' Module(s) have been scanned
Scan process 'winlogon.exe' - '72' Module(s) have been scanned
Scan process 'csrss.exe' - '12' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '970' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\Documents and Settings\Sir Algood\My Documents\Downloads\freemovie.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
C:\Program Files\AV\Antivir.exe.tmp1
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan

Beginning disinfection:
C:\Program Files\AV\Antivir.exe.tmp1
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[WARNING] The file was ignored!
C:\Documents and Settings\Sir Algood\My Documents\Downloads\freemovie.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
[WARNING] The file was ignored!


End of the scan: Wednesday, February 09, 2011 12:05
Used time: 21:39 Minute(s)

The scan has been done completely.

17440 Scanned directories
119962 Files were scanned
2 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
119960 Files not concerned
1139 Archives were scanned
2 Warnings
0 Notes
281436 Objects were scanned with rootkit scan
3 Hidden objects were found

and i have no idea where that proxy server came from or even what a proxy server is. thanks for helping so far.
korrin1982
Active Member
 
Posts: 11
Joined: February 7th, 2011, 1:46 pm

Re: help with Generic Host Process for Win32 error

Unread postby askey127 » February 9th, 2011, 8:01 pm

korrin1982,
------------------------------------------------------------
Please download OTM and save to your Desktop.
  • Please double-click OTM.exe to run it. (Note: If you are running on Vista or Win7, right-click on the file and choose Run As Administrator).
  • Copy the lines from the codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do NOT copy the word "Code" :
Code: Select all
:processes
explorer.exe

:files
C:\Program Files\AV\Antivir.exe.tmp1
C:\Documents and Settings\Sir Algood\My Documents\Downloads\freemovie.exe

:commands
[purity]
[start explorer]
[emptytemp]
  • Return to OTM, right-click in the "Paste instructions for items to be moved" window (under the yellow bar) and choose Paste
  • Then click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it into your next Reply.
  • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot. Please copy and paste the contents in your reply.
  • Close OTM.
Note: the logs are saved in C:\_OTM\MovedFiles\ if you need to retrieve one.

------------------------------------------------------------
Run MalwareBytes' Anti-Malware
  • Start Malwarebytes' Anti-Malware.
  • Click on The Update tab. Choose Check for Updates.
  • If an update is found, it will download and install the latest version.
  • If necessary, start Malwarebytes Anti-Malware again.
  • Once the program is running, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • If it shows any malware items, Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
  • The log can also be found using the "Logs" tab in the program. You can click any log listed to open its contents.
  • Recent logs are named by time/date stamp in this format : mbam-log-2010-mm-dd(hour-min-sec).txt
.

So we are looking for thge OTM log, and the results from Malwarebytes Anti-malware.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: help with Generic Host Process for Win32 error

Unread postby korrin1982 » February 10th, 2011, 4:24 pm

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
C:\Program Files\AV\Antivir.exe.tmp1 moved successfully.
C:\Documents and Settings\Sir Algood\My Documents\Downloads\freemovie.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33237 bytes

User: Sir Algood
->Temp folder emptied: 141068251 bytes
->Temporary Internet Files folder emptied: 27576145 bytes
->FireFox cache emptied: 88762951 bytes
->Apple Safari cache emptied: 2237440 bytes
->Flash cache emptied: 293916 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2402044 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 359826803 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 94400576 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 60729434 bytes

Total Files Cleaned = 741.00 mb


OTM by OldTimer - Version 3.1.17.2 log created on 02102011_140738

Files moved on Reboot...

Registry entries deleted on Reboot...

i cant seem to get malwarebytes to work. uninstalled and reinstalled still no luck sorry reply took so long
korrin1982
Active Member
 
Posts: 11
Joined: February 7th, 2011, 1:46 pm

Re: help with Generic Host Process for Win32 error

Unread postby askey127 » February 10th, 2011, 8:11 pm

korrin:

Let's try again to get Malwarebytes to work.
Follow the previous Malwarebytes installation/scan routine from the beginning, except run this first:
------------------------------------------------
Download and Run Rkill
Please download and run the tool named Rkill, which may help in allowing other programs to run.
There are 4 different versions. If one of them won't run then download and try to run one of the other ones.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get ONE of these to run, not all of them. You may get warnings from your antivirus about any of these tools, ignore them or shutdown your antivirus.
Please download Rkill from one of the following links and save to your Desktop:
Rkill.exe
RKill.com
RKill.scr
Rkill.pif
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If ir does not, delete the desktop entry. Then download and use the one provided in the next link.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Please try the previous Malwarebytes routine and see if it runs.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: help with Generic Host Process for Win32 error

Unread postby korrin1982 » February 11th, 2011, 3:22 pm

ok tried to run first three. the black dos screen would popup saying preparing to run rkill but it would not do anything else. the forth one gave me a 404 error when trying to download. thank for helping
korrin1982
Active Member
 
Posts: 11
Joined: February 7th, 2011, 1:46 pm

Re: help with Generic Host Process for Win32 error

Unread postby askey127 » February 11th, 2011, 5:12 pm

korrin1982,
When Rkill flashes a black box and disappears, it means it ran OK.
Please use one of the first three, make it flash a black window.
Then see if you can run Malwarebytes:
------------------------------------------------------------
Run MalwareBytes' Anti-Malware
  • Start Malwarebytes' Anti-Malware.
  • Click on The Update tab. Choose Check for Updates.
  • If an update is found, it will download and install the latest version.
  • If necessary, start Malwarebytes Anti-Malware again.
  • Once the program is running, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • If it shows any malware items, Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
  • The log can also be found using the "Logs" tab in the program. You can click any log listed to open its contents.
  • Recent logs are named by time/date stamp in this format : mbam-log-2010-mm-dd(hour-min-sec).txt
.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: help with Generic Host Process for Win32 error

Unread postby korrin1982 » February 11th, 2011, 8:05 pm

the blackbox on rkill never disappered. it just stayed there
korrin1982
Active Member
 
Posts: 11
Joined: February 7th, 2011, 1:46 pm

Re: help with Generic Host Process for Win32 error

Unread postby askey127 » February 12th, 2011, 8:11 am

korrin1982,
Please try this and tell me if it behaves as it says.
------------------------------------------------
Download and Run A Special File
Please download the file from the following link HERE and save to your Desktop.
  • Double click on eXplorer.exe.
  • A command window will open, then should disappear upon completion, this is normal.
  • Please leave eXplorer on the Desktop until otherwise advised.
Note: If your security software warns about the file, please ignore and allow the download to continue.

If it appears to work as it is supposed to, please continue with the Malwarebytes instruction above.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: help with Generic Host Process for Win32 error

Unread postby korrin1982 » February 12th, 2011, 2:49 pm

ok that one ran but malwarebytes wont do anything cant get it to start
korrin1982
Active Member
 
Posts: 11
Joined: February 7th, 2011, 1:46 pm

Re: help with Generic Host Process for Win32 error

Unread postby askey127 » February 12th, 2011, 5:14 pm

korrin,
Since you were able to run eXplorer.exe, please do so, then:
-----------------------------------------------------------
Download and Run ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance.
ComboFix uses very forceful tactics to remove malware from your system. Your antivirus software may warn you about the file.
You will need to disable all your antivirus software after downloading but BEFORE running ComboFix.
.
  • Download ComboFix from here
  • Rename it while saving the download to zzz.exe and save it to your Desktop. Do not try to rename it after it has been saved to your desktop, or the infection may prevent you from using it.
    **Note: It is important that it is saved directly to your desktop and run from the desktop, not from any other folder on your computer**
  • DISABLE AVIRA ANTIVIR
    Please navigate to the system tray on the bottom right hand corner and look for an open umbrella on red background (looks like this:Image )
    • Right click it and untick any of the options AntiVir Guard enable, Antivir Webguard enable, and Antivir Mailguard enable, that are present.
    • You should now see a closed umbrella on a red background (looks like this: Image )
    The AntiVir Guards are now disabled.
  • Now start ComboFix (zzz.exe)
  • The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix will prompt you whether you would like to install it. (You would).
  • If it is not, make sure you are connected to the internet as ComboFix needs to download a file. When you are connected to the internet, click Yes and follow the prompts.
    When asked whether to continue scanning or to exit, click Yes to continue scanning (no need to disconnect from the internet as ComboFix breaks your internet connection for you).
  • It will run through about 50 procedures, then take a while to assemble its output log.
  • Do not touch the computer AT ALL while ComboFix is running.
  • When finished, the report will open. Post the log in your next reply, and then Reenable your Antivir protection software
A copy of the log will be located here if you need it-> C:\ComboFix.txt
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.

The Recovery Console produces a brief (2 second) black screen at bootup which allows an additional technical resource for repair in case of a major failure. In regular operation, you can ignore it.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: help with Generic Host Process for Win32 error

Unread postby korrin1982 » February 14th, 2011, 4:49 pm

ComboFix 11-02-13.04 - Sir Algood 02/14/2011 14:39:33.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1678 [GMT -6:00]
Running from: c:\documents and settings\Sir Algood\Desktop\zzz.exe
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Toolbar4
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

Infected copy of c:\windows\system32\drivers\ftdisk.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2011-01-14 to 2011-02-14 )))))))))))))))))))))))))))))))
.

2011-02-10 20:16 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-10 20:16 . 2011-02-10 20:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-10 20:16 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-10 20:07 . 2011-02-10 20:07 -------- d-----w- C:\_OTM
2011-02-09 17:38 . 2011-02-09 17:39 -------- d-----w- c:\windows\system32\NtmsData
2011-02-09 17:19 . 2011-02-09 17:19 -------- d-----w- c:\documents and settings\Sir Algood\Application Data\Avira
2011-02-09 17:17 . 2011-02-09 17:17 -------- d-----w- c:\program files\Avira
2011-02-09 17:17 . 2011-02-09 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-02-09 17:17 . 2010-12-13 14:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-02-09 17:17 . 2010-12-13 14:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-02-09 17:17 . 2010-06-17 20:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-02-09 17:17 . 2010-06-17 20:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-02-07 17:17 . 2011-02-07 17:17 388096 ----a-r- c:\documents and settings\Sir Algood\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-07 17:17 . 2011-02-07 17:17 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2008-04-13 23:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2008-04-13 23:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2008-04-13 23:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2008-04-13 23:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 22:15 . 2008-04-13 23:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 22:15 . 2008-04-13 23:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-12-20 17:26 . 2008-04-13 23:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-09 15:15 . 2008-04-13 23:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2008-04-13 23:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2008-04-13 23:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-11-29 23:38 . 2010-11-29 23:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 23:38 . 2010-11-29 23:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-19 22:43 . 2010-07-25 00:08 21840 -c--atw- c:\windows\system32\SIntfNT.dll
2010-11-19 22:43 . 2010-07-25 00:08 17212 -c--atw- c:\windows\system32\SIntf32.dll
2010-11-19 22:43 . 2010-07-25 00:08 12067 -c--atw- c:\windows\system32\SIntf16.dll
2010-11-18 18:12 . 2009-12-21 22:49 81920 ----a-w- c:\windows\system32\isign32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-09 16859648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2008-7-1 2326528]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2009-06-09 15:55 30000 ----a-w- c:\program files\Stardock\MyColors\fastload.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Sir Algood^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Sir Algood\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base16605\\SC2.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base16755\\SC2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2/9/2011 11:17 AM 135336]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 1:13 PM 38144]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [12/28/2007 3:02 PM 287232]
S0 cerc6;cerc6; [x]
.
Contents of the 'Scheduled Tasks' folder

2010-12-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://tmq.bingstart.com/?cfg=2-168-0-1cJpM
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
FF - ProfilePath - c:\documents and settings\Sir Algood\Application Data\Mozilla\Firefox\Profiles\m08yqys8.default\
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox ... S:official
FF - prefs.js: keyword.URL - hxxp://ws.infospace.com/coolchaser_game ... 60531&qkw=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 5555
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Gamers Unite! Snag Bar: {afe43e80-0abc-4df2-81a0-3fe44b74abe8} - %profile%\extensions\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}
FF - Ext: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - %profile%\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-nwiz - c:\program files\NVIDIA Corporation\nView\nwiz.exe
AddRemove-NVIDIA nView Desktop Manager - c:\program files\NVIDIA Corporation\nView\nViewSetup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-14 14:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1606980848-1123561945-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-1606980848-1123561945-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:3a,98,6b,00,69,e8,46,24,7b,43,21,c4,fa,58,7b,53,b0,16,c5,08,a7,
ac,a4,fc,68,f6,8c,b8,e6,c2,f1,28,84,5c,bb,81,ad,8a,29,7c,95,5f,45,b0,bf,37,\
"rkeysecu"=hex:0c,01,85,43,d9,94,1a,d5,71,29,87,48,26,17,d9,45
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(828)
c:\program files\Stardock\MyColors\fastload.dll
.
Completion time: 2011-02-14 14:45:05
ComboFix-quarantined-files.txt 2011-02-14 20:45

Pre-Run: 291,519,459,328 bytes free
Post-Run: 291,504,943,104 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - BDB2947FDE1405C1F7DB82396D0D30D9


sorry reply took so long. thanks for helping so far.
korrin1982
Active Member
 
Posts: 11
Joined: February 7th, 2011, 1:46 pm

Re: help with Generic Host Process for Win32 error

Unread postby askey127 » February 14th, 2011, 5:34 pm

korrin1982,
Just for background, you might find this interesting.
http://techcrunch.com/2009/10/31/scamvi ... m-of-hell/
There is not much doubt the Zynga Toolbar will track you all over the place and sell the results.
I would suggest you remove it from your Firsfox extensions, but it's your call.

------------------------------------------------------
Warning - Compromised Data
Because the infection has had remote control access to your Internet activities, you should assume that any data on the machine may have been stolen.
Take whatever precautions you think sensible about any financial (credit cards, banking, etc.), or other critical information that has been passed through or stored on the machine.
I would suggest changing all account names/numbers, and passwords for ANY accounts that have been used with the machine.
That includes not only banking, credit cards, and financial, but also website and e-mail accounts as well.

-------------------------------------------------------------
  • Open a new Notepad window (Start>All programs>accessories>notepad). Choose File, New.
  • Highlight the contents of the codebox below and press Ctrl+C to copy it to the clipboard. Do Not copy the word "Code".
    Code: Select all
    RegLock::
    [HKEY_USERS\S-1-5-21-1606980848-1123561945-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"=-
    
    
  • Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit, Paste
  • Save it to your desktop as CFScript.txt

    Image
  • Now drag and drop the CFScript.txt icon onto combofix.exe (zzz.exe) as in the picture above, and follow the prompts.
  • Then post the resultant log, C:\ComboFix.txt, in your next reply.

See whether Malwarebytes will run now.
It may be that it has been corrupted by the infection, and it may have to be removed, completely erased and re-installed.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: help with Generic Host Process for Win32 error

Unread postby korrin1982 » February 16th, 2011, 12:53 pm

ComboFix 11-02-15.04 - Sir Algood 02/16/2011 10:42:58.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1641 [GMT -6:00]
Running from: c:\documents and settings\Sir Algood\Desktop\zzz.exe
Command switches used :: c:\documents and settings\Sir Algood\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2011-01-16 to 2011-02-16 )))))))))))))))))))))))))))))))
.

2011-02-10 20:16 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-10 20:16 . 2011-02-10 20:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-10 20:16 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-10 20:07 . 2011-02-10 20:07 -------- d-----w- C:\_OTM
2011-02-09 17:38 . 2011-02-09 17:39 -------- d-----w- c:\windows\system32\NtmsData
2011-02-09 17:19 . 2011-02-09 17:19 -------- d-----w- c:\documents and settings\Sir Algood\Application Data\Avira
2011-02-09 17:17 . 2011-02-09 17:17 -------- d-----w- c:\program files\Avira
2011-02-09 17:17 . 2011-02-09 17:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-02-09 17:17 . 2010-12-13 14:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-02-09 17:17 . 2010-12-13 14:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-02-09 17:17 . 2010-06-17 20:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-02-09 17:17 . 2010-06-17 20:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-02-07 17:17 . 2011-02-07 17:17 388096 ----a-r- c:\documents and settings\Sir Algood\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-07 17:17 . 2011-02-07 17:17 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2008-04-13 23:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2008-04-13 23:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2008-04-13 23:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2008-04-13 23:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 22:15 . 2008-04-13 23:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 22:15 . 2008-04-13 23:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-12-20 17:26 . 2008-04-13 23:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-09 15:15 . 2008-04-13 23:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2008-04-13 23:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2008-04-13 23:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-11-29 23:38 . 2010-11-29 23:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 23:38 . 2010-11-29 23:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-19 22:43 . 2010-07-25 00:08 21840 -c--atw- c:\windows\system32\SIntfNT.dll
2010-11-19 22:43 . 2010-07-25 00:08 17212 -c--atw- c:\windows\system32\SIntf32.dll
2010-11-19 22:43 . 2010-07-25 00:08 12067 -c--atw- c:\windows\system32\SIntf16.dll
2010-11-18 18:12 . 2009-12-21 22:49 81920 ----a-w- c:\windows\system32\isign32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-09 16859648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2008-7-1 2326528]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2009-06-09 15:55 30000 ----a-w- c:\program files\Stardock\MyColors\fastload.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Sir Algood^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Sir Algood\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base16605\\SC2.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base16755\\SC2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2/9/2011 11:17 AM 135336]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 1:13 PM 38144]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [12/28/2007 3:02 PM 287232]
S0 cerc6;cerc6; [x]
.
Contents of the 'Scheduled Tasks' folder

2010-12-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://tmq.bingstart.com/?cfg=2-168-0-1cJpM
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
FF - ProfilePath - c:\documents and settings\Sir Algood\Application Data\Mozilla\Firefox\Profiles\m08yqys8.default\
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox ... S:official
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 5555
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Gamers Unite! Snag Bar: {afe43e80-0abc-4df2-81a0-3fe44b74abe8} - %profile%\extensions\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-16 10:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1606980848-1123561945-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:3a,98,6b,00,69,e8,46,24,7b,43,21,c4,fa,58,7b,53,b0,16,c5,08,a7,
ac,a4,fc,68,f6,8c,b8,e6,c2,f1,28,84,5c,bb,81,ad,8a,29,7c,95,5f,45,b0,bf,37,\
"rkeysecu"=hex:0c,01,85,43,d9,94,1a,d5,71,29,87,48,26,17,d9,45
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(828)
c:\program files\Stardock\MyColors\fastload.dll
.
Completion time: 2011-02-16 10:48:01
ComboFix-quarantined-files.txt 2011-02-16 16:47
ComboFix2.txt 2011-02-14 20:45

Pre-Run: 291,477,135,360 bytes free
Post-Run: 291,465,740,288 bytes free

- - End Of File - - 37B3C4A712501DF7122D6882B0D0CB76


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5773

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

2/16/2011 10:52:35 AM
mbam-log-2011-02-16 (10-52-31).txt

Scan type: Quick scan
Objects scanned: 132399
Time elapsed: 1 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\OTGV1DNWQQ (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\YXE7DXCQ37 (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\sir algood\Desktop\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.
korrin1982
Active Member
 
Posts: 11
Joined: February 7th, 2011, 1:46 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 12 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware