Generic Host Process for Win32 Failure

Discussion in 'Malware and Virus Removal Archive' started by Legomaniax, 2009/02/19.

  1. 2009/02/19
    Legomaniax

    Legomaniax Inactive Thread Starter

    Joined:
    2009/02/19
    Messages:
    4
    Likes Received:
    0
    Hi Guys,

    I've been running into some problems recently, and I believe it's due to some malware/viruses. I'm just having some trouble pinpointing it.

    I'm getting the popup with the Windows warning:

    Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.
    ---------------------------------
    The error signature is:

    szAppName : svchost.exe szAppVer : 5.2.3790.3959 szModName : ntdll.dll
    szModVer : 5.2.3790.3959 offset : 00000000000308bb
    ----------------------------------

    I've run a scan with HijackThis 2.0.2:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:09:40 PM, on 2/19/2009
    Platform: Windows 2003 SP2 (WinNT 5.02.3790)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    M:\WINDOWS\SysWOW64\brsvc01a.exe
    M:\WINDOWS\SysWOW64\brss01a.exe
    M:\Program Files (x86)\Intel\IDU\awServ.exe
    M:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaantmon.exe
    M:\Program Files (x86)\Marvell\61xx\svc\mvraidsvc.exe
    M:\Program Files (x86)\Marvell\61xx\Apache2\bin\Apache.exe
    M:\Program Files (x86)\Marvell\61xx\Apache2\bin\Apache.exe
    M:\Program Files (x86)\RivaTuner v2.02\RivaTuner.exe
    M:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    M:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe
    M:\Program Files (x86)\BitTorrent_DNA\dna.exe
    M:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe
    M:\Program Files (x86)\Intel\IDU\iptray.exe
    G:\WINDOWS\mHotkey.exe
    G:\WINDOWS\SysWOW64\ctfmon.exe
    M:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe
    M:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
    M:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    M:\Program Files (x86)\Internet Explorer\iexplore.exe
    G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thottbot.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    F2 - REG:system.ini: UserInit=userinit
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - M:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - m:\program files (x86)\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - M:\Program Files (x86)\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - m:\program files (x86)\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IntelAudioStudio] "M:\Program Files (x86)\Intel Audio Studio\IntelAudioStudio.exe" BOOT
    O4 - HKLM\..\Run: [IAAnotif] "M:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe "
    O4 - HKLM\..\Run: [ipTray.exe] "M:\Program Files (x86)\Intel\IDU\iptray.exe "
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [masqform.exe] "M:\Program Files (x86)\PureEdge\Viewer 6.5\masqform.exe" -RunOnce
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "M:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "M:\Program Files (x86)\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] M:\WINDOWS\SysWOW64\NeroCheck.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "M:\Program Files (x86)\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [SysTrayApp] M:\Program Files\IDT\WDM\sttray.exe
    O4 - HKCU\..\Run: [swg] M:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "M:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [BitTorrent DNA] "M:\Program Files (x86)\BitTorrent_DNA\dna.exe "
    O4 - HKCU\..\Run: [NVIDIA nTune] "M:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - M:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - M:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files (x86)\Microsoft Office\Office12\REFIEBAR.DLL (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - M:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - M:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: M:\Program Files (x86)\Internet Explorer\Plugins\NPDocBox.dll
    O15 - ESC Trusted Zone: http://runonce.msn.com
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1183880208687
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1183880174343
    O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
    O23 - Service: Admin Works Agent X8 (AWService) - OSA Technologies Inc., An Avocent Company - M:\Program Files (x86)\Intel\IDU\awServ.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - M:\WINDOWS\SysWOW64\brsvc01a.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - G:\WINDOWS\System32\dmadmin.exe (file missing)
    O23 - Service: Event Log (Eventlog) - Unknown owner - G:\WINDOWS\system32\services.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - M:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - G:\WINDOWS\System32\lsass.exe (file missing)
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - M:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: Marvell RAID Event Agent (Marvell RAID) - Unknown owner - M:\Program Files (x86)\Marvell\61xx\svc\mvraidsvc.exe
    O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - M:\WINDOWS\system32\mnmsrvc.exe (file missing)
    O23 - Service: MRU Web Service (MRUWebService) - Apache Software Foundation - M:\Program Files (x86)\Marvell\61xx\Apache2\bin\Apache.exe
    O23 - Service: NBService - Nero AG - M:\Program Files (x86)\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Net Logon (Netlogon) - Unknown owner - G:\WINDOWS\system32\lsass.exe (file missing)
    O23 - Service: NMIndexingService - Nero AG - M:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - G:\WINDOWS\system32\lsass.exe (file missing)
    O23 - Service: nTune Service (nTuneService) - NVIDIA - M:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - G:\WINDOWS\system32\nvsvc64.exe (file missing)
    O23 - Service: Plug and Play (PlugPlay) - Unknown owner - G:\WINDOWS\system32\services.exe (file missing)
    O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - G:\WINDOWS\system32\lsass.exe (file missing)
    O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - G:\WINDOWS\system32\lsass.exe (file missing)
    O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - G:\WINDOWS\system32\lsass.exe (file missing)
    O23 - Service: Virtual Disk Service (vds) - Unknown owner - G:\WINDOWS\System32\vds.exe (file missing)
    O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - G:\WINDOWS\System32\vssvc.exe (file missing)

    --
    End of file - 8488 bytes

    ---------------------------------

    Nothing really jumps out at me. But I'm almost positive it's a virus. I run fine until I close the Windows error popup. Once I close that the system will flicker and then BSOD. But if I drag the popup off to the side I haven't had any problems running any programs.

    Your ideas?

    Thanks,
    Chris
     
  2. 2009/02/20
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Chris

    There is an announcement at the head of the forum, which you could hardly miss .....

    *** READ THIS BEFORE POSTING IN THIS FORUM ***

    Please read and post the logs requested in this thread.
     
  4. 2009/02/20
    Legomaniax

    Legomaniax Inactive Thread Starter

    Joined:
    2009/02/19
    Messages:
    4
    Likes Received:
    0
    Hello Pete,

    I do not mean to be rude, but I kinda do. I do not appreciate being insulted. I know I am new here, and I'm sure there are many people that miss the bright red warning at the top of the screen.

    I have read the *** READ THIS BEFORE POSTING IN THIS FORUM ***, and I did attempt to run the DDS program.

    I downloaded it, and the program popped up in a DOS dialog box and stated that my operating system does not support that program... press any key to continue. Then it closed.

    I am at work now, but once I return home tonight I will take a screen shot and attach it. Perhaps there was something I did wrong.


    The DDS program was the only source of files I saw listed in the intro. If there was something I missed, again, I apologise. As I stated in my introduction post, I do not know much about programming, nor viruses. My usual solution to a virus is to format. I generally don't put up with people punking my system.

    But, on the flip side, this does pique my interest and I would like to learn and help others in the future.

    *Note I only ran the program from Mirror1 (I assumed all mirrors were the same)

    My sincere thanks,

    Chris
     
  5. 2009/02/20
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412
    There is nothing insulting in Pete's message, and yes, many people either miss it or ignore the advice given; that's why Pete posted the message.


    So for completeness, you could have added that to your post?
     
    Arie,
    #4
  6. 2009/02/20
    Legomaniax

    Legomaniax Inactive Thread Starter

    Joined:
    2009/02/19
    Messages:
    4
    Likes Received:
    0
    Hello Arie,

    Very true. I should have stated that in my post. So misassumptions on both our parts.

    Many times the context is lost in the text. Again, my apologies.

    I would like to move forward, and perhaps, find a resolution. I am prepared to perform necessary tasks to clean my computer. And if all else fails, I'm prepared to format like usual.

    One more note of interest. Both my boot drives seem to be infected. My cpu isn't set up with the historical sense of the word 'dual boot'.

    I run separate drives with separate Windows installations on them. Both are near mirror installations of my XP 64bit, however on separate physical hard drives.

    This means that when I boot up, I am not prompted for which version of windows I want to run. In order to change which I boot from, I reorder the hard drive boot order in the bios.

    This leads me to believe the infection is in some shared folder that is accessed from both instances of windows. And to assume further, this would cause a format to not fix the problem either.

    Your thoughts?

    Chris
     
  7. 2009/02/23
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Legomaniax

    I'm not seeing any malware in your log.

    Unfortunately, like DDS, most of our tools will not work on a 64 BIT machine.

    I'm not seeing an Anti Virus program. I would suggest you find one that will run on a 64 BIT machine and download, update and run a scan with it.

    Geri
     
    Geri,
    #6
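A small triage script for HijackThis-format logs like the one in the first post, added here as an example and not part of the thread or the HijackThis tool: it parses the O4 (Run keys) and O23 (services) lines and flags the entries a responder would verify first. The sample lines are constructed (modelled on the log above, plus one invented temp-path entry to exercise that check); the "(file missing)" note is treated as something to confirm on disk rather than as proof of tampering, since a 32-bit tool on 64-bit Windows can misreport system32 files.

```python
import re

# Constructed sample in HijackThis 2.0.2 log format. The 'updater' line is
# invented for this example; the others are modelled on the thread's log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "M:\Program Files (x86)\BitTorrent_DNA\dna.exe "
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\upd.exe
O23 - Service: Event Log (Eventlog) - Unknown owner - G:\WINDOWS\system32\services.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - M:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Marvell RAID Event Agent (Marvell RAID) - Unknown owner - M:\Program Files (x86)\Marvell\61xx\svc\mvraidsvc.exe
"""

# O4 lines look like: HKLM\..\Run: [Name] command line
O4_RE = re.compile(r'^(?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# O23 lines look like: Service: Display (Short) - Owner - Path [(file missing)]
O23_RE = re.compile(r'^Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$')
STANDARD_DIR = re.compile(r'^[A-Za-z]:\\(Program Files( \(x86\))?|WINDOWS)\\', re.IGNORECASE)
TEMP_DIR = re.compile(r'\\(Temp|Local Settings|Application Data)\\', re.IGNORECASE)

def executable_path(cmd):
    """Pull the executable out of an O4 command line (quoted path or bare value)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)].strip()
    return cmd

def assess_path(path):
    """Return a reason to look closer at a path, or None if it looks ordinary."""
    if '\\' not in path:
        return 'bare file name, resolved via PATH search at logon: locate the file on disk'
    if TEMP_DIR.search(path):
        return 'runs from a temp or per-user data directory'
    if not STANDARD_DIR.match(path):
        return 'outside Program Files and the Windows directory'
    return None

def triage(log_text):
    """Parse O4 and O23 lines and return (section, name, reason) findings in log order."""
    findings = []
    for line in log_text.strip().splitlines():
        section, _, rest = line.partition(' - ')
        if section == 'O4' and (m := O4_RE.match(rest)):
            reason = assess_path(executable_path(m['cmd']))
            if reason:
                findings.append(('O4', m['name'], reason))
        elif section == 'O23' and (m := O23_RE.match(rest)):
            if m['missing']:
                # A 32-bit HijackThis on 64-bit Windows can report system32
                # binaries as missing (WOW64 redirection), so verify before acting.
                findings.append(('O23', m['svc'], 'binary reported missing: confirm on disk, may be a 64-bit artifact'))
            elif m['owner'] == 'Unknown owner':
                findings.append(('O23', m['svc'], 'no publisher recorded: check the file signature and hash'))
            elif (reason := assess_path(m['path'])):
                findings.append(('O23', m['svc'], reason))
    return findings

if __name__ == '__main__':
    for section, name, reason in triage(SAMPLE_LOG):
        print(f'{section:<4} {name}: {reason}')
```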