
Inactive: Generic host process for win32 services has encountered a problem

Discussion in 'Malware and Virus Removal Archive' started by conde357, 2010/11/26.

  1. 2010/11/28
    conde357 Inactive Thread Starter
    Joined: 2010/11/26
    Messages: 39
    Likes Received: 0
    I booted the computer and it's just hanging; it won't completely boot up...
     
  2. 2010/11/28
    broni Moderator Malware Analyst
    Joined: 2002/08/01
    Messages: 21,701
    Likes Received: 116
    I suspect we may be dealing with some other issues besides an infection.

    Try to restart it a couple of times; try Safe Mode.
     


  4. 2010/11/28
    conde357 Inactive Thread Starter
    I started in Safe Mode as Administrator... is this correct?
     
  5. 2010/11/28
    broni Moderator Malware Analyst
    Good :)
    Now, I need that SystemLook log.
     
  6. 2010/11/28
    conde357 Inactive Thread Starter
    SystemLook 04.09.10 by jpshortstuff
    Log created at 15:54 on 28/11/2010 by George
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "explorer.exe "
    C:\explorer\explorer.exe --a---- 1033728 bytes [10:42 14/04/2008] [16:59 27/11/2010] 12896823FB95BFB3DC9B46BCAEDC9923
    C:\WINDOWS\explorer.exe --a---- 1033216 bytes [12:00 04/08/2004] [11:26 13/06/2007] 82852070785B5BE6E99D414FF4CFE920
    C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe --a---- 1033216 bytes [11:26 13/06/2007] [11:26 13/06/2007] 7712DF0CDDE3A5AC89843E61CD5B3658
    C:\WINDOWS\$NtUninstallKB938828$\explorer.exe -----c- 1032192 bytes [04:25 25/12/2008] [12:00 04/08/2004] A0732187050030AE399B241436565E64
    C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\explorer.exe --a---- 1033728 bytes [00:12 14/04/2008] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

    Searching for "winlogon.exe "
    C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\winlogon.exe ------- 507904 bytes [00:12 14/04/2008] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
    C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [12:00 04/08/2004] [00:12 14/04/2008] BEE0253B590760906B8CC284D8B39AFA
    C:\winlogon\winlogon.exe --a---- 507904 bytes [06:36 21/03/2008] [17:02 27/11/2010] B8135E9ED99A0858DF535CE0A0271558

    -= EOF =-
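A filefind block like the one above is easier to read when the hits are grouped by hash instead of scanned line by line. The script below is an added example, not part of this thread and not code from SystemLook, BlitzBlank or ComboFix. It parses the log lines posted above, assumes the XP layout in which C:\WINDOWS\explorer.exe and C:\WINDOWS\system32\winlogon.exe are the copies Windows actually loads (the LIVE_LOCATIONS table is that assumption), and reports which other copies carry the same MD5, which differ, and which sit outside the Windows directory. It does not decide which copy is clean; the log alone cannot tell you that without a known-good reference to compare against.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The filefind block from the SystemLook log posted above (copied, not constructed).
SYSTEMLOOK_LOG = r"""
========== filefind ==========

Searching for "explorer.exe "
C:\explorer\explorer.exe --a---- 1033728 bytes [10:42 14/04/2008] [16:59 27/11/2010] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\explorer.exe --a---- 1033216 bytes [12:00 04/08/2004] [11:26 13/06/2007] 82852070785B5BE6E99D414FF4CFE920
C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe --a---- 1033216 bytes [11:26 13/06/2007] [11:26 13/06/2007] 7712DF0CDDE3A5AC89843E61CD5B3658
C:\WINDOWS\$NtUninstallKB938828$\explorer.exe -----c- 1032192 bytes [04:25 25/12/2008] [12:00 04/08/2004] A0732187050030AE399B241436565E64
C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\explorer.exe --a---- 1033728 bytes [00:12 14/04/2008] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

Searching for "winlogon.exe "
C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\winlogon.exe ------- 507904 bytes [00:12 14/04/2008] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [12:00 04/08/2004] [00:12 14/04/2008] BEE0253B590760906B8CC284D8B39AFA
C:\winlogon\winlogon.exe --a---- 507904 bytes [06:36 21/03/2008] [17:02 27/11/2010] B8135E9ED99A0858DF535CE0A0271558

-= EOF =-
"""

# One filefind hit: <path> <attrs> <size> bytes [<modified>] [<created>] <MD5>
HIT_RE = re.compile(
    r"^(?P<path>\S.*?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<modified>[^\]]+)\]\s+\[(?P<created>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)

# Assumed XP layout: the copy Windows actually loads for each binary name.
LIVE_LOCATIONS = {
    "explorer.exe": r"C:\WINDOWS\explorer.exe",
    "winlogon.exe": r"C:\WINDOWS\system32\winlogon.exe",
}


@dataclass
class FileCopy:
    path: str
    attrs: str
    size: int
    modified: str
    created: str
    md5: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def in_system_root(self) -> bool:
        # Hotfix backups and the update cache live under C:\WINDOWS; a copy of a
        # system binary in C:\explorer or C:\winlogon does not belong there.
        return self.path.lower().startswith("c:\\windows\\")


def parse_filefind(log: str) -> List[FileCopy]:
    """Return one FileCopy per hit line; headers, 'Searching for' and EOF lines are skipped."""
    hits = []
    for line in log.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append(FileCopy(m["path"], m["attrs"], int(m["size"]),
                                 m["modified"], m["created"], m["md5"].upper()))
    return hits


def compare_copies(hits: List[FileCopy],
                   live_locations: Dict[str, str] = LIVE_LOCATIONS) -> Dict[str, dict]:
    """For each binary, compare every copy found against the one at its live location."""
    report: Dict[str, dict] = {}
    for name, live_path in live_locations.items():
        copies = [h for h in hits if h.name == name]
        live: Optional[FileCopy] = next(
            (h for h in copies if h.path.lower() == live_path.lower()), None)
        by_md5: Dict[str, List[str]] = {}
        for h in copies:
            by_md5.setdefault(h.md5, []).append(h.path)
        report[name] = {
            "live_md5": live.md5 if live else None,
            "same_as_live": [h.path for h in copies if live and h is not live and h.md5 == live.md5],
            "differs_from_live": [h.path for h in copies if live and h.md5 != live.md5],
            "outside_system_root": [h.path for h in copies if not h.in_system_root],
            "hash_groups": by_md5,
        }
    return report


if __name__ == "__main__":
    for name, info in compare_copies(parse_filefind(SYSTEMLOOK_LOG)).items():
        print(f"{name}: live MD5 {info['live_md5']}")
        for md5, paths in info["hash_groups"].items():
            print(f"  {md5}  x{len(paths)}")
            for p in paths:
                print(f"      {p}")
        for p in info["outside_system_root"]:
            print(f"  outside C:\\WINDOWS: {p}")
```

Run against the log above, the report shows that C:\explorer\explorer.exe carries the same MD5 as the Windows Update download under SoftwareDistribution while the live C:\WINDOWS\explorer.exe matches none of the other copies, and that the three winlogon.exe copies all have different hashes. That is the kind of picture a helper wants in front of them before a CopyFile or FCopy overwrites the live binaries.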
     
  7. 2010/11/28
    broni Moderator Malware Analyst
    OK.
    Firstly, to avoid that recovery console password issue in the future, do this:

    Go Start>Run
    Type in:
    regedit
    Click OK.
    Navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole
    Set the DWORD SecurityLevel value to 1
    Exit registry editor.

    =============================================================

    Now, let's see, if we can replace those files without using recovery console.


    Download BlitzBlank and save it to your desktop.
    Double click on Blitzblank.exe

    • Click OK at the warning (and take note of it, this is a VERY powerful tool!).
    • Click the Script tab and copy/paste the following text there:
    Code:
    CopyFile:
    C:\explorer\explorer.exe C:\WINDOWS\explorer.exe
    C:\winlogon\winlogon.exe C:\WINDOWS\system32\winlogon.exe
    

    • Click Execute Now. Your computer will need to reboot in order to replace the files.
    • When done, post the report created by Blitzblank.
      You can find it in the root of the drive, normally C:\
     
  8. 2010/11/28
    conde357 Inactive Thread Starter
    OK, I am doing this from Safe Mode, right?
     
  9. 2010/11/28
    broni Moderator Malware Analyst
    It doesn't matter what mode you're in.
     
  10. 2010/11/28
    conde357 Inactive Thread Starter
    I am getting this error message:

    Syntax error in line 2, Invalid file path.
     
  11. 2010/11/28
    broni Moderator Malware Analyst
    I assume you copied/pasted instead of typing it manually?

    BTW, did you make that registry change?
     
  12. 2010/11/28
    conde357 Inactive Thread Starter
    Yes, you assumed right... just copy and paste. And yes, I made the registry change to value 1.
     
  13. 2010/11/28
    broni Moderator Malware Analyst
    Copying is what you want to do.
    Make sure you copy only what's inside the code box (without the word "Code"):
     
  14. 2010/11/28
    conde357 Inactive Thread Starter
    I copied and pasted this:

    CopyFile:
    C:\explorer\explorer.exe C:\WINDOWS\explorer.exe
    C:\winlogon\winlogon.exe C:\WINDOWS\system32\winlogon.exe

    and still get the same error.
     
  15. 2010/11/28
    broni Moderator Malware Analyst
    OK, let's try recovery console again.

    Follow all steps from my reply #19
     
  16. 2010/11/28
    conde357 Inactive Thread Starter
    It's still asking me for a password... I press Enter and it asks again...
     
  17. 2010/11/28
    broni Moderator Malware Analyst
    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    FCopy::
    C:\explorer\explorer.exe | C:\WINDOWS\explorer.exe
    C:\winlogon\winlogon.exe | C:\WINDOWS\system32\winlogon.exe 
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  18. 2010/11/28
    conde357 Inactive Thread Starter
    This is what I see:

    1: D:\Windows
    2: C:\WINDOWS

    Then I press 1 and it asks for the password; I press Enter and it keeps asking me for the password.
     
  19. 2010/11/28
    broni Moderator Malware Analyst
    You should click 2.
     
  20. 2010/11/28
    broni Moderator Malware Analyst
    Try the above first before trying Combofix.
     
  21. 2010/11/28
    conde357 Inactive Thread Starter
    I did; then I typed what you told me to type and I get 'Access Denied'.
     
