Generic Host Process for win32 Service

Guest

I am trying to help a friend with his XP machine reporting the message "Generic
Host Process for win32 Service" 2-5 minutes after it is connected to the
internet through the ADSL (LAN), and then the service is disconnected (even
though it appears to be still up). Connecting with a normal dial-up line does
not show the message. I found out the machine had several viruses. I cleaned
them all using Stinger and the Sasser and Welchia fixes, and by updating Symantec
Norton AV to the latest level and running it. I also installed the adware6 tool
to remove adware stuff. After I did all of this it seemed to help: he was able
to connect via ADSL with no problem for a longer time (a couple of hours)... then
the same issue again. I asked him to re-run all the stuff I provided him with to
see if any other virus is present... but it all seems OK; no viruses are reported.
What else can I do? Does anyone know what it is all about? If it is a worm, any
idea what it could be? This is also preventing him from installing Service Pack 2
(from WinUpdate).
Thanks
Ciao. Giorgio
 
David H. Lipman

Well, first replace Adaware6 with Adaware SE v1.05, since this version superseded Adaware6,
which Lavasoft no longer supports. Make sure you also update Adaware SE with the latest
definitions before using it to scan the PC, and perform the scan in Safe Mode.

Dave



 
Guest

Thanks Dave. Adware SE was downloaded and updated, and it was executed on the
machine in safe mode together with Norton AV at the latest updated level. NAV
found nothing, while Adware found 12 dangerous objects, which were eliminated.
Then both NAV and Adware were run again in normal mode: no issue.
The XP machine ran for about two days with no problem. Now we have the same exact
symptom I described before. The only thing the guy said was that he noticed
that before this failure happens the hard disk starts running like crazy and
that the message "Generic Host Process for Win32 Service" is posted and the
connection through ADSL is dropped. Any other hints? I suggested running
Adware and NAV again in safe mode to see if something new comes out... but then I
do not know what more to say.
Ciao. Giorgio
 
Guest

Adware SE and NAV have been executed in safe mode again. Well, for almost five
hours the machine ran with no issue... then, while downloading SP2 from Windows
Update, at one point the hard disk started working like crazy and then the same
message occurred... and ADSL was dropped... Any hints?
 
David H. Lipman

1) Download the following three items...

McAfee Stinger
http://vil.nai.com/vil/stinger/

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt248.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM.

2) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
3) Reboot your PC into Safe Mode
4) Using both the Trend Sysclean utility and Stinger, perform a Full Scan of your
platform and clean/delete any infectors found
5) Restart your PC and perform a "final" Full Scan of your platform using both.
6) If you are using WinME or WinXP, Re-enable System Restore and re-apply any
System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
7) Reboot your PC.
8) If you are using WinME or WinXP, create a new Restore point


* * * Please report back your results * * *

Dave



 
Guest

Hi Dave. All actions have been performed: Stinger found nothing. Sysclean
found 5 viruses: TROJ_SMALL.CC, TROJ_DIALTOP.A, PE_PARITE.A, WORM_RBOT.EH,
WORM_RBOT-4, and all have been cleaned successfully. The second run did not show
any more viruses (NAV found nothing). Now the machine works better than before,
in the sense that the time the message takes to get posted is longer: today it
worked all day and only two messages were received. Here is more info that comes with
the message:
C:\DOCUM- 1\UTENTE-1\IMPOST-1\Temp\WER1.temp.dir00\svchost.exe.mdmp
C:\DOCUM- 1\UTENTE-1\IMPOST-1\Temp\WER1.temp.dir00\appcompat.txt
Generic Host Process for WIN32 Service
Identifier:
szAppName: szAppVer: 0.0.0.0 szModName: unknown
szModver:0.0.0.0 offset:00000000
SP2 not installed yet
Any more ideas?
Ciao. Giorgio
 
David H. Lipman

If you email me, I can give you further assistance using another Command Line Scanner.

Just remove ~nospam~.

Dave



 
David H. Lipman

Because the Command Line Scanner in question is a licensed product and in theory would
require the OP to own one of the vendor's products, I can't post in public, but I can
provide information to individuals on a one-to-one basis. The scanner has a signature library
of ~108,000 infectors and is highly effective. The scanner is also a dual-mode Win32/DOS
Command Line Scanner.

Email me if you want to know more, Kelly.

Dave



| Dave,
|
| Why should he write you for this information?
|
| --
| All the Best,
| Kelly
|
| Microsoft-MVP Windows® XP-Shell/User
| 2004 Windows MVP "Winny" Award
|
| Troubleshooting Windows XP
| http://www.kellys-korner-xp.com
|
| Taskbar Repair Tool Plus!
| http://www.kellys-korner-xp.com/taskbarplus!.htm
|
|
 
David H. Lipman

I just had him run the TrendMicro Sysclean utility which shares the same Pattern Files as
the Free Online Virus Scanner from TrendMicro therefore using the web based scanner is
redundant.

Dave




| Start here:
|
| Run Ad-Aware SE, Spybot and HijackThis:
| http://www.majorgeeks.com/downloads31.html
|
| Note: Update each program, once installed, before running.
|
| Note2: To avoid the False-Flag for the DSO Exploit (W3), open
| Spybot/Advanced Mode/Settings/Ignore Products. On the All Products Tab,
| scroll to DSO Exploit and check that item only. Randy (silj)
|
| Free Online Virus Scan
| http://housecall.trendmicro.com/housecall/start_corp.asp
|
|
| --
| All the Best,
| Kelly
|
| Microsoft-MVP Windows® XP-Shell/User
| 2004 Windows MVP "Winny" Award
|
| Troubleshooting Windows XP
| http://www.kellys-korner-xp.com
|
| Taskbar Repair Tool Plus!
| http://www.kellys-korner-xp.com/taskbarplus!.htm
|
|
 
