Generic Host Process for Win32 Services

TonyUK

I am running XP SP2 on a laptop with virtual C and D drives. All Windows and
program folders etc are on C drive. I put all data in D drive.

Whenever I reboot, during the process a message appears with the words in
bold lettering "Generic Host Process For Win32 Services". Above this the
message reads: "To help protect your computer Windows has closed this
program."

To continue with the reboot I have to click OK. Then I get a message asking
me to report this to Microsoft. I click to send, then I click to close, but
the same request for a report appears a second and sometimes a third time.

This happened for some months, but has continued to happen subsequent to my
wiping C drive and reinstalling most programs again. The system is protected
by Norton Internet Security 2007, and regularly checked for malware.

The use of the laptop does not appear to be affected, but it is annoying as
it happens on every occasion where a reboot is necessary. If someone can
explain to me what might be happening I would be very grateful.
 
Gerry

Tony

What is the Report on the problem in Event Viewer?

Please post copies of all Error and Warning Reports appearing in
the System and Application logs in Event Viewer for the last boot. No
Information Reports or Duplicates please. Indicate which also appear in
a previous boot.

You can access Event Viewer by selecting Start, Control Panel,
Administrative Tools, and Event Viewer.

A tip for posting copies of Error Reports! Run Event Viewer and double
click on the error you want to copy. In the window which appears is a
button resembling two pages. Click the button and close Event
Viewer. Now start your message (email) and do a paste into the body of
the message. Make sure this is the first paste after exiting from
Event Viewer.


--



Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
TonyUK

Thanks for replying Gerry

Under the heading System, there is no error or warning which is relevant.
The time of the event was around 12.37 pm EST today, March 7.

Under the heading Application Logs there are 4 error notices between 12.37
and 12.39 pm today. The first is

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1001
Date: 3/7/2008
Time: 12:39:50 PM
User: N/A
Computer: NEIL
Description:
Fault bucket 11666497.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket:
0008: 31 31 36 36 36 34 39 37 11666497
0010: 0d 0a ..

The second is

Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1004
Date: 3/7/2008
Time: 12:39:29 PM
User: N/A
Computer: NEIL
Description:
Faulting application svchost.exe, version 5.1.2600.2180, faulting module
CNCL4100.DLL, version 1.0.1.0, fault address 0x00002ad0.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

The third is

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1001
Date: 3/7/2008
Time: 12:39:16 PM
User: N/A
Computer: NEIL
Description:
Fault bucket 11666497.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket:
0008: 31 31 36 36 36 34 39 37 11666497
0010: 0d 0a ..

And the fourth is

Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1004
Date: 3/7/2008
Time: 12:37:47 PM
User: N/A
Computer: NEIL
Description:
Faulting application svchost.exe, version 5.1.2600.2180, faulting module
CNCL4100.DLL, version 1.0.1.0, fault address 0x00002ad0.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Have I given you what you wanted, and does it mean anything to you?
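
The two Event ID 1004 records above name the same faulting module at the same offset. The parser below is an added example, not part of the original thread: it extracts those fields from pasted Event Viewer text and collapses repeated crashes into one line per module. The sample text is constructed from the records quoted above, and the function names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: two Event ID 1004 records in the copy-button text layout
# shown in the thread, trimmed to the fields the parser uses.
SAMPLE = """\
Event Type: Error
Event Source: Application Error
Event ID: 1004
Date: 3/7/2008
Time: 12:39:29 PM
Description:
Faulting application svchost.exe, version 5.1.2600.2180, faulting module
CNCL4100.DLL, version 1.0.1.0, fault address 0x00002ad0.

Event Type: Error
Event Source: Application Error
Event ID: 1004
Date: 3/7/2008
Time: 12:37:47 PM
Description:
Faulting application svchost.exe, version 5.1.2600.2180, faulting module
CNCL4100.DLL, version 1.0.1.0, fault address 0x00002ad0.
"""

# \s+ between tokens absorbs the line wrap that pasted descriptions contain.
FAULT_RE = re.compile(
    r"Faulting application\s+(?P<app>\S+),\s+version\s+(?P<app_ver>[\d.]+),\s+"
    r"faulting module\s+(?P<module>\S+),\s+version\s+(?P<mod_ver>[\d.]+),\s+"
    r"fault address\s+(?P<addr>0x[0-9a-fA-F]+)"
)

def parse_faults(text):
    """Return one dict per 'Faulting application' description in pasted text."""
    return [m.groupdict() for m in FAULT_RE.finditer(text)]

def summarize(text):
    """Collapse duplicate crashes: count per (app, module, version, address)."""
    faults = parse_faults(text)
    return Counter((f["app"], f["module"], f["mod_ver"], f["addr"]) for f in faults)

if __name__ == "__main__":
    for (app, module, ver, addr), n in summarize(SAMPLE).items():
        print(f"{n}x {app} crashed in {module} {ver} at {addr}")
```
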
 
Gerry

Tony

This file suggests a nasty malware infection or the remnants of an
infection.

If there is still an active malware infection you will most likely need
specialist advice to assist removal:
http://www.google.com/search?q=CNCL4100.DLL&hl=en&lr=&as_qdr=all&filter=0

http://www.elephantboycomputers.com/page2.html#Removing_Malware

If it is a remnant you could try Autoruns to remove from your start up
list whatever is putting up the message on start. Do you have a
CNCL4100.DLL file located in your system32 folder? If you do then I
think you have an active infestation.


--



Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
TonyUK

I have found CNCL4100.DLL in my System 32 folder. Before I take any steps, I
should be grateful if you would explain to me the significance of this file.

You have to bear in mind that I wiped C drive clean and used the laptop's
supplied system replacement disk to replace (inter alia) the entire operating
system. If the file was on that disk, then it has been there since I
purchased the machine two years ago. I don't believe that to be the case. So
anything you can tell me about this file would be of interest to me.
 
TonyUK

A further thought: every piece of data that I possess is backed up to an
external hard drive. I wonder if it might not be wise to wipe C and D drives,
the whole thing: the only problem there is that there might be some virus
that got into my data. I have no real answer for that as my data files are
important to me. Of course, I could run Norton 2007, with the external drive
attached to the computer. Surely that would identify any malware. Any
comments on this?
 
TonyUK

Hi Gerry

I have now run Norton (fully updated) over C Drive, D Drive and External
drive, and nothing evil shows up. Perhaps File CNCL4100.DLL is faulty in the
edition supplied to me: I couldn't comment on that. But I don't see a malware
involvement either.
 
Gerry

Tony

This link gave you the reason for my suspicion:
http://www.google.com/search?q=CNCL4100.DLL&hl=en&lr=&as_qdr=all&filter=0

That evidence I would admit is not conclusive. The information there
suggests it is not malware that has been widely distributed. Norton may
have a reasonable detection rate for viruses but its detection rate for
other malware is less successful. You cannot rely on Norton. If using a
number of anti-spyware programmes it is never possible to be absolutely
certain a machine is clean.

"Perhaps File CNCL4100.DLL is faulty in the edition supplied to me,"
You are missing the point. It is not a known driver so you should not
have the file.

"But I don't see a malware involvement either." You have unexplained
activity on your computer. You should not get the message every time you
boot. Until you have an innocent explanation for this activity then
malware must always be a possible explanation.

The ideal way to resolve the issue would be to run anti-spyware software
known to be capable of detecting the suspected malware. I am not a
specialist in malware so I cannot suggest how to eliminate the
possibility that the file is malware. If you right click on the file and
select Properties is there any indication of the source of the file?

--



Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
Tonyo UK

Gerry

I have taken some time to review Win32 folders. The File CNCL4100.DLL is
revealed as a Canon file related to my All-In-One Canon laser printer,
installed about 6 months ago. It is actually called the 4100 series. There
are a number of other CNCL files. The one we are talking about is copyright
Canon Inc 2006 and the Product name is ScanGear MF, part of the printer
program. The whole installation was first done last October, which is when
the problem first arose. All of the similar files are similarly related to
the Canon Program. Now I intend to see if I can find updated drivers to
download from Canon and then see if that settles the problem. I don't see
this as a malware problem, especially since the system has been wiped clean
in the past week and then reinstalled. It is beginning to look more and more
like a corrupted file in the Canon software. I will keep you posted.
 
Gerry

Tony

That's a much better outcome than I feared. If you cannot find the
updated drivers, uninstalling and reinstalling the software may resolve
the problem. Offline you can do this without your security software and
firewall running.

However, going back to this statement by you: "Whenever I reboot, during
the process a message appears with the words in bold lettering "Generic
Host Process For Win32 Services". Above this the message reads: "To help
protect your computer Windows has closed this program."" What you now
know about the file suggests that it could be your Windows Firewall
stopping it loading? Add the Programmes to exceptions - Start, Control
Panel, Windows Firewall, Exceptions, Add Programmes.


--



Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
Tonyo UK

Actually I have Windows Firewall turned off. This is because I have Norton
Firewall turned on instead.

I will contact you again when I have downloaded updated drivers and tested
the system.
 
Tonyo UK

There are no update drivers for my product. So I rebooted and when the error
message appeared I reported to MS as usual and opened a link provided by MS.
This referred me to "Data Execution Protection" (DEP) and told me I could
make exceptions to this protection. So I went to control panel/System/System
Properties/Advanced/Performance Options/Data Execution Protection. I selected
the Button "Turn on DEP for all programs and services except those I select".
This opened a small window inside which there was an empty tick-box and then
the words "Generic Host Process for Win32 Services". It was the only program
in the box! So I ticked it, clicked apply, then OK, then rebooted. This time
the annoying message did not appear and the heavens have not fallen in.

Thank you for accompanying me on this Odyssey.
 
Gerry

Well done Tony. Thanks for recording the outcome.


--
Regards.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
