
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1187
  • Last Modified:

Generic Host Process for Win32 Services has encountered a problem and needs to close

This is driving me crazy.
A client of mine complained that their XP SP2 system was running slow. I ran Malwarebytes Anti-Malware and found 20 items, among which was the Trojan.ambler keylogger virus. I allowed the programme to remove everything, which required a reboot. On rebooting I was faced with the dreaded "Generic Host Process for Win32 Services has encountered a problem and needs to close" message. Clicking on Close sends it away and everything else on the machine seems to be working fine.

While working on the machine I noticed that the Windows Update icon was displaying in the system tray. When clicked it requested permission to update the system to SP3. I felt pretty sure that this would also cure the GHP error and so carried out the update. All went well but on rebooting the GHP message was still there.

I have followed some advice on various sites, in particular the re-registering of Windows Update files and renaming of the Software Distribution folder but this has not helped. The problem appears to be with svchost.exe but this could refer to many different things. Since removing the malware I have run further scans with AV and AM programmes. These have found and removed a few more things but the GHP message prevails.

I am desperate to find a solution and would welcome any suggestions.
0
Asked: grigorovsky
1 Solution
 
Mohamed OsamaSenior IT ConsultantCommented:
I would instantly consult the event logs; usually such errors will be resolved by Windows Update.
Make sure your client has an active firewall turned on, run Windows Update or run an MBSA scan on his machine, and download and install any missing updates listed in the MBSA scan report.


0
 
delyan_valchevCommented:
Check for any automatic service which is not started. The problem may be in partially removed malware which has left a service entry without or with a broken malware executable.
You can also scan the system with the great rootkit detection tool GMER - http://www.gmer.net/
It can point you to the culprit.
Hope it helps!
0
 
warturtleCommented:
It could be corrupt system files for which you can do this:

Start->Run->sfc /scannow

This will ask Windows to check all OS files and make sure that they are not corrupt or missing. If there are any corrupted or missing files, they will be replaced with fresh copies. You'll need Windows XP CD for this though.

Secondly, after doing that I am going to advise that you do an online scan of critical areas with the Kaspersky Online Scanner based at: http://www.kaspersky.co.uk/virusscanner and let us know, what you find.

Hope it helps.
0
 
grigorovskyAuthor Commented:
Thank you for the very quick responses here. I am administering the machine remotely via LogMeIn and need to liaise with the client before starting another session. I will certainly be trying out your advice.

Admin3k: I did look at the event log and could only find one reference to a USB device that could not be started. This seemed to be consistent with each time that the machine is started up. Bearing in mind that the problem was present while the system was at the SP2 stage and prevailed into the SP3 update, I would have hoped that any relevant hotfixes would have already been applied.

delyan valchev: I had a quick look at the Services list but could not see anything obvious. My first thought was also that this may have to do with a service entry pointing to a broken or deleted malware exec. I will try GMER.

warturtle: I will try scannow and the Kaspersky tool and let you know the outcome
0
 
LeeTutorretiredCommented:
If you have an XP Pro system, and not XP Home, then you can go to a CMD prompt and find out what processes are connected with each of the SVCHOST.EXE entries by typing   TASKLIST  /SVC  That may help you narrow down on what the problems are...
0
 
grigorovskyAuthor Commented:
That would be great. Unfortunately this one is running XP home. Is there anything similar or a third party utility which could provide that information?
0
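A way to get the same mapping on XP Home, as an added example that is not from any of the answers above: PowerShell 2.0 (installable on XP SP2/SP3) can ask WMI which services report each svchost.exe PID, and the same service data also finds the orphaned entries delyan_valchev described earlier, services whose registered binary is gone from disk. The function names and the argument-parsing rules are mine; the script assumes an Administrator session on the affected machine.

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0 on XP and an
# Administrator session; WMI is used because XP Home has no TASKLIST.EXE.

function Get-ServiceExecutable($pathName) {
    # Pull the executable out of an ImagePath: a quoted path, or for an
    # unquoted one everything up to the first .exe or the first ' -'/' /' switch.
    if ($pathName -match '^"([^"]+)"')        { $exe = $matches[1] }
    elseif ($pathName -match '^(.+?\.exe)\b')  { $exe = $matches[1] }
    elseif ($pathName -match '^(.+?)\s+[-/]')  { $exe = $matches[1] }
    else                                       { $exe = $pathName }
    $exe = [Environment]::ExpandEnvironmentVariables($exe.Trim())
    # XP registers some svchost groups as '...\svchost -k name' with no extension,
    # and a few entries are relative to the Windows directory.
    if (-not [IO.Path]::HasExtension($exe))  { $exe += '.exe' }
    if (-not [IO.Path]::IsPathRooted($exe))  { $exe = Join-Path $env:SystemRoot $exe }
    return $exe
}

function Get-SvchostServiceMap {
    # One object per running svchost.exe: its PID, its command line (which
    # carries the -k group name) and every service WMI says lives in that PID.
    $procs    = Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'"
    $services = Get-WmiObject Win32_Service -Filter "State = 'Running'"
    foreach ($p in $procs) {
        $hosted = @($services | Where-Object { $_.ProcessId -eq $p.ProcessId })
        New-Object PSObject -Property @{
            ProcessId    = $p.ProcessId
            CommandLine  = $p.CommandLine
            Services     = ($hosted | ForEach-Object { $_.Name }) -join ', '
            # A service that claims this PID but whose ImagePath is not the
            # stock %SystemRoot%\system32\svchost is worth a second look.
            OddImagePath = ($hosted |
                Where-Object { $_.PathName -notmatch '\\system32\\svchost(\.exe)?(\s|$)' } |
                ForEach-Object { "$($_.Name)=$($_.PathName)" }) -join ', '
        }
    }
}

function Get-OrphanedServices {
    # Services whose registered executable no longer exists on disk: the
    # pattern left when an AV tool deletes a malware binary but not the
    # service entry that still tries to start it at every boot.
    foreach ($s in Get-WmiObject Win32_Service) {
        if (-not $s.PathName) { continue }
        $exe = Get-ServiceExecutable $s.PathName
        if (-not (Test-Path -LiteralPath $exe)) {
            New-Object PSObject -Property @{
                Name = $s.Name; StartMode = $s.StartMode; State = $s.State
                PathName = $s.PathName; Resolved = $exe
            }
        }
    }
}

Get-SvchostServiceMap | Sort-Object ProcessId |
    Format-Table ProcessId, Services, OddImagePath -AutoSize -Wrap
Get-OrphanedServices | Format-Table Name, StartMode, State, PathName -AutoSize -Wrap
```

The first table is the TASKLIST /SVC equivalent; the second is the list to compare against the Services snap-in, since a service whose binary is missing shows up there as "Automatic" but never reaches "Started".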
 
Mohamed OsamaSenior IT ConsultantCommented:
Thanks for the feedback, I was referring to several updates, hotfixes & patches that were released after the service pack, there certainly are a lot if you are following the Microsoft patch cycle.
The behaviour this machine is displaying could mean that there is a vulnerable/unpatched Windows component that is crashing repeatedly, which could also mean the existence of malware on the network that is trying to exploit this vulnerability, hence the need to be as up to date as possible.
hope this helps.



0
 
delyan_valchevCommented:
Digging into the crashing automatic service: it is possible that the culprit recovers itself after a single failure. You can try setting the recovery actions of all automatic services to "Take no action", restart the machine, and after you get the error, the automatic service which is not running is the bad guy.
Hope it helps!

Delyan
0
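A way to do both halves of that test without clicking through every service in services.msc, as an added example (mine, not delyan_valchev's): the recovery settings live in the binary FailureActions value under each service's registry key, and a service with no such value takes no action on failure, which is exactly what "Take no action" sets. The script backs up the Services key with reg.exe first, removes FailureActions from every Automatic service, and after the reboot lists the Automatic services that did not stay up. It assumes PowerShell 2.0 on XP, an Administrator session and the stock reg.exe; the backup file path is an assumption.

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0 on XP and an
# Administrator session. Removing FailureActions == "Take no action" on all
# three failures; 'reg import C:\services-before.reg' restores the originals.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$backupFile  = 'C:\services-before.reg'   # assumed location; any writable path will do

function Disable-AutoServiceRecovery {
    # Step 1: export the whole Services key first so this can be undone.
    # XP's reg.exe prompts if the target exists, so clear it to avoid a hang.
    if (Test-Path -LiteralPath $backupFile) { Remove-Item -LiteralPath $backupFile }
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services' $backupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg export failed; not touching any service' }

    foreach ($s in Get-WmiObject Win32_Service -Filter "StartMode = 'Auto'") {
        $key = Join-Path $servicesKey $s.Name
        $fa  = Get-ItemProperty -Path $key -Name FailureActions -ErrorAction SilentlyContinue
        if ($fa) {
            Remove-ItemProperty -Path $key -Name FailureActions
            "cleared recovery actions: $($s.Name)"
        }
    }
}

function Get-AutoServicesNotRunning {
    # Step 2, after the reboot: an Automatic service that is not running is
    # the one that crashed and, with recovery disabled, stayed down.
    # ExitCode is the Win32 error the SCM recorded for it.
    Get-WmiObject Win32_Service -Filter "StartMode = 'Auto' AND State <> 'Running'" |
        Select-Object Name, State, ExitCode, PathName
}

# Run step 1, reboot (shutdown /r /t 0), then run step 2 at the next logon:
# Disable-AutoServiceRecovery
# Get-AutoServicesNotRunning | Format-Table -AutoSize -Wrap
```

One caveat for a remote session like the LogMeIn one in this thread: if the service that keeps crashing is the remote-access service itself, disabling its recovery means losing the connection after the reboot, so have the user on hand before running step 1.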
 
grigorovskyAuthor Commented:
I have spent some time on the machine again today and here are my findings.

Discovered this item in the event log: "Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x00406a49". This obviously refers to the issue but throws no light upon the cause.

Ran Windows Update and updated everything, even to IE 8, but this did not solve the error.

Checked that all automatic services were started - they were.

Ran GMER and the only thing it turned up was an odd registry entry which it listed as:

HKLM\SOFTWARE\Classes\CLSID\{B6A930A0-A4F5-43A5-9B4E-6189A6C2B9E8}@t!s!s!d!t!s!d!t!s!r!y!s!s!t!\30!c!
I exported the entry and it showed up in the file as:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B6A930A0-A4F5-43A5-9B4E-6189A6C2B9E8}]
"tssdtsdtsrysstc"=dword:0001163e

I was unable to run scannow due to not being at the machine with an XP disk.

Ran the Kaspersky online scanner on the critical areas and received this log:

Scan statistics:
      Files scanned: 48725
      Threat name: 3
      Infected objects: 2
      Suspicious objects: 5
      Duration of the scan: 01:00:44

C:\Program Files\Common Files\Real\Toolbar\RealBar.dll
Infected:notavirus:AdWare.Win32.MegaSearch.s      1
C:\Program Files\Qualcomm\Eudora\In.mbx      Suspicious: Trojan-Spy.HTML.Fraud.gen 5
C:\WINDOWS\system32\wbem\grpconv.exe      Infected: Trojan.Win32.Inject.yrx      1

Does this help at all?
0
 
grigorovskyAuthor Commented:
Forgot to mention that I also ran MBSA and it came up completely clean.
0
 
delyan_valchevCommented:
grigorovsky,
Looking around for the strange CLSID, I came up with a forum thread referring to the same CLSID at some point:
http://forums.techguy.org/malware-removal-hijackthis-logs/786565-junk-navquar-removal-hjt.html
It has some very cool instructions and sets of tools to help clean-up a machine.
Anyway, it's normal for a system revived from a sandwich of 20 malwares and still having infected files (C:\WINDOWS\system32\wbem\grpconv.exe      Infected: Trojan.Win32.Inject.yrx) to have an incapacitated OS. You can consider solving the problem faster by redeploying the box.
Hope it helps!
Delyan
0
 
Mohamed OsamaSenior IT ConsultantCommented:
In the Kaspersky log this looks bad and could be related:
C:\WINDOWS\system32\wbem\grpconv.exe      Infected: Trojan.Win32.Inject.yrx      1
can you please upload this file to www.virustotal.com
we need to ensure this is not a false positive
once confirmed as a threat please download & run Combofix, please show us the CF log, as well as a hijack this log

0
 
warturtleCommented:
It's good to see that Kaspersky Online Scanner has highlighted what could be the infections within the PC. I suggest that you run a MalwareBytes scan right after running ComboFix and send us the MalwareBytes log.
0
 
grigorovskyAuthor Commented:
Thanks again for the advice. I did run malwarebytes and Avast over the file at C:\WINDOWS\system32\wbem\grpconv.exe and both came up blank. I will try again with virustotal.com.

I also found the forum at http://forums.techguy.org/malware-removal-hijackthis-logs/786565-junk-navquar-removal-hjt.html and indeed there were many tools and suggestions. I think I will stick with you guys for now.
0
 
grigorovskyAuthor Commented:
Ok so here is what has happened since the last report.

I have run complete virus and Malware scans on the system using Avast, Malwarebytes, SuperAntiSpyware and SpyBot SD.

Avast removed the file at C:\WINDOWS\system32\wbem\grpconv.exe also flagging it as a Trojan. A few other small items were picked up by the two malware programmes and SpyBot found a file in System32 called pavuppad.exe which it flagged as a rootkit.

I removed the registry entry HKLM\SOFTWARE\Classes\CLSID\{B6A930A0-A4F5-43A5-9B4E-6189A6C2B9E8}@t!s!s!d!t!s!d!t!s!r!y!s!s!t!\30!c! and ran Hijack this. Here is the current log.



hijackthis.log
0
 
grigorovskyAuthor Commented:
After all this the GHP still appears at startup. I have not run Combofix at this point as I am administering this machine remotely via LogMeIn and Combofix is known to close the internet connection as part of its process.

Can anyone see anything odd in the Hijack this log? It looks fairly ok to me.
0
 
grigorovskyAuthor Commented:
Should I consider turning off DEP?
0
 
grigorovskyAuthor Commented:
One curious thing that happened during today was that I noticed at each reboot that I was getting two GHP windows both for the same error and also the My Documents window was opening.

I discovered that this was due to a duplicate userinit.exe in the registry. Something like this in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon:

C:\windows\system32\userinit.exe,userinit.exe,

Removing everything after the first comma solved the problem but the question is what caused the second entry, it wasn't there before.
0
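A check for exactly this kind of tampering, as an added example (mine, not from the thread): Winlogon launches every comma-separated entry in the Userinit value at each logon, and the Shell value the same way, so a second entry is an extra program started under the user's account, and a bare file name like the `userinit.exe` seen above is located by path search rather than by full path, so a same-named file in another PATH directory would win. The script reports both values against the XP defaults and offers a one-line repair; it assumes PowerShell 2.0 on XP, and the expected values are XP's defaults (an assumption for other Windows versions).

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0 on XP and an
# Administrator session; expected values are the XP defaults (assumption for
# other Windows versions). Compare against the HKLM Winlogon key only.

$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-WinlogonLaunchValues {
    $expected = @{
        Userinit = "$env:SystemRoot\system32\userinit.exe,"
        Shell    = 'Explorer.exe'
    }
    $wl = Get-ItemProperty -Path $winlogonKey
    foreach ($name in 'Userinit', 'Shell') {
        $actual  = [string]$wl.$name
        # Every non-empty item in the list is executed at logon.
        $entries = @($actual -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        # A bare name (no backslash) is resolved by search, not by full path.
        $bare    = @($entries | Where-Object { $_ -notmatch '\\' })
        $status  = if ($actual -eq $expected[$name]) { 'OK' } else { 'CHECK' }
        New-Object PSObject -Property @{
            Value       = $name
            Actual      = $actual
            Expected    = $expected[$name]
            Entries     = $entries.Count
            BareEntries = ($bare -join ', ')
            Status      = $status
        }
    }
}

function Repair-WinlogonUserinit {
    # Put Userinit back to the single stock entry. Keep the trailing comma:
    # that is the form Windows ships. Run only after reviewing the report.
    Set-ItemProperty -Path $winlogonKey -Name Userinit `
        -Value "$env:SystemRoot\system32\userinit.exe,"
}

Test-WinlogonLaunchValues |
    Format-Table Value, Status, Entries, BareEntries, Actual -AutoSize -Wrap
```

On the thread's machine the report would have shown Userinit with Entries = 2, BareEntries = `userinit.exe` and Status = CHECK; after the repair it shows Entries = 1 and OK. Re-running the check after each reboot is a cheap way to confirm nothing is re-adding the entry.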
 
Mohamed OsamaSenior IT ConsultantCommented:
Hijack this log looks fine , turning off DEP will be a workaround not a solution.
>>Removing everything after the first comma solved the problem but the question is what caused the second entry, it wasn't there before.
Apparently this was the action of the rootkit; this is what they do, i.e. hide other executables, registry entries and even network connections from the Windows API which is used by explorer, regedit, netstat, etc.
once the rootkit was gone , things started to clear out.
you should consider running another Kaspersky online scan with the rootkit gone, just for the sake of accuracy.
also if the machine still displays any strange behaviour, consider arranging to run Combofix from the machine console, the user can run it himself & you can collect the log later on from C:\Combofix
0
 
grigorovskyAuthor Commented:
The GHP message has recently stopped appearing. I can only assume that this is due to Windows Update patching a faulty component. Many thanks for the assistance with this very tricky problem.
0
