Generic Host Process for Win32 Services has encountered a problem and needs to close

Posted on 2009-05-12
Last Modified: 2012-05-06
This is driving me crazy.
A client of mine complained that their XP SP2 system was running slow. I ran Malwarebytes Anti-Malware and found 20 items, among which was the Trojan.Ambler keylogger virus. I allowed the programme to remove everything, which required a reboot. On rebooting I was faced with the dreaded "Generic Host Process for Win32 Services has encountered a problem and needs to close" message. Clicking on Close sends it away and everything else on the machine seems to be working fine.

While working on the machine I noticed that the Windows Update icon was displaying in the system tray. When clicked it requested permission to update the system to SP3. I felt pretty sure that this would also cure the GHP error and so carried out the update. All went well but on rebooting the GHP message was still there.

I have followed some advice on various sites, in particular the re-registering of Windows Update files and renaming of the SoftwareDistribution folder, but this has not helped. The problem appears to be with svchost.exe, but this could refer to many different things. Since removing the malware I have run further scans with AV and AM programmes. These have found and removed a few more things, but the GHP message prevails.

I am desperate to find a solution and would welcome any suggestions.
Question by:grigorovsky
Expert Comment

by:Admin3k
ID: 24367869
I would instantly consult the event logs; usually such errors will be resolved by Windows Update.
Make sure your client has an active firewall turned on, run Windows Update or run an MBSA scan on his machine, and download and install any missing updates through the MBSA scan report.


Expert Comment

by:delyan_valchev
ID: 24367945
Check for any automatic service which is not started. The problem may be partially removed malware which has left a service entry with a missing or broken malware executable.
You can also scan the system with the great rootkit detection tool GMER - http://www.gmer.net/
It can point you to the culprit.
Hope it helps!
Expert Comment

by:warturtle
ID: 24367993
It could be corrupt system files for which you can do this:

Start->Run->sfc /scannow

This will ask Windows to check all OS files and make sure that they are not corrupt or missing. If there are any corrupted or missing files, they will be replaced with fresh copies. You'll need the Windows XP CD for this, though.

Secondly, after doing that I am going to advise that you do an online scan of critical areas with the Kaspersky Online Scanner based at: http://www.kaspersky.co.uk/virusscanner and let us know, what you find.

Hope it helps.

Author Comment

by:grigorovsky
ID: 24368331
Thank you for the very quick responses here. I am administering the machine remotely via LogMeIn and need to liaise with the client before starting another session. I will certainly be trying out your advice.

Admin3k: I did look at the event log and could only find one reference to a USB device that could not be started. This seemed to be consistent with each time the machine is started up. Bearing in mind that the problem was present while the system was at the SP2 stage and prevailed into the SP3 update, I would have hoped that any relevant hotfixes would have already been applied.

delyan valchev: I had a quick look at the Services list but could not see anything obvious. My first thought was also that this may have to do with a service entry pointing to a broken or deleted malware exec. I will try GMER.

warturtle: I will try scannow and the Kaspersky tool and let you know the outcome.
Expert Comment

by:LeeTutor
ID: 24368567
If you have an XP Pro system, and not XP Home, then you can go to a CMD prompt and find out what processes are connected with each of the SVCHOST.EXE entries by typing   TASKLIST /SVC   That may help you narrow down what the problems are...

Author Comment

by:grigorovsky
ID: 24368762
That would be great. Unfortunately this one is running XP home. Is there anything similar or a third party utility which could provide that information?
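Since XP Home has no TASKLIST /SVC, here is an added example (not posted in the thread, not an Experts Exchange tool) that gets the same svchost-to-service mapping from WMI, which every XP edition ships, and at the same time performs delyan_valchev's check for automatic services that are not running or whose executable is no longer on disk. It assumes PowerShell 2.0 is installed on the machine (a separate download on XP); the helper names Get-ServiceImagePath and Get-ServiceReport and the report layout are my own.

```powershell
# Added example, not from the thread. Requires PowerShell 2.0 (separate install on XP);
# the Win32_Service WMI class it reads is present on XP Home as well as XP Pro.

function Get-ServiceImagePath([string]$pathName) {
    # Win32_Service.PathName is the raw ImagePath: it may be quoted, may use %SystemRoot%,
    # and may carry arguments such as '-k netsvcs'. Return just the executable.
    $p = [Environment]::ExpandEnvironmentVariables($pathName).Trim()
    if ($p -match '^"([^"]+)"')  { return $matches[1] }   # "C:\Program Files\x\y.exe" -arg
    if ($p -match '^(.+?\.exe)') { return $matches[1] }   # C:\WINDOWS\system32\svchost.exe -k netsvcs
    return $p                                              # unusual entry; report it verbatim
}

function Get-ServiceReport {
    $report = @()
    foreach ($svc in (Get-WmiObject -Class Win32_Service)) {
        $image  = Get-ServiceImagePath $svc.PathName
        $onDisk = $false
        if ($image -ne '') { $onDisk = Test-Path -LiteralPath $image }
        $report += New-Object PSObject -Property @{
            Name      = $svc.Name
            StartMode = $svc.StartMode     # Auto / Manual / Disabled
            State     = $svc.State         # Running / Stopped / ...
            PID       = $svc.ProcessId     # 0 when the service is not running
            Image     = $image
            OnDisk    = $onDisk
        }
    }
    return $report
}

$report = Get-ServiceReport

'== Automatic services that are not running (a crashed or half-removed one shows up here) =='
$report | Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } |
    Format-Table Name, State, Image -AutoSize

'== Services whose executable is missing from disk (service entry left behind by malware) =='
$report | Where-Object { -not $_.OnDisk } |
    Format-Table Name, StartMode, Image -AutoSize

'== Services hosted by each svchost.exe (compare with the PID of the crashing one) =='
$report | Where-Object { $_.Image -match 'svchost\.exe$' -and $_.PID -ne 0 } |
    Group-Object PID | ForEach-Object {
        '{0}: {1}' -f $_.Name, (($_.Group | ForEach-Object { $_.Name }) -join ', ')
    }
```

To pair the last table with the dialog, enable the PID column in Task Manager (View, Select Columns) and note which svchost.exe instance disappears when the error is dismissed; the services listed under that PID are the ones to investigate first. A service with a path that does not resolve is exactly the "entry without an executable" case from the earlier comment.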
Accepted Solution

by:Admin3k (earned 500 total points)
ID: 24368896
Thanks for the feedback. I was referring to several updates, hotfixes and patches that were released after the service pack; there certainly are a lot if you are following the Microsoft patch cycle.
The behaviour this machine is displaying could mean that there is a vulnerable / unpatched Windows component that is crashing repeatedly, which could also mean the existence of malware on the network that is trying to exploit this vulnerability, thus the need to be most updated.
Hope this helps.


Expert Comment

by:delyan_valchev
ID: 24369226
Digging into a crashing automatic service, it is possible that the culprit recovers itself after a single failure. You can try setting the recovery actions of all automatic services to "Take no action", restart the machine, and after you get the error, the automatic service which is not running is the bad guy.
Hope it helps!

Delyan

Author Comment

by:grigorovsky
ID: 24378962
I have spent some time on the machine again today and here are my findings.

Discovered this item in the event log: "Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x00406a49". This obviously refers to the issue but throws no light upon the cause.

Ran Windows Update and updated everything, even to IE 8, but this did not solve the error.

Checked that all automatic services were started - they were.

Ran GMER and the only thing it turned up was an odd registry entry which it listed as:

HKLM\SOFTWARE\Classes\CLSID\{B6A930A0-A4F5-43A5-9B4E-6189A6C2B9E8}@t!s!s!d!t!s!d!t!s!r!y!s!s!t!\30!c!
I exported the entry and it showed up in the file as:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B6A930A0-A4F5-43A5-9B4E-6189A6C2B9E8}]
"tssdtsdtsrysstc"=dword:0001163e

I was unable to run scannow due to not being at the machine with an XP disk.

Ran the Kaspersky online scanner on the critical areas and received this log:

Scan statistics:
      Files scanned: 48725
      Threat name: 3
      Infected objects: 2
      Suspicious objects: 5
      Duration of the scan: 01:00:44

C:\Program Files\Common Files\Real\Toolbar\RealBar.dll
Infected:notavirus:AdWare.Win32.MegaSearch.s      1
C:\Program Files\Qualcomm\Eudora\In.mbx      Suspicious: Trojan-Spy.HTML.Fraud.gen 5
C:\WINDOWS\system32\wbem\grpconv.exe      Infected: Trojan.Win32.Inject.yrx      1

Does this help at all?

Author Comment

by:grigorovsky
ID: 24378979
Forgot to mention that I also ran MBSA and it came up completely clean.
Expert Comment

by:delyan_valchev
ID: 24379200
grigorovsky,
Looking around for the strange CLSID, I came up with a forum thread referring to the same CLSID at some point:
http://forums.techguy.org/malware-removal-hijackthis-logs/786565-junk-navquar-removal-hjt.html
It has some very cool instructions and sets of tools to help clean-up a machine.
Anyway, it's normal for a system revived from a sandwich of 20 malwares, and still having infected files (C:\WINDOWS\system32\wbem\grpconv.exe      Infected: Trojan.Win32.Inject.yrx), to have an incapacitated OS. You can consider solving the problem faster by redeploying the box.
Hope it helps!
Delyan
Expert Comment

by:Admin3k
ID: 24379221
In the Kaspersky log this looks bad and could be related:
C:\WINDOWS\system32\wbem\grpconv.exe      Infected: Trojan.Win32.Inject.yrx      1
Can you please upload this file to www.virustotal.com?
We need to ensure this is not a false positive.
Once confirmed as a threat, please download and run ComboFix, and please show us the CF log, as well as a HijackThis log.
Expert Comment

by:warturtle
ID: 24380362
It's good to see that Kaspersky Online Scanner has highlighted what could be the infections within the PC. I suggest that you run a MalwareBytes scan right after running ComboFix and send us the MalwareBytes log.

Author Comment

by:grigorovsky
ID: 24383368
Thanks again for the advice. I did run Malwarebytes and Avast over the file at C:\WINDOWS\system32\wbem\grpconv.exe and both came up blank. I will try again with virustotal.com.

I also found the forum at http://forums.techguy.org/malware-removal-hijackthis-logs/786565-junk-navquar-removal-hjt.html and indeed there were many tools and suggestions. I think I will stick with you guys for now.

Author Comment

by:grigorovsky
ID: 24398843
Ok so here is what has happened since the last report.

I have run complete virus and malware scans on the system using Avast, Malwarebytes, SuperAntiSpyware and Spybot S&D.

Avast removed the file at C:\WINDOWS\system32\wbem\grpconv.exe, also flagging it as a Trojan. A few other small items were picked up by the two malware programmes, and Spybot found a file in System32 called pavuppad.exe which it flagged as a rootkit.

I removed the registry entry HKLM\SOFTWARE\Classes\CLSID\{B6A930A0-A4F5-43A5-9B4E-6189A6C2B9E8}@t!s!s!d!t!s!d!t!s!r!y!s!s!t!\30!c! and ran HijackThis. Here is the current log (attached):

hijackthis.log

Author Comment

by:grigorovsky
ID: 24398880
After all this the GHP still appears at startup. I have not run ComboFix at this point as I am administering this machine remotely via LogMeIn and ComboFix is known to close the internet connection as part of its process.

Can anyone see anything odd in the HijackThis log? It looks fairly OK to me.

Author Comment

by:grigorovsky
ID: 24398961
Should I consider turning off DEP?

Author Comment

by:grigorovsky
ID: 24399048
One curious thing that happened during today was that I noticed at each reboot that I was getting two GHP windows, both for the same error, and also the My Documents window was opening.

I discovered that this was due to a duplicate userinit.exe in the registry. Something like this in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon:

C:\windows\system32\userinit.exe,userinit.exe,

Removing everything after the first comma solved the problem, but the question is what caused the second entry; it wasn't there before.
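The doubled Userinit value above is a classic logon-persistence hook, so here is an added example (not from the thread) that audits the Winlogon values malware most often rewrites and can put them back. The expected defaults are assumptions stated in the code: on a default XP install Userinit is C:\WINDOWS\system32\userinit.exe, (the trailing comma is normal) and Shell is Explorer.exe. It assumes PowerShell 2.0, and an administrator session for the optional -Fix; the function name Test-Winlogon is my own.

```powershell
# Added example, not from the thread. Audits the HKLM Winlogon values against the XP
# defaults (an assumption stated here) and, with -Fix, restores them. Requires PowerShell 2.0.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Expected = @{
    # Default XP values. Everything after the first comma in Userinit is an extra program
    # launched at every logon. An unqualified name such as 'userinit.exe' is resolved through
    # the search path, so a same-named file dropped elsewhere would run instead of the
    # system32 copy; that is why a second, path-less entry deserves a close look.
    Userinit = ([Environment]::SystemDirectory + '\userinit.exe,')
    Shell    = 'Explorer.exe'
}

function Test-Winlogon([switch]$Fix) {
    $props    = Get-ItemProperty -Path $WinlogonKey
    $findings = @()
    foreach ($name in $Expected.Keys) {
        $actual = [string]$props.$name
        if ($actual -eq $Expected[$name]) { continue }   # string -eq is case-insensitive

        # Every comma-separated entry beyond the first is an extra launcher; list them.
        $extra = @($actual.Split(',') |
                   ForEach-Object { $_.Trim() } |
                   Where-Object { $_ -ne '' } |
                   Select-Object -Skip 1)

        $findings += New-Object PSObject -Property @{
            Value    = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Extra    = ($extra -join ' | ')
        }
        if ($Fix) {
            # Same effect as the manual edit in the comment above: keep only the default.
            Set-ItemProperty -Path $WinlogonKey -Name $name -Value $Expected[$name]
        }
    }
    return $findings
}

# Report only; run 'Test-Winlogon -Fix' as an administrator to rewrite the values.
Test-Winlogon | Format-List Value, Expected, Actual, Extra
```

Against the value quoted in the comment, Extra would contain the single path-less entry userinit.exe. Before repairing, copy the Actual string somewhere: the extra launcher names are the lead for what else to look for on disk, and a file by that name outside system32 is worth submitting to VirusTotal as suggested earlier in the thread.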
Expert Comment

by:Admin3k
ID: 24401926
The HijackThis log looks fine; turning off DEP will be a workaround, not a solution.
>>Removing everything after the first comma solved the problem but the question is what caused the second entry, it wasn't there before.
Apparently this was the action of the rootkit; this is what they do, i.e. hide other executables, registry entries and even network connections from the Windows API which is used by Explorer, regedit, netstat, etc.
Once the rootkit was gone, things started to clear out.
You should consider running another Kaspersky online scan with the rootkit gone, just for the sake of accuracy.
Also, if the machine still displays any strange behaviour, consider arranging to run ComboFix from the machine console; the user can run it himself and you can collect the log later on from C:\ComboFix.

Author Closing Comment

by:grigorovsky
ID: 31580664
The GHP message has recently stopped appearing. I can only assume that this is due to Windows Update patching a faulty component. Many thanks for the assistance with this very tricky problem.