Data Execution Prevention Error

slamond
One of our employee's home PC displays the following message during startup:

"Data Execution Prevention Error
Generic Host Process for Win32 Services"

They are ultimately able to start Windows but they are concerned that there is spyware or a virus lurking, given that they recently had a spyware issue that was removed using Malwarebytes.

Attached is their system profile using Belarc Advisor.

I assume someone will want us to install some other program to scan the system for executables?

S.



Belarc-Redacted.doc
Top Expert 2009

Commented:
What scanners were used? Can you post MBAM's logfile?
Mohammed Hamada, Senior IT Consultant

Commented:
This must be some virus or third party running as a service under the Generic Host process.
Please turn updates on and check the following:
http://support.microsoft.com/kb/894391

GL
Top Expert 2007
Commented:
That error can be caused by many factors.

To rule out malware/viruses try ComboFix and attach the log.
Though this doesn't rule out the new infections.


Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to, and run it from, your Desktop.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Author

Commented:
Here's the Malwarebytes logfile:

Malwarebytes' Anti-Malware 1.44
Database version: 3596
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/18/2010 7:18:42 PM
mbam-log-2010-01-18 (19-18-42).txt

Scan type: Quick Scan
Objects scanned: 159454
Time elapsed: 36 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 3
Registry Data Items Infected: 8
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\helper32.dll (FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\IS2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internet security 2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\winlogon32.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\InternetSecurity2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\helper32.dll (FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Kevin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Start Menu\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\cd17543a-e34c-4615-b1fe-6638d9207acd.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.

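The Malwarebytes log above records the persistence points the Internet Security 2010 rogue used: Run values (smss32.exe, "internet security 2010"), a Winlogon\Userinit hijack (winlogon32.exe substituted for userinit.exe), and policy values set to 1 to disable Task Manager and wallpaper/Active Desktop changes. The PowerShell script below is an added example, not part of the original thread and not code from Malwarebytes, ComboFix or any other tool named here. It re-audits those same locations after cleanup and emits a SHA-256 for every autostart target so the file can be looked up on VirusTotal by hash without uploading it. It assumes Windows PowerShell 2.0 or later (available for XP SP3) run from an elevated prompt; the "expected" Userinit value it compares against is that of a stock Windows XP install and is an assumption of this example.

```powershell
# Added example (not from the original thread): re-check the persistence points the
# Malwarebytes log reported as hijacked and hash each autostart target for a VirusTotal lookup.
# Assumes Windows PowerShell 2.0+ in an elevated prompt. "Expected" values are those of a
# stock Windows XP install (assumption); adjust if Windows is not in %SystemRoot%.

$findings = New-Object System.Collections.ArrayList

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null instead of throwing when the key or the value does not exist.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Get-ExePathFromCommand([string]$Command) {
    # '"C:\dir\a.exe" /x' -> C:\dir\a.exe ; 'C:\dir\a.exe /x' -> C:\dir\a.exe
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($c, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $c
}

function Get-Sha256([string]$File) {
    # Hash without loading the whole file into memory; lowercase hex as VirusTotal displays it.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($File)
    try     { return ([BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '').ToLower() }
    finally { $fs.Close() }
}

# 1. Winlogon\Userinit. The log showed winlogon32.exe here; a clean XP value is
#    "<SystemRoot>\system32\userinit.exe," (the trailing comma is normal).
$userinit = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Userinit'
$expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
if (($userinit -eq $null) -or ($userinit.TrimEnd(',') -ne $expected)) {
    [void]$findings.Add("Userinit is '$userinit', expected '$expected,'")
}

# 2. Policy values the rogue flipped to 1 to hide itself. On a stand-alone home PC these
#    are normally absent; a value of 1 outside a domain GPO needs an explanation.
$policies = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop'
)
foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($p in $policies) {
        $key  = Join-Path $hive (Split-Path $p -Parent)
        $name = Split-Path $p -Leaf
        if ((Get-RegValue $key $name) -eq 1) { [void]$findings.Add("$hive\$p = 1 (restriction set)") }
    }
}

# 3. Run keys in both hives: list every autostart, flag targets missing from disk or without a
#    valid Authenticode signature, and print a SHA-256 for a VirusTotal hash search.
$metaNames = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($metaNames -contains $prop.Name) { continue }   # skip PowerShell's own metadata
        $exe = Get-ExePathFromCommand ([string]$prop.Value)
        if (-not (Test-Path $exe)) {
            [void]$findings.Add("$key\$($prop.Name) -> '$exe' does not exist on disk")
            continue
        }
        $sig  = Get-AuthenticodeSignature -FilePath $exe
        $line = "$key\$($prop.Name) -> $exe  sig=$($sig.Status)  sha256=$(Get-Sha256 $exe)"
        Write-Output $line
        if ($sig.Status -ne 'Valid') { [void]$findings.Add($line) }
    }
}

# 4. Summary
if ($findings.Count -eq 0) {
    Write-Output 'No hijacked persistence points found at the audited locations.'
} else {
    Write-Output "`nFindings ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Treat sig=NotSigned as a prompt to search the hash, not as proof of infection: much third-party software of the XP era shipped unsigned. An autostart whose target no longer exists on disk is the common leftover after a scanner deletes the file but not the Run value, which is harmless but worth removing. The specific paths the log names (helper32.dll, 41.exe, winlogon32.exe under system32) can be confirmed gone with Test-Path directly.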
Author

Commented:
Thanks moh10ly, but that article notes that it only applies to Windows XP SP2 and the user has SP3 installed.
Top Expert 2009

Commented:
Thanks for logfile.
Follow on with ComboFix's procedure :)

Author

Commented:
In the middle of the scan, the generic host Microsoft notation displayed.
ComboFix-013110.txt
Mohammed Hamada, Senior IT Consultant
Commented:
MAN!!! You have 3 antiviruses on this computer? This would surely cause the Data Execution Prevention error to happen.
You also have lots of infections ... you should really consider using only one antivirus and do an online scan with Trend Micro to remove any leftovers of these viruses/spyware, etc.

Author

Commented:
I have instructed the user to uninstall AVG and Avira and keep Symantec,
then to make sure the virus definitions are updated and scan the system again.

When he's done, I'll tell him to wait for further instructions from you guys.
S.

Author

Commented:
The user is reporting that the "Data Execution..." error is gone.

I suspect that this error was only a symptom of the user's attempt to overdose on anti-viral software.
So, to address the real problem, attached is the latest ComboFix logfile.

Let me know if you see any lingering infections.
ComboFix-020110.txt

Author

Commented:
Any more action needed ?
Top Expert 2009
Commented:
Run Eset online scanner
Check to "scan archives"

Under advanced options:
Have all three boxes checked

Attach its logfile
Location:C:\Program Files\EsetOnlineScanner\log.txt

Eset online scan http://www.eset.com/onlinescan/
Mohammed Hamada, Senior IT Consultant

Commented:
The ComboFix log doesn't show any suspicious files; however, it would be great if you would go again with an online scan, as I suggested earlier with Trend Micro or as optoma suggested with the Eset scan. Post logs when done.

GL

Author

Commented:
Attached is the logfile for the Eset online scanner.
S.
ESETS-020410.txt
Mohammed Hamada, Senior IT Consultant

Commented:
Result tells your system is clean, I think your computer is safe !!!

Author

Commented:
Thanks to all.
S.
Top Expert 2009

Commented:
No prob,
Could you locate this file and check it at virustotal
http://www.virustotal.com/

You will have to go into folder options and "show hidden files and folders" firstly

 c:\windows\system32\E71B88B300.sys
Top Expert 2007

Commented:
@ optoma:

Below file is legit, related to Divx software.
c:\windows\system32\E71B88B300.sys



slamond,

Glad to know it's resolved.
To uninstall Combofix:
Go to Start > Run and 'copy and paste' next command in the field:

ComboFix /Uninstall


Thanks for using Experts-Exchange!



Top Expert 2009

Commented:
Ok, thanks Rpg :)
