Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

System 32 still opening--and more Viruses!


  • Please log in to reply

#1
hawthorn

hawthorn

    Member

  • Member
  • PipPipPip
  • 203 posts
Hi all.

I have been writing for a while now about my ongoing problems since I installed my new HD. Thanks to Coachwife and Jonnyrotten for your help so far--certainly my PC is at least running reasonably fast thanks to you!

When I boot up, C:\Windows\system32 still boots up, and also i got this erroe a few times:

Generic Host Process for Win32 Services
Generic Host Process for Win32 Services has encountered a problem and needs to close.

And the Data error report contained:

szAppName : szAppVer: 0.0.0.0 szModName: unknown szModVer: 0.0.0.0
offset: 00000000

The following files were included

C:\DOCUMENT~1\KEVINC~1\LOCALS~1\TEMP\WER1E.tmp.dir00\svchost.exe.mdmp\appcompat.txt


The PC froze and nothing would open or close, so I had to press the on/off button.

Anyway, someone at PcPitstop advised me to run the Pitstop check, which i did and nothing major showed up. They also asked me to do some online virus checks. I did, with Housecall and Pitstop virus check, which i had to download.
Here are results from house call:

WORM WOOTBOT.O C:\WINDOWS\system32\videosd.32.exe
WORM RBOT.NR C:\WINDOWS\system32\wngard.exe
TROJ DLOADER.QB C:\explorer.exe
C:\iexplorer.exe
TROJ LOWZONES.C C:\mms.exe
REG LOWZONES.A C:\re11.REG
TROJ DLOADER.PE C:\xbbgs.exe
TROJ LOWZONES.C C:\xmmc.exe
TROJ LOWZONES.C C:\xnnc.exe
TROJ LOWZONES.C C:\xrttc.exe
TROJ LOWZONES.C C:\xssss.exe
TROJ DLOADER.PE C:\xttgs.exe


And from Pitstop:

The Trj/Downloader.TC Virus was found in file C:\opens.html

The W32/Gaobot.AQE.worm Virus was found in file C:\WINDOWS\system32\videosd32.exe

The W32/Gaobot.ASO.worm Virus was found in file C:\WINDOWS\system32\wngard.exe


Interestingly a scan with AVG showed NOTHING unusual! Surely it should have spotted something, or are the other programs giving false results?

Where do I go from here!!!??
  • 0

Advertisements


#2
admin

admin

    Founder Geek

  • Administrator
  • 24,501 posts
These are trusted programs that have earned our recommendation:

Please run a free online virus scan here (tick the "Auto Clean" checkbox):
http://housecall.antivirus.com/

And a free trojan scan here:
http://www.moosoft.com/
  • 0

#3
hawthorn

hawthorn

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 203 posts
[quote name='hawthorn' date='Sep 27 2004, 06:31 PM']

Here are results from house call:

WORM WOOTBOT.O C:\WINDOWS\system32\videosd.32.exe
WORM RBOT.NR C:\WINDOWS\system32\wngard.exe
TROJ DLOADER.QB C:\explorer.exe
C:\iexplorer.exe
TROJ LOWZONES.C C:\mms.exe
REG LOWZONES.A C:\re11.REG
TROJ DLOADER.PE C:\xbbgs.exe
TROJ LOWZONES.C C:\xmmc.exe
TROJ LOWZONES.C C:\xnnc.exe
TROJ LOWZONES.C C:\xrttc.exe
TROJ LOWZONES.C C:\xssss.exe
TROJ DLOADER.PE C:\xttgs.exe


I already have scanned with Trend Housecall.

I've just scanned with Moosoft The Cleaner and NO trojans were found! Hmmm!

Puzzling!
  • 0

#4
Smokey

Smokey

    Member 1K

  • Retired Staff
  • 1,423 posts
Reboot in safe mode (by tapping F8 at startup and select safe mode from the menu). Be sure you're able to view hidden files, and remove the following:

C:\WINDOWS\system32\videosd.32.exe
C:\WINDOWS\system32\wngard.exe
C:\explorer.exe
C:\iexplorer.exe
C:\mms.exe
C:\re11.REG
C:\xbbgs.exe
C:\xmmc.exe
C:\xnnc.exe
C:\xrttc.exe
C:\xssss.exe
C:\xttgs.exe
C:\opens.html
C:\WINDOWS\system32\videosd32.exe
C:\WINDOWS\system32\wngard.exe

Also, run Disk Cleanup:

1. Go to "Start", "All Programs", "Accessories". "System Tools", "Disk Cleanup"
2. Make sure all the boxes are checked, then hit "OK"

Finally, Reboot in regular mode and post a HiUackThis log. See the "HiJackThis Guide" link in my signature. <_<
  • 0

#5
hawthorn

hawthorn

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 203 posts
Hi, The Other Side, thanks for reply!

Im about to do as you suggested, but I think theres a feeling of deja vu about this! Coachwife went through a similar routine with me last week; maybe I've been re-infected. You see i loaded on XP to the new Hard Drive but i dont know what updates I actually have. At the moment theres updates waiting to be downloaded, but its SP2, and anyway I have that on a cover disc. I notice in a similar post from someone who has reformatted and STILL has trojans etc that coachwife says all malware should be removed before SP2, and gave instructions to dload all the updates up to SP2. Trouble is I dont know what I have, though if SP is waiting to d load would that mean Im up to date to that point?

Anyway I will now do as you suggested, and post results!

Thanks

Kevin
  • 0

#6
hawthorn

hawthorn

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 203 posts
OK, other side!!

Ive done as you requested; here is Hijack This log:

Logfile of HijackThis v1.97.7
Scan saved at 19:47:13, on 29/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Kevin Carroll\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [BuildLabs] C:\WINDOWS\system\csrss.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Money Viewer (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095350570078
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop...irus/PitPav.cab


When I rebooted, unfortunately, system 32 still opening up. Someone posted a link to a Microsoft solution for this, but it involved editing the registry which Im not confident at doing.

Also having problems logging in to Geeks site right now, wont recognize my password. I went through the process of filling in form for new one but same result. hardly connected to the problems Im having?

Kevin
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP