Generic Host Process for Win32 Services has encountered a problem and needs to close

Question

MooK1983 0 Newbie Poster

13 Years Ago

Every single time I turn on my laptop this message pops up:

Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.

Technical Details:

C:\DOCUME~1\user\LOCALS~1\Temp\WER590c.dir00\svchost.exe.mdmp
C:\DOCUME~1\user\LOCALS~1\Temp\WER590c.dir00\appcompat.txt

I have tried running AVG Anti-Virus Free Edition 2011, Spybot S&D, Malwarebytes'Anti-Malware and the Windows Malicious Software Removal Tool. The Windows Malicious Software Removal Tool found a Win32 Trojan Alureon virus and I cannot get rid of that.

GMER-ONE:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2010-11-18 22:16:40
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort0 TOSHIBA_MK4018GAP rev.M0.03_A
Running: fi8px3gs.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\kfqyrpog.sys

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sectors 78139904 (+255): rootkit-like behavior;

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 85A42AEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 85A42AEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 85A42AEA

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK4018GAP_______________________M0.03_A_#3258345235303136205420202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- EOF - GMER 1.0.15 ----

GMER-TWO:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-18 22:51:48
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort0 TOSHIBA_MK4018GAP rev.M0.03_A
Running: fi8px3gs.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\kfqyrpog.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xF26E96C0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xF26E9770]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xF26E9810]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xF26E98B0]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 85C41AEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 85C41AEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 85C41AEA

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK4018GAP_______________________M0.03_A_#3258345235303136205420202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sectors 78139904 (+255): rootkit-like behavior;

---- EOF - GMER 1.0.15 ----

Malwarebytes Anti-Malware:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

11/15/2010 12:42:00 PM
mbam-log-2010-11-15 (12-42-00).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 146557
Time elapsed: 47 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

AVG Anti-Virus Free Edition 2011:

"";"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Q1FZJQCB\inst[1].exe";"Trojan horse FakeAlert.VL";"Moved to Virus Vault"
"";"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Q1FZJQCB\inst[2].exe";"Trojan horse FakeAlert.VL";"Moved to Virus Vault"
"";"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\X3SBSZZP\inst[1].exe";"Trojan horse FakeAlert.VL";"Moved to Virus Vault"

I dont know what else to do.

windows-virus

3 Contributors
13 Replies
239 Views
4 Days Discussion Span
Latest Post 13 Years Ago Latest Post by jholland1964

All 13 Replies

crunchie 990 Most Valuable Poster

13 Years Ago

Hi and welcome to the Daniweb forums :).

==========

You also need to post the log from DDS as per the sticky thread please.

==

Were you not able to update MBA-M? It is a couple of months behind in it's definitions.
Please update it and run it again.

====

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

crunchie 990 Most Valuable Poster

13 Years Ago

No worries :).

That log you just posted is incomplete. Can you please run it again and post the complete one.

How about MBA-M? Are you able to update and run it?

crunchie 990 Most Valuable Poster

13 Years Ago

Ok. Please download ComboFix by sUBs from HERE or HERE

You must download it to and run it from your Desktop
Physically disconnect from the internet.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply.
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

jholland1964 650 Posting Expert

13 Years Ago

Did you follow this caution?
Do not mouse-click combofix's window while it is running. That may cause it to stall

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

MooK1983 0 Newbie Poster · Answer 1 · 2010-11-19T14:27:06+00:00

Hey Crunchie and thanks for the welcome....I didn't post the DDS log because for whatever reason it would never run, it just kinda made my laptop stall. I did some further searching through this forum and google about the Win32 Alureon_H Trojan and I found a program called TDSKiller that I ran. I think it got rid of the virus as there is no longer an error message popping up when I start my laptop. But I would still like to go through with the process just to be sure everything is fine. I posted the MBR Check below and if necessary I can re-do all the programs and repost the new information. Let me know whatever you need me to do and I can't thank you enough for all the help that you and your team have provided for everyone.

MBRCheck:

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 128):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EC000 \WINDOWS\system32\hal.dll
0xF7D2F000 \WINDOWS\system32\KDCOM.DLL
0xF7C3F000 \WINDOWS\system32\BOOTVID.dll
0xF77E0000 ACPI.sys
0xF7D31000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF77CF000 pci.sys
0xF782F000 isapnp.sys
0xF7C43000 compbatt.sys
0xF7C47000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7DF7000 PCIIde.sys
0xF7AAF000 \WINDOWS\System32\Drivers\PCIIDEX.SYS
0xF7D33000 intelide.sys
0xF77B1000 pcmcia.sys
0xF783F000 MountMgr.sys
0xF7792000 ftdisk.sys
0xF7AB7000 PartMgr.sys
0xF784F000 VolSnap.sys
0xF777A000 atapi.sys
0xF7ABF000 cercsr6.sys
0xF7762000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xF785F000 disk.sys
0xF786F000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7743000 fltMgr.sys
0xF7731000 sr.sys
0xF771A000 KSecDD.sys
0xF768D000 Ntfs.sys
0xF7660000 NDIS.sys
0xF7645000 Mup.sys
0xF7AC7000 avgrkx86.sys
0xF787F000 AVGIDSEH.Sys
0xF788F000 agp440.sys
0xF792F000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF7CD7000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF746B000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF7457000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7B17000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF7434000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7B1F000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF740A000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xF73F3000 \SystemRoot\system32\DRIVERS\ozscr.sys
0xF7CDB000 \SystemRoot\system32\DRIVERS\SMCLIB.SYS
0xF71D7000 \SystemRoot\system32\DRIVERS\w29n51.sys
0xF793F000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7B27000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7B2F000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF794F000 \SystemRoot\system32\DRIVERS\serial.sys
0xF7CDF000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF71C3000 \SystemRoot\system32\DRIVERS\parport.sys
0xF795F000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF796F000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF797F000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF71A0000 \SystemRoot\system32\DRIVERS\ks.sys
0xF715F000 \SystemRoot\system32\drivers\stac97.sys
0xF713B000 \SystemRoot\system32\drivers\portcls.sys
0xF798F000 \SystemRoot\system32\drivers\drmk.sys
0xF7108000 \SystemRoot\system32\DRIVERS\HSFHWICH.sys
0xF700B000 \SystemRoot\system32\DRIVERS\HSF_DPV.SYS
0xF6F5E000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF7B37000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7F10000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF799F000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7CE7000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6F47000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF79AF000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF79BF000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7B3F000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6F36000 \SystemRoot\system32\DRIVERS\psched.sys
0xF79CF000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7B47000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7B4F000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF6EDD000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF79DF000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7D4D000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6EA9000 \SystemRoot\system32\DRIVERS\update.sys
0xF7D07000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF79EF000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7A1F000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7D51000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7A3F000 \SystemRoot\system32\DRIVERS\avgmfx86.sys
0xF7D53000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7E7C000 \SystemRoot\System32\Drivers\Null.SYS
0xF7D55000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7B6F000 \SystemRoot\System32\drivers\vga.sys
0xF7D57000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7D59000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7B77000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7B7F000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF75F8000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF4D6E000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF4D16000 \SystemRoot\system32\DRIVERS\tcpip.sys

MooK1983 0 Newbie Poster · Answer 2 · 2010-11-20T01:50:24+00:00

Whatup Crunchie I ran the MBAM again after I updated it and this is what it found:

Malwarebytes' Anti-Malware 1.46
[url]www.malwarebytes.org[/url]

Database version: 5150

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

11/19/2010 2:46:03 PM
mbam-log-2010-11-19 (14-46-03).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 176085
Time elapsed: 1 hour(s), 17 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{6720D3B3-E1D3-489A-BD4F-A2D7A28522EE}\RP15\A0001858.dll (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6720D3B3-E1D3-489A-BD4F-A2D7A28522EE}\RP15\A0001857.exe (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6720D3B3-E1D3-489A-BD4F-A2D7A28522EE}\RP15\A0001859.dll (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6720D3B3-E1D3-489A-BD4F-A2D7A28522EE}\RP15\A0001860.dll (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6720D3B3-E1D3-489A-BD4F-A2D7A28522EE}\RP15\A0001861.exe (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6720D3B3-E1D3-489A-BD4F-A2D7A28522EE}\RP15\A0001862.dll (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6720D3B3-E1D3-489A-BD4F-A2D7A28522EE}\RP36\A0008786.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6720D3B3-E1D3-489A-BD4F-A2D7A28522EE}\RP36\A0010763.exe (Adware.QueryExplorer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6720D3B3-E1D3-489A-BD4F-A2D7A28522EE}\RP36\A0010854.exe (Adware.QueryExplorer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6720D3B3-E1D3-489A-BD4F-A2D7A28522EE}\RP36\A0010859.dll (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6720D3B3-E1D3-489A-BD4F-A2D7A28522EE}\RP36\A0010861.dll (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6720D3B3-E1D3-489A-BD4F-A2D7A28522EE}\RP36\A0010862.dll (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6720D3B3-E1D3-489A-BD4F-A2D7A28522EE}\RP36\A0010863.dll (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6720D3B3-E1D3-489A-BD4F-A2D7A28522EE}\RP36\A0010864.dll (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6720D3B3-E1D3-489A-BD4F-A2D7A28522EE}\RP36\A0010865.dll (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6720D3B3-E1D3-489A-BD4F-A2D7A28522EE}\RP36\A0010866.dll (Adware.ShopperReports) -> Quarantined and deleted successfully.



Here is the [B]MBRCheck[B]:


MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:           
Windows Version:        Windows XP Professional
Windows Information:        Service Pack 2 (build 2600)
Logical Drives Mask:        0x0000000c

Kernel Drivers (total 130):
  0x804D7000 \WINDOWS\system32\ntoskrnl.exe
  0x806EC000 \WINDOWS\system32\hal.dll
  0xF7D2F000 \WINDOWS\system32\KDCOM.DLL
  0xF7C3F000 \WINDOWS\system32\BOOTVID.dll
  0xF77E0000 ACPI.sys
  0xF7D31000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
  0xF77CF000 pci.sys
  0xF782F000 isapnp.sys
  0xF7C43000 compbatt.sys
  0xF7C47000 \WINDOWS\system32\DRIVERS\BATTC.SYS
  0xF7DF7000 PCIIde.sys
  0xF7AAF000 \WINDOWS\System32\Drivers\PCIIDEX.SYS
  0xF7D33000 intelide.sys
  0xF77B1000 pcmcia.sys
  0xF783F000 MountMgr.sys
  0xF7792000 ftdisk.sys
  0xF7AB7000 PartMgr.sys
  0xF784F000 VolSnap.sys
  0xF777A000 atapi.sys
  0xF7ABF000 cercsr6.sys
  0xF7762000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
  0xF785F000 disk.sys
  0xF786F000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
  0xF7743000 fltMgr.sys
  0xF7731000 sr.sys
  0xF771A000 KSecDD.sys
  0xF768D000 Ntfs.sys
  0xF7660000 NDIS.sys
  0xF7645000 Mup.sys
  0xF7AC7000 avgrkx86.sys
  0xF787F000 AVGIDSEH.Sys
  0xF788F000 agp440.sys
  0xF797F000 \SystemRoot\system32\DRIVERS\intelppm.sys
  0xF7CD7000 \SystemRoot\system32\DRIVERS\CmBatt.sys
  0xF7486000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
  0xF7472000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
  0xF7B2F000 \SystemRoot\system32\DRIVERS\usbuhci.sys
  0xF744F000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
  0xF7B37000 \SystemRoot\system32\DRIVERS\usbehci.sys
  0xF7425000 \SystemRoot\system32\DRIVERS\b57xp32.sys
  0xF740E000 \SystemRoot\system32\DRIVERS\ozscr.sys
  0xF7CDF000 \SystemRoot\system32\DRIVERS\SMCLIB.SYS
  0xF71F2000 \SystemRoot\system32\DRIVERS\w29n51.sys
  0xF798F000 \SystemRoot\system32\DRIVERS\i8042prt.sys
  0xF7B3F000 \SystemRoot\system32\DRIVERS\mouclass.sys
  0xF7B47000 \SystemRoot\system32\DRIVERS\kbdclass.sys
  0xF799F000 \SystemRoot\system32\DRIVERS\serial.sys
  0xF7CE3000 \SystemRoot\system32\DRIVERS\serenum.sys
  0xF71DE000 \SystemRoot\system32\DRIVERS\parport.sys
  0xF79AF000 \SystemRoot\system32\DRIVERS\imapi.sys
  0xF79BF000 \SystemRoot\system32\DRIVERS\cdrom.sys
  0xF79CF000 \SystemRoot\system32\DRIVERS\redbook.sys
  0xF71BB000 \SystemRoot\system32\DRIVERS\ks.sys
  0xF717A000 \SystemRoot\system32\drivers\stac97.sys
  0xF7156000 \SystemRoot\system32\drivers\portcls.sys
  0xF79DF000 \SystemRoot\system32\drivers\drmk.sys
  0xF7123000 \SystemRoot\system32\DRIVERS\HSFHWICH.sys
  0xF7026000 \SystemRoot\system32\DRIVERS\HSF_DPV.SYS
  0xF6F79000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
  0xF7B4F000 \SystemRoot\System32\Drivers\Modem.SYS
  0xF7EDF000 \SystemRoot\system32\DRIVERS\audstub.sys
  0xF79EF000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
  0xF7CEB000 \SystemRoot\system32\DRIVERS\ndistapi.sys
  0xF6F62000 \SystemRoot\system32\DRIVERS\ndiswan.sys
  0xF79FF000 \SystemRoot\system32\DRIVERS\raspppoe.sys
  0xF7A0F000 \SystemRoot\system32\DRIVERS\raspptp.sys
  0xF7B57000 \SystemRoot\system32\DRIVERS\TDI.SYS
  0xF6F51000 \SystemRoot\system32\DRIVERS\psched.sys
  0xF7A1F000 \SystemRoot\system32\DRIVERS\msgpc.sys
  0xF7B5F000 \SystemRoot\system32\DRIVERS\ptilink.sys
  0xF7B67000 \SystemRoot\system32\DRIVERS\raspti.sys
  0xF6EDD000 \SystemRoot\system32\DRIVERS\rdpdr.sys
  0xF7A2F000 \SystemRoot\system32\DRIVERS\termdd.sys
  0xF7D47000 \SystemRoot\system32\DRIVERS\swenum.sys
  0xF6EA9000 \SystemRoot\system32\DRIVERS\update.sys
  0xF7D07000 \SystemRoot\system32\DRIVERS\mssmbios.sys
  0xF7A3F000 \SystemRoot\System32\Drivers\NDProxy.SYS
  0xF7A6F000 \SystemRoot\system32\DRIVERS\usbhub.sys
  0xF7D49000 \SystemRoot\system32\DRIVERS\USBD.SYS
  0xF7A8F000 \SystemRoot\system32\DRIVERS\avgmfx86.sys
  0xF7D4B000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
  0xF7F6F000 \SystemRoot\System32\Drivers\Null.SYS
  0xF7D4D000 \SystemRoot\System32\Drivers\Beep.SYS
  0xF7B87000 \SystemRoot\System32\drivers\vga.sys
  0xF7D4F000 \SystemRoot\System32\Drivers\mnmdd.SYS
  0xF7D51000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
  0xF7B8F000 \SystemRoot\System32\Drivers\Msfs.SYS
  0xF7B97000 \SystemRoot\System32\Drivers\Npfs.SYS
  0xF7600000 \SystemRoot\system32\DRIVERS\rasacd.sys
  0xF4D6E000 \SystemRoot\system32\DRIVERS\ipsec.sys
  0xF4D16000 \SystemRoot\system32\DRIVERS\tcpip.sys
  0xF4CCE000 \SystemRoot\system32\DRIVERS\avgtdix.sys
  0xF4CA6000 \SystemRoot\system32\DRIVERS\netbt.sys
  0xF4C84000 \SystemRoot\System32\drivers\afd.sys
  0xF7A9F000 \SystemRoot\system32\DRIVERS\netbios.sys
  0xF4C58000 \SystemRoot\system32\DRIVERS\rdbss.sys
  0xF4BC1000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
  0xF78AF000 \SystemRoot\System32\Drivers\Fips.SYS
  0xF4BA0000 \SystemRoot\system32\DRIVERS\ipnat.sys
  0xF78BF000 \SystemRoot\system32\DRIVERS\wanarp.sys
  0xF4B64000 \SystemRoot\system32\DRIVERS\avgldx86.sys
  0xF78DF000 \SystemRoot\System32\Drivers\Cdfs.SYS
  0xF4AD4000 \SystemRoot\System32\Drivers\dump_atapi.sys
  0xF7D81000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
  0xBF800000 \SystemRoot\System32\win32k.sys
  0xF4B4C000 \SystemRoot\System32\drivers\Dxapi.sys
  0xF7BBF000 \SystemRoot\System32\watchdog.sys
  0xBF000000 \SystemRoot\System32\drivers\dxg.sys
  0xF7E25000 \SystemRoot\System32\drivers\dxgthk.sys
  0xBF012000 \SystemRoot\System32\ati2dvag.dll
  0xBF054000 \SystemRoot\System32\ati2cqag.dll
  0xBF08E000 \SystemRoot\System32\atikvmag.dll
  0xBF0C4000 \SystemRoot\System32\ati3duag.dll
  0xBF32B000 \SystemRoot\System32\ativvaxx.dll
  0xF29C4000 \SystemRoot\system32\DRIVERS\ndisuio.sys
  0xF26AF000 \SystemRoot\system32\drivers\wdmaud.sys
  0xF2804000 \SystemRoot\system32\drivers\sysaudio.sys
  0xF22E5000 \SystemRoot\system32\DRIVERS\mrxdav.sys
  0xF7DD3000 \SystemRoot\System32\Drivers\ParVdm.SYS
  0xF2614000 \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys
  0xF22C9000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
  0xF214E000 \SystemRoot\system32\DRIVERS\srv.sys
  0xF20B6000 \SystemRoot\system32\DRIVERS\AVGIDSFilter.Sys
  0xF1F96000 \SystemRoot\system32\DRIVERS\AVGIDSDriver.Sys
  0xF1B6D000 \SystemRoot\System32\Drivers\HTTP.sys
  0xF7BB7000 \SystemRoot\System32\Drivers\AFGSp50.sys
  0xF7BC7000 \SystemRoot\system32\drivers\npf.sys
  0xF7C0F000 \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
  0xF17F9000 \SystemRoot\system32\drivers\kmixer.sys
  0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 47):
       0 System Idle Process
       4 System
     744 C:\WINDOWS\system32\smss.exe
     800 C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
     992 csrss.exe
    1036 C:\WINDOWS\system32\winlogon.exe
    1088 C:\WINDOWS\system32\services.exe
    1104 C:\WINDOWS\system32\lsass.exe
    1276 C:\WINDOWS\system32\ati2evxx.exe
    1296 C:\WINDOWS\system32\svchost.exe
    1376 svchost.exe
    1436 C:\WINDOWS\system32\svchost.exe
    1532 svchost.exe
    1652 svchost.exe
    1928 C:\WINDOWS\system32\spoolsv.exe
    1964 scardsvr.exe
     196 C:\WINDOWS\system32\ati2evxx.exe
     392 C:\WINDOWS\explorer.exe
     704 C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
     712 C:\Program Files\AVG\AVG10\avgtray.exe
     724 C:\WINDOWS\system32\ctfmon.exe
     732 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
     768 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
     952 svchost.exe
    1236 C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe
    1332 C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
    1460 C:\Program Files\AVG\AVG10\avgwdsvc.exe
    1560 C:\Program Files\Java\jre6\bin\jqs.exe
     144 C:\Program Files\WinPcap\rpcapd.exe
     580 C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
     384 C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    1816 C:\Program Files\AVG\AVG10\avgnsx.exe
    2060 C:\Program Files\AVG\AVG10\avgemcx.exe
    3424 wmiprvse.exe
    3524 alg.exe
     552 C:\Program Files\Belkin\Router Setup and Monitor\ndis_events.exe
    2972 C:\WINDOWS\system32\wuauclt.exe
    3868 C:\Program Files\Belkin\Router Setup and Monitor\wpa_supplicant.exe
    3584 C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    2820 C:\PROGRA~1\AVG\AVG10\avgrsx.exe
     432 C:\Program Files\AVG\AVG10\avgcsrvx.exe
     388 C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    2744 C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
     684 C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    3984 C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    1212 C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
     764 C:\Documents and Settings\user\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00  (NTFS)

PhysicalDrive0 Model Number: TOSHIBAMK4018GAP, Rev: M0.03 A 

      Size  Device Name          MBR Status
  --------------------------------------------
     37 GB  \\.\PhysicalDrive0   Windows XP MBR code detected
            SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

MooK1983 0 Newbie Poster · Answer 3 · 2010-11-21T12:32:00+00:00

I think combofix had some problems operating because it stopped responding after 20 minutes...

MooK1983 0 Newbie Poster · Answer 4 · 2010-11-23T04:13:26+00:00

I followed it, when I tried to run it the monitor just went black.

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 5 · 2010-11-23T04:17:41+00:00

You don't have anything set to go to sleep or hibernate do you, or screensavers, etc.?

MooK1983 0 Newbie Poster · Answer 6 · 2010-11-23T05:20:35+00:00

MooK1983 0 Newbie Poster

13 Years Ago

power save

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 7 · 2010-11-23T05:33:25+00:00

jholland1964 650 Posting Expert

13 Years Ago

Turn that off for ALL of this. Try again

MooK1983 0 Newbie Poster · Answer 8 · 2010-11-24T02:11:47+00:00

I did just as you said and turned off all screensavers, power-save, firewalls, and anti-virus programs. I let combofix run for over 16 hours and nothing happened. Do you think it's because my computer is that badly infected that it won't let combofix work properly? Do you think I might have to format?

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 9 · 2010-11-24T02:32:07+00:00

Well I hate to say it because I rarely do, but yes, a reformat is likely the way to go if you are prepared to do so. It probably would be much faster than attempting to run all the tools, or find the proper tools which will run.

Generic Host Process for Win32 Services has encountered a problem and needs to close

Recommended Answers Collapse Answers

All 13 Replies

Recommended Answers