generic host process for win 32

Discussion in 'Computer Support' started by MJP, Aug 17, 2004.

  1. MJP

    MJP Guest

    Are you a criminal/spaceman, or have you otherwise been disengaged from normal
    earthly activities for some time?

    If so, then you are probably not aware of the most widely known and
    recorded virus in history, i.e. msblast, AKA the Blaster worm.
     
    MJP, Aug 17, 2004
    #1

  2. Hi, when surfing the net I keep getting a pop-up box which says "Generic host
    process for win 32 services has encountered a problem & needs to close, we
    are sorry for the inconvenience". I then get the option to debug, but if I
    press to debug nothing happens.
    Any ideas what this is, anyone?
    Cheers,
    Gordon.
     
    Gordon Edwards, Aug 17, 2004
    #2

  3. MJP

    °Mike° Guest

    BLASTER WORM
    ---------------

    Boot into Safe Mode and start your registry editor:
    Start / Run / regedit

    Navigate to:
    HKEY_LOCAL_MACHINE
    +Software
    +Microsoft
    +Windows
    +CurrentVersion
    +Run

    In the right-hand pane, look for any entry/ies that include
    MSBLAST.EXE, PENIS32.EXE, TEEKIDS.EXE, MSPATCH.EXE,
    MSLAUGH.EXE, ENBIEI.EXE, ESCHLP.EXE or TFTP.EXE .
    DELETE it/them.
    These are the files associated with the different variants:
    Variant A - msblast.exe
    Variant B - penis32.exe
    Variant C - teekids.exe
    Variant D - mspatch.exe
    Variant E - mslaugh.exe
    Variant F - enbiei.exe
    Variant G (aka T) - eschlp.exe & svchosthlp.exe
    Variant H (aka K) - mschost.exe & tftp.exe

    You just disabled the worm from running at startup, so boot into
    normal mode again, and turn off ALL system restores to purge
    your system.

    Open Windows Explorer to the ..\Windows\System32\ or
    ...\WinNT\System32\ folder and DELETE *any* of the
    files named above.

    Next, go to the ..\Windows\Prefetch\ or ..\WinNT\Prefetch\
    and find the reference to the above file/s (any reference will
    be similar to: <filename.exe>-<alphanumerics>.PF), for example,
    msblast.exe-0235D8H6.pf, and DELETE it/them.

    Now you can download and install the patch, configure your
    firewall and update your virus scanner.

    Virus Alert About the Blaster Worm and Its Variants
    http://support.microsoft.com/default.aspx?kbid=826955

    Microsoft Security Bulletin MS03-026
    http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

    What you should know about the Blaster worm
    http://www.microsoft.com/security/incident/blast.asp

    Windows RPC DCOM Buffer Overflow Remote Exploit (MS03-026)
    http://www.k-otik.com/exploits/07.25.winrpcdcom.c.php

    How to Use The KB 823980 Scanning Tool to Identify Host Computers
    That Do Not Have The 823980 Security Patch (MS03-026) Installed
    http://support.microsoft.com/default.aspx?kbid=826369

    W32.Blaster.Worm
    http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

    W32.Blaster.B.Worm
    http://www.symantec.com/avcenter/venc/data/w32.blaster.b.worm.html

    W32.Blaster.C.Worm
    http://www.symantec.com/avcenter/venc/data/w32.blaster.c.worm.html

    W32.Blaster.D.Worm
    http://www.symantec.com/avcenter/venc/data/w32.blaster.d.worm.html

    W32.Blaster.E.Worm
    http://www.symantec.com/avcenter/venc/data/w32.blaster.e.worm.html

    W32.Blaster.F.Worm
    http://www.symantec.com/avcenter/venc/data/w32.blaster.f.worm.html

    W32.Blaster.T.Worm (aka G)
    http://www.symantec.com/avcenter/venc/data/w32.blaster.t.worm.html

    W32.Blaster.K.Worm (aka H)
    http://www.symantec.com/avcenter/venc/data/w32.blaster.k.worm.html

    W32.Blaster.Worm Removal Tool
    http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html



    SASSER WORM
    --------------

    The Sasser worm attempts to exploit the LSASS vulnerability
    discussed in Microsoft Security Bulletin MS04-011. To kill
    the worm before proceeding, boot into Safe Mode and
    start your registry editor:
    Start / Run / regedit

    Navigate to:
    HKEY_LOCAL_MACHINE
    +Software
    +Microsoft
    +Windows
    +CurrentVersion
    +Run

    In the right-hand pane, look for any entry/ies that include
    AVSERVE.EXE, AVSERVE2.EXE, SKYNETAVE.EXE .

    DELETE it/them.
    These are the files associated with the different variants:
    Variant A - avserve.exe
    Variant B - avserve2.exe
    Variant C - avserve2.exe
    Variant D - skynetave.exe

    You have now disabled the worm from running at startup, so
    boot into normal mode again, and turn off ALL system restores
    to purge your system of any remnants.

    Open Windows Explorer to the
    ..\Windows\
    or
    ..\WinNT\
    folder and DELETE *any* of the files named above.

    Next, go to the ..\Windows\Prefetch\ or ..\WinNT\Prefetch\
    folder and find the reference to the above file/s (any reference
    will be similar to: <filename.exe>-<alphanumerics>.PF), for
    example, avserve.exe-0235D8H6.pf, and DELETE it/them.

    Update your virus scanner and run a FULL system scan.

    Now you can download and install the patch from Microsoft.
    Microsoft Security Bulletin MS04-011
    http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

    What You Should Know About the Sasser Worm and Its Variants
    http://www.microsoft.com/security/incident/sasser.asp

    Sasser A and Sasser B removal tool
    http://www.microsoft.com/downloads/details.aspx?FamilyID=76c6de7e-1b6b-4fc3-90d4-9fa42d14cc17

    Shorter link to above removal tool:
    http://makeashorterlink.com/?I14942538

    W32.Sasser.Worm
    http://www.sarc.com/avcenter/venc/data/w32.sasser.worm.html

    W32.Sasser.B.Worm
    http://www.sarc.com/avcenter/venc/data/w32.sasser.b.worm.html

    W32.Sasser.C.Worm
    http://www.sarc.com/avcenter/venc/data/w32.sasser.c.worm.html

    W32.Sasser.D.Worm
    http://www.symantec.com/avcenter/venc/data/w32.sasser.d.html

    Some users have also stated that the Sasser worm removes the shutdown
    button from the Start menu. If you find this to be the case, start your
    registry editor:

    Start \ Run \ regedit

    Navigate to:

    HKEY_CURRENT_USER
    +Software
    +Microsoft
    +Windows
    +CurrentVersion
    +Policies
    +Explorer

    In the right-hand window, look for:
    "NoClose" with a value of 0x0000001 (1)

    If the entry exists, double-click on it, and change the
    value to 0 (zero).
     
    °Mike°, Aug 17, 2004
    #3
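The manual Blaster and Sasser checks in the post above (Run key, Windows/System32 folder, Prefetch traces, and the Sasser NoClose policy) can be audited in one pass. This is an added example, not code from the original thread; it assumes Windows PowerShell on the affected host, reads only, and reports hits so the deletion steps remain a manual decision.

```powershell
# Added example (not from the original post): read-only audit of the locations
# the removal steps walk through. It changes nothing; deletion stays manual.

# Worm file names listed in the post (Blaster variants A-H, Sasser variants A-D).
# Note: tftp.exe is also a legitimate Windows TFTP client, so its presence in
# System32 alone is not proof of infection; weigh it with the Run key result.
$worms = @(
    'msblast.exe','penis32.exe','teekids.exe','mspatch.exe','mslaugh.exe',
    'enbiei.exe','eschlp.exe','svchosthlp.exe','mschost.exe','tftp.exe',
    'avserve.exe','avserve2.exe','skynetave.exe'
)
$findings = @()

# 1. HKLM Run key: any value whose data mentions one of the names.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip provider metadata
        foreach ($w in $worms) {
            if ("$($prop.Value)" -match [regex]::Escape($w)) {
                $findings += "Run value '$($prop.Name)' -> $($prop.Value)"
            }
        }
    }
}

# 2. Dropped binaries in the Windows and System32 folders.
foreach ($d in @($env:SystemRoot, "$env:SystemRoot\System32")) {
    foreach ($w in $worms) {
        $p = Join-Path $d $w
        if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
    }
}

# 3. Prefetch traces (<name>.exe-<alphanumerics>.pf) left by an earlier run.
$pf = "$env:SystemRoot\Prefetch"
if (Test-Path $pf) {
    foreach ($w in $worms) {
        foreach ($f in Get-ChildItem -Path $pf -Filter "$w-*.pf" -ErrorAction SilentlyContinue) {
            $findings += "Prefetch trace: $($f.FullName)"
        }
    }
}

# 4. Sasser side effect: NoClose policy hiding the Shut Down button.
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$nc = (Get-ItemProperty -Path $pol -Name NoClose -ErrorAction SilentlyContinue).NoClose
if ($nc -eq 1) { $findings += "NoClose = 1 under $pol" }

if ($findings.Count -eq 0) { 'No indicators from the post found.' } else { $findings }
```

Run it from an elevated prompt so the HKLM key and System32 are readable; a hit in the Run key is the strongest signal, the other three corroborate it.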
