Pc issues
gnimia
Posts: 199 Forumite
in Techie Stuff
Hi there,
I've been having a few problems with my pc - and was hoping someone here might have some clever suggestions
Every time I open my PC, I get the following message about 10 mins after it's started up:
Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.
For more info it says:
C:\DOCUME~1\User\LOCALS~1\Temp\WER88b4.dir00\svchost.exe.mdmp
C:\DOCUME~1\User\LOCALS~1\Temp\WER88b4.dir00\appcompat.txt
I've tried googling it but the only info that comes back is a Windows patch from 2007, and I can't seem to install it anyway.
The computer also seems to have trouble starting (sometimes takes three or four goes), and last but not least, there is a "rootkit" that Avast can't seem to get rid of...
Am I doomed?
Comments
-
The rootkit's probably the most significant issue. Does Avast give a name to it?
1. Save Hijackthis to the desktop. From the desktop, RIGHT CLICK on it and select Run as Administrator. Then do a scan and save a log, and post the log that comes up in notepad here. Don't make any changes yet.
2. Do a QUICK scan with Malwarebytes, and let it clean anything it finds. Post the log here if you don't mind.
These two steps will just be the beginning.
-
First thing I'd do is empty the contents of \temp\ and then run a virus check and Malwarebytes etc., as the message is coming from something inside your temporary files folder.
-
Great, I will try these things. Thank you. Thought I'd run Malwarebytes anyway so that's going and will post the results.
My wifi is playing up too so having to respond on phone...
And sorry for stupid (!) questions but how do I delete /temp/?
Thanks again!
-
My Computer, double click on C:, double click on Documents and Settings, double click on User, double click on Local Settings, click once on Temp and then hit delete (or right click and click delete).
-
scheming_gypsy wrote: » First thing I'd do is empty the contents of \temp\ and then run a virus check and Malwarebytes etc., as the message is coming from something inside your temporary files folder.
Anything active running from temp will require a reboot to remove, e.g. if just a standard tool like Ccleaner or manually going into the temp locations.
No problem if it was just a trojan, but want to see what Malwarebytes pulls up as it is useful in itself with some rootkits. If it's up to the rootkit stage, it's not as important what's in temp anyway. Also with Hijackthis, can see what the active processes are so we'll know what is running from temp, or what is set to run from temp.
Old Timer's Temp File Cleaner will try to force some to delete and will close active processes to do this, but it can risk causing the system to crash with some active programs (http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/).
-
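The check described in the comment above (what is running from temp, or set to run from temp) can be done mechanically over a saved log. This is an added example, not part of any post in this thread and not HijackThis's own code: the log lines are constructed, the HijackThis-style layout is an assumption, and the names `running_from_temp`, `EXE_PATH` and `TEMP_DIR` are hypothetical. It also matches the 8.3 short form of the temp path (LOCALS~1\Temp) that appears in the error report in the first post.

```python
import re

# Executable path inside a log line. The lookahead rejects data files such as
# "svchost.exe.mdmp" (a crash dump), where ".exe" is not the real extension.
EXE_PATH = re.compile(
    r'[A-Za-z]:\\[^"<>|*?\r\n]*?\.(?:exe|dll|scr|bat|cmd|com|pif)(?=["\s]|$)',
    re.IGNORECASE,
)

# Temp locations on a Windows XP layout, in long form and in the 8.3 short
# form (LOCALS~1) seen in the error report quoted in this thread.
TEMP_DIR = re.compile(
    r"\\(?:local settings|locals~\d)\\temp\\"   # per-user temp
    r"|^[a-z]:\\windows\\temp\\"                # system temp
    r"|^[a-z]:\\temp\\",                        # root-level temp
    re.IGNORECASE,
)

# Constructed sample in the general shape of a HijackThis log (assumption:
# running processes are bare paths, autorun entries are "O4 - ..." lines).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast\AvastSvc.exe
C:\DOCUME~1\User\LOCALS~1\Temp\upd41.exe
O4 - HKLM\..\Run: [avast] "C:\Program Files\Avast\avastUI.exe" /nogui
O4 - HKCU\..\Run: [helper] C:\Documents and Settings\User\Local Settings\Temp\hlp.exe
C:\DOCUME~1\User\LOCALS~1\Temp\WER88b4.dir00\svchost.exe.mdmp
"""


def running_from_temp(log_text):
    """Return (kind, path) for each executable that runs, or is set to run, from temp."""
    hits = []
    for line in log_text.splitlines():
        match = EXE_PATH.search(line)
        if match and TEMP_DIR.search(match.group(0)):
            kind = "autorun" if line.startswith("O4 ") else "process"
            hits.append((kind, match.group(0)))
    return hits


if __name__ == "__main__":
    for kind, path in running_from_temp(SAMPLE_LOG):
        print(f"{kind:8} {path}")
```
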
It will indeed... I'm just old school and like to clear the crap manually before running everything. It cuts down on the run > clear > re-run...
-
I know what you mean
I suppose the other reason is I want to know what's detected, as over the net things can get murky. Radically different to how I approach things in person, don't always bother fighting rootkits from within Windows unless I'm curious.
-
Do an Avast boot time scan!!
> . !!!! ----> .
-
If your wireless is playing up, is it possible to connect the PC to the modem via a network cable?
-
Ok - I ran Malwarebytes and think I got rid of the Trojan it found - however, I can't get Hijackthis to work properly, it seems to be crashing when I run it (and right click doesn't have a run as administrator option?). I downloaded it from http://uk.trendmicro.com/uk/products/personal/free-tools-and-services/
the rootkit is called MBR physicaldrive0
Malwarebytes' Anti-Malware 1.51.0.1200
https://www.malwarebytes.org
Database version: 7060
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
09/07/2011 19:37:41
mbam-log-2011-07-09 (19-37-41).txt
Scan type: Full scan (C:\|)
Objects scanned: 372355
Time elapsed: 1 hour(s), 13 minute(s), 20 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\User\application data\Sun\Java\deployment\cache\6.0\29\643e4fdd-4a0d97f9 (Trojan.FakeAlert.VGen) -> Quarantined and deleted successfully.
This discussion has been closed.