Abs.Net web Page


Generic Host Processor error? You got Artemis!

Posted by Hari Saryono on 21 February 2009


Hello, I just got a message about my Windows. It says “Windows has prevented svchost.exe from running”. Then a Generic Host Process error occurs, and it keeps asking to send a report to Microsoft (annoying, you bet). On top of that, your search engine returns an error page when you try to search for specific terms like “Generic host process”, “virus”, etc.

Searching the net, I found Trojan.Artemis, a heuristic detection from McAfee. So, remove this threat by following this procedure:

WARNING: The real SVCHOST.EXE in c:/windows/system32 is a very important Windows file. DO NOT DELETE IT!

A. Checking files

This step checks whether your computer is infected by the same trojan as mine. If not, go to step B.

1. Open autoruns.exe. If you don’t have autoruns.exe, download it here. Unpack it and run autoruns.exe

2. Choose the Everything tab

3. Press Ctrl+F to open the Find dialog box and type svchost.exe

4. Locate the entry pointing at c:/program files/microsoft common/svchost.exe. Make sure you are looking at the right entry: this is not the real file. See the “microsoft common” folder? It was created by the virus.

5. Delete that entry

B. Patching Windows

Now patch your Windows, so the error stops showing, by downloading the fix from Windows Update here.

C. Delete File

1. Locate c:/program files/microsoft common/svchost.exe (Total Commander works well for this) and delete it. If it can’t be deleted because it is still running, force-delete it using Unlocker.

D. Restart and test

Restart your computer and test whether your loading time is longer than it should be. Check the virus location above again. If the file still exists, change the order of your steps to C, A, then B.

E. Still can’t solve the problem? Check this out

Maybe you have the nfr virus. It is identified by the existence of these files:

  • c:/nfr.bat
  • %system%/drivers/nfr.dll
  • %system%/drivers/nfr.dll.assembly
  • %system%/drivers/nfr.sys

Check for them with Total Commander.

Note: %system% means c:/windows/system32/

If you have those files, these are the removal steps:

  1. Download Avast BartPE 2009
  2. Burn it to an empty CD
  3. Restart and set your boot sequence to CD-ROM first
  4. Put your BartPE CD in the CD-ROM drive
  5. Restart using BartPE
  6. Scan for viruses. This edition of BartPE can’t detect this virus, but you should do this anyway in case other viruses are caught in the process
  7. Use Services/Drivers to check the services. Disable the nfr services.
  8. Use Servant Salamander to search for and delete the files below:
  • c:/nfr.bat
  • %system%/drivers/nfr.dll
  • %system%/drivers/nfr.dll.assembly
  • %system%/drivers/nfr.sys
Restart your computer, remove the BartPE CD and enter Windows in normal mode. Your computer will be back to normal.

Addendum:

If you are interested in removing the registry entries created by this virus, here they are. I’m too lazy to remove them manually; you can use TuneUp Utilities to remove these registry entries after removing the files above.

  • The following Registry Keys were created:
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NFR
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NFR000
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NFR000\Control
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NFR.SYS
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NFR.SYS000
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NFR.SYS000\Control
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nfr
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nfr\Parameters
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nfr\Security
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nfr\Enum
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nfr.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nfr.sys\Security
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nfr.sys\Enum
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NFR
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NFR000
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NFR000\Control
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NFR.SYS
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NFR.SYS000
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NFR.SYS000\Control
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nfr
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nfr\Parameters
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nfr\Security
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nfr\Enum
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nfr.sys
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nfr.sys\Security
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nfr.sys\Enum
  • The newly created Registry Values are:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
      • nfr = “nfr”
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NFR000\Control]
      • *NewlyCreated* = 0x00000000
      • ActiveService = “nfr”
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NFR000]
      • Service = “nfr”
      • Legacy = 0x00000001
      • ConfigFlags = 0x00000000
      • Class = “LegacyDriver”
      • ClassGUID = “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
      • DeviceDesc = “nfr”
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NFR]
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NFR.SYS000\Control]
      • *NewlyCreated* = 0x00000000
      • ActiveService = “nfr.sys”
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NFR.SYS000]
      • Service = “nfr.sys”
      • Legacy = 0x00000001
      • ConfigFlags = 0x00000000
      • Class = “LegacyDriver”
      • ClassGUID = “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
      • DeviceDesc = “nfr.sys”
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NFR.SYS]
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nfr\Enum]
      • 0 = “Root\LEGACY_NFR000”
      • Count = 0x00000001
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nfr\Security]
      • Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nfr\Parameters]
      • ServiceDll = “%System%\drivers\nfr.dll”
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nfr]
      • Type = 0x00000020
      • Start = 0x00000002
      • ErrorControl = 0x00000001
      • ImagePath = “%System%\svchost.exe -k nfr”
      • ObjectName = “LocalSystem”
      • FailureActions = 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 14 00 00 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nfr.sys\Enum]
      • 0 = “Root\LEGACY_NFR.SYS000”
      • Count = 0x00000001
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nfr.sys\Security]
      • Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nfr.sys]
      • Type = 0x00000001
      • Start = 0x00000001
      • ErrorControl = 0x00000001
      • Tag = 0x00000008
      • ImagePath = “%System%\drivers\nfr.sys”
      • DisplayName = “nfr.sys”
      • Group = “PNP_TDI”
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NFR000\Control]
      • *NewlyCreated* = 0x00000000
      • ActiveService = “nfr”
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NFR000]
      • Service = “nfr”
      • Legacy = 0x00000001
      • ConfigFlags = 0x00000000
      • Class = “LegacyDriver”
      • ClassGUID = “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
      • DeviceDesc = “nfr”
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NFR]
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NFR.SYS000\Control]
      • *NewlyCreated* = 0x00000000
      • ActiveService = “nfr.sys”
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NFR.SYS000]
      • Service = “nfr.sys”
      • Legacy = 0x00000001
      • ConfigFlags = 0x00000000
      • Class = “LegacyDriver”
      • ClassGUID = “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
      • DeviceDesc = “nfr.sys”
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NFR.SYS]
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nfr\Enum]
      • 0 = “Root\LEGACY_NFR000”
      • Count = 0x00000001
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nfr\Security]
      • Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nfr\Parameters]
      • ServiceDll = “%System%\drivers\nfr.dll”
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nfr]
      • Type = 0x00000020
      • Start = 0x00000002
      • ErrorControl = 0x00000001
      • ImagePath = “%System%\svchost.exe -k nfr”
      • ObjectName = “LocalSystem”
      • FailureActions = 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 14 00 00 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nfr.sys\Enum]
      • 0 = “Root\LEGACY_NFR.SYS000”
      • Count = 0x00000001
      • NextInstance = 0x00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nfr.sys\Security]
      • Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nfr.sys]
      • Type = 0x00000001
      • Start = 0x00000001
      • ErrorControl = 0x00000001
      • Tag = 0x00000008
      • ImagePath = “%System%\drivers\nfr.sys”
      • DisplayName = “nfr.sys”
      • Group = “PNP_TDI”
  • The following Registry Values were modified:
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
      • (Default) = 0x0000000C
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
      • (Default) = 0x0000000C
  • The following Host Name was requested from a host database:
    • r-dns.com
  • The following GET request was made:
    • search.php?p=10006&s=I&v=43&uid=13441600&q=
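The three checks this post relies on (the impostor svchost.exe from step A, the nfr file set from step E, and the nfr service entries from the addendum) can be expressed as one triage script. The following Python is an added example, not code from the post; it reports and deletes nothing. The Windows location (C:\Windows), the list of legitimate svchost service groups and the clean Dnscache service are assumptions, and the sample registry table and disk listing are constructed from the values in the addendum.

```python
"""Triage helper for the indicators in this post: the impostor svchost.exe
(step A), the nfr file set (step E) and the nfr service entries (addendum).
Added example, not part of the original post. It only reports; it deletes
nothing. The sample inventory at the bottom is constructed from the values
listed in the addendum, with one clean Windows service added for contrast.
"""
import ntpath
import os
import re

# Assumed Windows XP-era layout; adjust WINDIR if the system root differs.
WINDIR = r"C:\Windows"
SYSTEM_DIR = ntpath.join(WINDIR, "System32")

# Service groups that legitimately run inside svchost.exe on XP SP3
# (assumed subset, lower-cased for comparison). "nfr" is not among them.
KNOWN_SVCHOST_GROUPS = {"netsvcs", "localservice", "networkservice",
                        "rpcss", "dcomlaunch", "termsvcs", "imgsvc"}

# File indicators exactly as the post lists them.
NFR_FILES = ["c:/nfr.bat", "%system%/drivers/nfr.dll",
             "%system%/drivers/nfr.dll.assembly", "%system%/drivers/nfr.sys"]


def expand(path):
    """Expand %System% / %SystemRoot% the way the registry entries use them."""
    path = re.sub(r"%system%", lambda m: SYSTEM_DIR, path, flags=re.I)
    return re.sub(r"%systemroot%", lambda m: WINDIR, path, flags=re.I)


def norm(path):
    """Canonical, case-folded Windows path; accepts the post's forward slashes."""
    return ntpath.normpath(expand(path)).lower()


def classify_svchost(path):
    """'legitimate' only for the real System32\\svchost.exe; any other svchost.exe is an impostor."""
    p = norm(path)
    if ntpath.basename(p) != "svchost.exe":
        return "not-svchost"
    return "legitimate" if ntpath.dirname(p) == norm(SYSTEM_DIR) else "impostor"


def parse_image_path(image_path):
    """Split an ImagePath such as '%System%\\svchost.exe -k nfr' into (exe, group)."""
    m = re.match(r'^\s*"?(.+?\.exe)"?(?:\s+-k\s+(\S+))?\s*$', image_path, re.I)
    if not m:
        return image_path.strip(), None          # drivers: no .exe, no -k group
    return m.group(1), m.group(2)


def audit_services(services, svchost_groups, known=KNOWN_SVCHOST_GROUPS):
    """Walk a {name: {value: data}} table (as under ...\\Services) plus the
    {group: [names]} map from ...\\Windows NT\\CurrentVersion\\SvcHost.
    Returns (service, reason) findings; an empty list means nothing odd."""
    ioc_names = {ntpath.basename(norm(f)) for f in NFR_FILES}
    findings = []
    for name, v in services.items():
        exe, group = parse_image_path(v.get("ImagePath", ""))
        if classify_svchost(exe) == "impostor":
            findings.append((name, f"ImagePath runs svchost.exe from {exe}"))
        if group is not None:
            if group.lower() not in known:
                findings.append((name, f"unknown svchost group '{group}'"))
            if name not in svchost_groups.get(group, []):
                findings.append((name, f"not listed under SvcHost\\{group}"))
        dll = v.get("ServiceDll")
        if dll and ntpath.dirname(norm(dll)) != norm(SYSTEM_DIR):
            findings.append((name, f"ServiceDll outside System32: {dll}"))
        if v.get("Type") == 0x1 and ntpath.basename(norm(exe)) in ioc_names:
            findings.append((name, f"kernel driver matches nfr indicator: {exe}"))
    return findings


def present_indicators(paths_on_disk, indicators=NFR_FILES):
    """Which indicator files appear in a directory listing (case-insensitive)."""
    seen = {norm(p) for p in paths_on_disk}
    return [i for i in indicators if norm(i) in seen]


def scan_local_disk(indicators=NFR_FILES):
    """Live variant for a Windows host: returns the indicator files that exist."""
    return [i for i in indicators if os.path.exists(expand(i))]


# Constructed sample, mirroring the addendum's registry values.
SAMPLE_SERVICES = {
    "nfr": {"Type": 0x20, "Start": 2, "ImagePath": r"%System%\svchost.exe -k nfr",
            "ObjectName": "LocalSystem", "ServiceDll": r"%System%\drivers\nfr.dll"},
    "nfr.sys": {"Type": 0x1, "Start": 1, "ImagePath": r"%System%\drivers\nfr.sys",
                "Group": "PNP_TDI"},
    "Dnscache": {"Type": 0x20, "Start": 2,   # assumed clean service, for contrast
                 "ImagePath": r"%SystemRoot%\system32\svchost.exe -k NetworkService",
                 "ServiceDll": r"%SystemRoot%\System32\dnsrslvr.dll"},
}
SAMPLE_SVCHOST_GROUPS = {"nfr": ["nfr"], "NetworkService": ["Dnscache", "Nla"]}
SAMPLE_DISK = [r"C:\nfr.bat", r"C:\WINDOWS\system32\drivers\NFR.SYS",
               r"C:\Program Files\Microsoft Common\svchost.exe"]

if __name__ == "__main__":
    print(classify_svchost("c:/program files/microsoft common/svchost.exe"))
    for service, reason in audit_services(SAMPLE_SERVICES, SAMPLE_SVCHOST_GROUPS):
        print(f"[{service}] {reason}")
    print(present_indicators(SAMPLE_DISK))
```

Run against the sample, the script flags the nfr service twice (an svchost group Windows does not ship, and a ServiceDll living under drivers\ rather than System32) and the nfr.sys driver once (its image matches the file list), while the clean Dnscache entry produces nothing. On a real host you would feed audit_services an export of the Services and SvcHost keys and present_indicators a directory listing from Total Commander or BartPE; the point of the checks is that the registry persistence (a bogus -k group plus a ServiceDll in an odd directory) remains visible even after the files have been deleted, which is why the addendum matters.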
