How to remove x.exe?

Hello,

My system is a Windows XP Pro SP2, clean install after a format, and Avast 5.0.677 Free.
I am using this at the office, in an office network, with a total of 4 PCs. This only happens to my PC.

Avast keeps informing me (around 11 am):

avast File System Shield has blocked a threat.
No further action is required.
Object: C:\Windows\System32\x
Infection: Win32:Confi [Wrm]
Action: Moved to chest
Process: C:\Windows\System32\svchost.exe
The threat was detected and blocked just before the file was executed.

Another message says something else (same day around 12:15):

avast File System Shield has blocked a threat.
No further action is required.
Object:C:\Documents And Settings\NetworkService\Local Settings\Temporary Internet Files\Content IE5\zqhxi[1].jpg
Infection: Win32:Confi [Wrm]
Process: C:\Windows\System32\x.exe
The threat was detected and blocked just before the file was executed.

These messages repeat each day, no matter what I do. But the real harm is that after Avast kills SVCHOST.EXE I get this error:

Generic Host Process for Win32 Services has encountered an error and needs to close

I have attached the details of the entire error to this post, with the name Service error.jpg.

Ok, so this error kills some of my important processes: Server process, Workstation process, Windows Audio process. I am able to start all these processes, except one, a vital one: Windows Firewall/Internet Connection Sharing (ICS), which has a path to: C:\WINDOWS\System32\svchost.exe -k netsvcs, yes, the SVCHOST.exe that Avast killed and moved to chest. If I can’t start Windows Firewall/Internet Connection Sharing (ICS), it means that, excluding the essential firewall protection, other PCs in my workgroup cannot see my SHARED FILES, vital to my office.

So how can I get rid of this virus? Or how can I start Windows Firewall/Internet Connection Sharing (ICS) service?

I have also attached a ComboFix log to this post, and a hijackthis log.
Thank you very much.

Try this

Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
always run update before you scan so you have the latest database
click on the remove selected button to quarantine anything found
you may post the scan log here

Thank you for taking the time to assist me in my particular issue.

Here is the log from MalwareBytes:

Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4827

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

15/10/2010 08:32:18
mbam-log-2010-10-15 (08-32-18).txt

Scan type: Quick scan
Objects scanned: 134249
Time elapsed: 10 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\LH1IG7AY\xzda[1].png (Worm.Conficker) → Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\UQJH2Z7Y\dwdgsvxg[1].bmp (Worm.Conficker) → Quarantined and deleted successfully.

After this, I’ve restarted and scanned again, no viruses were found at the second scan.
I will try and monitor today and see if x.exe is still being created. My guess is that these files from C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\LH1IG7AY\xzda[1].png create x.exe, or some .dll in my system somehow creates x.exe.

I just hope Avast won’t kill my SVCHOST.exe again, this will make my SHARED FOLDERS inaccessible again, and force me to restart.

Again, thank you.

OK keep us updated :wink:

Conficker Test: http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

Any reason to not update it to SP3?
Not a bad idea.
Support (MS updates) for SP2 has been withdrawn, if I remember correctly.

I agree with Tarq in updating SP2 to SP3. However, given that the OP was exposed to the Conficker virus, I would suggest downloading the following for protection for the future to vaccinate his/her machine and any removable devices:
http://research.pandasecurity.com/panda-usb-and-autorun-vaccine/

I use this and it does not conflict with Avast at all. It is just an added measure of protection.

I would also clean your machine with something like CCleaner, a freeware system optimization, privacy and cleaning tool. There is a Slim version available as well at http://www.piriform.com/ccleaner/builds - 4th option down. It removes unused files (cache, temporary Internet files, etc.) from your system - allowing Windows to run faster and freeing up valuable hard disk space. It also cleans traces of your online activities such as your Internet history. Additionally it contains a fully featured registry cleaner, but I suggest making a backup prior to doing a registry cleaning.

Additionally, you can clean temp. Internet Files not cleaned with CCleaner with TFC by OldTimer - download to your desktop. http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
· Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
· It will close all programs when running, so make sure you have saved all your work before you begin.
· Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
· Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

However, leave the items quarantined by MBAM there; do not delete. Keep your Avast definitions up to date and you may want to do a boot-time scan as well.

Since XP firewall is ineffective and only allows 1-way protection, I recommend a third-party firewall with 2-way protection (Online Armor, Outpost, and Comodo without AV seem to work well with Avast). You should consider changing your FW to maximize your protection.

@ Seymourr,

You’re welcome, and welcome to the forum. :slight_smile: