This has many parts to it, so bear with me. I’m simply looking for the best way to resolve this issue permanently.

1. From time to time, avast! (Pro, version 5.0.677, up to date virus definitions) is popping up with a blocked connection warning. The Network Shield showed that from time to time my computer is trying to connect to a site that starts with 199.80.55.19/go.php?data= (after the =, it goes on for a while).

2. Also, svchost.exe seems to be infected. A recent (still on my screen) Application Error message said:
   "The instruction at “0x7c923845” referenced memory at “0x00000000”. The memory could not be “read”.
   “Click on OK to terminate the program”
   “Click on CANCEL to debug the program”

3. Directly after the previous error: “Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience”
   According to the error signature:
   szAppName: svchost.exe szAppVer: 5.1.2600.5512 szModName: ntdll.dll
   szModVer: 5.1.2600.5755 offset: 00023845

4. My desktop BSoD’d twice in a row during startup, while the desktop was loading. I don’t remember how to access the information stored during a BSoD.

5. During two consecutive scans with MBAM, malware has come up.
   On the first run:
   Trojan.Agent file at C:\WINDOWS\system32\certstore.dat
   Password.Stealer registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components{cb92d056-5802-4d2e-a0fe-59e3f5ef3598}
   Password.Stealer registry at HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components{cb92d056-5802-4d2e-a0fe-59e3f5ef3598}

During the second run of MBAM one Trojan.Agent and one Password.Stealer came up.

I’m hoping that removing certstore.dat won’t damage my computer.
Running Windows XP, updated avast! Pro and MBAM.
I don’t know where the viruses came from, and if anything else comes up I’ll post here.

Edited on 11/06/10 to add details to the infected registry entries.

Before going to sleep last night I ran MBAM again.
Again, it detected a Password.Stealer Registry Key.
The (random alphanumeric string) from my last post is actually: {cb92d056-5802-4d2e-a0fe-59e3f5ef3598}
I was too tired/lazy to type it out earlier by hand, but I snatched it from the log.
A Google search of that string came up with a few posts on different sites related to malware removal, so obviously I’m not the only one having this problem.

I’m moving to my own place sometime tomorrow, and the infected computer belongs to the people I’ve been living with.
Was hoping I could fix their problem as a favor before I leave, so I’d appreciate help ;D

This Threat Expert link contains pretty much all information directly related to this threat.
Now to find out how to remove it…

re-install your window as if you remove svchost.exe then you will lose your operating system but if you don’t delete you will get the same error… trojan or worm made your OS (svchost.exe) corrupt.

Please look up information pertaining to svchost.exe processes before jumping straight to taking drastic measures.

If you’ve ever taken a look at the Services section in control panel you might notice that there are a Lot of services required by Windows. If every single service ran under a single svchost.exe instance, a failure in one might bring down all of Windows… so they are separated out.

Those services are organized into logical groups, and then a single svchost.exe instance is created for each group. For instance, one svchost.exe instance runs the 3 services related to the firewall. Another svchost.exe instance might run all the services related to the user interface, and so on.

To fix this particular issue, I imagine I’d need a way to remove the part of the process that is infected, ungroup it from the rest of the services in that particular svchost.exe process.

But that may not be the only problem, there’s also infected registries and stuff… ;_;

Suggestion…let Essexboy fix it ?

Follow this guide from our expert malware remover Essexboy, and post the log`s here
http://forum.avast.com/index.php?topic=53253.0

To avoid using multiple posts with copy and paste you have to attach the logs
Lower left corner: Additional Options > Attach ( OTL.Txt and Extras.Txt.)

It is probably a netsvc running under svchost

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in

[b]netsvcs
%SYSTEMDRIVE%*.exe
/md5start
explorer.exe
winlogon.exe
svchost.exe
/md5stop
%systemroot%*. /mp /s
CREATERESTOREPOINT

[/b]

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Here’s the OTL logs.
Though completely unrelated to the current issues, the fact that “My Web Search” and “ZangoToolbar” showed up didn’t make me happy.

I don’t know what netsvc means, but I didn’t see any negative results in the logs, then again I’m no expert so I’ll let you take a look.

I did have some files in %AppData%\Bitrix Security\ that were shown to be related to the current malware issue I’m having.

The link I posted to ThreatExpert is certainly the exact situation I have on my hands.
I just don’t know how to fix it…

EDIT: Should I upload the BSOD information, if so, where do I find it?
I think it was related to smserial.exe or something along those lines, so I don’t know if it has anything to do with the virus.

OK need to use the big boy next

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL IE - HKU\S-1-5-21-3558250856-446557306-2862267258-1009\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = My Web Search IE - HKU\S-1-5-21-3558250856-446557306-2862267258-1009\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultUrl = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZJfox000&ptb=zx.edr9OmcUpE0u4cgjvWg&psa=&ind=2010063022&ptnrS=ZJfox000&si=&st=sb&n=77cf20ae&searchfor={searchTerms} FF - prefs.js..browser.search.selectedEngine: "MyWebSearch" [2010/09/27 08:24:43 | 000,000,000 | ---D | M] (Zynga Toolbar) -- C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\7pbo49vx.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822} [2010/07/01 17:57:05 | 000,010,017 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\7pbo49vx.default\searchplugins\mywebsearch.xml O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found. O3 - HKU\S-1-5-21-3558250856-446557306-2862267258-1009\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found. O3 - HKU\S-1-5-21-3558250856-446557306-2862267258-1009\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found. O3 - HKU\S-1-5-21-3558250856-446557306-2862267258-1009\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found. [2010/11/06 12:00:00 | 000,000,308 | ---- | M] () -- C:\WINDOWS\tasks\xxoavzbw.job [2006/10/03 16:09:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Owner\Application Data\ZangoToolbar

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of it’s process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it’s malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Here’s the combofix log.

What problems are you experiencing now ?

Trying to quote your post, to respond to this thread, only to realize I’m not signed in.
But thats completely unrelated and I feel a little stupid for doing so :
Oh and I keep typing on the wrong keyboard, I have two computers set up on the same desk, again, unrelated.

Back on topic:
Currently none, though I haven’t done much on that PC since running Combofix.
It starts up just fine, no BSoDs or anything, but I haven’t run any scans with avast! or MBAM yet.
Kinda too busy moving to a new place, but I’ll have the owner of the PC run those scans.

Upon startup, I’m given three choices (third choice is new) from the list “Please select the operating system to start:”
Microsoft Windows XP Home Edition (Default choice, runs automatically after 2 seconds)
Microsoft Windows Recovery Console (Was already there, someone must have added this some time ago)
do not select this [debugger enabled] (I’m assuming ComboFix put this here, what does it do if I select it?)

Other than that, nothing has showed up of interest yet. Perhaps everything’s fixed!

Ok that is the recovery console that CF installed - we can make that disappear and still keep the recovery console

Right click my computer (on the desktop)
Select Properties
Select the Advanced tab
Select Startup and Recovery settings
Remove the tick from Time to Display Operating systems
OK out and reboot

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands [resethosts] [purity] [emptytemp] [EMPTYFLASH] [CLEARALLRESTOREPOINTS] [Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

.
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[]Click Yes to confirm.
[]Click OK.

SPRING CLEAN

Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
[*]SpywareBlaster to help prevent spyware from installing in the first place.

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes. Run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe