C:\WINDOWS\SVCHOST.EXE - Rootkit: Hidden process

Okay, this is my first real problem of this type with Avast, with ANY virus.

My computer is a custom-build from iBuyPower, not related to Acer in any way.

The warning message says Suspicious File Found! and lists the file:

C:\WINDOWS\SVCHOST.EXE

and the type of virus:

Rootkit: Hidden Process

The available actions box gives the options to Delete Now or Ignore, recommending Ignore.

In the submission box, the “Submit the file to ALWIL Software virus labs” checkbox is filled in.

I have read some other similar posts, and they have all said to NOT DELETE SVCHOST.EXE, but I have tried ignoring it, then restarting with the svchost startup entry disabled (through CCleaner, most recent version), but still it shows up. What do I do? I really don’t want to have to reinstall everything should Windows fail without this file.

Anyways, after this happens, Avast gives me an option to schedule a boot-time scan of the operating memory. What do I do?

EDIT: Also, I seem to have come across a file in my Temporary Internet Files named “lol.js”, discovered while running a CCleaner analysis. Might this have anything to do with my problem?

Well, on my system (XP Pro) svchost.exe is in the C:\WINDOWS\system32 folder, so depending on the OS it could well be malware, as this is a common tactic: use an existing system file name but in a different location.
Do a search using Windows Explorer for svchost and report where it is found; you are likely to have it in multiple locations?

What is your OS?

If you have XP or Vista I believe the file should be in the system32 folder and not the system folder, in which case (if it were me) I would have opted for delete since the only other option is ignore, though that is a potentially serious decision. So at the very least submit to Alwil and ignore, and upload to VirusTotal, see below.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, i.e. the URL in the Address bar of the VT results page. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
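As an added illustration, not part of this thread or of any poster's reply: a PowerShell script that does the "search for svchost and report where it is found" step in one go, listing every copy under the Windows folder, whether it sits in the expected System32 location, its SHA-256 (which can be pasted into VirusTotal's search instead of uploading the file) and its Authenticode signer. The System32\dllcache and WinSxS locations are treated as expected because Windows keeps legitimate copies there (XP's file-protection cache and the component store on Vista and later); everything else is flagged. It assumes a PowerShell 4 or later host (for Get-FileHash); the function and variable names are the example's own.

```powershell
# Added example, not from the thread: locate every svchost.exe under
# %SystemRoot%, classify its location and report hash and signer.
# Assumes PowerShell 4+ (Get-FileHash). Run elevated to see process paths.

$systemRoot = $env:SystemRoot                               # e.g. C:\WINDOWS
$expected   = Join-Path $systemRoot 'System32\svchost.exe'  # the legitimate copy

function Get-SvchostLocationClass {
    # Classify a path: only System32 (and Windows' own caches) are normal.
    param([string]$Path)
    if ($Path -ieq $expected)                              { return 'expected (System32)' }
    if ($Path -like "$systemRoot\System32\dllcache\*")     { return 'expected (XP file-protection cache)' }
    if ($Path -like "$systemRoot\WinSxS\*")                { return 'expected (component store, Vista+)' }
    return 'UNEXPECTED - submit for analysis'
}

# 1. Every file named svchost.exe anywhere below the Windows folder.
$copies = Get-ChildItem -Path $systemRoot -Filter 'svchost.exe' -Recurse -File -Force `
                        -ErrorAction SilentlyContinue

$report = foreach ($f in $copies) {
    $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    [PSCustomObject]@{
        Path      = $f.FullName
        Location  = Get-SvchostLocationClass -Path $f.FullName
        SizeBytes = $f.Length
        SigStatus = $sig.Status                 # Valid / NotSigned / HashMismatch ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        SHA256    = $hash                       # paste into VirusTotal search
    }
}
$report | Sort-Object Location | Format-Table -AutoSize -Wrap

# 2. Running svchost.exe instances whose image is NOT the System32 copy.
#    Path is $null for processes you lack rights to inspect, so run elevated.
Get-Process -Name svchost -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -ine $expected) } |
    Select-Object Id, Path |
    Format-Table -AutoSize
```

Any row marked UNEXPECTED, or a System32 copy whose signature status is not Valid, is the one to export to the excluded C:\Suspect folder and check at VirusTotal; a signed copy in System32 with a Valid status is the normal Windows file.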

As DavidR wrote: legit svchost should be located in the \system32 folder… the file was sent to us and will be analysed (maybe already has been, I don’t know the exact situation, because I’m on holidays)… wait a day or two and look for the change in the detected malware name (listed in the antirootkit dialog, when the exact detection is available)… if there’s something reliable (Win32:Trojan-gen etc.), then you can schedule a boot-time scan and your problem should be solved…

Thanks for the update, Maxx, have a good holiday.