c:\windows\system32\svchost.exe Rootkit ;-(

Hello (first I want to say sorry for my English ;p),
I have a problem with that virus. I've even formatted all my discs and it's still there.
Maybe it's because of a new update?
I would be glad to get a fast answer because I have to make some transfers with my bank account.

It might be a false alarm…
What exactly is reported?

File: c:\windows\system32\svchost.exe

Name of virus: Win32:Rootkit-gen [Rtk]

Type of virus: Rootkit

VPS Version : 080603-0, 2008-06-03

Can you send the file c:\windows\system32\svchost.exe to www.virustotal.com and check if it is infected?

Antivirus Version Last update Result
AhnLab-V3 2008.5.30.1 2008.06.03 -
AntiVir 7.8.0.26 2008.06.03 -
Authentium 5.1.0.4 2008.06.02 -
Avast 4.8.1195.0 2008.06.03 Win32:Rootkit-gen
AVG 7.5.0.516 2008.06.03 -
BitDefender 7.2 2008.06.03 -
CAT-QuickHeal 9.50 2008.06.03 -
ClamAV 0.92.1 2008.06.03 -
DrWeb 4.44.0.09170 2008.06.03 -
eSafe 7.0.15.0 2008.06.02 -
eTrust-Vet 31.4.5845 2008.06.03 -
Ewido 4.0 2008.06.03 -
F-Prot 4.4.4.56 2008.06.02 -
F-Secure 6.70.13260.0 2008.06.03 -
Fortinet 3.14.0.0 2008.06.03 -
GData 2.0.7306.1023 2008.06.03 Win32:Rootkit-gen
Ikarus T3.1.1.26.0 2008.06.03 -
Kaspersky 7.0.0.125 2008.06.03 -
McAfee 5308 2008.06.02 -
Microsoft 1.3604 2008.06.03 -
NOD32v2 3155 2008.06.03 -
Norman 5.80.02 2008.06.03 -
Panda 9.0.0.4 2008.06.03 -
Prevx1 V2 2008.06.03 -
Rising 20.47.12.00 2008.06.03 -
Sophos 4.29.0 2008.06.03 -
Sunbelt 3.0.1143.1 2008.06.03 -
Symantec 10 2008.06.03 -
TheHacker 6.2.92.332 2008.06.03 -
VBA32 3.12.6.7 2008.06.03 -
VirusBuster 4.3.26:9 2008.06.03 -
Webwasher-Gateway 6.6.2 2008.06.03 BlockReason.0
Additional information
File size: 12800 bytes
MD5: b3c95bfeef6781a82a1c429f466a3a11
SHA1: 32aa15820e984a79664db0fd48ae943931b83514
SHA256: ab4a8e6f19a4c6ea504efff99613a590861cd981849f71c3a859c9eaf23a3afd
SHA512: 40ead71c8639ee659aab37839b72e8d20eec3a100750d627a562f2968bb1ee87c4c6093a022a9d52f3a7a386a5ad9a18d72b1ff5beb833119109a9d968ce7da2
PEiD: -
PEInfo: PE Structure information

( base data )
entrypointaddress: 0x1001ce2
timedatestamp: 0x3b7de4c5 (Sat Aug 18 03:45:09 2001)
machinetype: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2450 0x2600 6.10 c46beef3543b16a7814b0a030f0e5000
.data 0x4000 0x1f4 0x200 1.50 1a396ac5334432d459f3697937a48e6e
.rsrc 0x5000 0x408 0x600 2.47 df415f1328865e4cbd290ad3189697e1

( 4 imports )

ADVAPI32.dll: RegQueryValueExW, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, GetTokenInformation, OpenProcessToken, OpenThreadToken, SetServiceStatus, RegisterServiceCtrlHandlerW, RegCloseKey, RegOpenKeyExW, StartServiceCtrlDispatcherW
KERNEL32.dll: HeapFree, GetLastError, WideCharToMultiByte, lstrlenW, GetCurrentProcess, GetCurrentThread, HeapAlloc, LoadLibraryExW, LeaveCriticalSection, lstrcmpW, EnterCriticalSection, LCMapStringW, lstrcpyW, ExpandEnvironmentStringsW, lstrcmpiW, ExitProcess, GetCommandLineW, InitializeCriticalSection, GetProcessHeap, SetErrorMode, SetUnhandledExceptionFilter, FreeLibrary, InterlockedCompareExchange, LoadLibraryA, LocalFree, GetProcAddress, DelayLoadFailureHook, LocalAlloc
ntdll.dll: NtQuerySecurityObject, RtlFreeHeap, NtOpenKey, wcscat, wcscpy, RtlAllocateHeap, RtlCompareUnicodeString, RtlInitUnicodeString, RtlInitializeSid, RtlLengthRequiredSid, RtlSubAuthoritySid, RtlCopySid, RtlSubAuthorityCountSid, NtClose, RtlGetDaclSecurityDescriptor, RtlQueryInformationAcl, RtlGetAce, RtlUnhandledExceptionFilter, wcslen, RtlImageNtHeader
RPCRT4.dll: RpcMgmtSetServerStackSize, RpcMgmtWaitServerListen, RpcMgmtStopServerListening, RpcServerUnregisterIf, RpcServerUnregisterIfEx, RpcServerListen, RpcServerUseProtseqEpW, RpcServerRegisterIf, I_RpcMapWin32Status

( 0 exports )

and that:

The file has already been scanned:
MD5: b3c95bfeef6781a82a1c429f466a3a11
First received: 2008.06.03 10:25:55 (CET)
Date: 2008.06.03 18:57:49 (CET) [<1D]
Results: 3/32
Permalink: analisis/9c696c71028cd43d361d6dc67cc61d60

Is it infected?

Most probably not. Seems a false positive.
Can you send the file to virus (at) avast (dot) com
and explain in the email body it seems a false positive. Maybe add a link to this thread.

I believe it’s a false alarm in this case.
Can you please pack the file into a password-protected ZIP or RAR and send it to virus@avast.com, with “False alarm” in subject (and the password mentioned in the e-mail body)?
Thanks!

Sorry guys, I can't even compress or copy it ;/
But I'm worried about that: I've formatted all my discs and it's still there ;/

It’s in use by Windows and probably its access is denied…

No, it’s normal. Every Windows system has a svchost.exe file running.

Sorry for my English.

In France there are a lot of us who have this problem. I sent an alert to my friends at 6 pm today because I deleted the file svchost.exe and of course Windows went down!
You just have to reinstall Windows and perhaps the SATA driver to solve the problem, but it's not necessary to format. Some other drivers must be reinstalled, like the graphics card for me.
All is OK for me except for my USB key.

Thank you very much avast!

Do you mean avast detected a virus (rootkit) and cleaned your computer?
If so, to be sure you're clean, I suggest:

  1. Disable System Restore and re-enable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot-time scan with avast with archive scanning turned on.
  4. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

The original alert was: win32:rootkit-gen [Rtk] has been found in c:\windows\system32\svchost.exe and by inattention I chose delete, but of course it was a big mistake.

I just scanned my windows/system32 folder and I have a new alert:

File: C:\WINDOWS\system32\dllcache\svchost.exe
Name of virus: Win32:Rootkit-gen [Rtk]
Type of virus: Rootkit
VPS Version : 080603-0, 03/06/2008

This time I selected quarantine.

Bad news: a new alert on my file system32\svchost.exe and impossible to put it in quarantine.
I'm not sure now that it's a false alert…

Hi All !

I've just restored an svchost.exe file from an unused PC (it has not been connected to anything since last year). I restored this file under an arbitrary name and compared it with the suspect SP1 svchost.exe file (using Edhex). They are strictly the same!

So I think it is definitely a false positive and I suggest that Avast urgently communicate (maybe by mail to all users), because many, many people who are not familiar with these problems are about to crash their Windows system by deleting such an important file!

Best regards.
Pulsar33

Yes, it is… the file is in use and it's essential for Windows to work. It will be replaced, or any change will be blocked (move or Chest). So I wouldn't be alarmed. I hope Alwil corrects the false positive soon. Which is your language? Maybe it occurs just in some Windows languages…

I think it should be already corrected in the latest VPS - can you confirm, please?

I'm attaching the "infected" file.
The file has a genuine Microsoft digital signature, I have checked.
Now it has damaged more than 80 computers in several organizations.

http://www.rapidshare.ru/692602
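The two checks the posters above did by hand (Pulsar33's byte-for-byte comparison against a copy from a clean PC, and the previous poster's check of the Microsoft digital signature) can be scripted. The following is an added example written for this page, not code from the thread or from Avast. It assumes PowerShell 4 or later on Windows 8 or later (for Get-FileHash and catalog-signature support), and the reference path `D:\clean\svchost.exe` is a hypothetical copy taken from a known-clean machine.

```powershell
# Added example (not from the thread): verify a suspect Windows system binary by
# hashing it, checking its Authenticode signature, comparing it with a reference
# copy, and testing whether a running process holds it open.
# Assumes PowerShell 4+ on Windows 8+; $ReferencePath is an assumed clean copy.
function Test-SystemBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ReferencePath
    )

    $result = [ordered]@{
        Path   = $Path
        # SHA256 and MD5 are what you would look up on VirusTotal or compare
        # with a vendor advisory; MD5 is kept only because older reports list it.
        SHA256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        MD5    = (Get-FileHash -Path $Path -Algorithm MD5).Hash
    }

    # Authenticode check. svchost.exe and most Windows binaries are catalog-signed
    # rather than carrying an embedded signature; on Windows 8+ / PowerShell 4+
    # Get-AuthenticodeSignature consults the catalog, so "Valid" is the expected state.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureStatus   = $sig.Status.ToString()
    $result.Signer            = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    $result.SignedByMicrosoft = ($sig.Status -eq 'Valid') -and ($result.Signer -like '*Microsoft*')

    # Same-content test against a reference copy: equal SHA256 means the bytes are
    # identical, which is what Pulsar33 established with a hex editor.
    if ($ReferencePath) {
        $refHash = (Get-FileHash -Path $ReferencePath -Algorithm SHA256).Hash
        $result.MatchesReference = ($refHash -eq $result.SHA256)
    }

    # A running svchost.exe is mapped by the Service Control Manager. Asking for
    # read access with no sharing fails with a sharing violation when any other
    # handle is open; that is what "cannot copy or quarantine" looks like to a scanner.
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'None')
        $fs.Close()
        $result.LockedByRunningProcess = $false
    } catch [System.IO.IOException] {
        $result.LockedByRunningProcess = $true
    }

    [pscustomobject]$result
}

# Usage: the live binary against an assumed clean copy taken from another machine.
Test-SystemBinary -Path "$env:SystemRoot\System32\svchost.exe" -ReferencePath 'D:\clean\svchost.exe'
```

Read the output as a whole rather than trusting any one field: a valid Microsoft signature on a file that also matches the clean copy is strong evidence of a false positive, while `NotSigned` on a system binary is suspicious only if the check was run on Windows 8 or later (on Windows 7 the cmdlet does not see catalog signatures and reports `NotSigned` for legitimate files too). `LockedByRunningProcess` being `$true` explains why the posters could not copy or quarantine the file; it says nothing about whether the file is malicious.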

Yes, I confirm :)

No more detected by 080604-0

Tech said: Which is your language? Maybe it occurs just in some Windows languages...
For information, Calgero said he and his friends are French, and I am too. My OS version is XP SP1.

Have a good day
Pulsar33

Confirmed.
Situation unpleasant. >:(

Calgero, are you saying that avast! let you delete this file? How exactly? (What options did you choose?)
What version of avast! do you have?