Avast keeps reporting a rootkit which it can’t seem to delete.
Otherwise, the machine is becoming borderline unusable. It keeps rebooting randomly. While this might be because it’s dying, I’d like to rule the rootkit out as a cause before I bin it!
The filename reported is C:\Windows\system\system32\svchost
When I try to delete it (using the “Delete” button in avast window) it fails. I have told it to reboot immediately many times to perform a boot scan, but it doesn’t seem to help.
First: deletion isn’t really a good first option (you have none left). ‘First do no harm’: don’t delete; send the virus to the chest and investigate.
Why can’t avast deal with it? What errors are displayed?
Is the path you have posted correct?
C:\Windows\system\system32\svchost is incorrect; in a legit installation it would usually be C:\Windows\system32\svchost. The inclusion of a subfolder named system32 in the windows\system folder is basically out to deceive the user into thinking it is a genuine version of svchost.
If you have XP, Vista 32-bit or Win2k, you could enable a boot-time scan. Right-click the avast icon, select Start avast! Antivirus, Menu, ‘Schedule boot-time scan…’. Or see http://www.digitalred.com/avast-boot-time.php.
If I hit the delete button I get an error that it couldn’t be deleted.
Next thing that happens is an Avast window that warns of danger of rootkits and says I should reboot now and do a boot time scan. Again, if I do this it seems to have zero effect. I even tried a reboot to safe mode, logged in as admin and then enabled a boot scan. Still doesn’t go away.
There have been a couple of detections on svchost, some are considered false positives.
However, in your case the location you gave (C:\Windows\system\system32\svchost) of svchost.exe isn’t the standard location as I mentioned in my first reply and that in its own right is suspicious.
So is the reported location you gave correct?
If so I don’t believe it is a false positive.
I have just scanned my windows\system32\svchost.exe file (XP Pro SP2, English language version) and that comes up clean.
Some other tools you can try; also see ‘anti-rootkit, detection, removal & protection’: http://www.antirootkit.com/software/index.htm. Try these, as they are some of the more efficient and user-friendly anti-rootkit tools.
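
The path check discussed in this thread, as an added example that is not part of any poster's reply: it flags any image named svchost that sits outside the expected Windows directory. The function names, the sample process list and the SysWOW64 allowance are assumptions made for the example.

```python
import ntpath

# system32 is the location named in the thread; SysWOW64 (the 32-bit copy on
# 64-bit Windows) is an addition beyond what the thread covers.
LEGIT_DIRS = ("system32", "syswow64")

# Constructed sample of (pid, image path) pairs, not output from a real machine.
SAMPLE = [
    (812, r"C:\WINDOWS\System32\svchost.exe"),
    (1432, r"C:\Windows\system\system32\svchost"),
    (2004, r"C:\Windows\explorer.exe"),
    (2210, "C:/Windows/SysWOW64/svchost.exe"),
]


def classify_image(path, windir=r"C:\Windows"):
    """Return 'ok', 'masquerade' or 'other' for a process image path."""
    # Resolve '..' and '/' and fold case, since Windows paths are case-insensitive.
    norm = ntpath.normcase(ntpath.normpath(path))
    folder, name = ntpath.split(norm)
    stem, ext = ntpath.splitext(name)
    if stem != "svchost":
        return "other"  # look-alike names such as svch0st are out of scope here
    win = ntpath.normcase(ntpath.normpath(windir))
    allowed = {ntpath.join(win, d) for d in LEGIT_DIRS}
    # A genuine copy has the .exe extension and lives directly in an allowed folder.
    if folder in allowed and ext == ".exe":
        return "ok"
    return "masquerade"


def flag_suspicious(records, windir=r"C:\Windows"):
    """Return the (pid, path) pairs whose svchost image is in an unexpected place."""
    return [(pid, p) for pid, p in records
            if classify_image(p, windir) == "masquerade"]


if __name__ == "__main__":
    for pid, path in flag_suspicious(SAMPLE):
        print(f"PID {pid}: svchost image outside the expected folder: {path}")
```
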