Random rebooting and possible rootkit

Hi

Avast keeps reporting a rootkit which it can’t seem to delete.

Otherwise, the machine is becoming borderline unusable. It keeps rebooting randomly. While this might be because it’s dying, I’d like to rule the rootkit out as a cause before I bin it!

The filename reported is C:\Windows\system\system32\svchost

When I try to delete it (using the “Delete” button in avast window) it fails. I have told it to reboot immediately many times to perform a boot scan, but it doesn’t seem to help.

Any other advice?

Thanks
Peter

Hi Peter:

Best to get a “2nd Opinion” by using the FREE “Rootkit Revealer”, available at
http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx ; IF this
program “detects” anything, best to review the info on THEIR Support Forums
at http://forum.sysinternals.com/ .

First - Deletion isn’t really a good first option (you have none left), ‘first do no harm’ don’t delete, send virus to the chest and investigate.

Why can’t avast deal with it, what errors are displayed?

Is the path you have posted correct?
C:\Windows\system\system32\svchost is incorrect; in a legit installation it would usually be C:\Windows\system32\svchost. The inclusion of a subfolder named system32 in the windows\system folder is basically out to deceive the user into thinking it is a genuine version of svchost.

If you have XP, Vista 32-bit or Win2k, you could enable a boot-time scan. Right click the avast icon, select Start avast! Antivirus, Menu, ‘Schedule boot-time scan…’ Or see http://www.digitalred.com/avast-boot-time.php.

Thanks, I will try that.

Hi

If I hit the delete button I get an error that it couldn’t be deleted.

Next thing that happens is an Avast window that warns of danger of rootkits and says I should reboot now and do a boot time scan. Again, if I do this it seems to have zero effect. I even tried a reboot to safe mode, logged in as admin and then enabled a boot scan. Still doesn’t go away.

Cheers
Peter

This file is a false positive right now. Please, do not delete or move it to Chest.
Do not do it in the boot-time scan!

Update your virus database asap!

Hum guys… So it was a false alarm? I don’t have that virus?

There have been a couple of detections on svchost, some are considered false positives.

However, in your case the location you gave (C:\Windows\system\system32\svchost) of svchost.exe isn’t the standard location as I mentioned in my first reply and that in its own right is suspicious.
So is the reported location you gave correct?
If so I don’t believe it is a false positive.

I have just scanned my windows\system32\svchost.exe file (XP Pro SP2, English language version) and that comes up clean.

Some other tools you can try, also see, anti-rootkit, detection, removal & protection http://www.antirootkit.com/software/index.htm. Try these as they are some of the more efficient and user friendly anti-rootkit tools.

Neither do I. Seems that only some localized Windows installations are suffering from this false positive.
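
The path check discussed in this thread (a svchost image reported under C:\Windows\system\system32 instead of C:\Windows\system32), written as a PowerShell check. This is an added example, not part of the original posts: the function name Test-SvchostPath and the sample paths are assumptions made for illustration, and it assumes the only legitimate locations are System32 and, on 64-bit Windows, SysWOW64.

```powershell
# Added example: classify a svchost image path against the standard locations.
# Assumption: legitimate copies live only in %SystemRoot%\System32 and, on
# 64-bit Windows, %SystemRoot%\SysWOW64. Test-SvchostPath is a hypothetical name.
function Test-SvchostPath {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$SystemRoot = $env:SystemRoot
    )
    # Match on the base name so a file reported without ".exe" is still checked.
    $leaf = [System.IO.Path]::GetFileNameWithoutExtension($Path)
    if ($leaf -ne 'svchost') { return 'not-svchost' }

    $expected = @(
        (Join-Path $SystemRoot 'System32\svchost.exe'),
        (Join-Path $SystemRoot 'SysWOW64\svchost.exe')
    )
    # -contains compares strings case-insensitively, as Windows paths require.
    if ($expected -contains $Path) { 'expected' } else { 'suspicious' }
}

# Constructed sample paths; the second is the location reported in the thread.
$samples = 'C:\Windows\System32\svchost.exe',
           'C:\Windows\system\system32\svchost',
           'C:\Windows\System32\lsass.exe'
foreach ($p in $samples) {
    '{0,-12} {1}' -f (Test-SvchostPath -Path $p -SystemRoot 'C:\Windows'), $p
}

# Live check: image path of every running svchost.exe process.
# Get-CimInstance needs PowerShell 3.0 or later. ExecutablePath can be empty
# when the session is not elevated, so report that case separately.
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $verdict = if ($_.ExecutablePath) {
        Test-SvchostPath -Path $_.ExecutablePath
    } else {
        'path-unavailable'
    }
    [pscustomobject]@{
        ProcessId = $_.ProcessId
        Verdict   = $verdict
        Path      = $_.ExecutablePath
    }
}
```

A 'suspicious' verdict only means the path is non-standard; as the replies above point out, a detection on the standard System32 copy can still be a false positive.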