** SVCHOST.EXE false positive issue ** instructions on how to handle

Hi,

anyone affected by the recent SVCHOST.EXE false positive issue, please have a look at this knowledge base article. It describes steps needed to fix the problem.

http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=306

Thanks
Vlk

Congratulations. Very professional answer to the problem.
Thanks Vlk.


Thanks for posting the link to the info, Vlk. :)


Sorry, but it doesn’t work for me.
I’ve tried your patch for FR without success.
I’ve also tried to repair the Winsock LSP with WinsockXPFix (http://www.pchellblog.com/downloads/WinsockFix.exe)
But the problem remains!

And no, my Windows XP version is not a cracked one, but a legal version of Windows XP FR; this is the original CD and the licence key is stuck on my computer.

I’ve installed SP1 but not SP2.

I always get an error message at startup from TomTom Home, which can’t run any service.

For the rest:

  • no start menu
  • no task bar (only a white line in its place)
  • no internet connection
  • no mail

So:

  • How do I recover the start menu? (which is now replaced by a white line)
  • How do I recover internet access (and emails)?

Huh ?

Oh, and of course I’m unable to uninstall TomTom Home because I can’t access the control panel! (and there is no uninstall.exe in the c:\Program Files\TomTom Home folder)

Hi,

Hungarian Windows XP SP2 is also affected. Please help in recovery steps.

mrceeka

see also here http://forum.avast.com/index.php?topic=36078.0

Ahhh … it appears that the US English version of XP SP2 is also affected by this. We lose the following services amongst others.

Avast Web Scanning is dead
Automatic Updates is off and cannot be turned on
Windows Firewall is off and cannot be turned on

However, we can PING out to the Internet. Other workstations on the LAN canNOT ping the workstation IP.

HELP! I have about 10 workstations like this now. It all happened over the July 4th weekend.

Hmmm… are you sure it’s a false positive?

This link is a tutorial on how to help correct a virus detection that you believe to be false:
http://forum.avast.com/index.php?topic=25009.msg204838#msg204838
or http://forum.avast.com/index.php?topic=7779.msg62586#msg62586

FYI … my friend’s machine has XP Professional with SP3 installed and has the same problem. WinSockFix does not do anything for him. Even the system tray is missing when it boots up. >:(

svchost.exe is actually infected.
svchost.exe runs with user name [current user] in the system processes.
Its location is %SystemRoot%\System32\Restore
with the icon of a music folder. It writes a data folder and spreads itself to memory sticks with autorun.inf
HKLM Run C:\Windows\System32\Restore\svchost32.exe
HKCU Run C:\Windows\System32\Restore\svchost32.exe

I suggest:

  1. Disable System Restore and reenable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  4. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.
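The indicators in the post above (a dropper in %SystemRoot%\System32\Restore, svchost32.exe registered under both Run keys, svchost.exe running under the logged-on user instead of a service account, and autorun.inf spreading) can be checked mechanically before the scanning steps. The script below is an added example, not code from the forum or from avast. It works offline on exported artefacts from the suspect machine: a .reg export of the two Run keys, a copied autorun.inf, and the output of `tasklist /v /fo csv`. The sample inputs are constructed for the example; the list of service accounts and the tasklist column names are assumptions about a default XP install.

```python
"""Triage checks for the svchost.exe / System32\\Restore infection described in the thread.

Added example, not part of the forum post. Operates on exported artefacts, so it runs
without access to the live registry or process list of the infected PC.
"""
import csv
import io
from pathlib import PureWindowsPath

# Indicators taken from the post.
BAD_DIR_FRAGMENT = "\\system32\\restore\\"
BAD_BASENAMES = {"svchost.exe", "svchost32.exe"}   # svchost.exe never belongs in a Run key
RUN_KEY_SUFFIX = "\\microsoft\\windows\\currentversion\\run"
# Accounts a genuine svchost.exe runs under (assumption: default XP service accounts).
SERVICE_ACCOUNTS = {"nt authority\\system",
                    "nt authority\\local service",
                    "nt authority\\network service"}


def _first_token(cmd):
    """Executable path from a command line, honouring a quoted first argument."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ")[0]


def parse_reg_export(text):
    """Return [(key, value_name, data)] for REG_SZ values in a .reg export."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes as \\ inside string data
                entries.append((key, name.strip('"'), data[1:-1].replace("\\\\", "\\")))
    return entries


def suspicious_run_entries(entries):
    """Run-key values that point into System32\\Restore or launch an svchost*.exe."""
    hits = []
    for key, name, cmd in entries:
        if not key.lower().endswith(RUN_KEY_SUFFIX):
            continue
        path = _first_token(cmd)
        if BAD_DIR_FRAGMENT in path.lower() or PureWindowsPath(path).name.lower() in BAD_BASENAMES:
            hits.append((key, name, path))
    return hits


def autorun_targets(text):
    """Executables an autorun.inf would launch via open=, shellexecute= or shell\\...\\command=."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            k, _, v = line.partition("=")
            k = k.strip().lower()
            if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
                targets.append(_first_token(v))
    return targets


def suspicious_processes(tasklist_csv):
    """svchost.exe instances not running under a service account (tasklist /v /fo csv output)."""
    hits = []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        if row["Image Name"].lower() == "svchost.exe" and row["User Name"].lower() not in SERVICE_ACCOUNTS:
            hits.append((int(row["PID"]), row["User Name"]))
    return hits


def check_all(reg_text, autorun_text, tasklist_csv):
    return {"run": suspicious_run_entries(parse_reg_export(reg_text)),
            "autorun": autorun_targets(autorun_text),
            "processes": suspicious_processes(tasklist_csv)}


# Constructed sample artefacts mirroring the indicators in the post (not captured from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"svchost32"="C:\\Windows\\System32\\Restore\\svchost32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost32"="C:\\Windows\\System32\\Restore\\svchost32.exe"
'''
SAMPLE_AUTORUN = r'''[autorun]
open=svchost.exe
shellexecute=svchost.exe
icon=%SystemRoot%\system32\SHELL32.dll,237
'''
SAMPLE_TASKLIST = r'''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"svchost.exe","1040","Console","0","4,812 K","Running","NT AUTHORITY\SYSTEM","0:00:02","N/A"
"svchost.exe","1728","Console","0","3,004 K","Running","PC-XP\user","0:00:00","N/A"
'''

if __name__ == "__main__":
    for kind, findings in check_all(SAMPLE_REG, SAMPLE_AUTORUN, SAMPLE_TASKLIST).items():
        print(kind, findings)
```

On the infected machine, export the two Run keys with `reg export` (or `regedit /e`) and capture `tasklist /v /fo csv > tasks.csv` from a clean boot medium or Safe Mode, then feed the three files to `check_all`. Any process hit should be terminated before the Run values and the Restore directory are removed, otherwise the dropper simply re-registers itself; the autorun.inf check should be repeated on every memory stick that touched the machine.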