svchost.exe seems infected

system · 2007-04-09T21:19:57.000Z

Hi, I’m using the free version of avast, latest prog and virus-db-file.

Since a few days avast keeps telling me this upon system-start:
Sign of “Win32:Trojan-gen. {VC}” has been found in “C:\windows\svchost.exe” file.

I tried the options “Repair” and “No action”, both show no effect. I don’t dare to delete or move the file, since it’s a windows-system-file.

Any suggestions? Thanks.
m.

DavidR · 2007-04-09T22:50:46.000Z

What Operating System are you using ?

Trojans generally can’t be repaired (either by the VRDB or avast virus cleaner), because the entire content of the file is malware, so it is either move to chest or delete, move to the chest being the best option (first do no harm). When a file is in the chest it can’t do any harm and you can investigate the infected warning.

The VRDB only protects certain files, .exe, dll and other system files, it doesn’t protect data files or all files, it is not a back-up program, so there are going to be many occasions where repair won’t be an option.

Only true virus infection can be repaired, e.g. when a virus infects a file it adds a small part to it, provided that file is one that avast’s VRDB would monitor and you have run the VRDB, then it may be possible to repair the file to its uninfected state.
However, for the most part so called viruses, trojans (adware/spyware/malware, etc.) can’t be repaired because the complete content of the file is malicious.

It may have the same name as a system file (a common tactic), but the location may be incorrect, in windows XP mine is in C:\windows\system32\svchost.exe and C:\windows\ServicePackFiles\i386\svchost.exe.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner if any other scanners here detect them it is less likely to be a false positive. Whichever scanner you use, you can’t do this with the file in the chest, you will need to move it out.

system · 2007-04-09T23:23:36.000Z

DavidR post:2:

It may have the same name as a system file (a common tactic), but the location may be incorrect, in windows XP mine is in C:\windows\system32\svchost.exe and C:\windows\ServicePackFiles\i386\svchost.exe.

It should normally run from c:\windows\system32 (the service pack files are OK, but it won’t be run from there).

C:\windows\svchost.exe is certainly suspicious.

DavidR · 2007-04-10T00:07:53.000Z

I know it is fine in both my locations, just pointing out the location reported by madom is likely to be incorrect if they are also using XP.

system · 2007-04-10T00:24:18.000Z

Sorry for the redundancy …

DavidR · 2007-04-10T00:50:42.000Z

Not a problem, hopefully we will get some feed back from madom about our duplication ;D and importantly confirmation via virustotal, etc.

system · 2007-04-10T20:41:20.000Z

First of all: Thanks for your tips. Using WinXP, I found out googleing about the file to be in the wrong folder myself last night and figured it to be a suspicous file. Therefore…

… I moved the file to the chest now and upon next reboot, I didn’t get a message anymore.

I have to say that neither Ad-Aware Professional nor Spybot Search & Destroy found the file to be suspicous… >:(

Results of Jotti Online Scanner:

AntiVir Found TR/Proxy.Small.DT
ArcaVir Found Trojan.Proxy.Small.Dt
Avast Found Win32:Trojan-gen. {VC}
AVG Antivirus Found Proxy.ICZ
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Proxy.Win32.Small.dt
Fortinet Found W32/Small.DT!tr
Kaspersky Anti-Virus Found Trojan-Proxy.Win32.Small.dt
NOD32 Found Win32/TrojanProxy.Small.DT
Norman Virus Control Found W32/Smalltroj.MKQ
Panda Antivirus Found nothing
Rising Antivirus Found Trojan.Proxy.Small.nc
VirusBuster Found nothing
VBA32 Found Trojan-Proxy.Win32.Small.dt

It really seems to be malware,good Job Avast! I hope it didn’t mess with my System…

DavidR · 2007-04-10T21:43:30.000Z

No problem, glad we could help.

You will probably be OK just monitor your system for unknown processes in the task manager and unauthorised outbound internet connections, etc. Of course your firewall (which is ?) should provide this outbound protection and the XP firewall doesn’t.

You might also consider proactive protection, in order to place files in the system folders and create registry entries you need permission. Prevention is much better and theoretically easier than cure.

Whilst browsing or collecting email, etc. if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can reap havoc. With limited rights the malware can’t put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.

system · 2007-04-10T21:48:00.000Z

Hey thanks, I will check this out. I would really not like to miss my Administrator Rights in daily Use since I play around a lot, install stuff, unistall. Probably not the most safety-concious user there is.

Another basic question: Can I put a system file in the chest? Say, the virus would have infected my real svchost.exe, could I have put it to the chest and still have my system running?

Thanks again.
m.

DavidR · 2007-04-10T22:08:43.000Z

The DropMyRights doesn’t restrict your administrator rights, it is applied to an application (you choose and set-up shortcuts to launch that application with restricted rights) and not the user. So installation won’t be effected since you have administrator rights.

avast will move any file that is infected to the chest if that is your decision. if it is in use windows will usually protect it. That is why regularly running the VRDB is advisable as the option to repair might well be available if that file was included in a previous VRDB scan.

Announcements