W32:Rootkit-Gen in /System32/svchost.exe

Hello,

Yesterday, Avast on my home computer reported that it was infected with a virus named W32:Rootkit-Gen. The infected file was /System32/svchost.exe.

While browsing this forum, I noticed that a few people had this problem, too. I wanted to ask - was this alert verified as true or false? I don’t know if there’s a need for alarm or not…

Another question: since Avast reported this infection, I’ve lost Internet access on the (supposedly) infected computer. If that alert is a false one, what could be the cause of this problem and what could be done about it?

I must add that, initially, I ordered Avast to delete svchost.exe… Of course, that proved to be a mistake. I repaired my Windows with my installation disc, but the Internet connection is still down. Could the unnecessary deletion be the cause?

I’d be very thankful for your help.

Look at this thread:
http://forum.avast.com/index.php?topic=36078.15

You’ll need to roll back the system with System Restore.
And update Avast to the latest database…

Well, there is a problem with that: my System Restore function was turned off… :frowning:

Which firewall do you use?
If you repair your Windows installation, svchost.exe should be back.
Maybe running:
sfc /scanonce
will bring back any system file that might be missing.

What I can’t understand is that these false positives should be prevented by the file’s digital signature. Why isn’t avast working? Why isn’t this feature working?

If you have the Windows install disk, try running the installer d:\i386\winnt32.exe and set the install mode to Update.

Which firewall do you use?

Apart from Avast’s? None…

If you repair your Windows installation, svchost.exe should be back.

Oh, I think it is back. But the Internet access isn’t… I cannot get through to any webpage or check e-mail. And according to Windows, there’s no data coming in or going out through the connection.

sfc /scanonce
will bring back any system file that might be missing.

Is it a system feature, or some program like HijackThis?

If you have the Windows install disk, try running the installer d:\i386\winnt32.exe and set the install mode to Update.

Just for my information: what exactly would I do by running this?

You’ll update the OS and restore the svchost service.
Otherwise you need external utilities for System Restore.

Sorry for my English. Russia.

You’ll update the OS and restore the svchost service.

Ah, thank you :slight_smile:

Sorry for my English. Russia.

No problem. Poland here :wink:

I ran sfc /scanonce yesterday. It didn’t help; my Internet connection is still down.

I’ve uninstalled Avast… It didn’t help either.

I’m starting to suspect that Avast managed to screw up my Internet connection’s settings or the relevant drivers. Does anybody have any ideas how to deal with this…?

Piotr, will this help?
http://www.softpedia.com/get/Tweak/Network-Tweak/WinSockFix.shtml

No, it didn’t… I also used the Russian patch provided on the other thread - didn’t help either.

It looks more and more like I’m going to spend the whole weekend reinstalling Windows…

… and Avast people still seem not to care about the mess they created. There’s still not a word of official comment on the website!

Sorry to sound bitter, but this is really annoying.

There is a message about the problem on support.avast.com, and there are instructions there on how to deal with it for French and Russian OS.
I’m afraid there’s nothing for Polish, however.
What service pack do you have installed?

There is a message about the problem on support.avast.com, and there are instructions on how to deal with it for French and Russian OS.

Yes, I’ve seen it. I tried the Russian solution, but it didn’t work. I haven’t tried the French one yet, because the file server the patches are hosted on doesn’t let me download them (user limits per country).

What service pack do you have installed?

SP1 or none, I think.

Hi PiotrW,

That is why we have a sticky in “Viruses and Worms” about what to do when a virus has been found.
An AV program, whatever the product, is a dangerous tool to use. Always remember that and keep it in the back of your head. All newbies and normal users should know that following up on a virus alarm without actually knowing what is going on can ruin your installation, your OS and your network connection. So in case of a virus alert, first establish whether other scanners also flag the file; if only one product does, the chance of a false positive is enormous. If you then delete an essential system file on the strength of a FP, you are in for some proverbial headaches. So first upload the file in question to VirusTotal, get information from a malware fighter here on the forum, and then you can make an informed decision about what to do; otherwise you could be playing Russian roulette. Remember the time people were advised in an e-mail to delete an important win32 file: they lost the ability to restore long document names and could no longer use Word or Outlook.
Well, the lesson learned here is that you have to experience this once to be twice shy the second time, I can tell you. I would never trust a single AV scanner; I run several non-resident scanners next to avast to be absolutely certain the infection is real and the malware solution is not destroying my applications or worse. “Nie smaczny” (not pleasant), but that is reality, so next time run DrWebCureIt first or scan the file with ClamAV,

Regards,

polonus
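The triage polonus describes (confirm a detection with more than one engine before letting the scanner act) and the earlier question about why the file’s digital signature did not prevent the false positive can be turned into a short check. The script below is an added example, not code from the thread or from avast; it assumes Windows XP SP3 or later with PowerShell 2.0 or newer, run as an administrator, and uses the path from the original report as its default:

```powershell
# Added example, not code from the original thread: triage a file that a
# scanner has flagged before letting the scanner delete or quarantine it.
# Assumptions: Windows XP SP3+ with PowerShell 2.0+, run as an administrator;
# the default path is the file named in the original report.
param(
    [string]$Path = "$env:SystemRoot\System32\svchost.exe"
)

function Get-Sha256Hex {
    param([string]$File)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs = [System.IO.File]::OpenRead($File)
    try { $bytes = $sha.ComputeHash($fs) } finally { $fs.Close() }
    return ([BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

if (-not (Test-Path -Path $Path)) {
    Write-Host "File not found: $Path (has the scanner already deleted it?)"
    exit 1
}

# 1. Authenticode signature. A Microsoft binary in System32 should verify.
#    Caveat: on XP most system files are catalog-signed rather than carrying
#    an embedded signature, so Status = NotSigned does not by itself prove
#    tampering. Use it together with the checks below.
$sig = Get-AuthenticodeSignature -FilePath $Path
Write-Host ("Signature : {0}" -f $sig.Status)
if ($sig.SignerCertificate) {
    Write-Host ("Signer    : {0}" -f $sig.SignerCertificate.Subject)
}

# 2. Hash. Look the SHA-256 up on virustotal.com (many engines, not one)
#    and compare it with the copy Windows File Protection keeps in dllcache.
$hash = Get-Sha256Hex -File $Path
Write-Host "SHA-256   : $hash"
$cached = Join-Path $env:SystemRoot 'System32\dllcache\svchost.exe'
if (Test-Path -Path $cached) {
    if ((Get-Sha256Hex -File $cached) -eq $hash) {
        Write-Host "Matches the dllcache copy"
    } else {
        Write-Host "DIFFERS from the dllcache copy; one of the two has changed"
    }
}

# 3. Location. The real svchost.exe lives in System32 (plus the WFP and
#    service-pack backup copies). List every copy with its hash so that an
#    extra svchost.exe in an odd directory, or one with a different hash,
#    stands out.
Get-ChildItem -Path $env:SystemRoot -Recurse -Filter 'svchost.exe' -ErrorAction SilentlyContinue |
    ForEach-Object {
        Write-Host ("{0}  {1}" -f (Get-Sha256Hex -File $_.FullName), $_.FullName)
    }
```

None of the three checks is conclusive on its own: the signature check is weak on XP because of catalog signing, the dllcache copy can be replaced by the same malware that replaced the original, and a clean VirusTotal result only says that no engine recognises the file. Together, and with a second opinion from a non-resident scanner as polonus suggests, they are enough to decide whether a single product’s alert justifies deleting a file that Windows cannot run without.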

The files I mentioned are hosted on our servers, so they certainly aren’t blocked for anybody.
But it doesn’t change the fact that there’s no article for Polish currently :frowning:

I was referring to the Megaupload link provided by the French user, actually.

I downloaded the French fix from your server. Thank you :slight_smile: I’ll try using it… although I’m not sure it’ll work. I’m using the Polish version of XP…

Hi PiotrW,

Disable system protection and then run System File Checker (sfc.exe); this will scan all protected Windows files to verify that their versions have not been overwritten or damaged and, if so, will replace the compromised version with a fresh copy. To run it, click Start/Run and type ‘sfc.exe /scannow’ (without the quotes but with the space between the ‘e’ and the ‘/’). Alternatively, you can click Start/Run, type in CMD and click OK; when the black window opens, type in “sfc /scannow”. You will need to insert your Windows CD into the drive to enable sfc to carry out the repair. Sfc.exe will just stop without any sign other than the status bar disappearing! And remember, never ever delete svchost.exe again; do not even think about it. As for repairing it, well, try this:

Verify Windows Update Service Settings

* Click on Start, Run and type the following command in the open box and click OK

  services.msc

* Find the Automatic Updates service and double-click on it.
* Click on the Log On tab and make sure "Local System Account" is selected as the logon account and the box for "Allow service to interact with desktop" is UNCHECKED.
* Under the Hardware Profile section of the Log On tab, make sure the service is enabled.
* On the General tab, the Startup Type should be Automatic; if not, drop the box down and select Automatic.
* Under "Service Status" on the General tab, the service should be Started; click the Start button to enable it.
* Repeat the steps above for the service "Background Intelligent Transfer Service (BITS)".

Re-Register Windows Update DLLs

* Click on Start, Run, and type CMD and click ok
* In the black command window type the following command and press Enter

  REGSVR32 WUAPI.DLL

* Wait until you receive the "DllRegisterServer in WUAPI.DLL succeeded" message and click OK
* Repeat the last two steps above for each of the following commands:

  REGSVR32 WUAUENG.DLL
  REGSVR32 WUAUENG1.DLL
  REGSVR32 ATL.DLL
  REGSVR32 WUCLTUI.DLL
  REGSVR32 WUPS.DLL
  REGSVR32 WUPS2.DLL
  REGSVR32 WUWEB.DLL

Remove Corrupted Windows Update Files

* At the command prompt, type the following command and press Enter

  net stop WuAuServ

* Still at the command prompt, type the following and press Enter

  cd %windir%

* In the opened folder, type the following command and press Enter to rename the SoftwareDistribution folder

  ren SoftwareDistribution SD_OLD

* Restart the Windows Update service by typing the following at the command prompt

  net start WuAuServ

* Type Exit and press Enter to close the command prompt

Reboot Windows

* click on Start, Shut Down, and Restart to reboot Windows XP

Damian
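Damian’s four-part procedure (service settings, DLL re-registration, clearing the download cache, reboot) is easy to get half-done when typed by hand. The script below is an added example, not Damian’s or avast’s code; it performs the same steps in one pass. It assumes PowerShell 2.0 or newer on Windows XP, run from an administrator account; the original steps are cmd.exe commands, and the service names wuauserv (Automatic Updates) and BITS are the ones Windows uses for the services named in the post:

```powershell
# Added example, not code from the original post: Damian's Windows Update
# repair steps as one script. Assumptions: PowerShell 2.0+ on Windows XP,
# run as an administrator. wuauserv = "Automatic Updates" in services.msc.

$services = 'wuauserv', 'BITS'
$dlls = 'wuapi.dll', 'wuaueng.dll', 'wuaueng1.dll', 'atl.dll',
        'wucltui.dll', 'wups.dll', 'wups2.dll', 'wuweb.dll'

# 1. Startup type Automatic and running, for both services
foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Host "Service $name not found"; continue }
    Set-Service -Name $name -StartupType Automatic
    if ($svc.Status -ne 'Running') { Start-Service -Name $name }
    Write-Host ("{0,-10} {1}" -f $name, (Get-Service -Name $name).Status)
}

# The post's "Local System Account" check: report the log-on account
foreach ($name in $services) {
    $w = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($w) { Write-Host ("{0,-10} runs as {1}" -f $name, $w.StartName) }
}

# 2. Re-register the Windows Update COM servers (/s suppresses the
#    "DllRegisterServer succeeded" dialog; the exit code says the same)
foreach ($dll in $dlls) {
    $full = Join-Path $env:SystemRoot "System32\$dll"
    if (-not (Test-Path -Path $full)) { Write-Host "$dll missing"; continue }
    $p = Start-Process -FilePath 'regsvr32.exe' -ArgumentList "/s `"$full`"" -Wait -PassThru
    Write-Host ("regsvr32 {0,-14} exit {1}" -f $dll, $p.ExitCode)
}

# 3. Rename the download cache so Windows Update rebuilds it
Stop-Service -Name wuauserv -Force
$sd = Join-Path $env:SystemRoot 'SoftwareDistribution'
if (Test-Path -Path $sd) {
    if (Test-Path -Path (Join-Path $env:SystemRoot 'SD_OLD')) {
        Remove-Item -Path (Join-Path $env:SystemRoot 'SD_OLD') -Recurse -Force
    }
    Rename-Item -Path $sd -NewName 'SD_OLD'
}
Start-Service -Name wuauserv

# 4. Reboot is still the last step (Restart-Computer is PowerShell 2.0+)
Write-Host "Done. Reboot to complete the repair."
```

A non-zero regsvr32 exit code for one of the DLLs is the thing to look at: the remaining steps will run anyway, but a DLL that refuses to register is usually the actual fault.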

I’ve run the French fix. Didn’t help either…

Damian - thank you very much for your instructions. I’ll try doing this tomorrow…

You should also check out this avast! knowledge base article, http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=306

You should also check out this avast! knowledge base article

As I mentioned earlier, I ran both fixes. Didn’t help…

Disable system protection and then run System File Checker (sfc.exe); this will scan all protected Windows files to verify that their versions have not been overwritten or damaged and, if so, will replace the compromised version with a fresh copy.

Damian, I ran SFC yesterday. It didn’t help…

BTW, I was toying with the idea that the problem lies in my Ethernet card, so I tried using ipconfig \release and ipconfig \ renew. The first command told me that the card’s settings had already been released. The second command returned an error (“File not found” etc.).
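On XP the DHCP Client, DNS Client and Network Connections services all run inside svchost.exe, so a deleted or mis-repaired svchost.exe leaves the adapter without a lease and without name resolution, which is consistent with the release/renew results above. The script below is an added example, not code from the thread or from the WinSockFix tool linked earlier; it checks those services and the adapter configuration first and only resets the stack on request. It assumes PowerShell 2.0 or newer run as an administrator; the -Reset switch is the script’s own parameter:

```powershell
# Added example, not code from the original thread: check the parts of the
# XP networking stack that run inside svchost.exe before resetting it.
# Assumptions: PowerShell 2.0+ as an administrator; -Reset is this script's
# own switch, not a Windows feature.
param([switch]$Reset)

# Services hosted by svchost.exe on XP. If svchost.exe was removed or
# replaced, these cannot start, DHCP gets no lease and DNS does not resolve.
$needed = 'RpcSs', 'Dhcp', 'Dnscache', 'Netman', 'LanmanWorkstation'
$allRunning = $true
foreach ($name in $needed) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') {
        Write-Host ("{0,-18} Running" -f $name)
    } else {
        $allRunning = $false
        $state = if ($svc) { $svc.Status } else { 'missing' }
        Write-Host ("{0,-18} {1}" -f $name, $state)
    }
}

# Which image the services are configured to start from: it should be
# %SystemRoot%\System32\svchost.exe followed by a -k group argument.
Get-WmiObject -Class Win32_Service -Filter "Name='Dhcp' OR Name='Dnscache'" |
    ForEach-Object { Write-Host ("{0}: {1}" -f $_.Name, $_.PathName) }

# Adapter configuration, the same data "ipconfig /all" shows
Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
    ForEach-Object {
        Write-Host $_.Description
        Write-Host ("  IP   : {0}" -f ($_.IPAddress -join ', '))
        Write-Host ("  GW   : {0}" -f ($_.DefaultIPGateway -join ', '))
        Write-Host ("  DNS  : {0}" -f ($_.DNSServerSearchOrder -join ', '))
        Write-Host ("  DHCP : {0}" -f $_.DHCPEnabled)
    }

# Reset Winsock and TCP/IP only when the services are healthy and the
# address is still empty; this is what WinSockFix-style tools automate.
# Caveat: "netsh winsock reset" exists on XP SP2 and later only; on SP1 or
# RTM, the original poster's case, that command is not available.
if ($Reset) {
    if (-not $allRunning) {
        Write-Host 'Fix the svchost-hosted services first; a Winsock reset will not help.'
        exit 1
    }
    netsh winsock reset
    netsh int ip reset "$env:TEMP\ipreset.log"
    ipconfig /release
    ipconfig /renew
}
```

Run it without -Reset first: if Dhcp or Dnscache is stopped or missing, the problem is the service host, not the adapter or Winsock, and the earlier advice (restore svchost.exe from the install disc or dllcache, then check the services) applies before any stack reset.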