Win32:Patched-IT found in C:\WINNT\system32\svchost.exe

It will probably allow you to download it; if it doesn’t, you could also try changing the download name that you save it as to, say, safety-launch.exe. Hopefully that may bypass any file name detection so it doesn’t block it.

I don’t know if you can run this tool from safe mode, as that is possibly another option.

DavidR,

Can you answer this: Since I don’t have the means of replacing the infected file (see my prior posts), would this program miraculously be able to repair the file so that it doesn’t need to be replaced???

Because if it just deletes it, I am told the system won’t work (the svchost.exe file).

I am afraid to try anything, . . . and haven’t had the time to become enmeshed in doing so–though I so need my computer.

justintime: And, justintime, if you see this, can you tell me if you had a Windows File Protection problem along with this trojan? And also, can you tell me if the trojan was running when you were able to rename the file?? Because the trojan is running on my system, and I don’t know that it would let me rename the file.

Thanks everyone.

Short answer is I don’t know, but you haven’t said if you have tried DrWeb yet as it seems to be a program that can repair this so replacement isn’t so critical. So I would devote some time to trying that.

I really don’t know of a way round not having your OS CD and if there is no way of replacing the file from the dllcache folder. Have you checked a) if the svchost.exe file is in the dllcache folder and b) if it is clean?

I’m not really sure what you mean by Windows File Protection as in theory everyone has that to stop you replacing files in use, but apparently it allows you to rename them in explorer as some have found.

Whilst my system isn’t infected, using explorer, I just right clicked on the c:\windows\system32\svchost.exe and selected rename and there were no objections, but obviously I didn’t rename it as there is nothing wrong with it.

Personally I wouldn’t do this simply to test a theory, but if my a** was in a sling and I had nothing else to try then it would be an option of last resort, but you must have a copy of the svchost in the c:\windows\system32\dllcache\ folder and it must be clean.