No problem, glad I could help.
Welcome to the forums.
Had a scare last night when avast reported this infection during a scan. Unfortunately, my brother deleted the file when the warning popped up. The file’s location was C:\windows\softwaredistribution\download[string of numbers]\svchost.exe. The computer has booted up fine since then and further scans with Avast (with the newest update) and Malwarebytes show no problems. Do I have any reason to be worried?
Well that location isn’t where the in use svchost.exe would be, it is in the windows\system32\ folder. So its loss hopefully shouldn’t be an issue.
I don’t have a copy of svchost.32 in any c:\windows\softwaredistribution\download\ sub-folder, so I’m not entirely sure how yours came to be there. So this one would require further investigation, which since it has been deleted can’t happen.
You have to stop him deleting as a first course of action as it will bite you/him in the rear one day.
Thanks, I updated my VPS, and I was able to scan without it coming up. Result, 0 infected files.
I do have a few questions: why do false positives happen in the first place? Is there any reason why they happen? This was the first time I ever noticed it. I’d just like an answer please.
Hi Wolfy,
Why do FPs happen? Well, it is because of how AV detection works, and also because malcreants use encryption that is also used by legit software developers, to pose as legit. With heuristics the good program or file can share characteristics of malware, and in that case a False Positive is born. As soon as they are found these are taken out, and if it is a real FP it will not appear after a new AV scanner update.
polonus
This FP came up when a patched svchost.exe was added to detections (unfortunately it has not been caught by exact match)… anyway, there were not that many affected users, and for those few affected we released a fixed VPS right when it was possible… and - the accidental deletion of svchost.exe is blocked by avast, so there should be no harm at all…
Thanks for explaining it and giving me a good idea on why it happened. Having it not happen to me before made me wonder. I’m glad it’s fixed now.
Unfortunately, this problem did affect me.
I am a volunteer computer administrator for my church. We had five Windows XP SP3 computers affected by this false positive. They had a scheduled scan run with the bad VPS, and when the false rootkit was detected in c:\windows\system32\svchost.exe, that file was moved to the chest. Later that morning there was a power outage and the computers rebooted. When they came back up, many of the standard Windows services no longer worked, including networking, system restore, etc.
As I said, I’m a volunteer without a huge amount of experience handling problems like this, and so I couldn’t figure out how to fix this problem. I tried repairing Windows, but that does not seem to have fixed all the problems. I’m looking at reinstalling Windows on 5 computers this weekend!
Very disappointed in Avast, I have to say…
I just had 15+ computers get this on 7/24. I am running the AVAST SBS Suite. It infected all workstations but not the server. I do not believe it was a false positive. The following are the symptoms.
AVAST reported a WIN32:Rootkit [RTK] infection on the file C:\WINDOWS\SYSTEM32\SVCHOST.EXE
Network access was terminated. IP number was set to 0.0.0.0 and the DHCP was shut off.
Access to network setting was disabled. You could see the option but could not run the application that allows you to set IP numbers, DNS, etc. Access via the netsh command was also disabled. Reported RPC errors.
Windows taskbar was minimized so it was just a line at the bottom of the screen, and it was locked so it could not be enlarged.
Cut, Copy, Paste functionality was removed.
Windows Defender produced an error message.
Installing other software products had various results. Some would install, some would not.
Hi ozzie3860
I don’t know that much about SBS but it appears that the avast server is fine.
If you go back to the start of this thread you come to a link that applied to this issue from a while back.
You may need to consider this fix in respect to workstations and then look to push through the server again, and may need reset, reconfigure networking routine. But I’m only speculating here. Perhaps the link may help you to sort out a solution to the problem.
This issue with WIN32:Rootkit [RTK] has been about the forum many times, so I’m sure that your problem can be resolved. Otherwise you could start a new thread under the avast Server topics section.
Hi ozzie3860,
I had six machines affected with the exact same symptoms you described.
Many of the services use the svchost.exe to start, including the RPC service. Many other services depend on RPC service to run. This caused many of the Windows functions to cease working, from network services to copy and paste.
If you search your hard drive you’ll find svchost.exe in a system restore folder. Copy it to the windows\system32 folder.
Now boot with an XP setup disk and go to the recovery console. There you can manually restore the registry.
All functions were restored when I restarted the pc. All scans with Avast (with today’s updated definitions) and Spybot came up clean.
Good luck.
Mike
hi mr squared
False positive or not, I chose to delete svchost and now I have the symptoms like the previous post.
I’m not a virus expert, so I chose that option and after reboot I got a failing PC and lost lots of time.
This is 50 hours later and I’m lucky I have a spare install.
I spent many hours on spyware forums, till I found out that the missing svchost deleted by avast must be the problem.
Since finding this thread I’m sure many victims are still out there.
I really want avast to disable the delete function from now on, seeing there is a long way to go in finding out whether it is a false positive or not.
Avast should be made to prevent failures, not to cause them.
Hi b0g
How long ago did this happen? Are you up to date?
Really need more details about the system you are using and the AV set up you have.
Have you seen this post earlier in the thread?
http://forum.avast.com/index.php?topic=47058.msg396464#msg396464
If you had deleted it, which would be a rare case, it can be fixed.
Start at first post in thread if need be for history behind this issue.
Appreciate your input. Replacing svchost.exe with a backup version was one of the first things we tried. It did not solve the issue.
The error also showed up in various files with the .tmp extension.
If you had deleted it, which would be a rare case, it can be fixed.
Yeah? with few efforts? when avast is dead?
avast 4 7 10 0 43 vps 090724 on win xp sp 3
The happy thing is I resolved it by the recovery console mentioned above, and saved my registry.
Isn’t it supposed to be 4.8 version of avast? ???
It says 4.7 home ed in avast info and with installed services etc.
Win XP Prof English.
Did a prog update manually + restart.
Update setting was > prog update: > ask when update is available; is now automatic.
Scan of C: no problem.
I suggest an installation from scratch:
I have noticed the svchost.exe in the restore directory to be infected as well. I have been restoring the file as follows:
The following are command line entries:
3. cd \windows\system32
4. del svchost.exe
5. copy c:\svchost.exe c:\windows\system32
6. copy to any other directories you discovered were infected so the virus can no longer propagate
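Both restore procedures above (Mike’s copy from the system restore folder, and the command-line steps just given) come down to the same check: is svchost.exe still in system32, and does the copy there match a copy you trust? The batch script below is an added example, not something posted in this thread or shipped by avast. It assumes the reference copy is the Windows File Protection cache at %SystemRoot%\system32\dllcache\svchost.exe (present on a normal XP SP3 install, but it can be empty or cleaned out, and, as the post above notes, a restore-folder copy can itself be bad, so the reference path is an assumption you should satisfy from a clean machine or the install CD first). It uses only built-in cmd.exe commands (copy, fc) that exist on XP.

```batch
@echo off
rem Added example (not from the thread): check the in-use svchost.exe in system32
rem and, if it is missing, restore it from a reference copy; if it is present but
rem differs from the reference, report it as suspect instead of replacing it.
rem BACKUP is an assumption: the XP File Protection cache. Point it at a copy
rem taken from a clean SP3 machine or the install CD if dllcache is empty.
setlocal
set TARGET=%SystemRoot%\system32\svchost.exe
set BACKUP=%SystemRoot%\system32\dllcache\svchost.exe

if not exist "%BACKUP%" (
    echo No reference copy found at "%BACKUP%".
    echo Put a svchost.exe from a clean XP SP3 machine or the install CD there first.
    exit /b 1
)

if not exist "%TARGET%" (
    echo svchost.exe is missing from system32 - restoring from "%BACKUP%".
    copy /y "%BACKUP%" "%TARGET%" >nul
    if errorlevel 1 (
        echo Restore failed - check that you are running from an account that can write to system32.
        exit /b 1
    )
    echo Restored. Reboot so the RPC service and everything that depends on it can start again.
    exit /b 0
)

rem File is present: compare it byte for byte with the reference copy.
rem fc sets errorlevel 1 when the files differ and 2 when one cannot be opened.
fc /b "%TARGET%" "%BACKUP%" >nul
if errorlevel 1 (
    echo system32\svchost.exe differs from the reference copy - treat it as suspect.
    echo Scan it with current definitions before deciding anything, or run "sfc /scannow" with the XP CD.
    exit /b 2
)
echo system32\svchost.exe matches the reference copy.
exit /b 0
```

Run it from an administrator cmd.exe (or from the Recovery Console after copying it in, since that is where the thread’s own steps are typed). The point of the fc comparison is the caveat the thread keeps running into: a copy that is present is not automatically a good copy, and a “backup” pulled from a system restore folder may be the same file the scanner flagged, so compare before you trust either one.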