Author Topic: c:\windows\system32\svchost.exe Rootkit ;-(  (Read 171653 times)


pierrebulle (Guest)
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #105 on: June 05, 2008, 02:42:42 PM »
Here is the complete procedure:

Download my patch http://www.megaupload.com/fr/?d=DWCFOOBF
then unzip it onto a USB key or a CD.

On the affected machine, press Ctrl+Alt+Del.

Click File, New Task.

Type cmd

A DOS window appears; type the following command line there:

copy e:\svchost.exe c:\windows\system32

Note: e: is the drive in my case; adapt it to your configuration, and make sure you copy into SYSTEM32 and not SYSTEM.

Type exit to close the window.

Then, if My Computer is on the desktop, right-click it and choose Explore; otherwise use the key combination again, New Task, and this time type explorer.

Double-click the REG files one by one and restart the computer.

In some cases it may be necessary to run WinsockxpFix.exe http://www.snapfiles.com/get/winsockxpfix.html

That's it, and good luck to all.

Raf (Guest)
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #106 on: June 05, 2008, 02:47:36 PM »
THANK YOU SO MUCH :-* :-* :-* :-* :-* :-* :-*

Otherwise, can you confirm that safe mode is not required?

kostik (Guest)
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #107 on: June 05, 2008, 02:52:53 PM »
Thanks, really nice of you to have spelled that out :)

Two more things I need to know before I try:

What about safe mode?
When I burn the CD on my "healthy" PC, should I burn the archive, or unzip it and then burn?

EDIT: beaten to it on the safe mode question ^^

pierrebulle (Guest)
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #108 on: June 05, 2008, 02:55:28 PM »
Safe mode or not, it's the same for me.

Unzip before burning or copying to a key; I'm not sure the unstable system will unzip it correctly.

Raf (Guest)
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #109 on: June 05, 2008, 02:58:17 PM »
> Safe mode or not, it's the same for me.
>
> Unzip before burning or copying to a key; I'm not sure the unstable system will unzip it correctly.

Clearly several archives on my PC have become inaccessible (not all of them); personally I wouldn't take the risk.

Well, thanks for your answer Pierre (since I can't get into safe mode ;) ); I'll keep you posted, I'll try it this evening.

Thanks again

REDACTED (Guest)
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #110 on: June 05, 2008, 06:10:39 PM »
Pierre Bulle, congratulations!

By following your advice, I managed to avoid the umpteenth Windows reinstall.

Franck :)

TAG (Guest)
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #111 on: June 05, 2008, 06:40:44 PM »
Pierre bulle.
I have to say I had the same problem on June 3, and I've been tearing my hair out for 48 hours. After wasting my time setting up another machine so I could work, I read your posts carefully and I admit I followed your procedure, and as if by magic the machine works normally again.
I'm on XP SP1. I followed your procedure in normal mode and everything is OK (I haven't reconnected the network and web connections yet). One thing is certain: I'm giving up AVAST and sending an e-mail to all my contacts to warn them of the problem!
Many thanks.
xxxxxxxxxxxxxxxxxxxxxx
The only thing is that to copy your svchost.exe, I didn't have access to Ctrl+Alt+Del .... so I went through Start - Run, typed "CMD" and finally ran the command you indicate, copy e:\svchost.exe c:\windows\system32, knowing that my CD is on e:
Thanks again.

For our "English speaking friends"
Thanks to you for your help. I have followed all your information and my computer works normally.
After having copied the svchost.exe using the Start-Run window, CMD (return) and done "copy e:\svchost.exe c:\windows\system32". Then I clicked on all the reg files.
Just be informed that I did it in normal mode with XP Pro SP1.
One thing is sure. I stop avast!
Thanks again
(sorry for my poor English from France!)

PiotrW (Guest)
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #112 on: June 05, 2008, 08:05:44 PM »
Well, the patches didn't work for me. I used the Russian patch, I also ran WinSocksFix... and my Internet connection is still down!

Any other advice, people..?

igor (Avast team)
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #113 on: June 05, 2008, 08:39:14 PM »
Knowledgebase articles for French and Russian OS have been posted on support.avast.com.
So, if you are affected, please check here.

polonus (Avast Überevangelist)
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #114 on: June 05, 2008, 09:01:49 PM »
Hi malware fighters,

A method to repair this, if this does not cure all problems try:
Verify Windows Update Service Settings

    * Click on Start, Run and type the following command in the open box and click OK

      services.msc

    * Find the Automatic Updates service and double-click on it.
    * Click on the Log On Tab and make sure the "Local System Account" is selected as the logon account and the box for "allow service to interact with desktop" is UNCHECKED.
    * Under the Hardware Profile section in the Log On Tab, make sure the service is enabled.
    * On the General Tab, the Startup Type should be Automatic, if not, drop the box down and select Automatic.
    * Under "Service Status" on the General tab, the service should be Started; if not, click the Start button to enable it.
    * Repeat the steps above for the service "Background Intelligent Transfer Service (BITS)"

Re-Register Windows Update DLLs

    * Click on Start, Run, and type CMD and click ok
    * In the black command window type the following command and press Enter

      REGSVR32 WUAPI.DLL

    * Wait until you receive the "DllRegisterServer in WUAPI.DLL succeeded" message and click OK
    * Repeat the last two steps above for each of the following commands:

      REGSVR32 WUAUENG.DLL
      REGSVR32 WUAUENG1.DLL
      REGSVR32 ATL.DLL
      REGSVR32 WUCLTUI.DLL
      REGSVR32 WUPS.DLL
      REGSVR32 WUPS2.DLL
      REGSVR32 WUWEB.DLL

Remove Corrupted Windows Update Files

    * At the command prompt, type the following command and press Enter

      net stop WuAuServ

    * Still at the command prompt, type the following and press Enter

      cd %windir%

    * In the opened folder, type the following command and press Enter to rename the SoftwareDistribution folder

      ren SoftwareDistribution SD_OLD

    * Restart the Windows Update service by typing the following at the command prompt

      net start WuAuServ

    * Type Exit and press Enter to close the command prompt

Reboot Windows

    * click on Start, Shut Down, and Restart to reboot Windows XP

Disable system protection and then Run a System File Checker (sfc.exe), this will scan all protected Windows files to verify their versions have not been overwritten or damaged, and if so will replace the compromised version with a fresh copy. To run it, click Start/Run and type 'sfc.exe /scannow' (without the quotes but with the space between the 'e' and the '/'). Alternatively, you can click start/Run and type in CMD and click O.K., when the black window opens type in "sfc /scannow". You will need to insert your Windows CD into the drive to enable sfc to effect the repair. Sfc.exe will just stop without any other sign than the statusbar is gone! And remember, never ever delete svchost.exe again, do not even think about it,


Damian
« Last Edit: June 05, 2008, 09:07:02 PM by polonus »
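The Windows Update repair steps from the post above, collected into one script so the service settings are reported rather than eyeballed in services.msc. This is an added example, not code from polonus or Avast; it assumes an elevated Windows PowerShell 2.0 or later session on the affected machine, and takes the SD_OLD name and the DLL list from the post.

```powershell
# Added example, not code from the thread: the Windows Update repair steps from the
# post above collected into one script. Assumes an elevated Windows PowerShell 2.0+
# session on the affected machine; SD_OLD and the DLL list are taken from the post.

# 1. Service settings: report the Log On tab values, force Automatic start, make sure it is running.
foreach ($name in 'wuauserv', 'BITS') {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if ($svc.StartName -ne 'LocalSystem' -or $svc.DesktopInteract) {
        Write-Warning ("{0} logs on as '{1}' (interact with desktop: {2}); fix it in services.msc, Log On tab" -f $name, $svc.StartName, $svc.DesktopInteract)
    }
    Set-Service -Name $name -StartupType Automatic
    if ((Get-Service -Name $name).Status -ne 'Running') { Start-Service -Name $name }
    '{0,-8} {1}' -f $name, (Get-Service -Name $name).Status
}

# 2. Re-register the Windows Update DLLs silently and report each regsvr32 exit code (0 = succeeded).
$dlls = 'wuapi.dll', 'wuaueng.dll', 'wuaueng1.dll', 'atl.dll', 'wucltui.dll', 'wups.dll', 'wups2.dll', 'wuweb.dll'
foreach ($dll in $dlls) {
    $full = Join-Path $env:windir "System32\$dll"
    if (-not (Test-Path $full)) { "$dll not present, skipped"; continue }
    $proc = Start-Process -FilePath regsvr32.exe -ArgumentList "/s `"$full`"" -Wait -PassThru
    '{0,-14} exit code {1}' -f $dll, $proc.ExitCode
}

# 3. Rename the SoftwareDistribution folder with the update service stopped, then restart it.
Stop-Service -Name wuauserv -Force
$sd  = Join-Path $env:windir 'SoftwareDistribution'
$old = Join-Path $env:windir 'SD_OLD'
if ((Test-Path $sd) -and -not (Test-Path $old)) { Rename-Item -Path $sd -NewName 'SD_OLD' }
Start-Service -Name wuauserv

# 4. The post's remaining steps are manual: reboot, then run 'sfc /scannow' with the Windows CD at hand.
```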

Calambo (Guest)
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #115 on: June 05, 2008, 09:15:03 PM »
It doesn't work for me.

For an unknown reason, it doesn't save the registry. When I update using the reg file, I see it in regedit, but after a reboot, all is gone.

Any idea?

kstmb (Guest)
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #116 on: June 05, 2008, 09:49:56 PM »
PiotrW, try rolling the system back to a previous date: Start -> All Programs -> Accessories -> System Tools -> System Restore, or execute %SystemRoot%\system32\restore\rstrui.exe.

You can try to restore the registry yourself. Replace the SYSTEM file in the directory C:\WINDOWS\system32\config; a backup of this file can be found in:
1) C:\WINDOWS\system32\config\SYSTEM.sav
2) C:\WINDOWS\repair\system
3) C:\System Volume Information\_restore{xxxx-xxxx-...}\RPxx\snapshot\_REGISTRY_MACHINE_SYSTEM (search the last restore folder)

But you need to do it under another OS.

Second way: you can load a backup registry file with RegView http://paullee.ru/download/regv.zip. Choose one of the backup files, then go to $$$PROTO.HIV->ControlSet001, select Services and press F2. Select HKEY_LOCAL_MACHINE, type a filename, answer 'Y'. Execute the .reg file that was created.

Service Pack 3 also can help you.

Good luck. 
« Last Edit: June 05, 2008, 10:05:14 PM by kstmb »

polonus (Avast Überevangelist)
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #117 on: June 05, 2008, 09:55:02 PM »
Hi all,

There's a sticky now by avast's Vlk trying to solve this problem in a few simple steps. Go here:
http://forum.avast.com/index.php?topic=36123.0

polonus

Lisandro (Avast team)
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #118 on: June 05, 2008, 10:06:05 PM »
My questions remain unanswered:

Shouldn't it be digitally signed?
Isn't avast skipping digitally signed files by default?

If the user deletes or moves the file to the Chest in boot scanning, how would it be allowed to log on again? Another incident that asks for boot-time access to the Chest.
Will we have this on avast version 5?

igor (Avast team)
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #119 on: June 05, 2008, 10:13:54 PM »
> My questions remain unanswered:

So do mine (reply #48).

> Isn't avast skipping digitally signed files by default?

Yes, that's right. The false positive does not happen on an "ordinary" system (at least with avast! 4.8; it doesn't apply to previous versions, which includes the Managed Clients at the moment, unfortunately :().
We installed Russian XP SP2, inserted the faulty VPS and there was no detection - until we switched off the checking of digital signatures.

The svchost.exe file is not signed by a signature directly in the file, but rather using the Windows catalog. So, the affected systems must have their catalog corrupted somehow - either by some "tweaking tools" (nLite, vLite?), or maybe by cracks used to bypass Windows activation (just my guess, don't know what the cracks really do)... or maybe just corrupted?

> If the user deletes or moves the file to the Chest in boot scanning, how would it be allowed to log on again? Another incident that asks for boot-time access to the Chest.

The system can be booted without this file, certainly into safe mode, so I'm not sure this is exactly the (probably quite rare) case when it would make a difference.
« Last Edit: June 05, 2008, 10:54:29 PM by igor »
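The check igor's post implies, as an added example that is not code from the thread or from Avast: on a healthy system svchost.exe has no embedded signature, and its trust comes from the Windows security catalog, so a file proposed as a replacement (such as one copied from removable media) can be compared with the live binary before it goes anywhere near System32. Assumes Windows PowerShell 5.1 or later on a current Windows build; the expected signer subject and the E:\ path are placeholders of mine.

```powershell
# Added example, not from the thread: report signature status, signature type (Catalog vs
# embedded Authenticode) and SHA-256 for a system binary. Assumes Windows PowerShell 5.1+.
function Test-SystemBinarySignature {
    param(
        [string]$Path = "$env:windir\System32\svchost.exe",
        # Placeholder: the subject prefix Microsoft uses for Windows components on current builds.
        [string]$ExpectedSubject = 'CN=Microsoft Windows'
    )
    if (-not (Test-Path -Path $Path)) { throw "File not found: $Path" }

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        SignatureType = $sig.SignatureType   # Catalog for a stock svchost.exe; Authenticode or None otherwise
        Signer        = $subject
        Sha256        = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        # Trust only a valid signature whose signer subject starts with the expected prefix.
        Trusted       = ($sig.Status -eq 'Valid') -and ($subject -like "$ExpectedSubject*")
    }
}

# Compare the live binary with a candidate replacement before copying anything into System32.
Test-SystemBinarySignature | Format-List
Test-SystemBinarySignature -Path 'E:\svchost.exe' | Format-List   # placeholder path for the removable media
```

A catalog signature is keyed on the file's hash, so a genuine copy validates from any path, while an unsigned or differently signed file shows NotSigned or a foreign Signer even if its name and size match.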