c:\windows\system32\svchost.exe Rootkit ;-(
Calambo:
It doesn't work for me.

For an unknown reason, it doesn't save the registry. When I update using the reg file, I see it in regedit, but after a reboot, all is gone.

Any idea?
kstmb:
PiotrW, try rolling back the system to a previous date. Start -> All Programs -> Accessories -> System Tools -> System Restore, or execute %SystemRoot%\system32\restore\rstrui.exe.

You can try to restore the registry yourself. Replace the SYSTEM file in the directory C:\WINDOWS\system32\config; a backup of this file can be found in:
1) C:\WINDOWS\system32\config\SYSTEM.sav
2) C:\WINDOWS\repair\system
3) C:\System Volume Information\_restore{xxxx-xxxx-...}\RPxx\snapshot\_REGISTRY_MACHINE_SYSTEM (search last restore folder)

But you need to do it under another OS.

Second way: you can load a backup registry file with RegView http://paullee.ru/download/regv.zip. Choose one of the backup files, then go to $$$PROTO.HIV->ControlSet001, select Services and press F2. Select HKEY_LOCAL_MACHINE, type a filename, answer 'Y'. Execute the .reg file that was created.

Service Pack 3 also can help you.

Good luck. 
polonus:
Hi all,

There is a sticky now by avast's Vlk trying to solve this problem in a few simple steps. Go here:
http://forum.avast.com/index.php?topic=36123.0

polonus
Tech:
My questions remain unanswered:


--- Quote from: Tech on June 04, 2008, 12:32:51 PM ---Shouldn't it be digitally signed?
--- End quote ---
Isn't avast skipping digitally signed files by default?


--- Quote from: Tech on June 04, 2008, 12:32:51 PM ---If the user deletes or moves the file to Chest in boot scanning, how would it be allowed to log on again? Another incident that asks for a boot time access to Chest.

--- End quote ---
Will we have this on avast version 5?
igor:

--- Quote from: Tech on June 05, 2008, 08:06:05 PM ---My questions remain unanswered:
--- End quote ---

So do mine (reply #48).


--- Quote from: Tech on June 04, 2008, 12:32:51 PM ---Isn't avast skipping digitally signed files by default?
--- End quote ---

Yes, that's right. The false positive does not happen on an "ordinary" system (at least with avast! 4.8; it doesn't apply to previous versions, which includes the Managed Clients at the moment, unfortunately :().
We installed Russian XP SP2, inserted the faulty VPS and there was no detection - until we switched off the checking of digital signatures.

The svchost.exe file is not signed by a signature directly in the file, but rather using a Windows catalog. So, the affected systems must have their catalog corrupted somehow - either using some "tweaking tools" (nLite, vLite?), or maybe by using cracks to bypass Windows activation (just my guess, don't know what the cracks really do)... or maybe just corrupted?


--- Quote from: Tech on June 04, 2008, 12:32:51 PM ---If the user deletes or moves the file to Chest in boot scanning, how would it be allowed to log on again? Another incident that asks for a boot time access to Chest.
--- End quote ---

The system can be booted without this file, certainly into safe mode, so I'm not sure this is exactly the (probably quite rare) case when it would make a difference.
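
The catalog-versus-embedded distinction igor describes can be checked on a current Windows system. This is an added example, not part of the thread and not avast code; it assumes Windows PowerShell 5.1 or later, where signature objects carry a SignatureType property, and Get-SignatureReport and the comparison files are names chosen here.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1 or later.
# Get-SignatureReport is a hypothetical helper name.
function Get-SignatureReport {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            [pscustomobject]@{ Path = $p; Status = 'Missing'; Type = $null; Signer = $null
                               Note = 'File not found' }
            continue
        }
        $sig  = Get-AuthenticodeSignature -LiteralPath $p
        $note = switch ($sig.Status) {
            'Valid' {
                if ($sig.SignatureType -eq 'Catalog') {
                    'Verified through a catalog; nothing is embedded in the file'
                } else {
                    'Verified through a signature embedded in the file'
                }
            }
            'NotSigned'    { 'No embedded signature and no matching catalog entry was found' }
            'HashMismatch' { 'File contents do not match the signed hash' }
            default        { $sig.StatusMessage }
        }
        [pscustomobject]@{
            Path   = $p
            Status = $sig.Status
            Type   = $sig.SignatureType
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Note   = $note
        }
    }
}

# Catalog lookups are served by the Cryptographic Services service (CryptSvc).
$svc = Get-Service -Name CryptSvc
"CryptSvc status: $($svc.Status)"

# svchost.exe is the file from this thread; the other two are arbitrary
# system binaries added for comparison (assumption).
$files = @(
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\System32\services.exe",
    "$env:SystemRoot\System32\lsass.exe"
)
Get-SignatureReport -Path $files | Format-List
```

A system file that reports NotSigned while CryptSvc is stopped or the catalog store is damaged matches the situation described above, where a scanner that skips signed files no longer skips svchost.exe.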