Win32:Rootkit-Gen and svchost, please let it be a false positive.

[Wolfy]

Tonight, I decided to do a boot-time scan with Avast, and whenever it scans "svchost.exe", I keep getting a message saying it's infected with "Win32:Rootkit-Gen [rtk]".  I did some research on it, and I learned it was a false positive according to the Avast knowlegebase.

The problem is, I'm using an U.S. English version of Windows XP Home, with Service Pack 3, and the article states Russian and French versions of Windows.  Now I'm worried.  I can't erase it since it's an important file, I can't move it to chest, I can't even repair it.  Is it really a false positive or a real rootkit?

My version of Avast is 4.8 Home Edition, with the virus database version 090723-0.  Can I please get an answer or how to fix this problem without needing to reformat?

Before I forget, here's a link to the article I read... http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=306

[nmb]

upload the file to virustotal.com and post the link here.

[Wolfy]

upload the file to virustotal.com and post the link here.

Thanks, I did that, and here are my results...

http://www.virustotal.com/analisis/2910ebc692d833d949bfd56059e8106d324a276d5f165f874f3fb1b6c613cdd5-1248404988

Forgive me for asking, but how does this determine whether it's a rootkit or not?

[nmb]

Hello wolfy,

welcome to the forums

only the avast is detecting it as Win32:Rootkit-Gen. it might be a false positive. gdata also use the avast engine hence even it is detecting it as Win32:Rootkit-Gen. upload the file to avast. for that:

virus chest > user files > add files icon > select the file you want to upload and click email to avast icon. and do a manual update of the avast so that it is uploaded to avast.

[Wolfy]

Hello wolfy,

welcome to the forums

only the avast is detecting it as Win32:Rootkit-Gen. it might be a false positive. gdata also use the avast engine hence even it is detecting it as Win32:Rootkit-Gen. upload the file to avast. for that:

virus chest > user files > add files icon > select the file you want to upload and click email to avast icon. and do a manual update of the avast so that it is uploaded to avast.

I did that, but when I go to e-mail it, I have to either choose potential malware or false positive.  I don't know which to choose since I'm not sure if it's really a rootkit or not.

[nmb]

choose it as false positive

[Wolfy]

Thanks, I submitted it and did a manual update (even though I'm already up to date).  I hope something happens, I'm still worried a bit in case it isn't a false positive.  I just happen to found the knowlegebase article online.

[nmb]

always welcome wolfy. if it is a false positive, then it'll be fixed asap. (it must be a false positive since virustotal showed only avast is detecting it. ) come back later if you have any problems.

[Maxx_original]

the fixed VPS is available already (around 10:00 CEST)

[ZeroRam]

I had the same issue this morning, gave me the fright of my life!

After using another PC to get on to the internet I found this thread (and thousands of others) lots of searching, did full on boot scan, same issues - did not want to delete the file since it seems vital to the operating system.

It seems as if it WAS a false positive -  I had the same Virus Database 090723-0 later after I saw the last reply about the fixed VPS I updated and now Avast (and me!) is happy again.

[cinchez]

Glad its solved now^^

-AnimeLover^^

[TechnicS7]

Hello,

I had the same problem 1-2 hours ago after I woke up and started my machine. I want to know - should I worry for something?
What do I have to do?

[cinchez]

Can u pls upload the file to www.virustotal.com for analysis^^

Then post back the results here^^

-AnimeLover^^

[TechnicS7]

After avast found the Win32:Rootkit-Gen i clicked the close button on top of the avast window since i couldn't do anything and restarted computer - did i do something wrong?

this is the result http://www.virustotal.com/analisis/2910ebc692d833d949bfd56059e8106d324a276d5f165f874f3fb1b6c613cdd5-1248435939 and nothing seems wrong now

edit: after restarting the computer i didn't get this message for Win32:Rootkit

Should I be worried now? What should I do?

[TechnicS7]

I am sorry but i don't understand. Is everything alright now?