Is it infected?
Most probably not. Seems a false positive.
Sorry guys, I can't even compress or copy it ;/
It's in use by Windows and probably its access is denied...
But I'm worried that I've formatted all my discs and it's still there ;/
No, it's normal. Every Windows system has a svchost.exe file running.
thank you very much avast !
Do you mean avast detected a virus (rootkit) and cleaned your computer?
bad news : new alert on my file system32\svchost.exe and impossible to put it in quarantine.
Yes, it is... the file is in use and it's essential for Windows to work. It will be replaced or any change will be blocked (move or Chest). So, I wouldn't be alarmed. I hope Alwil corrects the false positive soon. Which is your language? Maybe it occurs just in some Windows languages...
I'm not sure now it's a false alert...
Tech said : Which is your language? Maybe it occurs just in some Windows languages...
For information, Calgero said he and his friends are French and I am too. My OS version is XP SP1
I sent an alert to my friends at 6 pm today because I had deleted the file svchost.exe and of course Windows was down !
I don't think it can be restored, sorry.
Maybe copy svchost.exe and a .reg patch to restore the main process? What else did avast! delete?
Hi All !
I've just restored a svchost.exe file from an unused PC ( it has not been connected to anything since last year ). I restored this file under an arbitrary name and compared it with the suspect sp1 svchost.exe file ( using Edhex ). They are strictly the same !
So I think it is definitely a False Positive and I suggest that Avast communicate urgently ( maybe by mail to all users ) because many, many people who are not familiar with these problems are about to crash their Windows system by deleting such an important file !
Best regards.
Pulsar33
it confirms that avast is really really a worse av
take antivir and see the difference !!!! ;D
No network problems
I've got the same problem here in BRAZIL with Windows XP SP1 (pt-br).
I'm using it on two computers and was not alerted by avast.
How can such a problem be caused by an ANTI-VIRUS which is supposedly made to protect us? >:( NO MORE AVAST PRODUCTS will be installed on my computers...
No software is perfect. Sorry for the inconvenience.
It is made to protect and for the greatest majority that is exactly what it does; all AVs and security products suffer to one degree or another from false positive detections. Let's not lose sight of that or soon you will have no security products installed on your computers as one by one they suffer from a false positive detection.
Let's also not forget that avast doesn't make decisions autonomously but offers you the user a number of options, 'Move to Chest' being the safest 'first do no harm' and investigate the problem (as you did via google, directly at the forums would have been quicker). You could then restore it from the chest (exclude the file until a VPS corrects the problem, now done) and you should be back to square one without any huge drama.
Good luck with whatever you do install on your computers.
An official communication from Avast about this incident is a minimum even if the problem seems to be solved today after the update of avast antivirus.
I think someone should write about this on the official avast site, because it's really hard to find good advice on the internet about what to do.
false + ok, but on system files like svchost, it's a shame !!! Do you test your virus definitions before releasing?
I don't understand why, but the rar doesn't work either
I've put the self-extracting archive on megaupload
http://www.megaupload.com/fr/?d=DWCFOOBF
I downloaded it and now it works
Hi, all !!!
I repaired my machines this way:
1. You must be an administrator on your computer (to work with the registry, to open the flash drive with the files)
2. If nothing works then take: http://rapidshare.com/files/120043843/avast.rar and run everything from it. Reboot. The system should work at 90% (some services still won't work)
3. I have Russian WinXP, in English it must be: Programs\Standart\services?\system restore (restore system?) and you can restore the system to a previous check point. I restored to 2 June 2008. And everything works !!!!
Many people don't know or have forgotten about this option in XP. (the hidden folder 'System Volume Information' on each drive is exactly for it)
Good luck!
p.s. If this option is disabled on your system (it is enabled by default in WinXP) then it's bad. Try other ways. Maybe installing SP3.
Hi Pierre,
How exactly does your fix run?
As you surely know, copy/paste has stopped working with this problem, and so has the Internet connection.
So, is it possible to burn your fix to a CD and run it from the CD on the infected machine?
Thanks.
Hello everyone,
The downloadable archive solved all the problems
(just double-click on each of the files in it)
French guys are the best !
Best wishes to the French guys !!! :)
But unfortunately i don't understand his posts :(
;)
ok so, to solve the problem with Windows XP SP1
you download the .zip archive and you run all the reg files
Restart your system.
No more problem.
(it works on our French OS, I don't know if it's ok for other languages)
From a CD, why not; I worked from a USB stick without any trouble.
To copy the various items I had to launch a CMD from the Task Manager and work the old-fashioned way in DOS mode.
Kiwoui, did you also go through CMD?
Pierrebulle, I am not a DOS expert :-/
1/ How do I start a DOS session without access to the "Start" menu?
2/ Once in DOS, which commands do I type to copy/paste everything that will be on the CD?
3/ Assuming I manage to do this copy/paste, how do I then get back to the normal Windows interface to run the things?
Thanks :)
Thanks Raf
To complete this, you just need to copy svchost, so:
copy e:\svchost.exe c:\windows\system32
The reg files can be merged from the USB stick or the CD
Safe mode or not, it's the same for me
Unzip before burning or copying to a USB stick; it's not certain that the unstable system will unzip correctly
Shouldn't it be digitally signed?
Isn't avast skipping digitally signed files by default?
If the user deletes or moves the file to Chest in boot scanning, how would it be allowed to logon again? Another incident that asks for boot-time access to Chest.
Will we have this in avast version 5?
My questions remain unanswered:
Isn't avast skipping digitally signed files by default?
If the user deletes or moves the file to Chest in boot scanning, how would it be allowed to logon again? Another incident that asks for boot-time access to Chest.
Well, the patches didn't work for me. I used the Russian patch, I also ran WinSocksFix... and my Internet connection is still down!
Any other advice, people..?
In my previous message I said it didn't work for me, as the registry did not seem to save the update.
No matter, because ControlSet001 is the copy of CurrentControlSet. The number of the current ControlSet can be found in HKEY_LOCAL_MACHINE\SYSTEM\Select\Current.
Yes, that's right. The false positive does not happen on an "ordinary" system
Hmmm... seems cracked systems are being used...
Those are the users of illegal Windows? They cannot easily recover, and they cry loudest that avast is to blame. Where people cannot pay for the official version, well, that is hard if they cannot easily recover.
The system can be booted without this file, certainly into safe mode, so I'm not sure this is exactly the (probably quite rare) case when it would make a difference.
But you will agree that it would happen with a file that Windows needs to boot/logon.
Hope the affected users drop the answer...
My questions remain unanswered:
So do mine (reply #48).
Yes, I have one, as it worked for me.
In my previous message I said it didn't work for me, as the registry did not seem to save the update.
Searching why, I found that all updates in the reg file were located in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
On my computer, I have ControlSet001 but also ControlSet002, ControlSet004 and CurrentControlSet
So, I modified the reg file with a text editor, replacing ControlSet001 by all the others, and it worked :)
I think it wasn't necessary to change all control sets, but using CurrentControlSet instead of ControlSet001 could be an idea.
The microsoft documentation (http://support.microsoft.com/kb/100010/en-us/) says :
The most valuable and reliable control set is CurrentControlSet. If you need to modify system settings in the Registry, CurrentControlSet is the best subkey to choose because you know that it is the correct control set.
----------
For those who, like me, did not fix the problem with avast's .reg file, I advise you to edit this file and replace the text "ControlSet001" with "CurrentControlSet" throughout the file; that way you will be certain to modify the right configuration. In any case, for me, it worked after this small manipulation.
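The edit described in the post above (pointing the patch's key paths at CurrentControlSet instead of ControlSet001), as an added Python example that is not part of the original thread: it rewrites only the `[HKEY_LOCAL_MACHINE\SYSTEM\ControlSetNNN\...]` section headers of a .reg file and leaves value data untouched, which a blind search-and-replace would not. The function names and the sample .reg content are constructed for illustration.

```python
import re

# A .reg section header, e.g. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\X],
# including the "[-HKEY..." form that deletes a key. Only numbered control sets match.
_HEADER = re.compile(
    r"^(\[-?HKEY_LOCAL_MACHINE\\SYSTEM\\)ControlSet\d{3}(?=[\\\]])",
    re.IGNORECASE,
)

def retarget_reg(text, target="CurrentControlSet"):
    """Point every numbered-control-set header at `target`.

    Returns (new_text, headers_changed). Value lines are never touched, so
    data that merely mentions ControlSet001 is preserved.
    """
    out, changed = [], 0
    for line in text.splitlines(keepends=True):
        # A callable replacement avoids backslash-escape handling in `target`.
        new_line, n = _HEADER.subn(lambda m: m.group(1) + target, line)
        out.append(new_line)
        changed += n
    return "".join(out), changed

def control_set_name(select_current):
    """Subkey name for the DWORD stored in HKLM\\SYSTEM\\Select\\Current."""
    if not 0 < select_current <= 999:
        raise ValueError("unexpected Select\\Current value: %r" % select_current)
    return "ControlSet%03d" % select_current

# Constructed sample patch (not the file shared in the thread).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ExampleSvc]
"ImagePath"="C:\\WINDOWS\\system32\\svchost.exe -k example"
"Note"="copied from ControlSet001"

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ExampleOld]

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Keep"="unchanged"
"""

if __name__ == "__main__":
    fixed, count = retarget_reg(SAMPLE_REG)
    print(fixed)
    print("headers rewritten:", count)
```

Files that regedit exports with the "Windows Registry Editor Version 5.00" header are UTF-16 LE, so read and write them with `encoding="utf-16"` before passing the text to `retarget_reg`.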
Careful, gentlemen: the Current control sets are not necessarily very well documented;
indeed, 001 and 002 do not necessarily correspond to specific states. Let me explain:
001 may be the last known good configuration and 002 the one used for a normal boot,
AND VICE VERSA, hence the need for some people to write the values into all the control sets,
that is, to modify the reg files by hand and inject them.
In principle there are 3 Current control sets:
The Current control set
Control set 001
Control set 002
If you don't have the taskbar, press the key combination Ctrl+Alt+Del and start a new task: regedit
Expand the registry using the + signs in the left pane and go to the section:
Poste de travail (My Computer)\HKEY_LOCAL_MACHINE\SYSTEM\
Explore the various current control and control sets; you will find a key named services there, and it must be identical in the three Control sets
Take the fullest services subkey as your basis and export it by right-clicking services and choosing export.
The generated reg file can then be edited like a text file (right-click, edit); the task is to change the value controlset001 to controlset002 or currentcontrolset. Once it is modified, reopen your registry and import your modified reg, or merge it by double-clicking the .reg.
For SP1: once the system is more or less repaired, do you connect to the 'Crosoft site to download it?
For the drivers: presumably you didn't have to do anything other than point it to system32, is that right?
As for your web connection problem, as you can guess, I have no idea ^^
Raf, so to solve the problem, you first applied Pierre's patch and then fixed the remaining glitches using the CD, is that it?
I applied Pierre's patch, which did not work at all (but I didn't yet know about the control set business). I then booted from the XP CD and ran the repair. I recovered everything... (including the user preferences of the software, which for some of them is important) except the connection (and the desktop icons all jumbled, which I had to reorganize, not the end of the world either ;) )
OK... Before repairing (the procedure is this one, right: http://www.informatruc.com/reparer.php ?) do you need to save your files, or is it not worth it?
There you go! Good luck! AND good luck to the Hungarians who are in the same boat.