Author Topic: problems with cisvc.exe  (Read 8240 times)

feebright

« on: June 21, 2007, 08:20:37 AM »
2007-6-21 10:28:08   SYSTEM   600   Sign of "Win32:Trojan-gen. {VC}" has been found in "D:\share\cisvc.exe" file.
But cisvc.exe is a system file.
Why?

Vladimyr
« Reply #1 on: June 21, 2007, 08:52:01 AM »
If this suspect 'cisvc.exe' really is part of your operating OS, shouldn't it be loading from C:\WINDOWS\system32\cisvc.exe ?
“There is a way that seems right to a man, but in the end it leads to death.” - Proverbs 16:25

feebright

« Reply #2 on: June 21, 2007, 08:53:45 AM »
> If this suspect 'cisvc.exe' really is part of your operating OS, shouldn't it be loading from C:\WINDOWS\system32\cisvc.exe ?

Yes, my OS is Windows 2000, thank you!

Vladimyr
« Reply #3 on: June 21, 2007, 09:03:52 AM »
Okay then, if Avast! quarantines it, it shouldn't cause you any problems.

Some malware, like NETSKY, disguise themselves by using system file names but this one's location is way out of left field.

Lisandro
« Reply #4 on: June 21, 2007, 10:58:34 PM »
> Okay then, if Avast! quarantines it, it shouldn't cause you any problems.

I suggest that 'system' files are 'moved' and not sent to Chest.
Chest is not available in Safe Mode and if a system file is needed to boot, the user won't be able to restore them.
Sending it to the 'moved' files folder makes it easier to restore. Even infected, some files are needed to boot and you must 'clean' your computer before booting, otherwise, your system will be locked (can't boot).
The best things in life are free.

DavidR
« Reply #5 on: June 21, 2007, 11:26:51 PM »
The problem being many users don't know which are system files or think a file is a system file but in the wrong location as in this detection. So it isn't so clear cut as many users aren't able to make that distinction.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Lisandro
« Reply #6 on: June 22, 2007, 12:28:27 AM »
> The problem being many users don't know which are system files or think a file is a system file but in the wrong location as in this detection. So it isn't so clear cut as many users aren't able to make that distinction.

The user can't make the distinction but will pay its price... not booting...

DavidR
« Reply #7 on: June 22, 2007, 01:03:09 AM »
If it truly is an important system file that is required to boot, surely it won't matter if it is in the chest or moved folder, if it isn't in its original location 'it won't boot,' safe or otherwise.

Tarq57
« Reply #8 on: June 22, 2007, 02:05:53 AM »
feebright, that file was found in D:\shared...
Assuming the OS is on C:, it hints to me that the file is likely not important for the system, and also possibly you are using a p2p program which downloads to a shared folder?
If that is the case, it is quite possibly malware inadvertently downloaded.
Windows 10,Windows Firewall,Firefox w/Adblock.

Vladimyr
« Reply #9 on: June 22, 2007, 05:00:40 AM »
> I suggest that 'system' files are 'moved' and not sent to Chest.
> Chest is not available in Safe Mode and if a system file is needed to boot, the user won't be able to restore them.
> Sending it to the 'moved' files folder makes it easier to restore. Even infected, some files are needed to boot and you must 'clean' your computer before booting, otherwise, your system will be locked (can't boot).

Good general advice. Renaming is my preference too, however in this case I considered it extremely unlikely that a malware would have made the OS dependent on a file located in D:\share\. Tarq57's suggestion makes a lot of sense.

feebright

« Reply #10 on: June 22, 2007, 06:31:08 AM »
> feebright, that file was found in D:\shared...
> Assuming the OS is on C:, it hints to me that the file is likely not important for the system, and also possibly you are using a p2p program which downloads to a shared folder?
> If that is the case, it is quite possibly malware inadvertently downloaded.

The file is located at C:\WINDOWS\system32\cisvc.exe. When I delete the file and copy the file from another OS, avast also alarms on it as Win32:Trojan-gen.

Tarq57
« Reply #11 on: June 22, 2007, 06:58:47 AM »
OK, that's slightly at odds with what was reported in your first post. Try uploading the file to http://www.virustotal.com/en/indexf.html and see if any other scanners detect it.
I suspect Avast detected it originally because of the weird location originally reported.
Does it (or anything similar) actually exist in D:\shared?

mauserme

« Reply #12 on: June 22, 2007, 07:00:30 AM »
C:\WINDOWS\system32\cisvc.exe is probably legitimate but other locations might indicate Family Keylogger.

http://www.castlecops.com/s1203-cisvc_exe.html

Do others have access to your computer?

I would also suggest Virus Total for all instances of the file.

feebright

« Reply #13 on: June 22, 2007, 07:07:03 AM »
> OK, that's slightly at odds with what was reported in your first post. Try uploading the file to http://www.virustotal.com/en/indexf.html and see if any other scanners detect it.
> I suspect Avast detected it originally because of the weird location originally reported.
> Does it (or anything similar) actually exist in D:\shared?

The file located at d:/share is the file copied from another OS, thanks!

Tarq57
« Reply #14 on: June 22, 2007, 01:18:19 PM »
If you could post the size of that file, and the version number (Find the file and right click, select properties) that may be useful. On my XP system it's 5632 bytes (5.5Kb) and version 5.1.2600.2180, described as Content index service. May be same or slightly different on Win2K. If it's very different, I'd be a bit suspicious.
Did VirusTotal flag it at all?
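
The checks suggested across this thread (expected location, file size and version, a hash that can be looked up on VirusTotal) collected into one script. This is an added example, not code from any poster; it assumes a current Windows with PowerShell 4 or later, and the parameter names, search roots and output columns are choices made for the example.

```powershell
# Added example: triage every copy of a file that carries a system file name.
# $Name, $Roots and the report columns are assumptions made for this example.
param(
    [string]$Name = 'cisvc.exe',
    [string[]]$Roots = @('C:\', 'D:\')
)

# Directory where the thread expects the genuine file to live.
# Add other known-good locations here if your system has them.
$expected = @(Join-Path $env:SystemRoot 'System32')

$results = foreach ($root in $Roots) {
    # Skip drives that do not exist on this machine.
    if (-not (Test-Path -LiteralPath $root)) { continue }

    Get-ChildItem -LiteralPath $root -Filter $Name -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path        = $_.FullName
                # A system file name outside the system directory is the first red flag.
                InExpected  = $expected -contains $_.DirectoryName
                # Size, version and description, as shown in the file's Properties dialog.
                SizeBytes   = $_.Length
                FileVersion = $_.VersionInfo.FileVersion
                Description = $_.VersionInfo.FileDescription
                # Signature status is one signal among several, not a verdict.
                Signature   = $sig.Status
                # The hash can be searched on VirusTotal without uploading the file.
                SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Copies outside the expected directory sort first.
$results | Sort-Object InExpected, Path | Format-List

# Identical hashes mean the copies are the same file; differing hashes
# for the same name deserve a closer look.
$results | Group-Object SHA256 | Select-Object Count, Name | Format-Table -AutoSize
```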