Author Topic: c:\windows\system32\svchost.exe Rootkit ;-(  (Read 95488 times)


Offline Merralux

  • Newbie
  • *
  • Posts: 7
c:\windows\system32\svchost.exe Rootkit ;-(
« on: June 03, 2008, 08:46:27 PM »
Hello (at first I want to say sorry for my English ;p),
I have a problem with that virus. I've even formatted all my discs and it's still there.
Maybe it's because of a new update?
I would be glad to get a fast answer because I have to make some transfers with my bank account.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11422
    • AVAST Software
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #1 on: June 03, 2008, 09:02:22 PM »
It might be a false alarm...
What exactly is reported?

Offline Merralux

  • Newbie
  • *
  • Posts: 7
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #2 on: June 03, 2008, 09:06:09 PM »
File:    c:\windows\system32\svchost.exe

Name of virus:   Win32:Rootkit-gen [Rtk]

Type of virus:       Rootkit

VPS Version : 080603-0, 2008-06-03

Online Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 65928
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #3 on: June 03, 2008, 09:11:32 PM »
Can you send the file c:\windows\system32\svchost.exe to www.virustotal.com and check if it is infected?
The best things in life are free.

Offline Merralux

  • Newbie
  • *
  • Posts: 7
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #4 on: June 03, 2008, 09:15:28 PM »
Antivirus    Version    Last update    Result
AhnLab-V3    2008.5.30.1    2008.06.03    -
AntiVir    7.8.0.26    2008.06.03    -
Authentium    5.1.0.4    2008.06.02    -
Avast    4.8.1195.0    2008.06.03    Win32:Rootkit-gen
AVG    7.5.0.516    2008.06.03    -
BitDefender    7.2    2008.06.03    -
CAT-QuickHeal    9.50    2008.06.03    -
ClamAV    0.92.1    2008.06.03    -
DrWeb    4.44.0.09170    2008.06.03    -
eSafe    7.0.15.0    2008.06.02    -
eTrust-Vet    31.4.5845    2008.06.03    -
Ewido    4.0    2008.06.03    -
F-Prot    4.4.4.56    2008.06.02    -
F-Secure    6.70.13260.0    2008.06.03    -
Fortinet    3.14.0.0    2008.06.03    -
GData    2.0.7306.1023    2008.06.03    Win32:Rootkit-gen
Ikarus    T3.1.1.26.0    2008.06.03    -
Kaspersky    7.0.0.125    2008.06.03    -
McAfee    5308    2008.06.02    -
Microsoft    1.3604    2008.06.03    -
NOD32v2    3155    2008.06.03    -
Norman    5.80.02    2008.06.03    -
Panda    9.0.0.4    2008.06.03    -
Prevx1    V2    2008.06.03    -
Rising    20.47.12.00    2008.06.03    -
Sophos    4.29.0    2008.06.03    -
Sunbelt    3.0.1143.1    2008.06.03    -
Symantec    10    2008.06.03    -
TheHacker    6.2.92.332    2008.06.03    -
VBA32    3.12.6.7    2008.06.03    -
VirusBuster    4.3.26:9    2008.06.03    -
Webwasher-Gateway    6.6.2    2008.06.03    BlockReason.0
Additional information
File size: 12800 bytes
MD5...: b3c95bfeef6781a82a1c429f466a3a11
SHA1..: 32aa15820e984a79664db0fd48ae943931b83514
SHA256: ab4a8e6f19a4c6ea504efff99613a590861cd981849f71c3a859c9eaf23a3afd
SHA512: 40ead71c8639ee659aab37839b72e8d20eec3a100750d627a562f2968bb1ee87c4c6093a022a9d52f3a7a386a5ad9a18d72b1ff5beb833119109a9d968ce7da2
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1001ce2
timedatestamp.....: 0x3b7de4c5 (Sat Aug 18 03:45:09 2001)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2450 0x2600 6.10 c46beef3543b16a7814b0a030f0e5000
.data 0x4000 0x1f4 0x200 1.50 1a396ac5334432d459f3697937a48e6e
.rsrc 0x5000 0x408 0x600 2.47 df415f1328865e4cbd290ad3189697e1

( 4 imports )
> ADVAPI32.dll: RegQueryValueExW, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, GetTokenInformation, OpenProcessToken, OpenThreadToken, SetServiceStatus, RegisterServiceCtrlHandlerW, RegCloseKey, RegOpenKeyExW, StartServiceCtrlDispatcherW
> KERNEL32.dll: HeapFree, GetLastError, WideCharToMultiByte, lstrlenW, GetCurrentProcess, GetCurrentThread, HeapAlloc, LoadLibraryExW, LeaveCriticalSection, lstrcmpW, EnterCriticalSection, LCMapStringW, lstrcpyW, ExpandEnvironmentStringsW, lstrcmpiW, ExitProcess, GetCommandLineW, InitializeCriticalSection, GetProcessHeap, SetErrorMode, SetUnhandledExceptionFilter, FreeLibrary, InterlockedCompareExchange, LoadLibraryA, LocalFree, GetProcAddress, DelayLoadFailureHook, LocalAlloc
> ntdll.dll: NtQuerySecurityObject, RtlFreeHeap, NtOpenKey, wcscat, wcscpy, RtlAllocateHeap, RtlCompareUnicodeString, RtlInitUnicodeString, RtlInitializeSid, RtlLengthRequiredSid, RtlSubAuthoritySid, RtlCopySid, RtlSubAuthorityCountSid, NtClose, RtlGetDaclSecurityDescriptor, RtlQueryInformationAcl, RtlGetAce, RtlUnhandledExceptionFilter, wcslen, RtlImageNtHeader
> RPCRT4.dll: RpcMgmtSetServerStackSize, RpcMgmtWaitServerListen, RpcMgmtStopServerListening, RpcServerUnregisterIf, RpcServerUnregisterIfEx, RpcServerListen, RpcServerUseProtseqEpW, RpcServerRegisterIf, I_RpcMapWin32Status

( 0 exports )

and that:

The file has already been scanned:
MD5:    b3c95bfeef6781a82a1c429f466a3a11
First received:    2008.06.03 10:25:55 (CET)
Date:    2008.06.03 18:57:49 (CET) [<1D]
Results:    3/32
Permalink:    analisis/9c696c71028cd43d361d6dc67cc61d60

Is it infected?

Online Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 65928
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #5 on: June 03, 2008, 09:19:42 PM »
Is it infected?
Most probably not. It seems a false positive.
Can you send the file to virus (at) avast (dot) com
and explain in the email body that it seems a false positive? Maybe add a link to this thread.
The best things in life are free.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11422
    • AVAST Software
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #6 on: June 03, 2008, 09:20:25 PM »
I believe it's a false alarm in this case.
Can you please pack the file into a password-protected ZIP or RAR and send it to virus@avast.com, with "False alarm" in subject (and the password mentioned in the e-mail body)?
Thanks!

Offline Merralux

  • Newbie
  • *
  • Posts: 7
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #7 on: June 03, 2008, 09:28:30 PM »
Sorry guys, I can't even compress or copy it ;/
But I'm worried that I've formatted all my discs and it's still there ;/

Online Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 65928
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #8 on: June 03, 2008, 10:48:53 PM »
Sorry guys, I can't even compress or copy it ;/
It's in use by Windows and probably access to it is denied...

But I'm worried that I've formatted all my discs and it's still there ;/
No, it's normal. Every Windows system has a svchost.exe file running.
The best things in life are free.

Offline calgero

  • Newbie
  • *
  • Posts: 4
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #9 on: June 04, 2008, 12:48:11 AM »
Sorry for my English.

In France there are a lot of us with this problem. I sent an alert to my friends at 6 pm today because I had deleted the file svchost.exe and of course Windows was down!
You just have to reinstall Windows and perhaps the SATA driver to solve the problem, but it's not necessary to format. Some other drivers must be reinstalled, like the graphics card for me.
All is OK for me except for my USB key.

Thank you very much avast!

Online Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 65928
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #10 on: June 04, 2008, 01:05:22 AM »
Thank you very much avast!
Do you mean avast detected a virus (rootkit) and cleaned your computer?
If so, to be sure you're clean, I suggest:

1. Disable System Restore and re-enable it after step 3.
2. Clean your temporary files.
3. Schedule a boot time scan with avast with archive scanning turned on.
4. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to the Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.

Offline calgero

  • Newbie
  • *
  • Posts: 4
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #11 on: June 04, 2008, 01:23:10 AM »
The original alert was: win32:rootkit-gen [Rtk] has been found in c:\windows\system32\svchost.exe, and by inattention I chose delete, but of course it was a big mistake.

I just scanned my windows/system32 folder and I have a new alert:

File:    C:\WINDOWS\system32\dllcache\svchost.exe
Name of virus:   Win32:Rootkit-gen [Rtk]
Type of virus:  Rootkit
VPS Version : 080603-0, 03/06/2008

This time I selected quarantine.

Offline calgero

  • Newbie
  • *
  • Posts: 4
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #12 on: June 04, 2008, 01:33:44 AM »
Bad news: new alert on my file system32\svchost.exe and impossible to put it in quarantine.
I'm not sure now that it's a false alert...

Offline Pulsar33

  • Newbie
  • *
  • Posts: 9
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #13 on: June 04, 2008, 02:16:49 AM »
Hi All!

I've just restored a svchost.exe file from an unused PC (it has not been connected to anything since last year). I restored this file under an arbitrary name and compared it with the suspect SP1 svchost.exe file (using Edhex). They are strictly the same!

So I think it is definitively a False Positive, and I suggest that Avast urgently communicate (maybe by mail to all users), because many, many people who are not familiar with these problems are about to crash their Windows system by deleting such an important file!

Best regards.
Pulsar33
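An added example, not code from this thread or from Avast: a small Python script that does what Pulsar33 describes (compare the suspect file byte-for-byte with a known-good copy) and also checks the file's MD5/SHA-1/SHA-256 against the values in the VirusTotal report pasted earlier, so a reader can confirm they are looking at the same binary the scanner flagged. The `REPORTED_HASHES` are copied from the report above; the function names are my own; the bytes used in `__main__` are constructed stand-ins, not a real svchost.exe.

```python
import hashlib
from pathlib import Path

# Hashes VirusTotal reported for the svchost.exe in this thread (from the report above).
REPORTED_HASHES = {
    "md5": "b3c95bfeef6781a82a1c429f466a3a11",
    "sha1": "32aa15820e984a79664db0fd48ae943931b83514",
    "sha256": "ab4a8e6f19a4c6ea504efff99613a590861cd981849f71c3a859c9eaf23a3afd",
}


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of a byte string, keyed like the VirusTotal report."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORTED_HASHES}


def first_difference(a: bytes, b: bytes):
    """Offset of the first differing byte, or None if both are identical.
    A length difference counts as a difference at the shorter length."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return None if len(a) == len(b) else n


def compare_suspect(suspect: bytes, reference: bytes, reported: dict = REPORTED_HASHES) -> dict:
    """Three independent checks on a suspect binary:
    - does it hash to what the scanner report listed (same bytes as the report)?
    - is it byte-for-byte identical to a known-good copy (Pulsar33's hex-editor test)?
    - if not, where is the first difference?"""
    h = file_hashes(suspect)
    diff = first_difference(suspect, reference)
    return {
        "size": len(suspect),
        "hashes": h,
        "matches_report": all(h[k] == v for k, v in reported.items()),
        "identical_to_reference": diff is None,
        "first_difference_at": diff,
    }


def compare_files(suspect_path, reference_path) -> dict:
    """Same checks on files on disk, e.g. system32\\svchost.exe against the dllcache copy."""
    return compare_suspect(Path(suspect_path).read_bytes(), Path(reference_path).read_bytes())


if __name__ == "__main__":
    import json
    # Constructed stand-in bytes (NOT a real svchost.exe): a DOS/PE header stub plus padding.
    good = b"MZ" + bytes(62) + b"PE\0\0" + b"\x4c\x01" + bytes(200)
    tampered = bytearray(good)
    tampered[100] ^= 0xFF  # one flipped byte, as a modified copy would show
    print(json.dumps(compare_suspect(good, good), indent=2))
    print(json.dumps(compare_suspect(bytes(tampered), good), indent=2))
```

On a live system, point `compare_files` at `C:\WINDOWS\system32\svchost.exe` and the `dllcache` copy mentioned in Reply #11, or at a copy from the installation media. Matching hashes only show the file is unchanged relative to that reference; svchost.exe differs between Windows versions, service packs and language builds, so a mismatch against someone else's hash is not by itself evidence of infection. Windows-native tooling (for example Sysinternals Sigcheck) can additionally verify the file's Authenticode signature.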

Online Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 65928
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #14 on: June 04, 2008, 03:06:11 AM »
Bad news: new alert on my file system32\svchost.exe and impossible to put it in quarantine.
I'm not sure now that it's a false alert...
Yes, it is... the file is in use and it's essential for Windows to work. It will be replaced, or any change will be blocked (move or Chest). So, I wouldn't be alarmed. I hope Alwil corrects the false positive soon. What is your language? Maybe it occurs just in some Windows languages...
The best things in life are free.