c:\windows\system32\svchost.exe Rootkit ;-(
Merralux:
Hello (at first I want to say sorry for my English ;p),
I have a problem with that virus. I've even formatted all my discs and it's still there.
Maybe it's because of a new update?
I would be glad to get a fast answer because I have to make some transfers with my bank account.
igor:
It might be a false alarm...
What exactly is reported?
Merralux:
File:           c:\windows\system32\svchost.exe
Name of virus:  Win32:Rootkit-gen [Rtk]
Type of virus:  Rootkit
VPS Version:    080603-0, 2008-06-03
Lisandro:
Can you send the file c:\windows\system32\svchost.exe to www.virustotal.com and check if it is infected?
Merralux:
Antivirus           Version          Last update   Result
AhnLab-V3           2008.5.30.1      2008.06.03    -
AntiVir             7.8.0.26         2008.06.03    -
Authentium          5.1.0.4          2008.06.02    -
Avast               4.8.1195.0       2008.06.03    Win32:Rootkit-gen
AVG                 7.5.0.516        2008.06.03    -
BitDefender         7.2              2008.06.03    -
CAT-QuickHeal       9.50             2008.06.03    -
ClamAV              0.92.1           2008.06.03    -
DrWeb               4.44.0.09170     2008.06.03    -
eSafe               7.0.15.0         2008.06.02    -
eTrust-Vet          31.4.5845        2008.06.03    -
Ewido               4.0              2008.06.03    -
F-Prot              4.4.4.56         2008.06.02    -
F-Secure            6.70.13260.0     2008.06.03    -
Fortinet            3.14.0.0         2008.06.03    -
GData               2.0.7306.1023    2008.06.03    Win32:Rootkit-gen
Ikarus              T3.1.1.26.0      2008.06.03    -
Kaspersky           7.0.0.125        2008.06.03    -
McAfee              5308             2008.06.02    -
Microsoft           1.3604           2008.06.03    -
NOD32v2             3155             2008.06.03    -
Norman              5.80.02          2008.06.03    -
Panda               9.0.0.4          2008.06.03    -
Prevx1              V2               2008.06.03    -
Rising              20.47.12.00      2008.06.03    -
Sophos              4.29.0           2008.06.03    -
Sunbelt             3.0.1143.1       2008.06.03    -
Symantec            10               2008.06.03    -
TheHacker           6.2.92.332       2008.06.03    -
VBA32               3.12.6.7         2008.06.03    -
VirusBuster         4.3.26:9         2008.06.03    -
Webwasher-Gateway   6.6.2            2008.06.03    BlockReason.0

Additional information
File size: 12800 bytes
MD5...: b3c95bfeef6781a82a1c429f466a3a11
SHA1..: 32aa15820e984a79664db0fd48ae943931b83514
SHA256: ab4a8e6f19a4c6ea504efff99613a590861cd981849f71c3a859c9eaf23a3afd
SHA512: 40ead71c8639ee659aab37839b72e8d20eec3a100750d627a562f2968bb1ee87c4c6093a022a9d52f3a7a386a5ad9a18d72b1ff5beb833119109a9d968ce7da2
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1001ce2
timedatestamp.....: 0x3b7de4c5 (Sat Aug 18 03:45:09 2001)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2450 0x2600 6.10 c46beef3543b16a7814b0a030f0e5000
.data 0x4000 0x1f4 0x200 1.50 1a396ac5334432d459f3697937a48e6e
.rsrc 0x5000 0x408 0x600 2.47 df415f1328865e4cbd290ad3189697e1

( 4 imports )
> ADVAPI32.dll: RegQueryValueExW, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, GetTokenInformation, OpenProcessToken, OpenThreadToken, SetServiceStatus, RegisterServiceCtrlHandlerW, RegCloseKey, RegOpenKeyExW, StartServiceCtrlDispatcherW
> KERNEL32.dll: HeapFree, GetLastError, WideCharToMultiByte, lstrlenW, GetCurrentProcess, GetCurrentThread, HeapAlloc, LoadLibraryExW, LeaveCriticalSection, lstrcmpW, EnterCriticalSection, LCMapStringW, lstrcpyW, ExpandEnvironmentStringsW, lstrcmpiW, ExitProcess, GetCommandLineW, InitializeCriticalSection, GetProcessHeap, SetErrorMode, SetUnhandledExceptionFilter, FreeLibrary, InterlockedCompareExchange, LoadLibraryA, LocalFree, GetProcAddress, DelayLoadFailureHook, LocalAlloc
> ntdll.dll: NtQuerySecurityObject, RtlFreeHeap, NtOpenKey, wcscat, wcscpy, RtlAllocateHeap, RtlCompareUnicodeString, RtlInitUnicodeString, RtlInitializeSid, RtlLengthRequiredSid, RtlSubAuthoritySid, RtlCopySid, RtlSubAuthorityCountSid, NtClose, RtlGetDaclSecurityDescriptor, RtlQueryInformationAcl, RtlGetAce, RtlUnhandledExceptionFilter, wcslen, RtlImageNtHeader
> RPCRT4.dll: RpcMgmtSetServerStackSize, RpcMgmtWaitServerListen, RpcMgmtStopServerListening, RpcServerUnregisterIf, RpcServerUnregisterIfEx, RpcServerListen, RpcServerUseProtseqEpW, RpcServerRegisterIf, I_RpcMapWin32Status

( 0 exports )
and that:
File was already scanned:
MD5:            b3c95bfeef6781a82a1c429f466a3a11
First received: 2008.06.03 10:25:55 (CET)
Date:           2008.06.03 18:57:49 (CET) [<1D]
Results:        3/32
Permalink:      analisis/9c696c71028cd43d361d6dc67cc61d60
Is it infected?
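Added example (my own script, not something posted in this thread and not VirusTotal's or Avast's code): a Python check that takes a local copy of svchost.exe, computes MD5/SHA-1/SHA-256, and pulls out the same PE header fields the report lists (TimeDateStamp, machine type, entry point, section table with per-section entropy and MD5), so you can tell whether the file on your disk is the one the report above describes. The hash values and header numbers are copied from the report; the `build_sample_pe()` image it falls back on when no path is given is a constructed stand-in that only mirrors those header values, not a real svchost.exe. A hash match means only that the local file is the sample VirusTotal analysed; it does not by itself say whether that sample is clean.

```python
"""Compare a local svchost.exe with the VirusTotal report quoted in the thread.

Usage:  python check_svchost.py C:\\Windows\\System32\\svchost.exe
Without an argument the script runs on a constructed in-memory PE32 image."""
import hashlib
import math
import struct
import sys
from datetime import datetime, timezone

# Values copied from the VirusTotal report quoted in the thread.
REPORTED_HASHES = {
    "md5": "b3c95bfeef6781a82a1c429f466a3a11",
    "sha1": "32aa15820e984a79664db0fd48ae943931b83514",
    "sha256": "ab4a8e6f19a4c6ea504efff99613a590861cd981849f71c3a859c9eaf23a3afd",
}
REPORTED_TIMESTAMP = 0x3B7DE4C5   # Sat Aug 18 03:45:09 2001 (UTC)
REPORTED_ENTRYPOINT = 0x1001CE2   # ImageBase + AddressOfEntryPoint


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the bytes as lower-case hex, keyed like REPORTED_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORTED_HASHES}


def hashes_match(data: bytes, expected: dict = REPORTED_HASHES) -> bool:
    """True only if every reported digest matches the local file."""
    return file_hashes(data) == {k: v.lower() for k, v in expected.items()}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0.0 .. 8.0); this is the report's 'ntrpy' column."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def format_timestamp(ts: int) -> str:
    """Render a PE TimeDateStamp the way the report prints it (UTC)."""
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%a %b %d %H:%M:%S %Y")


def parse_pe(data: bytes) -> dict:
    """Extract the header fields the report lists from a PE32 image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: Machine, NumberOfSections, TimeDateStamp ... SizeOfOptionalHeader
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, pe_off + 4)
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24                                         # optional header start
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "viradd": vaddr, "virsiz": vsize, "rawdsiz": rawsize,
                         "ntrpy": round(shannon_entropy(raw), 2),
                         "md5": hashlib.md5(raw).hexdigest()})
    return {"machine": machine, "timedatestamp": timestamp,
            "entrypoint": image_base + entry_rva, "sections": sections}


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (NOT a real svchost.exe) carrying the report's header values."""
    secs = [(b".text", 0x1000, 0x2450, 0x2600),   # name, VirtualAddress, VirtualSize, SizeOfRawData
            (b".data", 0x4000, 0x1F4, 0x200),
            (b".rsrc", 0x5000, 0x408, 0x600)]
    hdr = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40))      # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), REPORTED_TIMESTAMP, 0, 0, 224, 0x102)
    opt = bytearray(224)                                               # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, REPORTED_ENTRYPOINT - 0x1000000)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x1000000)                         # ImageBase
    hdr += opt
    body, rawptr = bytearray(), 0x200
    for i, (name, vaddr, vsize, rawsize) in enumerate(secs):
        hdr += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
        body += bytes((j * 37 + 11) & 0xFF if i == 0 else i for j in range(rawsize))  # filler
        rawptr += rawsize
    return bytes(hdr.ljust(0x200, b"\0") + body)


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_pe()
    info = parse_pe(data)
    print("size %d bytes, hashes match report: %s" % (len(data), hashes_match(data)))
    print("timestamp %#x = %s (report: %s)" % (info["timedatestamp"],
          format_timestamp(info["timedatestamp"]), format_timestamp(REPORTED_TIMESTAMP)))
    print("entry point %#x (report %#x), machine %#x" % (info["entrypoint"], REPORTED_ENTRYPOINT, info["machine"]))
    for s in info["sections"]:
        print("%-6s viradd %#x virsiz %#x rawdsiz %#x ntrpy %.2f md5 %s" % (
            s["name"], s["viradd"], s["virsiz"], s["rawdsiz"], s["ntrpy"], s["md5"]))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the path of the flagged file and compare each printed line with the report: identical hashes mean you are looking at the same 12800-byte sample VirusTotal saw, and the decoded TimeDateStamp, entry point and section layout give you a second, hash-independent way to see whether the file's structure matches. If the hashes differ, the file on disk is not the sample in the report and should be submitted separately.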