Author Topic: c:\windows\system32\svchost.exe Rootkit ;-(  (Read 173641 times)

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11865
    • AVAST Software
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #15 on: June 04, 2008, 08:01:29 AM »
I think it should be already corrected in the latest VPS - can you confirm, please?

Boglen

  • Guest
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #16 on: June 04, 2008, 08:07:55 AM »
I'm attaching the "infected" file.
The file has a true Microsoft digital signature; I have checked.
It has now damaged more than 80 computers in several organizations.

http://www.rapidshare.ru/692602

Pulsar33

  • Guest
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #17 on: June 04, 2008, 08:11:15 AM »
Yes, I confirm   :)

No longer detected by 080604-0

Quote
Tech said : Which is your language? Maybe it occurs just in some Windows languages...
For information, Calgero said he and his friends are French, and so am I. My OS version is XP SP1

Have a good day
Pulsar33

Boglen

  • Guest
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #18 on: June 04, 2008, 08:19:20 AM »
Confirmed.
Situation unpleasant. >:(

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11865
    • AVAST Software
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #19 on: June 04, 2008, 08:22:40 AM »
I sent an alert to my friends at 6 pm today because I have deleted the file svchost.exe and of course Windows was down!

Calgero, are you saying that avast! let you delete this file? How exactly? (what options did you choose)
What version of avast! do you have?
« Last Edit: June 04, 2008, 08:34:39 AM by igor »

Dmitrii

  • Guest
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #20 on: June 04, 2008, 09:02:06 AM »
Hi, all!

I'm from Russia, and I have this problem too.
Yesterday on one machine and today on four.
It seems that Avast not only deletes svchost.exe, but also deletes something in the registry.
Because I copied this file from another machine, but Windows does not work! Of about 50 services, only 19 remain!!!
On the Russian forum many people have this problem. Somebody has half of the machines in the office destroyed!
It's big trouble  :(.

Sorry for my English

Dmitrii

  • Guest
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #21 on: June 04, 2008, 09:14:06 AM »
How can we restore the system?  (Win XP SP2)

Most of the services were deleted. >:(

Many people are shocked; they had many machines and the work was stopped.  >:(

Reinstalling Windows is not a good idea

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11865
    • AVAST Software
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #22 on: June 04, 2008, 09:27:33 AM »
I don't think it can be restored, sorry.
You may try "Repair" from Windows installation CD, but I don't know if it'll work.

What version of avast! do you have installed?

kstmb

  • Guest
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #23 on: June 04, 2008, 09:40:40 AM »
Win XP Pro SP2 RUS, avast! Home 4.8.1201, VPS 080604-0. The same problem. The latest update has no effect. avast! deleted all ImagePath strings with svchost.exe from services in the registry. So, my Windows is dead.

Quote
I don't think it can be restored, sorry.
Maybe copy svchost.exe and a .reg patch to restore the main process? What else did avast! delete?
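
Added example, not part of any post in this thread: the reply above reports that the ImagePath values of svchost.exe-hosted services were removed from the registry. One way to list exactly which services lost that value is to compare a regedit text export of `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services` from a healthy machine of the same Windows build with an export from the damaged one. The function names and the sample data are assumptions made for this illustration.

```python
import re

SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

def parse_reg(text):
    """Parse regedit export text into {lowercased key path: {value name: raw data}}."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := re.match(r'"([^"]+)"=(.*)', line)):
            current[m.group(1).lower()] = m.group(2)
    return keys

def decode(raw):
    """Decode REG_EXPAND_SZ (hex(2):...) or REG_SZ ("...") export data."""
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw.strip('"').replace("\\\\", "\\")

def is_win32_service(values):
    """Type 0x10 (own process) or 0x20 (shared process, e.g. svchost.exe)."""
    t = values.get("type", "")
    return t.startswith("dword:") and (int(t[6:], 16) & 0x30) != 0

def lost_image_paths(reference_text, damaged_text):
    """Services with ImagePath in the reference export but not in the damaged one."""
    ref, dmg = parse_reg(reference_text), parse_reg(damaged_text)
    lost = {}
    for key, values in ref.items():
        if is_win32_service(values) and "imagepath" in values:
            if key in dmg and "imagepath" not in dmg[key]:
                lost[key.rsplit("\\", 1)[-1]] = decode(values["imagepath"])
    return lost  # keyed by lowercased service name

def sample_export(services):
    """Constructed sample: export text for {service name: image path or None}."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for name, path in services.items():
        out += [f"[{SERVICES}\\{name}]", '"Type"=dword:00000020']
        if path:
            raw = (path + "\0").encode("utf-16-le")
            out.append('"ImagePath"=hex(2):' + ",".join(f"{b:02x}" for b in raw))
        out.append("")
    return "\n".join(out)

if __name__ == "__main__":
    svchost = r"%SystemRoot%\system32\svchost.exe -k netsvcs"
    healthy = sample_export({"Dhcp": svchost, "Themes": svchost})
    damaged = sample_export({"Dhcp": None, "Themes": svchost})
    for name, path in lost_image_paths(healthy, damaged).items():
        print(f"{name}: ImagePath missing, reference has {path}")
```

The comparison only covers service keys that still exist in the damaged export; keys that are absent altogether would need a separate check.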

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #24 on: June 04, 2008, 10:10:54 AM »
Also, the Russian version is fixed now... download the latest VPS update ;)

Dmitrii

  • Guest
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #25 on: June 04, 2008, 10:11:58 AM »
We have Avast Network Client 4.7.820

I saw that our mirror has Avast Professional 4.7.1201, but NetWork Clients are still 4.7.820

On my machine (the one I am working from now) there is a message that Avast found svchost.exe every 5 seconds, and the chest already has about 51M of this file  :-\. The VBA is updated to 080604-0, but I don't want to reboot, because something tells me that I won't be able to work on my machine  :o

Dmitrii

  • Guest
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #26 on: June 04, 2008, 10:32:06 AM »
Wow, I just had a VPS update and the message about svchost was lost.
But I am still afraid to reboot  :(

And can we do something with the dead machines? People need to work, and reinstalling Win is not a good idea  :o

calvesi

  • Guest
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #27 on: June 04, 2008, 10:46:38 AM »
hello, help me could you send svchost.exe file for windows professional sp1 please :-[
Hi All!

I've just restored a svchost.exe file from an unused PC (it has not been connected to anything since last year). I restored this file under an arbitrary name and compared it with the suspect SP1 svchost.exe file (using Edhex). They are strictly the same!

So I think it is definitely a false positive, and I suggest that Avast communicate urgently (maybe by mail to all users), because many, many people who are not familiar with these problems are about to crash their Windows system by deleting such an important file!

Best regards.
Pulsar33


Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11865
    • AVAST Software
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #28 on: June 04, 2008, 10:51:16 AM »
I'm afraid just replacing svchost.exe will not work.
Try the "Repair" option from Windows installation CD.

Faland

  • Guest
Re: c:\windows\system32\svchost.exe Rootkit ;-(
« Reply #29 on: June 04, 2008, 12:07:16 PM »
http://ifolder.ru/6844462

svchost + .reg file