W32:Rootkit-Gen in /System32/svchost.exe

[PiotrW]

Hello,

Yesterday, Avast on my home computer reported that it was infected with a virus named as W32:Rootkit-Gen. The infected file was named as /System32/svchost.exe

While browsing this forum, I noticed that a few people had this problem, too. I wanted to ask - was this alert verified as true or false? I don't know if there's a need for alarm or not...

Another question: since Avast reported this infection, I've lost my Internet access on the (supposedly) infected computer. If that alert is a false one, what could be the cause for this problem and what could be done with it?

I must add that, initially, I ordered Avast to delete svchost.exe... Of course, that proved to be a mistake. I repaired my Windows with my installation disc, but the Internet connection is still down. Could the unnecessary deletion be the cause?

I'd very thankful for your help.

[Boglen]

Look this thread
http://forum.avast.com/index.php?topic=36078.15

you'll need to rollback the system by System Restore.
And update Avast to latest database...

[PiotrW]

Well, there is a problem with that: my System Restore function was turned off... 

[Lisandro]

Which firewall do you use?
If you repair your Windows installation, svchost.exe should be back.
Maybe running:
sfc /scanonce
will bring it back any system file that could eventually be missing.

What I can't understand is that this false positives should be avoided by the digital signature of the file. Why isn't avast working? Why isn't this feature working?

[Boglen]

if you have windows install disk, try to run install d:\i386\winnt32.exe and set install mode Update

[PiotrW]

> Which firewall do you use?

Apart from Avast's? None...

> If you repair your Windows installation, svchost.exe should be back

Oh, I think it *is* back. Back the Internet access isn't... I cannot get through to any webpage or check e-mail. And according to Windows, there's no date coming in or out through the connection.

> sfc /scanonce
> will bring it back any system file that could eventually be missing

Is it a system feature, or some program like HijackThis?

> if you have windows install disk, try to run install d:\i386\winnt32.exe and set install mode Update

Just for my information: what exactly would I do by running this?

[Boglen]

You'll update OS and restore svchost service.
For another way you need external utils for System Restore.

Sorry for my English. Russia.

[PiotrW]

> You'll update OS and restore svchost service.

Ah, thank you

> Sorry for my English. Russia.

No problem. Poland here ;-)

[PiotrW]

I ran sfc \scanonce yesterday. I didn't help - my Internet connection is stil down.

I've de-installed Avast... It didn't help, too.

I'm starting to suspect that Avast managed to screw up my Internet connection's settings or relevant drivers. Does anybody have any ideas how to deal with this..?

[Lisandro]

Piotr, will this help?
http://www.softpedia.com/get/Tweak/Network-Tweak/WinSockFix.shtml

[PiotrW]

No, it didn't... I also used the Russian patch provided on the other thread - didn't help either.

It looks more and more like I'm going to spend the whole weekend on re-installing Windows...

... and Avast people *still* seem not to care about the mess they created. There's still not a word of official comment on the website!

Sorry to sound bitter, but this is really annoying.

[igor]

There is a message on the problem on support.avast.com - and there are instructions on how to deal with it for French and Russian OS there.
I'm afraid there's nothing for Polish, however.
What service pack do you have installed?

[PiotrW]

> There is a message on the problem on support.avast.com - and there are instructions on how to deal with it for French and Russian OS.

Yes, I've seen it. I tried the Russian solution, but it didn't work. I didn't try the French one yet, because the file server the patches are hosted at doesn't let me download them (user limits per country).

> What service pack do you have installed?

SP1 or none, I think.

[polonus]

Cześć PiotrW,

That is why we have a sticky in the "virus and worms" about what to do when a virus has been found.
A av-program, what kind of av product does not matter, is a dangerous tool to use. Always remember that and have that at the back of your head. All newbies and normal users should know this, that if you follow up a virus alarm without knowing actually what is the matter could ruin your installation, your OS, and your network connection. So in case of a virus alert first establish if other scanners also flag this, if only one product does the chance of a False Positive is gigantic. Then if you have a FP and delete an essential system file you are in for some proverbial head-aches. So first upload the file in question to virustotal, get info from a malware fighter here on the forum, and then you can make a confirmed decision what to do, else you could be playing Russian Roulette. Remember once that people were advised in an e-mail to delete an important win32 file, they lost the ability to restore long document names and they could not use Word or Outlook anymore.
Well the lesson learned here is, you have to experience this once to be twice shy the second time, I can tell you. I would never trust one av-scanner and run several non-resident next to avast to be absolutely certain the infection is real and the malware solution is not destroying my appl. or worse. "Nie smaczny", but that is reality, so next time run DrWebCureIt first or scan the file with ClamAV,

pozdrawiam,

polonus

[igor]

The files I mentioned are hosted on our servers, so they certainly aren't blocked for anybody.
But it doesn't change the fact that there's no article for Polish currently