W32:Rootkit-Gen in /System32/svchost.exe

[PiotrW]

I was referring to the Megaupload link provided by the French user, actually.

I downloaded the French fix from your server. Thank you :-) I'll try using it... although I'm not sure it'll work. I'm using Polish version of XP...

[polonus]

Hi PiotrW,

Disable system protection and then Run a System File Checker (sfc.exe), this will scan all protected Windows files to verify their versions have not been overwritten or damaged, and if so will replace the compromised version with a fresh copy. To run it, click Start/Run and type 'sfc.exe /scannow' (without the quotes but with the space between the 'e' and the '/'). Alternatively, you can click start/Run and type in CMD and click O.K., when the black window opens type in "sfc /scannow". You will need to insert your Windows CD into the drive to enable sfc to effect the repair. Sfc.exe will just stop without any other sign than the statusbar is gone! And remember, never ever delete svchost.exe again, do not even think about it. Repairing it, well try this:

Verify Windows Update Service Settings

    * Click on Start, Run and type the following command in the open box and click OK

      services.msc

    * Find the Automatic Updates service and double-click on it.
    * Click on the Log On Tab and make sure the "Local System Account" is selected as the logon account and the box for "allow service to interact with desktop" is UNCHECKED.
    * Under the Hardware Profile section in the Log On Tab, make sure the service is enabled.
    * On the General Tab, the Startup Type should be Automatic, if not, drop the box down and select Automatic.
    * Under "Service Status" on the General tab, the service should be Started, click the Start button enable it.
    * Repeat the steps above for the service "Background Intelligent Transfer Service (BITS)"

Re-Register Windows Update DLLs

    * Click on Start, Run, and type CMD and click ok
    * In the black command window type the following command and press Enter

      REGSVR32 WUAPI.DLL

    * Wait until you receive the "DllRegisterServer in WUAPI.DLL succeeded" message and click OK
    * Repeat the last two steps above for each of the following commands:

      REGSVR32 WUAUENG.DLL
      REGSVR32 WUAUENG1.DLL
      REGSVR32 ATL.DLL
      REGSVR32 WUCLTUI.DLL
      REGSVR32 WUPS.DLL
      REGSVR32 WUPS2.DLL
      REGSVR32 WUWEB.DLL

Remove Corrupted Windows Update Files

    * At the command prompt, type the following command and press Enter

      net stop WuAuServ
    * Still at the command prompt,

      type cd %windir% and press Enter
    * In the opened folder, type the following command and press Enter to rename the SoftwareDistribution Folder

      ren SoftwareDistribution SD_OLD
    * Restart the Windows Update Service by typing the following at the command prompt

      net start WuAuServ

    * type Exit and Press Enter to close the command prompt

Reboot Windows

    * click on Start, Shut Down, and Restart to reboot Windows XP




Damian

[PiotrW]

I've run the French fix. Didn't help either...

Damian - thank you very much for your instructions. I'll try doing this tomorrow...

[DavidR]

You should also check out this avast! knowledge base article, http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=306

[PiotrW]

> You should also check out this avast! knowledge base article

As I mentioned earlier, I ran both fixes. Didn't help...

> Disable system protection and then Run a System File Checker (sfc.exe), this will scan all protected Windows files to verify their versions have not been overwritten or damaged, and if so will replace the compromised version with a fresh copy.

Damian, I ran SFC yesterday. It didn't help...

BTW. I was toying with the idea that the problem lies in my Ethernet card, so I tried using ipconfig \release and ipconfig \ renew. The first command returned to me that the the card's settings have already been released. The second command returned an error ("File not found" etc.).

[kstmb]

PiotrW, try to restore registry, or reinstall your netcard, or use WinSock XP Fix.

[PiotrW]

Hello Damian,

Good news! I've managed to get my Internet connection running by following Calambo's advice (on the other thread) regarding modifying the registry fixes. So far, everything looks to be working all right...

Anyway, thank you for your time!

BTW. A question: should the BITS service be set as "Automatic"? After I used the modified registry fixes, my Internet was back - even though BITS was still set as "Manual"... So, is the change you suggested necessary? Just out of curiosity...

[DavidR]

BITS (Background Intelligent Transfer Service) is required for windows update (WU), without it it won't update. It is normally set to Automatic.
However, I too have mine set to manual as I no longer use windows update preferring to manually download the updates I need to install off-line.

I don't know if the WU is smart enough to start BITS if it isn't running when you visit or if it can being a remote location, so you may have to set it to Auto if you use WU. You could leave it on manual and test it on the next patch Tuesday (10 June 2008) and see if WU works. If not change it to Auto and Start it.