Re: win32Rootkit-gen



Donald Eagle wrote:
Yes, thanks Jen. I learned that a little earlier from the Avast Web
Forum. I have updated the definitions. Pete, I also re-scanned with
Sophos, and it no longer finds anything. I also scanned with GMER, and
it found nothing. I still do not know why I could not upload the file
since someone else did. My svchost.exe file has been 14kB all along.

Don Eagle

"1PW" <barcrnahgjuvfgy@xxxxxxx> wrote in message
news:h4d73m$dcp$1@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
jen wrote:
"Donald Eagle" <aguila@xxxxxxxxxxx> wrote in message
news:eiLIyKADKHA.3740@xxxxxxxxxxxxxxxxxxxxxxx
I run XP home, SP3 updated to today with Zone Alarm free, Avast 4 Home,
Malwarebytes, and SuperAntiSpyware.
This afternoon Avast told me it had detected Win32Rootkit-gen in
Windows\system32\svchost.exe, but could not quarantine it. Windows
Defender, MalwareBytes and SuperAntiSpyware found nothing. A boot
scan from Avast also found it, but I did not attempt a repair because
it is a Windows file. Scanforfree.com rootkit remover did not find
it, but Sophos Anti-Rootkit did, though it gave the following message:
Area: Local hard drives
Description: Unknown hidden file
Location: C:\WINDOWS\system32\svchost.exe
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)
What do I do now? Can I tell Sophos to remove it and regenerate the
file? Can I repair it from an Avast boot scan? If I do either of
these, will I still be able to boot to Windows?
Suggestions for a solution greatly appreciated.

It's a false positive.
Fixed now. Update your defs...
Win32:Rootkit-Gen and svchost, please let it be a false positive:
http://forum.avast.com/index.php?topic=47058.0

-jen

The plot thickens a bit. It still makes me wonder why the OP couldn't
send his svchost.exe file to VT.

I suppose it's worth scanning with Sophos again and maybe other
reputable on-line scanners.

Svchost.exe on an XP Home SP3 /should/ be about 14 KB instead of 0 KB.

Interesting,

Pete
--
1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Hello Don:

Now that a few things have become clearer, I'd like to ask you if you
would like to try and send your C:\WINDOWS\system32\svchost.exe file
to Virus Total again.

This time, please drop the SSL option from the URL and try uploading to:

<http://www.virustotal.com/>

Perhaps we can establish the correct methodology for a future incident.

Thank you kindly,

Pete
--
1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
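The thread turns on three checks a defender wants before touching a flagged system file: does the file have a plausible size (14 KB rather than 0 KB), what does a hash lookup say, and is it really Microsoft's binary. The script below is an added example, not code from anyone in the thread; it assumes a modern Windows build with PowerShell 4 or later (for Get-FileHash and Get-AuthenticodeSignature) and defaults to the svchost.exe path discussed above.

```powershell
# Added example (not from the thread): triage a flagged Windows system file
# before deciding whether to quarantine or "repair" it.
# Assumes PowerShell 4+ on a current Windows build.
param(
    [string]$Path = "$env:SystemRoot\System32\svchost.exe"
)

$file = Get-Item -LiteralPath $Path -ErrorAction Stop

# 1. Size sanity check: a 0-byte system binary indicates a damaged file
#    (or a failed upload), not a normal svchost.exe.
$sizeKB = [math]::Round($file.Length / 1KB, 1)

# 2. Hashes: paste the SHA-256 into the VirusTotal search box instead of
#    uploading the file. That sidesteps upload problems entirely and returns
#    an existing analysis immediately if the file is already known.
$sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
$md5    = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash

# 3. Authenticode: a genuine Microsoft system binary carries a valid
#    signature chaining to a Microsoft certificate. "NotSigned" or
#    "HashMismatch" on a file in System32 is more telling than an AV
#    generic detection name.
$sig = Get-AuthenticodeSignature -LiteralPath $Path

# 4. Version resource: product/company/version the binary claims to be.
$ver = $file.VersionInfo

[pscustomobject]@{
    Path        = $file.FullName
    SizeKB      = $sizeKB
    SHA256      = $sha256
    MD5         = $md5
    SigStatus   = $sig.Status
    Signer      = $sig.SignerCertificate.Subject
    FileVersion = $ver.FileVersion
    Company     = $ver.CompanyName
} | Format-List
```

If the signature is valid and the hash is already known to VirusTotal, the detection is almost certainly a false positive like the one in this thread, and the right action is to update definitions rather than delete or "repair" the file. If the signature does not verify, the Windows-native way to restore the file is the built-in System File Checker (`sfc /scannow` from an elevated prompt), which replaces protected system files from the component store instead of leaving the machine with a missing svchost.exe.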


