PC Review
Re: win32Rootkit-gen

 
 
Virus Guy
Guest
Posts: n/a
 
      24th Jul 2009
Donald Eagle wrote:

> I run XP home, SP3 updated to today with Zone Alarm free, Avast 4
> Home, Malwarebytes, and SuperAntiSpyware.
> This afternoon Avast told me it had detected Win32Rootkit-gen in
> Windows\system32\svchost.exe, but could not quarantine it, Windows
> Defender, MalwareBytes and SuperAntiSpyware found nothing.


Another example of how AV and firewall software is mostly horse ****.

"1PW" wrote:

> Hello Donald:
>
> Upload your suspected C:\WINDOWS\system32\svchost.exe to
> virustotal.com


Donald Eagle wrote:

> Thanks, Pete, but I am unable to do that. When I tried from the
> web site, 0 bytes were sent. When I tried from email, that would
> not work either; I could not attach the file. I tried to download
> and use their Virus Total Uploader, but that would not run either.
> Do you have any other suggestions?


Your best course of action is to remove your hard drive and connect it
to another system as a slave drive. Then re-scan the drive on that
system. You will at least be able to access any suspicious files and
quarantine them or submit them to virus total.

But even if you think you've removed all suspicious files and set the
drive back to "normal", the drive will most likely still contain
undetected malware or back doors, and you're better off backing up all
personal files and applications and reformatting and reinstalling
windoze on that drive. Again, this is best done while the drive is a
slave attached to another PC.
 
 
 
 
 
FromTheRafters
Guest
Posts: n/a
 
      25th Jul 2009
"Virus Guy" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Donald Eagle wrote:
>
>> I run XP home, SP3 updated to today with Zone Alarm free, Avast 4
>> Home, Malwarebytes, and SuperAntiSpyware.
>> This afternoon Avast told me it had detected Win32Rootkit-gen in
>> Windows\system32\svchost.exe, but could not quarantine it, Windows
>> Defender, MalwareBytes and SuperAntiSpyware found nothing.

>
> Another example of how AV and firewall software is mostly horse ****.
>
> "1PW" wrote:
>
>> Hello Donald:
>>
>> Upload your suspected C:\WINDOWS\system32\svchost.exe to
>> virustotal.com

>
> Donald Eagle wrote:
>
>> Thanks, Pete, but I am unable to do that. When I tried from the
>> web site, 0 bytes were sent. When I tried from email, that would
>> not work either; I could not attach the file. I tried to download
>> and use their Virus Total Uploader, but that would not run either.
>> Do you have any other suggestions?

>
> Your best course of action is to remove your hard drive and connect it
> to another system as a slave drive. Then re-scan the drive on that
> system. You will at least be able to access any suspicious files and
> quarantine them or submit them to virus total.
>
> But even if you think you've removed all suspicious files and set the
> drive back to "normal", the drive will most likely still contain
> undetected malware or back doors, and you're better off backing up all
> personal files and applications and reformatting and reinstalling
> windoze on that drive. Again, this is best done while the drive is a
> slave attached to another PC.


Why would you install Windows on the slave drive of another computer?


 
 
FromTheRafters
Guest
Posts: n/a
 
      25th Jul 2009
"Lil' Abner" <(E-Mail Removed)> wrote in message
news:Xns9C52E4D0634Fbutter@wefb973cbe498...
> "FromTheRafters" <(E-Mail Removed)> wrote in
> news:h4dkq5$bgr$1
> @news.eternal-september.org:
>
>> "Virus Guy" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>>> Donald Eagle wrote:
>>>
>>>> I run XP home, SP3 updated to today with Zone Alarm free, Avast 4
>>>> Home, Malwarebytes, and SuperAntiSpyware.
>>>> This afternoon Avast told me it had detected Win32Rootkit-gen in
>>>> Windows\system32\svchost.exe, but could not quarantine it, Windows
>>>> Defender, MalwareBytes and SuperAntiSpyware found nothing.
>>>
>>> Another example of how AV and firewall software is mostly horse
>>> ****.
>>>
>>> "1PW" wrote:
>>>
>>>> Hello Donald:
>>>>
>>>> Upload your suspected C:\WINDOWS\system32\svchost.exe to
>>>> virustotal.com
>>>
>>> Donald Eagle wrote:
>>>
>>>> Thanks, Pete, but I am unable to do that. When I tried from the
>>>> web site, 0 bytes were sent. When I tried from email, that would
>>>> not work either; I could not attach the file. I tried to download
>>>> and use their Virus Total Uploader, but that would not run either.
>>>> Do you have any other suggestions?
>>>
>>> Your best course of action is to remove your hard drive and connect
>>> it
>>> to another system as a slave drive. Then re-scan the drive on that
>>> system. You will at least be able to access any suspicious files
>>> and
>>> quarantine them or submit them to virus total.
>>>
>>> But even if you think you've removed all suspicious files and set
>>> the
>>> drive back to "normal", the drive will most likely still contain
>>> undetected malware or back doors, and you're better off backing up all
>>> personal files and applications and reformatting and reinstalling
>>> windoze on that drive. Again, this is best done while the drive is
>>> a
>>> slave attached to another PC.

>>
>> Why would you install Windows on the slave drive of another computer?

>
> Sometimes you just have to go by what someone means and not what they
> say. I understood it from the getgo.


It's much better if they say what they mean.

I could see the first part needing a second computer, but that second
part? He proposes taking out the drive and making it a slave on a second
computer for the purpose of formatting and reinstalling the OS. Oh, and
make sure you back up your personal applications from that drive you
believe has hidden backdoors in it - wtf?


 
 
Virus Guy
Guest
Posts: n/a
 
      25th Jul 2009
Lil' Abner wrote:

> >> But even if you think you've removed all suspicious files and
> >> set the drive back to "normal", the drive will most likely
> >> still contain undetected malware or back doors, and you're better
> >> off backing up all personal files and applications and
> >> reformatting and reinstalling windoze on that drive. Again,
> >> this is best done while the drive is a slave attached to
> >> another PC.

> >
> > Why would you install Windows on the slave drive of another
> > computer?

>
> Sometimes you just have to go by what someone means and not what
> they say. I understood it from the getgo.


I admit I could have been a little clearer.

I did not mean that windows should be re-installed while the drive is
still a slave in the second PC.

I meant that the retrieval or backup of personal files and other
material is best done while the drive is still installed in the second
PC as a clone.
 
 
FromTheRafters
Guest
Posts: n/a
 
      25th Jul 2009
"Virus Guy" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Lil' Abner wrote:
>
>> >> But even if you think you've removed all suspicious files and
>> >> set the drive back to "normal", the drive will most likely
>> >> still contain undetected malware or back doors, and you're better
>> >> off backing up all personal files and applications and
>> >> reformatting and reinstalling windoze on that drive. Again,
>> >> this is best done while the drive is a slave attached to
>> >> another PC.
>> >
>> > Why would you install Windows on the slave drive of another
>> > computer?

>>
>> Sometimes you just have to go by what someone means and not what
>> they say. I understood it from the getgo.

>
> I admit I could have been a little clearer.
>
> I did not mean that windows should be re-installed while the drive is
> still a slave in the second PC.
>
> I meant that the retrieval or backup of personal files and other
> material is best done while the drive is still installed in the second
> PC as a clone.


So a false positive declaration necessitates a format and reinstall of
the OS after slaving the drive in another computer in order to make
backups of personal data and applications?


 
 
Virus Guy
Guest
Posts: n/a
 
      25th Jul 2009
Full-Quoter FromTheRafters wrote:

> > I meant that the retrieval or backup of personal files and other
> > material is best done while the drive is still installed in the
> > second PC as a clone.

>
> So a false positive declaration necessitates a format and reinstall
> of the OS after slaving the drive in another computer in order to
> make backups of personal data and applications?


I posted the first message before it was known that it was a false
positive and the OP was seeking a course of action in how to deal with
the detection of malware on his system. I posted a clarification to
clear up some confusion about what I meant, regardless that it comes
after the knowledge that the original situation was a false-positive
detection.

Are you not capable of understanding the order of events?
 
 
FromTheRafters
Guest
Posts: n/a
 
      25th Jul 2009
"Virus Guy" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Full-Quoter FromTheRafters wrote:
>
>> > I meant that the retrieval or backup of personal files and other
>> > material is best done while the drive is still installed in the
>> > second PC as a clone.

>>
>> So a false positive declaration necessitates a format and reinstall
>> of the OS after slaving the drive in another computer in order to
>> make backups of personal data and applications?

>
> I posted the first message before it was known that it was a false
> positive and the OP was seeking a course of action in how to deal with
> the detection of malware on his system. I posted a clarification to
> clear up some confusion about what I meant, regardless that it comes
> after the knowledge that the original situation was a false-positive
> detection.
>
> Are you not capable of understanding the order of events?


Are you not capable of understanding that your suggestions with regard
to dealing with malware have to include the possibility that a false
positive may have occurred? Attaching a harddrive as a slave on another
computer is only *one* way of ensuring that the suspected malware is not
actively defending itself. Why go there *first*?


 
 
Virus Guy
Guest
Posts: n/a
 
      25th Jul 2009
FromTheRafters wrote:

> > Are you not capable of understanding the order of events?

>
> Are you not capable of understanding that your suggestions with
> regard to dealing with malware have to include the possibility
> that a false positive may have occurred?


What would have been the course of action in that case?

If your AV tells you that it detected some malware, then you have two
choices:

1) Assume that it's a false positive and just ignore it.

2) Assume that it's a true positive and take steps to deal with it.

The OP apparently chose (2), and nobody else responding to him suggested
(1). I have never seen anyone give (a) as advice in situations like
this unless they have specific knowledge that this is a known and
documented detection error with the AV in question.

> Attaching a harddrive as a slave on another computer is only
> *one* way of ensuring that the suspected malware is not
> actively defending itself.


Booting an AV product via CD or USB drive is another way, but it can
take time to seek out and prepare that solution for deployment. Slaving
a suspect drive to a known-good trusted system that has pre-installed
malware detection tools can be (or would be) a faster solution.

Is there a third way?

> Why go there *first*?


What would you suggest?

Are you saying that the first (best) course of action is to assume a
false positive?
 
 
FromTheRafters
Guest
Posts: n/a
 
      26th Jul 2009
"Virus Guy" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> FromTheRafters wrote:
>
>> > Are you not capable of understanding the order of events?

>>
>> Are you not capable of understanding that your suggestions with
>> regard to dealing with malware have to include the possibility
>> that a false positive may have occurred?

>
> What would have been the course of action in that case?


Well, compare the suspect file against a known good copy. I also
recommend having more than one AV scanner available on the machine. Only
one "on access" scanner and others on demand - for cases such as these
where the option for VT or Jotti is not available.

Also, if the AV in question finds the same malware in a known clean copy
of the program (like from the installation disk) you can just figure
that is a FP.

> If your AV tells you that it detected some malware, then you have two
> choices:
>
> 1) Assume that it's a false positive and just ignore it.


Works for me.

> 2) Assume that it's a true positive and take steps to deal with it.


If you have decided it is a real detection of (generic) malware then the
first step is to identify what it is so that you can deal with it
properly. Safe mode may be an option for not having the malware actively
defending itself. Failing that, booting from an alternate source will
often suffice. Booting from an alternate source with an alternate OS may
also be an option. In my opinion obtaining and booting from a "live cd"
is much easier than disconnecting the harddrive and connecting it to
another computer as a slave device.

> The OP apparently chose (2), and nobody else responding to him
> suggested
> (1). I have never seen anyone give (a) as advice in situations like
> this unless they have specific knowledge that this is a known and
> documented detection error with the AV in question.


Well, I don't trust AV that much. Going out on a limb here I could say
that most malware professionals would take that particular detection as
a FP when that (and some others) AV reports it - yet take it as a
potentially real threat when reported by "better" AV programs.

>> Attaching a harddrive as a slave on another computer is only
>> *one* way of ensuring that the suspected malware is not
>> actively defending itself.

>
> Booting an AV product via CD or USB drive is another way, but it can
> take time to seek out and prepare that solution for deployment.
> Slaving
> a suspect drive to a known-good trusted system that has pre-installed
> malware detection tools can be (or would be) a faster solution.


This is a really good idea for the housecall technician. If you are
called upon to "fix" someone's malware problem, and you have such a setup
that makes swapping HDs *easy* - it is a very good idea. I wouldn't
expect the average home user to tackle such a thing.

> Is there a third way?


Recovery console, but I don't think it entirely trustworthy if installed
on the affected harddrive - so that is equivalent to the LiveCD method.
The capabilities of the recovery console vary from OS to OS, but there
may be some way to affect the problem.

>> Why go there *first*?

>
> What would you suggest?


Investigation.

> Are you saying that the first (best) course of action is to assume a
> false positive?


Yes, and no. Yes, assume it "may be" a false positive, but that doesn't
mean to just ignore it (although that has worked for me in the past).
Second, third or more opinion scans help.


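The "compare the suspect file against a known good copy" step from the reply above, as an added example that is not part of the thread: it hashes the flagged binary and a reference copy and reports whether the detection looks like a false positive. It assumes the reference comes from installation media or another trusted source; file names and sample bytes are constructed for the demo.

```python
"""Added example: check a flagged binary (e.g. svchost.exe) against a
known-good copy by size and SHA-256. Assumption: the reference copy comes
from installation media or another trusted source, not from the suspect
system itself (anything that can rewrite system32 can rewrite a local
cache copy too)."""
import hashlib
import os
import tempfile


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_to_reference(suspect: str, reference: str) -> dict:
    """Return sizes, hashes and a verdict for suspect vs. reference."""
    s_size, r_size = os.path.getsize(suspect), os.path.getsize(reference)
    s_hash, r_hash = sha256_of(suspect), sha256_of(reference)
    if s_hash == r_hash:
        verdict = "identical to reference: detection is likely a false positive"
    elif s_size != r_size:
        verdict = "differs in size from reference: treat as suspicious"
    else:
        # Same length but different bytes is what an in-place patch of a
        # system binary looks like; do not assume a false positive here.
        verdict = "same size but different content: treat as suspicious"
    return {"suspect_sha256": s_hash, "reference_sha256": r_hash,
            "suspect_size": s_size, "reference_size": r_size,
            "verdict": verdict}


def demo() -> tuple:
    """Constructed sample files standing in for copies of svchost.exe."""
    good = b"MZ" + b"\x00" * 62 + b"constructed reference image " * 40
    patched = good[:-10] + b"X" * 10  # same size, altered tail bytes
    with tempfile.TemporaryDirectory() as d:
        ref = os.path.join(d, "svchost_reference.exe")
        same = os.path.join(d, "svchost_unchanged.exe")
        mod = os.path.join(d, "svchost_modified.exe")
        for path, data in ((ref, good), (same, good), (mod, patched)):
            with open(path, "wb") as f:
                f.write(data)
        return compare_to_reference(same, ref), compare_to_reference(mod, ref)
```

A hash match only tells you the file on disk is the reference bytes; a second-opinion scan from clean boot media still covers the case where the detection was not about this file at all.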