svchost.exe virus

37 replies to this topic

#1
PeterEl (Newbie, Member, 17 posts, joined 28-August 12)
Hello anybody!

I found a virus in the svchost.exe file that I downloaded from microsoft.com.
Here is the order:
I went to the website microsoft.com and downloaded the ServicePack3 update for Windows XP,
then I found the file "svchost.ex_" and extracted it to a file "svchost.exe",
and then I checked this file on VIRUSTOTAL.COM and it found a VIRUS!!! - McAfee-GW-Edition (antivirus program) Heuristic.LooksLike.Win32.Suspicious.I

So... Microsoft sells products with viruses ??????

What do you think about it?

Edited by PeterEl, 28 August 2012 - 09:14 AM.



#2
submix8c (Inconceivable!, Patron, 4,383 posts, joined 14-September 05)
What do I think?
http://support.micro....com/kb/2025695

Someday the tyrants will be unthroned... Jason "Jay" Chasteen; RIP, bro!


#3
allen2 (Not really Newbie, Member, 1,814 posts, joined 13-January 06)
In the first place, why would you need to download svchost.exe (your Windows OS already has it)?
Also, using caps/bold/big font won't help more...

#4
PeterEl (Newbie, Member, 17 posts, joined 28-August 12)

> In the first place, why would you need to download svchost.exe (your Windows OS already has it)?
> Also, using caps/bold/big font won't help more...

ya, ya ))) I know...

I first began to verify the file that already exists in my Windows.
When I discovered by the above method a virus in it, I decided to download svchost.exe from microsoft.com, assuming that there would not be a virus. But the virus was there, too.

#5
submix8c (Inconceivable!, Patron, 4,383 posts, joined 14-September 05)
JEEZ, dude - FALSE POSITIVE!!!!

Wiki

A "false positive" is when antivirus software identifies a non-malicious file as a virus.

In April 2010, McAfee VirusScan detected svchost.exe, a normal Windows binary, as a virus on machines running Windows XP with Service Pack 3, causing a reboot loop and loss of all network access.


In addition, if YOU did not upload it and are DEPENDING ON OTHER VERSIONS and ONLY looking at OTHERS results - THOSE are YES because there IS one going around!

Get a program "Hashmyfiles" and CHECK THE HASH! I will BET that YOUR file will NOT be listed!

Results of MY XP-SP3:
Name:    svchost.exe
MD5:     27c6d03bcdb8cfeb96b716f3d8be3e18
SHA-1:   49083ae3725a0488e0a8fbbe1335c745f70c4667
CRC32:   6ef02438
Date:    2008-04-14 10:00:00 AM
Size:    14,336
Version: 5.1.2600.5512 (xpsp.080413-2111)

NO VIRUS! (and I FOUND the "analysis" - McAfee is a POS!)
TRY THIS ANALYSIS, DUDE!

edit - the SHA256:
2910ebc692d833d949bfd56059e8106d324a276d5f165f874f3fb1b6c613cdd5
Appears that THERE IS NO VIRUS (last "analysis" link I gave IS the one)

(sheesh!)

Edited by submix8c, 28 August 2012 - 11:05 AM.



#6
allen2 (Not really Newbie, Member, 1,814 posts, joined 13-January 06)
Ok, but be careful: the official svchost.exe can load viruses like Conficker, as it is only a service-hosting functionality, so if you see the svchost.exe process downloading or doing strange things, it could be that the hosted DLL is a trojan (like Conficker).
I take Conficker as an example, as it is the worst virus created and it is still spreading even though it was "released" in 2008 (almost 4 years for a virus still spreading is perhaps a world record).

#7
submix8c (Inconceivable!, Patron, 4,383 posts, joined 14-September 05)
Yes, it CAN load viruses. SERVICES.EXE can be compromised as well (even worse to root out - look it up). But the OFFICIAL one is NOT a virus. The OP is going totally paranoid with misinformation and misunderstandings (ref: this).



#8
allen2 (Not really Newbie, Member, 1,814 posts, joined 13-January 06)
Hmm, I disagree there: the OP is already a little paranoid (the way I see it, it's a quality). He already uses a firewall and is behind a router, which isn't really mandatory.

#9
PeterEl (Newbie, Member, 17 posts, joined 28-August 12)

> JEEZ, dude - FALSE POSITIVE!!!!
>
> Wiki
>
> A "false positive" is when antivirus software identifies a non-malicious file as a virus.
>
> In April 2010, McAfee VirusScan detected svchost.exe, a normal Windows binary, as a virus on machines running Windows XP with Service Pack 3, causing a reboot loop and loss of all network access.
>
> In addition, if YOU did not upload it and are DEPENDING ON OTHER VERSIONS and ONLY looking at OTHERS results - THOSE are YES because there IS one going around!
>
> Get a program "Hashmyfiles" and CHECK THE HASH! I will BET that YOUR file will NOT be listed!
>
> Results of MY XP-SP3:
> Name:    svchost.exe
> MD5:     27c6d03bcdb8cfeb96b716f3d8be3e18
> SHA-1:   49083ae3725a0488e0a8fbbe1335c745f70c4667
> CRC32:   6ef02438
> Date:    2008-04-14 10:00:00 AM
> Size:    14,336
> Version: 5.1.2600.5512 (xpsp.080413-2111)
>
> NO VIRUS! (and I FOUND the "analysis" - McAfee is a POS!)
> TRY THIS ANALYSIS, DUDE!
>
> edit - the SHA256:
> 2910ebc692d833d949bfd56059e8106d324a276d5f165f874f3fb1b6c613cdd5
> Appears that THERE IS NO VIRUS (last "analysis" link I gave IS the one)
>
> (sheesh!)

Thanks for the answers. I got "Hashmyfiles" and here you are:
Name:     svchost.exe
MD5:      e948a9079d0e6350be92d4d3e0077f81
SHA1:     82379592eca1117386e97f7a0500b3f34204d92e
CRC32:    77e6bc31
SHA256:   399d4b8eed157c15e93eaab7b6f9ba523bb768b8fd49d66c1450eb310a813ade
Modified: 15.04.2008 12:00:00
Created:  27.08.2012 13:30:00
Size:     14 336
Version:  5.1.2600.5512 (xpsp.080413-2111)

Maybe I'm not understanding well (sorry), but MY SHA-256 is different from the SHA-256 in your link ("THIS") where no malware was found. Does this mean that my svchost is a virus?

#10
submix8c (Inconceivable!, Patron, 4,383 posts, joined 14-September 05)
No... "HashMyFiles" doesn't give SHA256 - only SHA1, MD5, CRC32. VirusTotal only uses SHA256.

I got SHA256 shown above using this Online one. That's what I cross-checked to VirusTotal (search on the SHA256 - that's how I found the NOT VIRUS link).

WHY in the WORLD do you think Microsoft would give a Service Pack with a VIRUS in it? If you downloaded DIRECTLY from Microsoft, IT IS NOT A VIRUS!!!!! The OTHER SHA256 ones at VirusTotal MAY be (and probably are). The ones Listed on VirusTotal (NOT the one with NO VIRUS FOUND) are part of a Trojan as is MANY (and probably all) instances of SERVICES.EXE that are NOT the REAL one (from Microsoft).

Bottom line - you can search on nearly ANY Microsoft Program Name and discover SOMEWHERE a case of a Trojan/Virus that is NOT from Microsoft. Try it and see (for example SERVICES.EXE).

YOURS IS NOT A VIRUS!!!!! OK? Please stop accusing Microsoft of supplying Viruses and Trojans.
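The check that posts #5 and #10 describe (hash the local file with the same algorithms HashMyFiles shows, compare with a known-good value, and search VirusTotal by SHA-256 instead of trusting one engine's heuristic verdict) as an added Python example. This is not code from the thread, from HashMyFiles or from VirusTotal. The reference digests are the English XP SP3 svchost.exe values posted above; the sample bytes and the `SAMPLE_REFERENCE` dictionary are constructed so the script runs offline.

```python
"""Compute MD5, SHA-1, CRC32 and SHA-256 of a file in one pass and compare
them with a known-good reference. Added example, not code from the thread.
XP_SP3_SVCHOST holds the digests posted in the thread for the English XP SP3
svchost.exe; SAMPLE / SAMPLE_REFERENCE are constructed test data."""
import hashlib
import zlib
from typing import Dict, Iterable

# Known-good digests copied from post #5 (MD5/SHA-1/CRC32) and its SHA-256 edit.
XP_SP3_SVCHOST = {
    "md5": "27c6d03bcdb8cfeb96b716f3d8be3e18",
    "sha1": "49083ae3725a0488e0a8fbbe1335c745f70c4667",
    "crc32": "6ef02438",
    "sha256": "2910ebc692d833d949bfd56059e8106d324a276d5f165f874f3fb1b6c613cdd5",
}


def _digest_chunks(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Feed every chunk to all four digests so the file is read only once."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    crc = 0
    for chunk in chunks:
        md5.update(chunk)
        sha1.update(chunk)
        sha256.update(chunk)
        crc = zlib.crc32(chunk, crc)
    return {
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
        "crc32": f"{crc & 0xFFFFFFFF:08x}",  # HashMyFiles shows CRC32 as 8 hex digits
        "sha256": sha256.hexdigest(),
    }


def digest_bytes(data: bytes) -> Dict[str, str]:
    """Digests of an in-memory byte string."""
    return _digest_chunks([data])


def digest_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Digests of a file on disk, streamed so large files stay out of memory."""
    with open(path, "rb") as fh:
        return _digest_chunks(iter(lambda: fh.read(chunk_size), b""))


def compare(actual: Dict[str, str], expected: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm match against a reference; case-insensitive because
    HashMyFiles, VirusTotal and web pages print hex in different cases."""
    return {alg: actual.get(alg, "").lower() == ref.lower() for alg, ref in expected.items()}


def is_known_good(actual: Dict[str, str], expected: Dict[str, str]) -> bool:
    """True only if every algorithm the reference lists agrees. A mismatch
    means "not the same bytes", which by itself says nothing about malware:
    another language build or service pack level also changes every hash."""
    return all(compare(actual, expected).values())


# Constructed sample input so the example runs without svchost.exe present.
SAMPLE = b"hello"
SAMPLE_REFERENCE = {"sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python hashcheck.py C:\WINDOWS\system32\svchost.exe
        d = digest_file(sys.argv[1])
        for alg, hexval in d.items():
            print(f"{alg:7} {hexval}")
        print("matches XP SP3 reference:", is_known_good(d, XP_SP3_SVCHOST))
        print("look this SHA-256 up on VirusTotal:", d["sha256"])
    else:
        print(digest_bytes(SAMPLE))
```

Run it against the local svchost.exe and compare the SHA-256 with the one for the file you actually downloaded; a mismatch against someone else's reference only tells you the builds differ, which is exactly the situation in post #9.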



#11
PeterEl (Newbie, Member, 17 posts, joined 28-August 12)

> No... "HashMyFiles" doesn't give SHA256 - only SHA1, MD5, CRC32. VirusTotal only uses SHA256.
>
> I got SHA256 shown above using this Online one. That's what I cross-checked to VirusTotal (search on the SHA256 - that's how I found the NOT VIRUS link).
>
> WHY in the WORLD do you think Microsoft would give a Service Pack with a VIRUS in it? If you downloaded DIRECTLY from Microsoft, IT IS NOT A VIRUS!!!!! The OTHER SHA256 ones at VirusTotal MAY be (and probably are). The ones Listed on VirusTotal (NOT the one with NO VIRUS FOUND) are part of a Trojan as is MANY (and probably all) instances of SERVICES.EXE that are NOT the REAL one (from Microsoft).
>
> Bottom line - you can search on nearly ANY Microsoft Program Name and discover SOMEWHERE a case of a Trojan/Virus that is NOT from Microsoft. Try it and see (for example SERVICES.EXE).
>
> YOURS IS NOT A VIRUS!!!!! OK? Please stop accusing Microsoft of supplying Viruses and Trojans.

1) Ok. Tell me please, if you take your SVCHOST.EXE file and check it on VIRUSTOTAL.COM, will there be a virus?
2) <<"HashMyFiles" doesn't give SHA256>> It sounds strange... in the HashMyFiles that I downloaded there is SHA256: if you choose VIEW > SETTINGS and then SELECT COLUMNS, there is SHA256. By the way, in the "HashMyFiles" that I downloaded, VIRUSTOTAL found a virus too!!! but another one.

#12
PeterEl (Newbie, Member, 17 posts, joined 28-August 12)
I carefully pay attention to viruses in the SVCHOST.EXE file because the FIREWALL permanently registers OUTgoing connections to different IP addresses (some of which belong to GOOGLE, YANDEX (search engine), and some unknown people; I checked the IPs on a whois service).

Here is a screenshot of this: [Attached file: OUT_connections.gif, 45.61KB]

#13
submix8c (Inconceivable!, Patron, 4,383 posts, joined 14-September 05)
Then your CURRENT one has a Trojan/Virus. The REAL one does not do that.

In fact, your Trojan/Virus may be in your TEMP folder or "Temporary Internet Files" folder and an entry was put in the Registry to cause SVCHOST.EXE (a real one) to "run" the Trojan/Virus. SVCHOST.EXE is a "driver" (if you will) for Services and of itself does NOT do any "connections" - that's left to the "loaded" program. Look that up, my friend.

And if you CONNECT to a website, you will indeed get "connections" shown. I showed that in the other thread about your Router settings.

So... you're telling me the HashMyFiles that YOU UPLOADED to VirusTotal says it's a VIRUS? Are you SERIOUS?

How about that? I have an older version. Thanks for the tip on that.

Oh, and BTW, I do NOT upload files to VirusTotal but I'll be glad to do it if it'll make you happy.
...BWAHAHAH!!!!! Done! Again, McAfee is a POS (look up that acronym)! And I would BET that the Definitions are outdated! DID YOU READ THE MICROSOFT ARTICLE? It SPECIFICALLY names THAT ANTIVIRUS as giving FALSE POSITIVE.

GIVE UP, dude, it's NOT that program if you indeed HAVE a Trojan/Virus! Riddle me this, Batman - How can you explain the EXACT SAME FILE giving TWO DIFFERENT RESULTS for the SAME FILE? (Remember the OTHER link?)

BTW, the SYMPTOM of the Trojan/Virus is HIGH CPU USAGE for SVCHOST. Do YOU have that symptom? If not, then YOU ARE IN GOOD SHAPE and more than likely "clean"! LOOK THAT UP, dude!

I'm done with this. YOU ARE WRONG!



#14
allen2 (Not really Newbie, Member, 1,814 posts, joined 13-January 06)
You should use TCPView first to know which process(es) are making those requests (also get the PID to check which user is launching them).
Then, depending on the process(es) and/or the user launching them, different solutions may arise.
Edit: The PID will help you find, in Task Manager or better in Process Explorer, which user is launching them (you'll need to add the right columns in the View menu).

Edited by allen2, 29 August 2012 - 09:41 AM.
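The triage allen2 describes above (find which process owns each connection, get its PID, then look at what is behind that PID) as an added Python example; this is not the thread's own code and it is not TcpView or Process Explorer. It joins the output of the built-in `netstat -ano` (connection to PID) with `tasklist /svc` (PID to image name and, for svchost.exe, the services that instance hosts). Both sample outputs are constructed in the format those Windows commands print; the `collect_live()` helper that runs the real commands assumes it is executed on Windows with enough rights for tasklist to see every process. The user account and loaded DLLs still need Process Explorer, as the post says.

```python
"""Attribute every connection in `netstat -ano` output to a process using
`tasklist /svc`, so an svchost.exe PID can be tied to the services it hosts.
Added example, not from the thread; the two samples below are constructed."""
import re
import subprocess
from typing import Dict, List

NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1052      203.0.113.7:443        ESTABLISHED     1032
  TCP    192.168.1.10:1053      198.51.100.25:80       ESTABLISHED     2280
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  UDP    192.168.1.10:137       *:*                                    4
"""

TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    884 RpcSs
svchost.exe                   1032 BITS, wuauserv
svchost.exe                   2280 N/A
"""

# image name (may contain spaces), PID, then the service list or N/A
TASK_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>\S.*)$")


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """TCP rows carry a State column, UDP rows do not; headers are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts and parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text: str) -> Dict[int, Dict[str, object]]:
    """Map PID -> {image, services}; 'N/A' becomes an empty service list."""
    procs = {}
    for line in text.splitlines():
        m = TASK_RE.match(line)
        if not m:  # banner, header and ===== lines contain no PID column
            continue
        svc = m.group("services").strip()
        services = [] if svc == "N/A" else [s.strip() for s in svc.split(",")]
        procs[int(m.group("pid"))] = {"image": m.group("image"), "services": services}
    return procs


def attribute_connections(netstat_text: str, tasklist_text: str) -> List[Dict[str, object]]:
    """Join connections to processes by PID; unknown PIDs are kept, not dropped."""
    procs = parse_tasklist(tasklist_text)
    out = []
    for row in parse_netstat(netstat_text):
        info = procs.get(row["pid"], {"image": "<unknown>", "services": []})
        out.append({**row, "image": info["image"], "services": list(info["services"])})
    return out


def established(rows: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Only live TCP sessions, i.e. the lines a firewall log would show as OUT."""
    return [r for r in rows if r["state"] == "ESTABLISHED"]


def svchost_without_services(rows: List[Dict[str, object]]) -> List[int]:
    """svchost.exe PIDs that hold a connection yet host no service according to
    tasklist: svchost itself makes no connections, so these deserve a look in
    Process Explorer (user, command line, loaded DLLs)."""
    return sorted({r["pid"] for r in established(rows)
                   if r["image"].lower() == "svchost.exe" and not r["services"]})


def collect_live() -> List[Dict[str, object]]:
    """Run the two commands on a Windows host (assumption: Windows, adequate rights)."""
    ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout
    tl = subprocess.run(["tasklist", "/svc"], capture_output=True, text=True, check=True).stdout
    return attribute_connections(ns, tl)


if __name__ == "__main__":
    rows = attribute_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for r in established(rows):
        svcs = ",".join(r["services"]) or "-"
        print(f"{r['proto']:4} {r['local']:22} -> {r['remote']:22} pid={r['pid']:<5} {r['image']}  services={svcs}")
    print("svchost.exe PIDs with a connection but no hosted service:", svchost_without_services(rows))
```

On the constructed sample, PID 1032 is explained by BITS/wuauserv (Windows Update traffic), while PID 2280 shows up as an svchost.exe with an established connection and nothing hosted, which is the case to take to Process Explorer rather than to VirusTotal.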


#15
submix8c (Inconceivable!, Patron, 4,383 posts, joined 14-September 05)
@allen2 - the crux of the Topic is the assertion that since VirusTotal is using a "bad" Antivirus Definition (see MS Link) that the file is a "virus". This is a false assumption.

And again, google both "SVCHOST.EXE" and "SERVICES.EXE" in conjunction with "TROJAN OR VIRUS" and you'll see the CPU-usage symptom and what the REAL culprit will be.




#16
allen2 (Not really Newbie, Member, 1,814 posts, joined 13-January 06)
I disagree with you there:
- If you're right, you don't need to be that angry/harsh when you're explaining something. If he doesn't understand, that is either because he needs more information or because the problem wasn't explained properly.
- The OP needs to learn how to diagnose those problems by himself, and if no one explains properly how to do it, he will still have doubts about your (or my) diagnostic.

Of course the downloaded svchost.exe from SP3 couldn't be a virus, but that doesn't mean the OP resolved his problem. He is right to want to understand why and how he got this false positive.
The only way to help him now is to let him learn how to monitor his computer's TCP connections and how to check which process(es) are using them.
Most likely there is a good reason for every connection, but knowing the reason will help him understand what is happening there and why. Also, that is the only way to reassure him.

#17
submix8c (Inconceivable!, Patron, 4,383 posts, joined 14-September 05)
allen2 - did you miss this (above)?
http://support.micro....com/kb/2025695

McAfee delivers a false-positive detection<snip>Svchost.exe<snip>(SP3)<snip>

I again say it's a failing of McAfee. Heck, that's the ONLY one that "thinks" it's "bad". THAT is what the OP started with - nothing to do with "IP addresses" until the OP's INSISTENCE of a "virus".

AGAIN... google said items (above). You'll see what I mean about a REAL Trojan/Virus.

AND, I had clearly stated why "traffic" was seen in the OP's other thread. If the OP did not initiate the traffic, then there is a "hidden" Trojan/Virus.

http://www.techspot....al-help.179423/
Notice that it's NOT in the System32 folder? And this was found by just searching "SVCHOST".

http://en.wikipedia.org/wiki/Svchost
To OP - study up on what the program does.
Also, if you DON'T believe me, download and run MalwareBytes and Spybot, both EXTREMELY dependable and reputable software.

My assertion is that there more than likely is NOT a problem at all and this is a wild goose chase.

Again... I'm done. Waste of keystrokes.



#18
allen2 (Not really Newbie, Member, 1,814 posts, joined 13-January 06)
I don't know how VirusTotal works exactly, but what I find strange is that it would use virus definitions from 2 years ago (taken from your link):

> This issue occurs for version 5958 of the McAfee DAT file. This DAT file was released on April 21, 2010. This DAT file has been superseded by version 5959. Version 5959 which corrects the false-positive detection that is described in the "Summary" section. Additionally, McAfee has released an EXTRA.DAT file that can be used to suppress the false-positive detection of the Svchost.exe process for customers who are running version 5958 of the DAT file.



#19
submix8c (Inconceivable!, Patron, 4,383 posts, joined 14-September 05)
allen2 - This is just to point out the fallacies that McAfee has - even MS has said it goofs. And again, the ONLY one that sees a "problem" with SVCHOST. Coincidence? I think not. Just because SVCHOST runs services doesn't mean it should be flagged as "suspicious". I stated my opinion of McAfee and I stand by it.

If the OP wishes to know "how things work" as opposed to a blatant "MS serves viruses" then they should say so... after an exhaustive internet search doesn't reveal the requested info.

However, in this case, I have suggested TWO very good software to reassure them and Panda has a free HDD scan as well. VirusTotal is not the be-all/end-all.

Says it all..



#20
allen2 (Not really Newbie, Member, 1,814 posts, joined 13-January 06)
I don't want to discuss further without any solid evidence from the OP, but it could happen that a virus running on his computer could have infected the downloaded svchost.exe right after downloading it (I've seen something similar about 10 years ago).
Also, just for the record, McAfee isn't the worst antivirus out there, and the latest DAT definition is 6819.
Also, I tried uploading the svchost.exe from XP SP3 to virustotal.com (SHA256: 2910ebc692d833d949bfd56059e8106d324a276d5f165f874f3fb1b6c613cdd5) and indeed it is detected as a virus by McAfee-GW-Edition but isn't detected as a virus by the other antivirus engines or by McAfee "classic".

McAfee - 20120829
McAfee-GW-Edition Heuristic.LooksLike.Win32.Suspicious.I 20120829

So this one is most likely a false positive triggered by the heuristic analysis of McAfee GW, and that isn't the first (and most likely not the last) time it happens.
Also, the MS KB was about McAfee "classic" and not the GW edition, and both don't use the same kind of virus definitions (and in this case it isn't even related to a virus definition).

Edited by allen2, 29 August 2012 - 03:02 PM.


#21
submix8c (Inconceivable!, Patron, 4,383 posts, joined 14-September 05)
SHEESH, dude! Did you even read my posts? I DID THE SAME THING!

As for the OP having a virus, the OP willy-nilly chose his findings from the internet and NEVER said they uploaded ANYTHING (or did I really miss that). Those tools I mention WILL identify an "infected" one and even one RELATED to it (in the TEMP/Temp Inet). I have already done battle with these beasts so am knowledgeable else I wouldn't have suggested the "search", tools, or symptoms. The SERVICES.EXE one is a BEAR to get rid of - and it's not even THAT program that's infected!

And I must point out (re: the MS link) I said "just to point out" that I was, indeed, pointing out "false positives" (repeatedly)!
Try google
McAfee-GW-Edition false positive
FAIL!

What part of any of this is not being understood? I thought I was very clear in respect to the original "problem", which somehow transmogrified into Firewall Connection Logs (obviously misunderstanding "how stuff works") that were discussed in the OTHER topic. It appears obvious that the OP is testing out a newly minted install along with a brand spanky new router and firewall and going OMG MS HAS VIRUSES AND I AM BEING ATTACKED FROM WITHOUT!

This must be one of these moments.



#22
PeterEl (Newbie, Member, 17 posts, joined 28-August 12)

> but it could happen that a virus running on his computer could have infected the downloaded svchost.exe right after downloading it (I've seen something similar about 10 years ago).

:yes:
I thought about it just like you.

And that's why I asked you to try to download svchost.exe from microsoft.com and check it for viruses through VirusTotal,

and to check your own svchost.exe from your computers,
and tell me the results...

allen2, maybe you can do this? Please, it's not hard.

#23
allen2 (Not really Newbie, Member, 1,814 posts, joined 13-January 06)

> and to check your own svchost.exe from your computers,
> and tell me the results...
>
> allen2, maybe you can do this? Please, it's not hard.

I did it and got the same false positive for the downloaded svchost from XP SP3. I also tried with the one from my running OS, and this one didn't get the false positive, but that is because it is in another language.

#24
PeterEl (Newbie, Member, 17 posts, joined 28-August 12)


> > and to check your own svchost.exe from your computers,
> > and tell me the results...
> >
> > allen2, maybe you can do this? Please, it's not hard.
>
> I did it and got the same false positive for the downloaded svchost from XP SP3. I also tried with the one from my running OS, and this one didn't get the false positive, but that is because it is in another language.

Thanks.
Another language? What language did you download for XP SP3? And what language is your running OS?

#25
allen2 (Not really Newbie, Member, 1,814 posts, joined 13-January 06)
I downloaded the English XP SP3 and the false positive was from this. And my running OS is in French.
