PeterEl

svchost.exe virus

38 posts in this topic

I disagree with you there:

- if you're right, you don't need to be that angry/harsh when you're explaining something. If he doesn't understand, that is either because he needs more information or because the problem wasn't explained properly.

- The OP needs to learn how to diagnose those problems by himself, and if no one explains properly how to do it, he will still have doubts about your (or my) diagnostic.

Of course the downloaded svchost.exe from SP3 couldn't be a virus, but that doesn't mean the OP resolved his problem. He is right to want to understand why and how he got this false positive.

The only way to help him now is to let him learn how to monitor his computer's TCP connections and how to check which process(es) are using them.

Most likely, there should be a good reason for every connection, but knowing the reason will help him understand what is happening there and why. Also, that is the only way to reassure him.


allen2 - did you miss this (above)?

http://support.microsoft.com/kb/2025695

McAfee delivers a false-positive detection<snip>Svchost.exe<snip>(SP3)<snip>
I again say it's a failing of McAfee. Heck, that's the ONLY one that "thinks" it's "bad". THAT is what the OP started with - nothing to do with "IP addresses" until the OP's INSISTENCE of a "virus".

AGAIN... google said items (above). You'll see what I mean about a REAL Trojan/Virus.

AND, I had clearly stated why "traffic" was seen in the OP's other thread. If the OP did not initiate the traffic, then there is a "hidden" Trojan/Virus.

http://www.techspot.com/community/topics/svchost-exe-trojan-agent-malware-removal-help.179423/

Notice that it's NOT in the System32 folder? And this was found by just searching "SVCHOST".

http://en.wikipedia.org/wiki/Svchost

To OP - study up on what the program does.

Also, if you DON'T believe me, download and run MalwareBytes and Spybot, both EXTREMELY dependable and reputable software.

My assertion is that there more than likely is NOT a problem at all and this is a wild goose chase.

Again... I'm done. Waste of keystrokes.

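The diagnostic allen2 describes (watch the TCP connections and find the owning process) together with the "is it really in System32?" check from the post just above, as an added Python example that is not part of this thread: it parses a constructed `netstat -ano` listing, maps PIDs to image paths (a constructed table; on a real machine you would take it from Process Explorer or `wmic process get ProcessId,ExecutablePath`), flags any svchost.exe running outside System32, and compares a file's SHA256 with the XP SP3 hash posted later in the thread. It assumes the Windows directory is C:\WINDOWS.

```python
import hashlib
from pathlib import PureWindowsPath

# Constructed sample of `netstat -ano` output (not taken from the thread).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49152     65.55.57.27:80         ESTABLISHED     1024
  TCP    192.168.1.10:49160     203.0.113.5:6667       ESTABLISHED     3312
  UDP    0.0.0.0:500            *:*                                    712
"""

# Constructed PID -> image path map, as Process Explorer or wmic would report it.
PROCESS_PATHS = {
    1024: r"C:\WINDOWS\system32\svchost.exe",
    3312: r"C:\Documents and Settings\user\Local Settings\Temp\svchost.exe",
    712: r"C:\WINDOWS\system32\lsass.exe",
}

# SHA256 of the English XP SP3 svchost.exe as posted later in this thread.
KNOWN_GOOD_SHA256 = {"2910ebc692d833d949bfd56059e8106d324a276d5f165f874f3fb1b6c613cdd5"}
# Assumes the default Windows directory; read %windir% on a real machine.
SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\system32")


def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) rows from `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank, or unrelated line
        if parts[0] == "UDP":  # UDP rows carry no State column
            proto, local, foreign, pid = parts[:4]
            state = ""
        else:
            proto, local, foreign, state, pid = parts[:5]
        rows.append((proto, local, foreign, state, int(pid)))
    return rows


def suspicious_svchost_connections(netstat_text, process_paths):
    """Flag connections owned by a process named svchost.exe that is not in System32."""
    flagged = []
    for _proto, _local, foreign, _state, pid in parse_netstat(netstat_text):
        path = PureWindowsPath(process_paths.get(pid, ""))
        # PureWindowsPath compares case-insensitively, like the file system does.
        if path.name.lower() == "svchost.exe" and path.parent != SYSTEM32:
            flagged.append((pid, str(path), foreign))
    return flagged


def is_known_good(file_bytes):
    """True if the file's SHA256 matches a hash known to belong to a clean svchost.exe."""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_GOOD_SHA256
```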

I don't know how virustotal works exactly, but what I find strange is that it would use virus definitions from 2 years ago (taken from your link):

This issue occurs for version 5958 of the McAfee DAT file. This DAT file was released on April 21, 2010. This DAT file has been superseded by version 5959, which corrects the false-positive detection that is described in the "Summary" section. Additionally, McAfee has released an EXTRA.DAT file that can be used to suppress the false-positive detection of the Svchost.exe process for customers who are running version 5958 of the DAT file.

allen2 - This is just to point out the fallacies that McAfee has - even MS has said it goofs. And again, the ONLY one that sees a "problem" with SVCHOST. Coincidence? I think not. Just because SVCHOST runs services doesn't mean it should be flagged as "suspicious". I stated my opinion of McAfee and I stand by it.

If the OP wishes to know "how things work" as opposed to a blatant "MS serves viruses" then they should say so... after an exhaustive internet search doesn't reveal the requested info.

However, in this case, I have suggested TWO very good pieces of software to reassure them, and Panda has a free HDD scan as well. VirusTotal is not the be-all/end-all.

Says it all..


I don't want to discuss further without any solid evidence from the OP, but it could happen that a virus running on his computer infected the downloaded svchost.exe right after downloading it (I've seen something similar about 10 years ago).

Also, just for the record, McAfee isn't the worst antivirus out there, and the latest DAT definition is 6819.

Also, I tried uploading the svchost.exe from XP SP3 to virustotal.com (SHA256: 2910ebc692d833d949bfd56059e8106d324a276d5f165f874f3fb1b6c613cdd5) and indeed it is detected as a virus by McAfee-GW-Edition but isn't detected as a virus by other antiviruses or McAfee "classic".

McAfee - 20120829

McAfee-GW-Edition Heuristic.LooksLike.Win32.Suspicious.I 20120829

So this one is most likely a false positive triggered by the heuristic analysis of McAfee GW, and that isn't the first (and most likely not the last) time it happens.

Also, the MS KB was about McAfee "classic" and not the GW edition, and both don't use the same kind of virus definitions (and in this case it isn't even related to a virus definition).

Edited by allen2

SHEESH, dude! Did you even read my posts? I DID THE SAME THING!

As for the OP having a virus, the OP willy-nilly chose his findings from the internet and NEVER said they uploaded ANYTHING (or did I really miss that?). Those tools I mention WILL identify an "infected" one and even one RELATED to it (in the TEMP/Temp Inet). I have already done battle with these beasts so am knowledgeable, else I wouldn't have suggested the "search", tools, or symptoms. The SERVICES.EXE one is a BEAR to get rid of - and it's not even THAT program that's infected!

And I must point out (re: the MS link) I said "just to point out" that I was, indeed, pointing out "false positives" (repeatedly)!

Try google

McAfee-GW-Edition false positive

FAIL!

What part of any of this is not being understood? I thought I was very clear in respect to the original "problem", which somehow transmogrified into Firewall Connection Logs (obviously misunderstanding "how stuff works") that were discussed in the OTHER topic. It appears obvious that the OP is testing out a newly minted install along with a brand spanky new router and firewall and going OMG MS HAS VIRUSES AND AM BEING ATTACKED FROM WITHOUT!

This must be one of these moments.


but it could happen that a virus running on his computer could have infected the downloaded svchost.exe right after downloading it (i've seen something similar about 10 years ago).

:yes:

I thought about it just like you.

and that's why I asked you to try to download svchost.exe from microsoft.com and check it for viruses through virustotal,

and check your own svchost.exe from their computers.

and tell me results...

allen2, maybe you do this? please, it's not hard.


and check your own svchost.exe from their computers.

and tell me results...

allen2, maybe you do this? please, it's not hard.

I did it and got the same false positive for the downloaded svchost from XP SP3. I also tried with the one from my running OS, and this one didn't get the false positive, but that is because it is in another language.


and check your own svchost.exe from their computers.

and tell me results...

allen2, maybe you do this? please, it's not hard.

I did it and got the same false positive for the downloaded svchost from XP SP3. I did try also with the one from my running OS and this one didn't get the false positive but it is because it is in another language.

Thanks.

Another language? What language did you download XP SP3 in? And what language is your running OS in?


I downloaded English XP SP3 and the false positive was from this. And my running OS is in French.


PLEASE look up the definition of TROJAN (what McAfee THINKS it is).

NOW look up the definition of VIRUS (what YOU think McAfee said it is).

NOW download, install, and RUN both

1 - MalwareBytes AND

2 - Spybot.

Find anything?

NOW go to the

3 - Free Panda Scan.

Find anything?

You want US to REPEATEDLY do something and YOU have NOT done ANY of those things. NUTZ on that!

DO WHAT WAS TOLD (#1, #2, and #3) and report back! PERIOD!

Now... KNOCK IT OFF!!!!


Edited by submix8c

PLEASE look up the definition of TROJAN (what McAfee THINKS it is).

NOW look up the definition of VIRUS (what YOU think McAfee said it is).

NOW download, install, and RUN both

1 - MalwareBytes AND

2 - Spybot.

Find anything?

NOW go to the

3 - Free Panda Scan.

Find anything?

You want US to REPEATEDLY do something and YOU have NOT done ANY of those things. NUTZ on that!

DO WHAT WAS TOLD (#1, #2, and #3) and report back! PERIOD!

Now... KNOCK IT OFF!!!!

The guy does not get excited, calmer.

Thanks for your variant of troubleshooting, I'll make it.... some later...

Thanks again. Nice pic! :D Just to the point!


Also, just for the record, McAfee isn't the worst antivirus out there ....

JFYI (and for a seemingly needed quick laugh :unsure: ):


I think there are NO limits to "worse" :ph34r: , but quite frankly, I would be puzzled by a product that not only detects an "own" app as a virus, but additionally affirms that it has deleted it while it hasn't..... :whistle:

:lol:

jaclaz


Also, just for the record, McAfee isn't the worst antivirus out there ....

JFYI (and for a seemingly needed quick laugh :unsure: ):


I think there are NO limits to "worse" :ph34r: , but quite frankly, I would be puzzled by a product that not only detects an "own" app as a virus, but additionally affirms that it has deleted it while it hasn't..... :whistle:

:lol:

jaclaz

Of course McAfee is sometimes totally off, but I've seen almost all other antiviruses doing similar things or worse:

- Kaspersky is indexing files and stores its index in the file %windir%\system32\drivers\fidbox.dat, and you can't change its location. Just google fidbox.dat to see the side effects.

- F-Secure is well known for its memory leaks.

- Symantec AV or Endpoint is most likely one of the worst, with its virus definitions using as much space as %systemdrive% can handle and then simply stopping working. Also, its default settings are the worst.

- Sophos doesn't offer good protection. It lets some viruses bypass its protection even when it detects them (Conficker, for example).

- TrendMicro often gets problems updating, and older versions might be detected as a virus by the newer ones. But all in all it is not that bad.

- AVG is a little better than Sophos, but it let Conficker spread on some computers.

For the others, I didn't have the opportunity to see them working in the real world, so I can't tell.

Also, there are two important things that a good antivirus should be able to do (at least in my opinion):

- Properly detecting new viruses (most antiviruses can do that properly). And it includes having a good virus definitions update scheme (that's where some are behind).

- Being able to remove viruses (quarantine or delete depending on your settings). And there, the gap between them might be huge.

Most of the time, end users still need to report strange behavior because their AV didn't properly do its job. For example, I'm pretty sure that almost all AVs out there wouldn't be able to stop Conficker (of course with some special conditions, like having a weak administrator password), as Conficker runs dictionary attacks on admin$ shares.


http://static.libsyn.com/p/assets/8/a/6/b/8a6b33a4237fddf9/FbR632.gif

Market Share

I use Symantec. I don't say it's "the best" though. TWICE in SEVEN years and "stopped" both times.

1 - In reference to "default settings", what AV (or any software for that matter) doesn't require "tweaking"?

2 - As far as the "space" there is a way to "clean" the "bloat". Got any STATS for space utilization on "the others"?

3 - Extremely opinionated, aren't you?

Back on Topic - FALSE FALSE FALSE POSITIVE! Live with it! ;)

Edited by submix8c