MSFN Forum: svchost.exe virus - MSFN Forum

svchost.exe virus McAfee-GW-Edition Heuristic.LooksLike.Win32.Suspicious.I

#1 PeterEl (Newbie, Group: Members, Posts: 17, Joined: 28-August 12)

Posted 28 August 2012 - 09:14 AM

Hello anybody!

I found a virus in the svchost.exe file that I downloaded from microsoft.com.
Here is the order of events:
I went to the website microsoft.com and downloaded the Service Pack 3 update for Windows XP,
then I found the file "svchost.ex_" and extracted it to a file "svchost.exe",
and then I checked this file on VIRUSTOTAL.COM and it found a VIRUS!!! - McAfee-GW-Edition (antivirus program) Heuristic.LooksLike.Win32.Suspicious.I

So... Microsoft sells products with viruses ??????

What do you think about it?

This post has been edited by PeterEl: 28 August 2012 - 09:14 AM



#2 submix8c (Inconceivable!, Group: Patrons, Posts: 3,268, Joined: 14-September 05)

Posted 28 August 2012 - 09:43 AM

What do I think?
http://support.micro....com/kb/2025695

#3 allen2 (Not really Newbie, Group: Members, Posts: 1,749, Joined: 13-January 06)

Posted 28 August 2012 - 09:53 AM

In the first place, why would you need to download svchost.exe (your Windows OS already has it)?
Also, using caps/bold/big fonts won't help more...

#4 PeterEl (Newbie, Group: Members, Posts: 17, Joined: 28-August 12)

Posted 28 August 2012 - 10:31 AM

allen2, on 28 August 2012 - 09:53 AM, said:

In the first place, why would you need to download svchost.exe (your Windows OS already has it)?
Also, using caps/bold/big fonts won't help more...


ya, ya ))) I know...

I first began to verify the file that already exists in my Windows.
When I discovered a virus in it by the above method, I decided to download svchost.exe from microsoft.com, assuming that there would not be a virus in it. But the virus was there, too.

#5 submix8c (Inconceivable!, Group: Patrons, Posts: 3,268, Joined: 14-September 05)

Posted 28 August 2012 - 10:43 AM

JEEZ, dude - FALSE POSITIVE!!!!

Wiki

Quote

A "false positive" is when antivirus software identifies a non-malicious file as a virus.

Quote

In April 2010, McAfee VirusScan detected svchost.exe, a normal Windows binary, as a virus on machines running Windows XP with Service Pack 3, causing a reboot loop and loss of all network access.


In addition, if YOU did not upload it and are DEPENDING ON OTHER VERSIONS and ONLY looking at OTHERS results - THOSE are YES because there IS one going around!

Get a program "Hashmyfiles" and CHECK THE HASH! I will BET that YOUR file will NOT be listed!

Results of MY XP-SP3:
Name:    svchost.exe
MD5:     27c6d03bcdb8cfeb96b716f3d8be3e18
SHA-1:   49083ae3725a0488e0a8fbbe1335c745f70c4667
CRC32:   6ef02438
Date:    2008-04-14 10:00:00 AM
Size:    14,336
Version: 5.1.2600.5512 (xpsp.080413-2111)

NO VIRUS! (and I FOUND the "analysis" - McAfee is a POS!)
TRY THIS ANALYSIS, DUDE!

edit - the SHA256:
2910ebc692d833d949bfd56059e8106d324a276d5f165f874f3fb1b6c613cdd5
Appears that THERE IS NO VIRUS (last "analysis" link I gave IS the one)

(sheesh!)

This post has been edited by submix8c: 28 August 2012 - 11:05 AM


#6 allen2 (Not really Newbie, Group: Members, Posts: 1,749, Joined: 13-January 06)

Posted 28 August 2012 - 11:13 AM

Ok, but be careful: the official svchost.exe can load viruses like Conficker, as it is only a service-hosting functionality, so if you see the svchost.exe process downloading or doing strange things it could be that the hosted DLL is a trojan (like Conficker).
I take Conficker as an example, as it is the worst virus created and it is still spreading even though it was "released" in 2008 (almost 4 years for a virus still spreading is perhaps a world record).

#7 submix8c (Inconceivable!, Group: Patrons, Posts: 3,268, Joined: 14-September 05)

Posted 28 August 2012 - 11:21 AM

Yes, it CAN load viruses. SERVICES.EXE can be compromised as well (even worse to root out - look it up). But the OFFICIAL one is NOT a virus. The OP is going totally paranoid with misinformation and misunderstandings (ref: this).

#8 allen2 (Not really Newbie, Group: Members, Posts: 1,749, Joined: 13-January 06)

Posted 28 August 2012 - 11:35 AM

Hum, I disagree there: the OP is already a little paranoid (the way I see it, it's a quality). He already uses a firewall and is behind a router, which isn't really mandatory.

#9 PeterEl (Newbie, Group: Members, Posts: 17, Joined: 28-August 12)

Posted 29 August 2012 - 01:12 AM

submix8c, on 28 August 2012 - 10:43 AM, said:

JEEZ, dude - FALSE POSITIVE!!!!

Wiki

Quote

A "false positive" is when antivirus software identifies a non-malicious file as a virus.

Quote

In April 2010, McAfee VirusScan detected svchost.exe, a normal Windows binary, as a virus on machines running Windows XP with Service Pack 3, causing a reboot loop and loss of all network access.


In addition, if YOU did not upload it and are DEPENDING ON OTHER VERSIONS and ONLY looking at OTHERS results - THOSE are YES because there IS one going around!

Get a program "Hashmyfiles" and CHECK THE HASH! I will BET that YOUR file will NOT be listed!

Results of MY XP-SP3:
Name:    svchost.exe
MD5:     27c6d03bcdb8cfeb96b716f3d8be3e18
SHA-1:   49083ae3725a0488e0a8fbbe1335c745f70c4667
CRC32:   6ef02438
Date:    2008-04-14 10:00:00 AM
Size:    14,336
Version: 5.1.2600.5512 (xpsp.080413-2111)

NO VIRUS! (and I FOUND the "analysis" - McAfee is a POS!)
TRY THIS ANALYSIS, DUDE!

edit - the SHA256:
2910ebc692d833d949bfd56059e8106d324a276d5f165f874f3fb1b6c613cdd5
Appears that THERE IS NO VIRUS (last "analysis" link I gave IS the one)

(sheesh!)


Thanks for the answers. I got "HashMyFiles" and here you are:
Name:     svchost.exe
MD5:      e948a9079d0e6350be92d4d3e0077f81
SHA1:     82379592eca1117386e97f7a0500b3f34204d92e
CRC32:    77e6bc31
SHA256:   399d4b8eed157c15e93eaab7b6f9ba523bb768b8fd49d66c1450eb310a813ade
Modified: 15.04.2008 12:00:00
Created:  27.08.2012 13:30:00
Size:     14 336
Version:  5.1.2600.5512 (xpsp.080413-2111)

Maybe I'm not understanding well... (sorry), but MY SHA-256 is different from the SHA-256 in your link where no malware was found ("THIS"). Does this mean that my svchost is a virus?

#10 submix8c (Inconceivable!, Group: Patrons, Posts: 3,268, Joined: 14-September 05)

Posted 29 August 2012 - 07:57 AM

No... "HashMyFiles" doesn't give SHA256 - only SHA1, MD5, CRC32. VirusTotal only uses SHA256.

I got SHA256 shown above using this Online one. That's what I cross-checked to VirusTotal (search on the SHA256 - that's how I found the NOT VIRUS link).

WHY in the WORLD do you think Microsoft would give a Service Pack with a VIRUS in it? If you downloaded DIRECTLY from Microsoft, IT IS NOT A VIRUS!!!!! The OTHER SHA256 ones at VirusTotal MAY be (and probably are). The ones Listed on VirusTotal (NOT the one with NO VIRUS FOUND) are part of a Trojan, as are MANY (and probably all) instances of SERVICES.EXE that are NOT the REAL one (from Microsoft).

Bottom line - you can search on nearly ANY Microsoft Program Name and discover SOMEWHERE a case of a Trojan/Virus that is NOT from Microsoft. Try it and see (for example SERVICES.EXE).

YOURS IS NOT A VIRUS!!!!! OK? Please stop accusing Microsoft of supplying Viruses and Trojans.
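The hash cross-check the two posters are doing by hand (HashMyFiles on the local copy, then a SHA-256 search on VirusTotal rather than an upload) can be scripted. The following is an added example, not code from the thread or from NirSoft: it computes the same four digests HashMyFiles shows, streams the file so it works on large binaries, and looks the SHA-256 up in a reference list. The reference list holds the two SHA-256 values quoted in this thread for the XP SP3 svchost.exe; the sample file written in the demo is a constructed stub, not a real svchost.exe.

```python
# Added example (not from the thread): compute the digests HashMyFiles and
# VirusTotal report for a file, and look the SHA-256 up in a reference list
# so the file can be checked by hash instead of being uploaded anywhere.
import hashlib
import os
import tempfile
import zlib

# SHA-256 values quoted in the thread for svchost.exe 5.1.2600.5512 (XP SP3).
# Two different values appear for the same version and size, so a mismatch
# against one entry only says the bytes differ; it is not proof of tampering.
REFERENCE_SHA256 = {
    "2910ebc692d833d949bfd56059e8106d324a276d5f165f874f3fb1b6c613cdd5":
        "submix8c's XP SP3 copy (VirusTotal search: no detection)",
    "399d4b8eed157c15e93eaab7b6f9ba523bb768b8fd49d66c1450eb310a813ade":
        "PeterEl's XP SP3 copy (HashMyFiles output)",
}


def hash_bytes(data: bytes) -> dict:
    """Return MD5, SHA-1, SHA-256 and CRC32 of an in-memory buffer, lowercase hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
    }


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same digests as hash_bytes, but streamed so the file need not fit in memory."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
            crc = zlib.crc32(chunk, crc)
    digests = {name: h.hexdigest() for name, h in hashers.items()}
    digests["crc32"] = f"{crc & 0xFFFFFFFF:08x}"
    digests["size"] = os.path.getsize(path)
    return digests


def lookup(sha256: str, reference: dict = REFERENCE_SHA256) -> str:
    """Map a SHA-256 to its reference label, or report it as unknown.

    'unknown' only means nobody in the list has vouched for these exact bytes;
    the next step is to search that hash on a scanner (as the thread does with
    VirusTotal), not to conclude the file is malicious.
    """
    return reference.get(sha256.lower(), "unknown: not in the reference list")


if __name__ == "__main__":
    # Constructed sample: a tiny fake PE header stands in for a real binary.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as tmp:
        tmp.write(b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
        sample = tmp.name
    try:
        result = hash_file(sample)
        for name in ("md5", "sha1", "crc32", "sha256", "size"):
            print(f"{name:>6}: {result[name]}")
        print("verdict:", lookup(result["sha256"]))
    finally:
        os.unlink(sample)
```

Run it against a real file by replacing the temporary file with the path of the binary you want to check; the CRC32 is included only because HashMyFiles shows it, as it is a checksum, not a cryptographic digest, and should never be used on its own to decide whether two files are the same.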

#11 PeterEl (Newbie, Group: Members, Posts: 17, Joined: 28-August 12)

Posted 29 August 2012 - 08:16 AM

submix8c, on 29 August 2012 - 07:57 AM, said:

No... "HashMyFiles" doesn't give SHA256 - only SHA1, MD5, CRC32. VirusTotal only uses SHA256.

I got SHA256 shown above using this Online one. That's what I cross-checked to VirusTotal (search on the SHA256 - that's how I found the NOT VIRUS link).

WHY in the WORLD do you think Microsoft would give a Service Pack with a VIRUS in it? If you downloaded DIRECTLY from Microsoft, IT IS NOT A VIRUS!!!!! The OTHER SHA256 ones at VirusTotal MAY be (and probably are). The ones Listed on VirusTotal (NOT the one with NO VIRUS FOUND) are part of a Trojan as is MANY (and probably all) instances of SERVICES.EXE that are NOT the REAL one (from Microsoft).

Bottom line - you can search on nearly ANY Microsoft Program Name and discover SOMEWHERE a case of a Trojan/Virus that is NOT from Microsoft. Try it and see (for example SERVICES.EXE).

YOURS IS NOT A VIRUS!!!!! OK? Please stop accusing Microsoft of supplying Viruses and Trojans.


1) Ok. Tell me please, if you take your SVCHOST.EXE file and check it on VIRUSTOTAL.COM - will there be a virus?
2) <<"HashMyFiles" doesn't give SHA256>> It sounds strange... the HashMyFiles that I downloaded does have SHA256: if you choose VIEW SETTINGS and then SELECT COLUMNS, SHA256 is there. By the way, in the "HashMyFiles" that I downloaded VIRUSTOTAL found a virus too!!! but another one.

#12 PeterEl (Newbie, Group: Members, Posts: 17, Joined: 28-August 12)

Posted 29 August 2012 - 08:26 AM

I pay careful attention to viruses in the SVCHOST.EXE file because the FIREWALL permanently registers OUTgoing connections to different IP addresses (some of which belong to GOOGLE and YANDEX (a search engine), and some to unknown people; I checked the IPs on a whois service).

Here is a screenshot of this: Attached File OUT_connections.gif (45.61K)

#13 submix8c (Inconceivable!, Group: Patrons, Posts: 3,268, Joined: 14-September 05)

Posted 29 August 2012 - 09:35 AM

Then your CURRENT one has a Trojan/Virus. The REAL one does not do that.

In fact, your Trojan/Virus may be in your TEMP folder or "Temporary Internet Files" folder and an entry was put in the Registry to cause SVCHOST.EXE (a real one) to "run" the Trojan/Virus. SVCHOST.EXE is a "driver" (if you will) for Services and of itself does NOT do any "connections" - that's left to the "loaded" program. Look that up, my friend.

And if you CONNECT to a website, you will indeed get "connections" shown. I showed that in the other thread about your Router settings.

So... you're telling me the HashMyFiles that YOU UPLOADED to VirusTotal says it's a VIRUS? Are you SERIOUS?

How about that? I have an older version. Thanks for the tip on that.

Oh, and BTW, I do NOT upload files to VirusTotal but I'll be glad to do it if it'll make you happy.
...BWAHAHAH!!!!! Done! Again, McAfee is a POS (look up that acronym)! And I would BET that the Definitions are outdated! DID YOU READ THE MICROSOFT ARTICLE? It SPECIFICALLY names THAT ANTIVIRUS as giving FALSE POSITIVE.

GIVE UP, dude, it's NOT that program if you indeed HAVE a Trojan/Virus! Riddle me this, Batman - How can you explain the EXACT SAME FILE giving TWO DIFFERENT RESULTS for the SAME FILE? (Remember the OTHER link?)

BTW, the SYMPTOMS of the Trojan/Virus is HIGH CPU USAGE for SVCHOST. Do YOU have that symptom? If not, then YOU ARE IN GOOD SHAPE and more than likely "clean"! LOOK THAT UP, dude!

I'm done with this. YOU ARE WRONG!

#14 allen2 (Not really Newbie, Group: Members, Posts: 1,749, Joined: 13-January 06)

Posted 29 August 2012 - 09:38 AM

You should use TCPView first to know which process(es) are making those requests (also get the PID to check which user is launching them).
Then, depending on the process(es) and/or the user launching them, different solutions may arise.
Edit: The PID will help you find, in Task Manager or better in Process Explorer, which user is launching them (you'll need to add the right columns in the View menu).

This post has been edited by allen2: 29 August 2012 - 09:41 AM
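The procedure allen2 describes (TCPView or `netstat -ano` to get the owning PID, then Task Manager or Process Explorer to see what that PID is) can also be done from the command line on XP with `netstat -ano` and `tasklist /svc`, the second of which lists the services each svchost.exe instance hosts. The following is an added example, not code from the thread or from Sysinternals: it parses constructed samples of those two outputs, keeps only connections to non-local peers, and attributes each to its image and hosted services. The IP addresses and PIDs in the samples are constructed.

```python
# Added example (not from the thread): attribute remote connections to the
# owning process, as TCPView or `netstat -ano` + `tasklist /svc` let you do,
# using constructed sample output instead of a live system.
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local remote state pid")
Proc = namedtuple("Proc", "image pid services")

# Constructed sample of `netstat -ano` output (documentation IP ranges).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1032
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1096
  TCP    192.168.1.5:1043       203.0.113.10:80        ESTABLISHED     1096
  TCP    192.168.1.5:1044       198.51.100.7:443       ESTABLISHED     2288
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /svc` output: one line per process, with the
# services hosted by each svchost.exe instance.
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                   1032 RpcSs
svchost.exe                   1096 AudioSrv, Browser, CryptSvc, Dhcp, wuauserv
iexplore.exe                  2288 N/A
"""

# State is optional because UDP rows have no state column.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(.+?)\s{2,}(\d+)\s+(.*?)\s*$")


def parse_netstat(text):
    """Turn netstat -ano rows into Conn records; header lines do not match."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Conn(proto, local, remote, state or "", int(pid)))
    return conns


def parse_tasklist(text):
    """Map PID -> Proc; 'N/A' in the services column becomes an empty list."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            image, pid, services = m.groups()
            svcs = [] if services == "N/A" else [s.strip() for s in services.split(",")]
            procs[int(pid)] = Proc(image, int(pid), svcs)
    return procs


def is_remote(addr):
    """True for a peer that is neither a wildcard nor the local host."""
    host = addr.rsplit(":", 1)[0]
    return host not in ("0.0.0.0", "127.0.0.1", "*", "[::]", "[::1]")


def attribute_outbound(netstat_text, tasklist_text):
    """One record per connection to a non-local peer: owning image and, for
    svchost.exe, the hosted services, since svchost.exe itself is only the host."""
    procs = parse_tasklist(tasklist_text)
    out = []
    for c in parse_netstat(netstat_text):
        if not is_remote(c.remote):
            continue
        p = procs.get(c.pid)
        image = p.image if p else "<pid not in tasklist>"
        services = p.services if p else []
        note = ("svchost.exe is only the host; identify which hosted service owns this"
                if image.lower() == "svchost.exe" else "")
        out.append({"remote": c.remote, "state": c.state, "pid": c.pid,
                    "image": image, "services": services, "note": note})
    return out


if __name__ == "__main__":
    for rec in attribute_outbound(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        svc = ", ".join(rec["services"]) or "-"
        print(f"{rec['remote']:<20} {rec['state']:<12} pid {rec['pid']:<5} "
              f"{rec['image']:<14} services: {svc}")
        if rec["note"]:
            print("   ->", rec["note"])
```

On a real machine, feed the script the captured output of the two commands; a connection owned by an svchost.exe instance narrows the question to the handful of services that instance hosts, which is where the thread says a hosted trojan DLL would sit, and Process Explorer's DLL view or the user column allen2 mentions takes it from there.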


#15 submix8c (Inconceivable!, Group: Patrons, Posts: 3,268, Joined: 14-September 05)

Posted 29 August 2012 - 10:07 AM

@allen2 - the crux of the Topic is the assertion that since VirusTotal is using a "bad" Antivirus Definition (see MS Link) that the file is a "virus". This is a false assumption.

And again, google both "SVCHOST.EXE" and "SERVICES.EXE" in conjunction with "TROJAN OR VIRUS" and you'll see the CPU-usage symptom and what the REAL culprit will be.



#16 allen2 (Not really Newbie, Group: Members, Posts: 1,749, Joined: 13-January 06)

Posted 29 August 2012 - 10:58 AM

I disagree with you there:
- If you're right, you don't need to be that angry/harsh when you're explaining something. If he doesn't understand, that is either because he needs more information or because the problem wasn't explained properly.
- The OP needs to learn how to diagnose those problems by himself, and if no one explains properly how to do it, he will still have doubts about your (or my) diagnosis.

Of course the svchost.exe downloaded from SP3 couldn't be a virus, but that doesn't mean the OP resolved his problem. He is right to want to understand why and how he got this false positive.
The only way to help him now is to let him learn how to monitor his computer's TCP connections and how to check which process(es) are using them.
Most likely there is a good reason for every connection, but knowing the reason will help him understand what is happening there and why. Also, that is the only way to reassure him.

#17 submix8c (Inconceivable!, Group: Patrons, Posts: 3,268, Joined: 14-September 05)

Posted 29 August 2012 - 11:46 AM

allen2 - did you miss this (above)?
http://support.micro....com/kb/2025695

Quote

McAfee delivers a false-positive detection<snip>Svchost.exe<snip>(SP3)<snip>
I again say it's a failing of McAfee. Heck, that's the ONLY one that "thinks" it's "bad". THAT is what the OP started with - nothing to do with "IP addresses" until the OP's INSISTENCE of a "virus".

AGAIN... google said items (above). You'll see what I mean about a REAL Trojan/Virus.

AND, I had clearly stated why "traffic" was seen in the OP's other thread. If the OP did not initiate the traffic, then there is a "hidden" Trojan/Virus.

http://www.techspot....al-help.179423/
Notice that it's NOT in the System32 folder? And this was found by just searching "SVCHOST".

http://en.wikipedia.org/wiki/Svchost
To OP - study up on what the program does.
Also, if you DON'T believe me, download and run MalwareBytes and Spybot, both EXTREMELY dependable and reputable software.

My assertion is that there more than likely is NOT a problem at all and this is a wild goose chase.

Again... I'm done. Waste of keystrokes.

#18 allen2 (Not really Newbie, Group: Members, Posts: 1,749, Joined: 13-January 06)

Posted 29 August 2012 - 01:13 PM

I don't know how VirusTotal works exactly, but what I find strange is that it would use virus definitions from 2 years ago (taken from your link):

Quote

This issue occurs for version 5958 of the McAfee DAT file. This DAT file was released on April 21, 2010. This DAT file has been superseded by version 5959. Version 5959 which corrects the false-positive detection that is described in the "Summary" section. Additionally, McAfee has released an EXTRA.DAT file that can be used to suppress the false-positive detection of the Svchost.exe process for customers who are running version 5958 of the DAT file.


#19 submix8c (Inconceivable!, Group: Patrons, Posts: 3,268, Joined: 14-September 05)

Posted 29 August 2012 - 01:43 PM

allen2 - This is just to point out the fallacies that McAfee has - even MS has said it goofs. And again, the ONLY one that sees a "problem" with SVCHOST. Coincidence? I think not. Just because SVCHOST runs services doesn't mean it should be flagged as "suspicious". I stated my opinion of McAfee and I stand by it.

If the OP wishes to know "how things work" as opposed to a blatant "MS serves viruses" then they should say so... after an exhaustive internet search doesn't reveal the requested info.

However, in this case, I have suggested TWO very good software packages to reassure them, and Panda has a free HDD scan as well. VirusTotal is not the be-all/end-all.

Says it all..

#20 allen2 (Not really Newbie, Group: Members, Posts: 1,749, Joined: 13-January 06)

Posted 29 August 2012 - 02:58 PM

I don't want to discuss further without any solid evidence from the OP, but it could happen that a virus running on his computer infected the downloaded svchost.exe right after downloading it (I've seen something similar about 10 years ago).
Also, just for the record, McAfee isn't the worst antivirus out there, and the latest DAT definition is 6819.
Also, I tried uploading the svchost.exe from XP SP3 to virustotal.com (SHA256: 2910ebc692d833d949bfd56059e8106d324a276d5f165f874f3fb1b6c613cdd5) and indeed it is detected as a virus by McAfee-GW-Edition, but it isn't detected as a virus by other antivirus programs or by McAfee "classic".

Quote

McAfee - 20120829
McAfee-GW-Edition Heuristic.LooksLike.Win32.Suspicious.I 20120829

So this one is most likely a false positive triggered by the heuristic analysis of McAfee GW and that isn't the first (and most likely not the last) time it happens.
Also, the MS KB was about McAfee "classic" and not the GW edition and both don't use the same kind of virus definitions (and in this case it isn't even related to a virus definition).

This post has been edited by allen2: 29 August 2012 - 03:02 PM
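allen2's last post settles the thread's question by consensus: one heuristic engine flags the file and every other engine, including the same vendor's signature-based product, reports nothing. The following is an added example, not code from the thread or from VirusTotal: it parses a listing in the "Engine Detection Date" layout quoted above (the sample rows and the engine set are constructed, with the one real row taken from allen2's quote) and turns the per-engine results into a verdict that weighs a lone heuristic hit differently from agreeing signature detections.

```python
# Added example (not from the thread): derive a verdict from a multi-engine
# scan listing by consensus rather than from any single engine's opinion.
import re
from typing import Optional, List, Tuple

# "Engine - Date" for a clean result, "Engine DetectionName Date" for a hit.
ROW_RE = re.compile(r"^(\S+)\s+(?:-|(\S+))\s+(\d{8})$")

# Name fragments that mark a heuristic/generic hit rather than a signature match.
HEURISTIC_MARKERS = ("heuristic", "lookslike", "suspicious", "generic", "heur")

# Constructed sample: six engines, one heuristic hit (the row from allen2's post).
SAMPLE_RESULTS = """\
Avira - 20120829
ClamAV - 20120829
Kaspersky - 20120829
McAfee - 20120829
McAfee-GW-Edition Heuristic.LooksLike.Win32.Suspicious.I 20120829
Microsoft - 20120829
"""


class Hit:
    def __init__(self, engine: str, detection: Optional[str], date: str):
        self.engine = engine
        self.detection = detection   # None when the engine reported nothing
        self.date = date             # definition date as printed, YYYYMMDD


def parse_results(text: str) -> List[Hit]:
    """One Hit per engine row; lines that do not fit the layout are skipped."""
    hits = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            engine, detection, date = m.groups()
            hits.append(Hit(engine, detection, date))
    return hits


def is_heuristic(name: str) -> bool:
    low = name.lower()
    return any(marker in low for marker in HEURISTIC_MARKERS)


def verdict(hits: List[Hit], signature_threshold: int = 2) -> Tuple[str, List[Hit]]:
    """Classify a scan as 'clean', 'probable false positive' or 'likely malicious'.

    - no engine reports anything                              -> clean
    - fewer than `signature_threshold` engines report, and all
      of them use heuristic/generic names                     -> probable false positive
    - anything else (a named signature, or several agreeing)  -> likely malicious
    A 'probable false positive' still needs confirming the way the thread does:
    compare the file's hash with a known-good copy instead of trusting the count.
    """
    flagged = [h for h in hits if h.detection]
    if not flagged:
        return "clean", flagged
    if len(flagged) < signature_threshold and all(is_heuristic(h.detection) for h in flagged):
        return "probable false positive", flagged
    return "likely malicious", flagged


if __name__ == "__main__":
    hits = parse_results(SAMPLE_RESULTS)
    label, flagged = verdict(hits)
    print(f"{len(flagged)}/{len(hits)} engines flagged the file -> {label}")
    for h in flagged:
        print(f"  {h.engine}: {h.detection} (definitions {h.date})")
```

The threshold is deliberately low: two engines agreeing on a named signature is already worth acting on, while one engine's "LooksLike.Suspicious" verdict on a file whose hash matches a known-good copy is the situation the Microsoft KB article linked earlier in the thread describes.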


Copyright © 2001 - 2013 msfn.org