PeterEl Posted August 28, 2012 (edited)
Hello anybody! I found a virus in the svchost.exe file that I downloaded from microsoft.com. Here is the order: I went to the website microsoft.com and downloaded the update Service Pack 3 for Windows XP, then I found the file "svchost.ex_" and extracted it to a file "svchost.exe", and then I checked this file on VIRUSTOTAL.COM and it found a VIRUS!!! - McAfee-GW-Edition (antivirus program) Heuristic.LooksLike.Win32.Suspicious.ISo... Microsoft sells products with viruses?????? What do you think about it?
Edited August 28, 2012 by PeterEl
submix8c Posted August 28, 2012
What do I think? http://support.microsoft.com/kb/2025695
allen2 Posted August 28, 2012
In the first place, why would you need to download svchost.exe (your Windows OS already has it)? Also, using caps/bold/big font won't help more...
PeterEl Posted August 28, 2012 (Author)
Ya, ya ))) I know... I first began to verify the file that already exists in my Windows. When I discovered by the above method a virus in it, I decided to download svchost.exe from microsoft.com, assuming that there would not be a virus. But the virus was there, too.
submix8c Posted August 28, 2012 (edited)
JEEZ, dude - FALSE POSITIVE!!!!

Wiki: A "false positive" is when antivirus software identifies a non-malicious file as a virus. In April 2010, McAfee VirusScan detected svchost.exe, a normal Windows binary, as a virus on machines running Windows XP with Service Pack 3, causing a reboot loop and loss of all network access.

In addition, if YOU did not upload it and are DEPENDING ON OTHER VERSIONS and ONLY looking at OTHERS' results - THOSE are YES because there IS one going around!

Get a program "HashMyFiles" and CHECK THE HASH! I will BET that YOUR file will NOT be listed!

Results of MY XP-SP3:
Name: svchost.exe
MD5: 27c6d03bcdb8cfeb96b716f3d8be3e18
SHA-1: 49083ae3725a0488e0a8fbbe1335c745f70c4667
CRC32: 6ef02438
Date: 2008-04-14 10:00:00 AM
Size: 14,336
Version: 5.1.2600.5512 (xpsp.080413-2111)

NO VIRUS! (and I FOUND the "analysis" - McAfee is a POS!)
TRY THIS ANALYSIS, DUDE!

edit - the SHA256: 2910ebc692d833d949bfd56059e8106d324a276d5f165f874f3fb1b6c613cdd5
Appears that THERE IS NO VIRUS (last "analysis" link I gave IS the one)
(sheesh!)
Edited August 28, 2012 by submix8c
allen2 Posted August 28, 2012
Ok, but be careful: the official svchost.exe can load a virus like Conficker, as it is only a service-hosting functionality, so if you see the svchost.exe process downloading or doing strange things, it could be that the hosted DLL is a trojan (like Conficker). I take Conficker as an example, as it is the worst virus created and it is still spreading even though it was "released" in 2008 (almost 4 years for a virus still spreading is perhaps a world record).
submix8c Posted August 28, 2012
Yes, it CAN load viruses. SERVICES.EXE can be compromised as well (even worse to root out - look it up). But the OFFICIAL one is NOT a virus. The OP is going totally paranoid with misinformation and misunderstandings (ref: this).
allen2 Posted August 28, 2012
Hum, I disagree there: the OP is already a little paranoid (the way I see it, it's a quality). The OP already uses a firewall and is behind a router, which isn't really mandatory.
PeterEl Posted August 29, 2012 (Author)
Thanks for the answers. I got "HashMyFiles" and here you are:
Name: svchost.exe
MD5: e948a9079d0e6350be92d4d3e0077f81
SHA1: 82379592eca1117386e97f7a0500b3f34204d92e
CRC32: 77e6bc31
SHA256: 399d4b8eed157c15e93eaab7b6f9ba523bb768b8fd49d66c1450eb310a813ade
Modified: 15.04.2008 12:00:00
Created: 27.08.2012 13:30:00
File size: 14 336
Version: 5.1.2600.5512 (xpsp.080413-2111)

Maybe I'm not understanding well (sorry), but MY SHA-256 is different from the SHA-256 in your link where no malware is found ("THIS"). Does this mean that my svchost is a virus?
submix8c Posted August 29, 2012
No... "HashMyFiles" doesn't give SHA256 - only SHA1, MD5, CRC32. VirusTotal only uses SHA256. I got the SHA256 shown above using this online one. That's what I cross-checked to VirusTotal (search on the SHA256 - that's how I found the NOT VIRUS link).

WHY in the WORLD do you think Microsoft would give a Service Pack with a VIRUS in it? If you downloaded DIRECTLY from Microsoft, IT IS NOT A VIRUS!!!!! The OTHER SHA256 ones at VirusTotal MAY be (and probably are). The ones listed on VirusTotal (NOT the one with NO VIRUS FOUND) are part of a Trojan, as ARE MANY (and probably all) instances of SERVICES.EXE that are NOT the REAL one (from Microsoft).

Bottom line - you can search on nearly ANY Microsoft program name and discover SOMEWHERE a case of a Trojan/Virus that is NOT from Microsoft. Try it and see (for example SERVICES.EXE).

YOURS IS NOT A VIRUS!!!!! OK? Please stop accusing Microsoft of supplying Viruses and Trojans.
PeterEl Posted August 29, 2012 (Author)
1) OK. Tell me please, if you take your SVCHOST.EXE file and check it on VIRUSTOTAL.COM, will there be a virus?
2) <<"HashMyFiles" doesn't give SHA256>> It sounds strange... in the HashMyFiles that I downloaded there is SHA256: if you choose VIEW > SETTINGS and then SELECT COLUMNS, there will be SHA256. By the way, in the "HashMyFiles" that I downloaded, VIRUSTOTAL found a virus too!!! but another one.
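An added example, not from the thread, of the check the two posters are doing by hand with HashMyFiles and VirusTotal: compute the MD5, SHA-1, CRC32 and SHA-256 of a file and compare all four with a table of trusted digests. The table holds the digests submix8c posted above; the function names and the sample bytes are chosen here.

```python
import hashlib
import zlib

# Trusted digests copied from submix8c's HashMyFiles output above for
# svchost.exe 5.1.2600.5512 (xpsp.080413-2111). Any other table of known-good
# digests (for example from a clean install) is used the same way.
KNOWN_GOOD = {
    "svchost.exe 5.1.2600.5512 (xpsp.080413-2111), posted by submix8c": {
        "md5": "27c6d03bcdb8cfeb96b716f3d8be3e18",
        "sha1": "49083ae3725a0488e0a8fbbe1335c745f70c4667",
        "crc32": "6ef02438",
        "sha256": "2910ebc692d833d949bfd56059e8106d324a276d5f165f874f3fb1b6c613cdd5",
    },
}

def digest_bytes(data: bytes) -> dict:
    """The four digests HashMyFiles lists, all as lowercase hex strings."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        # zlib.crc32 returns an unsigned 32-bit int; HashMyFiles prints 8 hex digits
        "crc32": f"{zlib.crc32(data):08x}",
        "sha256": hashlib.sha256(data).hexdigest(),
    }

def digest_file(path: str) -> dict:
    """Same digests for a file on disk, read in 64 KiB chunks."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    crc = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
            crc = zlib.crc32(chunk, crc)
    result = {name: h.hexdigest() for name, h in hashers.items()}
    result["crc32"] = f"{crc:08x}"
    return result

def match_known_good(digests: dict, known: dict = KNOWN_GOOD):
    """Label of the entry whose four digests all equal ours (case-insensitive),
    else None. Agreement on CRC32 alone is not a match: a 32-bit checksum
    collides far too easily to vouch for a file's bytes."""
    mine = {k: v.lower() for k, v in digests.items()}
    for label, expected in known.items():
        if all(mine.get(k) == v.lower() for k, v in expected.items()):
            return label
    return None
```

A result of None only says the bytes differ from every listed build; deciding what the differing file is takes a lookup of its SHA-256 (or a scan of the file itself), as the posts above do.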
PeterEl Posted August 29, 2012 (Author)
I carefully pay attention to viruses in the SVCHOST.EXE file because the FIREWALL permanently registers OUTGOING connections to different IP addresses (some of which belong to GOOGLE, YANDEX (search engine), and some unknown people; I checked the IPs on a whois service). Here is a screenshot of this:
submix8c Posted August 29, 2012
Then your CURRENT one has a Trojan/Virus. The REAL one does not do that.

In fact, your Trojan/Virus may be in your TEMP folder or "Temporary Internet Files" folder and an entry was put in the Registry to cause SVCHOST.EXE (a real one) to "run" the Trojan/Virus. SVCHOST.EXE is a "driver" (if you will) for Services and of itself does NOT do any "connections" - that's left to the "loaded" program. Look that up, my friend.

And if you CONNECT to a website, you will indeed get "connections" shown. I showed that in the other thread about your Router settings.

So... you're telling me the HashMyFiles that YOU UPLOADED to VirusTotal says it's a VIRUS? Are you SERIOUS? How about that? I have an older version. Thanks for the tip on that.

Oh, and BTW, I do NOT upload files to VirusTotal but I'll be glad to do it if it'll make you happy.... BWAHAHAH!!!!! Done! Again, McAfee is a POS (look up that acronym)! And I would BET that the Definitions are outdated! DID YOU READ THE MICROSOFT ARTICLE? It SPECIFICALLY names THAT ANTIVIRUS as giving a FALSE POSITIVE.

GIVE UP, dude, it's NOT that program if you indeed HAVE a Trojan/Virus! Riddle me this, Batman - How can you explain the EXACT SAME FILE giving TWO DIFFERENT RESULTS for the SAME FILE? (Remember the OTHER link?)

BTW, the SYMPTOM of the Trojan/Virus is HIGH CPU USAGE for SVCHOST. Do YOU have that symptom? If not, then YOU ARE IN GOOD SHAPE and more than likely "clean"! LOOK THAT UP, dude!

I'm done with this. YOU ARE WRONG!
allen2 Posted August 29, 2012 (edited)
You should use TCPView first to know which process(es) are doing those requests (also get the PID to check which user is launching them). Then, depending on the process(es) and/or the user launching them, different solutions may arise.

Edit: The PID will help you to find, in Task Manager or better in Process Explorer, which user is launching them (you'll need to add the right columns in the View menu).
Edited August 29, 2012 by allen2
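An added example, not from the thread, of the attribution allen2 describes: the PID-to-process mapping that TCPView and Process Explorer display, done here from the text output of the built-in Windows commands netstat -ano and tasklist /svc, so that a connection owned by an svchost.exe process can be tied to the services that process hosts. The sample command output below is constructed, and the function names are chosen here.

```python
import re

# Constructed sample output in the layout of "netstat -ano" and "tasklist /svc"
# on Windows XP; addresses, PIDs and service names are invented for the example.
NETSTAT_ANO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1034       203.0.113.10:80        ESTABLISHED     1032
  TCP    192.168.1.5:1041       198.51.100.7:443       ESTABLISHED     2240
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1032
  UDP    0.0.0.0:123            *:*                                    1032
"""
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                   1032 RpcSs, W32Time
firefox.exe                   2240 N/A
"""

def parse_netstat(text):
    """(proto, local, foreign, state, pid) per row; UDP rows have no State column, so the PID is the last token."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if parts[0] == "TCP" else ""
        rows.append((parts[0], parts[1], parts[2], state, int(parts[-1])))
    return rows

def parse_tasklist_svc(text):
    """Map PID -> (image name, [services hosted in that process])."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+(\d+)\s+(.*)$", line)  # image name may contain spaces
        if not m:
            continue
        svcs = m.group(3).strip()
        procs[int(m.group(2))] = (m.group(1), [] if svcs == "N/A" else [s.strip() for s in svcs.split(",")])
    return procs

def outbound_by_process(netstat_text, tasklist_text):
    """Attribute each remote connection to its PID, image and hosted services, skipping listeners and local-only rows."""
    procs = parse_tasklist_svc(tasklist_text)
    report = []
    for proto, local, foreign, state, pid in parse_netstat(netstat_text):
        if state == "LISTENING" or foreign.rsplit(":", 1)[0] in ("0.0.0.0", "*", "127.0.0.1"):
            continue
        image, svcs = procs.get(pid, ("<unknown>", []))
        report.append({"pid": pid, "image": image, "services": svcs, "proto": proto, "foreign": foreign})
    return report
```

The services list is what distinguishes one svchost.exe instance from another; the owning user that allen2 mentions is shown by tasklist /v rather than /svc and is not parsed here.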
submix8c Posted August 29, 2012
@allen2 - the crux of the topic is the assertion that, since VirusTotal is using a "bad" Antivirus Definition (see MS link), the file is a "virus". This is a false assumption.

And again, Google both "SVCHOST.EXE" and "SERVICES.EXE" in conjunction with "TROJAN OR VIRUS" and you'll see the CPU-usage symptom and what the REAL culprit will be.