Strange svchost.exe

D

dos

Hi,
may i ask why do i have svchost(3).exe? MD5 is
8F078AE4ED187AAABC0A305146DE6716. How many svchost files is normal in win xp
home sp 2 ?
 
M

Mees de Roo

unless you mean that you have 3 instances of svchost.exe running that's
normal (unfortunately) and about as meaningfull and buggy as rundll(32) at
previous windows versions.

Mees de Roo

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:uoWuyOapIHA.6096@TK2MSFTNGP06.phx.gbl...
> From: "dos" <dos@discussions.microsoft.com>
>
> | Hi,
> | may i ask why do i have svchost(3).exe? MD5 is
> | 8F078AE4ED187AAABC0A305146DE6716. How many svchost files is normal in win
> xp
> | home sp 2 ?
>
> There should be NO svchost(3).exe !
>
> Chances are it is malicious.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
 
D

David H. Lipman

From: "Mees de Roo" <mees.deroo.laatditweg@enditook.tiscali.nederland>

| unless you mean that you have 3 instances of svchost.exe running that's
| normal (unfortunately) and about as meaningfull and buggy as rundll(32) at
| previous windows versions.

| Mees de Roo


Let me clarify this...

If the file is named "svchost(3).exe" it has a high probability of being malicious.

It is is not the number of instances of svchost.exe running that is important, it is the
path from which it runs.

SVCHOST.EXE (or variations thereof) is the most common name used by malware to obfuscate
the malicious intent.

If the file is executed from %windir%\system32 it has the propensity of being legitimate
(unless trojanized/patched).

If the file is executed in any other location then the chances are extremely high it is
malicious.

If the file is found running under Win98/ME then the chances are extremely high it is
malicious.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
D

dos

"David H. Lipman" wrote:

> From: "Mees de Roo" <mees.deroo.laatditweg@enditook.tiscali.nederland>
>
> | unless you mean that you have 3 instances of svchost.exe running that's
> | normal (unfortunately) and about as meaningfull and buggy as rundll(32) at
> | previous windows versions.
>
> | Mees de Roo
>
>
> Let me clarify this...
>
> If the file is named "svchost(3).exe" it has a high probability of being malicious.
>
> It is is not the number of instances of svchost.exe running that is important, it is the
> path from which it runs.
>
> SVCHOST.EXE (or variations thereof) is the most common name used by malware to obfuscate
> the malicious intent.
>
> If the file is executed from %windir%\system32 it has the propensity of being legitimate
> (unless trojanized/patched).
>
> If the file is executed in any other location then the chances are extremely high it is
> malicious.
>
> If the file is found running under Win98/ME then the chances are extremely high it is
> malicious.
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
> Service load:
0% 100%
File: svchost(3).exe
Status:
OK(Note: file has been scanned before. Therefore, this file's scan results
will not be stored in the database)
MD5: 8f078ae4ed187aaabc0a305146de6716
Packers detected:
-
Bit9 reports:
Scanner results
Scan taken on 29 Apr 2008 20:05:58 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
Yes, the file is executed from %windir%\system32.
 
D

David H. Lipman

From: "dos" <dos@discussions.microsoft.com>




>> Service load:
| 0% 100%
| File: svchost(3).exe
| Status:

< snip >

| Found nothing
| Yes, the file is executed from %windir%\system32.

This is an illegitimate process...
%windir%\system32\svchost(3).exe

I am surprized that nothing was detected, even a heuristic detection.

Could you please provide me a sample.

Place svchost(3).exe in a password protected ZIP file with the password being infected
{ password = infected }

And send the file to DLipman~nospam~@Verizon.Net
removing ~nospam~ from trhe above address.



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
You must log in or register to reply here.

Similar threads

K
Does BGP in Routing and Remote Access support MD5 authentication?
Replies
0
Views
36
Kyle Li (kyle.li)
K
Y
Dell Inspiron 16 Plus 7630 excessive ram usage
Replies
0
Views
14
Yusuf Emre Yazıcı1
Y
N
New PC, getting HYPERVISOR_ERROR bsod
Replies
0
Views
40
NMUN
N
A
How do I fix my computer? It says No Bootable Device.
Replies
0
Views
20
Anonymous173_049
A
I
strange folder in temp
Replies
0
Views
20
ItamarLiberman
I
Back
Top Bottom