Strange svchost.exe


dos

Hi,
may I ask why do I have svchost(3).exe? MD5 is
8F078AE4ED187AAABC0A305146DE6716. How many svchost files is normal in Win XP
Home SP2?
 
Unless you mean that you have 3 instances of svchost.exe running; that's
normal (unfortunately) and about as meaningful and buggy as rundll(32) in
previous Windows versions.

Mees de Roo

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:uoWuyOapIHA.6096@TK2MSFTNGP06.phx.gbl...
> From: "dos" <dos@discussions.microsoft.com>
>
> | Hi,
> | may I ask why do I have svchost(3).exe? MD5 is
> | 8F078AE4ED187AAABC0A305146DE6716. How many svchost files is normal in Win
> | XP Home SP2?
>
> There should be NO svchost(3).exe !
>
> Chances are it is malicious.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
 
From: "Mees de Roo" <mees.deroo.laatditweg@enditook.tiscali.nederland>

| Unless you mean that you have 3 instances of svchost.exe running; that's
| normal (unfortunately) and about as meaningful and buggy as rundll(32) in
| previous Windows versions.

| Mees de Roo


Let me clarify this...

If the file is named "svchost(3).exe" it has a high probability of being malicious.

It is not the number of instances of svchost.exe running that is important, it is the
path from which it runs.

SVCHOST.EXE (or variations thereof) is the most common name used by malware to obfuscate
the malicious intent.

If the file is executed from %windir%\system32 it has the propensity of being legitimate
(unless trojanized/patched).

If the file is executed in any other location then the chances are extremely high it is
malicious.

If the file is found running under Win98/ME then the chances are extremely high it is
malicious.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
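The checks Dave lists above (exact file name, directory it runs from, whether the binary is the real signed one) can be automated. The following is an added example, not something posted in this thread; it assumes a current Windows host with PowerShell 4 or later (Get-CimInstance and Get-FileHash are not available on the XP box the original poster has), run from an elevated prompt so that every process's image path is readable. Output values depend on the machine.

```powershell
# Added example: triage svchost-named processes and files the way the thread
# describes. Not from the original posts; assumes PowerShell 4+ on a modern
# Windows host, run elevated.

# The only legitimate home of svchost.exe. [Environment]::GetFolderPath('System')
# returns the real System32 directory for a 64-bit shell.
$system32 = [Environment]::GetFolderPath('System').TrimEnd('\')

function Get-SvchostProcessReport {
    # Every running process whose image name starts with "svchost" (catches
    # svchost.exe, svchost(3).exe, svchost32.exe, ...).
    Get-CimInstance Win32_Process |
        Where-Object { $_.Name -match '^svchost' } |
        ForEach-Object {
            $path = $_.ExecutablePath
            $onDisk = $path -and (Test-Path -LiteralPath $path)
            $sig  = if ($onDisk) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }
            $md5  = if ($onDisk) { (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash } else { $null }

            [PSCustomObject]@{
                PID         = $_.ProcessId
                Name        = $_.Name
                Path        = $path
                # Thread's first rule: the real file is named exactly svchost.exe.
                ExactName   = ($_.Name -ieq 'svchost.exe')
                # Thread's second rule: it runs from %windir%\System32 and nowhere else.
                InSystem32  = ($onDisk -and ((Split-Path -LiteralPath $path -Parent).TrimEnd('\') -ieq $system32))
                # Guard against the "trojanized/patched" case: Authenticode status
                # and signer subject. A valid Microsoft signature is expected.
                SigStatus   = if ($sig) { $sig.Status } else { 'n/a' }
                Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
                MD5         = $md5
                # Real svchost is always launched as "svchost.exe -k <group>";
                # a bare or odd command line is another red flag.
                CommandLine = $_.CommandLine
            }
        }
}

function Get-SuspiciousSvchostFiles {
    # Disk sweep: any svchost-named executable that is either not named exactly
    # svchost.exe or does not live in a Windows system directory. SysWOW64 and
    # WinSxS hold legitimate copies on 64-bit Windows, so they are allowed too.
    $allowedDirs = '\\Windows\\(System32|SysWOW64|WinSxS\\[^\\]+)$'
    Get-ChildItem -Path "$env:SystemDrive\" -Filter 'svchost*.exe' -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Name -ine 'svchost.exe') -or ($_.DirectoryName -notmatch $allowedDirs)
        } |
        Select-Object FullName, Length, LastWriteTime,
            @{ Name = 'MD5';       Expression = { (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash } },
            @{ Name = 'SigStatus'; Expression = { (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status } }
}

Write-Host '== svchost-named processes =='
Get-SvchostProcessReport | Format-Table PID, Name, ExactName, InSystem32, SigStatus, MD5, Path -AutoSize

Write-Host '== svchost-named files outside the expected locations, or with a non-standard name =='
Get-SuspiciousSvchostFiles | Format-Table -AutoSize
```

In the thread's case, %windir%\system32\svchost(3).exe would show InSystem32 = True but ExactName = False and, unless the file is a renamed copy of the genuine binary, SigStatus other than Valid; it would also appear in the second table. A multi-engine "Found nothing" result, as the scan below shows, does not override those indicators.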
 
"David H. Lipman" wrote:

> From: "Mees de Roo" <mees.deroo.laatditweg@enditook.tiscali.nederland>
>
> | Unless you mean that you have 3 instances of svchost.exe running; that's
> | normal (unfortunately) and about as meaningful and buggy as rundll(32) in
> | previous Windows versions.
>
> | Mees de Roo
>
>
> Let me clarify this...
>
> If the file is named "svchost(3).exe" it has a high probability of being malicious.
>
> It is not the number of instances of svchost.exe running that is important, it is the
> path from which it runs.
>
> SVCHOST.EXE (or variations thereof) is the most common name used by malware to obfuscate
> the malicious intent.
>
> If the file is executed from %windir%\system32 it has the propensity of being legitimate
> (unless trojanized/patched).
>
> If the file is executed in any other location then the chances are extremely high it is
> malicious.
>
> If the file is found running under Win98/ME then the chances are extremely high it is
> malicious.
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>

Service load:
File: svchost(3).exe
Status: OK (Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 8f078ae4ed187aaabc0a305146de6716
Packers detected: -
Bit9 reports:
Scanner results
Scan taken on 29 Apr 2008 20:05:58 (GMT)
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing
Yes, the file is executed from %windir%\system32.
 
From: "dos" <dos@discussions.microsoft.com>




| Service load:
| File: svchost(3).exe
| Status:

< snip >

| Found nothing
| Yes, the file is executed from %windir%\system32.

This is an illegitimate process...
%windir%\system32\svchost(3).exe

I am surprised that nothing was detected, not even a heuristic detection.

Could you please provide me a sample.

Place svchost(3).exe in a password protected ZIP file with the password being infected
{ password = infected }

And send the file to DLipman~nospam~@Verizon.Net,
removing ~nospam~ from the above address.



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 