Is "xvchost.exe" a virus?

Discussion in 'malware problems & news' started by backfolder, Aug 31, 2004.

Thread Status:
Not open for further replies.
  1. backfolder

    backfolder, Registered Member (Joined: May 25, 2004; Posts: 72; Location: Spain)

    I'm sure it is, but it wasn't on my computer; it was on a friend's PC. I just killed the process in memory and searched the Windows directory. There it was, in the System32 folder, so I renamed it and rebooted to see if the PC worked correctly (there was also a xvchost.exe.#####.pf file). After seeing that it was fine, I proceeded to delete the file and clean the two O4 entries in HijackThis. The .exe file was 106 KB.
    NOD32 (standalone) detects neither this nor another trojan "downloader" called "vchost", also in the Windows root folder.
    Sorry, because I should have saved these two files in a .rar or .zip and sent them to NOD32 support.

    backfolder.-
     
  2. nadirah

    nadirah, Registered Member (Joined: Oct 14, 2003; Posts: 3,647)

    The real process name is svchost.exe, xvchost.exe ain't the real one.
     
  3. Tassie_Devils

    Tassie_Devils, Global Moderator (Joined: May 8, 2002; Posts: 2,514; Location: State Queensland, Australia)

  4. backfolder

    backfolder, Registered Member (Joined: May 25, 2004; Posts: 72; Location: Spain)

    Thanks nadirah, I know that process.

    Yep, TAS, it's a pity I didn't send a copy to NOD32 & KAV. I will try to recover the two files and let you know.

    backfolder.-

    EDIT: Unfortunately I wasn't able to recover it. The only two things I hope will help the ESET people and other possible developers are the name and the size: xvchost.exe and 106 KB. It remains in memory as a process, and it is also accompanied by a .pf file (something like xvchost.exe.#####.pf, where # are numbers). Sorry.
     
    Last edited: Aug 31, 2004
  5. nadirah

    nadirah, Registered Member (Joined: Oct 14, 2003; Posts: 3,647)

    The file which you found is a .pf file, right? I guess you found it in the Windows XP Prefetch folder? And why does the file show the numbers as #####? I think the file may be encrypted.
     
  6. backfolder

    backfolder, Registered Member (Joined: May 25, 2004; Posts: 72; Location: Spain)

    That isn't the real file name; the ##### is a mask, and there you must put random numbers or predt. numbers made by the virus or your system. For example: xvchost.exe.32261.pf.

    backfolder.-
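
The look-alike naming discussed in this thread (xvchost.exe and vchost standing in for svchost.exe) can be checked for mechanically. The following is an added example, not posted by any participant: it flags image paths whose file name is within two edits of svchost.exe, or that use the real name outside the system directories. The C:\Windows install path, the two-edit threshold and the sample list are assumptions constructed for illustration.

```python
import ntpath

# Assumption: Windows is installed in C:\Windows (SysWOW64 exists on 64-bit).
LEGIT_NAME = "svchost.exe"
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(image_path: str, max_distance: int = 2) -> str:
    """Return 'legit', 'misplaced', 'lookalike' or 'unrelated' for one path."""
    path = ntpath.normpath(image_path).lower()
    directory, name = ntpath.split(path)
    if name == LEGIT_NAME:
        return "legit" if directory in LEGIT_DIRS else "misplaced"
    if edit_distance(name, LEGIT_NAME) <= max_distance:
        return "lookalike"
    return "unrelated"


# Constructed sample; only the names xvchost.exe and vchost come from the thread.
SAMPLE = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\xvchost.exe",
    r"C:\Windows\vchost.exe",
    r"C:\Users\Public\svchost.exe",
    r"C:\Windows\explorer.exe",
]


def scan(paths):
    """Return (path, verdict) pairs for entries worth a closer look."""
    return [(p, v) for p in paths if (v := classify(p)) in ("lookalike", "misplaced")]


if __name__ == "__main__":
    for path, verdict in scan(SAMPLE):
        print(f"{verdict:10} {path}")
```

A hit is only a lead for manual review: the name check says nothing about what the file does.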
     