"Scan Result:Infected"

Discussion in 'Prevx Releases' started by PatrickM, Nov 29, 2009.

Thread Status:
Not open for further replies.
  1. PatrickM

    PatrickM Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    15
    I sent, as per instructions, the "Infected" file for analysis & was told via e-mail I would hear back within 24 hours. It's over 24 hours now. I'm not impressed.
    The file the program says is infected is "svchost(4).exe" & after looking at its date & file size & also running several scans with Eset A/V, Threatfire, multiple anti-malware scanners etc., which all say no infections were found, I'm becoming frustrated with this program.

    The file in question was found during a normal system scan of this PC, which hadn't been used for several days & was shut off by me (I'm the only user). I also had my internet connection disconnected during this time. I had done a scan with the same Prevx install before shutting the system completely down & it said it was clean? How does a computer become infected when it's off & everything is unplugged, including power? No new program was installed before it was shut down & power to everything was unplugged. I am careful where I go on the internet & of what I download. In close to 15 years I've had one true infection, which was very easy to clean.

    I also ran a "full scan" and it says another file is "infected"..."svchost.exe"

    Come on, svchost is malware?! It's a Microsoft exe. I could run a dozen other highly rated programs & this is the only program that says these two files are infected. All the programs I use are well known & I don't use P2P or any other well-known way to become infected.

    Question to anyone who can answer from experience. I'm still waiting for Claudia or someone else from Prevx to tell me what they found with the file I sent. I highly doubt it's infected & neither is svchost.exe but they're the experts right.

    Maybe they're too busy to reply or do they work on Sundays?

    While I wait, can anyone think of a program that can scan these two files so I can tell Prevx to consider them false positives? Personally, I think the other programs I scanned them with are enough but from what I've read on these forums, some of you are at odds with each other over what program is better.

    Thanks for reading my long-winded rant.
     
  2. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,812
    Personally I would wait for support to respond on this. svchost.exe is a Microsoft file, but it can be infected just like Explorer.exe. Your best bet here is to wait on support. I don't know if they work on Sundays, but I do know that Joe sometimes checks the boards on the weekend.


    Edit.

    Also, is the file it's picking up named svchost(4).exe? What disturbs me is that Windows does not put (4) in the process manager; if that's the name of the file, it could be a bogus file.
     
    Last edited by a moderator: Nov 29, 2009
  3. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,812
    Here is an example of what a healthy svchost.exe looks like. If you're getting any other file name than what is listed here, then there could be a problem.

    example.jpg
     
  4. PatrickM

    PatrickM Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    15
    Hi Fajo, the file...actually both svchost(4).exe & svchost.exe are in Windows XP Home & yes, I know the (4) doesn't seem right. I am a little suspicious of it, but after Nod32 4.0.467.0, Threatfire latest updates, SuperAntispyware Pro, Malwarebytes on demand, Sophos Anti-Rootkit, Norton online scan, Dr Web Cure It have all found the system clean after full scans, it makes me think Prevx sees the (4) & automatically thinks it's malware, which is a good thing. But all the other programs are wrong? And it's also showing svchost.exe as being infected with malware? I would appreciate it if Prevx would automatically give a reason it thinks this instead of just saying "malware component"..component of? Not very helpful IMO.

    When I read on their website about svchost.exe, for instance..it says basically that it's a file they're investigating..what? :blink:

    FYI..both files are 14k..svchost(4).exe is dated 2/28/2006 @ 8:00. File version is 5.1.2600.2180 ..."5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)"

    svchost.exe is also 14k..dated 4/14/2008 @ 04:42
    version is "5.1.2600.5512 (xpsp.080413-2111)"

    I just right clicked on svchost.exe in system32..then told Prevx to scan it..the result is "svchost.exe in C:\windows\$ntservicepackuninstall$\" "malware component"?

    I scanned the file in system32 not "C:\windows\$ntservicepackuninstall$\"

    Methinks Prevx is wrong & screwy in this particular event, but I'll be the first to admit I'm not a professional in security. I do know if I were to allow Prevx to remove the 2 files, I would be asking for major problems, as the two files are required by XP.
     
  5. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
  6. PatrickM

    PatrickM Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    15
    Scoobs72...I see it mentions it but when I do a search in the SAS forums it says it found nothing on svchost(4).exe.

    And as we speak, I'm doing a full system scan with SAS PRO. I'll let you know what it finds when it's complete.
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    If you could please save a scan log by clicking Tools > Save Scan Results within Prevx and send this log to report@prevxresearch.com we will investigate it to determine if it is a false positive or actual infection.

    Let me know if you have any questions! :)
     
  8. PatrickM

    PatrickM Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    15
    Hi, I sent it to you yesterday along with the file svchost(4).exe. Did you not receive it?
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I don't see it :doubt: Could you double check that you're following these restrictions: https://www.wilderssecurity.com/showthread.php?t=245129

    If so, let me know and I'll get an alternate way of getting the data to us together :)
     
  10. PatrickM

    PatrickM Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    15
    Ok, I'll make sure & will try again. Thanks
     
  11. PatrickM

    PatrickM Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    15
    Ok, both svchost(4).exe & svchost.exe have been emailed. Also sent the scan log with it in 7zip using the password infected per instructions.

    Please let me know if you received them.

    I emailed them to report@prevxresearch.com

    As well, I uploaded both files & the log file to support..the page says "Conversation with Prevx Support" & the files are showing:
    "Nov 29, 2009 19:14
    Subject : "Threat" "Name svchost(4).exe in C:\windows\system32\ "Malware Component" (File Uploaded) (File Up
    A File has been Uploaded. The file is called svchost(4).7z"
     
    Last edited: Nov 29, 2009
  12. PatrickM

    PatrickM Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    15
    SAS PRO full system scan found 53 cookies..other than that, here's the log.

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 11/29/2009 at 03:08 PM

    Application Version : 4.31.1000

    Core Rules Database Version : 4317
    Trace Rules Database Version: 2177

    Scan type : Complete Scan
    Total Scan Time : 00:40:44

    Memory items scanned : 562
    Memory threats detected : 0
    Registry items scanned : 5844
    Registry threats detected : 0
    File items scanned : 18447
    File threats detected : 53
     
  13. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    Still looks very suspicious. Some malware makes copies of svchost.exe and injects executable code into it. I would be very cautious until you get an adequate explanation of why you have a second svchost.exe in your system32 folder.
     
  14. PatrickM

    PatrickM Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    15
    Here's a screenshot of Prevx.
     


  15. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,812
    That svchost seems like it has either been infected or is a bogus svchost. Have you ever been infected before on this install of Windows? This could be leftovers of that if so. But the best thing is to let Joe pick it apart and give us the :thumb: or :thumbd:.
     
  16. PatrickM

    PatrickM Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    15
    No, that's the strange thing. Before I shut off this system & unplugged everything for several days, until I began to use it again yesterday, Prevx scans were clean? I use Norton Ghost 2003 to make full images of the HDD..no partitions. If I have to, I could restore the most recent image & see if svchost(4).exe was there..I suspect it was, as the date is showing as 2006, as you can see from an earlier post.
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    I've analyzed the sample and while it isn't directly malicious, Prevx has detected it because it is a vulnerable version of svchost.exe. I've adjusted the detection now to only grab onto it if it is configured to be the default svchost.exe and not just a file in the system (the name of svchost(4).exe is peculiar), but this file's version is 5.1.2600.2180 and because your OS is XP SP3, you should be using at least v5.1.2600.5512. This mismatch caused Prevx to flag it as a Malware Component - not an actual infection by itself per se, but one that could lead to further infections.

    However, from your log, you are indeed using the correct version of svchost.exe as your actual svchost.exe (v5.1.2600.5512) but it would still be useful to remove the svchost(4).exe manually from your PC as it is hanging around unnecessarily and if something was to step in and rename/copy it over your legitimate svchost.exe, you could be more susceptible to problems.

    Let me know if you have any questions with this! Besides this stray file, everything looks to be in order and your system is indeed clean :)
     
  18. PatrickM

    PatrickM Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    15
    Hello & thank you very much for your help. Appreciate it very much.

    So I am to delete the svchost(4).exe from the system, correct? And this won't cause any programs to stop responding?

    Also, why is Prevx saying the other svchost.exe is infected?

    I will wait for your reply before deleting "svchost(4).exe" and your explanation on why the other svchost.exe is being targeted as malware.

    Thank you
     
  19. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,812
    It is safe to delete. Also, as for the other one, it's a copy of that svchost(4); in case you were to uninstall the service packs, Windows would revert to that one.

    So all in all it flagged svchost(4).exe and the backup copy of the same svchost.
     
  20. PatrickM

    PatrickM Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    15
    So even though one has the (4).exe in system32 & the other one is in an area to uninstall SP3 & doesn't have the (4) extension, they are the same file, so to speak?
     
  21. PatrickM

    PatrickM Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    15
    I should advise Prevx that after looking through the system32 folder in XP Home SP3..I have found numerous .exe files with (3).exe & (4).exe. It seems for whatever reason when I downloaded & installed Service Pack 3 it added these changes to older files. Odd, since it appears that no one else has noticed this happening.

    All files affected seem to be .exe files.

    One would think when Microsoft installs a new service pack, these redundant files would be removed or just left as is?

    Not exactly well thought out IMO.

    So, another question.

    Do I go through all files in system32 & remove all that have the (#).exe since every one that does appears to have another duplicate with the expected .exe?

    PS..It's getting late in the day here. I'll check back tomorrow to see if I can delete the files mentioned above as they seem to have been renamed after newer versions were installed by Microsoft's SP3.
     
    Last edited: Nov 29, 2009
  22. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, I suspect these are all just garbage leftovers from the OS upgrade. The svchost(4).exe and svchost.exe in your service pack uninstall folder, as Fajo said, are exact duplicates. When Prevx detects a file, it will search for all duplicates of that file across the system on the next scan to ensure that it will pick up any remnants left over.

    Hope that helps clear it up! :) Let me know if you'd like any further clarification :)
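The triage logic PrevxHelp describes in posts 17 and 22 (judge only the file that runs as the default svchost.exe on its version against the service pack baseline, and sweep byte-identical duplicates such as the (4) sidecar and the service pack backup), as an added Python example that is not Prevx's code. The inventory, the placeholder file bytes and the per-service-pack minimum version table are constructed from the version numbers quoted in this thread, not read from a real system.

```python
import re
from collections import namedtuple
from hashlib import sha256

# Minimum svchost.exe build per XP service pack, constructed from the versions quoted
# in the thread: SP2 RTM ships 5.1.2600.2180, SP3 ships 5.1.2600.5512.
MIN_SVCHOST_VERSION = {2: (5, 1, 2600, 2180), 3: (5, 1, 2600, 5512)}
DEFAULT_SVCHOST = r"c:\windows\system32\svchost.exe"
SIDECAR = re.compile(r"^.+\(\d+\)\.exe$")  # e.g. svchost(4).exe, matched on lowercased name
PEFile = namedtuple("PEFile", "path version content")  # path, FileVersion string, file bytes

def parse_version(s):
    """Reduce '5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)' to the tuple (5, 1, 2600, 2180)."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(x) for x in m.groups())

def triage(files, service_pack):
    """Return {path: (verdict, [other paths with byte-identical content])}.
    Only the default svchost.exe is judged on its version; '(N).exe' sidecars and
    service pack backups are reported as duplicates to clean up, not as infections."""
    minimum = MIN_SVCHOST_VERSION[service_pack]
    by_hash = {}  # content hash -> every path carrying those bytes (the duplicate sweep)
    for f in files:
        by_hash.setdefault(sha256(f.content).hexdigest(), []).append(f.path)
    verdicts = {}
    for f in files:
        low = f.path.lower()
        twins = sorted(p for p in by_hash[sha256(f.content).hexdigest()] if p != f.path)
        if low == DEFAULT_SVCHOST:
            verdict = "vulnerable default svchost.exe" if parse_version(f.version) < minimum else "ok"
        elif SIDECAR.match(low.rsplit("\\", 1)[-1]):
            verdict = "stray sidecar copy"
        elif "$ntservicepackuninstall$" in low:
            verdict = "service pack backup copy"
        else:
            verdict = "ok"
        verdicts[f.path] = (verdict, twins)
    return verdicts

def sample_inventory():
    """Constructed inventory of the three files discussed in the thread; bytes are stand-ins."""
    old, new = b"MZ placeholder build 2180", b"MZ placeholder build 5512"
    return [
        PEFile(r"C:\windows\system32\svchost.exe", "5.1.2600.5512 (xpsp.080413-2111)", new),
        PEFile(r"C:\windows\system32\svchost(4).exe", "5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)", old),
        PEFile(r"C:\windows\$ntservicepackuninstall$\svchost.exe", "5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)", old),
    ]
```

On the constructed inventory, `triage(sample_inventory(), 3)` reports the real svchost.exe as ok and pairs the sidecar with its service pack backup as duplicates, which is the outcome the thread arrived at.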
     
  23. PatrickM

    PatrickM Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    15
    Thanks again for your help. I'll take care of getting rid of the older files.

    Prevx appears to be a great addition to help protect my system, I just had a little learning to do in this situation. Great job helping me out (customer support!):thumb: :thumb:
     