Svchelper.exe...probably unknown NewHeur_PE virus

My Nod32 2.5 with last signature, report:

C:\windows\system32\svchelper.exe.....probably unknown NewHeur_PE virus

...svchelper.exe is a file of windows system....i don't know if i must deleted or like see in other forum....is a false warning..??

Thank for help
Wal

 

C:\windows\system32\svchelper.exe is not on my Windows XP SP2 computer. I do a Google search for it and get nothing at all. I bet it really is a new virus.

If that file is still on your computer, right-click it, look at Properties, and check the Creation Date in the General tab. On the Version tab, look at the Description field and also look at the other info, like Company, File Version, etc. A file that is really from Microsoft will have good values for all these fields. A virus usually has nothing or garbage here.

 

Likewise, no such file on my Win XP SP2 pc.

I would submit it to Eset for further analysis.

Regards,

Jag

 

Some note from Properties of file (right click):

Description:Generic Host Process for Win32 System Helper
Product:Microsoft® Windows® Operating System
Version: 5.02.0479
Company:Microsoft Corporation

 

That file is not on my computer either

 

no. not on mine

 

... nor on mine... I don't think there even IS a MS file by that name...

I suggest you upload Svchelper.exe at Jotti's in order for it to be tested:

http://virusscan.jotti.org/

Please give us a copy and paste of the scan results.

 

I don't thave that file either.

 

Uh, oh. It sounds like virus writers are starting to get more clever. What is the creation date of that file?

 

fROM: http://virusscan.jotti.org/

Report:

File: svchelper.exe
Status:
POSSIBLY INFECTED/MALWARE (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)
MD5 91c70f2aeddee196397090d1d2caf755
Packers detected:
-
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

.....

 

Put this file on quarantine, sent it to ESET for analysis and wait for the next updates to see what will happen...

 

I'd like to have a closer look at this file myself, if possible.

You can send it to submit_stuffATxs4all.nl for analysis. (replace 'AT' by @)

Much appreciated!

 

The version number of that file is not right either. All WinXP system files (except DirectX) are supposed to be of version number 5.1.xxxx, not 5.0.xxxx

 

Well, there's absolutely nothing at all to be found on this file on the Net, and it it were indeed a Windows file that would be rather unlikely...

 

There is a file called "svchelper" that is on google......looks like it may have something to do with Tight VNC server software.........

Do a google on svchelper

 

Yes, but it refers to a SVCHELPER option, doesn't mention a file by that name tho...

I'd really like a copy of that file as requested. That should hopefully help identifying it.

If necessary, I'll simply execute it and log what happens.

 

....okay i send tje file to NOD32 mail support...and await some news....i hope

Thank to all
Wal

 

Would you send me a copy as well, please? I'd like to have a closer look at it myself.
You *might* just get a swifter reaction that way too...

Thanks!

 

To all who have been following this thread.

It appears to be a new strain of the Rbot series with the XTreme-Protector 1.05 packing method.

A port is opened to irc2.tin.it:6667.

Sound familiar?

 

A demonstration of NOD advanced heuristics in action.

 

.....Tony...no problem...send me a PM with your mail

Wal

 

Hi Wal,

For Tony's addy see reply # 12 in this thread

 

Yup, what Jan said...

Thanks, Wal!

(and thank you, Jan!)

 

Hi,

Good job Eset on finding that virus first. You may also want to submit the file to http://www.virustotal.com/flash/index_en.html as the file will get passed on to all other AV's that did not detect.

I know Jotti's scanner does the same but only if 2 or more scanners detect the file as suspect (message said this will not be stored)

Cheers

Jlo

 

..."For Tony's addy see reply # 12 in this thread "

Okay i send
Tk
Wal