svchost.exe trojan?

First let me say - I don’t think this is a False Positive, but I don’t know where else to post it. Please tell me if there is a more appropriate forum.

I have just scanned a hard drive partition that I don’t use often (Windows 7 64-bit), and CIS flagged a copy of svchost.exe as UnClassifiedMalware@132214640

The file is found in M:\Users[…]\AppData\Local\Temp\ is that a red flag right away? In this article:

it says this:

IMPORTANT: The svchost.exe file should be in the C:\Windows\System32 folder. If you find it anywhere else, then svchost.exe could be a virus, trojan, worm, or spyware! Scan your computer with Auslogics Antivirus to make sure it’s not infected.

(But I don’t know if it’s normal for a file like svchost to sometimes get run from underneath AppData)

The VirusTotal report looks ugly:

So I think I have a real bug. I am most interested in trying to figure out if the file has in fact infected my system, and most importantly I would like to find out what kind of damage it may have done.

I understand that this is beyond the scope of asking whether or not it is a FP. Please feel free to point me somewhere else if there is a better place to discuss and explore this…


delete the files by comodo, after this :

launch MALWAREBYTES, update it and run a quick scan, remove all detected files.

virustotal doesnt let much space for the estimation of “just a bug”. and this result is not for discussion.

all signs are pointing to “infection”. you gave the hints yourself.

let another scanner run. malwarebytes free is a good second opinion. or a-squared free edition.

you cant be sure after “desinfection” that your system is repaired then! try to find out, what this “virus” does, and if it is making for example backdoors, well, i would not trust the computer again, until reinstall of operation system.

usually antivirus companies give an explaination about the virus when you search for the name.

Dont say stupidity, if the process is not anymore running you are safe.
Anyway you can try submit svchost.exe to

lol, dont speak about stupidity when you speak stupid:
when a virus makes a backdoor, its totally unimportant if the (virus)process is running anymore or not. its like a worker who has finished his work. is a house destructed when the worker leaves?

dont say things that you cant be sure of as a fact.

without the process running, backdoor is not working.
I call junk registry files.

so, you programmed this special virus, or why are you so sure that you know all about it?

as long as you cant be sure, you should not pretend. its not about who is right or wrong, its about: can we be sure?
and i said, he should read in the antivirus companies description what this virus does. and when it is doing some stuff, it could be that this stuff can stay dangerous.

do you suggest him to use online banking? can he be absolutely sure that his pc is “clean” now? dont put someone in danger by ignoring “danger”.

… if its really a trojan.downloader (read at virustotal) … do all the downloaded things disappear with him? is all rolled back what they have done too?
i would not bet on it!

Both the fact that a file named svchost.exe in a non standard folder and the VT report indicate you are infected.

First thing to try is simply clean the temp folder and see if the file can be easily deleted and comes back after deleting. This is to see if it is protected.

Also check your computer with various scanners (when needed in Windows Safe Mode):
Emsisoft Antimalware (formerly known as a-squared anti malware)
Super Antispwyare
Malwarebytes Anti Malware
Avira’s Antivir anti virus (as on demand scanner)
Spybot Search and Destroy
Gmer anti rootkit scanner

Let us know how things go. Will move this to the virus removal board.

feel free to use file checker
Click on the “START” button ----> Click on “RUN” Type in:
sfc /scannow

Let it do it’s thing, hopefully your good to go

To ensure your system is not still infected please read this.