svchost.exe

The executable svchost.exe has been detected as malware by 34 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘GoogleUpdate’. Although this file uses the name svchost.exe, this is NOT the Windows SvcHost (Service Host) distributed with the OS.
Version: 3.6

MD5: 82b7de165d53f70a791f452a82384c1b

SHA-1: db4122bee48f8b9e28730cb3ba0e4bac2a7a214f

SHA-256: 22dbd3e5f3e4c4efb8928df175c05b77496e25eb95246468fefeafa9289e30d6

Scanner detections: 34 / 68

Status: Malware

Analysis date: 4/25/2024 2:40:03 PM UTC

Scan engine                    Detection                     Engine version
-----------------------------  ----------------------------  ----------------
Lavasoft Ad-Aware              Gen:Variant.MSILKrypt.3       856
Agnitum Outpost                Backdoor.Agent                7.1.1
AhnLab V3 Security             Trojan/Win32.ADH              2014.10.02
Avira AntiVirus                TR/ATRAPS.Gen                 7.11.176.8
avast!                         Win32:Malware-gen             2014.9-141002
AVG                            PSW.Agent                     2015.0.3334
Baidu Antivirus                Trojan.MSIL.Agent             4.0.3.14102
Bitdefender                    Gen:Variant.MSILKrypt.3       1.0.20.1375
Bkav FE                        W32.Clod721.Trojan            1.3.0.4959
Clam AntiVirus                 Win.Trojan.Agent-561442       0.98/21411
Comodo Security                UnclassifiedMalware           19673
Dr.Web                         Trojan.DownLoader5.54703      9.0.1.0275
Emsisoft Anti-Malware          Gen:Variant.MSILKrypt         8.14.10.02.04
ESET NOD32                     MSIL/Spy.Agent.CT (variant)   8.10496
Fortinet FortiGate             W32/SPNR.07EB11!tr            10/2/2014
F-Prot                         W32/MSIL_Parple.A.gen         v6.4.7.1.166
F-Secure                       Gen:Variant.MSILKrypt.3       11.2014-02-10_5
G Data                         Gen:Variant.MSILKrypt         14.10.24
IKARUS anti.virus              Trojan-Spy.MSIL               t3scan.1.7.8.0
K7 AntiVirus                   Spyware                       13.183.13550
Kaspersky                      Trojan-Spy.MSIL.Agent         14.0.0.3164
Malwarebytes                   Trojan.Dropper                v2014.10.02.04
McAfee                         Generic.tfr!j                 5600.6990
Microsoft Security Essentials  Backdoor:MSIL/Gensteal.A      1.11005
MicroWorld eScan               Gen:Variant.MSILKrypt.3       15.0.0.825
NANO AntiVirus                 Trojan.Win32.ATRAPS.jhgkg     0.28.2.62440
Norman                         Suspicious_Gen2.ICGOJ         11.20141002
Panda Antivirus                Generic Backdoor              14.10.02.04
Qihoo 360 Security             Win32/Trojan.Spy.a2b          1.0.0.1015
Sophos                         Mal/MsilSteal-A               4.98
Trend Micro House Call         TROJ_SPNR.07EB11              7.2.275
Trend Micro                    TROJ_SPNR.07EB11              10.465.02
VIPRE Antivirus                Trojan.Win32.Generic          33584
Zillya! Antivirus              Trojan.Agent.Win32.207740     2.0.0.1939

File size: 141 KB (144,384 bytes)

Product version: 3.6

Original file name: svchost.exe

File type: Executable application (Win32 EXE)

Language: Language Neutral

Common path: C:\users\{user}\appdata\roaming\microsoft\svchost.exe

File PE Metadata

Compilation timestamp: 9/5/2010 12:11:00 PM

OS version: 4.0

OS bitness: Win32

Subsystem: Windows GUI

Linker version: 6.0

.NET CLR dependent: Yes

CTPH (ssdeep): 3072:jwIWpNoAwfwnzIAqU+NkVuL9EGHAHHZOXtDYKLb1O3fs:5Wzo9cAJgZOXtDYg

Entry address: 0x248EA

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Developed / compiled with: Microsoft Visual C# / Basic .NET

Code size: 138.5 KB (141,824 bytes)

Startup File (User Run)

Registry location: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name: GoogleUpdate

Command: C:\users\{user}\appdata\roaming\microsoft\windows\templates\svchost.exe


Remove svchost.exe - Powered by Reason Core Security