Svchost.exe - Behaveslike:win32.explorerhijack - Possible False Positive

For the last few weeks, I get a notice from BitDefender Antivirus every time I launch Windows, which reports 14 instances of BehavesLike:Win32.ExplorerHijack infecting file c:/windows/system32/svchost.exe=>:ext.exe. "svchost.exe" is a system file, so deleting it manually is not an option. I've searched BitDefender's knowledge base & forum and other resources and have yet to find a solution to the problem. I have read, however, that ext.exe is a malevolent extension and has to be removed, though how to do that eludes me.


I am using an up-to-date version of BitDefender Antivirus 2009 on a Windows XP SP3 system. I am connected to the internet through a firewalled router. Other computers in my home network (also using BitDefender) do not seem to be affected.


Here are screen caps of my Antivirus scan results:


[two screenshots of the scan results, not reproduced here]


Here is the infected file (password: infected):


svchost.rar

Comments

  • csalgau (edited December 2008)

    I'm not sure why BitDefender failed on those issues, but the file is not svchost.exe, but svchost.exe:ext.exe. That is an ADS. In order to remove it, you may try using HijackThis. Kill any running process (use Task Manager) called ext.exe, then under Misc Tools in HijackThis select Open ADS Spy. After a scan, select ext.exe and click Remove selected.


    Also note that the file you sent looks slightly modified, but not in any considerable amount.
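An added example, not from the thread or from BitDefender: a PowerShell alternative to HijackThis's ADS Spy that lists every stream on the file, hashes the alternate ones as evidence, stops any process started from the named stream, and removes only that stream. It assumes PowerShell 3.0 or later (the `-Stream` parameters are not available in the PowerShell 2.0 that Windows XP runs), an elevated prompt, and the stream name ext.exe reported above.

```powershell
# Added example, not from the thread. Enumerate and remove an alternate data
# stream (ADS) on an NTFS file. Assumes PowerShell 3.0+ and an elevated prompt.
$Target    = 'C:\Windows\System32\svchost.exe'   # file named in the thread
$BadStream = 'ext.exe'                            # ADS name reported by BitDefender

# ':$DATA' is the file's normal content; every other entry is an ADS.
$streams = Get-Item -LiteralPath $Target -Stream * -ErrorAction Stop
$extra   = @($streams | Where-Object { $_.Stream -ne ':$DATA' })
if ($extra.Count -eq 0) { Write-Host "No alternate data streams on $Target"; return }

foreach ($s in $extra) {
    # Read the stream as bytes; the parameter name differs between Windows PowerShell and PowerShell 7.
    $bytes = if ($PSVersionTable.PSVersion.Major -ge 6) {
        Get-Content -LiteralPath $Target -Stream $s.Stream -AsByteStream -ReadCount 0
    } else {
        Get-Content -LiteralPath $Target -Stream $s.Stream -Encoding Byte -ReadCount 0
    }
    if ($null -eq $bytes) { $bytes = [byte[]]@() }   # empty stream
    # Keep a SHA-256 of each ADS as evidence before anything is deleted.
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = ($sha.ComputeHash([byte[]]$bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
    Write-Host ("ADS {0}  {1} bytes  SHA256={2}" -f $s.Stream, $s.Length, $hash)
}

# A process launched from the stream carries the 'file:stream' path in its command line.
$running = Get-CimInstance Win32_Process |
           Where-Object { $_.CommandLine -like "*svchost.exe:$BadStream*" }
foreach ($p in $running) {
    Write-Host "Stopping PID $($p.ProcessId): $($p.CommandLine)"
    Stop-Process -Id $p.ProcessId -Force
}

# Remove only the named stream; legitimate streams such as Zone.Identifier are left alone.
if ($extra.Stream -contains $BadStream) {
    Remove-Item -LiteralPath $Target -Stream $BadStream
    Write-Host "Removed ${Target}:$BadStream"
} else {
    Write-Host "Stream $BadStream not present; nothing removed"
}
```

Removing the stream does not touch svchost.exe's main content, so the system file itself stays intact; the printed hashes let the stream be compared against scanner reports afterwards.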

  • lebleu (edited December 2008)

    I am not a complete neophyte, but by no means an expert. Does that mean there might be some editing to do in the REG entries for svchost.exe after I remove the threat with HijackThis?


    Also, after a quick check, there does not seem to be any running process called ext.exe. Could it be blocked from running by BitDefender?

  • It's quite possible. BitDefender should prevent it from running but may have problems locating it. I'll see if we can reproduce this situation in the labs.


    Depending on where the file is run from, it might be sufficient to remove it or it might need some extra help.


    You could try removing it then running CCleaner or a similar product to correct entries pointing to missing files.


    I would actually love to have the file to examine, but I think I'm asking for too much :)

  • If you can help me locate it, or if a HijackThis log can help you help me locate it, I'd be happy to provide it.

  • A HijackThis log will not show all relevant locations for this. You might have better luck providing an AVIS or a Sysinternals Autoruns log.