
Malwarebytes Detecting Virus


Knightmare


My computer was having a hard time running today, so I decided to run a Malwarebytes scan to see if any malware could be causing my issue. I first ran a hyper scan for just the Windows files and folders. When that scan found svchost.exe in Windows\temp, I quarantined it and decided to run a full scan. I left to visit some friends while the scan was running, and when I came back, it had detected the same item. Is this a false positive? Does anyone else have svchost in their Windows\temp folder? The only other thing in the Windows\temp folder is a folder for VMWare.


You're right. It's suspicious at best. After purging with crapcleaner, I'd run combofix, Adw_cleaner, hitman pro, TrendMicro Housecleaner and whatever else you can get your hands on. After all that, let SFC run and repair any problems it finds.



Malwarebytes has an svchost.exe signed by Malwarebytes in their folder, but anywhere else: in x64, one is in C:\Windows\WinSxS\ and the other one is in C:\Windows\WinSxS\x86

In x86 they're in C:\Windows\System32

You should never have one in the temp folder. What kind of antivirus are you running? Because MAM should only be used as 2nd opinion software; it scores very low as an antivirus.
http://dennistechnologylabs.com/reports/s/a-m/2014/DTL_2014_Q2_Home.1.1.pdf



This is a Windows file, but it should not be in the Windows\Temp folder; it should be in these folders:
%SystemRoot%\System32\Svchost.exe and also %SystemRoot%\SysWOW64\Svchost.exe if it is a 64-bit system.

Because svchost.exe is used as a common system process, some malware often uses a process name of "svchost.exe" to disguise itself.

The original system file svchost.exe is located in C:\Windows\System32 folder. Any file named "svchost.exe" located in any other folder can be considered as malware. Determining the image path of a process, and its invoking command line, can help identify software masquerading in this way, and help locate the actual program file which is running under the assumed process name of "svchost.exe" (Windows allows multiple processes to all display the same name).

Some malware injects a .dll file into the authentic svchost process, for example the Win32/Conficker worm.

Try to find what uses it. This can really be a kind of malware file that is called by the same name as a Windows file. Look at what processes are running. From this, you can find the location of the malware. Probably no cleaning or anti-virus program will help you. You must find the cause and then eliminate it manually. Reading how somebody else got rid of his problem probably won't help either, because you may have an absolutely different cause.

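The check described in the post above (the image path and invoking command line of every process named svchost.exe), as an added PowerShell example that is not part of the original thread. It assumes only the two locations named in that post are expected; the function name `Test-SvchostPath` is hypothetical, and the Windows\Temp path is the one the original poster reported.

```powershell
# Added example: inventory every running process named svchost.exe and flag any
# whose image is not in one of the two locations named in the thread.
$expected = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')   # present on 64-bit systems
)

function Test-SvchostPath {   # hypothetical helper name
    param([string]$Path, [string[]]$Expected)
    # Protected processes hide their path from a non-elevated shell.
    if ([string]::IsNullOrEmpty($Path)) { return 'unknown (re-run elevated)' }
    # -contains compares strings case-insensitively, matching Windows path rules.
    if ($Expected -contains $Path) { return 'expected' }
    return 'UNEXPECTED'
}

$report = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    ForEach-Object {
        [pscustomobject]@{
            ProcessId   = $_.ProcessId
            ParentId    = $_.ParentProcessId
            Location    = Test-SvchostPath -Path $_.ExecutablePath -Expected $expected
            ImagePath   = $_.ExecutablePath
            CommandLine = $_.CommandLine
        }
    }

# Descending sort puts 'unknown' and 'UNEXPECTED' rows above the 'expected' ones.
$report | Sort-Object Location -Descending | Format-List

# The file reported in this thread: if it is back after a reboot, record its
# hash, timestamps and signature status before quarantining it again.
$tempCopy = Join-Path $env:SystemRoot 'Temp\svchost.exe'
if (Test-Path -LiteralPath $tempCopy) {
    Get-Item -LiteralPath $tempCopy -Force |
        Select-Object FullName, Length, CreationTime, LastWriteTime
    Get-FileHash -LiteralPath $tempCopy -Algorithm SHA256
    Get-AuthenticodeSignature -FilePath $tempCopy |
        Select-Object Status, SignerCertificate
} else {
    "No svchost.exe found at $tempCopy"
}
```

Run it from an elevated prompt so that `ExecutablePath` and `CommandLine` are populated for service host processes; the `ParentId` of an unexpected row points at whatever launched it.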


Malwarebytes has an svchost.exe signed by Malwarebytes in their folder, but anywhere else: in x64, one is in C:\Windows\WinSxS\ and the other one is in C:\Windows\WinSxS\x86

In x86 they're in C:\Windows\System32

You should never have one in the temp folder. What kind of antivirus are you running? Because MAM should only be used as 2nd opinion software; it scores very low as an antivirus.

http://dennistechnologylabs.com/reports/s/a-m/2014/DTL_2014_Q2_Home.1.1.pdf

I'm running ESET NOD32. It also seems like this file gets created on startup. I may have to do a clean boot, then enable programs one by one.



Archived

This topic is now archived and is closed to further replies.
