SVCHOST.EXE virus???
Original Message
Name: Ryan
Date: December 16, 2003 at 05:50:13 Pacific
Subject: SVCHOST.EXE virus???
OS: Windows XP (SP1)
CPU/Ram: P3 1GHz/256 RAM
Comment: Hi guys, ok well, this virus problem is fixed first of all. I have ZoneAlarm running in the background, and sometimes it asks me to allow SVSHOST.EXE access to the internet. Now the question is, how do I know that SVCHOST.EXE is genuine? Is there a way I can find out? Because I recently healed/deleted a virus in this folder: C:\Windows\Systems32\Wins\Svchost.exe
Any suggestions on how to tell?
Response Number 1
Name: ranchhand
Date: December 16, 2003 at 07:22:56 Pacific
Subject: SVCHOST.EXE virus???
Reply: svshost.exe is a system file used for various purposes depending on what program calls on it: http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q250/3/20.ASP&NoWebContent=1 and http://www.grtg.org/stuff/computers/windows/svchost_exe.php
Response Number 2
Name: elric
Date: December 16, 2003 at 09:08:39 Pacific
Subject: SVCHOST.EXE virus???
Reply: G'day, svchost.exe can also be altered/compromised by viruses or spyware. Check that the version that you have in your windows/system directory is valid. If not, delete it and restore the original. Regards and season's greetings, Elric
Response Number 3
Name: iceblue
Date: December 17, 2003 at 04:20:33 Pacific
Subject: SVCHOST.EXE virus???
Reply: Ryan, it looked like svShost was a typo, just checking on that, as there are many variants. I kept getting thrown by the sheer number, and ended up making a shortlist. It looks like a case of "Dude, Where's my Virus???" but here goes.
**The legitimate files are found in the WINNT folder, and in the System32 folder. These are:
c:\Winnt\Svchost.exe ; c:\System32\svchost.exe
WARNING: These are vital Windows system files, and should not be touched!
>>>>>>>>>>>>>>>>>>>>>>>
SVC variants – Trojans, viruses and hijackers
These are usually found in the Windows folder and are often in plural form.
c:\windows\svchosts eg. Troj/Hostidel.B
c:\windows\svchostc.exe
c:\WINDOWS\svchost32.exe eg. Nachi Worm.
c:\Windows\system\svchosts.exe eg. Sdbot-N / Troj/Sdbot-Z virus!
However, there are these to check for in the system folders.
C:\WINDOWS\SYSTEM\svchost32.exe eg. BackDoor-AQT
C:\WINDOWS\SYSTEM32\svchosts.exe eg. IRC-Sdbot trojan
Restart your computer, and delete these files in your Windows folder. There are numerous variants of these floating around; observe carefully:
SCV variants:
c:\windows\scvhost.exe……….. scvhost.exe is a result of the W32/GAOBOT worm
c:\windows\SCVHOSTS.EXE……….Windows Print Spooler (SCVHOSTS.EXE);
>>>>>>>>>>>>>>>>>>
HTH, and hope it is all correct – let me know if not; and feel free to add in any other variations you have come across, as I’m happy to update this info.
Response Number 4
Name: ryan
Date: December 17, 2003 at 04:29:07 Pacific
Subject: SVCHOST.EXE virus???
Reply: Thanks iceblue. Yeah, it was a typo. It is svchost.exe. Anyway, I was just wondering. Just one more thing: how can I tell from ZONEALARM that svchost.exe is a virus or not when ZA asks for svchost.exe to access the internet? If there is a way, please tell me. If there isn't, it's alright. Ryan
Response Number 5
Name: iceblue
Date: December 17, 2003 at 04:29:45 Pacific
Subject: SVCHOST.EXE virus???
Reply: ARRRGH...goddamn typo / cut and paste crap!! [Damn I hate corrections]; but they are necessary - coming in next post....]
Response Number 6
Name: iceblue
Date: December 17, 2003 at 04:37:40 Pacific
Subject: SVCHOST.EXE virus???
Reply: ok - answering that last one first... I haven't got ZA, so intuitively I would say you can't tell easily, if it's a similar format to Sygate. Best way to reveal the full path of running processes is by Process Explorer from Sysinternals (or a similar proggie).
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
Keep this in mind: There can be multiple instances of Svchost.exe running at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where Svchost.exe is started. It is normal for win processes to use cpu and normal for several concurrent svchost processes to happen. I have 4 or 5 usually.
The legit file for your XP system is C:\WINDOWS\System32\svchost.exe
*note the slight change from the previous post above by the dipstick with the name similar to mine.......
Response Number 7
Name: iceblue
Date: December 17, 2003 at 04:44:31 Pacific
Subject: SVCHOST.EXE virus???
Reply: Let's try that again.....
**For XP systems, the legitimate files are found in the System32 folder. These are:
C:\WINDOWS\System32\svchost.exe
WARNING: This is a vital Windows system file, and should not be touched!
>>>>>>>>>>>>>>>>>>>>>>>
SVC variants – Trojans, viruses and hijackers
These are usually found in the Windows folder and are often in plural form.
c:\windows\svchosts eg. Troj/Hostidel.B
c:\windows\svchostc.exe
c:\WINDOWS\svchost32.exe eg. Nachi Worm.
c:\Windows\system\svchosts.exe eg. Sdbot-N / Troj/Sdbot-Z virus!
However, there are these to check for in the system folders.
C:\WINDOWS\SYSTEM\svchost32.exe eg. BackDoor-AQT
C:\WINDOWS\SYSTEM32\svchosts.exe eg. IRC-Sdbot trojan
Restart your computer, and delete these files in your Windows folder. There are numerous variants of these floating around; observe carefully:
SCV variants:
c:\windows\scvhost.exe……….. scvhost.exe is a result of the W32/GAOBOT worm
c:\windows\SCVHOSTS.EXE……….Windows Print Spooler (SCVHOSTS.EXE);
>>>>>>>>>>>>>>>>>>
HTH, and hope it is all correct – let me know if not; and feel free to add in any other variations you have come across, as I’m happy to update this info.
Response Number 8
Name: iceblue
Date: December 17, 2003 at 04:58:22 Pacific
Subject: SVCHOST.EXE virus???
Reply: Each win service has a unique PID which is shown in Process Explorer, along with the full path of the service, like C:\WINDOWS\System32\svchost.exe
You can compare the PIDs and check which service is running at any given time and whether it is the legit file in operation.
*Note - Sygate does have a toggle between Applications and Connections, in the 'View' tab, which shows the PID and full path of the running service.... Does ZA have this capability?
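An added example, not part of any post in this thread: the full-path check described in the responses above, applied to a list of (PID, image path) pairs such as one copied out of Process Explorer. The function names, the PIDs and the similarity threshold are assumptions of this example, and it goes beyond the thread's shortlist by flagging any file name close to "svchost" rather than only the variants listed.

```python
import ntpath
from difflib import SequenceMatcher

# Legitimate XP location, as given in Responses 6 and 7 of the thread.
LEGIT_IMAGE = r"C:\WINDOWS\System32\svchost.exe"
LOOKALIKE_THRESHOLD = 0.75  # assumption: similarity cut-off chosen for this example

def _norm(path):
    # ntpath parses Windows paths on any OS; normcase lowercases and unifies slashes.
    return ntpath.normcase(ntpath.normpath(path))

def classify(image_path):
    """Return 'legitimate', 'wrong_location', 'lookalike_name' or 'unrelated'."""
    full = _norm(image_path)
    name = ntpath.basename(full)
    if full == _norm(LEGIT_IMAGE):
        return "legitimate"
    if name == "svchost.exe":
        # Right name, wrong folder: the case Ryan describes in the original message.
        return "wrong_location"
    stem = ntpath.splitext(name)[0]
    if SequenceMatcher(None, stem, "svchost").ratio() >= LOOKALIKE_THRESHOLD:
        return "lookalike_name"
    return "unrelated"

def suspicious(processes):
    """processes: iterable of (pid, image_path); returns flagged (pid, path, verdict)."""
    flagged = []
    for pid, path in processes:
        verdict = classify(path)
        if verdict in ("wrong_location", "lookalike_name"):
            flagged.append((pid, path, verdict))
    return flagged

# Constructed sample process list: PIDs are invented, paths are quoted from the posts.
SAMPLE = [
    (824, r"C:\WINDOWS\System32\svchost.exe"),
    (1012, r"c:\windows\system32\SVCHOST.EXE"),
    (1440, r"C:\Windows\Systems32\Wins\Svchost.exe"),
    (1556, r"c:\WINDOWS\svchost32.exe"),
    (1720, r"c:\windows\scvhost.exe"),
    (1888, r"C:\WINDOWS\SYSTEM32\svchosts.exe"),
    (2004, r"C:\WINDOWS\explorer.exe"),
]

if __name__ == "__main__":
    for pid, path, verdict in suspicious(SAMPLE):
        print(f"PID {pid:>5}  {verdict:<15} {path}")
```

The check assumes Windows is installed in C:\WINDOWS, as in the thread; a flagged entry is a reason to look at the file, not proof that it is malicious.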
Response Number 9
Name: Ryan
Date: December 17, 2003 at 05:46:31 Pacific
Subject: SVCHOST.EXE virus???
Reply: I don't think so. Haven't really checked it out. Is SYGATE free? I'll get Process Explorer as well. And out of all the TROJAN REMOVAL TOOLS out there, which, in your opinion, is the best? Ryan
Response Number 10
Name: iceblue
Date: December 17, 2003 at 13:51:03 Pacific
Subject: SVCHOST.EXE virus???
Reply: Sygate has a free version. Process Explorer is freeware. The consensus in this forum for trojan protection appears to be TDS-3 closely? followed by TrojanHunter...
http://www.diamondcs.com.au/tds/ (I'm not an expert in anti-troj proggies, and TDS-3 is on my to do list)
Response Number 11
Name: teri_smile
Date: December 28, 2003 at 17:53:34 Pacific
Subject: SVCHOST.EXE virus???
Reply: Hello, I've been reading the above and got totally lost.. I'm having problems with svchost.exe. I rebooted my pc after some divx tools and it went all wild, my processor is at 100% and using a lot of memory. I'm not brilliant at pcs, I only know this because I opened up the xp windows task manager. I have ended the svchost that is chewing the processor but I still can't do anything.. also the client session manager closes because of a problem. However, in safety mode the processor and memory are ok.. it's just when I boot up normally.. the computer is in overload.. I don't know if this is a virus.. help anyone ??
Response Number 12
Name: iceblue
Date: December 29, 2003 at 01:54:14 Pacific
Subject: SVCHOST.EXE virus???
Reply: teri_smile, happy to help; after running Spybot and HijackThis could you repeat the comments above, and summarise the results of the Spybot scan and post the Hijack log in a NEW thread, thanks. Details at: http://www.computing.net/security/wwwboard/forum/6433.html
Response Number 13
Name: phrogdriver
Date: January 27, 2004 at 17:06:20 Pacific
Subject: SVCHOST.EXE virus???
Reply: I have two instances of svchost showing up in my Windows folder on my XP machine:
svchost in C:\Windows\System32
as well as:
svchost.exe-3530F672.PF in C:\Windows\Prefetch
Is this ok, or do I have issues I need to address (at the risk of opening myself up to a whole bunch of jokes...)