hi guys, ok well, this virus problem is fixed first of all. i have zonealarm running in the background, and sometimes it asks me to allow SVSHOST.exe access to the internet. now the question is, how do i know that SVCHOST.exe is genuine? is there i can find out? because i recently healed/deleted a virus in this folder: C:\Windows\Systems32\Wins\Svchost.exe any suggestions on how to tell?

svshost.exe is a system file used for various purposes depending on what program calls on it: http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q250/3/20.ASP&NoWebContent=1 and http://www.grtg.org/stuff/computers/windows/svchost_exe.php

G'day, svchost.exe can also be altered/ compromised by viruses or spyware. Check that the version that you have in your windows/system directory is valid. If not, delete it and restore the original. regards and seasons greetings, Elric

Ryan, it looked like svShost was a typo, just checking on that.. as there are many variants. I kept getting thrown by the sheer number, and ended up making a shortlist. It looks like a case of "Dude, Where's my Virus???" but here goes. **The legitimate files are found in the WINNT folder, and in the System32 folder These are: c:\ Winnt\Svchost.exe ; c:\ System32\svchost.exe WARNING: These are vital Windows system file, and should not be touched! >>>>>>>>>>>>>>>>>>>>>>> SVC variants – Trojans, viruses and hijackers These are usually found in the Windows folder and are often in plural form. c:\windows\svchosts eg. Troj/Hostidel.B c:\windows\svchostc.exe c:\WINDOWS\svchost32.exe eg. Nachi Worm. c:\Windows\system\svchosts.exe eg. Sdbot-N / Troj/Sdbot-Z virus! However, there are these to check for in the system folders. C:\WINDOWS\SYSTEM\svchost32.exe eg. BackDoor-AQT C:\WINDOWS\SYSTEM32\svchosts.exe eg. IRC-Sdbot trojan Restart your computer, and delete these files in your Windows folder. There are numerous variants of these floating around; observe carefully: SCV variants: c:\windows\scvhost.exe……….. scvhost.exe is a result of the W32/GAOBOT worm c:\windows\SCVHOSTS.EXE……….Windows Print Spooler (SCVHOSTS.EXE); >>>>>>>>>>>>>>>>>> HTH, and hope it is all correct – let me know if not; and feel free to add in any other variations you have come across, as I’m happy to update this info.

thanks iceblue. yeah it was a typo. it is svchost.exe. anyway, i was just wondering. just one more thing: how can tell from ZONEALARM, that svchost.exe is a virus or not when ZA asks for svchost.exe to access the internet? if there is way, please tell me. if there isn't, it's alright. Ryan

ARRRGH...goddamn typo /cut and paste crap!! [Damn I hate corrections]; but they are neccessary -coming in next post....]

ok -answering that last one first... I haven't got ZA, so intuitively i would say you can't tell easily, if it's a similar format to Sygate. Best way to reveal the full path of running processes is by Process Explorer from Sysinternals (or a similar proggie). http://www.sysinternals.com/ntw2k/freeware/procexp.shtml Keep this in mind: There can be multiple instances of Svchost.exe running at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where Svchost.exe is started. It is normal for win processes to use cpu and normal for several concurrent svchost processes to happen. I have 4 or 5 usually. The legit file for your XP system is C:\WINDOWS\System32\svchost.exe *note the slight change from the previous post above by the dipstick with the name similar to mine.......