SVCHOST

AndyManchesta

Hi Reggie,

It's probably malware, but it really depends where you
found it. Svchost topics are always hard to comment on
because there are so many possible reasons for the entry:
it's a genuine file in the system folder, but not
always; the malware files use this exact entry sometimes,
and because it's common to have more than one running it's
hard to spot without using antivirus scanners. Scanning
any file you find suspicious is always the best
start. Jotti's site would help for that

( http://virusscan.jotti.org/ )

(Trojan.Hotword, Welchia.Worm, W32.Kipis,
Trojan.Tannick.B, Backdoor.Xordoor, W32.Mytob, Purityscan.Adware,
Backdoor.Sdbot & more use this filename in the system
folder)

If the svchost is in the Windows\system32 folder then
most of the time it's a genuine and essential file:

C:\WINDOWS\System32\svchost.exe

http://support.microsoft.com/kb/314056/EN-US/ (For XP pro)

http://support.microsoft.com/kb/250320/EN-US/ (Win2000)

The genuine svchost.exe handles processes executed from
DLLs. It's important for the safe and stable running of
the computer system.

Multiple svchost.exe files are loaded when a program
needs to be grouped from other Windows services. This is
a normal operation of Windows and it is common to see
four or five svchost.exe in the Task Manager processes.


It is possible that some malware has added the svchost
file or the virus has injected into svchost (in the case
of the Welchia worm it replaces the svchost file
with "Tftpd", which is a legitimate server program). This
allows the attacker to use ports on the PC and send and
receive information and commands to the infected
system. The use of tftp does not require an account or
password on the remote system either.

If you think the svchost file is damaged or corrupt, you're
best running some online virus scans to make sure the
problem is fully removed, then using your Windows disc to
run the System File Checker. To do this, put the Windows
CD into the disk drive, go to Start, then Run, and type:

SFC /SCANNOW

It will replace any missing files if needed.


If the svchost file is in the Program Files folder or on the
C: drive under any folder name except Windows (the same applies if
it's in the system area inside a folder), it's connected to
keylogging (spying) software.


If the file you deleted was c:\Windows\svchost.exe then
this is a malicious entry, but I cannot say exactly what
put it there as it's used by a lot of malware. If it's in
that folder there will be registry entries as well, so
running some online scanners may clear them. I know
Symantec have some removal tools for %windir%\svchost but
it's hard to know which to use until something is
detected by your scanners.

Here's some that use the c:\windows\svchost entry, but
there's probably a lot more:

Spyware.Shopnav
Spyware.Shopnav.dl
Spyware.AdvancedKey
Spyware.ElfSpy
Spyware.HandyKeylogger
Spyware.QuickKeylogger
Findwhatever.Adware
2020search.Spyware
Trojan.Hazzer
Trojan.Ibiza
Backdoor.DEWIN
Backdoor.Plux
Backdoor.Fuwudoor
Backdoor.Doyorg
Backdoor.Ryejet
Backdoor.XTS
Backdoor.Kotilla
Backdoor.Graybird
Backdoor.Beasty.Family
Backdoor.Shellbot
Backdoor.Litmus.203.
PWSteal.Tarno
PWSteal.Tarno.B
Online Trojan
W32.HLLW.Torvel@mm
W32.HLLW.Repsan
W32.HLLW.Astef
W32.HLLW.Donk
W32.HLLW.Morb
W32.Hiton@mm
W32.Lovgate.Y@mm
W32.Darker.Worm
W32.Erkez.C@mm
W32.Mimail.L@mm
W32.Zori.
W32.Hostidel.Trojan.C
W32.Netsky.F@mm
W32.Hostidel.Trojan.
W32.Jeefo
W32.Nofer.A@mm



There's no way of knowing what put it there unless you can
scan the file at Jotti's site and get a malware
result. Either that, or run some online virus scanners to
make sure your system is clean.


Online Virus / Trojan Scanners :
--------------------------------

Trend Micro

http://housecall.antivirus.com/


Panda

http://www.pandasoftware.com/activescan/


Bitdefender

http://www.bitdefender.com/scan/Msie/index.php

Symantec's Security Check & Virus Scanner

http://security.symantec.com/default.asp?productid=symhome&langid=ie&venid=sym

Trojan Scanner

http://www.windowsecurity.com/trojanscan/trojanscan.asp


Here are some alternative spyware/adware removers that might
help:

Ad-Aware SE

http://www.download.com/3000-2144-10045910.html

Spybot Search & Destroy

http://fileforum.betanews.com/download/Spybot_Search_and_Destroy/1043809773/1

CWShredder

http://cwshredder.net/bin/CWShredder.exe



Regards

Andy Manchesta
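The location checks Andy describes above (genuine copy only under System32, stray copies under the Windows folder or Program Files are malicious) can be automated. The script below is an added example, not part of the original post; it assumes Windows PowerShell 5.1 or later and that it is run elevated so the image path of every process is readable.

```powershell
# Added example, not from the original post. Lists every running svchost.exe,
# flags any whose image is not the genuine copy under %SystemRoot%\System32
# (or SysWOW64 on 64-bit Windows), and looks for stray svchost.exe files in
# the locations the post calls out. Assumes Windows PowerShell 5.1 or later;
# run elevated to see the paths of processes owned by other accounts.

$systemRoot = $env:SystemRoot
$genuine = @(
    (Join-Path $systemRoot 'System32\svchost.exe'),
    (Join-Path $systemRoot 'SysWOW64\svchost.exe')
)

function Get-SvchostReport {
    Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $path = $_.ExecutablePath            # $null when access is denied
        # The -k argument names the service group this instance hosts.
        $group = if ($_.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { '' }
        $sig = if ($path -and (Test-Path -LiteralPath $path)) {
            (Get-AuthenticodeSignature -FilePath $path).Status
        } else { 'Unknown' }
        [pscustomobject]@{
            PID       = $_.ProcessId
            ParentPID = $_.ParentProcessId
            Group     = $group
            Path      = $path
            Genuine   = [bool]($path -and ($genuine -contains $path))  # -contains is case-insensitive
            Signature = $sig
        }
    }
}

# Locations the post describes as malicious for a file named svchost.exe.
$strayLocations = @(
    (Join-Path $systemRoot 'svchost.exe'),
    (Join-Path $env:ProgramFiles 'svchost.exe'),
    (Join-Path $env:SystemDrive 'svchost.exe')
)

$report = Get-SvchostReport
$report | Sort-Object Genuine | Format-Table -AutoSize

$report | Where-Object { -not $_.Genuine } | ForEach-Object {
    Write-Warning "PID $($_.PID) runs svchost.exe from an unexpected path: $($_.Path)"
}
foreach ($f in $strayLocations) {
    if (Test-Path -LiteralPath $f) { Write-Warning "Stray svchost.exe found: $f" }
}
# A Signature other than 'Valid' on a genuine path is a hint, not a verdict:
# on older Windows the file is catalog-signed and may report 'NotSigned'.
```

A flagged process is a candidate for scanning (for example at the Jotti site mentioned above), not proof of infection; the stray-location list only covers the top-level folders named in the post, so extend it if you need a full-drive search.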
 
