C:\SVCHOST.EXE

Randy

Had a bear of a time with this one. Spyware installer
running in root as SVCHOST.EXE. Ad-Aware, Spy Sweeper and
MS AntiSpyware missed it. My eyes missed it in the
HijackThis scan MANY times.

In safe mode, I disabled the startup entry with HijackThis and
then deleted the contents of the file in Notepad. Rebooted and
deleted the file.


Since search is disabled on this site, hopefully I did not
duplicate this info.

Randy

JohnF.

I just cleaned this off a machine two days ago - these spyware authors are
busy! I wish I had the time they seem to have.

One of the MS people might want the file itself if you still have it. I was
so glad to be able to nuke it I forgot to save a copy!

Randy

I thought of saving it just after I nuked it. It took me so
long to find it that I was just glad to get rid of it.

Randy

JohnF.

Yes, we understand that, BUT:

It is not that file when it is running from C:\svchost.exe,

which coincidentally is the theme of this thread!

Chris Ard [MSFT]

Correct. The only valid instance of svchost is from
Windows\system32\svchost.exe. Any other instance of svchost that is
running is malware.
In some cases, the spyware may create a service that runs using some
semi-legitimate name like IP/TCP Services so just looking at svchost won't
be enough because the instance of svchost is legitimate, but the service
running under it is not.

Chris Ard
Security Support
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
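
The two checks Chris describes above, as an added example that is not part of the original thread or of any Microsoft tooling: first list every running svchost.exe by image path and flag any that does not live under the Windows system directory (a C:\svchost.exe shows up immediately), then list the services hosted inside each legitimate svchost.exe together with the ServiceDll each one registers, so a rogue service with a plausible display name can be spotted by where its code actually lives. It assumes a Windows host with PowerShell 3.0 or later and an elevated session; it also treats SysWOW64\svchost.exe as legitimate, which is an addition for 64-bit Windows beyond the System32 path named in the post.

```powershell
# Added example, not from the original thread. Run from an elevated PowerShell.
$system32 = Join-Path $env:SystemRoot 'System32'
$sysWow64 = Join-Path $env:SystemRoot 'SysWOW64'   # assumption: 32-bit host on 64-bit Windows is also legitimate

# True when a path (possibly containing %SystemRoot%) resolves to System32 or SysWOW64.
function Test-SystemPath {
    param([string]$Path)
    if (-not $Path) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    return ($expanded -like "$($system32)\*") -or ($expanded -like "$($sysWow64)\*")
}

# 1. Every running svchost.exe, by image path. Anything outside the system
#    directories (for example C:\svchost.exe) is suspect. ExecutablePath is
#    empty when the session lacks rights to the process, so run elevated.
Write-Host '== svchost.exe processes =='
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    [PSCustomObject]@{
        PID     = $_.ProcessId
        Path    = $_.ExecutablePath
        Verdict = if (Test-SystemPath $_.ExecutablePath) { 'ok' } else { 'SUSPECT: not under System32/SysWOW64' }
    }
} | Format-Table -AutoSize

# 2. Services hosted by svchost.exe. The host binary can be legitimate while the
#    service inside it is not; the registered ServiceDll is the code that runs.
Write-Host '== services hosted in svchost.exe =='
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match 'svchost\.exe' -and $_.ProcessId -gt 0 } |
    ForEach-Object {
        $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters"
        $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        [PSCustomObject]@{
            PID         = $_.ProcessId
            Service     = $_.Name
            DisplayName = $_.DisplayName
            ServiceDll  = $dll
            Verdict     = if (Test-SystemPath $dll) { 'ok' } else { 'CHECK: ServiceDll missing or outside System32/SysWOW64' }
        }
    } | Sort-Object PID, Service | Format-Table -AutoSize
```

A service whose ServiceDll points outside the system directories, or that has no ServiceDll at all while claiming to run under svchost.exe, deserves a closer look regardless of how official its display name sounds; compare the service name against the hosts's -k group on the command line (Win32_Service.PathName) before removing anything.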

Bill Sanderson

I had the highly educational experience of listening to Lee Yan on the
subject of root kits the other day--thanks very much for chiming in here.