svc.exe and host files

[Guest]

I read a post regarding the use of hoster.zip to restore your host files to
their original state. I now see only my local host listed. Will this list
eventually start to build again for protection ?

I also see under running processes 8 refrences to the same file "svc.exe"
(microsoft generic host process for win32 services) Is this normal ?

Thank you for your help.

Ben

 

[Guest]

Subject: All my Windows Hosts Files are directed to the same Destination IP
address.
From: "Bob" Sent: 9/13/2005 7:29:09 AM
ANNOUNCEMENTS


See and follow the links at
http://accs-net.com/hosts/what_is_hosts.html

Engel

 

[Guest]

I think you meant to type svchost.exe, not svc.exe.

Svc.exe is a part of the MAPFIND virus, whereas svchost.exe is the Microsoft
Generic Host Process for Win32 Services. Svchost.exe is needed to properly
connect to the Internet. A discription of the process can be found from
reading Article 314056 "A description of Svchost.exe in Windows XP"
(http://support.microsoft.com/default.aspx?scid=kb;en-us;314056).

The multiple occurrences of this process (svchost.exe) are because of the
different security levels of each service that must use the process.

Alan

 

[Guest]

Thank you.

I will read and see if I need the ones hoster.zip deleted ?

In addition I now see 8 named as "NEW"

 

[Guest]

Sorry, yes it is svchost.exe

Thank you Alan.

Ben

 

[Bill Sanderson]

I hope what you are seeing is SVCHOST.EXE.

If so, see this article for an explanation:

http://support.microsoft.com/?kbid=314056

It is a good idea to check your system drive for SVCHOST.EXE files.

I've got one in prefetch, one in system32, and one in servicepackfiles\i386,
which looks just like the one in system32. You don't want any in \windows
or \windows\system, for example--those would be good candidates for trojans.

Now--about those host file entries. One reason for returning the file to
the default is so that you can see, for certain, that there are no GOOD
sites mixed in with all the bad sites that those entries were "protecting"
you against visiting. If you want those protective entries back again, run
Spybot Search & Destroy, or some other third-party antispyware
programs--they are what placed the entries there originally.

 

[Guest]

Sorry for late reply

I printed and will read soon.

Thank you for your assistance

Ben

 

[Bill Sanderson]

The executive summary:

\%windowsroot%\system32\svchost.exe is safe, and having multiple instances
running under XP is perfectly normal, and, in fact, enhances security.

This filename in some other locations--\windows, \winnt, \windows\system, is
likely to be a trojan, as is any name chosen to be very similar but slightly
misspelled.
--