SVCHOST.EXE....please HELP !!!

IQY

I have run a virus scan using Norton (with updated
definitions), and it did not detect anything.

I did have a Welchia worm a few weeks back, but I removed
it (may not have completely been removed), or there is a
trace of a virus running as part of the background
processes, (in the form of that SVCHOST.EXE file that
prompts the NT AUTHORITIES shut down, if this process is
closed).

When I try and close this background file ("End Task"),
it causes my computer to shut down. This is not normal,
bearing in mind that no virus has been detected. It's
hidden in the registry! I tried remastering my computer,
and it is still running in the background processes (in
the form of one of the SVCHOST.EXE files).

How could I remove the bad part of the SVCHOST.EXE file?

I even ran Anti-Trojan 5.0, and it did not detect
anything either. I'm totally confused. I would
appreciate any help.

I would like to think it is not a virus, but why does
that shut down prompt pop up when I close this
SVCHOST.EXE file?

Thank you
 
IQY

I've run McAfee's Stinger, and nothing has been found.

What sort of virus did you have?

Thanks
 
Steve Nielsen

If you did not update Windows or at least install the KB824146 hotfix
from MS then you're still vulnerable to blaster and welchia worms and
may have been re-infected. Some a/v software won't catch these worms at
all and some will disinfect and delete files but not reverse registry
changes. The removal tools from Symantec will stop the processes, delete
the worm files and reverse the registry changes, but make sure to patch
the machine first.

Steve
 
Sharon F

I have run a virus scan using Norton (with updated
definitions), and it did not detect anything.

I did have a Welchia worm a few weeks back, but I removed
it (may not have completely been removed), or there is a
trace of a virus running as part of the background
processes, (in the form of that SVCHOST.EXE file that
prompts the NT AUTHORITIES shut down, if this process is
closed).

When I try and close this background file ("End Task"),
it causes my computer to shut down. This is not normal,
bearing in mind that no virus has been detected. It's
hidden in the registry! I tried remastering my computer,
and it is still running in the background processes (in
the form of one of the SVCHOST.EXE files).

How could I remove the bad part of the SVCHOST.EXE file?

I even ran Anti-Trojan 5.0, and it did not detect
anything either. I'm totally confused. I would
appreciate any help.

I would like to think it is not a virus, but why does
that shut down prompt pop up when I close this
SVCHOST.EXE file?

Thank you

SVCHOST is a normal file in Windows. It's not unusual to see 3 or 4
instances of it in Task Manager. Depending on what service a particular
instance is hosting, ending task could conceivably shut down the computer.

Some of the recent viruses/worms/trojans added an extra (and bogus)
svchost.exe in a location that is different than the one for the normal
Windows file. The working copy of the Windows file resides in the
Windows\System32 folder. There should be a legit copy of it in the dllcache
folder as well.

If by any chance the virus affected your good copy of svchost before you
could remove it, the repair install that you performed should have
corrected that.
 
Steve Nielsen

Sharon said:
SVCHOST is a normal file in Windows. It's not unusual to see 3 or 4
instances of it in Task Manager. Depending on what service a particular
instance is hosting, ending task could conceivably shut down the computer.

Some of the recent viruses/worms/trojans added an extra (and bogus)
svchost.exe in a location that is different than the one for the normal
Windows file. The working copy of the Windows file resides in the
Windows\System32 folder. There should be a legit copy of it in the dllcache
folder as well.

If by any chance the virus affected your good copy of svchost before you
could remove it, the repair install that you performed should have
corrected that.

I hate to "dissagree" with an MVP, but....

From what I have read on MS and Symantec sites and from viewing log
files of cleaned machines the blaster and welchia worms do not infect,
replace, or drop a bogus copy of SVCHOST.EXE, but they use that service.
For example, running the FixBlast.exe tool from Symantec on a machine
infected with blaster it will stop the viral process, delete mblast.exe
and reverse the registry changes the worm made. In none of the log files I have
seen after running the fixblast or fixwelch tools on infected machines
do the logs indicate that the file SVCHOST.EXE is infected.

Also, on a fresh install of XP Pro, fully updated, I see only one copy
of SVCHOST.EXE which is in the Windows\System32 folder and there is no
SVCHOST.EXE file in dllcache folder.

Steve
 
Sharon F

Steve said:
I hate to "dissagree" with an MVP, but....

Why? If you have something to add --whether it confirms, questions or
expresses a different stance -- it's important to bring it up. The
resulting discussion gives everyone (MVPs included) a chance to learn more.

Steve said:
From what I have read on MS and Symantec sites and from viewing log
files of cleaned machines the blaster and welchia worms do not infect,
replace, or drop a bogus copy of SVCHOST.EXE, but they use that service.
For example, running the FixBlast.exe tool from Symantec on a machine
infected with blaster it will stop the viral process, delete mblast.exe
and reverse the registry changes the worm made. In none of the log files I have
seen after running the fixblast or fixwelch tools on infected machines
do the logs indicate that the file SVCHOST.EXE is infected.

I'm sure that you know there are other viruses besides blaster and welchia.
The original question seemed to express concern that the presence of
svchost in their task manager was a bad thing. So concerned, that they keep
trying to end task on it. Since several occurrences of svchost in task
manager are usually normal, they can stop worrying so much.

However, it's not unusual for viruses, worms or trojans to drop files with
legitimate names in non-standard locations. It took me 3 seconds with
Google to find one that drops a bogus svchost.exe file:

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.xts.html

In other words, make sure normal is in fact normal before completely
relaxing. "Svchost," no matter what location it is loading from will still
look like "Svchost" in Task Manager. Dig a little deeper to make sure it is
the legit svchost file and check the system regularly with a good
up-to-date antivirus program.

Steve said:
Also, on a fresh install of XP Pro, fully updated, I see only one copy
of SVCHOST.EXE which is in the Windows\System32 folder and there is no
SVCHOST.EXE file in dllcache folder.

I have a two year old installation of XP and have the file in both places
that I mentioned. Both copies have the same date/time stamp as the original
WinXP files. My copy in dllcache is listed between svcext51.dll and
svcpack.dll when sorting by Name.

I have no idea why our setups are different in this respect. However the
important thing is the location of the *working* svchost file that Windows
is known to use (remembering to stay alert for bogus look alikes loading
from other locations). The copy in dllcache should match the working copy
since dllcache is used as a source folder to replace damaged or corrupt
system files.
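Sharon's advice in this reply and in her earlier one comes down to one check: Task Manager only shows the name "svchost", so look at where each instance was actually loaded from, which services it hosts, and whether the file matches the working copy in Windows\System32 (and, on XP-era installs, the dllcache copy). The script below is an added example, not code from the thread or from Microsoft; it assumes a Windows host with PowerShell 3 or later (Get-CimInstance, Get-FileHash and Get-AuthenticodeSignature did not exist on the XP systems discussed) and an elevated prompt so the image path of SYSTEM-owned processes is readable. It reports and never ends any task, since the thread already explains why "End Task" on the real svchost shuts the machine down.

```powershell
# Added example (not from the thread). Lists every running svchost.exe with
# its load path, hosted services, signature status and whether its bytes
# match the Windows\System32 copy. Assumes PowerShell 3+ on Windows, run
# elevated.

$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'
# dllcache only exists on XP-era installs (Windows File Protection source).
$dllcache = Join-Path $env:SystemRoot 'System32\dllcache\svchost.exe'
$refHash  = (Get-FileHash -LiteralPath $expected -Algorithm SHA256).Hash

function Get-SvchostReport {
    Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $path = $_.ExecutablePath
        # Services hosted by this particular instance (what "End Task" would kill).
        $hosted = (Get-CimInstance Win32_Service -Filter "ProcessId = $($_.ProcessId)").Name -join ', '

        if (-not $path) {
            # Non-elevated sessions cannot read the path of SYSTEM processes.
            $status = 'UNKNOWN (path not readable; run elevated)'
            $hash   = $null
            $sig    = $null
        } else {
            $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $sig    = (Get-AuthenticodeSignature -FilePath $path).Status
            # Location is the decisive test: a byte-identical copy of the real
            # svchost.exe loading from another folder is still not normal.
            $status = if ($path -eq $expected) { 'OK: System32 copy' }
                      else { 'SUSPECT: loaded from non-standard location' }
        }

        [pscustomobject]@{
            PID             = $_.ProcessId
            Path            = $path
            HostedServices  = $hosted
            MatchesSystem32 = if ($hash) { $hash -eq $refHash } else { $null }
            Signature       = $sig
            Status          = $status
        }
    }
}

function Test-DllcacheCopy {
    # On XP-era installs the dllcache copy should be identical to the working
    # copy, since Windows File Protection restores damaged system files from it.
    if (-not (Test-Path -LiteralPath $dllcache)) {
        return 'No dllcache copy present (normal on newer Windows and on some XP builds)'
    }
    $cacheHash = (Get-FileHash -LiteralPath $dllcache -Algorithm SHA256).Hash
    if ($cacheHash -eq $refHash) { 'dllcache copy matches the System32 copy' }
    else { 'WARNING: dllcache copy differs from the System32 copy' }
}

Get-SvchostReport | Format-Table -AutoSize
Test-DllcacheCopy
```

Any row whose Status is SUSPECT, whose Signature is not Valid, or whose MatchesSystem32 is False is the "dig a little deeper" case: note the path and the hosted service names and scan that file with an up-to-date antivirus product rather than ending the task. Several rows with Status OK and different HostedServices lists are the normal picture Sharon describes.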
 
Steve Nielsen

Sharon said:
Why? If you have something to add --whether it confirms, questions or
expresses a different stance -- it's important to bring it up. The
resulting discussion gives everyone (MVPs included) a chance to learn more.

I know, but it rhymed! :)

I certainly have been learning quite a bit here and I appreciate it.

Sharon said:
I'm sure that you know there are other viruses besides blaster and welchia.
The original question seemed to express concern that the presence of
svchost in their task manager was a bad thing. So concerned, that they keep
trying to end task on it. Since several occurrences of svchost in task
manager are usually normal, they can stop worrying so much.

However, it's not unusual for viruses, worms or trojans to drop files with
legitimate names in non-standard locations. It took me 3 seconds with
Google to find one that drops a bogus svchost.exe file:

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.xts.html

Point well put and taken. I sit corrected. I have focussed mainly on the
two worms I suppose because I've had to deal with those two on our large
WAN for the longest time and have had to learn way too much about them.
I've got the welchia-willie-nillies and blaster-brain now.

Sharon said:
In other words, make sure normal is in fact normal before completely
relaxing. "Svchost," no matter what location it is loading from will still
look like "Svchost" in Task Manager. Dig a little deeper to make sure it is
the legit svchost file and check the system regularly with a good
up-to-date antivirus program.

I have a two year old installation of XP and have the file in both places
that I mentioned. Both copies have the same date/time stamp as the original
WinXP files. My copy in dllcache is listed between svcext51.dll and
svcpack.dll when sorting by Name.

I have no idea why our setups are different in this respect. However the
important thing is the location of the *working* svchost file that Windows
is known to use (remembering to stay alert for bogus look alikes loading
from other locations). The copy in dllcache should match the working copy
since dllcache is used as a source folder to replace damaged or corrupt
system files.

Understood. I don't know why our setups would be different either but I
suppose it could be for a number of possible reasons, initial version of
XP installed (ours includes SP1) order and number of hotfixes applied,
installed software, etc.

Anyway, thank you for your reply.

Steve
 
Sharon F

Steve said:
Understood. I don't know why our setups would be different either but I
suppose it could be for a number of possible reasons, initial version of
XP installed (ours includes SP1) order and number of hotfixes applied,
installed software, etc.

Anyway, thank you for your reply.

You're welcome.

I have the original release with SP1 applied. That may very well be the
difference right there.

Regards,
 
