svhost - NOT svchost

Thread starter: The Revd M Komor

The Revd M Komor

Hi
Can anyone tell me authoritatively if svhost.exe is a virus, or part of the
updating mechanism for XP?
Thanks
 
The Revd M Komor said:
Hi
Can anyone tell me authoritatively if svhost.exe is a virus, or part of the
updating mechanism for XP?
Thanks

It is a virus and I also think it enables back door access to use your disk
space to circulate / share large files.

In order to delete the virus which can be found in C:\Windows\svhost.exe you
first need to search the Windows Registry for svhost.exe
Press Start / Run then type Regedit. Then press 'CTRL' + 'F' together to
bring up the search dialogue box and type svhost.exe, press enter. Delete
the entry from the registry.

Re-boot the computer and then delete the file C:\Windows\svhost.exe

** The registry entry runs the virus on boot-up preventing you from deleting
the file. By deleting the registry entry and re-booting the computer the
virus doesn't run on boot up so you can delete it. **

Check your drive for a folder called WU Temp (may be a hidden folder) and
confirm that its contents were put there by yourself.



Andy

Most Valuable Primate
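Andy's steps above (search the Run keys for svhost.exe, then remove the file) can be turned into a repeatable check. The script below is an added example for this thread, not anything posted by Andy or shipped with Windows: it parses a Regedit export of the Run keys and flags entries whose executable name is one letter away from a real system binary (the svhost/svchost trick) or that sit directly in the Windows folder. The .reg text and the three Run values in it are constructed for the example, and the "one edit away" and "Windows folder" rules are triage heuristics, not proof of infection.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a Regedit export (File > Export) of the HKLM Run key.
# The "Windows Update" value is the kind of lookalike entry described in the
# thread; the other two values stand in for legitimate neighbours. All three
# are made up for this example.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfee Shield"="\"C:\\Program Files\\McAfee\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"Windows Update"="C:\\Windows\\svhost.exe"
"Outpost"="\"C:\\Program Files\\Agnitum\\Outpost Firewall\\outpost.exe\" /waitservice"
'''

# Real Windows binaries whose names malware imitates by dropping, doubling
# or swapping a single letter (svhost.exe vs svchost.exe).
SYSTEM_BINARIES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "explorer.exe", "smss.exe")

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    """Undo the .reg escaping of backslashes and double quotes."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_entries(reg_text):
    """Yield (key, value_name, command) for string values under Run/RunOnce keys."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key and "\\run" in key.lower():
            yield key, unescape(m.group(1)), unescape(m.group(2))


def executable_path(command):
    """Pull the executable out of a Run value, which may carry arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted: take everything up to the first ".exe" so paths with spaces survive.
    m = re.match(r"(.+?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else (command.split() or [""])[0]


def edit_distance(a, b):
    """Levenshtein distance; one edit away from a system name is the lookalike test."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_entry(command):
    """Return the reasons an autorun command deserves a closer look (empty if none)."""
    path = PureWindowsPath(executable_path(command))
    name = path.name.lower()
    reasons = []
    for real in SYSTEM_BINARIES:
        if name != real and edit_distance(name, real) == 1:
            reasons.append(f"name imitates {real}")
    # Heuristic: Run entries normally point into Program Files or system32;
    # a binary sitting directly in the Windows folder is worth a second look.
    if str(path.parent).lower().endswith("\\windows"):
        reasons.append("executable sits directly in the Windows folder")
    return reasons


def suspicious_autoruns(reg_text):
    """Map value name -> (executable, reasons) for every flagged Run entry."""
    findings = {}
    for _key, value_name, command in parse_run_entries(reg_text):
        reasons = assess_entry(command)
        if reasons:
            findings[value_name] = (executable_path(command), reasons)
    return findings


if __name__ == "__main__":
    for value_name, (exe, reasons) in suspicious_autoruns(SAMPLE_REG_EXPORT).items():
        print(f"{value_name!r} -> {exe}: {'; '.join(reasons)}")
```

Run it against a real export (Regedit, File > Export of the Run key) and review each flagged value by hand before deleting anything; the lookalike test only narrows down what to look at, and the file itself still needs scanning, since a name alone never proves infection.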
 
The Revd M Komor said:
Hi
Can anyone tell me authoritatively if svhost.exe is a virus, or part
of the updating mechanism for XP?
Thanks

A good place to look to check if a filename might be a virus is to check
the web sites of the anti-virus makers. For example, just go visit
http://securityresponse.symantec.com/avcenter/vinfodb.html and search on
"svhost". However, a filename can never designate whether or not the
file is a virus. YOU could rename autoexec.bat to svhost.exe. The name
is unimportant. The viruses have signatures whether in the file they
infect or in the content that gets put into memory when the file gets
loaded or compiled (i.e., at some point, it has to get into memory to
effect its payload). Or are you claiming that whatever anti-virus
product you use, which you didn't bother to mention, did not detect a
file named svhost.exe as infected under your presumption that filenames
dictated infected files? Is this a process you noticed in Task Manager
or a file you happened upon in Explorer?

If you suspected a virus, why didn't you then run a full scan of your
system using a recently updated anti-virus program? If you have an
anti-virus, why isn't it always loaded so its on-demand scanner can scan
memory to detect when an infected file gets loaded into memory or
something gets used to build the virus into memory? There are freebie
online scanners available from several of the anti-virus makers (most
probably require you to download an ActiveX control to run as a local
client that downloads the signatures and does the checking against your
files). Note that anti-virus products that only scan files can miss
some viruses. It is possible to hide a virus within file(s) but once it
gets loaded into memory then it can be detected. So the online scanners
are handy and scheduling a file scan using a local anti-virus product is
still recommended but you really need to have a local anti-virus program
that monitors memory. That is, you need the on-demand scanner provided
with anti-virus software that remains running while your computer is up.
So going the route of thinking the freebie online virus scanners should
find everything is driving blind and hoping the road is straight. Go
buy an anti-virus product and keep it updated daily if not more often.

If you want an authoritative answer then go buy anti-virus software.
Although I use Norton's, my vote goes to NOD32, then KAV, and followed
by the rest (Norton, McAfee, Panda, etc.). Most have trialware versions
so you can see what works for you. Pick one you will actually use as
selecting the one with the best coverage but which you won't use or
maintain or know how to use when infected renders it a worthless
anti-virus product. For example, there are 3rd party firewalls that are
far superior to the firewall included in Windows XP (and even in SP-2)
but even the included Windows XP firewall is better than no firewall.
Get protection software that you will actually use.
 
Thanks for your fulsome reply; in fact the following protection programs
were all loaded and running: McAfee VirusScan 8, Spywareguard,
Spywareblaster, Adaware SE, Spybot Search and Destroy, Quik-Fix Pro, Agnitum
Outpost Pro 2.1. Nothing picked it up.
It was only when I noticed high levels of sending activity on the DSL line
that I managed, through Agnitum, to track down what was responsible.
When I investigated svhost in the registry, the values associated with it
suggested it was part of the MS Auto Update system, and as I'm waiting for
SP2 to download I thought it may be that.
Of the online scanners only F-Protect picked it up; Norton missed it.
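The poster found the file not through any scanner but by noticing unusual outbound traffic and using the firewall's per-process view to see who was sending. The script below is an added example, not the poster's own tooling and not Outpost's log format: it aggregates a process-aware firewall's outbound log by process, ranks senders by bytes, and flags any process that dominates outbound volume or talks to many distinct hosts. The log lines, their format, the byte counts and the addresses (RFC 5737 documentation ranges) are all constructed for this example, and the two thresholds are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample of a process-aware personal firewall's outbound log.
# The line format is invented for this example (it is not Outpost's real
# format); addresses come from the RFC 5737 documentation ranges and the
# byte counts are made up.
SAMPLE_FIREWALL_LOG = """\
2004-08-12 21:03:11 OUT TCP iexplore.exe 192.0.2.10:1043 -> 198.51.100.20:80 bytes=1820
2004-08-12 21:03:15 OUT TCP svhost.exe 192.0.2.10:1045 -> 198.51.100.7:6667 bytes=48210
2004-08-12 21:04:02 OUT TCP svhost.exe 192.0.2.10:1047 -> 203.0.113.55:18300 bytes=913400
2004-08-12 21:04:30 OUT TCP mcshield.exe 192.0.2.10:1048 -> 198.51.100.30:80 bytes=2450
2004-08-12 21:05:12 OUT TCP svhost.exe 192.0.2.10:1049 -> 203.0.113.91:18300 bytes=1204800
2004-08-12 21:05:50 OUT TCP iexplore.exe 192.0.2.10:1050 -> 198.51.100.20:80 bytes=3100
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) OUT (?P<proto>TCP|UDP) (?P<proc>\S+) "
    r"(?P<src>\S+) -> (?P<dst>[\d.]+):(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Yield one dict per well-formed outbound log line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            rec["dport"] = int(rec["dport"])
            yield rec


def bytes_per_process(records):
    """Aggregate bytes sent, distinct peers and destination ports per process."""
    totals = defaultdict(lambda: {"bytes": 0, "peers": set(), "ports": set()})
    for rec in records:
        t = totals[rec["proc"].lower()]
        t["bytes"] += rec["bytes"]
        t["peers"].add(rec["dst"])
        t["ports"].add(rec["dport"])
    return dict(totals)


def rank_senders(text, min_share=0.5, min_peers=3):
    """Return (ranked, flagged): processes by bytes sent, and those worth chasing.

    A process is flagged when it accounts for at least min_share of all
    outbound bytes or talks to at least min_peers distinct hosts. Both
    thresholds are illustrative and would be tuned to the machine's normal use.
    """
    totals = bytes_per_process(parse_log(text))
    grand_total = sum(t["bytes"] for t in totals.values()) or 1
    ranked = sorted(totals.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    flagged = [
        proc for proc, t in ranked
        if t["bytes"] / grand_total >= min_share or len(t["peers"]) >= min_peers
    ]
    return ranked, flagged


if __name__ == "__main__":
    ranked, flagged = rank_senders(SAMPLE_FIREWALL_LOG)
    for proc, t in ranked:
        print(f"{proc:<14} {t['bytes']:>10} bytes  peers={len(t['peers'])} "
              f"ports={sorted(t['ports'])}")
    print("investigate:", flagged)
```

Aggregating by process rather than by connection is what makes the pattern visible: a single large upload from a browser is normal, but an unfamiliar process that sends most of the machine's outbound bytes to several hosts it has no business with is exactly the signal the poster saw on the DSL line.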
 
The Revd M Komor said:
Thanks for your fulsome reply; in fact the following protection
programs were all loaded and running: McAfee VirusScan 8,
Spywareguard, Spywareblaster, Adaware SE, Spybot Search and Destroy,
Quik-Fix Pro, Agnitum Outpost Pro 2.1. Nothing picked it up.
It was only when I noticed high levels of sending activity on the DSL
line that I managed, through Agnitum, to track down what was
responsible.
When I investigated svhost in the registry, the values associated
with it suggested it was part of the MS Auto Update system, and as
I'm waiting for SP2 to download I thought it may be that.
Of the online scanners only F-Protect picked it up; Norton missed it.

If it is a new zombie, maybe you could dissect the file by using a hex
editor to see if you can find the URL where it phones home (probably a
chat service) along with the chat room name and password, and then
report it to the chat service. As mentioned, file scanners (even the
online ones) can miss viruses but the on-demand scanner running locally
might catch it when it gets loaded into memory. However, downloading
many trial versions of AV products to see which ones will detect using
their on-demand scanner is a pain.

I didn't realize that F-Prot had an online scanner available from its
web site. Got the link to it?
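The hex-editor suggestion above amounts to pulling readable strings out of the binary and looking for hostnames, URLs and chat room names. The script below is an added example, not something from the thread: it does a strings-style pass over a byte blob (both plain ASCII and the UTF-16LE that Windows programs often use), then picks out URLs, hostnames and #channel-style tokens. The blob is constructed for the example; its hostnames use the reserved example/invalid domains and the channel name is made up.

```python
import re

# Constructed stand-in for a suspicious executable: a few fake strings
# buried in filler bytes that fall outside the printable ASCII range.
# Hostnames use reserved example domains; nothing here is a real indicator.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + bytes(range(0, 32))
    + b"irc.example.net\x00" + b"\x01\x02\x7f\xff"
    + b"JOIN #constructed-room\x00" + b"\x00" * 8
    + "http://update.example.invalid/check".encode("utf-16-le") + b"\x00\x00"
    + bytes(range(127, 256)) + b"ab\x00"  # "ab" is too short to count as a string
)

# A URL with a scheme, or a bare dotted hostname; and an IRC-style channel name.
HOST_RE = re.compile(r"\b(?:https?|irc)://\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)
CHANNEL_RE = re.compile(r"#[\w-]{2,}")


def extract_strings(data, min_len=4):
    """Return (offset, encoding, text) for printable runs of at least min_len chars.

    ASCII runs are bytes 0x20-0x7e; UTF-16LE runs are those same bytes each
    followed by a NUL, which is how Windows stores wide strings.
    """
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_run.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in wide_run.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def extract_indicators(data):
    """Collect hostnames/URLs and channel-like tokens from the extracted strings."""
    hosts, channels = set(), set()
    for _offset, _enc, text in extract_strings(data):
        hosts.update(HOST_RE.findall(text))
        channels.update(CHANNEL_RE.findall(text))
    return {"hosts": sorted(hosts), "channels": sorted(channels)}


if __name__ == "__main__":
    for offset, enc, text in extract_strings(SAMPLE_BLOB):
        print(f"{offset:6d} {enc:<9} {text}")
    print(extract_indicators(SAMPLE_BLOB))
```

Strings in a real sample are often packed or lightly obfuscated, so an empty result does not clear the file; but when hostnames and channel names do fall out this way they are the details to hand over to the service being abused, which is what the reply above recommends. Scanning a copy of the file from a machine that is not running it keeps the triage safe.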
 