Computer Help!
24-10-2005   #1
wonwinglo (Moderator)
Dilemma exe ?

svchost.exe is a bona fide file used by Microsoft, however it is also the identical file name for the nasty little W32_Welchia.worm which gives Windows LSASS Vulnerability.

Since this morning I have suddenly had something from the internet constantly trying to get through my firewall with this name, which I have put a block on?

A search finds the following in - C:\WINDOWS\system32\svchost.exe. Now, is this a genuine file or the little nasty? When I attempt to remove it, it just says cannot delete this file? What do I do??
Will a spyware tool find it? And if so, which is a reliable one to use please?

I am baffled how there can be two different applications, one ok and the other sinister, for the same file name? Surely Microsoft should do something drastic there.

PS - Just checked my firewall block on this and it says - C:\WINDOWS\system32\svchost.exe does not contain a virus and comes from Microsoft corporation. This contradicts what it says above, who do I believe and what exactly is the function of this file?
__________________
'And there I was oil on my goggles from a broken pipe,then I looked at the altimeter,all I could see was the makers name !'
www.wonwinglo.scale-models.net/

25-10-2005   #2
squiffythewombat (Guest)
My turn to help you...yay!

svchost is a file that Windows uses to launch dynamic link library files (DLLs) and is quite essential within the Windows environment. It is normal for more than one copy of the file to run as it is necessary for various different applications and resource management programs. However it is also quite common for this file to be hijacked by various malware and spyware, and this is usually accompanied with HEAVY registry edits.

It is possible for you to manually check the registry and files yourself but this is long-winded and practically impossible if you don't know what you're doing. Have you installed any new programs or applications recently? Have you updated any programs or changed any network settings recently? If you have, it's likely that this is a legit change; if you haven't, I suggest the following:

1) Download and install "Microsoft Antispyware"! Run it and use the full scan option. (This is also a really good IE popup/hijack blocker.)
2) Visit Trendmicro.com and use their free online virus scanner (beware, it's not a quick process).
3) If these programs don't find anything, here's some more you can try: Adaware, Spybot-search & destroy, Dr.Spy, anything by Norton or Trendmicro.

If you're still having problems or unsure, pop me a bell and I'll investigate some more...
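
Added example, not part of either poster's reply and not any vendor's tool: one way to separate the genuine svchost.exe from a same-named or similar-named impostor, the question raised in this thread, is to check where the image lives, what launched it and how it was started. The process snapshot and the `triage`/`scan` helpers are constructed for illustration, and the look-alike-name check goes slightly beyond the thread's case.

```python
import ntpath  # Windows path rules on any OS, so the example runs offline

GOOD_NAME = "svchost.exe"

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(proc, system_root=r"C:\WINDOWS"):
    """Return the reasons a process record does not look like the real svchost.
    Assumption: 32-bit Windows as in the thread (no SysWOW64 copy)."""
    path = ntpath.normcase(ntpath.normpath(proc["path"]))
    name = ntpath.basename(path)
    expected = ntpath.normcase(ntpath.join(system_root, "system32", GOOD_NAME))
    reasons = []
    if name == GOOD_NAME:
        if path != expected:
            reasons.append("svchost.exe outside System32")
        if proc["parent"].lower() != "services.exe":
            reasons.append("parent is not services.exe")
        if " -k " not in proc["cmdline"].lower() + " ":
            reasons.append("no -k service group on command line")
    elif edit_distance(name, GOOD_NAME) <= 2:
        reasons.append("look-alike name: " + name)
    return reasons

# Constructed process snapshot: pid, image path, parent image, command line.
SNAPSHOT = [
    {"pid": 812, "path": r"C:\WINDOWS\system32\svchost.exe",
     "parent": "services.exe", "cmdline": r"C:\WINDOWS\system32\svchost.exe -k netsvcs"},
    {"pid": 2044, "path": r"C:\WINDOWS\Temp\svchost.exe",
     "parent": "explorer.exe", "cmdline": r"C:\WINDOWS\Temp\svchost.exe"},
    {"pid": 2310, "path": r"C:\WINDOWS\system32\scvhost.exe",
     "parent": "explorer.exe", "cmdline": r"C:\WINDOWS\system32\scvhost.exe"},
    {"pid": 640, "path": r"C:\WINDOWS\system32\..\system32\SVCHOST.EXE",
     "parent": "services.exe", "cmdline": "svchost.exe -k rpcss"},
]

def scan(snapshot=SNAPSHOT):
    """Map pid -> reasons for every record that fails at least one check."""
    return {p["pid"]: r for p in snapshot if (r := triage(p))}

if __name__ == "__main__":
    for pid, reasons in scan().items():
        print(pid, reasons)
```

A clean result from these checks narrows the question but does not prove the file is unmodified; a signature or hash check on the image itself is the complementary step.
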

25-10-2005   #3
wonwinglo (Moderator)
Toby, that is a mine of information for me and just what I wanted. It looks as if it started with a Norton Firewall update, so as you say it looks kosher. Numerous checks have found nothing sinister, so it looks as if I got a bit paranoid, but better safe than sorry as there are so many nasties lurking out there. Once more the hackers are getting very clever, as you well know; this is a typical example.
Thank you for responding so quickly, it is much appreciated and you have been a great help to me.