20-04-2006, 22:15
|
#1
|
|
cf.addict
Join Date: Apr 2005
Posts: 249
|
svchost.exe
I have a file on my PC which is called svchost.exe and Norton Internet Security 2003 is saying that it is a virus. After a quick google i found out that it is not a virus. But i continually get these Norton error messages saying that it cannot quarantine or delete the virus. I have tried manually deleting the virus but it can't do that. Does anyone have any ideas on how to fix this?
Last edited by topcreator; 20-04-2006 at 22:22.
|
|
|
|
20-04-2006, 22:23
|
#2
|
|
vista home premium user
Join Date: Jul 2004
Location: chavy Nottingham
Age: 24
Services: Freeview, Sky+ on big TV, 2 Mb/s NTL BB, mega PC, PSP, PDA, N95
Posts: 6,349
|
Re: svchost.exe
Depends where it is. If it's C:\Windows\System32 it's legit but should never appear in Msconfig.
__________________
PC: X2 4200+, 2GB RAM, X1650, 940GB HDDs, Audigy2ZS Platinum, HVR1100, Vista Home Premium Laptop: Advent 7203 (T5300, 2GB RAM, 80GB HDD, VHP) Server: WHS (XP 2800+, 1GB RAM, 820GB HDD)
 10111 pts
|
|
|
|
|
20-04-2006, 22:25
|
#3
|
|
cf.addict
Join Date: Apr 2005
Posts: 249
|
Re: svchost.exe
its in the location C:\Documents and Settings\All Users\Start Menu\Startup\svchost.exe if this helps
|
|
|
|
|
20-04-2006, 22:36
|
#4
|
|
Karateka
Join Date: Dec 2003
Age: 33
Posts: 7,098
|
Re: svchost.exe
Right click on it and select properties. If it was in Windows\system32 then it should be the legitimate Windows file of that name, but considering where it is and that your AV says it's infected, I'd tend to believe it and try quarantining it.
Here's an example of a worm that creates a file of the same name but that is infected... http://www.symantec.com/avcenter/ven...torvel@mm.html
Just because a file has the same name as a legitimate file, doesn't mean that it's not infected with a virus.
__________________
Quidquid latine dictum sit, altum sonatur.
|
|
|
|
|
20-04-2006, 22:44
|
#5
|
|
looking about
Join Date: Jun 2003
Location: Teesside
Age: 43
Posts: 7,553
|
Re: svchost.exe
Quote:
|
Originally Posted by topcreator
I have a file on my PC which is called svchost.exe and Norton Internet Security 2003 is saying that it is a virus. After a quick google i found out that it is not a virus. But i continually get these Norton error messages saying that it cannot quarantine or delete the virus. I have tried manually deleting the virus but it can't do that. Does anyone have any ideas on how to fix this?
|
There was another thread a while ago about this, there's some good info, plus, check out my links in post #9, they give you info on what each instance is 
Thread
__________________
|
|
|
|
|
20-04-2006, 22:47
|
#6
|
|
Owned by my cat Tigger
Join Date: Jul 2005
Location: Bolton
Age: 42
Services: 4MB NTL Broadband...but not for long if Virgin don't ditch Phorm!
Posts: 489
|
Re: svchost.exe
If you select Properties and click on the Version tab, if the file's legit it'll have the value 'Microsoft Corporation' next to 'Company Name' and there'll be a copyright message. The file will identify itself as 'Generic Host Process for Win32 Services'. If there's nothing there and/or the file is anywhere else but the Windows\System32 folder, it's a worm.
__________________
There are too many people in the world who look, but do not see; who listen, but do not hear; who acknowledge, but do not understand; who speak when they have nothing to say.
- Me
|
|
|
|
|
20-04-2006, 22:55
|
#7
|
|
Cable Forum Team
Join Date: Jul 2003
Location: Poole, Dorset
Age: 23
Services: Sky+
V-Box
VM 10MBit
Posts: 9,505
|
Re: svchost.exe
Quote:
|
Originally Posted by Anonymouse
If you select Properties and click on the Version tab, if the file's legit it'll have the value 'Microsoft Corporation' next to 'Company Name' and there'll be a copyright message. The file will identify itself as 'Generic Host Process for Win32 Services'.
|
This information can easily be spoofed in the file. You can set this information in whatever programming environment you use! |
|
|
|
20-04-2006, 23:01
|
#8
|
|
Busy Admin
Join Date: Oct 2003
Location: Nottingham
Age: 45
Services: ntl Phone : Sky+ (with multiroom) : ntl Cable (20 Mbps)
Posts: 14,377
|
Re: svchost.exe
Given it's location I would simply delete it - no genuine copy of scvhost.exe would reside there.
__________________
 Click here for a real, interactive, tv guide.
|
|
|
|
|
20-04-2006, 23:02
|
#9
|
|
CableForum - Talk to me!
Join Date: Dec 2003
Location: Baw deep in a munter
Age: 32
Services: Initiations, rep rigging and orgies!
Posts: 5,772
|
Re: svchost.exe
Im with Paul M it shouldnt be in startup, delete it.
__________________
XBox Live Member TE3BLUERAJA /// Go Retro Gaming here |
|
|
|
|
20-04-2006, 23:04
|
#10
|
|
Cable Forum Team
Join Date: Jul 2003
Location: Poole, Dorset
Age: 23
Services: Sky+
V-Box
VM 10MBit
Posts: 9,505
|
Re: svchost.exe
You might have to kill it first before you can delete it. If you check in the processes list of task manager the real SVCHosts should be owned by a user like "System" or "Network Service" or similar, whereas the dodgy one will probably be owned by Your Username.
|
|
|
|
|
21-04-2006, 06:43
|
#11
|
|
MoonUnit on UT2004
Join Date: Jun 2003
Location: great yarmouth
Services: Zen 2Mb adsl, Draytek 2820Vn
Posts: 596
|
Re: svchost.exe
you can submit a single file to be scanned on kaspersky
http://www.kaspersky.com/virusscanner |
|
|
|
|
21-04-2006, 09:59
|
#12
|
|
Karateka
Join Date: Dec 2003
Age: 33
Posts: 7,098
|
Re: svchost.exe
Contrary to Paul, I wouldn't delete it - I would quarantine it. Any decent antivirus has a quarantining function, which blocks the file from doing anything, but allows you to unquarantine it if your PC gets fubar'ed.
It's hard to get it back if you've deleted it however.
__________________
Quidquid latine dictum sit, altum sonatur.
|
|
|
|
|
21-04-2006, 11:55
|
#13
|
|
CableForum - Talk to me!
Join Date: Dec 2003
Location: Baw deep in a munter
Age: 32
Services: Initiations, rep rigging and orgies!
Posts: 5,772
|
Re: svchost.exe
Quote:
|
Originally Posted by Gareth
Contrary to Paul, I wouldn't delete it - I would quarantine it. Any decent antivirus has a quarantining function, which blocks the file from doing anything, but allows you to unquarantine it if your PC gets fubar'ed.
It's hard to get it back if you've deleted it however.
|
But he's got norton (snigger)... 
Seriously though, that product does quarantine, the real question is why hasnt it detected it IF its a virus?
Assuming thats what it is.
__________________
XBox Live Member TE3BLUERAJA /// Go Retro Gaming here |
|
|
|
|
21-04-2006, 16:11
|
#14
|
|
cf.addict
Join Date: Apr 2005
Posts: 249
|
Re: svchost.exe
Thanks for all your help, i have now sorted it. It was not a shortcut to the system32 folder and i tried manually deleting it and that didn't work so i have quarantined it and my system is now working alright
|
|
|
|
|
21-04-2006, 22:33
|
#15
|
|
Owned by my cat Tigger
Join Date: Jul 2005
Location: Bolton
Age: 42
Services: 4MB NTL Broadband...but not for long if Virgin don't ditch Phorm!
Posts: 489
|
Re: svchost.exe
Quote:
|
Originally Posted by Zeph
This information can easily be spoofed in the file. You can set this information in whatever programming environment you use!
|
Of course you can do that, and anyone who's writing legit apps should and probably will - but the maladjusted ******s who write such scumware generally don't. They're clever enough to write the crap, but not clever enough to include copyright info.
We hope.
And there's one property that's difficult to spoof, viz. the file size. It is - or should be - 7,952 bytes for Win2000 and 14,336 bytes (exactly 14K) in XP.
__________________
There are too many people in the world who look, but do not see; who listen, but do not hear; who acknowledge, but do not understand; who speak when they have nothing to say.
- Me
|
|
|
|
|
Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
|
|
|
Posting Rules
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
HTML code is Off
|
|
|
All times are GMT +1. The time now is 00:29.
|
Join CF
You are here: 
