svchost virus

[BreakGuy]

From what I can understand the only svchost.exe should be found in the system32 folder. However, I completed a search and I've discovered it's in a lot more folders than system32.

I need to get rid of these files as I believe they are the cause of my recent problems and annoyances. How do I go about doing this?

 

[WindowsStar]

svchost.exe can be in several folders and you may have 2 different versions. One in system32 (x64) and one in SysWOW64 (x86).

 

[BreakGuy]

These are the search results:
http://i47.tinypic.com/2w6xy1k.png

 

[WindowsStar]

The ones in the TEMP folder and the ones in C:\Windows look fishy. You may have a virus. I would do a full off-line virus scan.

Downloadable Computer Repair CDs | Technibble
http://www.microsoft.com/security_essentials/
Malwarebytes

BitDefender is good but you should use different ones to cover all the bases.
http://download.bitdefender.com/rescue_cd/

Note some of the links are old, you may have to look for the newest version but you get the idea.

 

[BreakGuy]

I've done numerous scans over the past week using my paid for BitDefender and it's failed to pick up on anything. However Prevx picked up on it, but I need to purchase their program in order for it to remove it.

 

[WindowsStar]

I've done numerous scans over the past week using my paid for BitDefender and it's failed to pick up on anything. However Prevx picked up on it, but I need to purchase their program in order for it to remove it.

Try: Malwarebytes it is free

 

[WindowsStar]

Try: All free.
Index of /devbuilds/RescueDisk10/
Rescue CD

 

[BreakGuy]

After waiting two and a half hours for the scan to complete.... nothing. MalwareBytes also failed to pick up on it.

 

[Bill2]

Why dont you just clean out the temp folder? Please do the following to access the Temp folder:

1. Click Start.
2. Type:
%tmp%
3. Press Enter.

This will open the temp folder. Delete everything in it.

Alternatively, you can use CCleaner.

 

[BreakGuy]

There is no svchost in C:\Users\<username>\AppData\Local\Temp. My problem is within the C:\Windows\Temp folder. Should I continue with the deletion?

 

[Bill2]

oops, my bad! But, yes, clean out C:\windows\temp folder. If it gives you a permissions warning, take ownership.

http://www.sevenforums.com/tutorials/1911-take-ownership-shortcut.html

 

[BreakGuy]

Have deleted the C:\Windows\Temp file and I guess I'll have to wait and see if any further problems arise (as scans aren't showing anything).

 

[Bill2]

Can you describe the annoying behaviour you mentioned in your first post? While svchost.exe is a valid windows generic host process, there is also a virus/worm that takes on that name. It is detected as W32/YahLover.Worm.gen by McAfee and Win32/Autorun.R.worm by NOD32. IDK what other AVs read it as.

The symptoms can be failure of the Task Manager and Registry editor to launch, or CMD restarting windows.

 

[BreakGuy]

BitDefender would pop up a message saying Trojan.Generic.4129231 (I think that number is right) with the file being svchost.exe. It would usually appear when I click on the start button and when I tried to access Windows Live Messenger, but also popped up frequently while simply going about my day-to-day business.

 

[Bill2]

Google didnt turn up anything for that particular number. But it could be a false positive. OTOH, it may not be. If you have Bitdefender still running, next time it throws up that message, try submitting it for analysis. That'll help establish what exactly it is.

 

[bigcitycat]

From what I understand the SVCHOST.EXE is a virus if it is capitalized.

svchost.exe Windows process - What is it?

 

[Jacee]

The "Application" svchost *random number*. tmp files are malware ...

Don't try to delete all, you could get a legit file!
Run Malwarebytes' Anti-malware as suggested above:
http://majorgeeks.com/download5756.html


C:\Windows\System32\ svchost.exe is the legitimate location and is the Host Process for Services