svchosts.exe


SeldomFixit
20th Dec 2004, 07:57
svchosts.exe ( not svchost.exe ) shows as a running process ( Win2k OS ) and all the google indications are that it's associated with a Trojan.
I've red X'd it in Zone Alarm Pro but am concerned that neither a fully updated Norton, TrendMicro housecall, Spybot S&D, Adaware, Spywareblaster, Adawarespy, detect any trojan on the machine.
Given the potential for harm indicated in the google results I'd love any possible assistance in getting rid of it.
Advance thanks - SF :(

BOAC
20th Dec 2004, 08:27
My AV service confirms it to be the result of a 'trojan'. If you are able, look in the registry (don't change anything!) for:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Registers = "Svchosts.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Registers = "Svchosts.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Windows Registers = "Svchosts.exe"

If they are there, you are 'infected' and the next step would be to go to your AV service's 'nasties' search page and see if they have a removal tool.

Toxteth O'Grady
20th Dec 2004, 08:56
Try PrevX (http://www1.prevx.com/prevxhome.asp)

and/or

Ewido (http://www.ewido.net/en/download/)

SeldomFixit
20th Dec 2004, 08:58
BOAC - thanks - I've run the regedit and found none of the listed values.
I googled Troj/Sdbot-N; sdbot; sdbot.n and checked for the listed registry values - nought found.
I'm stumped. It's there but it isn't - weird. :confused:

Mr O'Grady - I'm checking your offerings as we speak - tyvm.
Will advise :ok:

Toxteth O'Grady
20th Dec 2004, 09:07
How to Remove Backdoor SDBot Trojan Program (http://www.pchell.com/virus/sdbot.shtml)

Also here (http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sdbot.html)

Once you've got rid of it I would recommend you install PrevX. It's freeware and it's an Intruder Prevention System (IPS) as opposed to an Intruder Detection System (IDS). It's specifically designed to prevent trojans getting on your machine in the first place. i.e. you're shutting the stable door before the horse bolts!

BOAC
20th Dec 2004, 09:13
SF - well, it was a chance! What does your AV Virus programme have to say about svchosts.exe?

SeldomFixit
20th Dec 2004, 09:17
BOAC - Norton lists it as a nasty / Trojan but it isn't finding it on a scan. :{

E-Liam
20th Dec 2004, 09:48
Hi SF,

Could you post up a Hijack This log? Definitely dodgy. There are many different file names that pretend to look like svchost.exe so that upon cursory examination they look legit, i.e.

scvhost
svch0st

you get the idea. :)

Cheers

Liam
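
The lookalike-name check E-Liam describes, as an added example that is not part of any post in this thread: it flags process names within a small edit distance of svchost.exe after undoing digit-for-letter swaps. The process list, the digit map and the distance threshold are constructed assumptions.

```python
# Added example: flag process names that imitate svchost.exe.
LEGIT = "svchost.exe"

# Assumed map of digits commonly substituted for letters (svch0st -> svchost).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute,
    and swap of two adjacent characters each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Adjacent transposition, e.g. "scvhost" vs "svchost".
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def is_lookalike(name, legit=LEGIT, max_dist=2):
    """True if name is not the legitimate name but closely resembles it."""
    n = name.lower()
    if not n.endswith(".exe"):
        n += ".exe"
    if n == legit:
        return False
    normalized = n.translate(HOMOGLYPHS)
    return normalized == legit or edit_distance(normalized, legit) <= max_dist


def suspicious(process_names):
    """Return the names from a process listing that imitate svchost.exe."""
    return [p for p in process_names if is_lookalike(p)]


# Constructed process listing; in practice feed in names from the task list.
SAMPLE = ["System", "svchost.exe", "svchosts.exe", "scvhost.exe",
          "svch0st.exe", "explorer.exe", "services.exe"]

if __name__ == "__main__":
    print(suspicious(SAMPLE))
```

A name match is only a lead: a file correctly named svchost.exe can still be malicious, so the flagged entries still need the scanner or log review discussed in the thread.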

SeldomFixit
20th Dec 2004, 10:31
Mr O'Grady's EWIDO found the bugger where Norton/Housecall failed. I am rerunning EWIDO as I write this to see what comes up.

Liam - I'll PM you the log if I may?

Thanks

E-Liam
20th Dec 2004, 11:14
Hi SF,

Sent back the info via PM. Ewido's done all the work already.. :D

Cheers

Liam