Thread: svchost.exe

      
  1. #1
    Autumn

    I suddenly have a firewall alert saying "'SVCHOST.EXE' from your computer wants to connect to 93.190.137.98, port 80" and my WinPatrol is alerting me that it has just been installed on my computer (see attachment).

    A Google search indicates this is a generic part of Windows, but if that is so, why didn't it come with the original software?

    Should I deny the installation? I don't like weird crap like this. :bawling:

  2. #2
    Zap

    svchost.exe is indeed native to Windows; however, it is basically a process that can be used by other processes. So, it often does get used by spyware programs to do their thing.

    Safest bet is to deny the action, especially if it's not an action that you initiated.

  3. #3
    Autumn

    So if it is already there, why is it trying to install it now?

    I had just visited a dodgy site before all this crap started happening.

  4. #4
    Zap

    Originally posted by Autumn:
    > So if it is already there, why is it trying to install it now?
    >
    > I had just visited a dodgy site before all this crap started happening.

    Not trying to install it, more like trying to use it to run and/or install something else.

    There is a tool that can get rid of a lot of different types of spyware automatically called combofix.
    The download page for it is here.

    Download it and save it to the root of your C: drive.
    Before running it, disable any antivirus software that you have running, as it can interfere with the combofix program.
    Also, shut down all running programs so that ONLY combofix is running.

    WARNING: Combofix is a pretty potent program. It needs to be to get rid of some of the crapware that it gets rid of. So, treat it gently. Don't run anything else while it is running. It sometimes looks like it has stalled. Allow it to finish completely. It will prompt you when it's done. More often than not, you will have to reboot your computer to complete the removal process.

  5. #5
    Autumn

    Wow, that looks like a scary program. Is there something less potent I could run? I have stayed clean till now with WinPatrol warning me of anything that tries to install.

  6. #6
    Zap

    Originally posted by Autumn:
    > Wow, that looks like a scary program. Is there something less potent I could run? I have stayed clean till now with WinPatrol warning me of anything that tries to install.

    You can always use a combination of AdAware and Spybot Search And Destroy.
    They are both easier on your system, but lack the teeth necessary for the really scary stuff.
    It's a risk = reward type thing with spyware.
    The weaker programs will remove the weaker spyware.
    Sometimes something like combofix is warranted but I usually use it as the first step.
    After that, I will use the blander programs to remove any remnants of spyware.

    One more thing to note. After cleaning up a spyware infestation, you should turn off System Restore. That will delete all current restore points. (They will be infected, and using one will reinfect your machine.) The process of turning off System Restore will automatically delete all your restore points. Reboot and then turn System Restore back on to begin monitoring your machine again. Then, manually create a new restore point with your freshly cleaned system so you'll have something to restore to, should there be trouble.

  7. #7
    Autumn

    I have AdAware already and some other beefy thingy (which is scary enough). I haven't had any more signs that there is anything amiss. I denied the "'SVCHOST.EXE' from your computer wants to connect..." with the firewall and attempted to stop the install of svchost with WinPatrol, but that also warned me that it was running and offered to clean it from the system. I said no and there has been nothing going on since (that I know of).

  8. #8
    vectro

    When a system file like svchost.exe becomes infected or trojaned, the removal is, as Zap said, not as simple as it is for other spyware. I use combofix as well. In other cases the only way to remove an infected system file is to do a repair installation of Windows, which unfortunately is even more complicated.

    From the looks of the image you posted, it seems that some program might actually be trying to replace your svchost.exe with a bad one. In that case, it was probably a smart move to deny it. The other case is that the program you are trying to install was using svchost.exe to install something else which may or may not be harmless.

  9. #9
    Autumn

    I wasn't trying to install anything, this all happened after visiting a certain (dodgy) site. But you might be right about something trying to replace svchost.

  10. #10
    vectro

    I see. If it was trying to replace it then it was trying to hook a malicious DLL file into svchost.exe. Sometimes web sites try to take advantage of the fact that most people are logged into Windows with admin privileges and will try to install software or hook DLL files into system processes.
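
Added example, not part of any post in this thread: Zap's point that svchost.exe is a host that other code runs inside, and vectro's points about a replaced svchost.exe or a DLL hooked into it, can be checked directly on the machine. This read-only PowerShell audit assumes Windows 10 or later with PowerShell 5.1 and an elevated prompt; the helper names Get-ServiceDll and Test-Signed are made up for the example.

```powershell
# Added example: read-only audit of running svchost.exe instances (run elevated).
$expected = 'System32', 'SysWOW64' |
    ForEach-Object { Join-Path $env:SystemRoot "$_\svchost.exe" }
$procs    = Get-CimInstance Win32_Process
$services = Get-CimInstance Win32_Service
$scmPid   = ($procs | Where-Object Name -eq 'services.exe').ProcessId

function Get-ServiceDll([string]$Name) {
    # A svchost-hosted service names the DLL it loads in ServiceDll, normally
    # under the Parameters subkey and sometimes on the service key itself.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    foreach ($k in "$key\Parameters", $key) {
        $v = (Get-ItemProperty -Path $k -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($v) { return [Environment]::ExpandEnvironmentVariables($v) }
    }
}

function Test-Signed([string]$Path) {
    # True only when the file exists and its Authenticode signature validates.
    (Test-Path -LiteralPath $Path) -and
        ((Get-AuthenticodeSignature -LiteralPath $Path).Status -eq 'Valid')
}

$report = foreach ($p in ($procs | Where-Object Name -eq 'svchost.exe')) {
    $hosted = @($services | Where-Object ProcessId -eq $p.ProcessId)
    $dlls   = @($hosted | ForEach-Object { Get-ServiceDll $_.Name } | Where-Object { $_ })
    $remote = @(Get-NetTCPConnection -OwningProcess $p.ProcessId -State Established `
                    -ErrorAction SilentlyContinue |
                ForEach-Object { '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort })

    $flags = @()
    if (-not $p.ExecutablePath)                       { $flags += 'image path unreadable' }
    elseif ($expected -notcontains $p.ExecutablePath) { $flags += 'unexpected image path' }
    elseif (-not (Test-Signed $p.ExecutablePath))     { $flags += 'image signature not valid' }
    if ($p.ParentProcessId -ne $scmPid)               { $flags += 'parent is not services.exe' }
    if ($hosted.Count -eq 0)                          { $flags += 'hosts no registered service' }
    foreach ($d in $dlls) {
        if (-not (Test-Signed $d)) { $flags += "ServiceDll missing or not validly signed: $d" }
    }

    [pscustomobject]@{
        ProcessId = $p.ProcessId
        Path      = $p.ExecutablePath
        Services  = $hosted.Name -join ', '
        Remote    = $remote -join ', '
        Flags     = $flags -join '; '
    }
}

# Flagged instances first; an empty Flags field means every check passed.
$report | Sort-Object { $_.Flags -eq '' } | Format-List
```

A flag is a reason to look closer rather than a verdict, since third-party services can legitimately ship unsigned DLLs. The Remote column shows which hosted services sit behind a firewall prompt like the one in the first post.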

  11. #11
    Autumn

    Looks like this is still trying to get in (see attachment). Normally I click yes to these things as it usually follows an update of some sort.

  12. #12
    Zap

    Contrary to what that message says, Autumn, it may have already been replaced.
    I think it's time for combofix.

  13. #13
    Autumn

    I clicked no as WinPatrol also popped up again. I'll get started with some cleaners :S

    Autumn added 183 Minutes and 40 Seconds later...

    *Touch wood* it seems like Search and Destroy cleaned it up.
    Last edited by Autumn; Oct 29th, 2008 at 7:05 pm. Reason: Automerged Doublepost

  14. #14
    Zap

    Originally posted by Autumn:
    > I clicked no as WinPatrol also popped up again. I'll get started with some cleaners :S
    >
    > Autumn added 183 Minutes and 40 Seconds later...
    >
    > *Touch wood* it seems like Search and Destroy cleaned it up.

    Cool. Best way to find out is to reboot and scan again. After a reboot, it should come back clean.

  15. #15
    Autumn

    Originally posted by Zap:
    > Cool. Best way to find out is to reboot and scan again. After a reboot, it should come back clean.

    Yup, after the first scan I tried to clean it but it didn't clean, it said that restarting might fix it, so I ran the scan again after restart and voila! Nothing

    It did find a bunch of other stuff, mainly browser related, some of which I had heard of and some I have never seen before. So I cleaned all that too while I was at it.

  16. #16
    vectro

    Originally posted by Autumn:
    > It did find a bunch of other stuff, mainly browser related, some of which I had heard of and some I have never seen before. So I cleaned all that too while I was at it.

    I use Firefox and have it clear all private data when it closes. I also do not allow it to save passwords. This reduces the amount of browser junk found by scanners and cuts back on tracking cookies that track your browsing habits.

    To be even more secure, I use iespyad2 to block a huge list of known "bad" sites in Internet Explorer. Even though I never use that browser, other programs do and you never know what they try to connect to.

    Most of the junk on people's computers seems to slip in quietly from websites if not from someone downloading and installing a program that has a virus.
