SVCHOST.exe virus? + clean backup

A lot of inexperienced users (like me) have been suspicious of the Svchost.exe Windows file's memory usage, but this time AVG actually found a Trojan.. Possibly...

 

Does anyone know whether this was a false positive, or do I actually have a virus? A week ago I re-installed Windows, but it seems like some remnants of a virus stayed on my external hard drive backup..

 

The second part to my question would be how can I get rid of these remaining viruses that may hide in my backup files..?

 

svchost.jpg

 


Run Malwarebytes and see if it detects it.

Case-NZXT H440 | Motherboard-Gigabyte Z77X-UD3H | RAM-Kingston HyperX Blue 2x8GB 1600MHz | CPU-Intel 3770K @ 4.3GHz at 1.215v | Heatsink-Coolermaster Hyper212 Evo | GPU-EVGA GTX660 SC | SSD-MX200 250GB | HDD-Seagate Barracuda 3TB | PSU-EVGA GS650

Mouse-Logitech G600 | Keyboard-Ducky Shine 3 MX Blue. white backlight | Headphones-Audiotechnica ATH-M50s. Beyerdynamic DT990


Run Malwarebytes and see if it detects it.

Ran multiple malware, trojan scanners etc. (Basically the whole nine yards from "Bleepingcomputer.com") Nothing picked it up except AVG


Ran multiple malware, trojan scanners etc. (Basically the whole nine yards from "Bleepingcomputer.com") Nothing picked it up except AVG

If only AVG picked it up out of everything, then I'd say it's a false positive. If you ran many scanners including Malwarebytes and they all didn't pick it up, it'd be highly unlikely that it's a real Trojan.


I have the EXACT same problem. scvhost.exe takes up 50% CPU usage and 2GB of RAM.

I think it's a virus but I'm pretty meticulous when it comes to suspicious downloads

Big Bertha3570k @ 4.5GhzASRock Fatal1ty Z777970 DCUII TOP EVGA GTX 780Swiftech H220 w/ NF-F1216GB RAM128GB Kingston HyperX 3K1TB Western Digital Black40GB Western Digital Raptor 10K PeripheralsMionix 3200 MouseCMStorm Quickfire Rapid w/ Cherry MX Blues2 x Dell U2713HM AudioAsus ROG Orion Pro HeadsetSony XB-500AKG K240Bose AE2i​Fiio E10

Samsung Galaxy S45.0" 1920x1080p Super AMOLED screen16GB Storage2600 mAh battery1.9Ghz quad-core Krait CPU2GB RAMCyanogenMod CameraNikon D310018x55mm NIKKOR VR Lens14.2 MP

I have the EXACT same problem. scvhost.exe takes up 50% CPU usage and 2GB of RAM.

I think it's a virus but I'm pretty meticulous when it comes to suspicious downloads

That's why I have 32GB, all the useless background stuff chews RAM

I am good at computer

Spoiler

Motherboard: Gigabyte G1 sniper 3 | CPU: Intel 3770k @5.1Ghz | RAM: 32Gb G.Skill Ripjaws X @1600Mhz | Graphics card: EVGA 980 Ti SC | HDD: Seagate barracuda 3298534883327.74B + Samsung OEM 5400rpm drive + Seatgate barracude 2TB | PSU: Cougar CMX 1200w | CPU cooler: Custom loop


That's why I have 32GB, all the useless background stuff chews RAM

I have 16 so I don't notice a lag in memory but CPU-wise... dang, it's a heavy hitter. I wish I could get rid of it <_<


svchost.exe is a service with an API, which allows programs to "attach" to itself and become a service.

This was done to allow devs to make services much easier. Also, it offers a secure, solid structure for services which benefits the user.

However, you can't do anything you want, it's limited, hence why some devs and Microsoft themselves make custom services.

Now, it must be noted that nothing says that a program that calls itself svchost.exe is not a virus or malware. You can call your exe whatever you want. So how to know? Open Task Manager, and go to the Details tab. On the titles of each column area, right-click, and select Select columns. A panel will open; scroll down to and check Command Line, click on OK, and now expand the command line column as needed.

The correct path of svchost.exe is: C:\WINDOWS\System32\svchost.exe.

If it has a dash next to it (should always have one), next to the path above, then that is the argument of the service to make it tie in with a process, or registered entry.

-> If the path is something completely different, then you know that it's malware, or a virus that tries to fool you with the name, and should be deleted.

-> If the path is followed by an argument that doesn't look like it should be good, for example: C:\WINDOWS\System32\svchost.exe -k C:\Users\aba\AppData\Local\Temp\dskkmf224r\jk.exe clearly it's wrong. Or C:\WINDOWS\System32\svchost.exe -k spkdkslm23 is clearly wrong.

Now it doesn't mean that the virus didn't change some System32 process which is the same process, so that the service and program operate correctly, but has added code to make malware. But, like everything above, that is pretty much your responsibility. As if it is truly a virus or malware, you are the one that allowed it to gain administrative privileges. So far, there are no viruses that can bypass the UAC system of Windows.

But, I doubt that you have a virus this sophisticated, it's extremely rare.

An anti-virus marking Windows system files as viruses is nothing new. Norton and McAfee were already guilty of destroying users' systems by marking critical Windows system files as viruses and removing them automatically.
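
One way to script the path and command-line check described in the post above, as an added example that is not part of the original thread. It assumes Windows PowerShell 3.0 or later in an elevated prompt; comparing the -k group against the registry, the parent-process check and the look-alike name pattern are additions that go beyond what the post describes.

```powershell
# Added example, not from the thread. Read-only: it lists findings and changes nothing.
$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'
# Group names Windows has registered for "svchost.exe -k <group>"
$groups = (Get-Item 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost').GetValueNames()
$procs = Get-CimInstance Win32_Process
$servicesPids = @($procs | Where-Object { $_.Name -eq 'services.exe' } |
                  Select-Object -ExpandProperty ProcessId)

# Match svchost.exe plus look-alike names such as scvhost.exe or Svchost32.exe
$procs | Where-Object { $_.Name -match '^s[cv]{1,2}h[o0]st.*\.exe$' } | ForEach-Object {
    $findings = @()
    if ($_.Name -ne 'svchost.exe') {
        $findings += 'name only resembles svchost.exe'
    }
    if (-not $_.ExecutablePath) {
        $findings += 'path not readable (re-run from an elevated prompt)'
    } elseif ($_.ExecutablePath -ne $expected) {
        $findings += 'image is not in System32'
    }
    if ($_.CommandLine -match '-k\s+"?([^\s"]+)') {
        # The argument after -k must be a group name known to Windows, not a path or random string
        if ($groups -notcontains $Matches[1]) {
            $findings += "-k group '$($Matches[1])' is not registered"
        }
    } elseif ($_.CommandLine) {
        $findings += 'no -k argument'
    }
    if ($servicesPids -notcontains $_.ParentProcessId) {
        $findings += 'parent process is not services.exe'
    }
    [pscustomobject]@{
        PID         = $_.ProcessId
        Name        = $_.Name
        Path        = $_.ExecutablePath
        CommandLine = $_.CommandLine
        Findings    = if ($findings) { $findings -join '; ' } else { 'ok' }
    }
} | Format-List
```

A finding is a reason to look closer at that process, not proof of infection.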

Now it seems like the general consensus is that it's not a virus, but AVG has destroyed the file.. It's not in the virus vault or anything.. Nothing seems to be broken on my computer, so should I just leave it as it is? Or will this potentially harm Windows 7?


It won't harm your computer (unless it's SuperFetch, where performance will degrade as Windows will no longer pre-load applications before you do, especially if you have an HDD), but if one day you run something and it doesn't work in some fashion, or the computer can't find network folders/computers/files/drives or can't be found, and stuff like that, then you'll know what it's from. And you should not actually ask on a forum, because you'll waste everyone's time, and you won't get your answer. For example, it will end with "run this service", and you'll say you don't have it, or it can't start, or you get an error code that no one knows and can't find any resources about, and that doesn't follow the Windows error code documentation, and such. Then you'll be asked to run the sfc /scannow command, which will most likely not do anything, or will only partially fix the problem, and you'll be stuck with no answer, because no one would know.

 

Of course, you might not be affected at all, as it could be a feature you simply would never use.

 

It must be noted, if you are on Windows 8, and install Windows 8.1 when it comes out officially, it might break your system.


That's why I have 32GB, all the useless background stuff chews RAM

A little overkill, do you do video editing, CAD, etc.?


A little overkill, do you do video editing, CAD, etc.?

I run a lot of stuff through Vegas, but that only uses a maximum of 8, my need for the RAM comes from VMs


do this>

>Find in Task Manager

 

>Right click on it and hit "Open file location"

 

>Find the .ExE

 

>Delete file!

 

-->If not then delete entire folder its in.

work it ᕙ༼ຈل͜ຈ༽ᕗ harder, make it (ง •̀_•́)ง better, do it ᕦ༼ຈل͜ຈ༽ᕤ faster, raise ur ヽ༼ຈل͜ຈ༽ノ donger

ᕙ༼ຈل͜ຈ༽ᕗ HARDER, BETTER, FASTER, DONGER! ᕙ༼ຈل͜ຈ༽ᕗ

 


There is one that launches Svchost32.exe, that causes the GPU to run at 100% all the time. I had that one; luckily I caught it quickly and destroyed the files that were causing it. Maybe there is a new variant doing the rounds???

----Ryzen R9 5900X----X570 Aorus elite----Vetroo V5----240GB Kingston HyperX 3k----Samsung 250GB EVO840----512GB Kingston Nvme----3TB Seagate----4TB Western Digital Green----8TB Seagate----32GB Patriot Viper 4 3200Mhz CL 16 ----Power Color Red dragon 5700XT----Fractal Design R4 Black Pearl ----Corsair RM850w----


I have the EXACT same problem. scvhost.exe takes up 50% CPU usage and 2GB of RAM.

I think it's a virus but I'm pretty meticulous when it comes to suspicious downloads

Use Process Explorer to check if you can see what is relying on svchost.exe and scan that file on VirusTotal to make sure that it is safe.

Hello and Welcome to LTT Forum!


If you are a new member, please read the rules located in "Forum News and Info". Thanks!  :)


Linus Tech Tips Forum Code of Conduct           FAQ           Privacy Policy & Legal Disclaimer


svchost.exe is a service with an API, which allows programs to "attach" to itself and become a service.

This was done to allow devs to make services much easier. Also, it offers a secure, solid structure for services which benefits the user.

However, you can't do anything you want, it's limited, hence why some devs and Microsoft themselves make custom services.

This is the first time ever that anyone, ever has been able to explain properly what svchost.exe really is. Thanks for that! One internetz for you, sir.
