Virus Help With svchost.exe?

I've heard a lot of people say that any svchost.exe file found outside the System32 folder was a virus, and I found that there were a couple of these.

I use Symantec Endpoint Protection and it keeps blocking a process called svchost.exe every half an hour or so. I scanned my computer a couple of times and it came out clean.

I looked at some of the threads here, but I couldn't find an explanation.
I searched for svchost in the Windows folder of my C:\ drive and this is what it came up with.

(http://i.imgur.com/0P2sHb4.png)

This is what it looks like when it gets blocked:

Run Rogue Killer and JRT and get back to me. Those two programs are really good at picking up stuff.

Those actually don't look suspect to me. It's perfectly normal to have that file in those folders (svchost is just a container program for services that run on your computer). WinSxS is Windows Side by Side. It basically keeps files from older versions of Windows on your computer for compatibility purposes. You know, like when you run a program in compatibility mode? And SysWOW64 is actually just the 32-bit version of System32, so it's also perfectly normal to have svchost in there as well.

As far as why it's blocking it, I'm not sure. It's likely a legitimate service trying to access the internet; it just doesn't have permission from your firewall. Does it provide you with any other details about what it is blocking?

My guess is that you aren't infected, but it never hurts to check though. So running scans is a good idea. In addition to what 1920 suggested, Malwarebytes does a good job of finding nasty little buggers as well.

I had already tried scanning with Malwarebytes as well; it didn't find anything either.

As far as the logs go, I can't find anything to do with svchost.exe. I might just not be looking in the right places, though.

I've had this virus before! There is an executable Kaspersky application that you can download and it will pick this up and remove it.

EDIT: Found it. The file is called TDSSKiller. Download the .exe and run it. GG.
http://support.kaspersky.com/viruses/utility
Let me know what comes from it. I'm almost positive this will work and I will be very happy to know if it works in this case.

Did you use the programs that I mentioned?

While it's possible that he has a virus or other malware, nothing he has described so far suggests that he does. Firewalls will routinely block legitimate services, either because of faulty heuristics, because they don't recognize the service, or simply because it doesn't have permission. The files he has listed are perfectly normal and not located in questionable places. Pretty much any version of Windows past Vista, I think, should have those files in those locations.

So, again, while it doesn't hurt to run some scans, I don't see anything here that suggests he has any problem beyond his firewall blocking what is likely a legitimate service from accessing the internet.

Your firewall should log details about traffic including what it blocks. I don't have any experience with that specific software bundle, so I'm not sure where to find it exactly, but it should be under your firewall somewhere.
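The two points made in this thread (a copy of svchost.exe under System32, SysWOW64 or WinSxS is expected, and a firewall block on "svchost.exe" really means a block on one of the services it hosts) can be checked directly rather than argued about. The following PowerShell script is an added example and is not code from any poster or from the tools mentioned; it inventories every running svchost.exe, flags any instance whose image path is outside those three directories, checks the Authenticode signature of the image, and lists the services each process ID hosts so a firewall entry showing only a PID or "svchost.exe" can be mapped to the actual service. The directory list is an assumption based on the thread; run it from an elevated prompt on Windows 7 or later.

```powershell
# Added example (not from the thread): inventory running svchost.exe instances,
# flag ones outside the expected Windows directories, check their signature,
# and list the services hosted by each process ID.
# Run in an elevated PowerShell prompt so ExecutablePath is readable for all processes.

$windir = $env:SystemRoot
# Assumed list of directories where a legitimate copy of svchost.exe lives.
$legitDirs = @(
    (Join-Path $windir 'System32'),
    (Join-Path $windir 'SysWOW64'),
    (Join-Path $windir 'WinSxS')
)

# Win32_Process returns the full image path and PID for each svchost instance.
$procs = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"

# Win32_Service carries the PID of the hosting process; group services by PID.
$svcByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object ProcessId -AsHashTable -AsString

foreach ($p in $procs) {
    $path = $p.ExecutablePath
    $dir  = if ($path) { Split-Path $path -Parent } else { $null }

    # WinSxS stores files in versioned subfolders, so compare by prefix.
    $inLegitDir = $false
    foreach ($d in $legitDirs) {
        if ($dir -and $dir.StartsWith($d, [System.StringComparison]::OrdinalIgnoreCase)) {
            $inLegitDir = $true
        }
    }

    # A genuine svchost.exe is signed by Microsoft; 'Valid' is expected here.
    $sigStatus = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }

    $key = "$($p.ProcessId)"
    $services = if ($svcByPid.ContainsKey($key)) {
        ($svcByPid[$key] | ForEach-Object { $_.Name }) -join ', '
    } else { '(none)' }

    # One row per svchost instance; anything with LegitDir = False or a
    # non-Valid signature is worth a closer look.
    [pscustomobject]@{
        PID       = $p.ProcessId
        Path      = $path
        LegitDir  = $inLegitDir
        Signature = $sigStatus
        Services  = $services
    }
}
```

Pipe the output to `Format-Table -AutoSize` for a readable listing. Once the firewall log gives you the PID of the blocked svchost.exe, the Services column tells you which service (for instance Windows Update) was actually trying to reach the network, which is the detail the thread asks the original poster to find.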

Balderdash. Just because an anti-malware program doesn't pick a virus up doesn't make it legitimate. He's describing the same characteristics that I came across, and I had a virus. The thing was that Malwarebytes didn't see it, Norton (lol) didn't see it, and even though Avast! saw it, it would attempt to get rid of it only to find it still there after the reboot due to a rootkit.

Trust me, he's dealing with a virus here. The sooner he runs TDSSKiller, the better.

EDIT: It's not like TDSSKiller is going to kill the legitimate process on accident.

I'm not basing this on anti-malware scans. I'm basing it off the behavior and file locations he is describing. I've seen this type of behavior many times before with legitimate services, and know for a fact that those file locations for svchost are perfectly normal. Now, again, I'm not saying he doesn't have a virus (it's possible); I'm saying that based on what he has described (behavior-wise), I don't see any reason to immediately jump to that conclusion. I also didn't tell him not to run TDSSKiller (or any other rootkit removal tool). In fact, I said running a scan never hurts.

I contest that this behavior being described is indicative of a virus.

It CAN indicate a virus (though it's usually accompanied by other evidence), but it more often doesn't. It's more likely that his firewall is simply blocking a legitimate service from accessing the internet. Hell, I've seen the Windows Update service (which shows up on the surface as svchost.exe) get blocked by an overzealous firewall.

Again, if you read my posts, I have never once said that he doesn't have a virus. I've simply said that it's more likely his firewall is simply blocking a legitimate service, and he should try and find more details about the service being blocked so we can tell exactly what is going on.

Did I tell him not to run a scan? Did I tell him to ignore 1920's advice? Or yours? No. I simply disagreed with your certitude that it was 100% an infection. It may well turn out to be so, but it's more likely that it's not.

We'll see once he runs the application I linked and reports back.

It turns out it was a network-related thing. Thanks for all your help, everyone.