

svchost.exe


7 replies to this topic

#1 Nid

    Human Being number 80446219302

  • Project Team
  • 2501 posts

Posted 22 July 2010 - 09:39

For the past three days I have had a security warning prompting me to run svchost.exe as soon as I start the computer and log into Windows.

Now, I know what svchost is, but why is it prompting me to run the .exe?

My computer claims that it is from an unknown publisher, which I couldn't understand at first, until I found out that the directory that the .exe claims to be running from doesn't exist on my computer.
(C:\Users\*accountname*\AppData\Roaming\Microsoft\svchost.exe)

I tried following the directory to make sure, to find out that the AppData folder doesn't exist. It seems a little fishy to me now.
I have run a virus scan several times now and it has not detected anything that seems to link in with this executable.
I have also run searches on my computer for svchost.exe, and it isn't returning me with any odd-looking results that aren't where svchost should be. (In System32, and in winsxs)

My questions are:
Why is this happening?
How can it be running from a directory that doesn't exist?
Am I right not to trust it and treat it as a possible virus until I can find out more?
How can I get rid of it if my virus scanners still don't detect it, and it is hiding its true directory?

Edited by Nidmeister, 22 July 2010 - 09:44.


#2 Dutchygamer

    Shyborg Commander

  • Member Test
  • 1899 posts
  • Projects: Frontline Chaos creator and leader, Invasion Confirmed co-leader

Posted 22 July 2010 - 09:44

Appdata is a hidden folder. You must make it so you can see all hidden folders. It's somewhere in folder options.

#3 Major Fuckup

    The riot act

  • Member Test
  • 1681 posts
  • Projects: So like when is my warn level coming down?

Posted 22 July 2010 - 09:47

I got that on my old laptop once but it vanished within a month of me ignoring it and I had no clue as to why, probably ended up deleting it somehow.

I question the general assumption that i am inherently deficient in the area of grammar and sentence structure

#4 Nid

    Human Being number 80446219302

  • Project Team
  • 2501 posts

Posted 22 July 2010 - 09:52

Thanks for that Dutchy, I managed to get to the directory, but I found that the exe was nowhere to be seen. I then set the folder to show me "protected operating system files", and this svchost exe appears to have appeared, with an Xbox 360 icon for some reason :s

EDIT: I scanned the file individually and it does appear to not be a threat according to avast. However, that 360 icon really throws me off that conclusion.

Edit Edit: After some research, I found out that it is a suspected keylogger.

*Infection, terminated*

Edited by Nidmeister, 22 July 2010 - 09:58.


#5 CJ

    Rocket soldier

  • Member Test
  • 2150 posts
  • Projects: Nothing yet

Posted 22 July 2010 - 10:49

You mean that you deleted it? Well I'm not sure, but you'd better be expecting lots of fails on your connexion D:

Chyros, on 11 November 2013 - 18:21, said:

I bet I could program an internet


#6 Sgt. Rho

    Kerbal Rocket Scientist

  • Project Leader
  • 6870 posts
  • Projects: Scaring Jebediah.

Posted 22 July 2010 - 12:43

svchost.exe is a part of Windows, not sure what it does tho, DON'T delete it >.<

#7 Alias

    Member Title Goes Here

  • Member
  • 11705 posts

Posted 22 July 2010 - 12:51

If it isn't in system32, it's a virus. Niddy said it was in Users, not in system32.

The real svchost is what operates Windows networking. Considering Niddy is still posting online I'd say it's fair he got rid of the impostor, not the real one.


#8 Nid

    Human Being number 80446219302

  • Project Team
  • 2501 posts

Posted 22 July 2010 - 16:34

Yeah don't worry, I know that the one under System32 is legit, I wouldn't touch anything in there.

I deleted the virus copy disguising itself as svchost.exe, not the actual copy, that was residing in a different directory (C:\Users\Nidmeister\AppData\ etc.) as Alias said.

Edited by Nidmeister, 22 July 2010 - 16:35.
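
The location rule from this thread (a svchost.exe outside System32 is an impostor; this one sat in AppData\Roaming\Microsoft and only showed up once protected operating system files were visible), written as a PowerShell triage check. This is an added example, not part of any post above; accepting SysWOW64 and looking in the Run keys are assumptions, since the thread does not say how the file was started at logon, and `Test-SvchostPath` and `New-Finding` are names made up for the example.

```powershell
# Added example: triage for a fake svchost.exe, following the rule in this thread.
# Assumption: SysWOW64 is also accepted (64-bit Windows keeps a 32-bit copy there).
$legitDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

function Test-SvchostPath {
    param([string]$Path)
    if ([string]::IsNullOrEmpty($Path)) { return $false }
    # -contains compares strings case-insensitively
    return $legitDirs -contains (Split-Path -Path $Path -Parent)
}

function New-Finding {
    param([string]$Check, [string]$Path, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Path = $Path; Detail = $Detail }
}

$findings = @()

# 1. Running processes named svchost.exe whose image is outside the system dirs.
#    ExecutablePath can be empty without elevation, so run from an admin prompt.
$findings += @(Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    Where-Object { $_.ExecutablePath -and -not (Test-SvchostPath $_.ExecutablePath) } |
    ForEach-Object { New-Finding 'Process' $_.ExecutablePath "PID $($_.ProcessId)" })

# 2. Copies on disk under the user profiles. -Force includes files marked
#    hidden and system, which Explorer does not show by default.
$users = Join-Path $env:SystemDrive 'Users'
$findings += @(Get-ChildItem -Path $users -Filter 'svchost.exe' -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        New-Finding 'File' $_.FullName "attrs=$($_.Attributes); signature=$($sig.Status)"
    })

# 3. Logon autostart values that mention svchost.exe. The genuine binary is
#    started by the Service Control Manager, not from a Run key.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        if ($value -match 'svchost\.exe') { $findings += New-Finding 'RunKey' $value "$key -> $name" }
    }
}
$findings | Format-Table -AutoSize -Wrap
```

An empty table means none of the three checks matched; it does not cover other autostart locations such as scheduled tasks or services.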



