Korean Job Discussion Forums

[toomuchtime]

Hi there,
Can someone offer me some advice?
My computer is working at a snail's pace, and when I looked at the task manager and looked at the processes at work, I found that there were three 'svchost.exe' processes going- among, perhaps, many other problems. I did a bit of investigation on the net and found that they all might be worms. My question is, how do I know which ones are worms and which one is the legit one? They all look the same. I don't want to get rid of the wrong one.
Thanks for reading.
Any help will be appreciated.

[Demophobe]

Well, good to see you did some homework...

The svchost.exe file is located only in the C:\windows\System32 folder. In other cases, svchost.exe may be a virus, spyware, trojan or worm....do a "search" for the "svchost.exe" and see what it comes up with.

I just checked my work computer here, and I have 5 such services running.

The copy of svchost.exe which isnt the real thing (and a copy of dllhost.exe) can be found in c:\windows\system32\wins these can be deleted, if removing the welchia worm manually, be sure to disable system restore before you do it. Some registry keys need to be deleted too...open the Registry Editor.

To do this, click Start>Run, type REGEDIT, then press Enter, In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>
In the left panel, delete the subkeys:
RpcPatch
RpcTftpd
Now install the patch found here:

http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

Chech the "CPU usage" in the task manager next time you 'ctrl/Alt/Del'....if it's at 100% all the time, you may have a problem. Don't forget, this service is normal as well....and having many instances of it is normal as well.


Another "must have" utility:

http://grc.com/dcom/intro.htm