I have a virus that is hitting every port on the switch; the file is srvhost32.exe

I have a virus that is hitting every port on the switch. The file is srvhost32.exe. If I stop the service on the 4 of 20 computers that have it, the traffic stops. Norton is not detecting anything. I remove it from the run command in the reg but it comes back. HELP! Oh yeah, Windows 2000 Pro fully patched and Norton with virus DATs as of last night.

Hello Brendle =)

Can you find this file on your hard drive with show hidden and protected files turned on?
Brendle (Author) commented:
I will check... the file is scvhost32.exe, not srv
>> scvhost32.exe

I'm again confirming: is it "scvhost32.exe" OR "svchost32.exe"?

Brendle (Author) commented:
Yes, it's in the winnt\system32 directory
Brendle (Author) commented:
Thanks :)
Now, before I give my next suggestion to remove this file, I want a last favour from you 8)

Download HijackThis v1.98.2 from here, run it and Save the LOG file:

Then Post that log at this site >> http://www.hijackthis.de/index.php?langselect=english
Hit analyse, scroll down to the page, hit Save Analyse,
a new page will open, I want the address of that page :)

Hmm, that sounds like a network-spreading worm to me...

If SheharyaarSaahil's method fails, get a copy of the Kaspersky virus scanner
==> http://www.kaspersky.com/trials
and scan one of the PCs with it. I'm pretty sure that it will catch the virus and remove it.

If it does, I would suggest you disconnect each PC from the network,
or just disable the connection in the connection dialog, and start to clean up every single PC that is infected with it,
and don't connect any back until each of them is cleaned!
Hey Brendle, =]

Identifying the virus:
Since it's on 4 different computers this is obviously a network issue, which is obviously a worm. Now, do you have any protection on the exchange server to prevent these types of attacks? I would run a free online scan at http://housecall.trendmicro.com/housecall/start_corp.asp just to verify what type of worm/trojan you're dealing with.

Removal & Prevention:
Trend Micro Client/Server/Messaging Suite is great to handle all your security needs for a network.
"Trend Micro Client/Server/Messaging Suite provides a powerful, multi-layered defense against viruses, spyware, and other malicious code, to protect mail servers, file servers, and desktops. The suite of integrated products can be remotely configured and managed to create the right mix of security and performance for any organization."

http://www.trendmicro.com/en/products/suites/c-s-m-suite/evaluate/overview.htm - That link will provide you with all the features, benefits and info on the product. Also gives a 30 evaluation trial.

If you'd like to keep Norton and just add on security for exchange server to prevent these types of attacks from happening again, I recommend:

GFI MailSecurity: to keep worms/viruses/spyware out of your mail servers.

GFI LANguard: This is a wonderful program to perform security audits and receive alerts of attacks and other critical events.

GFI products are a little on the higher budget side, however very effective products.

Let me know if you have any questions or concerns!!

good luck,


svchost.exe is the legit version but svchost32.exe is not (on XP anyway).

It would be wise to check the version information of the file.

If there is no version information then it is most definitely a virus.
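
The file names traded in this thread (srvhost32.exe, scvhost32.exe, svchost32.exe) all sit within a couple of edits of the legitimate svchost.exe, which is a pattern a triage script can flag. The following is an added example, not part of the original thread: it marks executables whose names nearly match a known system binary or that carry a legitimate name in the wrong directory. The allowlist, the C: drive letter, the sample paths and all function names are assumptions for illustration.

```python
import ntpath

# Assumed allowlist: system binaries malware often imitates, with the
# directory each belongs in (winnt layout as in the thread, C: assumed).
KNOWN_GOOD = {
    "svchost.exe": r"c:\winnt\system32",
    "services.exe": r"c:\winnt\system32",
    "lsass.exe": r"c:\winnt\system32",
    "explorer.exe": r"c:\winnt",
}

def edit_distance(a, b):
    """Optimal string alignment distance (adjacent swap counts as 1 edit)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(path, max_dist=2):
    """Return (verdict, imitated_name) for one executable path."""
    directory, name = ntpath.split(path.lower())
    if name in KNOWN_GOOD:
        ok = directory == KNOWN_GOOD[name]
        return ("ok" if ok else "wrong-directory", name)
    # Drop the extension and a trailing numeric suffix such as "32".
    stem = name.rsplit(".", 1)[0].rstrip("0123456789")
    for good in KNOWN_GOOD:
        if edit_distance(stem, good.rsplit(".", 1)[0]) <= max_dist:
            return ("lookalike", good)
    return ("unknown", None)

# Constructed sample paths, not taken from a real host.
SAMPLE_PATHS = [r"C:\WINNT\system32\svchost.exe", r"C:\WINNT\system32\scvhost32.exe",
                r"C:\WINNT\Temp\svchost.exe", r"C:\WINNT\system32\notepad.exe"]

def flag_suspicious(paths):
    """Keep only the paths that imitate, or misplace, a known binary."""
    verdicts = {p: classify(p) for p in paths}
    return {p: v for p, v in verdicts.items() if v[0] in ("lookalike", "wrong-directory")}

if __name__ == "__main__":
    for path, (verdict, imitated) in flag_suspicious(SAMPLE_PATHS).items():
        print(f"{verdict:16} {path} (imitates {imitated})")
```

A "lookalike" or "wrong-directory" verdict is a lead for closer inspection (version information, signature, scan), not a detection on its own.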


Brendle (Author) commented:
knoxj81, I already use GFI products and YES! I do agree they are great.
Brendle (Author) commented:
SheharyaarSaahil - Thanks for all the help. I was not able to identify the virus but I turned port 445 off (the flood) and deleted the file.
great brendle :)
Question has a verified solution.