NIS blocking actions of windows\system32\svchost.exe

Hello, new to the forum. Have had some issues with malware recently and hoped I had cleared them up, but not exactly sure.

C:\windows\system32\svchost.exe attempted to delete a file from Norton\Definitions\VirusDefs the other night, but NIS stopped this from happening.

I also see system32\svchost.exe involved in another process of "Default block uPnP Discover" stealthed (router address, Port ssdp (1900)), Inbound UDP packet.

My question is: are these processes legit operations, or is something using a windows\system32 legitimate file maliciously?

Thanks for any help!

Hi glennski51,

Welcome to the community!

NIS blocked the attempts from SVCHOST.exe to delete the files from the virus definitions folder because they are protected by the tamper protection feature. However, can you check in the security history to find if there are any events recorded?

One thing you may want to remember is that a lot of malware programmers mask the malicious files with genuine system file names. Moreover, they store them in the location where the system files usually are to make it even more deceptive. For instance, taskmgr.exe. If you find this file in c:\windows\system32, then it is genuine. However, if you find it in c:\windows, then in all probability it can be malware.

Let us know if this helps.

Thanks,

TomV

Norton Forums Moderator

Symantec Corporation
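
The location check described in the reply above, applied to every running svchost.exe, as an added example that is not part of the original posts. The function name `Test-SvchostInstance` is hypothetical, treating `SysWOW64` as an expected location on 64-bit Windows is an assumption of this example, and the signature check goes beyond what the thread describes.

```powershell
# Added example: flag svchost.exe instances running from unexpected locations.
# Expected image paths; SysWOW64 holds the 32-bit copy on 64-bit Windows.
$expected = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

function Test-SvchostInstance {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] $Process,
        [Parameter(Mandatory)] [string[]] $ExpectedPaths
    )

    $path = $Process.ExecutablePath
    $sig  = $null

    if ([string]::IsNullOrEmpty($path)) {
        # A non-elevated session cannot read the image path of some processes.
        $verdict = 'UNKNOWN: rerun from an elevated prompt'
    }
    else {
        $sig = (Get-AuthenticodeSignature -LiteralPath $path).Status
        if ($ExpectedPaths -notcontains $path) {
            # -notcontains compares strings case-insensitively.
            $verdict = 'SUSPICIOUS: unexpected location'
        }
        elseif ($sig -ne 'Valid') {
            # Older Windows builds may report catalog-signed files as NotSigned.
            $verdict = "CHECK: signature status $sig"
        }
        else {
            $verdict = 'OK'
        }
    }

    [pscustomobject]@{
        PID       = $Process.ProcessId
        Path      = $path
        Signature = $sig
        Verdict   = $verdict
    }
}

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    ForEach-Object { Test-SvchostInstance -Process $_ -ExpectedPaths $expected } |
    Sort-Object Verdict |
    Format-Table -AutoSize
```

A correct path and a valid signature only show that the host binary is genuine; a service DLL loaded by a genuine svchost.exe is not covered by this check.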

Svchost is a hosting file for a background program to run.

If a malware is trying to do some damage in the background, it will be executed using svchost. (service client host)

Maybe Norton detected it and blocked that instance of svchost from executing.