I had the same problem with a false svchost.exe. In my case it spawned a ton of IEXPLORER.EXE processes, which in the end caused my computer to become very unstable.
The real svchost is (under Win2k) located at \winnt\system32\svchost.exe (with a backup copy in \winnt\system32\dllcache\svchost.exe), but the fake was placed in \winnt\svchost.exe. The fake was also about 2 KB smaller than the real one and didn't have any identity information, which the real one has.
It had created a registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so it would start each time the computer booted, and when run it attempts to download "http://download.online-dialer.com/connect.php?od-stnd22", which appears to be a modem hijacker or "porn dialer".
I have not yet figured out which program it came in with.
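The checks the post walks through by hand (is the running svchost.exe the one in System32, is the file the expected size and does it carry Microsoft version information, and has something registered it under a Run key) can be scripted. The following PowerShell is an added example, not code from the poster; it targets current Windows versions (the Windows 2000 \winnt layout in the post predates PowerShell) and uses $env:SystemRoot so the reference binary is found wherever Windows is installed. It assumes an elevated session so that every process's ExecutablePath is readable, and it adds two checks the post does not mention: a genuine svchost.exe is normally started by services.exe and is launched with a -k service-group argument.

```powershell
# Added example (not from the original post): triage svchost.exe look-alikes.
# Assumption: run from an elevated PowerShell session.

$realSvchost = Join-Path $env:SystemRoot 'System32\svchost.exe'
$real        = Get-Item $realSvchost
$realSig     = Get-AuthenticodeSignature $realSvchost
"Reference: $($real.FullName) size=$($real.Length) signer=$($realSig.SignerCertificate.Subject)"

# 1. Every running process named svchost.exe: path, parent, command line, file identity.
#    Genuine instances live in System32, are children of services.exe, carry a -k group,
#    have CompanyName 'Microsoft Corporation' and a valid Authenticode signature.
$procs = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"
foreach ($p in $procs) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $path   = $p.ExecutablePath
    $flags  = @()

    if (-not $path) {
        $flags += 'path unreadable (not elevated?)'
    } else {
        # PowerShell string comparison is case-insensitive, so C:\WINDOWS vs c:\windows is fine.
        if ($path -ne $realSvchost) { $flags += "path $path" }
        $fi = Get-Item $path -ErrorAction SilentlyContinue
        if ($fi) {
            if ($fi.Length -ne $real.Length) { $flags += "size $($fi.Length) vs $($real.Length)" }
            if ($fi.VersionInfo.CompanyName -notlike 'Microsoft*') {
                $flags += "CompanyName '$($fi.VersionInfo.CompanyName)'"
            }
        }
        $sig = Get-AuthenticodeSignature $path
        if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
    }
    # Parent may already have exited (PID reuse); report what we see rather than guess.
    if (-not $parent -or $parent.Name -ne 'services.exe') { $flags += "parent '$($parent.Name)'" }
    if ($p.CommandLine -notmatch '\s-k\s') { $flags += 'no -k service group' }

    [pscustomobject]@{
        PID    = $p.ProcessId
        Path   = $path
        Parent = $parent.Name
        Flags  = ($flags -join '; ')
    }
}

# 2. Autostart entries: any Run/RunOnce value that references an svchost.exe outside System32.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$realPattern = [regex]::Escape($realSvchost)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty $k
    $names = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
             Select-Object -ExpandProperty Name
    foreach ($name in $names) {
        $value = $props.$name
        if ($value -match 'svchost\.exe' -and $value -notmatch $realPattern) {
            "SUSPICIOUS autostart ${k}\${name} = $value"
        }
    }
}
```

Read the output as a whole rather than acting on any single flag: an empty Flags column is what every genuine instance should show, while a path outside System32, a non-Microsoft CompanyName or an invalid signature is strong evidence on its own. The Run-key scan only covers the three keys listed; a dialer can just as easily register as a service or a scheduled task, so an empty result there does not clear the machine.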