svchost gone wild!?

Thread: svchost gone wild!?

  1. #1
    the beign of authority kurt_der_koenig's Avatar
    Join Date
    Jan 2004
    Location
    Pa
    Posts
    567

    Question svchost gone wild!?

    AHH..I opened my tcpview only to find out that there are 17 or so svchost.exe running?

    Here's a snippet; I edited it for obvious reasons:

    svchost.exe:1024 UDP myputer:1037 *:*
    svchost.exe:1024 UDP myputer:1042 *:*
    svchost.exe:1024 UDP myputer:1054 *:*
    svchost.exe:1024 UDP myputer:4921 *:*
    svchost.exe:1052 TCP myputer:5000 myputer:0 LISTENING
    svchost.exe:1052 UDP myputer:1900 *:*
    svchost.exe:1052 UDP myputer:1900 *:*
    svchost.exe:916 TCP myputer:epmap myputer:0 LISTENING
    svchost.exe:960 TCP myputer:1025 myputer:0 LISTENING
    svchost.exe:960 TCP myputer:netbios-ssn myputer:0 LISTENING
    svchost.exe:960 UDP myputer:ntp *:*
    svchost.exe:960 UDP myputer:netbios-ns *:*
    svchost.exe:960 UDP myputer:netbios-dgm *:*
    svchost.exe:960 UDP myputer:ntp *:*
    Now, is this normal? Cause before I noticed only two at the most! This is my very basic computer set up:

    WinXP pro
    Norton Internet Security
    If you need more info tell me! Thanx

  2. #2
    There are viruses that use the task name SVCHOST.EXE to hide from visual detection.

    First, please do a virus scan using HouseCall - it is a very thorough,
    free, online scan and catches things when others fail.
    http://housecall.trendmicro.com/

    Next, have a look at this article:
    A Description of Svchost.exe in Windows XP
    http://support.microsoft.com/default...b;EN-US;314056

    Run regedit and navigate to
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
    View what local services are running.

    See if lsass.exe (or whatever it is that you are turning off whenever
    you start your computer) is listed as a local service.
    If it is, go to Control Panel / Administrative Tools / Services and turn it off.

    If it isn't, it may be a matter of a process of elimination, one at a
    time, to figure out which one is causing you problems - possibly one
    called SSDPSRV.

    Whether the above has helped or not, I would suggest downloading and
    running the following programs (update them first), just to be sure.

    CWShredder:
    http://www.spychecker.com/program/coolwebshredder.html

    Adaware:
    http://www.spychecker.com/program/adaware.html

    HijackThis:
    http://www.spychecker.com/program/hijackthis.html

    Best of luck,
    Jeremy
    Dyn/Gnosis ~ Powerful/Knowledge
    www.Dyngnosis.com
    Tutorials - Site Penetration Logs - (TheCommunity)Forums - Toolss

  3. #3
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,528
    The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging.
    http:...bid=314056

    This from the MS knowledge base, shows it isn't 'bad'.
    But you need to do a little more checking before you can sleep easy ...............
    55 - I'm fiftyfeckinfive and STILL no wiser,
    OLDER yes
    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  4. #4
    the beign of authority kurt_der_koenig's Avatar
    Join Date
    Jan 2004
    Location
    Pa
    Posts
    567

    Post

    k This is what I pulled out of ms-dos: I'm looking on google to see if anything on these progs comes up! Do you see something I do not? Thanx!

    kurt_der_koenig

    edit**

    I already have adaware and hijack this!

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Let's get to the guts straight away.....

    Drop the Hijack this log here and let's look at it....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #6
    the beign of authority kurt_der_koenig's Avatar
    Join Date
    Jan 2004
    Location
    Pa
    Posts
    567
    edit**

  7. #7
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743
    I'm glad TS asked for a HJT log.. my question was going to be
    What do you have running.. then what services have you not disabled..ie Messenger, SSDP and uPNP

    Personally I use Process explorer and check the handles on any running svchost.. all svchosts should be running under services.exe

    there are better ppl than I to continue answering this question..


    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I'm sorry Kurt... I spent 20 minutes typing a response only to find that some moron had pulled the power on the DSL modem my laptop connects through..... I don't have time for a full retype....

    I will say that there are some things running there that you would do well to google for and if you find _no_ results just go ahead and delete them.... There was a BHO or two, the last two entries caught my eye too, there was a c:\windows\m* and another with the same pattern that I was suspicious about and a couple of other things... Googling the final executable or dll will give you a good idea...

    As to you being negged, which I don't forget.....

    To Kurt's "negger": Go ahead and neg me, dumbass.... I asked for the hijack this dump and he gave it..... So what is _your_ problem? Just have a better reason when you neg me than you did when you negged Kurt......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  9. #9
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Use "tasklist /SVC" to find out what's running behind the svchost processes...

    Ammo
    Credit travels up, blame travels down -- The Boss
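
Added example (not posted by any participant in this thread): a PowerShell audit that combines the three checks suggested above for each running svchost.exe, namely the image path under %SystemRoot%\System32, services.exe as the parent, and the hosted services that "tasklist /SVC" would list. It assumes a current Windows with PowerShell 3.0 or later (not the XP machine in the thread) and an elevated prompt; the flag wording is this example's own.

```powershell
# Added example: audit every running svchost.exe on the local machine.
$expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Index all processes by PID so each svchost's parent can be resolved.
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[uint32]$p.ProcessId] = $p }

# Group running services by hosting PID (the same mapping tasklist /SVC prints).
$svcByPid = @{}
foreach ($s in Get-CimInstance -ClassName Win32_Service -Filter "State='Running'") {
    $k = [uint32]$s.ProcessId
    if (-not $svcByPid.ContainsKey($k)) { $svcByPid[$k] = @() }
    $svcByPid[$k] += $s.Name
}

$report = foreach ($p in $procs | Where-Object { $_.Name -ieq 'svchost.exe' }) {
    $parent     = $byPid[[uint32]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    $services   = $svcByPid[[uint32]$p.ProcessId]

    # Each flag marks something to review, not a verdict.
    $flags = @()
    if (-not $p.ExecutablePath) {
        $flags += 'path unreadable (run elevated)'
    } elseif ($p.ExecutablePath -ine $expectedPath) {
        # 64-bit Windows also ships a SysWOW64 copy; check any other location.
        $flags += 'unexpected path'
    }
    # A parent PID can be reused after the parent exits, so treat the name as a hint.
    if ($parentName -ine 'services.exe') { $flags += 'parent is not services.exe' }
    if (-not $services) { $flags += 'hosts no running service' }

    [pscustomobject]@{
        PID      = $p.ProcessId
        Parent   = $parentName
        Path     = $p.ExecutablePath
        Services = ($services -join ', ')
        Review   = ($flags -join '; ')
    }
}

$report | Sort-Object PID | Format-Table -AutoSize -Wrap
```

Rows with an empty Review column match what the posts above describe as normal; the PIDs can then be matched against the svchost.exe:PID entries in a TCPView listing like the one in the first post.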

  10. #10
    the beign of authority kurt_der_koenig's Avatar
    Join Date
    Jan 2004
    Location
    Pa
    Posts
    567
    Tiger Shark - you don't have to apologize to me. I understand that all too well here, as I have morons surrounding me too. lol jk. But I will look into what you said.

    And to everybody else I thank you! Also I'm sorry that this forum turned out to be somewhat of a fight and everything! Thanx again for all your help that you guys have given me since my first post <jan 2004> here at AO!
