-
August 27th, 2004, 08:58 PM
#1
svchost gone wild!?
AHH.. I opened my tcpview only to find out that there are 17 or so svchost.exe running?
Here's a snippet; I edited it for obvious reasons:
svchost.exe:1024 UDP myputer:1037 *:*
svchost.exe:1024 UDP myputer:1042 *:*
svchost.exe:1024 UDP myputer:1054 *:*
svchost.exe:1024 UDP myputer:4921 *:*
svchost.exe:1052 TCP myputer:5000 myputer:0 LISTENING
svchost.exe:1052 UDP myputer:1900 *:*
svchost.exe:1052 UDP myputer:1900 *:*
svchost.exe:916 TCP myputer:epmap myputer:0 LISTENING
svchost.exe:960 TCP myputer:1025 myputer:0 LISTENING
svchost.exe:960 TCP myputer:netbios-ssn myputer:0 LISTENING
svchost.exe:960 UDP myputer:ntp *:*
svchost.exe:960 UDP myputer:netbios-ns *:*
svchost.exe:960 UDP myputer:netbios-dgm *:*
svchost.exe:960 UDP myputer:ntp *:*
Now, is this normal? 'Cause before I noticed only two at the most! This is my very basic computer setup:
WinXP Pro
Norton Internet Security
If you need more info, tell me! Thanx
-
August 27th, 2004, 09:04 PM
#2
Member
There are viruses that use the task name SVCHOST.EXE to hide from visual detection.
First, please do a virus scan using HouseCall - it is a very thorough,
free, online scan and catches things when others fail.
http://housecall.trendmicro.com/
Next, have a look at this article:
A Description of Svchost.exe in Windows XP
http://support.microsoft.com/default...b;EN-US;314056
Run regedit and navigate to
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
View what local services are running.
See if lsass.exe (or whatever it is that you are turning off whenever
you start your computer) is listed as a local service.
If it is, go to Control Panel / Administrative Tools / Services and turn it off.
If it isn't, it may be a matter of a process of elimination, one at a
time, to figure out which one is causing you problems - possibly one
called SSDPSRV.
Whether the above has helped or not, I would suggest downloading and
running the following programs (update them first), just to be sure.
CWShredder:
http://www.spychecker.com/program/coolwebshredder.html
Adaware:
http://www.spychecker.com/program/adaware.html
HijackThis:
http://www.spychecker.com/program/hijackthis.html
Best of luck,
Jeremy
Dyn/Gnosis ~ Powerful/Knowledge
www.Dyngnosis.com
Tutorials - Site Penetration Logs - (TheCommunity)Forums - Tools
-
August 27th, 2004, 09:07 PM
#3
The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging.
http:...bid=314056
This, from the MS knowledge base, shows it isn't 'bad'.
But you need to do a little more checking before you can sleep easy ...............
so now I'm in my SIXTIES FFS
WTAF, how did that happen, so no more alterations to the sig, it will remain as is now
Beware of Geeks bearing GIF's
come and waste the day :P at The Taz Zone
-
August 27th, 2004, 09:23 PM
#4
k, this is what I pulled out of ms-dos: I'm looking on Google to see if anything on these progs comes up! Do you see something I do not? Thanx!
kurt_der_koenig
edit**
I already have adaware and hijack this!
-
August 27th, 2004, 09:48 PM
#5
Let's get to the guts straight away.....
Drop the Hijack this log here and let's look at it....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
August 27th, 2004, 09:53 PM
#6
-
August 27th, 2004, 10:13 PM
#7
I'm glad TS asked for a HJT log.. my question was going to be
What do you have running.. then what services have you not disabled.. i.e. Messenger, SSDP and uPNP
Personally I use Process Explorer and check the handles on any running svchost.. all svchosts should be running under services.exe
there are better ppl than I to continue answering this question..
Cheers
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
August 27th, 2004, 10:52 PM
#8
I'm sorry Kurt... I spent 20 minutes typing a response only to find that some moron had pulled the power on the DSL modem my laptop connects through..... I don't have time for a full retype....
I will say that there are some things running there that you would be well to google for and if you find _no_ results just go ahead and delete them.... There was a BHO or two, the last two entries caught my eye too, there was a c:\windows\m* and another with the same pattern that I was suspicious about and a couple of other things... Googling the final executable or dll will give you a good idea...
As to you being negged, which I don't forget.....
To Kurt's "negger": Go ahead and neg me, dumbass.... I asked for the hijack this dump and he gave it..... So what is _your_ problem? Just have a better reason when you neg me than you did when you negged Kurt......
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
August 27th, 2004, 10:56 PM
#9
Use "tasklist /SVC" to find out what's running behind the svchost processes...
Ammo
Credit travels up, blame travels down -- The Boss
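Added example (not part of any post in this thread): a PowerShell script that applies the checks suggested above to every svchost.exe instance, namely image path under %SystemRoot%\System32, parent process services.exe, and the services hosted by each PID as "tasklist /SVC" lists them. It assumes a Windows system where Get-CimInstance is available (PowerShell 3.0 or later) and an elevated prompt; the flag wording is this example's own.

```powershell
# Added example: audit every svchost.exe instance on the local machine.
# Run elevated; ExecutablePath is empty for processes the caller cannot open.
$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Index all processes by PID so each svchost's parent can be looked up.
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# Group running services by the PID that hosts them (what "tasklist /SVC" shows).
$svcByPid = @{}
foreach ($s in Get-CimInstance -ClassName Win32_Service -Filter "State='Running'") {
    $id = [int]$s.ProcessId
    if (-not $svcByPid.ContainsKey($id)) { $svcByPid[$id] = @() }
    $svcByPid[$id] += $s.Name
}

$procs | Where-Object { $_.Name -ieq 'svchost.exe' } | ForEach-Object {
    $parent     = $byPid[[int]$_.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    $services   = $svcByPid[[int]$_.ProcessId]

    # Each flag marks something to review, not a verdict. On 64-bit Windows a
    # 32-bit svchost.exe under SysWOW64 is legitimate and will show the path flag.
    $flags = @()
    if (-not $_.ExecutablePath)               { $flags += 'path unreadable (not elevated?)' }
    elseif ($_.ExecutablePath -ine $expected) { $flags += 'not in System32' }
    if ($parentName -ine 'services.exe')      { $flags += 'parent is not services.exe' }
    if (-not $services)                       { $flags += 'hosts no running service' }

    [pscustomobject]@{
        PID      = $_.ProcessId
        Parent   = $parentName
        Path     = $_.ExecutablePath
        Services = ($services -join ', ')
        Flags    = ($flags -join '; ')
    }
} | Sort-Object PID | Format-Table -AutoSize -Wrap
```

The PID column lines up with the number after the colon in TCPView output such as svchost.exe:1024, so each listening port can be traced to the services in that group.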
-
August 28th, 2004, 01:52 AM
#10
Tiger Shark - you don't have to apologize to me. I understand that all too well here, as I have morons surrounding me too. lol jk. But I will look into what you said.
And to everybody else I thank you! Also I'm sorry that this forum turned out to be somewhat of a fight and everything! Thanx again for all your help that you guys have given me since my first post <Jan 2004> here at AO!