svchost.exe



I have an XP Home machine that always has an active svchost that causes constant internet activity. When I close svchost.exe (not the Windows one) from Ctrl-Alt-Del, the activity stops and all is good.

Can anyone help me figure out what it is and fix it?

I have tried the W32.Welchia.Worm fix from Symantec, but it said it didn't find anything.

Link to comment
Share on other sites

There are files that can cause this problem. Set your system to show all files and reboot in safe mode. Open My Computer and the hard disk. Go to the Windows/system32/wins folder. If there are any files in the folder (svchost & dllhost), delete them and reboot. This is a virus, and deleting these files will get your system back up and running. After you get back up, go to www.antivirus.com and run the House Call online scanner. It will make sure you are now clean. If you need a great antivirus solution (and free), go to www.grisoft.com and download the free version of AVG; it works better than Norton or McAfee. Good luck.

Link to comment
Share on other sites

I get an application error from svchost.exe at shutdown, just before my computer turns off. It doesn't happen all the time, but it did start after I installed Outlook 2003 (trial). Any ideas? I've googled it and also looked on MS, but to no avail. Any help would be appreciated!

Link to comment
Share on other sites

Does AVG detect worms? I think not. I was using AVG and got the Blaster virus; AVG did nothing. I installed Norton, and it at least quarantined items.

Link to comment
Share on other sites

I'm not sure if it's related, but recently there have been several China IPs that have been trying to connect to my PC through the svchost. I'm not sure why this is happening... no virus/trojan programs picked up a problem. I now just block any IP I see trying to access that file. So far I got three IP ranges going. The PCs are constantly trying to connect to me. Not sure of what is going on.

I would suggest installing a firewall to see what is going on. I recommend OutPost.

Link to comment
Share on other sites

Whoa! Stop!

Svchost.exe is a part of Windows that 'hosts' the services that perform various functions (often network-related) in your system. It is not unusual to have multiple processes for svchost at once. Unless it is infected (obviously not) by a virus, it IS NOT A VIRUS. The internet activity from it is a fairly normal thing, which is really just your system keeping in contact with the net.

/edit: If you run %SYSTEMROOT%\system32\services.msc, you will see what services svchost is providing.

Link to comment
Share on other sites

LOL, I was just waiting for someone to say that. You don't go deleting svchost.exe and expect there to be no problems. Do it and you will find out. In the wins folder, if there are two files, one is the Welchia virus, the other is supposed to be there.

I have been getting random connects to the svchost.exe; they, as I gather, are computers with the Blaster virus (Welchia also) and are looking to infect your system. I got the patches and still get those attempts; I block them every time.

Link to comment
Share on other sites

Not if it's from unknown IPs that are trying to connect to me. I can show you the logs if you want... this happens about 90+ times a day. It's not normal traffic. It specifically tries to connect to port 1026. No harm has been done, but why take a chance? I've read plenty on svchost already and have limited its use in OutPost. My system runs just fine.

Link to comment
Share on other sites

If you think you have a virus go to http://www.pandasoftware.com/activescan/co...n_principal.htm

That site might help you.

If you don't have a firewall up on your network, either go to http://www.zonelabs.com/store/content/home.jsp and download their free firewall,

or go to http://www.helpdesk.umd.edu/documents/4/4206/ to see how to enable the Windows XP firewall.

Then finally go to http://www.grc.com/default.htm to test how secure you are. Click on Shields Up.

Link to comment
Share on other sites

Shields Up has been discontinued. If you want to test your software firewall, see my Firewall Configuration Thread. www.pcpitstop.com has two antivirus tests online, and you can see how to tweak your computer some for better performance.

Link to comment
Share on other sites

Funny, I was there the other day and Shields Up is alive and kicking with some new tests also, e.g. File Sharing, Common Ports, All Service Ports, etc. tests!

Besides that, a good place to check your security is http://www.pcflank.com/ and http://www.hackerwatch.org/probe/

Link to comment
Share on other sites

That was a message I read one time at that site. But you can use almost any stealth scanner you want. I recommend Sygate though, but pcflank is good.

Link to comment
Share on other sites

MANUAL REMOVAL INSTRUCTIONS

Removing the Malware Service

This removes the running malware service from memory on systems running Windows NT, 2000, and XP.

Open a command prompt window. Click Start>Run, type CMD and then press the Enter key.

At the command prompt, type the following:

NET STOP "Network Connections Sharing"

Press the Enter key. A message should indicate that the service has been stopped successfully.

Do the same to stop the following service:

NET STOP "WINS Client"

Close the command prompt window.

Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.

In the left panel, double-click the following:

HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services

Still in the left panel, delete the subkeys:

RpcPatch

RpcTftpd

Close Registry Editor.

Removing Malware Components

This procedure removes the malware's other components:

Double-click the "My Computer" icon from the desktop.

Look for the Windows system folder.

Double-click the following folder:

WINS

Right-click the following files and select Delete from the pop-up menu:

SVCHOST.EXE

DLLHOST.EXE

Click Yes when asked for confirmation.

Link to comment
Share on other sites
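
The indicators named in the removal instructions above (SVCHOST.EXE and DLLHOST.EXE inside the WINS folder, and the RpcPatch and RpcTftpd service subkeys) can be turned into a check that separates the genuine Windows binaries in system32 from look-alikes. This is an added example, not part of any post in the thread; the process and service-key lists are constructed sample data, and the function and variable names are hypothetical.

```python
import ntpath

# Indicators from the removal instructions in this thread.
WATCHED_IMAGES = {"svchost.exe", "dllhost.exe"}
BAD_SERVICE_KEYS = {"rpcpatch", "rpctftpd"}

# Constructed sample inventory (not taken from a real machine).
SAMPLE_PROCESSES = [
    (812, r"C:\WINDOWS\system32\svchost.exe"),
    (1044, r"C:\WINDOWS\System32\svchost.exe"),
    (1620, r"C:\WINDOWS\system32\wins\SVCHOST.EXE"),
    (1688, r"C:\WINDOWS\system32\wins\DLLHOST.EXE"),
    (2204, r"C:\Documents and Settings\user\svchost.exe"),
    (2312, r"C:\WINDOWS\system32\dllhost.exe"),
]
SAMPLE_SERVICE_KEYS = ["Dhcp", "RpcPatch", "RpcSs", "RpcTftpd", "W32Time"]


def _norm(path):
    """Normalise a Windows path for case-insensitive comparison."""
    return ntpath.normcase(ntpath.normpath(path))


def audit(processes, service_keys, system_root=r"C:\WINDOWS"):
    """Return sorted (kind, detail) findings for (pid, path) pairs and service subkey names."""
    system32 = _norm(ntpath.join(system_root, "system32"))
    # The genuine binaries live in system32 (SysWOW64 holds 32-bit copies on 64-bit Windows).
    trusted = {system32, _norm(ntpath.join(system_root, "SysWOW64"))}
    wins_dir = _norm(ntpath.join(system32, "wins"))
    findings = []
    for pid, image_path in processes:
        folder, name = ntpath.split(_norm(image_path))
        if name not in WATCHED_IMAGES:
            continue
        if folder == wins_dir:
            findings.append(("wins-folder-image", f"pid {pid}: {image_path}"))
        elif folder not in trusted:
            findings.append(("unexpected-location", f"pid {pid}: {image_path}"))
    # Service subkeys the instructions say to delete.
    for key in service_keys:
        if key.lower() in BAD_SERVICE_KEYS:
            findings.append(("service-key", key))
    return sorted(findings)


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_PROCESSES, SAMPLE_SERVICE_KEYS):
        print(f"{kind:20} {detail}")
```

On a live system the two input lists would come from a process listing that includes full image paths and from the subkey names under the Services registry key.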

thanks davey, I was wrong on that o:D. :D

Link to comment
Share on other sites

Perhaps you have been hacked, or to use the correct term, rooted. This is where people who run warez channels on IRC use other people's connections to host their files and let people leech from. This would explain the multiple connections, and some people name one of their files svchost.exe. Apparently. :ninja:

G-Dub

Link to comment
Share on other sites

This topic is now closed to further replies.