I think I understand the purpose of this, but I have some questions. First, I have noticed that on some HJT logs there may be several (3 or 4) such files. Is this a clue that perhaps a trojan has set up such a file to help activate itself? If I opened the file, what would I look for? I have read that trojans set up their nasties in the SVCHOST file? Very interesting!! A tutorial about where nasties hide and what they look like would be great. Your tutorials are tremendous---Keep it up. I saw a site the other day that gives file descriptions (I usually Google); it is called "KEPHYR". I hope besides the good description they didn't also give me a virus/spy. I have become paranoid.
SVCHOST.EXE
#1
Posted 15 August 2004 - 06:35 PM
EDBEE from NMUSA- RENOWNED MALWARE FIGHTER AND SWORN ENEMY OF ALL INTERNET HIJACKERS
#2
Posted 15 August 2004 - 11:35 PM
Kephyr is a good and valid site. You don't have to worry about them.
When a program is run, it loads itself into memory as a process. This process can then be seen as running under the name of the file. For example, running bleeping.exe would create a process called bleeping.exe.
Now there are things called services that run in a special way. They can be started via their files themselves (.exe files) or be stored as a dll file. These dll files can then be loaded via svchost.exe.
It is perfectly normal to see multiple svchost.exe processes running, with each process handling multiple services running from dlls. That it is valid to see this does not mean that hijackers do not use it as well, because they do. It just makes it harder to find.
Lawrence Abrams
#3
Posted 18 August 2004 - 03:10 AM
Normally they run out of the system32 folder, as I have posted below. If you happen to find one in your windows folder, you should probably scan for a trojan.
c:/windows/system32/svchost.exe is a valid windows file
But
c:/windows/svchost.exe is not
This post has been edited by The Bear: 18 August 2004 - 03:11 AM
Computer help forums are full of those that go around the internet
clicking Willy Nilly and installing or downloading everything in sight
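
The checks described in the replies above, as an added example that is not part of the original thread: this PowerShell lists every running svchost.exe with its on-disk path and the services it hosts, and marks any copy running from outside System32. It assumes PowerShell 3.0 or later and an elevated prompt so that every process path is readable.

```powershell
# Added example (not from the thread): audit running svchost.exe instances.
# Rule taken from the thread: the valid copy lives in <Windows>\System32.
# Note: 64-bit Windows also ships a 32-bit copy in <Windows>\SysWOW64.
$expectedDir = Join-Path $env:SystemRoot 'System32'

# Build a map of process ID -> names of the services running inside it.
$servicesByPid = @{}
Get-CimInstance -ClassName Win32_Service -Filter "State = 'Running'" |
    ForEach-Object {
        $servicesByPid[[int]$_.ProcessId] += @($_.Name)
    }

# Inspect every process named svchost.exe, wherever its file actually is.
$report = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'" |
    ForEach-Object {
        $path = $_.ExecutablePath   # empty if we lack rights to query it

        $verdict = if (-not $path) {
            'UNKNOWN (rerun elevated)'
        } elseif ((Split-Path -Path $path -Parent) -ieq $expectedDir) {
            'expected location'
        } else {
            'OUTSIDE System32 - investigate'
        }

        [pscustomobject]@{
            PID      = $_.ProcessId
            Verdict  = $verdict
            Path     = $path
            Services = ($servicesByPid[[int]$_.ProcessId] -join ', ')
        }
    }

# Several rows with 'expected location' and a list of services is normal.
# Rows outside System32, or with no hosted services, deserve a closer look.
$report | Sort-Object Verdict, PID | Format-Table -AutoSize -Wrap
```

A matching name and path is only a first filter; a full antivirus scan is still the follow-up for anything flagged.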