Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Kaspersky - Svchost


  • Please log in to reply
1 reply to this topic

#1 adamsnez

adamsnez

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:56 PM

Posted 25 September 2007 - 04:49 PM

My Kaspersky says "proactive defense: Riskware-Invader" on SVCHOST in the Win32 folder

TERMINATE
DENY
SKIP

I know its a windows proces for DLL's.... But it says infected?
I've tried googling but found no definate answer. What should I do? Thanks guys


EDIT: oops.. no Hijackthis here, didnt read sorry.. im new

Edited by adamsnez, 25 September 2007 - 05:53 PM.


BC AdBot (Login to Remove)

 


m

#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,581 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:56 PM

Posted 26 September 2007 - 09:56 AM

Svchost.exe is a generic host process name for a group of services that are run from dynamic-link libraries (DLLs). This is a valid system process that belongs to the Windows Operating System which handles processes executed from DLLs. It runs from the registry key, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost where details of the services running under each instance of svchost.exe can be found. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load.

It is not unusual for multiple instances of Svchost.exe running at the same time in Task manager in order to optimise the running of the various services.

svchost.exe SYSTEM
svchost.exe LOCAL SERVICE
svchost.exe NETWORK SERVICE

Each Svchost.exe session can contain a grouping of services, therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging. The process ID's (PID's) are not static and can change with each logon but generally they stay nearly the same because they are running services all the time. The PID's must be checked in real time to determine what services each instance of svchost.exe is controlling at that particular time.

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file like svchost.exe. However, it then places itself in a different location on your computer. In XP, the legitimate Svchost.exe file is located in your C:\WINDOWS\system32\ folder.

Other legitimate copies can be found in the following folders:
C:\I386
C:\WINDOWS\ServicePackFiles\i386\
C:\WINDOWS\$NtServicePackUninstall$\
and a prefetch file located here: C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf

If svchost.exe is running as a startup (shows in msconfig), this can be bad as shown here and here.
Also make sure of the spelling. If it is scvhost.exe, then this a Trojan.

There are several ways to investigate svchost.exe and related processes.

You can download and use Process Explorer or Glarysoft Process Manager to investigate all running processes and gather additional information to identify and resolve problems. These tools will show the process CPU usage, a description and its path location. If you right-click on the file in question and select properties, you will see more details about the file.

The Process Explorer window shows two panes by default: the upper pane is always a process list and the bottom pane either shows the list of DLLs loaded into the process selected in the upper pane, or the list of operating system resource handles (files, Registry keys, synchronization objects) the process has open. In the menu at the top select View > Lower Pane View to change between DLLs and Handles.

Also see How to determine what services are running under a SVCHOST.EXE process.

If you have XP Pro, you can use Tasklist /SVC to view the list of services processes that are running in Svchost. The /SVC switch shows the list of active services in each process.

Go to Start > Run and type: cmd
press Ok
At the command prompt type: tasklist /svc >c:\taskList.txt
press Enter

Go to Start > Run and type: C:\taskList.txt
press Ok to view the list of processes

For help and syntax information, type the following command, and then press ENTER:
tasklist /?
Also see Syntax options[/i] and Tasklist Syntax.

You can also use the WMI command-line utility to view and list processes.
Go to Start > Run and type: cmd
press Ok
At the command prompt type: WMIC /OUTPUT:C:\ProcessList.txt PROCESS get Caption,Commandline,Processid
or: WMIC /OUTPUT:C:\ProcessList.txt path win32_process get Caption,Processid,Commandline
press Enter

Go to Start > Run and type: C:\ProcessList.txt
press Ok to view the details of all the processes.

And you can search the process name using Google, BC's: The File Database, File Research Center or the Process ID Database.

If you cannot find any information, the file has a legitimate name but is not located where it is supposed to be, or you want a second opinion, submit it to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users