
Help: Too Many Svchost.exe Running



#1 distroyer


Posted 03 December 2007 - 11:57 PM

I have Windows XP installed on my system. I see around 9 processes of svchost.exe running on my system till today's date. Of these, 4 svchost belong to SYSTEM, 2 to NETWORK SERVICE and 3 to LOCAL SERVICE, as I see in the Task Manager.

I am a knowledgeable person, and whatever solution you tell me I can understand.


I scanned with Spyware Doctor's latest version, AVG Anti-Spyware's latest version and NOD32 anti-virus latest version, but didn't find anything. So I used HijackThis and here is the log file of processes:


Process list saved on 10:13:43 AM, on 12/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

[pid] [full path to filename] [file version] [company name]
572 C:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
672 C:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
716 C:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
728 C:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
884 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1052 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1088 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1440 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.2696 Microsoft Corporation
1820 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe 7.5.1.36 GRISOFT s.r.o.
1872 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1900 C:\Program Files\Eset\nod32krn.exe 2.70.32.0 Eset
1988 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
172 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1120 C:\WINDOWS\Explorer.EXE 6.0.2900.3156 Microsoft Corporation
1612 C:\Program Files\Eset\nod32kui.exe 2.70.32.0 Eset
4076 C:\Program Files\Yahoo!\Messenger\YPager.exe 7.0.2.120
3260 C:\Program Files\Google\Google Talk\googletalk.exe 1.0.0.104 Google
3796 C:\PROGRA~1\MOZILL~1\FIREFOX.EXE 1.8.20071.12718 Mozilla Corporation
240 C:\WINDOWS\system32\taskmgr.exe 5.1.2600.2180 Microsoft Corporation
3432 C:\PROGRA~1\WINZIP\winzip32.exe 18.0.6224.0 WinZip Computing, Inc.
3640 C:\Documents and Settings\Akshay\Local Settings\Temp\HijackThis.exe 2.0.0.2 Trend Micro Inc.
2684 C:\WINDOWS\system32\NOTEPAD.EXE 5.1.2600.2180 Microsoft Corporation


DLLs loaded by process C:\WINDOWS\system32\svchost.exe:

[full path to filename] [file version] [company name]
C:\WINDOWS\system32\ntdll.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\kernel32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\ShimEng.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\USER32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\GDI32.dll 5.1.2600.3159 Microsoft Corporation
C:\WINDOWS\system32\WINMM.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\ole32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\msvcrt.dll 7.0.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.3139 Microsoft Corporation
C:\WINDOWS\system32\MSACM32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\VERSION.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\SHELL32.dll 6.0.2900.2180 Microsoft Corporation
C:\WINDOWS\system32\SHLWAPI.dll 6.0.2900.3157 Microsoft Corporation
C:\WINDOWS\system32\USERENV.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\UxTheme.dll 6.0.2900.2180 Microsoft Corporation
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 6.0.2900.2180 Microsoft Corporation
C:\WINDOWS\system32\comctl32.dll 5.82.2900.2180 Microsoft Corporation
C:\WINDOWS\system32\NTMARTA.DLL 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\SAMLIB.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\rpcss.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\WS2_32.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\WS2HELP.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\Secur32.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.258 Microsoft Corporation
C:\WINDOWS\system32\COMRes.dll 2001.12.4414.258 Microsoft Corporation
c:\windows\system32\termsrv.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\ICAAPI.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\SETUPAPI.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\MSASN1.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\AUTHZ.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\mstlsapi.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\ACTIVEDS.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\adsldpc.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.2180 Microsoft Corporation
c:\windows\system32\ATL.DLL 3.5.2284.0 Microsoft Corporation
C:\WINDOWS\system32\REGAPI.dll 5.1.2600.2180 Microsoft Corporation
C:\WINDOWS\system32\rsaenh.dll 5.1.2600.2161 Microsoft Corporation
C:\WINDOWS\system32\Apphelp.dll 5.1.2600.2180 Microsoft Corporation



and here is the log file of general scan done using HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:08 AM, on 12/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Akshay\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D453ED8-EEDF-4FE8-80AA-6B8EBF8980D3}: NameServer = 61.1.96.71,61.1.64.65
O17 - HKLM\System\CCS\Services\Tcpip\..\{A82F9EC1-05B6-43AD-979D-19079AC12C8C}: NameServer = 218.248.240.208 218.248.255.193
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 3717 bytes


Please help me out: why are 9 processes of svchost running on my system? Also, I found that some days before there were only 7 instances running and now there are 9; what the hell is happening? I can't format because I don't have that much time and I have too much important data on my system; I can't think of formatting. Tell me some other way.

Edited by distroyer, 04 December 2007 - 12:05 AM.



#2 teacup61


Posted 04 December 2007 - 12:28 AM

Hello distroyer,

Welcome to Bleeping Computer :thumbsup:

There is nothing malicious in your log, and you do not have an unusual number of svchost.exe running. :blink: Lots of people have even more than that at one time, and I myself average at least 6. Not to worry. :wacko:

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?
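
One way to sanity-check the svchost.exe entries in a HijackThis process list like the one posted above, as an added example that is not part of the original thread and is not HijackThis code. It assumes the default Windows XP install path C:\WINDOWS\system32; the sample lines are constructed in the log's format, and the PID 2222 entry is invented to show a failing case.

```python
import re
from ntpath import basename, dirname, normcase  # Windows path rules on any OS

# Layout: [pid] [full path to filename] [file version] [company name]
LINE = re.compile(r"^(\d+)\s+(.+?\.exe)\s+(\d+(?:\.\d+)+)\s*(.*)$", re.IGNORECASE)
EXPECTED_DIR = normcase(r"C:\WINDOWS\system32")  # assumption: default XP path
EXPECTED_VENDOR = "Microsoft Corporation"

# Constructed sample in the same format as the posted log.
# The last line (PID 2222) is invented for illustration.
SAMPLE = r"""
884 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1052 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
4076 C:\Program Files\Yahoo!\Messenger\YPager.exe 7.0.2.120
2222 C:\WINDOWS\Temp\svchost.exe 1.0.0.0
"""

def parse(log):
    """Yield (pid, path, version, company) for each process line."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), m.group(4).strip()

def review_svchost(log):
    """Return (number of svchost.exe entries, list of (pid, reason))."""
    count, findings = 0, []
    for pid, path, _version, company in parse(log):
        if normcase(basename(path)) != "svchost.exe":
            continue
        count += 1
        # Windows paths are case-insensitive: System32 and system32 are equal.
        if normcase(dirname(path)) != EXPECTED_DIR:
            findings.append((pid, "unexpected directory: " + dirname(path)))
        # The company name is self-declared file metadata, so a match is weak
        # evidence, but a mismatch is worth a closer look.
        if company != EXPECTED_VENDOR:
            findings.append((pid, "unexpected company name: " + (company or "(none)")))
    return count, findings

if __name__ == "__main__":
    total, issues = review_svchost(SAMPLE)
    print(total, "svchost.exe entries")
    for pid, reason in issues:
        print("PID", pid, "-", reason)
```

The number of svchost.exe instances is reported but not judged; only the location and declared vendor of each instance are checked.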

#3 teacup61


Posted 13 December 2007 - 02:48 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



