Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

5 Svchost.exe's Running?


  • Please log in to reply
1 reply to this topic

#1 infected-boy

infected-boy

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:02 PM

Posted 25 August 2008 - 12:24 PM

Hey,


I have two hard drives on my PC. I was recently infected with (I think) some form of Virtumonde. I formatted and reinstalled my C: drive + and OS (windows XP). I left the E: drive because it is my backup drive.

Now, I still have 5 svchost.exe's running, (only is using 30,000kb memory - the highest memory hogging process on my PC!) even though the OS has been reinstalled.

Could the virus has infected my E: drive and survived? Isit normal to have so many svchost.exes and for one of them to be using so much memory?

Thanks

BC AdBot (Login to Remove)

 


m

#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:02 PM

Posted 25 August 2008 - 02:15 PM

Svchost.exe is a generic host process name for a group of services that are run from dynamic-link libraries (DLLs) and can run other services underneath itself. This is a valid system process that belongs to the Windows Operating System which handles processes executed from DLLs. It runs from the registry key, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost where details of the services running under each instance of svchost.exe can be found. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load.

It is not unusual for multiple instances of Svchost.exe running at the same time in Task manager in order to optimize the running of the various services.

svchost.exe SYSTEM (there can be more than one listed)
svchost.exe LOCAL SERVICE
svchost.exe NETWORK SERVICE (there can be more than one listed)

Each Svchost.exe session can contain a grouping of services, therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging. The process ID's (PID's) are not static and can change with each logon but generally they stay nearly the same because they are running services all the time. The PID's must be checked in real time to determine what services each instance of svchost.exe is controlling at that particular time.

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file like svchost.exe. However, it then places itself in a different location on your computer. In XP, the legitimate Svchost.exe file is located in your C:\WINDOWS\system32\ folder.

Other legitimate copies can be found in the following folders:
C:\I386
C:\WINDOWS\ServicePackFiles\i386\
C:\WINDOWS\$NtServicePackUninstall$\
C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf

If svchost.exe is running as a startup (shows in msconfig), it can be bad as shown here and here. Make sure the spelling is correct. If it's scvhost.exe, then your dealing with a Trojan.

There are several ways to investigate svchost.exe and related processes. First, see "How to determine what services are running under a Svchost.exe process" using Proces Explorer.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users