2 replies to this topic

#1 EdBee


  • Members
  • 208 posts
  • Local time:12:42 PM

Posted 15 August 2004 - 06:35 PM

I think I understand the purpose of this, but I have some questions. First, I have noticed that on some HJT logs there may be several (3 or 4) such files. Is this a clue that perhaps a trojan has set up such a file to help activate itself? If I opened the file, what would I look for? I have read that trojans set up their nasties in the SVCHOST file? Very interesting!! A tutorial about where nasties hide and what they look like would be great. Your tutorials are tremendous. Keep it up. I saw a site the other day that gives file descriptions (I usually Google); it is called "KEPHYR". I hope besides the good description they didn't also give me a virus/spy. I have become paranoid.


#2 Grinler


    Lawrence Abrams

  • Admin
  • 43,660 posts
  • Gender:Male
  • Location:USA
  • Local time:11:42 AM

Posted 15 August 2004 - 11:35 PM

Kephyr is a good and valid site. You don't have to worry about them.

When a program is run, it loads itself into memory as a process. This process can then be seen as running under the name of the file. For example, running bleeping.exe would create a process called bleeping.exe.

Now there are things called services that run in a special way. They can be started via their files themselves (.exe files) or be stored as a dll file. These dll files can then be loaded via svchost.exe.

It is perfectly normal to see multiple svchost.exe processes running, with each process handling multiple services running from dlls. That it is valid to see this does not mean that hijackers do not use it as well, because they do. It just makes it harder to find.

#3 The Bear

The Bear

  • Members
  • 79 posts
  • Gender:Male
  • Location:California
  • Local time:11:42 AM

Posted 18 August 2004 - 03:10 AM

Normally they run out of the system32 folder, as I have posted below. If you happen to find one in your Windows folder, you should probably scan for a trojan.

c:/windows/system32/svchost.exe is a valid windows file :flowers:


c:/windows/svchost.exe is not :thumbsup:

Edited by The Bear, 18 August 2004 - 03:11 AM.

Computer help forums are full of those that go around the internet
clicking Willy Nilly and installing or downloading everything in sight
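
The two checks discussed in this thread (which services each svchost.exe instance is hosting, and whether its image sits in the system32 folder) can be done in one pass. The script below is an added example, not part of any post in the thread; it assumes PowerShell 3.0 or later, and it also accepts the SysWOW64 copy of svchost.exe that 64-bit Windows ships, which the thread does not mention.

```powershell
# Added example: audit every running svchost.exe by image path and hosted services.
# Run from an elevated prompt; without elevation some ExecutablePath values are empty.

# Locations treated as expected. System32 is the one named in the thread;
# SysWOW64 is an assumption added here for 64-bit Windows.
$expected = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

# Build a lookup of process ID -> services running inside that process.
$servicesByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object ProcessId -AsHashTable -AsString

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $path = $_.ExecutablePath

    # -contains compares strings case-insensitively, which matches Windows paths.
    $status = if (-not $path) {
        'path unavailable (not elevated?)'
    } elseif ($expected -contains $path) {
        'expected location'
    } else {
        'UNEXPECTED LOCATION'
    }

    $hosted = $servicesByPid["$($_.ProcessId)"]

    [pscustomobject]@{
        PID      = $_.ProcessId
        Status   = $status
        Path     = $path
        Services = if ($hosted) { $hosted.Name -join ', ' } else { '(no services registered)' }
    }
} | Sort-Object Status, PID | Format-Table -AutoSize -Wrap
```

A row marked UNEXPECTED LOCATION, or an svchost.exe that hosts no registered services, is the kind of entry worth scanning, as post #3 suggests.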
