
A lot of svchost.exe running


#1 Greyowl


  • Members
  • 1 posts
  • Local time:10:38 AM

Posted 22 June 2009 - 08:06 PM

I need to know if this is normal to have so many svchost.exe running; it's taking up a lot of RAM. My AVG found earlier that about 9 or so svchost.exe are rootkits, but it did not delete them, and warns me if I try to. Also, sometimes my internet gets really slow, and the network usage in Task Manager is at like max 1 percent, so the internet must be restricted.

Below is a screenshot of my Task Manager with the svchost.exe
Posted Image

Edited by boopme, 22 June 2009 - 09:36 PM.
Moved from XP to AII~~boopme




#2 hamluis



  • Moderator
  • 54,995 posts
  • Gender:Male
  • Location:Killeen, TX
  • Local time:07:38 PM

Posted 22 June 2009 - 09:18 PM

LOL...no, that's not normal at all.

I currently have 8 and that's the most I've ever seen on this system.

The normal ones are the ones with System, Network Service, or Local Service as the user.

I think I'd try to find out what all those others are...seems as if they are all installed programs.

A tool you might use, http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx


#3 OldPhil



  • Members
  • 3,900 posts
  • Gender:Male
  • Location:Long Island New York
  • Local time:08:38 PM

Posted 22 June 2009 - 09:47 PM

Ditto on eight. Let us know what you find; that is a weird one.


Honesty & Integrity Above All!

#4 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 50,710 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:38 PM

Posted 23 June 2009 - 07:26 AM

Svchost.exe is a generic host process name for a group of services that are run from dynamic-link libraries (DLLs) and can run other services underneath itself. This is a valid system process that belongs to the Windows Operating System which handles processes executed from .dll's. It runs from the registry key, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost where details of the services running under each instance of svchost.exe can be found. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. It is not unusual for multiple instances of Svchost.exe to be running at the same time in Task Manager in order to optimize the running of the various services.

svchost.exe SYSTEM (there can be more than one listed)
svchost.exe LOCAL SERVICE
svchost.exe NETWORK SERVICE (there can be more than one listed)

Each Svchost.exe session can contain a grouping of services, therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging. The process ID's (PID's) are not static and can change with each logon but generally they stay nearly the same because they are running services all the time. The PID's must be checked in real time to determine what services each instance of svchost.exe is controlling at that particular time.

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file like svchost.exe. However, it then places itself in a different location on your computer. Another technique is for the process to alter the registry and add itself as a Startup program so that it can run automatically each time the computer is booted. In XP, the legitimate Svchost.exe file is located in your C:\WINDOWS\system32\ folder.

Other legitimate copies can be found in the following folders:

If svchost.exe is running as a startup (shows in msconfig), it can be bad as shown here and here. Make sure the spelling is correct. If it's scvhost.exe, then you're dealing with a Trojan.

There are several ways to investigate and see what services a Svchost.exe process is controlling:

Note: Process Explorer shows two panes by default: the upper pane is always a process list and the bottom pane either shows the list of DLLs loaded into the process selected in the upper pane, or the list of operating system resource handles (files, Registry keys, synchronization objects) the process has open. In the menu at the top select View > Lower Pane View to change between DLLs and Handles.

Tools to investigate running processes and gather additional information to identify them and resolve problems:

These tools will provide information about each process, CPU usage, file description and its path location. If you right-click on a file and select properties, you will see more details.

However, if AVG is detecting rootkits then you probably should start by performing some other scans.

Please download F-Secure Easy Clean and save the file to your desktop.
Be sure to read the Frequently Asked Questions before performing a scan.
  • Double-click on fseasyclean.exe to launch the program.
  • Read the license agreement and click Accept.
  • Click Start to begin the scan and cleaning.
  • Please be patient as the scan may take a while to complete.
  • If a rootkit is detected, Easy Clean will require you to restart the computer in order to complete the removal process.
  • Once the computer restarts, Easy Clean will launch automatically and continue with disinfection.
  • When finished it will show the results of what was found and removed.
  • Exit Easy Clean when done.
Please download Malwarebytes Anti-Malware (v1.38) and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

** If Malwarebytes Anti-Malware results in any error messages, please refer to Fixes for common problems and Error Codes. Some issues with errors can be related to malware infection but others are not.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
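
The checks described in post #4 (executable path, spelling of the name, the account each instance runs under, and which services it hosts), as an added PowerShell example that is not part of the original thread. It assumes PowerShell 3.0 or later with the CIM cmdlets, run from an elevated prompt; the expected path and the three account names are taken from the posts above, and the Review column marks instances to look at more closely rather than giving a verdict.

```powershell
# Added example (not from the thread): list svchost-like processes with
# their path, owning account and hosted services, and note anything that
# differs from what the posts above describe as normal.

$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'
$okUsers  = 'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE'
# The real name plus the misspelling mentioned in post #4.
$names    = 'svchost.exe', 'scvhost.exe'

# Build a PID -> service-name map (the same data "tasklist /svc" shows).
$svcByPid = @{}
Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    ForEach-Object { $svcByPid[[int]$_.ProcessId] += @($_.Name) }

$procs = Get-CimInstance Win32_Process |
    Where-Object { $names -contains $_.Name }

$report = foreach ($p in $procs) {
    $procId = [int]$p.ProcessId
    # GetOwner can fail for protected processes or ones that just exited.
    $owner = (Invoke-CimMethod -InputObject $p -MethodName GetOwner `
                  -ErrorAction SilentlyContinue).User
    $notes = @()
    if ($p.Name -ne 'svchost.exe') { $notes += 'lookalike name' }
    if (-not $p.ExecutablePath) {
        $notes += 'path unreadable (run elevated)'
    } elseif ($p.ExecutablePath -ne $expected) {
        # Other legitimate folders exist but are not listed on this page,
        # so any other path is only marked for review.
        $notes += 'unexpected path'
    }
    if ($owner -and $okUsers -notcontains $owner) { $notes += "runs as $owner" }
    if (-not $svcByPid.ContainsKey($procId)) { $notes += 'hosts no services' }

    [pscustomobject]@{
        PID      = $procId
        Name     = $p.Name
        User     = $owner
        Path     = $p.ExecutablePath
        Services = $svcByPid[$procId] -join ','
        Review   = $notes -join '; '
    }
}

# Instances with review notes sort to the top.
$report | Sort-Object { $_.Review -eq '' } | Format-Table -AutoSize -Wrap
```

PIDs change between logons, so run it at the time of investigation rather than relying on an earlier listing.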
