
Which software initiates svchost call that causes lots of download?


  • This topic is locked
5 replies to this topic

#1 GoshenBleeping

GoshenBleeping

  • Members
  • 264 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:03 AM

Posted 24 December 2014 - 02:22 PM

System: Windows 7 Home Premium, 64 bit;  ASUS K52F laptop
 
I had some time in the past posted a similar question to this post but never received a good answer. So I am trying again.
 
Occasionally there is a svchost process that when initiated causes a lot of downloads. See the attached for the services called for this process. I would like to determine why these downloads are occurring. My goal, if possible, is to reduce or eliminate these downloads. So my question is:  How do I determine which software is initiating this svchost process to run? Or am I asking the wrong question?
 
Note:  Windows Update service is set to manual; Where possible, I have configured all installed software to not automatically install or even check for updates (I do these checks manually every week).



 


#2 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:05:03 PM

Posted 24 December 2014 - 03:11 PM

Occasionally there is a svchost process that when initiated causes a lot of downloads.

This is often related to Infections that cause these problems. Any programs that over-use svchost process are often bad.

You may have been given some incorrect information, or others did not understand your problem earlier. Please place this in the hands of the Experts.
 

 

Please follow the instructions in the Malware Removal Preparation Guide starting at Step 6.

  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running DDS which will create two logs. Note: Windows 8.1 Users will not be able to run DDS and create a log.

When you have done that, Copy and Paste your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT Here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the requested logs, then still start the new topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one, to prevent others answering incorrectly.

 

Please note : The Volunteer Malware Response Group are very busy, so please post now and wait for a reply as soon as they are able to help you.

 

EDIT - Please read the Technology section of the post >> In Wikipedia for a better understanding of why you are often "harassed" by Akamai as you asked other times, but you did not get the answer that you were looking for.

 

Thank You -


Edited by noknojon, 24 December 2014 - 03:29 PM.


#3 hamluis

hamluis

    Moderator


  • Moderator
  • 56,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:01:03 AM

Posted 24 December 2014 - 03:20 PM

This is often related to the update or "phone home" functions built into just about every program these days.

 

Essentially...Windows Update and your installed AV program...are the only apps which probably are running in svchost.exe with any legitimacy re need...as opposed to all the browser plugins and junk programs which users install and which (probably) avail themselves of svchost.exe processes by virtue of the users selecting "default" install options for programs, toolbars, and other browser add-ons, IMO.

 

The items I speak of have nothing to do with malware, just user laziness or ignorance of what goes on when a program is installed or browser add-ons are employed.

 

How to determine what services are running under a SVCHOST.EXE process - http://www.bleepingcomputer.com/tutorials/tutorial129.html

 

Louis


Edited by hamluis, 24 December 2014 - 03:20 PM.


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,905 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:03 AM

Posted 24 December 2014 - 03:20 PM

Svchost.exe is a generic host process name for a group of services that are run from dynamic-link libraries (.dll's) and can run other services underneath itself. This is a valid system process that belongs to the Windows Operating System which handles processes executed from .dll's. It runs from the registry key, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost where details of the services running under each instance of svchost.exe can be found. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. It is not unusual to find multiple instances of Svchost.exe running at the same time in Windows Task Manager in order to optimize the running of the various services.

  • svchost.exe SYSTEM
  • svchost.exe LOCAL SERVICE
  • svchost.exe NETWORK SERVICE

Each Svchost.exe session can contain a grouping of services, therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging. The process identifier (PID)'s must be checked in real time to determine what services each instance of svchost.exe is controlling at that particular time. The PID is not static and can change with each logon but generally they stay nearly the same because they are always running services.

Determining whether a file is malware or a legitimate process usually depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a legitimate or critical system file like svchost.exe. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. The legitimate Svchost.exe file is located in the C:\WINDOWS\system32\ folder. In Windows 7 64-bit the file may be located in the SysWOW64 folder. Malicious Svchost.exe files are commonly located in C:\Users\[UserName]\msiexec.exe or C:\Users\[UserName]\AppData\Local\Temp.

Another technique is for the malicious process to alter the registry and add itself as a startup program or service so that it can run automatically each time the computer is booted. If svchost.exe is running as a startup (shows in msconfig), it can be bad as shown here. Always make sure the spelling is correct. If it's scvhost.exe, then you're dealing with a Trojan.

You may want to read this tutorial: How to determine what services are running under a Svchost.exe process

Windows Task Manager does not provide enough information. These are tools to investigate running processes, programs that run at startup, services and gather additional information to identify them or resolve problems:

These tools will provide information about each process, CPU usage, file description and its location. Most of them are stand-alone portable apps in a zip file so no installation is necessary.
 

 


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

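Added example (not part of quietman7's post or the linked tutorial): the checks described in the post above, name spelling, folder, and which services each svchost.exe PID hosts, applied to constructed `tasklist /svc /fo csv` output. The PID-to-path map, the look-alike list and the "hosts no services" heuristic are assumptions made for illustration.

```python
import csv
import io
import ntpath

# Constructed sample of `tasklist /svc /fo csv` output (not from the thread).
TASKLIST_SVC = '''"Image Name","PID","Services"
"svchost.exe","812","DcomLaunch,PlugPlay,Power"
"svchost.exe","1044","BITS,wuauserv,Schedule,Winmgmt"
"svchost.exe","3320","N/A"
"scvhost.exe","4016","N/A"
"explorer.exe","2280","N/A"
'''

# Constructed PID -> executable path map (e.g. copied from a process viewer).
PATHS = {
    812: r"C:\Windows\System32\svchost.exe",
    1044: r"C:\Windows\System32\svchost.exe",
    3320: r"C:\Users\Example\AppData\Local\Temp\svchost.exe",
    4016: r"C:\Windows\System32\scvhost.exe",
    2280: r"C:\Windows\explorer.exe",
}

TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
LOOKALIKES = {"scvhost.exe", "svch0st.exe", "svhost.exe"}  # illustrative list


def audit_svchost(tasklist_csv, paths):
    """Return {pid: (services, findings)} for svchost.exe and look-alike names."""
    report = {}
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        name = row["Image Name"].lower()
        if name != "svchost.exe" and name not in LOOKALIKES:
            continue
        pid = int(row["PID"])
        services = [] if row["Services"] == "N/A" else row["Services"].split(",")
        findings = []
        if name in LOOKALIKES:
            findings.append("look-alike name")
        folder = ntpath.dirname(paths.get(pid, "")).lower()
        if folder not in TRUSTED_DIRS:
            findings.append("unexpected path")
        if name == "svchost.exe" and not services:
            findings.append("hosts no services")
        report[pid] = (services, findings)
    return report
```

The service list returned for a PID is what ties network activity seen on that svchost.exe instance back to a specific service; an empty findings list only means the name, path and hosting checks passed.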

#5 GoshenBleeping

GoshenBleeping
  • Topic Starter

  • Members
  • 264 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:03 AM

Posted 24 December 2014 - 03:55 PM

 


I have created a new post at this URL:

http://www.bleepingcomputer.com/forums/t/560899/svchost-call-causing-lots-of-download-malware/

 

PLEASE NOTE: I tried to copy/paste the DDS logs. But when I clicked on Post, even after 5 mins, the browser still had not completed the post. So instead I attached the 2 DDS logs. I apologize if this complicates the analysis.


Edited by hamluis, 24 December 2014 - 04:15 PM.


#6 hamluis

hamluis

    Moderator


  • Moderator
  • 56,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:01:03 AM

Posted 24 December 2014 - 04:11 PM

The logs are no problem, I can paste them into the topic :).

 

Now that you have properly posted a malware log topic, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on, the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic.

Louis





