
svchost file????



#1 unhandled_exception


Posted 05 October 2015 - 09:38 PM

Could anyone explain any or part of this file I found? svchost dump

 

The system was put into hibernation.
The system was resumed from hibernation.
Windows has detected that the system firmware (BIOS) was updated [previous firmware date = %2, current firmware date %3]
A device driver is leaking locked I/O pages causing system degradation. The system has automatically enabled tracking code in order to try and catch the culprit.
The ALPC message being canceled has already been retrieved from the queue on the other side.
The system power state is transitioning from %2 to %3
The receive operation was successful. Check the ALPC completion list for the received message.
The system power state is transitioning from %2 to %3 but could enter %4.
Access to %1 is monitored by policy rule %2.
A valid hibernation file has been invalidated and should be abandoned.
Business rule scripts are disabled for the calling application.
The specified copy of the requested data was successfully read.
{Image Relocated}
An image file was mapped at a different address from the one specified in the image file but fixups will still be automatically performed on the image.
The system has awoken
The Directory Service is shutting down.
The volume repair could not be performed while it is online.
Please schedule to take the volume offline so that it can be repaired.
One or more services failed to start during the service startup phase of a run level switch.
Debugger will reply later





#2 CodeSmasha


Posted 06 October 2015 - 01:39 AM

svchost is a process that does various tasks in the background, as described here:

 

 

You are no doubt reading this article because you are wondering why on earth there are nearly a dozen processes running with the name svchost.exe. You can’t kill them, and you don’t remember starting them… so what are they?

According to Microsoft: “svchost.exe is a generic host process name for services that run from dynamic-link libraries”. Could we have that in English please?

Some time ago, Microsoft started moving all of the functionality from internal Windows services into .dll files instead of .exe files. From a programming perspective this makes more sense for reusability… but the problem is that you can’t launch a .dll file directly from Windows, it has to be loaded up from a running executable (.exe). Thus the svchost.exe process was born.

If you’ve ever taken a look at the Services section in control panel you might notice that there are a lot of services required by Windows. If every single service ran under a single svchost.exe instance, a failure in one might bring down all of Windows… so they are separated out.

Those services are organized into logical groups, and then a single svchost.exe instance is created for each group. For instance, one svchost.exe instance runs the 3 services related to the firewall. Another svchost.exe instance might run all the services related to the user interface, and so on.

 


Edited by CodeSmasha, 06 October 2015 - 01:40 AM.


#3 quietman7


Posted 06 October 2015 - 07:48 AM

Svchost.exe is a generic host process name for a group of services that are run from dynamic-link libraries (.dll's) and can run other services underneath itself. This is a valid system process that belongs to the Windows Operating System which handles processes executed from .dll's. It runs from the registry key, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost where details of the services running under each instance of svchost.exe can be found. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. It is not unusual to find multiple instances of Svchost.exe running at the same time in Windows Task Manager in order to optimize the running of the various services.
  • svchost.exe SYSTEM
  • svchost.exe LOCAL SERVICE
  • svchost.exe NETWORK SERVICE
Each Svchost.exe session can contain a grouping of services, therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging. The process identifier (PID)'s must be checked in real time to determine what services each instance of svchost.exe is controlling at that particular time. The PID is not static and can change with each logon but generally they stay nearly the same because they are always running services.

Determining whether a file is malware or a legitimate process usually depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. For example, many legitimate programs are located in the C:\Windows\System32 folder. Malicious files with the same name are commonly located in C:\Users\[UserName]\ or C:\Users\[UserName]\AppData\Local\Temp. The user profile AppData, ProgramData, and temp folders are common hiding places for malicious files.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
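
Added example, not part of quietman7's post: a PowerShell sketch of the checks described above. It lists the service groups stored under the Svchost registry key, then maps every running svchost.exe to its PID, account, image path and hosted services. It assumes an elevated prompt; accepting SysWOW64 as a second expected folder is an assumption of this example, not something the post states.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell prompt.

# Part 1: service groups defined under the Svchost registry key named in the post.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
(Get-ItemProperty -Path $key).PSObject.Properties |
    Where-Object { $_.Value -is [string[]] } |   # REG_MULTI_SZ values are the groups
    ForEach-Object {
        [pscustomobject]@{ Group = $_.Name; Services = $_.Value -join ', ' }
    } | Format-Table -AutoSize -Wrap

# Part 2: every running svchost.exe with PID, account, image path and live services.
# Assumption: System32 is the expected folder (per the post); SysWOW64 is also
# accepted because 64-bit Windows keeps a 32-bit copy of svchost.exe there.
$expected = 'System32', 'SysWOW64' |
    ForEach-Object { Join-Path $env:SystemRoot "$_\svchost.exe" }

# Index running services by the PID of the process that hosts them.
$servicesByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $proc  = $_
    $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner `
                 -ErrorAction SilentlyContinue
    $path  = $proc.ExecutablePath   # empty when the caller lacks rights to read it

    $status = if (-not $path)              { 'UNKNOWN (not elevated?)' }
              elseif ($path -in $expected) { 'expected path' }
              else                         { 'UNEXPECTED PATH' }

    [pscustomobject]@{
        PID      = $proc.ProcessId
        Account  = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { '' }
        Status   = $status
        Path     = $path
        Services = ($servicesByPid["$($proc.ProcessId)"].Name -join ', ')
    }
} | Sort-Object Status, PID | Format-Table -AutoSize -Wrap
```

PIDs change between boots, so the second table describes only the current session. A row marked UNEXPECTED PATH is a lead for further inspection, not a verdict.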

#4 unhandled_exception


Posted 07 October 2015 - 01:05 AM

Got some popup saying something about an "OLE drag and drop"......Then a window like a remote user saying something about pulling out battery.   ?????

Screen flashed then computer restarted.

 

This happened after running the download in prev post.


Edited by unhandled_exception, 07 October 2015 - 01:06 AM.


#5 unhandled_exception


Posted 07 October 2015 - 01:07 AM

I then got some kind of popup about toaster / game console??????   WTH????



#6 unhandled_exception


Posted 07 October 2015 - 01:15 AM

I finally got the svchost lookup to run but said nothing was running.....



#7 unhandled_exception


Posted 07 October 2015 - 01:20 AM

This flashed on my screen then disappeared.       Forms or an MDIForm are painted at run time with 3-D effects



#8 quietman7


Posted 07 October 2015 - 06:34 AM


I have moved (split away) your FRST log(s) to the Virus, Trojan, Spyware, and Malware Removal Logs forum as they are not permitted in this forum.

Please go here, click on the Follow this topic button in the upper right corner and select Immediate Notification to subscribe to that topic so you are notified when a helper replies.

Now that your new topic is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Response Team member...nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the information or any log(s) you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process or make things worse which would extend the time it takes to clean your computer.

From this point on the Malware Response Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take several days to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers but your topic will be reviewed and answered as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.

I advise checking your new topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, please follow Step One and CLICK the link so it will report your topic to the team members.

To avoid confusion, I am closing this topic.

The BC Staff