
*3* instances of svchost.exe

 
 
Fred Ma
      22nd Aug 2003
Hello,

I just went through the procedure of
http://vil.nai.com/vil/content/v_100559.htm
to get rid of Nachi worm. I did the service
removal, file removal, stinger, SP2 upgrade,
the MS03-026 patch, etc. etc. (gasp!).
I didn't get much work done on my thesis tonight.

I still have *3* instances of svchost.exe in my
task manager. Is this normal??

Thanks.

Fred

P.S. Posted to:
alt.comp.anti-virus
alt.comp.virus
grc.security.software


 
David
      22nd Aug 2003
Yes. Three is actually probably better than "normal". It probably means you
have already shut off some of your unnecessary services. If you look through
the services you have running in the service manager, you should have three
services currently running that show something similar to this as the path
to the executable:
C:\WINNT\System32\svchost.exe -k parameter

The name and description of each service tells you what they are.

> I still have *3* instances of svchost.exe in my
> task manager. Is this normal??



 
GSV Three Minds in a Can
      22nd Aug 2003
Bitstring <mNh1b.5755$(E-Mail Removed)>, from the
wonderful person David <(E-Mail Removed)> said
>Yes. Three is actually probably better than "normal". It probably means you
>have already shut off some of your unnecessary services. If you look through
>the services you have running in the service manager, you should have three
>services currently running that show something similar to this as the path
>to the executable:
>C:\WINNT\System32\svchost.exe -k parameter
>
>The name and description of each service tells you what they are.


And if you want to find out what's going on in each one, use 'tasklist'
with the /svc switch (start, help, tasklist for more info). I've got 4.
8>.

--
GSV Three Minds in a Can
Outgoing Msgs are Turing Tested,and indistinguishable from human typing.
 
John Coutts
      22nd Aug 2003
In article <(E-Mail Removed)>, (E-Mail Removed) says...
>
>Hello,
>
>I just went through the procedure of
>http://vil.nai.com/vil/content/v_100559.htm
>to get rid of Nachi worm. I did the service
>removal, file removal, stinger, SP2 upgrade,
>the MS03-026 patch, etc. etc. (gasp!).
>I didn't get much work done on my thesis tonight.


>I still have *3* instances of svchost.exe in my
>task manager. Is this normal??
>
>Thanks.
>Fred
>P.S. Posted to:

************** REPLY SEPARATOR *****************
SvcHost.exe is what Microsoft uses to load and manage DLL based services. For
most of them, that is not much of a problem and others have outlined how to
find out what is in them. The exception is the "NetSvc" group which handles
everything from soup to nuts, and this will be the largest memory user in the
Task List. Good luck trying to separate things in that group.

Also note that it is very easy to add another SvcHost.exe to the list of
services without conflict. Virus makers have already caught onto that one.

 
Eep²
      22nd Aug 2003
Why not just run all the services under a SINGLE svchost.exe instead of cluttering up Task Manager with multiple instances (which progressively increased with each new service pack)? Sheesh...Microslop inefficiency strikes again.

Duane Arnold wrote:

> Fred Ma <(E-Mail Removed)> wrote in
> news:(E-Mail Removed):
>
> > I just went through the procedure of
> > http://vil.nai.com/vil/content/v_100559.htm
> > to get rid of Nachi worm. I did the service
> > removal, file removal, stinger, SP2 upgrade,
> > the MS03-026 patch, etc. etc. (gasp!).
> > I didn't get much work done on my thesis tonight.
> >
> > I still have *3* instances of svchost.exe in my
> > task manager. Is this normal??

>
> http://support.microsoft.com/default...b;EN-US;250320


 
Eep²
      22nd Aug 2003
So how are such rogue svchost.exe services detected? Sheesh...can Windows 2000 BE any more insecure?

John Coutts wrote:

> In article <(E-Mail Removed)>, (E-Mail Removed) says...
> >
> >I just went through the procedure of
> >http://vil.nai.com/vil/content/v_100559.htm
> >to get rid of Nachi worm. I did the service
> >removal, file removal, stinger, SP2 upgrade,
> >the MS03-026 patch, etc. etc. (gasp!).
> >I didn't get much work done on my thesis tonight.

>
> >I still have *3* instances of svchost.exe in my
> >task manager. Is this normal??


> SvcHost.exe is what Microsoft uses to load and manage DLL based services. For
> most of them, that is not much of a problem and others have outlined how to
> find out what is in them. The exception is the "NetSvc" group which handles
> everything from soup to nuts, and this will be the largest memory user in the
> Task List. Good luck trying to separate things in that group.
>
> Also note that it is very easy to add another SvcHost.exe to the list of
> services without conflict. Virus makers have already caught onto that one.


 
GSV Three Minds in a Can
      22nd Aug 2003
Bitstring <(E-Mail Removed)>, from the wonderful person Eep²
<(E-Mail Removed)> said
>What is "tasklist"? It's not in Windows 2000's help or a
>path-accessible program.



Sorry, I was assuming you were on XP. I don't know if Win2k has anything
comparable .. although doubtless there is some freeware out there on the
www that does the same thing.


--
GSV Three Minds in a Can
Outgoing Msgs are Turing Tested,and indistinguishable from human typing.
 
Johnny B
      23rd Aug 2003
Fred,

Ignore the troll... There are plenty here who actually KNOW what they're
talking about....

Three instances of svchost.exe is absolutely normal, nothing to worry about
there... You still having a problem ?

JB

--



*** All outgoing mail scanned by Ontrack System Suite Anti-virus ***



"Eep²" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> Why not just run all the services under a SINGLE svchost.exe instead of
> cluttering up Task Manager with multiple instances (which progressively
> increased with each new service pack)? Sheesh...Microslop inefficiency
> strikes again.
>
> Duane Arnold wrote:
>
> > Fred Ma <(E-Mail Removed)> wrote in
> > news:(E-Mail Removed):
> >
> > > I just went through the procedure of
> > > http://vil.nai.com/vil/content/v_100559.htm
> > > to get rid of Nachi worm. I did the service
> > > removal, file removal, stinger, SP2 upgrade,
> > > the MS03-026 patch, etc. etc. (gasp!).
> > > I didn't get much work done on my thesis tonight.
> > >
> > > I still have *3* instances of svchost.exe in my
> > > task manager. Is this normal??

> >
> > http://support.microsoft.com/default...b;EN-US;250320

>



 
Duane Arnold
      23rd Aug 2003
Eep² <(E-Mail Removed)> wrote in news:(E-Mail Removed):

> Why not just run all the services under a SINGLE svchost.exe instead
> of cluttering up Task Manager with multiple instances (which
> progressively increased with each new service pack)?
> Sheesh...Microslop inefficiency strikes again.
>
> Duane Arnold wrote:
>
>> Fred Ma <(E-Mail Removed)> wrote in
>> news:(E-Mail Removed):
>>
>> > I just went through the procedure of
>> > http://vil.nai.com/vil/content/v_100559.htm
>> > to get rid of Nachi worm. I did the service
>> > removal, file removal, stinger, SP2 upgrade,
>> > the MS03-026 patch, etc. etc. (gasp!).
>> > I didn't get much work done on my thesis tonight.
>> >
>> > I still have *3* instances of svchost.exe in my
>> > task manager. Is this normal??

>>
>> http://support.microsoft.com/default...b;EN-US;250320

>
>


As some of the other posters have indicated, three are the norm, but I
have really never noticed three of them active at one time at start-up.
But there can be more than 3 active. That's because not only does the O/S
use SVChost.exe but other non O/S program dll's like third party
application program may request the services of SVChost.exe to perform a
task and the other svchost.exe may be busy performing other duties. So if
that is the case, the O/S is going to start another svchost.exe to honor
the request.

Why is there not just one svchost.exe doing everything? Well not all
services on a NT based O/S need be loaded at one time and if one
svchost.exe was honoring all the requested tasks, I would think that
would slow the O/S down, because something would have to wait until
SVChost was free to honor the request. Using multiple occurrences of
svchost.exe along with the multi tasking, dual processors/cpu(s) usage
that can be accomplished with the NT based O/S makes for better
performance. This is also due to the fact that the workstation and server
versions of a NT based O/S such as NT 4, Win 2K, XP, and 2K3 do not have
that much of a difference in the core components and the functionality of
the two versions. Think about it, you have 100 users or so using one
server, so the O/S needs to honor the requests and not be bottlenecked,
because there is only one svchost.exe performing the tasks for
everything. So, your workstation version has a lot of the functionality of
the server version.

HTH

Duane
 
David
      23rd Aug 2003
> So how are such rogue svchost.exe services detected? Sheesh...can Windows
> 2000 BE any more insecure?

It depends on how slick the malware writer is. Do a search on some of the AV
sites and they will show you how the known exploits have done it. Something
can put malware on the machine in a different directory named svchost.exe,
it could try to install a malware dll that runs off of the valid copy of
svchost, or it could try to overwrite the valid copy of svchost with a
modified executable. The windows file protection mechanism and file
integrity software should catch a modified exe unless the malware writer is
good enough to defeat that also. A good AV definition will catch rogue
registry entries from known malware and some heuristic engines, particularly
ones associated with trojan detection, will notice that specific registry
keys are being added or modified. Desktop firewalls with file integrity
protection (as well as standalone file integrity software) can detect new or
modified executables or dll's.

In general when a machine is configured take note of the number of instances
running before it is attached to a network. Look at the task manager now and
then, after installing new software, after installing service packs, etc.
and research any cases when the number of instances changes.

Be sure to check after installing service packs and maybe even some updates.
MS has added new functionality along the way that they enable by default
which you may or may not want to disable. I will often disable new
"features" because they are unneeded, but also because their new features
tend to be lightly tested and more often than not exploitable.



 
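Added example, not part of any post in the thread: a Python sketch of the baseline comparison David describes, flagging a svchost.exe that runs from a different directory, a hosted service whose DLL has changed, and a service that was not there when the baseline was taken. It assumes the service data has already been read from each service's `ImagePath` and `Parameters\ServiceDll` registry values with environment variables expanded; the service names, DLL paths and function names are constructed for illustration. The overwritten-binary case needs file hashing and is not covered.

```python
import ntpath

SYSTEM32 = ntpath.normcase(r"C:\WINNT\System32")  # directory quoted in the thread

def split_image_path(image_path):
    """Split a service ImagePath into (normalised executable, arguments)."""
    text = image_path.strip()
    if text.startswith('"'):                    # "C:\path with spaces\x.exe" args
        exe, _, args = text[1:].partition('"')
    elif ".exe" in text.lower():                # C:\...\svchost.exe -k group
        cut = text.lower().index(".exe") + 4
        exe, args = text[:cut], text[cut:]
    else:                                       # C:\...\svchost -k group
        exe, _, args = text.partition(" ")
    return ntpath.normcase(ntpath.normpath(exe)), args.strip()

def audit(snapshot, baseline):
    """Return sorted (service, finding) pairs for svchost-hosted services.
    Both arguments map service name -> (ImagePath, ServiceDll), with
    environment variables already expanded (an assumption of this sketch).
    """
    findings = []
    for name, (image_path, dll) in snapshot.items():
        exe, _ = split_image_path(image_path)
        if ntpath.basename(exe) not in ("svchost.exe", "svchost"):
            continue                            # not hosted by svchost
        if ntpath.dirname(exe) != SYSTEM32:
            findings.append((name, "svchost outside System32"))
        if name not in baseline:
            findings.append((name, "service not in baseline"))
        elif ntpath.normcase(dll) != ntpath.normcase(baseline[name][1]):
            findings.append((name, "ServiceDll differs from baseline"))
    return sorted(findings)

# Constructed sample data, not taken from the thread; names are illustrative.
GOOD = r"C:\WINNT\System32\svchost.exe -k "
BASELINE = {
    "SvcA": (GOOD + "groupa", r"C:\WINNT\System32\svca.dll"),
    "SvcB": (GOOD + "groupb", r"C:\WINNT\System32\svcb.dll"),
}
SNAPSHOT = {
    "SvcA": (GOOD + "groupa", r"C:\WINNT\System32\svca.dll"),       # unchanged
    "SvcB": (GOOD + "groupb", r"C:\WINNT\Temp\svcb.dll"),           # DLL swapped
    "SvcC": (r"C:\WINNT\svchost.exe -k groupa", r"C:\WINNT\c.dll"), # wrong directory
    "SvcD": (GOOD.upper() + "groupa", r"C:\WINNT\System32\d.dll"),  # new service
}

if __name__ == "__main__":
    print(*audit(SNAPSHOT, BASELINE), sep="\n")
```

A service that is new since the baseline is not necessarily malicious (service packs add them, as noted above); it is the item to research.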
 
 
 