3 copies of svchost.exe?

jacob

hi,
I'm trying to locate an app/process/malware that auto connects me
to the internet, on random times. windows FW exceptions are all
unchecked. NAV/SPYBOT scans came with nothing so far.
During the search i found 2 extra(?) copies of 'svchost.exe':
1. c:\windows\system32\svchost.exe - 14336 bytes (ver 5.1.2600.2180)
2. c:\windows\ServicePackFiles\i386 - 14336 bytes (ver 5.1.2600.2180)
3. c:\windows\$NtServicePackUninstall$\ - 12800 bytes (ver 5.1.2600.0)

all support sites say that only the 1st one should be present.
any ideas?
 
Gerry Cornell

Jacob

1. Current in use.

2. Backup copy if 1 gets damaged.

3. Previous copy if you decide to uninstall update and go back.

Please show me a support site which says only one should
be present. I think you are misinterpreting what has been written.

svchost.exe is used by a number of applications, which can
all be running at one time.

Try another anti-spyware programme or several.
http://www.broomeman.com/spyware/

--

Hope this helps.

Gerry
~~~~
FCA
Stourport, England

Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
jacob

...........
Please show me a support site which says only one should
be present. I think you are misinterpreting what has been written.
...........

Gerry,
i'm beginning to think you are right about that, though here's
one of the sites that made me think the opposite:

http://process.networktechs.com/Svchost.exe.php

<quote>
VIRUS PRECAUTION:
The original file from Microsoft gets placed in the Located in
C:\WINDOWS\System32 directory. If you find it anywhere else
then you should be suspicious for sure.
</quote>
 
Ken Blake, MVP

jacob said:
I'm trying to locate an app/process/malware that auto connects me
to the internet, on random times. windows FW exceptions are all
unchecked. NAV/SPYBOT scans came with nothing so far.
During the search i found 2 extra(?) copies of 'svchost.exe':
1. c:\windows\system32\svchost.exe - 14336 bytes (ver 5.1.2600.2180)
2. c:\windows\ServicePackFiles\i386 - 14336 bytes (ver 5.1.2600.2180)
3. c:\windows\$NtServicePackUninstall$\ - 12800 bytes (ver 5.1.2600.0)

all support sites say that only the 1st one should be present.



No, that last statement is completely false. In fact having several examples
of svchost running is completely normal.
 
Zilbandy

No, that last statement is completely false. In fact having several examples
of svchost running is completely normal.

I currently have 6 svchost.exe processes running on my computer. Three
of them are SYSTEM, two are NETWORK SERVICE, and one is LOCAL SERVICE.
As far as I know, my system is clean... I hope. :)
 
Ken Blake, MVP

Zilbandy said:
I currently have 6 svchost.exe processes running on my computer. Three
of them are SYSTEM, two are NETWORK SERVICE, and one is LOCAL SERVICE.
As far as I know, my system is clean... I hope. :)



Right. Six is not at all unusual, nor does it represent a problem.
 
jacob

No, that last statement is completely false. In fact having several
examples of svchost running is completely normal.

Ken,
having several *processes* running with svchost is indeed normal,
but how would i know if they *all* were started by the *same*
file "svchost.exe" that resides in \system32?
 
Gerry Cornell

Yes


--

Hope this helps.

Gerry
~~~~
FCA
Stourport, England

Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
Ken Blake, MVP

jacob said:
Ken,
having several *processes* running with svchost is indeed normal,
but how would i know if they *all* were started by the *same*
file "svchost.exe" that resides in \system32?


I'm confused by your question. Why should you expect anything different?
 
FeMaster

Ken Blake said:
I'm confused by your question. Why should you expect anything different?

It seems pretty simple to me. He wants to make sure that all the svchost.exe
files that are running are actually the one located in the /system32 folder.
Not all that confusing of a question if you ask me.

I don't know of a method off hand. MS never bothered to include the ability
to view the actual file path in the Task Manager application, so you really
don't have any idea which "version" of a file is in use (i.e. if there is
more than one file by the same name found in multiple locations, which one
is actually in use.)
 
jacob

No, that last statement is completely false. In fact having several
I'm confused by your question. Why should you expect anything different?

By the size and location of my 2 extra copies, i know now that
they are ok. but, isn't it possible that some malware is disguised
as "svchost.exe", *not* in \system32 location, and appears in
fact as one of the processes in the tasks list?
i'm not alone with that "paranoia", as seen in my earlier reply
to Gerry.
 
Ken Blake, MVP

jacob said:
By the size and location of my 2 extra copies, i know now that
they are ok. but, isn't it possible that some malware is disguised
as "svchost.exe", *not* in \system32 location, and appears in
fact as one of the processes in the tasks list?
i'm not alone with that "paranoia", as seen in my earlier reply
to Gerry.


Are you experiencing any symptoms that lead you to suspect malware? If not,
and since you are dealing with a perfectly normal situation, I wouldn't
worry about it.

I suppose you could suspect that any process running might not be what it's
supposed to be, and might be disguised malware, but you can't spend all your
time worrying about and investigating remote possibilities. If you are
symptom-free, I wouldn't waste any more time on it.
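
Added example, not part of any post in this thread: one way to answer the question raised above (which file each running svchost.exe was actually started from, and whether any copy runs from outside \system32). It assumes PowerShell 3.0 or later, which is newer than the Windows build discussed in the thread, and it takes the thread's expectation that only the System32 copy should be running; the variable names are illustrative.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell 3.0+ session;
# without elevation ExecutablePath can come back empty for some processes.

# Assumption taken from the thread: the only image a running svchost.exe
# should map to is the copy in %SystemRoot%\System32.
$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Index service names by the process id that hosts them
# (the same information "tasklist /svc" prints).
$servicesByPid = @{}
Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    ForEach-Object { $servicesByPid[[int]$_.ProcessId] += @($_.Name) }

# One row per running svchost.exe: image path, verdict, hosted services.
$report = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    ForEach-Object {
        $path = $_.ExecutablePath

        $verdict = if ([string]::IsNullOrEmpty($path)) {
            'UNKNOWN: path not readable, re-run elevated'
        }
        elseif ($path -ieq $expected) {
            'OK'
        }
        else {
            'CHECK: image is outside System32'
        }

        [pscustomobject]@{
            ProcessId = $_.ProcessId
            Path      = $path
            Verdict   = $verdict
            Services  = ($servicesByPid[[int]$_.ProcessId] -join ', ')
        }
    }

$report | Sort-Object Verdict, ProcessId | Format-Table -AutoSize -Wrap

# Summary line: how many instances were not confirmed as the System32 image.
$flagged = @($report | Where-Object { $_.Verdict -ne 'OK' })
'{0} of {1} svchost.exe processes need a closer look' -f $flagged.Count, @($report).Count
```

The backup copies under ServicePackFiles and $NtServicePackUninstall$ listed in the first post do not appear in this output unless something has actually started a process from them.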
 
