A lot of services start as part of svchost.exe. Some are legit, others not.
What is the name of this one?
Svchost.exe is a general purpose process that Microsoft provides to run various
services (background tasks) that let you use the various features of Windows.
If one of the services is running heavily, you will see svchost.exe using a lot
of resources (CPU and memory).
If you want to know more about the many processes running on your computer, get
Process Explorer (free) from
<
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml>. Provides way more
information than Task Manager. You can look at any process and see what modules
it contains, and who wrote or distributed each module. For instances of
svchost.exe, you can see what services each provides, including the one that has
concerned you.
For a good reference to the many system services, see
<
http://www.blackviper.com/WinXP/servicecfg.htm>. For discussion about most
processes in general (what is each one, what does it do, is it necessary), just
type it's name in to your favorite search engine. Anything dangerous is
probably being discussed somewhere on the web.
If you have any concerns about the legitimacy of this service, check for
spyware. Start by downloading each of the following free tools:
AdAware <
http://www.lavasoftusa.com/>
CWShredder <
http://www.majorgeeks.com/download4086.html>
HijackThis <
http://www.majorgeeks.com/download.php?det=3155>
LSP-Fix <
http://www.cexx.org/lspfix.htm>
WinsockXPFix <
http://www.spychecker.com/program/winsockxpfix.html>
Spybot S&D <
http://www.safer-networking.org/index.php?page=download>
Stinger <
http://us.mcafee.com/virusInfo/default.asp?id=stinger>
TrendMicro Engine <
http://www.trendmicro.com/download/dcs.asp>
TrendMicro Signatures <
http://www.trendmicro.com/download/pattern.asp>
Create a separate folder for HijackThis, such as C:\HijackThis - copy the
downloaded file there. Create a separate folder for the two TrendMicro files,
such as C:\TrendMicro - copy the downloaded files there (unzipped if necessary).
AdAware, CWShredder, and Spybot S&D have install routines - run them. The other
downloaded programs can be copied into, and run from, any convenient folder.
First, run Stinger. Have it remove any problems found.
Next, close all Internet Explorer and Outlook windows, and run CWShredder. Have
it fix all problems found.
Next, disable System Restore.
<
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm>
Boot your computer into Safe Mode.
http://support.microsoft.com/?id=315222
Run C:\TrendMicro\Sysclean.com. Delete any infectors found.
Reboot your computer, and re enable System Restore.
Next, run AdAware. First update it ("Check for updates now"), configure for
full scan (<
http://forums.spywareinfo.com/index.php?showtopic=11150>), then
scan. When scanning finishes, remove all Critical Objects found.
Next, run Spybot S&D. First update it ("Search for updates"), then run a scan
("Check for problems"). Trust Spybot, and delete everything ("Fix Problems")
that is displayed in Red.
Then, run HijackThis ("Scan"). Do NOT make any changes immediately. Save the
HJT Log.
<
http://forums.spywareinfo.com/index.php?showtopic=227>
<
http://forums.spywareinfo.com/index.php?showtopic=11150>
Finally, have your HJT log interpreted by experts at one or more of the
following security forums (and please post a link to your forum posts, here):
Aumha: <
http://forum.aumha.org/index.php>
Net-Integration: <
http://forums.net-integration.net/>
Spyware Info: <
http://forums.spywareinfo.com/>
Spyware Warrior: <
http://spywarewarrior.com/index.php>
Tom Coyote: <
http://forums.tomcoyote.org/>
If removal of any spyware affects your ability to access the internet (some
spyware builds itself into the network software, and its removal may damage your
network), run LSP-Fix and / or WinsockXPFIx.
