svc host.exe


FJV

I had several trojans on my computer in the past. After using and running
all recommended antivirus and spyware removal programs, everything seems OK,
except when I access the internet, Zone Alarm asks to allow SVC HOST.EXE to
access the internet. If I deny it I cannot connect to any website. I did not
have that happen before the infections. What does SVC HOST.EXE do, and can/should
it be uninstalled? Does it mean that I am still infected by some
virus/spyware/trojans?
Thanks for the help.
FJV
 

The Prophecy

FJV said:
I had several trojans on my computer in the past. After using and
running all recommended antivirus and spyware removal programs,
everything seems OK, except when I access the internet, Zone Alarm asks
to allow SVC HOST.EXE to access the internet. If I deny it I cannot
connect to any website. I did not have that happen before the infections.
What does SVC HOST.EXE do, and can/should it be uninstalled? Does it
mean that I am still infected by some virus/spyware/trojans?
Thanks for the help.
FJV

svchost.exe is a critical system file in Windows. It is NOT a virus. The
next time it asks for internet access, Allow it.
 

Chris

That is not good advice to listen to, FJV. There are trojans that name
themselves svchost.exe. It's worth checking the request out in more
detail. A quick search on security websites suggests ways of seeing if your
svchost is legit.
 

Duane Arnold

That is not good advice to listen to, FJV. There are trojans that name
themselves svchost.exe. It's worth checking the request out in more
detail. A quick search on security websites suggests ways of seeing if
your svchost is legit.

If svchost.exe is not running out of c:\winnt\system32 on Win NT 4.0 and
Win 2k or c:\windows\system32 Win XP and Win 2K3, it's a Trojan and is as
simple as that. In addition, svchost.exe is the messenger for the O/S.
Not only does the O/S use svchost.exe on its behalf for communications,
malware will use svchost.exe on its behalf to get out too. One must
always be aware of what is using svchost.exe when unknown remote IP(s)
are being connected to by svchost.exe.

Tools such as Active Ports and (Process Explorer to look inside a process
to see what's using the process) will help one to determine what's
happening with a process running on the computer.

http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and
_Rootkit_Tools_in_a_Windows_Environment.html

Duane :)
 

The Prophecy

Yes, true, there are viruses that dump files onto your system with that name.
However, if you do a search of your hard drive, the legit svchost.exe should
reside in the Windows\system32 folder. Any other files with that same name
will be in a different folder and will also be a virus.
 

FJV

Thanks guys, I did search my hard drive and found svchost.exe not only in
c:\windows\system32 but also in c:\I386. Does it mean I have a Trojan and
how do I remove it?
I do run updated NAV, Spybot S&D, AdAware, HijackThis (have a clean log),
CWS Shredder and have active SpywareBlaster. Everything is clean, except
when I run S&D in Safe Mode, "DSO exploit" spyware keeps showing up on the next
reboot, even though I am immunizing it. My friend told me that it is due to a
conflict with AdAware and is not really spyware. True?
 

Duane Arnold

FJV said:
Thanks guys, I did search my hard drive and found svchost.exe not only
in c:\windows\system32 but also in c:\I386. Does it mean I have a
Trojan and how do I remove it?

There is more than one svchost.exe on the O/S. There is one in
windows/system32/dllcache. The one in dllcache is a backup to the one
that's in system32. As a matter of fact, all files in the dllcache
directory are backup files that the O/S will restore to the original
system32 directory in case they are deleted. You can use
Explorer/Tools/Folder Options/View and select *Show Hidden files and
folders* and uncheck *Hide protected O/S files* and you will be able to
see it.

You can download Active Ports (free) and run it. If you see a svchost.exe
running that's not showing that it's *running* - (the threat) from
C:\windows\system32, it is a Trojan.

I don't think the one in C:\I386 is a Trojan as that is kind of like an
O/S directory, but if you see it running from that directory, you should
be very suspicious.
I do run updated NAV, Spybot S&D, AdAware, HijackThis (have a clean
log), CWS Shredder and have active SpywareBlaster. Everything is
clean, except when I run S&D in Safe Mode, "DSO exploit" spyware keeps
showing up on the next reboot, even though I am immunizing it. My friend
told me that it is due to a conflict with AdAware and is not really
spyware. True?

I don't know, go with it.

You can *harden* the O/S against attack a little bit.

http://www.uksecurityonline.com/index5.php

Duane :)
 

Shane

I don't think the one in C:\I386 is a Trojan as that is kind of like an
O/S directory, but if you see it running from that directory, you should
be very suspicious.

C:\i386 is where the XP setup files are stored in an OEM setup where neither
an XP disc is supplied nor a hidden partition used.


Shane
 

John Coutts

I had several trojans on my computer in the past. After using and running
all recommended antivirus and spyware removal programs, everything seems OK,
except when I access internet, Zone Alarm asks to allow SVC HOST.EXE to
access internet. If I deny it I cannot connect to any website. I did not
have that happen before infections. What does SVC HOST.EXE does, can/should
it be uninstalled? Does it mean that I am still infected by some
virus/spyware/trojans?
Thanks for the help.
FJV
***************** REPLY SEPARATOR *******************
SVCHOST.EXE is simply a tool that Microsoft uses to load DLL files as a
service. Not only can there be multiple copies of SVCHOST.EXE running, but each
one of them can host multiple DLLs (particularly in XP). This makes
troubleshooting them difficult, and also makes it an ideal place to hide a
trojan or virus.

Microsoft has a command line utility that you can use to find out more about
the services running on your machine. In XP, it is called tasklist.exe, and I
believe in 2000 it is called tlist.exe. To get the service information, you use
the /svc option.

C:\WINDOWS\SYSTEM32>tasklist /svc

Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
SMSS.EXE                    1576 N/A
CSRSS.EXE                   1664 N/A
WINLOGON.EXE                1688 N/A
SERVICES.EXE                1732 Eventlog, PlugPlay
LSASS.EXE                   1744 ProtectedStorage, SamSs
SVCHOST.EXE                 1964 RpcSs
SVCHOST.EXE                 1052 Dnscache
SVCHOST.EXE                 1088 LmHosts
SVCHOST.EXE                 1144 AudioSrv, CryptSvc, lanmanserver,
                                 lanmanworkstation, Netman, ShellHWDetection,
                                 winmgmt
SPOOLSV.EXE                 1160 Spooler
CTsvcCDA.EXE                1328 Creative Service for CDROM Access
EXPLORER.EXE                 428 N/A
Directcd.exe                 504 N/A
WINVN.EXE                    532 N/A
NTVDM.EXE                    364 N/A
CMD.EXE                      840 N/A
tasklist.exe                 200 N/A
WMIPRVSE.EXE                1608 N/A

I have shut down many of the services on my computer, so your list will be much
longer. Now your task will be to find out what the tasks being hosted by each
SVCHOST.EXE are.

J.A. Coutts
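Added example (written for this page, not posted by anyone in the thread): a small Python script that combines the two checks discussed above, Duane's rule that a legitimate svchost.exe runs only from the system32 folder and John's point that every SVCHOST.EXE should be accounted for by the services it hosts. The tasklist listing and the PID-to-path map are constructed samples standing in for the live output of tasklist /svc and of Active Ports or Process Explorer; C:\WINDOWS\system32 is assumed to be the system root.

```python
import re
from pathlib import PureWindowsPath

# Constructed "tasklist /svc" sample modelled on the listing above; PID 2210 is made up.
TASKLIST_SVC = """\
Image Name                  PID Services
========================= ====== =============================================
SERVICES.EXE                1732 Eventlog, PlugPlay
SVCHOST.EXE                 1964 RpcSs
SVCHOST.EXE                 1144 AudioSrv, CryptSvc, lanmanserver,
                                 lanmanworkstation, Netman, winmgmt
svchost.exe                 2210 N/A
"""
# Constructed PID -> image path map; tasklist /svc omits paths, Active Ports and
# Process Explorer show them.
IMAGE_PATHS = {
    1964: r"C:\WINDOWS\system32\svchost.exe",
    1144: r"C:\WINDOWS\system32\svchost.exe",
    2210: r"C:\WINDOWS\svchost.exe",
}
SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\system32")  # assumed XP system root

def _names(field):
    # Split a comma-separated service field; "N/A" means no service hosted.
    return [s.strip() for s in field.split(",") if s.strip() and s.strip() != "N/A"]

def parse_tasklist_svc(text):
    """Return {pid: (image name, [services])}, joining wrapped service lines."""
    procs, last = {}, None
    for line in text.splitlines()[2:]:  # skip the header and the ==== rule
        if line[:1].isspace() and last is not None:  # continuation of a long list
            procs[last][1].extend(_names(line))
            continue
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(.*)$", line)
        if m is None:  # blank line or something we don't understand
            continue
        last = int(m.group(2))
        procs[last] = (m.group(1), _names(m.group(3)))
    return procs

def suspicious_svchosts(procs, paths, system32=SYSTEM32):
    """Flag svchost.exe instances outside system32 or hosting no service."""
    findings = []
    for pid, (image, services) in procs.items():
        if image.lower() != "svchost.exe":
            continue
        path = PureWindowsPath(paths.get(pid, ""))  # unknown path -> flagged too
        reasons = [why for bad, why in ((path.parent != system32, "not in system32"),
                                        (not services, "hosts no service")) if bad]
        if reasons:
            findings.append((pid, str(path), reasons))
    return findings
```

On a real machine the listing would come from running tasklist /svc and the path map from Active Ports or Process Explorer; an svchost.exe that is flagged for either reason is the one to investigate, while a system32 instance with a recognisable service list is the normal case.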
 

FJV

Thanks a lot Duane, I followed your instructions, checked for svchost.exe
(with option: all hidden and system files shown) in
windows\system32\dllcache, but it's not there.
Downloaded and ran Active Ports program (neat little utility).
Svchost.exe (shows 9x) runs only in the windows\system32 folder (thank god
for that). One other program that runs from the same folder is LSASS.EXE
(don't know what it does).
Some other programs running are: MSMSGS.EXE (shows 4x) from: program
files\messenger folder (I hate that thing, can't stop it from running in
the startup group), IEXPLORER.EXE (shows 3x) from: program files\internet
explorer folder, and ccApp.exe from: program files\common files\Symantec
shared folder.
I really appreciate the advice.
 

The Prophecy

FJV said:
Thanks a lot Duane, I followed your instructions, checked for
svchost.exe (with option: all hidden and system files shown) in
windows\system32\dllcache, but it's not there.
Downloaded and ran Active Ports program (neat little utility).
Svchost.exe (shows 9x) runs only in the windows\system32 folder
(thank god for that). One other program that runs from the same
folder is LSASS.EXE (don't know what it does).
Some other programs running are: MSMSGS.EXE (shows 4x) from: program
files\messenger folder (I hate that thing, can't stop it from running
in the startup group), IEXPLORER.EXE (shows 3x) from: program
files\internet explorer folder, and ccApp.exe from: program
files\common files\Symantec shared folder.
I really appreciate the advice.

msmsgs.exe is the executable for Windows Messenger. To make it stop running,
go to Start, Run, type in "gpedit.msc" (no quotes), under the Computer
Configuration section select Windows Components, Windows Messenger, Double
click on "Do not allow Windows Messenger to be run initially", Set it to
Enabled. If you have never used (or will never use in the future) Remote
Assistance (a program where a remote user can ask you to allow them to
temporarily take over your computer to fix a problem you are having) then
also set the "Do not allow Windows Messenger to be Run" to "Enabled" as well.
 

FJV

I went to Start, Run and typed: gpedit.msc and got a message: Windows can
not find 'gpedit.msc'. I also tried just: gpedit but Windows could not find
it either.
As far as Active Port Utility is concerned, NAV (scan in safe mode)
identified it as a possible security threat. It could not be deleted or
quarantined. Hmmm. How do I uninstall it if it is no longer needed?
Thanks
 

The Prophecy

FJV said:
I went to Start, Run and typed: gpedit.msc and got a message: Windows
can not find 'gpedit.msc'. I also tried just: gpedit but Windows
could not find it either.
As far as Active Port Utility is concerned, NAV (scan in safe mode)
identified it as a possible security threat. It could not be deleted
or quarantined. Hmmm. How do I uninstall it if it is no longer needed?
Thanks

What Operating System do you have?
 

The Prophecy

FJV said:
I have WindowsXP Home.

That's why gpedit.msc could not be found. You did not (to this point) in
this thread say what operating system you have. Next time you post on Usenet
with a problem, please make sure you do. It makes problems MUCH easier to
solve.

Now, the only way I know of to stop Windows Messenger from starting in XP
Home, is to remove it completely. If anybody else knows of another method
for XP Home please tell me.

Go to Start, Run and type in this (without the quotes):

"rundll32 advpack.dll,LaunchINFSection %windir%\inf\msmsgs.inf,BLC.Remove"

If you are ever going to use Remote Assistance (as I described in a previous
post) you will need to go to Windows Update and reinstall it.
 

Duane Arnold

FJV said:
I have WindowsXP Home.

I don't know why you cannot see svchost.exe in dllcache as it's there on
my XP machines. If you left-click in an open area in the directory and
type svc the cursor will position to the start of the svc range.

Secondly, about Active Ports, I have a short-cut for that program in the
Start Folder so during the boot and logon process, Active Ports gives me
a clear picture as to what's trying to connect in and out with the
machine from remote IP(s).

Since malware can circumvent and defeat any personal firewall solution at
the system boot and get to the TCP/IP connection first and be done before
any non integrated O/S component such as a PFW can get there to stop it,
I use AP to see what's happening myself.

Duane :)
 

Shane

I don't know why you cannot see svchost.exe in dllcache as it's there on
my XP machines. If you left-click in an open area in the directory and

It hasn't been updated?
Since malware can circumvent and defeat any personal firewall solution at
the system boot and get to the TCP/IP connection first and be done before
any non integrated O/S component such as a PFW can get there to stop it,
I use AP to see what's happening myself.

Yes, one of the Windows Firewall improvements in SP2. Think I'll have a look
at Active Ports meantime.


Shane
 

Duane Arnold

It hasn't been updated?


Yes, one of the Windows Firewall improvements in SP2. Think I'll have
a look at Active Ports meantime.


Shane

You should set the AP's screen refresh rate to high.

Duane :)
 

Shane

You should set the AP's screen refresh rate to high.
Thanks. Downloaded but not yet installed.


Shane
 