Nick said:
Hello all,
I use a Netgear RM356 56K modem router combination on my
home network, every time I start my computer the
application svchost.exe dials the internet, can anyone
tell me why this happens?
regards Nick
Hey Nick - I did a Google on this and here is what I found:
***********************************************************
Svchost.exe means that you have services running from dynamic-link
libraries (DLLs). The Svchost.exe file is located in the
%SystemRoot%\System32 folder, as shown in your Owner identification.
At startup, Svchost.exe checks the services portion of the registry to
construct a list of services that it needs to load. There can be
multiple instances of Svchost.exe running at the same time.
Each Svchost.exe session can contain a grouping of services, so that
separate services can be run depending on how and where Svchost.exe is
started.
If you go to Start --> Run and type command, you can find out what the
svchost.exe files correspond to. Follow one of the methods below,
depending on your O/S.
(Windows XP) Once you have the command line up, type Tasklist /SVC.
(Windows 2K) Use Tlist.exe from the Windows 2000 CD-ROM; the syntax is
tlist -s at the command prompt.
For a list of associated files and such, see:
http://www.igknighttec.com/Windows/WindowsXP/svchost_exe.php
See also the Microsoft site for the registry key groups:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q250320 (W2K)
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q314056 (XP)
See also
http://lists.insecure.org/firewall-wizards/2001/Sep/0029.html
Svchost.exe is tied in with RPC somehow and win2k needs it.
When the RPC service is disabled, so are some functions in win2k.
If you do a netstat -an in the DOS command prompt and check what
ports are open, you should expect to see port 135. Port 135 is
assigned to DCE[1] (aka RPC - Remote Procedure Call) endpoint
resolution, but when rpc is disabled the svchost.exe is no longer in
the process list and port 135 is closed and it no longer shows up on
netstat.
I know people have found a lot of computers infected with a
trojaned copy of svchost.exe. The trojaned copy is bigger (about
550KB) than the original (about 8KB) and is located in C:\winnt\
instead of c:\winnt\system32\ . The trojan was listening on port
878/tcp and was used to exchange illegal software, movies and music.
Therefore, it is difficult to determine what may be causing the
problem because svchost.exe is normal.
1) Do a netstat -an and check what active connections you have open.
2) Check which services are using svchost by one of the methods
shown, based on what O/S you have.
3) Run up-to-date antivirus software to check for any trojans on
your system. Bugbear worm is pretty popular right now and may be
making RPCs. Have you opened any strange attachments in the last few
days?
4) Check for the possible trojaned copy by looking for the fake one as
described above.
5) Don't disable the real version of svchost, i.e., don't use regedit
to set it to anything but Automatic because other functions may stop
working.
Anyway, I hope that's enough to provide you with some further
analysis.
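
The path, size and port checks from the reply above can be scripted. The following is an added example, not part of the original thread: the function names, the 64 KB size ceiling and all sample data are constructed assumptions, while port 878 and the C:\winnt paths come from the reply.

```python
import ntpath
import re

TROJAN_PORT = 878              # port named in the reply above
MAX_EXPECTED_SIZE = 64 * 1024  # assumption: generous ceiling over the ~8KB original

def check_svchost_images(images, system_root=r"C:\WINNT"):
    """images: iterable of (full_path, size_bytes); returns [(path, reasons)]."""
    expected_dir = ntpath.normcase(ntpath.join(system_root, "System32"))
    findings = []
    for path, size in images:
        if ntpath.basename(path).lower() != "svchost.exe":
            continue  # only svchost.exe images are of interest here
        reasons = []
        # The genuine file lives in %SystemRoot%\System32; compare case-insensitively.
        if ntpath.normcase(ntpath.dirname(ntpath.normpath(path))) != expected_dir:
            reasons.append("outside System32")
        if size > MAX_EXPECTED_SIZE:
            reasons.append("larger than expected")
        if reasons:
            findings.append((path, reasons))
    return findings

LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.I)

def listening_tcp_ports(netstat_output):
    """Extract listening TCP ports from the text of `netstat -an`."""
    return {int(m.group(1)) for line in netstat_output.splitlines()
            if (m := LISTEN_RE.match(line))}

# Constructed sample data (not taken from a real system)
SAMPLE_IMAGES = [
    (r"C:\WINNT\system32\svchost.exe", 7952),
    (r"C:\WINNT\svchost.exe", 563200),
    (r"C:\WINNT\system32\notepad.exe", 50960),
]
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:878            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""

if __name__ == "__main__":
    for path, reasons in check_svchost_images(SAMPLE_IMAGES):
        print(path, "->", ", ".join(reasons))
    print("port 878 listening:", TROJAN_PORT in listening_tcp_ports(SAMPLE_NETSTAT))
```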