svhost: friend or foe?

Bozo Erectus (Master Baker; joined Jan 22, 2003; 22,389 messages)
I've been doing some research on this and there's a lot of contradictory information about it. On the one hand people say it's harmless and comes with Windows, and on the other people say it's associated with Mydoom and allows hackers to use your computer's bandwidth and to get personal information. There's also some confusion with svchost. I think that the confusion stems from the fact that it was originally harmless but has since been corrupted by hackers. Is that true? Should svhost and svchost be removed or blocked with a firewall?
 
There are actually several svchost.exe processes running at any one time, some of which you can quite safely disable. This page will give you more info (an excellent resource).
 
Zulu, thanks. I had this page as a favorite on the old computer; I had forgotten all about it. It's hard to know which ones are safe to disable. My inclination is to go 'barebones', but I wouldn't want to slow down my internet connection either. Have you disabled any of the svhost processes?
 
If you have a process running called svhost.exe then you should remove it immediately, as it is a part of the Mydoom worm. The svchost.exe processes (with the c) are required for Windows XP to run properly. They can be hijacked by worms though, but in this case you should remove the cause of the problem, not the svchost.exe processes. Windows will soon shut down without them.

I had a worm a few months ago which caused svchost.exe to take up 100% of the CPU usage, so I know a bit about this process from the research I did on removing the worm.

zulu9812 said:
there are actually several svchost.exe processes running at any one time - some of which you can quite safely disable
You should not disable any of the svchost.exe processes. The site you list recommends you shut down services which call upon the svchost.exe process. It doesn't tell you to shut down svchost.exe itself.

I would not recommend the 'barebones' setup as this will disable virtually all functions, including your internet connection. Use the 'safe' setup with some modifications to the networking settings if you need them.

Note: another process you should look out for is scvhost.exe (the c and v are switched), as this is definitely a worm.
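Zakharov's checklist above (a file named svhost.exe or scvhost.exe, or a genuine svchost.exe that has been hijacked) can be turned into a script. The following is an added PowerShell example, not code from the thread or from any of the posters. It assumes a current Windows with PowerShell 5.1 or later; the edit-distance helper, the list of legitimate image paths and the signature check are my own choices, and the names "svhost" and "scvhost" it catches are the ones the thread mentions (it will also catch other one- or two-character near-misses such as svch0st).

```powershell
# Added example, not code from the thread. Assumes Windows with PowerShell 5.1+.
# Flags processes whose name is a near-miss of "svchost" (svhost, scvhost, ...)
# and real svchost.exe images that run from outside the Windows system
# directories or carry a signature that is not Microsoft's.

function Get-EditDistance {
    param([string]$a, [string]$b)
    # Classic dynamic-programming Levenshtein distance, case-insensitive.
    $a = $a.ToLowerInvariant(); $b = $b.ToLowerInvariant()
    $d = [int[,]]::new($a.Length + 1, $b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                                     $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

# Where Windows keeps the genuine host process (SysWOW64 holds the 32-bit copy).
$legitPaths = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

function Get-SvchostVerdict {
    # Run elevated: .Path is $null for processes you are not allowed to open.
    Get-Process | ForEach-Object {
        $name = $_.ProcessName                 # Get-Process drops the ".exe"
        $dist = Get-EditDistance $name 'svchost'
        if ($dist -gt 2) { return }            # unrelated name, skip it
        $path = $_.Path
        $verdict = 'OK'
        if ($dist -gt 0) {
            $verdict = "look-alike name, edit distance $dist from svchost"
        } elseif ($path -and ($path -notin $legitPaths)) {
            $verdict = 'svchost.exe running from outside the system directory'
        } elseif ($path) {
            # svchost.exe is catalog-signed; Get-AuthenticodeSignature resolves
            # catalog signatures on Windows 8 and later.
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid' -or
                $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
                $verdict = "signature not valid or not Microsoft's ($($sig.Status))"
            }
        } else {
            $verdict = 'could not read image path (not elevated?)'
        }
        [pscustomobject]@{ PID = $_.Id; Name = $name; Path = $path; Verdict = $verdict }
    }
}

Get-SvchostVerdict | Sort-Object Verdict, PID | Format-Table -AutoSize
```

Anything other than "OK" in the Verdict column is worth a closer look; the look-alike check is deliberately loose (any name within two edits of svchost), so read the Path column before deleting anything.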
 
In Task Manager/Processes I've got 5 svchost processes running: 1 Local Service, 2 Network Service and 2 System. No svhost, but that's probably because when Norton asks me if I should block it, I do, temporarily; I haven't permanently blocked it yet. Blocking it hasn't affected performance at all. No scvhost at all, thankfully.
 
Robert, svhost seems to be the problem, not svchost. Like I said above, blocking svhost has no effect on anything that I can see.
 
Robbert said:
Any malicious programs running there?
I can't see any. The best way to check is to google all of the processes listed. Most of them will come back as a system process, but there will be some which are not recognised but should be there.

The two easiest ways to recognise a worm are:
1) Your anti-virus program has been disabled.
2) Your pc is running much slower than it should.

If this second point is true then you will probably find the CPU constantly running at 100% in the processes list.

@Bozo, blocking svhost.exe won't make the problem go away, it will only mask it. Try using this free scan from Trend Micro to eliminate the actual worm:

LINK
 
Zakharov, I'm extremely wary of allowing web pages to do things in my computer. The last time I did that, a few years ago, the page (I forget what it was, one of those 'Boost your computer's performance!' deals I think) screwed up my registry and I had a bunch of problems. I'd much rather try and do it myself.
 
That's your choice, but if a worm has disabled your anti-virus software then a web based scanner is your only option. (Unless you know the names of the files the worm has put on your pc).
 
I think I'm worm free so far. The first thing I did when I turned on this comp for the first time was load up every antivirus and antispyware app known to man. I had so many firewalls up I could barely use the internet. I hope to learn enough about it so I can get rid of svhost manually.
 
Bozo Erectus said:
Zakharov, I'm extremely wary of allowing web pages to do things in my computer. The last time I did that, a few years ago, the page (I forget what it was, one of those 'Boost your computer's performance!' deals I think) screwed up my registry and I had a bunch of problems. I'd much rather try and do it myself.


Those "Boost your computer's performance" sites 9 out of 10 times are filled with spyware. ;)
 
Zakharov said:
You should not disable any of the svchost.exe processes. The site you list recommends you shut down services which call upon the svchost.exe process. It doesn't tell you to shut down svchost.exe itself.

yes, that's what I meant
 
Just to add a little more info... svchost.exe is the generic process for programs to access the internet through Windows. Anything from your word processor to a virus uses these. It's like public transportation to the internet for your programs that don't have a car. :p
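The "host" in svchost.exe refers to services: each instance hosts a group of Windows services (this is what Zakharov meant by "services which call upon the svchost.exe process", and why Bozo sees several instances split between Local Service, Network Service and System). The following is an added PowerShell example, not code from the thread, that lists for every svchost.exe instance the account it runs as, its command line and the services it hosts, roughly what "tasklist /svc" shows. It assumes Windows with PowerShell 3 or later (for Get-CimInstance) and an elevated prompt; the function name is mine.

```powershell
# Added example, not code from the thread. Assumes Windows, PowerShell 3+,
# run from an elevated prompt so that SYSTEM-owned processes are readable.
# Maps every svchost.exe instance to the account it runs as, its service
# group ("-k <group>" on the command line) and the services it hosts.

function Get-SvchostServiceMap {
    # Win32_Service carries the PID of the process currently hosting each service;
    # stopped services report PID 0 and are skipped.
    $services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 }

    Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        $cim  = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)"
        $own  = $cim | Invoke-CimMethod -MethodName GetOwner    # Domain, User, ReturnValue
        $hosted = $services | Where-Object { $_.ProcessId -eq $proc.Id }
        [pscustomobject]@{
            PID         = $proc.Id
            Account     = if ($own.ReturnValue -eq 0) { "$($own.Domain)\$($own.User)" } else { '(not readable)' }
            CommandLine = $cim.CommandLine           # $null when not elevated
            Services    = ($hosted | ForEach-Object { $_.Name } | Sort-Object) -join ', '
        }
    }
}

# Every genuine instance hosts at least one service and carries "-k <group>".
# An instance with an empty Services column is the one to look at more closely.
Get-SvchostServiceMap | Sort-Object PID | Format-Table -AutoSize -Wrap
```

The Account column is what Task Manager shows as the user name (NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE or NT AUTHORITY\SYSTEM for real instances). Disabling a service through services.msc, as the linked guides suggest, removes it from this list; ending the svchost.exe process itself takes every service it hosts down with it.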
 
Here are a couple of links to more information and explanations about svhost, svchost and scvhost. Svchost, as mentioned, is a legitimate start-up.

http://www.liutilities.com/products/wintaskspro/processlibrary/svhost/
http://www.liutilities.com/products/wintaskspro/processlibrary/svchost/
http://www.liutilities.com/products/wintaskspro/processlibrary/scvhost/

(A word about the liutilities site...they offer a great deal of good information, but their "removal" link wants you to buy their product.)

For future reference....

TrendMicro's House Call is legitimate and it works. McAfee has a similar service. They are, after all, two of the majors in antivirus software.

McAfee
http://us.mcafee.com/?wt.mc.n=us_us_learnmore_home&wt.mc_t=int_pro_hom&cid=10348
TrendMicro
http://www.trendmicro.com/en/home/us/personal.htm

McAfee also has a standalone utility, Stinger, which can be downloaded and used if your antivirus is disabled for some reason.
http://vil.nai.com/vil/averttools.asp

Symantec and Panda offer a number of stand-alone utilities for specific threats. The trick, as Zakharov has noted, will be to get the right utility.

links:
http://www.pandasoftware.com/download/utilities/
http://securityresponse.symantec.com/avcenter/tools.list.html

One more link....to a start-up list. If you see something in Task Manager that makes you suspicious, compare it to this list -

http://startup.iamnotageek.com/page-0.html

which is based on the Pacs-Portal Start-Up List.
 
I permanently blocked svhost in NIS, and then wasn't able to use the internet. Svhost appears to be part of "Microsoft Generic Host Process for Win32 Services". I configured it to allow it for web browsing only.
 