View Full Version : Computer OT, svchost?



Mike W
06-08-2004, 01:21 PM
I keep getting these alerts from my firewall:

Program C:\windows\system32\svchost.exe
Protocal UDP(inbound)

I don't have a clue about what this is, does anyone else get these?

Joel
06-08-2004, 01:36 PM
I know little about it but, it is a necessary MS program and several instances of it are usually running. If you wonder about a program, you can always "Google" it and usually get several answers.

http://support.microsoft.com/?kbid=314056

The only problem I ever have with my computer is that svchost.exe abnormally ends, and prevents me from enabling/disabling my network connection. I have no idea why this happens. If anyone can tell me how to fix it, I would definitely appreciate it.

Mike W
06-08-2004, 01:43 PM
Thanks Joel, how do you disable the network connection?

Tony
06-08-2004, 02:12 PM
svchost has been a problem child as i hear it. apparently it's not just one program but quite a few all run under the same name. (and can have multiple instances running if it's doing a lot).

quite a few viruses (3 at least) attack svchost specifically.

mike, if your firewall is giving you the heads up there's probably something wrong.. adding it to an "ignore" database will make things worse.

have either of you two noticed svchost eating up a lot of system resources? (like CPU usage?) check TaskManager>Processes>CPU

svchost viruses (worms, technically) tend to replicate by substituting existing files on your machine. so anything that's passed a virus scan or firewall check probably won't be caught again. firewall might complain if an svchost program is trying to do something it usually shouldn't do... like write to your A: drive.

my advice?
1. download/install any security patches you might be missing from microsoft.com
2. run an up-to-date virus scan. search for svchost virus names and find virus-specific removal tools.
3. after that, install your original windows CD and run the "Repair" option.

-tony

Evan
06-08-2004, 02:30 PM
Funny, I just removed a virus this morning from a machine. The name of the viral file was scvhost.exe NOTE the difference.

Joel
06-08-2004, 02:46 PM
Mike, open control panel and click on network and dial-up connections, then right click. Disable or enable should be the top option. As I disable my connection when I am not using it, I created a shortcut and dragged it down to my taskbar for convenience.

Tony, my computer is clean, and task manager shows no anomalies. This problem started after a format and clean reinstallation of my OS (win 2000 pro). It never did it before, and I have had no viruses or other problems since the OS installation, primarily due to the router that was added at the same time.

Tony
06-08-2004, 04:49 PM
joel,
just for kicks, i'd run a few of the known svchost worm utilities.

trick with svchost worm(s!) is that it will embed itself in your system root and REPLACE an already existing (legit) file with itself. ie.. if you have, say, AdobeAcrobat.exe it will rename (and append) itself to AdobeAcrobat.exe

that won't show up on a virus scan.

i went through with the sasser worm (attacked lsass.exe) ... cleaned and scrubbed and couldn't find anything. in fact, not even the utilities found anything. but after running them (blind) the problem went away.

svchost (the real one) is capable of doing just about anything on your computer. ie, runs little microsoft programs in the background. mostly for networking/telecomm stuff. the dropbox you might say for anything MS wants to "update" or "patch"

two things can happen with an .exe bug:
1. the virus/worm/whatever, is well written and works correctly but does something it's not supposed to be doing.. and gets caught by security software (virus and/or firewall)

or

2. is poorly written (or written for a different platform, say XP instead of 2k), performs some sort of illegal system call, and hangs/aborts/abnormally ends.

it might stop execution before security software gets a chance to see it.

since multiple svchosts can run simultaneously, it might be hard to detect.. in your case, it just happens to crash the same svchost that's dictating port protocols.

again, this might not be the case, but it's odd that it's causing you problems.

run a few of the bug killers, they're free, see what happens. tops you might lose 1/2hr of your time.

good luck.. i know those things can be trying.

-tony

Ryobiguy
06-08-2004, 11:41 PM
Oh boy, I got caught with that #@$%ing sasser virus on my work XP machine. I think the last virus I had was the stoned virus I caught from a 5 1/4 floppy sneakernet file transfer back around '88. Or maybe that was my first...
I remember it was pretty darn pesky to get rid of sasser, I think I ended up just tracking it down from some registry searches and deleting that entry and whatever files it referenced. Pretty bad at a high-tech company (that makes routers/firewalls) when virii get behind the corporate firewall. D'oh!

Evan
06-08-2004, 11:50 PM
It's like a plague of locusts.