# Multiple svchost.exe



## (Omega)

When I go into the task manager there are several svchost.exe processes, about 4 of them, 1 NETWORK service and 3 SYSTEM. Is this normal? Just concerned because I know that there is a trojan with the same name that steals passwords and personal data from a remote computer.


----------



## Dr. Leach

It is normal.

<<"Svchost.exe" (Generic Host Process for Win32 Services) is an integral part of Windows OS. It cannot be stopped or restarted manually. It manages 32-bit DLLs and other services. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. In normal conditions multiple instances of Svchost.exe run at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where Svchost.exe is started. This allows for better control and debugging.>>

It can be related to a virus/trojan, if its using lots of memory and/or cpu power it could be a virus.


----------



## (Omega)

Dr. Leach said:


> It is normal.
> 
> <<"Svchost.exe" (Generic Host Process for Win32 Services) is an integral part of Windows OS. It cannot be stopped or restarted manually. It manages 32-bit DLLs and other services. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. In normal conditions multiple instances of Svchost.exe run at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where Svchost.exe is started. This allows for better control and debugging.>>
> 
> It can be related to a virus/trojan, if its using lots of memory and/or cpu power it could be a virus.


I have 3 svchost.exe that are using about 4-6000 k and 1 that is using 17,000 k. My computer seems to run fast and there is no slowdown. But How do I determine if this is a virus?


----------



## Dr. Leach

Run anti-virus software


----------



## tetonbob

(Omega) said:


> But How do I determine if this is a virus?


In addition to what Dr. Leach has said....

Location. If it's in system32, it's more than likely legit. Also, navigate to the file in question, right click on it and check it's properties. It should be a Microsoft file.

If it's in any other location, it's suspect.

If the spelling of the file name is close but not exact, it's suspicious.

I currently have 5 instances of svchost.exe running in my TM.

This is normal.


----------



## neowolf

Yep, seems normal. I actually have 7 x svchost.exe at the moment.

The one time it got me was when it was scvhost.exe - it took me a little while to notice it.


----------



## auntiej

in another forum I recently saw someone report "sychost.exe", and the advice seemed to be it could be a virus.


----------



## dorts

"sychost.exe" is a virus.


http://www.liutilities.com/products/wintaskspro/processlibrary/sychost/ said:


> sychost.exe is a process added to the system as a result of the LEOX.B VIRUS. This process is a security risk and should be removed from your system.


"Svchost.exe" is not if is in the System32 folder.


----------



## tetonbob

> "Svchost.exe" is not if is in the System32 folder


Minor correction.....if it's _running_ from any other location, that's correct. However, it will also exist in system32\dllcache.


----------



## clutch516

I was hit with "svch0st.exe" with a zero. This turned out to be a keylogger and its origins are unknown at this point.


----------



## dorts

Hi clutch516,

Since you currently do not know where the file is, please follow MicroBell's 5 Step process outlined here

After running through all the steps, best thing to do is have one of the HijackThis helpers take a look at a log and begin the cleansing.

Please download HijackThis  - this program will help us determine if there are any spyware/malware on your computer. Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\PROGRAM FILES\HIJACKTHIS\

Double click on HijackThis.exe to run the program.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file in the HijackThis Log Help forum. Do not fix anything in HijackThis since they may be harmless.


----------



## clutch516

Thanks dorts... I did this already and am still waiting on a reply in the HijackThis forum. I did find the file, so I'm hoping I cleared everything up. Just want to make sure.


----------

