Svchost is launched by what process?

Status
Not open for further replies.
R

RockinJim

I searched the forums and found several posts about svchost.
I have a virus or unwanted piece of software. It is not dangerous or urgent, but I want it out of my computer. Mcafee, Sophos, and Trend scans don't find any problem. The details are thus:

Active Ports says I have a connection to 203.121.182.210, my port 1814 and 1546, remote port 4600, and that it is established. It is established by svchost. That address is located in Thailand, according to APNIC

NMAP probe does not show my ports are open.
Ethereal does not show any packets sent to 203.121.182.210 at boot, so I'm thinking ActivePorts may not be accurate on the establishment of the connection.

When I terminate the most recent svchost, the connection reported by ActivePorts disappears. Now the question:

Is there any tool which can identify the PID or process name used to launch svchost? I think when searching for viruses, this would be a useful tool. I think I can very laborously do this using windeb, but that means I have to re-create a computer with the same OS as the one with the virus, which is very painful.

Any knowledge on svchost out there?
 
Svchost is a process that hosts system services. Assuming that it is a legitimate svchost that is making the connection, then you shiuld look at your services and disable/unistall any evil ones.

It could also be some malware posing as svchost. In that case, you can easily track down the executable location with an advanced tool like Process Monitor from Sysinternals.

It wouldn't hurt to use some proper malware removal tools like Hijackthis or Spybot S&D..
 
Thanks for the input.

ProcessExplorer says this instance of svchost has no parent.

Having launched programs from inside my software, I think it's probably no problem to start my program, start an instance of svchost, and kill my process leaving svchost alive.

I believe all services (and legit instances of svchost) start under Session Manager, and Process Explorer shows this instance of svchost at the root (same level as system idle and explorer. So I don't think this instance of svchost is launched by Microsoft's registry, but rather as a result of the malware launching it and leaving it alive for some reason.

Thanks for the thoughts, tho.

Jim
 
In Process Explorer (yeah, that's what it was called), you can see the exact loction of the exe file in the tooltip. Just delete the file if it is not the system svchost. Then search the registry for this path and delete all references.
 
Status
Not open for further replies.

Similar threads

Cal Jeffrey
Sony came up with a better place to store and charge its new earbuds; inside your controller
Replies
2
Views
322
dangh
dangh
Daniel Sims
Modder powers Apple Mac Mini entirely through Ethernet
Replies
1
Views
378
m4a4
m4a4
Cal Jeffrey
Flipper Zero pranksters could cause DoS havoc on your iPhone
Replies
7
Views
499
RaXelliX
R

Latest posts

Back