TechSpot

Svchost is launched by what process?

By RockinJim
Feb 23, 2008
  1. I searched the forums and found several posts about svchost.
    I have a virus or unwanted piece of software. It is not dangerous or urgent, but I want it out of my computer. Mcafee, Sophos, and Trend scans don't find any problem. The details are thus:

    Active Ports says I have a connection to 203.121.182.210, my port 1814 and 1546, remote port 4600, and that it is established. It is established by svchost. That address is located in Thailand, according to APNIC

    NMAP probe does not show my ports are open.
    Ethereal does not show any packets sent to 203.121.182.210 at boot, so I'm thinking ActivePorts may not be accurate on the establishment of the connection.

    When I terminate the most recent svchost, the connection reported by ActivePorts disappears. Now the question:

    Is there any tool which can identify the PID or process name used to launch svchost? I think when searching for viruses, this would be a useful tool. I think I can very laborously do this using windeb, but that means I have to re-create a computer with the same OS as the one with the virus, which is very painful.

    Any knowledge on svchost out there?
     
  2. Nodsu

    Nodsu TS Rookie Posts: 5,837   +6

    Svchost is a process that hosts system services. Assuming that it is a legitimate svchost that is making the connection, then you shiuld look at your services and disable/unistall any evil ones.

    It could also be some malware posing as svchost. In that case, you can easily track down the executable location with an advanced tool like Process Monitor from Sysinternals.

    It wouldn't hurt to use some proper malware removal tools like Hijackthis or Spybot S&D..
     
  3. RockinJim

    RockinJim TS Rookie Topic Starter

    Thanks for the input.

    ProcessExplorer says this instance of svchost has no parent.

    Having launched programs from inside my software, I think it's probably no problem to start my program, start an instance of svchost, and kill my process leaving svchost alive.

    I believe all services (and legit instances of svchost) start under Session Manager, and Process Explorer shows this instance of svchost at the root (same level as system idle and explorer. So I don't think this instance of svchost is launched by Microsoft's registry, but rather as a result of the malware launching it and leaving it alive for some reason.

    Thanks for the thoughts, tho.

    Jim
     
  4. Nodsu

    Nodsu TS Rookie Posts: 5,837   +6

    In Process Explorer (yeah, that's what it was called), you can see the exact loction of the exe file in the tooltip. Just delete the file if it is not the system svchost. Then search the registry for this path and delete all references.
     
  5. jobeard

    jobeard TS Ambassador Posts: 9,326   +622

    port 4600 is associated with AGPM service AND
    Oracle Webcache -> Ports, creates Web Cache listener ports. AND

    this kb may be helpful
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...