
svchost.exe

  • 10-05-2004 9:43am
    #1
    Banned (with Prison Access) Posts: 16,659 ✭✭✭✭


    I'm getting constant network activity on my fresh, fully patched install of XP Home, seemingly generated by a svchost.exe running under my username. I'm convinced I'm compromised but I can't figure out what with. Any tips for me?

    (I was definitely compromised with a browser doodah the other day while visiting a nefarious website to collect some useful tools, but I thought I'd cleared up after that. Must remember to visit those particular sites /after/ patching in future.)

    adam


Comments

  • Closed Accounts Posts: 545 ✭✭✭ColmOT [MSFT]


    svchost.exe is a service that hosts many other services.

    It's expected for it to request network access.

    Let it do its thing! :)

    Image Name     PID   Services
    ==========     ====  ========
    svchost.exe     876  RpcSs
    svchost.exe     936  TermService
    svchost.exe    1072  Dhcp, Dnscache
    svchost.exe    1092  Alerter, LmHosts, W32Time
    svchost.exe    1104  AudioSrv, BITS, CryptSvc, dmserver, EventSystem, helpsvc,
                         lanmanserver, lanmanworkstation, Messenger, Netman, Nla,
                         Schedule, seclogon, SENS, ShellHWDetection, winmgmt,
                         wuauserv, WZCSVC


  • Registered Users Posts: 7,496 ✭✭✭quarryman


    Probably wanna make sure you don't have this virus. It hides itself as svch0st.exe (note 'zero') instead of svchost.exe.


  • Registered Users Posts: 1,268 ✭✭✭hostyle


    Two things I'd do if I was worried:

    1. Try finding out what it's doing. "netstat -an" in a DOS window (when you're not doing anything online) and see if there's any suspicious IPs in there. Or get yourself some type of network traffic monitor that tells you ports in use, data being transferred, and source and destination IPs - I use Commview, but it's not free.

    2. Try to stop or control it. Software firewall of some sort. I've heard XP's built-in one isn't that great. I'm sure someone else can recommend a good one. svchost should be generating traffic but it should all be going out or staying local. There should be none coming in.

    Then again I could be talking out my ass. I'm no Windows security guru.
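    A small triage script that ties the three suggestions in this thread together. It is added here as an example and was not posted by anyone in the thread: it parses the output of tasklist /svc (the listing ColmOT posted, which shows what each svchost instance hosts) and of netstat -ano (hostyle's netstat, with -o so each socket is tagged with the owning PID), flags look-alike image names such as the svch0st.exe quarryman mentions, and reports which svchost instances host no service at all, which are listening for inbound connections, and which have sockets open to addresses outside the LAN. The two listings embedded in it are constructed for illustration, not captured from the poster's machine, and the foreign IPs in them are arbitrary.

```python
"""Correlate `tasklist /svc` (which services each svchost instance hosts) with
`netstat -ano` (which PID owns each socket) and flag look-alike names such as
svch0st.exe. Added example for this thread; both samples are constructed."""
import ipaddress
import re
from collections import defaultdict

# Constructed `tasklist /svc` output. The indented line is the continuation
# of PID 1104's service list, the way tasklist wraps long lists.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    876 RpcSs
svchost.exe                   1072 Dhcp, Dnscache
svchost.exe                   1104 AudioSrv, BITS, CryptSvc, lanmanserver,
                                   lanmanworkstation, wuauserv
svchost.exe                   1900 N/A
svch0st.exe                   1812 N/A
"""

# Constructed `netstat -ano` output. UDP rows have no State column.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    192.168.1.10:1043      207.46.134.221:80      ESTABLISHED     1104
  TCP    192.168.1.10:1050      85.17.12.38:6667       ESTABLISHED     1812
  UDP    192.168.1.10:68        *:*                                    1072
"""

DIGIT_SWAPS = str.maketrans("0135", "oles")  # 0->o, 1->l, 3->e, 5->s disguises


def _services(chunk):
    return [s.strip() for s in chunk.split(",") if s.strip()]


def parse_tasklist(text):
    """{pid: (image_name, [services])}; indented lines continue the previous PID."""
    procs, last_pid = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(.+?)\s*$", line)
        if m:  # header and ===== lines contain no PID and fall through
            name, pid, svcs = m.group(1), int(m.group(2)), m.group(3)
            procs[pid] = (name, [] if svcs == "N/A" else _services(svcs))
            last_pid = pid
        elif line.startswith(" ") and line.strip() and last_pid is not None:
            procs[last_pid][1].extend(_services(line))
    return procs


def parse_netstat(text):
    """[(proto, local, foreign, state, pid)]; UDP rows get an empty state."""
    conns = []
    for line in text.splitlines():
        p = line.split()
        if len(p) == 5 and p[0] == "TCP":
            conns.append((p[0], p[1], p[2], p[3], int(p[4])))
        elif len(p) == 4 and p[0] == "UDP":
            conns.append((p[0], p[1], p[2], "", int(p[3])))
    return conns


def is_lookalike(image_name):
    """svch0st.exe, svch05t.exe, ...: reads like svchost.exe but is not."""
    name = image_name.lower()
    return name != "svchost.exe" and name.translate(DIGIT_SWAPS) == "svchost.exe"


def is_external(endpoint):
    """True when the foreign host is globally routable (not LAN, loopback or *)."""
    host = endpoint.rsplit(":", 1)[0].strip("[]")
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:  # "*:*" and other placeholders
        return False


def analyze(tasklist_text, netstat_text):
    """Look-alike names, svchost instances hosting no service, svchost sockets
    listening for inbound connections, and svchost sockets to the internet."""
    procs = parse_tasklist(tasklist_text)
    f = {"lookalike": [], "no_services": [],
         "listening": defaultdict(list), "external": defaultdict(list)}
    for pid, (name, services) in procs.items():
        if is_lookalike(name):
            f["lookalike"].append((pid, name))
        elif name.lower() == "svchost.exe" and not services:
            f["no_services"].append(pid)
    for proto, local, foreign, state, pid in parse_netstat(netstat_text):
        name = procs.get(pid, ("?", []))[0]
        if name.lower() != "svchost.exe" and not is_lookalike(name):
            continue
        if state == "LISTENING":
            f["listening"][pid].append(f"{proto} {local}")
        elif is_external(foreign):
            f["external"][pid].append((name, proto, local, foreign, state))
    f["listening"], f["external"] = dict(f["listening"]), dict(f["external"])
    return procs, f


if __name__ == "__main__":
    procs, f = analyze(TASKLIST_SAMPLE, NETSTAT_SAMPLE)
    for pid, (name, services) in procs.items():
        if name.lower() == "svchost.exe" or is_lookalike(name):
            print(f"{pid:>5} {name:<12} {', '.join(services) or '(hosts no service!)'}")
    for key in ("lookalike", "no_services", "listening", "external"):
        print(f"{key}: {f[key]}")
```

    To use it on a real box, save the two listings from a cmd window (tasklist /svc > tl.txt and netstat -ano > ns.txt) and pass the file contents to analyze(). The RpcSs instance listening on TCP 135 and a DHCP client talking UDP 68 are expected; a process with a look-alike name, or an svchost.exe that hosts no service at all, is the thing to chase, starting with where its image actually lives on disk (a genuine svchost.exe is in the Windows system32 directory).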


  • Closed Accounts Posts: 545 ✭✭✭ColmOT [MSFT]


    The Windows XP firewall from RTM to SP1 blocks inbound packets, but not outbound ones.

    From Service Pack 2 and later, this firewall functionality is a 2 way blocker and supports the same functionality as a standard firewall.

    If you're providing DHCP or are a DHCP client, you're going to get svchost activity. Almost all network services depend on a svchost instance. Blocking svchost network activity may impact on your connectivity and other functionality.


  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    Too much traffic on the network for it to be normal, i.e. 50MB in the last two hours. Not running Windows firewall as I'm NATted on the router. Resetting my router to see if it's going to the WAN...

    adam


  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    Most of it is on the LAN. Seems an awful lot of traffic for NetBIOS and the like...
    Port  Status     TxPkts  RxPkts  Collisions  Tx B/s  Rx B/s  Up Time
    WAN   PPPOE         228     263           0     257     272  00:05:03
    LAN   100M/Full    8252    9783           0    5812    5667  00:05:26
    WLAN  11M/54M       343       0           0     181       0  00:05:11


  • Registered Users Posts: 1,268 ✭✭✭hostyle


    Just to compare:
    System Up Time 00:05:12
    Port  Status     TxPkts  RxPkts  Collisions  Tx B/s  Rx B/s  Up Time
    WAN   PPPOE          14      19           0       3      10  00:04:43
    LAN   100M/Full     222       0           0     106       0  00:05:10
    WLAN  11M/54M       406     257           0     472     125  00:05:01

    Idle network, two 2kpro machines, one linux box, all connected via WLAN.

    What services (likely to generate bandwidth) are you running, if any?

    PS. I had that stats window set not to update for most of the 5 minutes.

