scvhost [Archive]

View Full Version : scvhost

Bas

January 8th 04, 02:24 PM

Scvhost.exe is using all my CPU? Norton antivirus is not
detecting any virus, and i just reinstalled XP. I Looked
on the internet (hundreds of hits) and I'm NOT the only
one having this problem. But does anyone have a solution?
TIA
Bas

purplehaz

January 8th 04, 02:24 PM

The real process is SVCHOST.exe. If you have scvhost.exe then you have a
virus. Update nortons and scan again or try another av program.
Process File: scvhost or scvhost.exe
Process Name: Scvhost
Description: Added to the System as a result of the W32/Agobot-S VIRUS!
which is a IRC backdoor Trojan and network worm. W32/Agobot-S copies itself
to network shares with weak passwords and attempts to spread to computers
using the DCOM RPC and the RPC locator vulnerabilities.
Company: N/A
System Process: No
Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): Yes

Bas wrote:
> Scvhost.exe is using all my CPU? Norton antivirus is not
> detecting any virus, and i just reinstalled XP. I Looked
> on the internet (hundreds of hits) and I'm NOT the only
> one having this problem. But does anyone have a solution?
> TIA
> Bas

mdhspam

January 8th 04, 02:25 PM

I think you might want to rethink that theory. At my work
all our computers are on a domain and behind a fire wall.
I currently have 5 "svhost.exe" services running. I don't
think the computer i'm using has a virus. Nor do I think
the 20 computers in my department have a virus. The
svhost.exe is a generic program that other programs use to
access the internet, if i'm not mistaken.

>-----Original Message-----
>The real process is SVCHOST.exe. If you have scvhost.exe
then you have a
>virus. Update nortons and scan again or try another av
program.
>Process File: scvhost or scvhost.exe
>Process Name: Scvhost
>Description: Added to the System as a result of the
W32/Agobot-S VIRUS!
>which is a IRC backdoor Trojan and network worm.
W32/Agobot-S copies itself
>to network shares with weak passwords and attempts to
spread to computers
>using the DCOM RPC and the RPC locator vulnerabilities.
>Company: N/A
>System Process: No
>Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): Yes
>
>
>Bas wrote:
>> Scvhost.exe is using all my CPU? Norton antivirus is not
>> detecting any virus, and i just reinstalled XP. I Looked
>> on the internet (hundreds of hits) and I'm NOT the only
>> one having this problem. But does anyone have a
solution?
>> TIA
>> Bas
>
>
>.
>

David H. Lipman

January 8th 04, 02:26 PM

You are VERY mistaken !

The SVCHOST.EXE file is the most commonly attacked and used name with variations to that
name of any files I have seen. If you see any variation on a Win9x/ME platform its a virus,
Internet worm or Trojan as there is no file of that name nor variation of that name in the
Win9x/ME Kernel.

It is a major part of Win2K and WinXP, scvhost.exe and svhost.exe are not.

As for your svhost.exe...

W32/Gaobot.worm.gen - http://vil.nai.com/vil/content/v_100785.htm
BAT/Mumu.worm.c - http://vil.nai.com/vil/content/v_100530.htm
MovieWorld - http://vil.nai.com/vil/content/v_99529.htm

As for scvhost.exe...

W32/Gaobot.worm.aa - http://vil.nai.com/vil/content/v_100611.htm
W32/Gaobot.worm.ai - http://vil.nai.com/vil/content/v_100725.htm

As for svchost.exe...

W32/CodeBlue.worm - http://vil.nai.com/vil/content/v_99202.htm
W32/Cozit.worm - http://vil.nai.com/vil/content/v_99761.htm
BackDoor-ASL - http://vil.nai.com/vil/content/v_100229.htm
W32/Lovsan.worm.a - http://vil.nai.com/vil/content/v_100547.htm
W32/Raleka.worm - http://vil.nai.com/vil/content/v_100574.htm
PWS-Sagic - http://vil.nai.com/vil/content/v_100896.htm
W32/Assarm.worm - http://vil.nai.com/vil/content/v_99601.htm
IRC-Demfire - http://vil.nai.com/vil/content/v_100054.htm
W32/Jeefo - http://vil.nai.com/vil/content/v_100277.htm
W32/Nachi.worm - http://vil.nai.com/vil/content/v_100559.htm
BackDoor-BAE - http://vil.nai.com/vil/content/v_100731.htm

I could go on but...it's too time consuming.

If you don't have AV software, and it sounds like you don't...Please go to McAfee
(http://www.mcafee.com/myapps/mfs/default.asp) and Trend
(http://housecall.antivirus.com ) and perform an online scan of your platforms ASAP !

In addition...
If you post to UseNet with your TRUE, not a munged, email address then you have now invited
the Swen Internet worm to visit you.

The Swen is news spelled backwards. The reason it is called this is because the Swen worm
harvests email addresses from UseNet News Groups. It has an engine that allows it to post
itself to UseNet News Groups and well as it has its own email engine. From the list of
email addresses that it has harvested, it will then email itself to those addresses.

Dave

"mdhspam" > wrote in message
...
| I think you might want to rethink that theory. At my work
| all our computers are on a domain and behind a fire wall.
| I currently have 5 "svhost.exe" services running. I don't
| think the computer i'm using has a virus. Nor do I think
| the 20 computers in my department have a virus. The
| svhost.exe is a generic program that other programs use to
| access the internet, if i'm not mistaken.

Mad Max

January 8th 04, 02:29 PM

David,
Just read your post (below). Did you mean to say that "svhost.exe" is the
w32/Gaobot.worm.gen ? If so, I have several instances of same, residing in
Task Manager and no doubt in additional areas.
If I misunderstood your post ,please correct me. My machine , as far as I
know, is operating perfectly. Tell me it isn't so.
Windows XPsp1Home.

"David H. Lipman" > wrote in message
...
> You are VERY mistaken !
>
> The SVCHOST.EXE file is the most commonly attacked and used name with
variations to that
> name of any files I have seen. If you see any variation on a Win9x/ME
platform its a virus,
> Internet worm or Trojan as there is no file of that name nor variation of
that name in the
> Win9x/ME Kernel.
>
> It is a major part of Win2K and WinXP, scvhost.exe and svhost.exe are not.
>
> As for your svhost.exe...
>
> W32/Gaobot.worm.gen - http://vil.nai.com/vil/content/v_100785.htm
> BAT/Mumu.worm.c - http://vil.nai.com/vil/content/v_100530.htm
> MovieWorld - http://vil.nai.com/vil/content/v_99529.htm
>
> As for scvhost.exe...
>
> W32/Gaobot.worm.aa - http://vil.nai.com/vil/content/v_100611.htm
> W32/Gaobot.worm.ai - http://vil.nai.com/vil/content/v_100725.htm
>
> As for svchost.exe...
>
> W32/CodeBlue.worm - http://vil.nai.com/vil/content/v_99202.htm
> W32/Cozit.worm - http://vil.nai.com/vil/content/v_99761.htm
> BackDoor-ASL - http://vil.nai.com/vil/content/v_100229.htm
> W32/Lovsan.worm.a - http://vil.nai.com/vil/content/v_100547.htm
> W32/Raleka.worm - http://vil.nai.com/vil/content/v_100574.htm
> PWS-Sagic - http://vil.nai.com/vil/content/v_100896.htm
> W32/Assarm.worm - http://vil.nai.com/vil/content/v_99601.htm
> IRC-Demfire - http://vil.nai.com/vil/content/v_100054.htm
> W32/Jeefo - http://vil.nai.com/vil/content/v_100277.htm
> W32/Nachi.worm - http://vil.nai.com/vil/content/v_100559.htm
> BackDoor-BAE - http://vil.nai.com/vil/content/v_100731.htm
>
> I could go on but...it's too time consuming.
>
> If you don't have AV software, and it sounds like you don't...Please go to
McAfee
> (http://www.mcafee.com/myapps/mfs/default.asp) and Trend
> (http://housecall.antivirus.com ) and perform an online scan of your
platforms ASAP !
>
> In addition...
> If you post to UseNet with your TRUE, not a munged, email address then you
have now invited
> the Swen Internet worm to visit you.
>
> The Swen is news spelled backwards. The reason it is called this is
because the Swen worm
> harvests email addresses from UseNet News Groups. It has an engine that
allows it to post
> itself to UseNet News Groups and well as it has its own email engine.
From the list of
> email addresses that it has harvested, it will then email itself to those
addresses.
>
> Dave
>
>
>
> "mdhspam" > wrote in message
> ...
> | I think you might want to rethink that theory. At my work
> | all our computers are on a domain and behind a fire wall.
> | I currently have 5 "svhost.exe" services running. I don't
> | think the computer i'm using has a virus. Nor do I think
> | the 20 computers in my department have a virus. The
> | svhost.exe is a generic program that other programs use to
> | access the internet, if i'm not mistaken.
>
>

Mad Max

January 8th 04, 02:29 PM

David,
Correction !! svchost is what I have. Gotta get these glasses updated.

"David H. Lipman" > wrote in message
...
> You are VERY mistaken !
>
> The SVCHOST.EXE file is the most commonly attacked and used name with
variations to that
> name of any files I have seen. If you see any variation on a Win9x/ME
platform its a virus,
> Internet worm or Trojan as there is no file of that name nor variation of
that name in the
> Win9x/ME Kernel.
>
> It is a major part of Win2K and WinXP, scvhost.exe and svhost.exe are not.
>
> As for your svhost.exe...
>
> W32/Gaobot.worm.gen - http://vil.nai.com/vil/content/v_100785.htm
> BAT/Mumu.worm.c - http://vil.nai.com/vil/content/v_100530.htm
> MovieWorld - http://vil.nai.com/vil/content/v_99529.htm
>
> As for scvhost.exe...
>
> W32/Gaobot.worm.aa - http://vil.nai.com/vil/content/v_100611.htm
> W32/Gaobot.worm.ai - http://vil.nai.com/vil/content/v_100725.htm
>
> As for svchost.exe...
>
> W32/CodeBlue.worm - http://vil.nai.com/vil/content/v_99202.htm
> W32/Cozit.worm - http://vil.nai.com/vil/content/v_99761.htm
> BackDoor-ASL - http://vil.nai.com/vil/content/v_100229.htm
> W32/Lovsan.worm.a - http://vil.nai.com/vil/content/v_100547.htm
> W32/Raleka.worm - http://vil.nai.com/vil/content/v_100574.htm
> PWS-Sagic - http://vil.nai.com/vil/content/v_100896.htm
> W32/Assarm.worm - http://vil.nai.com/vil/content/v_99601.htm
> IRC-Demfire - http://vil.nai.com/vil/content/v_100054.htm
> W32/Jeefo - http://vil.nai.com/vil/content/v_100277.htm
> W32/Nachi.worm - http://vil.nai.com/vil/content/v_100559.htm
> BackDoor-BAE - http://vil.nai.com/vil/content/v_100731.htm
>
> I could go on but...it's too time consuming.
>
> If you don't have AV software, and it sounds like you don't...Please go to
McAfee
> (http://www.mcafee.com/myapps/mfs/default.asp) and Trend
> (http://housecall.antivirus.com ) and perform an online scan of your
platforms ASAP !
>
> In addition...
> If you post to UseNet with your TRUE, not a munged, email address then you
have now invited
> the Swen Internet worm to visit you.
>
> The Swen is news spelled backwards. The reason it is called this is
because the Swen worm
> harvests email addresses from UseNet News Groups. It has an engine that
allows it to post
> itself to UseNet News Groups and well as it has its own email engine.
From the list of
> email addresses that it has harvested, it will then email itself to those
addresses.
>
> Dave
>
>
>
> "mdhspam" > wrote in message
> ...
> | I think you might want to rethink that theory. At my work
> | all our computers are on a domain and behind a fire wall.
> | I currently have 5 "svhost.exe" services running. I don't
> | think the computer i'm using has a virus. Nor do I think
> | the 20 computers in my department have a virus. The
> | svhost.exe is a generic program that other programs use to
> | access the internet, if i'm not mistaken.
>
>

David H. Lipman

January 8th 04, 02:31 PM

David H. Lipman

January 8th 04, 02:31 PM

purplehaz

January 8th 04, 04:39 PM

Uhhh........ next time actually read the words. One is a real process
SVCHOST (note: svc) the virus is SCVHOST (note: scv). They are different.
SVC and SCV. If you have SCVHOST then you have a virus. If you would have
took the time to actually read my post carefully you would have seen the
ERROR you have made. Thinking SCVHOST was the same as SVCHOST. That is why
the virus was named that way, to trick people like yourself who don't know
what the real process is named or even does. If your the admin at your work
you need to do some more studying on processes and viruses.

mdhspam wrote:
> I think you might want to rethink that theory. At my work
> all our computers are on a domain and behind a fire wall.
> I currently have 5 "svhost.exe" services running. I don't
> think the computer i'm using has a virus. Nor do I think
> the 20 computers in my department have a virus. The
> svhost.exe is a generic program that other programs use to
> access the internet, if i'm not mistaken.
>
>> -----Original Message-----
>> The real process is SVCHOST.exe. If you have scvhost.exe then you
>> have a virus. Update nortons and scan again or try another av
>> program. Process File: scvhost or scvhost.exe
>> Process Name: Scvhost
>> Description: Added to the System as a result of the W32/Agobot-S
>> VIRUS! which is a IRC backdoor Trojan and network worm. W32/Agobot-S
>> copies itself to network shares with weak passwords and attempts to
>> spread to computers using the DCOM RPC and the RPC locator
>> vulnerabilities. Company: N/A
>> System Process: No
>> Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): Yes
>>
>>
>> Bas wrote:
>>> Scvhost.exe is using all my CPU? Norton antivirus is not
>>> detecting any virus, and i just reinstalled XP. I Looked
>>> on the internet (hundreds of hits) and I'm NOT the only
>>> one having this problem. But does anyone have a solution?
>>> TIA
>>> Bas
>>
>>
>>

purplehaz

January 8th 04, 04:39 PM

SVCHOST is good. SCVHOST is a virus. Please read my first post.

Mad Max wrote:
> David,
> Correction !! svchost is what I have. Gotta get these glasses updated.
>
>
> "David H. Lipman" > wrote in message
> ...
>> You are VERY mistaken !
>>
>> The SVCHOST.EXE file is the most commonly attacked and used name
>> with variations to that name of any files I have seen. If you see
>> any variation on a Win9x/ME platform its a virus, Internet worm or
>> Trojan as there is no file of that name nor variation of that name
>> in the Win9x/ME Kernel.
>>
>> It is a major part of Win2K and WinXP, scvhost.exe and svhost.exe
>> are not.
>>
>> As for your svhost.exe...
>>
>> W32/Gaobot.worm.gen - http://vil.nai.com/vil/content/v_100785.htm
>> BAT/Mumu.worm.c - http://vil.nai.com/vil/content/v_100530.htm
>> MovieWorld - http://vil.nai.com/vil/content/v_99529.htm
>>
>> As for scvhost.exe...
>>
>> W32/Gaobot.worm.aa - http://vil.nai.com/vil/content/v_100611.htm
>> W32/Gaobot.worm.ai - http://vil.nai.com/vil/content/v_100725.htm
>>
>> As for svchost.exe...
>>
>> W32/CodeBlue.worm - http://vil.nai.com/vil/content/v_99202.htm
>> W32/Cozit.worm - http://vil.nai.com/vil/content/v_99761.htm
>> BackDoor-ASL - http://vil.nai.com/vil/content/v_100229.htm
>> W32/Lovsan.worm.a - http://vil.nai.com/vil/content/v_100547.htm
>> W32/Raleka.worm - http://vil.nai.com/vil/content/v_100574.htm
>> PWS-Sagic - http://vil.nai.com/vil/content/v_100896.htm
>> W32/Assarm.worm - http://vil.nai.com/vil/content/v_99601.htm
>> IRC-Demfire - http://vil.nai.com/vil/content/v_100054.htm
>> W32/Jeefo - http://vil.nai.com/vil/content/v_100277.htm
>> W32/Nachi.worm - http://vil.nai.com/vil/content/v_100559.htm
>> BackDoor-BAE - http://vil.nai.com/vil/content/v_100731.htm
>>
>> I could go on but...it's too time consuming.
>>
>> If you don't have AV software, and it sounds like you don't...Please
>> go to McAfee (http://www.mcafee.com/myapps/mfs/default.asp) and Trend
>> (http://housecall.antivirus.com ) and perform an online scan of your
>> platforms ASAP !
>>
>> In addition...
>> If you post to UseNet with your TRUE, not a munged, email address
>> then you have now invited the Swen Internet worm to visit you.
>>
>> The Swen is news spelled backwards. The reason it is called this is
>> because the Swen worm harvests email addresses from UseNet News
>> Groups. It has an engine that allows it to post itself to UseNet
>> News Groups and well as it has its own email engine. From the list
>> of email addresses that it has harvested, it will then email itself
>> to those addresses.
>>
>> Dave
>>
>>
>>
>> "mdhspam" > wrote in message
>> ...
>>> I think you might want to rethink that theory. At my work
>>> all our computers are on a domain and behind a fire wall.
>>> I currently have 5 "svhost.exe" services running. I don't
>>> think the computer i'm using has a virus. Nor do I think
>>> the 20 computers in my department have a virus. The
>>> svhost.exe is a generic program that other programs use to
>>> access the internet, if i'm not mistaken.

NRC

January 8th 04, 04:40 PM

"Bas" > wrote in message
...
> Scvhost.exe is using all my CPU? Norton antivirus is not
> detecting any virus, and i just reinstalled XP. I Looked
> on the internet (hundreds of hits) and I'm NOT the only
> one having this problem. But does anyone have a solution?
> TIA
> Bas
Do you mean svchost.exe instead of scvhost.exe?
Here is the link to Microsoft for a description of the above:
http://support.microsoft.com/default.aspx?scid=kb;en-us;314056

kim

January 8th 04, 05:28 PM

purplehaz wrote:
>
> SVCHOST is good. SCVHOST is a virus. Please read my first post.
>
Viruses also create SVCHOST files to hide behind. From
http://www.answersthatwork.com/Tasklist_pages/tasklist_s.htm

"Many viruses masquerade themselves as SVCHOST to escape detection. Some
have names that are similar, such as SCCHOST, while others actually drop a
program file called SVCHOST in the Windows or Windows System directory."

Kimmy

kim

January 8th 04, 05:28 PM

purplehaz

January 8th 04, 07:09 PM

Thanks for the added info.

"kim" > wrote in message
...
> purplehaz wrote:
> >
> > SVCHOST is good. SCVHOST is a virus. Please read my first post.
> >
> Viruses also create SVCHOST files to hide behind. From
> http://www.answersthatwork.com/Tasklist_pages/tasklist_s.htm
>
> "Many viruses masquerade themselves as SVCHOST to escape detection. Some
> have names that are similar, such as SCCHOST, while others actually drop a
> program file called SVCHOST in the Windows or Windows System directory."
>
> Kimmy
>
>