

svchosd.exe and sachost.exe


#1 UED77




Posted 04 June 2004 - 08:12 PM

I thought this was worth sharing.

Some time ago I downloaded the Personal Firewall from ZoneLabs. Since I was determined to protect against spyware, I set it so that if a program is trying to send data, a little dialog box pops up, and the Firewall asks me if I let the program access the internet.

Along with the usual ones (AIM, Real, etc.), there was this program, svchosd.exe, that always asked for permission, and I - don't know why - but never gave it to it. It asked periodically, perhaps every two hours or so. And for some strange reason I never let it access the net.

About that time I noticed that my comp was acting unusually. After I turned it on, it would just show the nice WinXP default background, no taskbar, no start button, no icons, etc. And it would just sit there like that forever. I always had to turn it off and then back on, and fortunately it worked normally after that. Until the next after-all-night-first-power-on.

Then one day I just got suspicious and did a google search for svchosd.exe and it returned a bunch of HijackThis logs at several different forums.
So I ran HijackThis and it showed that among my BHOs, I had svchosd.exe and sachost.exe. Neither CWShredder nor Adaware recognized these files.
Then I looked in my windows directory, and there it was: sachost.exe, in windows\, lacking an icon (which is immediately suspicious), and missing a description too, which is not a promising thing in the windows directory. And in windows\system32\, there was svchosd.exe, no icon, no descr. So I deleted both of them, and used HijackThis to delete their BHO Run command.

Interestingly, my computer is no longer freezing at each power-on.

So basically, I have a good reason to believe that svchosd.exe and sachost.exe are spyware programs, with svchosd also trying to send information outbound.

