I thought this was worth sharing.
Some time ago I downloaded the Personal Firewall from ZoneLabs. Since I was determined to protect against spyware, I set it so that if a program is trying to send data, a little dialog box pops up, and the Firewall asks me if I let the program access the internet.
Along with the usual ones (AIM, Real, etc.), there was this program, svchosd.exe, that always asked for permission, and I - don't know why - but never gave it to it. It asked periodically, perhaps every two hours or so. And for some strange reason I never let it access the net.
About that time I noticed that my comp was acting unusually. After I turned it on, it would just show the nice WinXP default background, no taskbar, no start button, no icons, etc. And it would just sit there like that forever. I always had to turn it off and then back on, and fortunately it worked normally after that. Until the next after-all-night-first-power-on.
Then one day I just got suspicious and did a Google search for svchosd.exe and it returned a bunch of HijackThis logs at several different forums.
So I ran HijackThis and it showed that among my BHOs, I had svchosd.exe and sachost.exe. Neither CWSshredder nor Adaware recognized these files.
Then I looked in my windows directory, and there it was: sachost.exe, in windows\, lacking an icon (which is immediately suspicious), and missing a description too, which is not a promising thing in the windows directory. And in windows\system32\, there was svchosd.exe, no icon, no descr. So I deleted both of them, and used HijackThis to delete their BHO Run command.
Interestingly, my computer is no longer freezing at each power-on.
So basically, I have a good reason to believe that svchosd.exe and sachost.exe are spyware programs, with svchosd also trying to send information outbound.
svchosd.exe and sachost.exe