Jump to content


Photo

svchost.exe - what is it?


  • Please log in to reply
8 replies to this topic

#1 faramir50

faramir50

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 11 August 2004 - 08:53 AM

Hi,

My Sygate Personal Firewall keeps prompting me to allow the file svchost.exe to access the internet.
Should I allow it? I have no idea what this file does.

Thanks

#2 Untouchable J

Untouchable J

    Advanced Member

  • Full Member
  • PipPipPip
  • 205 posts

Posted 11 August 2004 - 09:13 AM

svchost - svchost.exe - Process Information
Process File: svchost or svchost.exe
Process Name: Service Host Process
Description: Application that works as a host process for services that run from dynamic link libraries.
Company: Microsoft Corp.
System Process: Yes
Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): No
Common Errors: N/A


Source

Its a legit Windows process so its ok. Just make sure you dont see any space before the process as this can be a spoof.

Hope this helps

-J

#3 Tuxedo Jack

Tuxedo Jack

    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • PipPipPipPipPip
  • 1,758 posts

Posted 11 August 2004 - 06:17 PM

Actually, it depends on where the svchost is running from.

As far as I know, SVCHOST.EXE shouldn't be asking to access anything but 127.0.0.1 or 0.0.0.0. Just to be sure, you mind posting a HijackThis log?

Please click the link in my signature marked "HijackThis." Make a new folder for it on the Desktop, save it there, and run it. Click "Scan," then "Save Log," and copy and paste the _entire_ log into a reply to this thread.
Signature file is under revision. This will be back shortly.

#4 1st_evil

1st_evil

    Member

  • Full Member
  • Pip
  • 61 posts

Posted 15 August 2004 - 07:29 PM

umm that happend to me to thats wierd kerio kept asking i just allowed it cause i thought it was normal :/ what you mean by hijack log?

#5 Tuxedo Jack

Tuxedo Jack

    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • PipPipPipPipPip
  • 1,758 posts

Posted 15 August 2004 - 07:35 PM

A HijackThis log tells me what's running on startup and such, This version of SVCHOST may be malware, unless it's located in C:\windows\system32.
Signature file is under revision. This will be back shortly.

#6 1st_evil

1st_evil

    Member

  • Full Member
  • Pip
  • 61 posts

Posted 15 August 2004 - 07:37 PM

well i dont think its anything to serious.. have mcafee pro and spysweeper so..

#7 Gwyrox732

Gwyrox732

    Gwy|is|here

  • Helper
  • PipPipPipPipPip
  • 514 posts

Posted 15 August 2004 - 09:53 PM

Tuxedo Jack, I think that when they say internet they can also be referring to localhost, since it's still trying to connect to an IP.
Quote from Original CWS Article at SWI: "There could be other domains involved in the future." ... We've come a long way since then

Malware esan mala, ji mi disaman. SWI ji kikan ekster!

PM me if you know what that says. Whoever gets it right gets put here!
Bagman wins, good job!

#8 Tuxedo Jack

Tuxedo Jack

    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • PipPipPipPipPip
  • 1,758 posts

Posted 16 August 2004 - 03:14 AM

They can, but since the IP wasn't specified, one would start wondering. As long as it's one of those two IPs, it's good; if not, start worrying.
Signature file is under revision. This will be back shortly.

#9 co_ol

co_ol

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 17 August 2004 - 02:55 AM

Hi

In my case, the svchost.exe has requested access to the Internet as well, I have checked the IP addresses and they are all Microsoft sites. However I have chosen to block Internet accesss for svchost.exe and that made no difference to my system.
I believe there should be no legitimate reason for windows to leave the LAN since the computers work fine without connection to the Internet.

But that is only my opinion

Cheers




Member of UNITE
Support SpywareInfo Forum - click the button