does someone have me by the cahones??


meebs
03-14-2004, 02:06 PM
Every time I start up my comp, there are 4 instances of svhost.exe in the processes tab of the task manager. One owned by LOCAL SERVICE, nothing going on there. One owned by NETWORK SERVICE, again nothing going on. The last two are owned by SYSTEM, one is 4 megs, like the others, and the last one is 19 Megs.

The last one causes my net connection to hit something, somewhere at a constant 1.7k/sec, and use about 2% of my cpu. If I kill it, my connection is fine, and it quells the network activity... but then my soundcard "goes away". And in sound options it offers "Modem #0 Line Playback" and "Modem #0 Handset Playback"...

ZAPRO shows that it is "generic host processes for Win32 services", that has activity.

Plus, my router has been saying this once every 6 hours or so...

"DoS Attack type : UDP Bomb!!"

Norton Antivirus reports everything is ok... I'm going to go buy the "system works" package soon.
Have I been pwned??

Skyline
03-14-2004, 02:17 PM
Oh yeah! Well... I have 5 svhost.exe processes running!

:p

(I wouldn't worry about it. Just make sure your NAV is updated, and you also run Spybot.)

pjcoregon
03-14-2004, 02:37 PM
No, you are likely fine (you have Zone Alarm, a router, and NAV running)... that makes for a pretty well protected machine.

Svchost, as the name implies, stands for "Service Host". Components are often implemented as services - a geek name for programs that run in the background, and aren't necessarily associated with whomever is logged into the machine.

Gil
03-14-2004, 02:38 PM
what do these background programmes do?

Neek
03-14-2004, 02:39 PM
I have no idea what you said, but I know that the word you want is cojones

pjcoregon
03-14-2004, 02:51 PM
Originally posted by gil_ong81
what do these background programmes do?

they can be generic processes like the print spooler (for printing), the plug and play process to recognize new devices, etc.

catass
03-14-2004, 03:05 PM
If you have winxp type "tasklist /svc" in a cmd window. It will show you which services each svchost.exe is running. In win2k I believe it's tlist instead of tasklist.

weitek
03-14-2004, 03:08 PM
http://vil.nai.com/vil/stinger
http://www.safer-networking.org/index.php?page=download
http://download.com.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button

those 3 free tools are all you need. make sure you update spybot & adware before you scan as they are both pretty out of date when first installed. also, you should run 'msconfig' (xp has it, 2k does not but there is a version available for download). that will show you exactly what is being loaded when you start your computer and is an invaluable tool to secure your system. pm me if you have any questions. :)

edit: oops, almost forgot. make sure all available critical and recommended updates are installed. check http://windowsupdate.microsoft.com if you aren't sure. also, run the ms baseline security analyzer to check to make sure you don't have any gaping security flaws. you can get it here: http://www.microsoft.com/technet/security/tools/mbsahome.mspx#XSLTsection123121120120

pjcoregon
03-14-2004, 03:15 PM
Originally posted by weitek
http://vil.nai.com/vil/stinger
http://www.safer-networking.org/index.php?page=download
http://download.com.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button

those 3 free tools are all you need. make sure you update spybot & adware before you scan as they are both pretty out of date when first installed. also, you should run 'msconfig' (xp has it, 2k does not but there is a version available for download). that will show you exactly what is being loaded when you start your computer and is an invaluable tool to secure your system. pm me if you have any questions. :)

svchost can run without an identifiable reference... it can also be launched from within a dll and may not have an obvious program it is associated with... the only app that I know that will specifically identify them for you is WinTasks 4.

meebs
03-14-2004, 03:19 PM
thanks for the replies.

GZoomer
03-14-2004, 03:28 PM
at the command prompt without any other programs running type "netstat". This will bring up a list of current network connections. On most computers the only connections you should see are your computer connecting back to yourself. If you see connections to addresses other than yourself start terminating services and check the list after each service is killed. If your computer is owned by someone else Norton or most of the other utils that I'm aware of will not find it. Best way to deal with this is grab the original media that came with the computer. Backup all your data files and reformat. Disclaimer I'm not responsible for any data loss or loss of functionality of your computer. Good luck.
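
Added example, not part of any post in this thread: the output of the two commands suggested above, `tasklist /svc` and `netstat`, can be joined on process ID to show which services each svchost.exe instance hosts and which remote addresses it is talking to. It assumes the listings were captured with `tasklist /svc /fo csv` and `netstat -ano`; the sample output, PIDs and addresses below are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of `tasklist /svc /fo csv` output (not taken from the thread).
TASKLIST_CSV = '''"Image Name","PID","Services"
"System Idle Process","0","N/A"
"svchost.exe","856","DcomLaunch,TermService"
"svchost.exe","932","RpcSs"
"svchost.exe","1040","AudioSrv,Dhcp,Schedule,wuauserv"
"svchost.exe","1100","Dnscache"
"explorer.exe","1620","N/A"
'''
# Constructed sample of `netstat -ano` output (documentation-range addresses).
NETSTAT = '''Active Connections

  Proto  Local Address       Foreign Address     State        PID
  TCP    0.0.0.0:135         0.0.0.0:0           LISTENING    932
  TCP    127.0.0.1:1029      127.0.0.1:1030      ESTABLISHED  1620
  TCP    192.168.1.10:1045   203.0.113.7:80      ESTABLISHED  1040
  UDP    0.0.0.0:1026        *:*                              1100
  UDP    192.168.1.10:123    *:*                              1040
'''
NOT_REMOTE = {"*", "0.0.0.0", "127.0.0.1", "[::]", "[::1]"}

def services_by_pid(tasklist_csv):
    """PID -> (image name, list of hosted services)."""
    procs = {}
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        svcs = [s.strip() for s in row["Services"].split(",") if s.strip() != "N/A"]
        procs[int(row["PID"])] = (row["Image Name"], svcs)
    return procs

def remote_peers_by_pid(netstat_text):
    """PID -> set of remote endpoints, ignoring listeners and loopback."""
    peers = defaultdict(set)
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] in ("TCP", "UDP"):
            if f[2].rsplit(":", 1)[0] not in NOT_REMOTE:
                peers[int(f[-1])].add(f[2])
    return peers

def svchost_report(tasklist_csv, netstat_text):
    """For each svchost.exe instance: the services it hosts and who it talks to."""
    peers = remote_peers_by_pid(netstat_text)
    return {pid: {"services": svcs, "remote": sorted(peers.get(pid, ()))}
            for pid, (image, svcs) in services_by_pid(tasklist_csv).items()
            if image.lower() == "svchost.exe"}

if __name__ == "__main__":
    for pid, info in svchost_report(TASKLIST_CSV, NETSTAT).items():
        print(pid, ",".join(info["services"]), "->", info["remote"] or "no remote peers")
```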

pjcoregon
03-14-2004, 04:05 PM
Originally posted by GZoomer
at the command prompt without any other programs running type "netstat". This will bring up a list of current network connections. On most computers the only connections you should see are your computer connecting back to yourself. If you see connections to addresses other than yourself start terminating services and check the list after each service is killed. If your computer is owned by someone else Norton or most of the other utils that I'm aware of will not find it. Best way to deal with this is grab the original media that came with the computer. Backup all your data files and reformat. Disclaimer I'm not responsible for any data loss or loss of functionality of your computer. Good luck.

reformatting and starting over is just about the worst suggestion you could make for him.

you are correct regarding netstat... it will show active connections

he has zone alarm pro running (ZAPRO)... it can and does stop outward bound connections and does resolve the addresses for your connections... which is a lot easier than using netstat (he would still need to do an address translation).

Norton does get rid of trojans as long as it is kept up to date (which it does on its own)... other than running spybot and adaware... there really isn't much he should worry about.