SVHOST.EXE - Dangerous

What you should do about SVHOST.EXE:

Your PC may be infected. The presence of a file called SVHOST.EXE is a possible sign of infection.

You should urgently check your PC to make sure it is not infected. The free version of Prevx CSI will scan your PC in less than two minutes and check for millions of spyware and malware infections including SVHOST.EXE. Don't take the risk, check your PC now.

Download Prevx CSI Now

What we know about SVHOST.EXE:

The filename SVHOST.EXE was first seen on May 31 2007 in BRAZIL. It has also been seen in the following geographical regions of the Prevx community:

  • SPAIN on Jun 20 2007
  • URUGUAY on Jun 20 2007
  • The UNITED KINGDOM on Mar 3 2008
  • The EUROPEAN UNION on Sep 2 2007
  • SWEDEN on Jul 8 2007
  • INDIA on Jul 8 2007
The filename SVHOST.EXE refers to many versions of an executable program.

The most common file size is 205,461 bytes. But the following file sizes have also been seen:

  • 1,232,384 bytes
  • 894,464 bytes
  • 230,400 bytes
  • 348,160 bytes
  • 1,490,813 bytes
  • 185,856 bytes

The unsafe files using this name are associated with the malware group Win32/PolyCrypt.Some files using the name SVHOST.EXE are also associated with the malware groups:
  • Trojan.SystemPoser
  • Trojan.Nudos

These files may have the following Vendor, Product, Version Information in the file header

  • The following Vendor, Product, Version Information has also been reported:
 ; ; 4.3.2.1 ; ; 1.0.0.0

SVHOST.EXE has been seen to perform the following behavior(s):

  • The Process is packed and/or encrypted using a software packing process
  • This Process Deletes Other Processes From Disk
  • Registers a Dynamic Link Library File
  • Can communicate with other computer systems using HTTP protocols
  • Executes a Process
  • Modifies Windows Security Policies to restrict/expand User Privileges on the machine
  • Terminates Processes
  • Adds a Registry Key (RUN) to auto start Programs on system start up
  • This Process Creates Other Processes On Disk
  • Writes to another Process's Virtual Memory (Process Hijacking)
  • Sends email using SMTP protocols
  • Deletes Links in the Start Menu
  • Adds a Link in the Start Menu
  • Sends mail without telling you
  • Opens browser pop ups
  • Uses DNS to retrieve the IP address for web sites
  • This Process tampers with Vulnerable System Files and Settings
  • The Process is polymorphic and can change its structure

SVHOST.EXE has been the subject of the following behavior(s):

  • Created as a process on disk
  • Deleted as a process from disk
  • Executed as a Process
  • Added as a Registry auto start to load Program on Boot up
  • Has code inserted into its Virtual Memory space by other programs
  • Deleted as a Link in the Start Menu
  • Added as a Link in the Start Menu
  • Copied to multiple locations on the system
  • Created as a new Background Service on the machine
  • Executed from Temporary Folders
  • Terminated as a Process

SVHOST.EXE can also use the following file names:

  • DC174.EXE
  • DC173.EXE
  • A0013231.EXE
  • IMGLOG.EXE
  • 88774538.SVD
  • DPTRREWKFM-733.PMS.EXE
  • 0DADB0A68D9A5A52B4F406529F9C5862.EXE
  • 3820192295.EXE
  • 4037585531.EXE
  • 1281566395.EX
  • 3335468805.EXE
  • SVHOST.EXE.Q_2CF2298_Q
  • 688833973.EXE
  • 119690E47843646B2A8873D0BABB6F2258B870A3E5E02173AA2B56CC7C7E3BC5.EXE
  • 1519832589.EXE
  • 2816373211.EXE
  • 2043881175.EXE
  • 1016934525.EXE
  • 4005183061.EXE
  • 2140759799.EXE
  • TMP0259061.LOG
  • 491185431.EXE
  • 3257243205.EXE
  • 3326126413.EXE
  • TMP7933588.LOG
  • 4174328091.EXE
  • 1900550727.EXE
  • 65649544.EXE
  • TMP7147027.LOG
  • 3062687941.EXE
  • TMP0894159.LOG

Virus, Spyware & Malware Center