SVCHOST.EXE - Dangerous

What you should do about SVCHOST.EXE:

Your PC may be infected. The presence of a file called SVCHOST.EXE is a possible sign of infection.

You should urgently check your PC to make sure it is not infected. The free version of Prevx CSI will scan your PC in less than two minutes and check for millions of spyware and malware infections including SVCHOST.EXE. Don't take the risk, check your PC now.

Download Prevx CSI Now

What we know about SVCHOST.EXE:

The filename SVCHOST.EXE was first seen on May 8 2007 in The UNITED KINGDOM. It has also been seen in the following geographical regions of the Prevx community:

  • SPAIN on Jun 8 2008
  • The EUROPEAN UNION on Oct 1 2007
  • KOREA, REPUBLIC OF on Jul 5 2008
  • FRANCE on Jul 9 2007
The filename SVCHOST.EXE refers to many versions of an executable program.

The most common file size is 106,496 bytes. But the following file sizes have also been seen:

  • 36,352 bytes
  • 17,408 bytes
  • 198,656 bytes
  • 102,400 bytes
  • 18,944 bytes
  • 646,656 bytes
  • 191,958 bytes
  • 28,000 bytes

The unsafe files using this name are associated with the malware group Win32/Small.U.Some files using the name SVCHOST.EXE are also associated with the malware groups:
  • Win32/Hidrag.A
  • Trojan.SystemPoser
  • Generic_c.DVH
  • Win32/Puce.E
  • Covert.Code
 These files have no vendor, product or version information specified in the file header.

SVCHOST.EXE has been seen to perform the following behavior(s):

  • This Process Creates Other Processes On Disk
  • Executes a Process
  • The Process is packed and/or encrypted using a software packing process
  • Adds a Registry Key (RUN) to auto start Programs on system start up
  • Creates a new Background Service on the machine
  • Changes to the file command map within the registry
  • Disables the built in Windows File Protection System
  • Adds a Link in the Start Menu
  • Deletes Links in the Start Menu
  • Creates a TCP port which listens and is available for communication initiated by other computers
  • Writes to another Process's Virtual Memory (Process Hijacking)
  • This Process Deletes Other Processes From Disk
  • Can communicate with other computer systems using HTTP protocols
  • Executes Processes stored in Temporary Folders
  • Injects code into other processes
  • This Process is a file infector which modifies program files to include a host a copy of the infection
  • Creates new folders in the file system
  • Looks at the contents of the autoexec.bat file
  • Reads email address and phone book details
  • Includes file creation code which could be used to test for interception by security products
  • Uses DNS to retrieve the IP address for web sites
  • Visits web sites on your PC without you knowing
  • Modifies System Runtime Policies to limit system usability
  • Registers a Dynamic Link Library File
  • Opens browser pop ups
  • The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
  • Terminates Processes
  • Enables an In Process Object/Server - Common with DLL Injections
  • Adds Products to the system registry
  • Ability to execute files Automatically on the machine
  • Registers or amends SMTP Mail Servers on the public internet

SVCHOST.EXE has been the subject of the following behavior(s):

  • Created as a process on disk
  • Executed as a Process
  • Created as a new Background Service on the machine
  • Changes to the file command map within the registry
  • Added as a Registry auto start to load Program on Boot up
  • Added as a Link in the Start Menu
  • Deleted as a Link in the Start Menu
  • Terminated as a Process
  • Copied to multiple locations on the system
  • Registered as a Dynamic Link Library File
  • Deleted as a process from disk
  • Has code inserted into its Virtual Memory space by other programs
  • Executed from Temporary Folders
  • Executed by Internet Explorer
  • Created by processes which appear to be checking for interception by security products

SVCHOST.EXE can also use the following file names:

  • DPTRRIWDXS-463.PMS.EXE
  • SERVICES.EXE
  • 441120611.EXE
  • USERINIT.EXE
  • DPTRKRIWBM-20.PMS.EXE
  • 03794202.SVD
  • MS-CA.EXE
  • GO[2].EXE
  • MS-E7.EXE
  • 17018487.DAT
  • 73172159.DAT
  • 00835446.EXE
  • 49966772.EXE
  • MS-60.EXE
  • GO[1].EXE
  • SVCHOST.EXE__DELETE_ON_REBOOT
  • 68393711.EXE
  • 31618669.EXE
  • 11079377.EXE
  • MS-2.EXE
  • 38644022.EXE
  • 54039756.EXE
  • 84828192.EXE
  • 40083461.EXE
  • MS-679.EXE
  • MS-1.EXE
  • MS-53F.EXE
  • MS-508.EXE
  • MS-633.EXE
  • MS-652.EXE
  • MS-676.EXE
  • MS-677.EXE
  • DC10.EXE
  • DC11.EXE
  • DC12.EXE
  • DC13.EXE
  • DC14.EXE
  • DC15.EXE
  • DC16.EXE
  • DC17.EXE
  • DC18.EXE
  • 61725207.EXE
  • MS-E.EXE
  • MS-F.EXE
  • MS-10.EXE
  • MS-67.EXE
  • 40448294.EXE
  • 65726867.EXE
  • 89179182.EXE
  • 40824243.EXE
  • MS-15A.EXE
  • TROJAN.CLICKER.SYSPOSE---SVCHOST(195387)[1].EXE
  • TROJAN.CLICKER.SYSPOSE---SVCHOST(195387).EXE
  • SETUP.EXE
  • ~.EXE
  • LOAD[1].EXE
  • DPTRIMYMSS-390.PMS.EXE
  • DEDD9CAACD42CA0BC3B2ADF0EC03496E.EXE
  • 81117472.SVD
  • _U_.EXE
  • INFO.EXE
  • DPTRROEKSW-590.PMS.EXE
  • XUE.XUE
  • BFBA46F5AB0C20032395D4AE017B33EF.EXE

Virus, Spyware & Malware Center