SVEHOST.EXE - Dangerous

What you should do about SVEHOST.EXE:

Check Your PC Now
Your PC may be infected. The presence of a file called SVEHOST.EXE is a possible sign of infection.


You should urgently check your PC to make sure it is not infected. The free version of Prevx CSI will scan your PC in less than two minutes and check for millions of spyware and malware infections including SVEHOST.EXE. Don't take the risk, check your PC now by clicking the green button.

Download Prevx CSI Now

Who Uses Prevx CSI?

Prevx has been detecting the threats that others miss since 2004.

More than 2,061,789 people have scanned with Prevx CSI and between them have checked 29.7 billion files. 66% of the PCs scanned had malware present.

What we know about SVEHOST.EXE:

The filename SVEHOST.EXE was first seen on May 19 2007 in The UNITED STATES. It has also been seen in the following geographical regions of the Prevx community:

  • IRELAND on Jul 5 2007
  • The EUROPEAN UNION on May 19 2007
  • NETHERLANDS on Oct 27 2007
  • ESTONIA on Jul 18 2007
The filename SVEHOST.EXE refers to many versions of an executable program.

The most common file size is 937,984 bytes. But the following file sizes have also been seen:

  • 73,728 bytes
  • 942,080 bytes
  • 14,336 bytes
  • 950,272 bytes

The unsafe files using this name are associated with the malware group WORM.SPYBOTAX.99328.Some files using the name SVEHOST.EXE are also associated with the malware groups:
  • Generic5.FNZ
  • Generic_c.FHX
 These files have no vendor, product or version information specified in the file header.

SVEHOST.EXE has been seen to perform the following behavior(s):

  • This Process Creates Other Processes On Disk
  • This Process Deletes Other Processes From Disk
  • Can communicate with other computer systems using HTTP protocols
  • Adds a Registry Key (RUN) to auto start Programs on system start up
  • Adds Products to the system registry
  • Adds a Registry Key (RUNONCE) to auto start Programs on system start up
  • Executes a Process
  • Registers a Dynamic Link Library File
  • Writes to another Process's Virtual Memory (Process Hijacking)
  • The Process is packed and/or encrypted using a software packing process
  • This Process uses Anti Dissasembly Tricks
  • The Process is polymorphic and can change its structure
  • This Process Contains User Mode Rootkit Functionality
  • Enables an In Process Object/Server - Common with DLL Injections
  • Disables the DCOM Ability within Windows
  • Disables Anonymous Access to the Windows Network Shares
  • Executes Processes stored in Temporary Folders
  • Makes outbound connections to other computers using NETBIOSOUT protocols

SVEHOST.EXE has been the subject of the following behavior(s):

  • Created as a process on disk
  • Added as a Registry auto start to load Program on Boot up
  • Executed as a Process
  • Executed from Temporary Folders
  • Deleted as a process from disk
  • Terminated as a Process
  • Has code inserted into its Virtual Memory space by other programs

SVEHOST.EXE can also use the following file names:

  • JCFK.EXE
  • KGKK.EXE
  • KOBF.EXE
  • ECOG.EXE
  • IDFP.EXE
  • OLLB.EXE
  • OMJF.EXE
  • DJAM.EXE
  • CKMG.EXE
  • PKGB.EXE
  • FBMK.EXE
  • JMJB.EXE
  • 5B7727FA94F094EBA590241E69C2AF23-D9E2E27400354C78203701F05F7852007D2B118B.EXE
  • APDC.EXE
  • ELEJ.EXE
  • HGKG.EXE
  • PMPF.EXE
  • BEPA.EXE
  • MOAF.EXE
  • MMJJ.EXE
  • NHHF.EXE
  • LFQDW[1].EXE
  • ACGN.EXE
  • QLNVAE[1].EXE
  • DCGB.EXE
  • MPGO.EXE
  • IDFJ.EXE
  • TTVCIXJ[1].EXE
  • KBKD.EXE
  • NHCHQ[1].EXE
  • MHEL.EXE
  • QDJPN[1].EXE
  • ECJI.EXE
  • QRMJYDJ[1].EXE
  • CCEM.EXE
  • COLL.EXE
  • MHAB.EXE
  • RIYPYU[1].EXE
  • HBAH.EXE
  • RDYEI[1].EXE
  • IJGO.EXE
  • OPOC.EXE
  • TEJB[1].EXE
  • DPPE.EXE
  • SVEHOST.EX_
  • AVI3.22.EXE
  • A0880539.EXE
  • UP[1].PHP
  • GUN4.EXE
  • 90760446.EXE
  • 17306646.EXE
  • 95359185.EXE
  • 36546821.EXE
  • 04460822.EXE
  • 16868628.EXE
  • 31306638.EXE
  • SVNHOST.EXE
  • A0036333.EXE
  • 72952452.EXE
  • DC6.EXE
  • SVEHOST.EXE.VZR