Spyware Horror Story: Confounded by hosts

The generic Windows service-host process svchost.exe has a sinister history of malware hiding beneath it, but not every running instance of it is trouble.

Spyware Horror Story

Published by Mesila; San Francisco, CA

I recently had unknown malware that was causing Windows to keep rebooting at odd moments. Another thing it did was install a kazillion services and then have all of them running at once. It wasn't something that any scanner would pick up--and being big on file sharing, I've made it a point to keep a whole army of antimalware programs around. I'm assuming the culprit was either one that was new at the time, or a variant that had morphed itself from an older version. Eventually, after a lot of fussing and cussing, I had to reinstall Windows XP. (The malware had also gacked the System Restore function.)

Services in general faze me, even as an intermediate-to-advanced user. I use Process Explorer to ferret out running services that do not belong to Windows or to programs that I am familiar with, but more than once I have shut down something I'll see running that hides under svchost.exe. It confuses me to see svchost.exe running multiple copies of itself--that's one place a lot of active malware hides, but too often I'll end up hosing something that I shouldn't have and screwing up my system in the process.

I wonder if there's some way to shut down services we're never going to use, or keep anything other than Windows from using them, because then I wouldn't have this happen so much. I'd imagine that would also save resources. Windows Help files about services are unfortunately not very helpful.


Editor's response

Good move with Process Explorer. We've extolled its virtues in many an editorial as a clear way to see what's running and pick off what ought not to be. Yet despite Windows' proclivity to run multiple instances of the generically-named process, not all host files are troubled.

However, since you asked, one way we know of to control a Windows service in XP is through the Service Control Manager. There are two methods of getting to this native control. Method one: open the Control Panel, then select Administrative Tools. Select Services from the bottom of the pile. Method two: press the Start button, select Run, and type services.msc.

If you hover over an instance of svchost.exe in Process Explorer, you'll see which services are associated with each process, and you can then stop the service from the Service Control Manager. You can also right-click any process in Process Explorer, click "Properties," then open the "Services" tab to stop or pause any of them without using services.msc.

That's my take, but if others of you out there have insight for Mesila or for anyone else confounded by hosts, now's your chance to pipe up in the comments.
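For readers who would rather have the hover-over information in one listing, here is an added script (not code from the column or from Process Explorer) that prints every svchost.exe, checks that it is really the System32 binary, lists the services each one hosts, and shows where each hosted service's DLL lives, since a rogue service registered into a genuine svchost.exe is exactly the pattern Mesila describes. It uses WMI and the registry provider, which were available in PowerShell 1.0 and 2.0 on Windows XP, and must be run from an administrator account. The name "ServiceName" at the end is a placeholder, not a real service.

```powershell
# Added example, not code from the Download.com column. Lists svchost.exe
# instances, the services each hosts, and each service's DLL, then offers a
# helper to stop and disable a service you have decided you do not need.
# Assumes an administrator session on Windows XP or later with PowerShell.

$svchostPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

function Get-ServiceDll([string]$Name) {
    # svchost-hosted services register the DLL they load under
    # Services\<name>\Parameters\ServiceDll; that file is what actually runs.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name\Parameters"
    if (-not (Test-Path $key)) { return $null }
    $prop = Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue
    if ($prop) { return [Environment]::ExpandEnvironmentVariables($prop.ServiceDll) }
    return $null
}

function Show-SvchostServices {
    $services = Get-WmiObject Win32_Service
    $hosts    = Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'"
    foreach ($proc in $hosts) {
        # A genuine svchost.exe runs from System32. ExecutablePath is empty when
        # the caller cannot open the process, so report that rather than assume.
        $path = $proc.ExecutablePath
        $verdict = if (-not $path) { 'path unreadable' }
                   elseif ($path -ieq $svchostPath) { 'ok' }
                   else { 'NOT the System32 binary' }
        Write-Host ("PID {0,6}  [{1}]  {2}  {3}" -f $proc.ProcessId, $verdict, $path, $proc.CommandLine)

        $hosted = @($services | Where-Object { $_.ProcessId -eq $proc.ProcessId })
        if ($hosted.Count -eq 0) {
            Write-Host "        no services currently reported in this process"
            continue
        }
        foreach ($svc in $hosted) {
            $dll = Get-ServiceDll $svc.Name
            # Third-party services can legitimately live outside the Windows
            # directory, so this is a "look here first" marker, not a verdict.
            $where = if (-not $dll) { 'no ServiceDll value' }
                     elseif ($dll -like "$env:SystemRoot\*") { 'Windows dir' }
                     else { 'OUTSIDE Windows dir, verify' }
            Write-Host ("        {0,-24} {1,-8} {2}  [{3}] {4}" -f $svc.Name, $svc.State, $svc.DisplayName, $where, $dll)
        }
    }
}

function Disable-UnneededService([string]$Name) {
    # Stops a service and keeps it from starting at boot. Prints the current
    # start mode first so the change can be undone later with
    # Set-Service -Name <name> -StartupType Automatic (or Manual).
    $svc = Get-WmiObject Win32_Service -Filter "Name = '$Name'"
    if (-not $svc) { Write-Warning "No service named '$Name'"; return }
    Write-Host ("{0}: state {1}, start mode {2}" -f $svc.Name, $svc.State, $svc.StartMode)
    Stop-Service -Name $Name -Force
    Set-Service  -Name $Name -StartupType Disabled
}

Show-SvchostServices
# Disable-UnneededService 'ServiceName'   # placeholder: use a Name from the listing above
```

Without PowerShell, the same PID-to-service mapping is available from a command prompt with tasklist /svc, and sc qc followed by a service name shows that service's binary path and start type. Before disabling anything, note that some hosted services (the RPC service, for instance) are ones Windows cannot run without; setting a doubtful service to Manual and rebooting is a safer first step than Disabled, and it leaves the easy way back that Mesila's "hosing something I shouldn't have" lacked.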
