
"svchost.exe" appears several times in the Windows Task Manager.



Guest Frank Martin
Posted

Twice for the "SYSTEM" user name.

 

Twice for the "LOCAL SERVICE" user name.

 

Twice for the "NETWORK SERVICE" user name.

 

Also:

 

"rundll32.exe" appears twice too. As does

"csrss.exe".

 

Can someone help me to determine if these

extra ones are redundant, and how to remove

them.

 

Frank

Guest David H. Lipman
Posted

Re: "svchost.exe" appears several times in the Windows Task Manager.

 

From: "Frank Martin" <fm@general.com.au>

 

| Twice for the "SYSTEM" user name.

 

| Twice for the "LOCAL SERVICE" user name.

 

| Twice for the "NETWORK SERVICE" user name.

 

| Also:

 

| "rundll32.exe" appears twice too. As does

| "csrss.exe".

 

| Can someone help me to determine if these

| extra ones are redundant, and how to remove

| them.

 

| Frank

 

 

Multiple SVCHOST.EXE instances running from; c:\windows\system32 is normal. It is not

important how many instances of SVCHOST.EXE are running but from WHERE they are running

from. Having SVCHOST.EXE running from locations OTHER THAN c:\windows\system32 is a sign

of a malware infection.

 

However multiple CSRSS.EXE instances are not normal.

 

Download Process Explorer from Sysinternals and look at the fully qualified paths to the

files.

If you find a copy of CSRSS.EXE or SVCHOST.EXE running from locations OTHER THAN;

c:\windows\system32 kill the processes and delete the files.

If this is the case, your PC is infected with malware.

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Posted

Re: "svchost.exe" appears several times in the Windows Task Manager.

 

 

"Frank Martin" <fm@general.com.au> wrote in message

news:Om0MJAhtIHA.5892@TK2MSFTNGP02.phx.gbl...

> Twice for the "SYSTEM" user name.

>

> Twice for the "LOCAL SERVICE" user name.

>

> Twice for the "NETWORK SERVICE" user name.

>

> Also:

>

> "rundll32.exe" appears twice too. As does "csrss.exe".

>

> Can someone help me to determine if these extra ones are redundant, and

> how to remove them.

>

> Frank

>

None of them are redundant.

 

Svchost.exe is a program which can perform various tasks. Hence, what you

are seeing is 6 different processes each running svchost.exe for 6 different

tasks.

The same comment applies to the other two programs.

 

Jim

Guest David H. Lipman
Posted

Re: "svchost.exe" appears several times in the Windows Task Manager.

 

From: "Jim" <jim-norris@sbcglobal.com>

 

 

 

 

| None of them are redundant.

 

| Svchost.exe is a program which can perform various tasks. Hence, what you

| are seeing is 6 different processes each running svchost.exe for 6 different

| tasks.

| The same comment applies to the other two programs.

 

| Jim

 

The legitimate "csrss.exe" does NOT run in multiple instances.

 

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Posted

Re: "svchost.exe" appears several times in the Windows Task Manager.

 

 

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message

news:%23ClJJWhtIHA.4560@TK2MSFTNGP03.phx.gbl...

> From: "Jim" <jim-norris@sbcglobal.com>

>

>

>

>

> | None of them are redundant.

>

> | Svchost.exe is a program which can perform various tasks. Hence, what

> you

> | are seeing is 6 different processes each running svchost.exe for 6

> different

> | tasks.

> | The same comment applies to the other two programs.

>

> | Jim

>

> The legitimate "csrss.exe" does NOT run in multiple instances.

>

>

> --

> Dave

> http://www.claymania.com/removal-trojan-adware.html

> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

>

>

Thanks for the info. The OP has malware...

Jim

Guest David H. Lipman
Posted

Re: "svchost.exe" appears several times in the Windows Task Manager.

 

From: "Jim" <jim-norris@sbcglobal.com>

 

 

 

 

| Thanks for the info. The OP has malware...

| Jim

 

 

Strong possibility...

 

Examples:

http://vil.nai.com/vil/content/v_126644.htm

 

http://vil.nai.com/vil/content/v_137761.htm

 

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Frank Martin
Posted

Re: "svchost.exe" appears several times in the Windows Task Manager.

 

 

"David H. Lipman"

<DLipman~nospam~@Verizon.Net> wrote in

message

news:O8uI7GhtIHA.1936@TK2MSFTNGP04.phx.gbl...

> From: "Frank Martin" <fm@general.com.au>

>

> | Twice for the "SYSTEM" user name.

>

> | Twice for the "LOCAL SERVICE" user name.

>

> | Twice for the "NETWORK SERVICE" user

> name.

>

> | Also:

>

> | "rundll32.exe" appears twice too. As does

> | "csrss.exe".

>

> | Can someone help me to determine if these

> | extra ones are redundant, and how to

> remove

> | them.

>

> | Frank

>

>

> Multiple SVCHOST.EXE instances running

> from; c:\windows\system32 is normal. It

> is not

> important how many instances of SVCHOST.EXE

> are running but from WHERE they are running

> from. Having SVCHOST.EXE running from

> locations OTHER THAN c:\windows\system32 is

> a sign

> of a malware infection.

>

> However multiple CSRSS.EXE instances are

> not normal.

>

> Download Process Explorer from Sysinternals

> and look at the fully qualified paths to

> the

> files.

> If you find a copy of CSRSS.EXE or

> SVCHOST.EXE running from locations OTHER

> THAN;

> c:\windows\system32 kill the processes and

> delete the files.

> If this is the case, your PC is infected

> with malware.

>

> --

> Dave

> http://www.claymania.com/removal-trojan-adware.html

> Multi-AV -

> http://www.pctipp.ch/downloads/dl/35905.asp

 

Thank you. I have downloaded the "Process

Explorer" and all multiple examples of those

*.exe programs are operating under the

"System" section, which means they're OK, I

suppose.

 

The folder structure for "System" in Process

Explorer goes like this..."

System/smss.exe/csrss.exe/winlogon.exe/services.exe/*.*

 

However there is an example of "csrss.exe"

running under the "explorer.exe" section and

I will delete this.

 

Can the text under the "Description" header

be taken as true? The "csrss.exe" has no

description, whereas all the others do.

 

Regards, Frank

Guest David H. Lipman
Posted

Re: "svchost.exe" appears several times in the Windows Task Manager.

 

From: "Frank Martin" <fm@general.com.au>

 

 

| Thank you. I have downloaded the "Process

| Explorer" and all multiple examples of those

| *.exe programs are operating under the

| "System" section, which means they're OK, I

| suppose.

 

| The folder structure for "System" in Process

| Explorer goes like this..."

| System/smss.exe/csrss.exe/winlogon.exe/services.exe/*.*

 

| However there is an example of "csrss.exe"

| running under the "explorer.exe" section and

| I will delete this.

 

| Can the text under the "Description" header

| be taken as true? The "csrss.exe" has no

| description, whereas all the others do.

 

| Regards, Frank

 

 

The file "csrss.exe" running under "explorer.exe" is illegitimate and its propensity of

being malware is high.

 

If you kill the process and move the file you can then submit the file to Virus Total [

http://www.virustotal.com/ ] and you'll find out if it is malware.

If you do that, please post the results from Virus Total.

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
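
The check discussed in the replies above (the image path of svchost.exe and csrss.exe, and which process started them), as an added PowerShell example that is not part of any post in this thread. The function name and the sample process list are constructed for illustration; the `C:\Windows\Config\csrss.exe` path is the one reported later in the thread.

```powershell
# Added example: flag svchost.exe / csrss.exe by image path and parent process.
# Watched names and the expected directory come from the thread; the rest is illustrative.
$Expected = Join-Path $env:SystemRoot 'System32'
$Watched  = 'svchost.exe', 'csrss.exe'

function Find-SuspectSystemProcess {   # hypothetical helper name
    param([Parameter(Mandatory)] [object[]] $Processes)

    # Index by PID so each process's parent name can be resolved.
    $byPid = @{}
    foreach ($p in $Processes) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $Processes) {
        if ($Watched -notcontains $p.Name) { continue }   # comparison is case-insensitive
        $parent  = $byPid[[int]$p.ParentProcessId]
        $reasons = @()

        if ([string]::IsNullOrEmpty($p.ExecutablePath)) {
            # Protected processes can hide their path; report it, do not call it bad.
            $reasons += 'path unavailable (re-run elevated)'
        } elseif ((Split-Path $p.ExecutablePath -Parent) -ine $Expected) {
            $reasons += "image outside $Expected"
        }
        if ($parent -and $parent.Name -ieq 'explorer.exe') {
            $reasons += 'started from explorer.exe'
        }
        if ($reasons) {
            [pscustomobject]@{
                Name    = $p.Name
                PID     = $p.ProcessId
                Path    = $p.ExecutablePath
                Parent  = if ($parent) { $parent.Name } else { '(exited)' }
                Reasons = $reasons -join '; '
            }
        }
    }
}

# Constructed sample modelled on the situation described in the thread.
$sample = @(
    [pscustomobject]@{ Name='services.exe'; ProcessId=700;  ParentProcessId=600;  ExecutablePath='C:\Windows\System32\services.exe' }
    [pscustomobject]@{ Name='svchost.exe';  ProcessId=900;  ParentProcessId=700;  ExecutablePath='C:\Windows\System32\svchost.exe' }
    [pscustomobject]@{ Name='explorer.exe'; ProcessId=1500; ParentProcessId=1400; ExecutablePath='C:\Windows\explorer.exe' }
    [pscustomobject]@{ Name='csrss.exe';    ProcessId=2300; ParentProcessId=1500; ExecutablePath='C:\Windows\Config\csrss.exe' }
)
Find-SuspectSystemProcess $sample | Format-List

# Against the live system (run elevated so ExecutablePath is populated):
# Find-SuspectSystemProcess (Get-CimInstance Win32_Process) | Format-List
```

Only the constructed `csrss.exe` entry is reported, for both reasons; the `svchost.exe` under `services.exe` in System32 passes. Parent PIDs can be reused after the real parent exits, so treat the parent name as a lead to confirm in Process Explorer rather than as proof.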

Guest Frank Martin
Posted

Re: "svchost.exe" appears several times in the Windows Task Manager.

 

 

"David H. Lipman"

<DLipman~nospam~@Verizon.Net> wrote in

message

news:u8ZwQeitIHA.3564@TK2MSFTNGP03.phx.gbl...

> From: "Frank Martin" <fm@general.com.au>

>

>

> | Thank you. I have downloaded the

> "Process

> | Explorer" and all multiple examples of

> those

> | *.exe programs are operating under the

> | "System" section, which means they're OK,

> I

> | suppose.

>

> | The folder structure for "System" in

> Process

> | Explorer goes like this..."

> |

> System/smss.exe/csrss.exe/winlogon.exe/services.exe/*.*

>

> | However there is an example of

> "csrss.exe"

> | running under the "explorer.exe" section

> and

> | I will delete this.

>

> | Can the text under the "Description"

> header

> | be taken as true? The "csrss.exe" has no

> | description, whereas all the others do.

>

> | Regards, Frank

>

>

> The file "csrss.exe" running under

> "explorer.exe" is illegitimate and its

> propensity of

> being malware is high.

>

> If you kill the process and move the file

> you can then submit the file to Virus Total

> [

> http://www.virustotal.com/ ] and you'll

> find out if it is malware.

> If you do that, please post the results

> from Virus Total.

>

> --

> Dave

> http://www.claymania.com/removal-trojan-adware.html

> Multi-AV -

> http://www.pctipp.ch/downloads/dl/35905.asp

 

 

 

I did this and gave it to "VirusTotal"

Result:

http://www.virustotal.com/analisis/eae8817bc6b2dba77e506e2ad88418f8

Guest PA Bear [MS MVP]
Posted

Re: "svchost.exe" appears several times in the Windows Task Manager.

 

I've got five (5) instances now & everything's fine.

 

"If it ain't broke, don't fix it."

--

~Robear Dyer (PA Bear)

MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

AumHa VSOP & Admin http://aumha.net

DTS-L http://dts-l.net/

 

 

Frank Martin wrote:

> Twice for the "SYSTEM" user name.

>

> Twice for the "LOCAL SERVICE" user name.

>

> Twice for the "NETWORK SERVICE" user name.

>

> Also:

>

> "rundll32.exe" appears twice too. As does

> "csrss.exe".

>

> Can someone help me to determine if these

> extra ones are redundant, and how to remove

> them.

>

> Frank

Guest David H. Lipman
Posted

Re: "svchost.exe" appears several times in the Windows Task Manager.

 

From: "Frank Martin" <fm@general.com.au>

 

 

| I did this and gave it to "VirusTotal"

| Result:

| http://www.virustotal.com/analisis/eae8817bc6b2dba77e506e2ad88418f8

 

 

 

Since this is a Trojan Downloader I suspect that you are infected with "more" than just

that !

 

 

Download MULTI_AV.EXE from the URL --

http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe

 

http://www.pctipp.ch/downloads/dl/35905.asp

 

English:

http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/

 

To use this utility, perform the following...

Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }

Choose; Unzip

Choose; Close

 

Execute; C:\AV-CLS\StartMenu.BAT

{ or Double-click on 'Start Menu' in C:\AV-CLS }

 

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your

FireWall to allow it to download the needed AV vendor related files.

 

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}

This will bring up the initial menu of choices and should be executed in Normal Mode.

This way all the components can be downloaded from each AV vendor's web site.

The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

 

You can choose to go to each menu item and just download the needed files or you can

download the files and perform a scan in Normal Mode. Once you have downloaded the files

needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key

during boot] and re-run the menu again and choose which scanner you want to run in Safe

Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

 

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help

file.

 

Additional Instructions:

http://pcdid.com/Multi_AV.htm

 

 

* * * Please report back your results * * *

 

 

 

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Frank Martin
Posted

Re: "svchost.exe" appears several times in the Windows Task Manager.

 

Now that I have deleted the file I get an

error message from Windows on reboot, viz.:

 

"Windows cannot find

"C:\Windows\Config\csrss.exe." Make sure you

typed the name correctly, and then try

again."

Is there some other adjustment to make?

 

Regards, Frank

 

 

 

 

 

 

"David H. Lipman"

<DLipman~nospam~@Verizon.Net> wrote in

message

news:uq5682stIHA.3564@TK2MSFTNGP03.phx.gbl...

> From: "Frank Martin" <fm@general.com.au>

>

>

> | I did this and gave it to "VirusTotal"

> | Result:

> |

> http://www.virustotal.com/analisis/eae8817bc6b2dba77e506e2ad88418f8

>

>

>

> Since this is a Trojan Downloader I suspect

> that you are infected with "more" than just

> that !

>

>

> Download MULTI_AV.EXE from the URL --

> http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe

>

> http://www.pctipp.ch/downloads/dl/35905.asp

>

> English:

> http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/

>

> To use this utility, perform the

> following...

> Execute; Multi_AV.exe { Note: You must use

> the default folder C:\AV-CLS }

> Choose; Unzip

> Choose; Close

>

> Execute; C:\AV-CLS\StartMenu.BAT

> { or Double-click on 'Start Menu' in

> C:\AV-CLS }

>

> NOTE: You may have to disable your software

> FireWall or allow WGET.EXE to go through

> your

> FireWall to allow it to download the needed

> AV vendor related files.

>

> C:\AV-CLS\StartMenu.BAT -- { or

> Double-click on 'Start Menu' in C:\AV-CLS}

> This will bring up the initial menu of

> choices and should be executed in Normal

> Mode.

> This way all the components can be

> downloaded from each AV vendor's web site.

> The choices are; Sophos, Trend, McAfee,

> Kaspersky, Exit this menu and Reboot the

> PC.

>

> You can choose to go to each menu item and

> just download the needed files or you can

> download the files and perform a scan in

> Normal Mode. Once you have downloaded the

> files

> needed for each scanner you want to use,

> you should reboot the PC into Safe Mode [F8

> key

> during boot] and re-run the menu again and

> choose which scanner you want to run in

> Safe

> Mode. It is suggested to run the scanners

> in both Safe Mode and Normal Mode.

>

> When the menu is displayed hitting 'H' or

> 'h' will bring up a more comprehensive PDF

> help

> file.

>

> Additional Instructions:

> http://pcdid.com/Multi_AV.htm

>

>

> * * * Please report back your results *

> * *

>

>

>

>

> --

> Dave

> http://www.claymania.com/removal-trojan-adware.html

> Multi-AV -

> http://www.pctipp.ch/downloads/dl/35905.asp

>

>

