Where is it alright for svchost.exe to be?

Read the article that everyone's commenting on.
Subscribe to the RSS Feed for comments on this article.

Hi Leo

I've done what you suggested and it worked perfectly. I haven't got the 100% cpu usage eny more. Thanks a lot for your help

Great artice, unfortunately it didn't help me. All my five SVCHOST.EXE files where in the right directory. But I could just shut down the one process that used 50 % of the CPU. I then got the one minute to shutdown warning. But that was easily avoided by typing shutdown -a in the run window. My computer ran smoother then, but I still experience a bit lag in certain games like Battlefield 2.

I just did a scan for svchost.exe
I not only found it in /system32 and /servicepack/i386 but also in /prefetch

I'm assuming the one in /prefetch is a virus

Not neccesarily. Prefetch is a valid place for it to be, but it's also ok to delete it from there. It'll probably come back. Prefetch is a performance optimization for loading windows.

Hi Leo. I found a copy of svchost in the directory C:/Windows/System32/wins/SVCHOST.EXE
What i should do??
This svchost file in property windows says:
TCP/IP Trivial file transfer daemon...What is this?

Hi Leo, I have Trend Micro installed and I keep getting a message that the virus TROJ_DLOADR.AD has been found in C;/windows/system32/directx/svchost.exe. The PC-cillin software always quarantines the file but I keep getting the message at various times when I try to connect to the internet. The good news is that the anti virus software seems to be working. The bad news is there is something on the computer that keeps installing a bad copy of svchost.exe in the directx directory. Any ideas on how to identify what is installing this bad copy of svchost?

I solved the problem. Windows Xp Pro SP 1.

In my case is Windows Update. I just turn off Automatic Updates. No more svchost 100% CPU. Now the problem is: I have to do manually updates.

I found a svchost.exe in my programs directory (C:/program/svchost/svchost.exe) which couldn't be removed since the system was using it somehow. I also saw that I had blocked it with my firewall. When I released the block for a short period of time it immediatley began connecting to a computer in Holland. I then blocked it again and searched for registry keys with that path name. It turns out the keys were about the eMando remote control software. After removing the keys I could delete the file. Shortly before this a buddy of mine had his pokeraccounts robbed for about $6000 and his hard drive erased, which was probably the result of this very file. Thanks to Leo for helping me identify the trojan.

I had the same problem with the Trojan installing a fake “svchost.exe” in the directX folder. What I did first was:

Using the free online virus scanner kaspersky which can be downloaded from:

http://www.kaspersky.com/virusscanner

After scanning found the “usbadpt32.dll” to be a Trojan which was located in the
c:\windows\system32 directory.

This was a pain to delete because Xp would not allow me to delete the DLL.
Steps that I had to take in order to delete this virus was the following:

1). Using the "eXtended Task manager.exe" program which you can try out
for 21 days free. I searched for the module name "usbadpt32.dll".

2). When found I told the program to unload the module.

3). Using the program name "registry crawler" I did a search for:

"usbadpt32.dll"

4). When found I deleted all keys associated with this DLL.

5). I deleted the file name "svchost.exe" which the virus used located
in the directory "c:\windows\system32\directX".

6). Restarted the system.

7). Upon entering windows I deleted the "usbadpt32.dll" from the directory
C:\windows\system32.

DONE!

Process Explorer is great. I've been looking for an application like this for a long time. I have 5 svchost.exe running and they are all from the legit directory. I'm glad to finally confirm this.

To post a comment on "Where is it alright for svchost.exe to be?", please return to that article's main page.