Ask Leo! by Leo A. Notenboom

What is svchost, and why is there more than one copy running?


Comments


I can't seem to get rid of my popups. I have used ad-ware 6.0 and spybot but these pop-ups keep coming back... sometimes 60 at a time... I think it is a virus that may have attached itself to my svchost.exe file. I want to remove them; how do I go about this?
Help please, Leo

Posted by: theresa darius at March 9, 2004 10:39 AM

Well, you didn't say whether or not you've run an anti-virus check, so certainly do that. Also check out this article: http://ask-leo.com/archives/000059.html for more steps to take on the svchost problem (read the posted comments as well, many people contributed valuable info). You also didn't say what kind of popups. If you're running XP or Win2k you should disable the Windows Messenger Service (not the IM client, but the service.) I talk about that one in this article: http://ask-leo.com/archives/000017.html

Good luck!

Leo

Posted by: Leo at March 9, 2004 1:06 PM

I learnt about the existence of svchost.exe just yesterday, when my Norman firewall, under Windows XP professional, asked whether task c:\windows\system32\svchost.exe should be allowed outgoing communication with protocol UDP to remote address 207.46.130.100.
What is the purpose of svchost.exe accessing the internet? What if I deny access (which I did, without observing any negative consequences)?
Who/What is behind 207.46.130.100 (Microsoft, I guess!?!)?

Thanks for your response in advance

franz

Posted by: Franz J. Polster at March 9, 2004 11:37 PM

I'll assume you meant "Norton" firewall :-).

So, to find out what 207.46.130.100 is, I went to a command prompt, and typed the following:

ping -a 207.46.130.100

And it tells me that that IP address is "time.microsoft.com" ... so you are correct, it was Microsoft. That instance of svchost is supporting the time service, and has asked time.microsoft.com for the current time. You can change the server it uses, or turn off the auto time update completely, in the same place you set your PC's clock in Windows.

Leo

Posted by: Leo at March 10, 2004 9:30 AM
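
An added example, not part of Leo's reply or the original page: a PowerShell version of the two checks discussed above, reverse-resolving the address from the firewall prompt and listing which services each svchost.exe instance hosts (the time service appears as W32Time). It assumes a Windows system with PowerShell 3.0 or later; the variable names are illustrative.

```powershell
# Added example. Assumes PowerShell 3.0+ (Get-CimInstance, -in operator).
# The address is the one quoted in the firewall prompt above.
$ip = '207.46.130.100'

# 1. Reverse-resolve the address, which is what "ping -a" does before pinging.
try {
    $name = [System.Net.Dns]::GetHostEntry($ip).HostName
} catch {
    $name = '(no reverse DNS record)'
}
'{0} resolves to {1}' -f $ip, $name

# 2. Locations where a genuine svchost.exe lives. SysWOW64 holds the
#    32-bit copy on 64-bit Windows.
$expected = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

# 3. Index running services by the process ID that hosts them.
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object ProcessId -AsHashTable -AsString

# 4. One row per svchost.exe instance: its path, whether that path is an
#    expected one, and the services running inside it.
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    ForEach-Object {
        $hosted = $services["$($_.ProcessId)"]
        $where  = if ($_.ExecutablePath) {
            if ($_.ExecutablePath -in $expected) { 'expected' } else { 'UNEXPECTED' }
        } else {
            'unknown (run elevated)'   # path is hidden from non-admin sessions
        }
        [pscustomobject]@{
            ProcessId = $_.ProcessId
            Path      = $_.ExecutablePath
            Location  = $where
            Services  = ($hosted.Name -join ', ')
        }
    } |
    Sort-Object ProcessId |
    Format-Table -AutoSize -Wrap
```

A row marked UNEXPECTED, or an svchost.exe that hosts no services at all, is the one worth scanning first.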

My computer is running really slow. A lot of CPU usage is taken by svchost. What can I do? Where can I look for the problem?
10X

Posted by: Ovi & Adi at March 13, 2004 9:44 AM

Hello Leo!
I have a question for you:
I have Norton NIS+NAV installed on Win XP Pro, and it can't run anymore. When I restart Windows I can see the icons of NAV and NIS (with an x) and after a few seconds they disappear and I can't run any Norton application besides Live Update, which doesn't work either. I even tried to install Windows on another partition and re-install NIS before even connecting to the internet, and the same happens again... I did install all the latest updates from Microsoft Update. I think it's a virus, but I can't find it with the pre-installed NIS that is on the NIS setup CD or with Trend Micro online antivirus or fixblast.exe...
Is it normal for the rpcs service of svchost to be running?
If I try to close it I get the 60-second countdown as in the Blaster worm... Should this service run in normal use, or is it some kind of virus?

thanks!

Posted by: idan at March 15, 2004 1:31 PM

rpcss is a normal service. Unfortunately it's also the service that had a vulnerability that virus writers exploited. You can read more about it, and try downloading the patch for that vulnerability from here: http://ask-leo.com/d-rpcvuln

Some variations of the viruses actually prevent virus scanners from updating, so it sounds like that's what you have. Try the patch above and see if that doesn't let you make progress.

Good luck!

Leo

Posted by: Leo at March 15, 2004 5:06 PM

I have a big problem. I have a 1.6 gig processor, and I'm constantly overloaded. The problem comes when C:windows/system32/svchost.exe gets pinged by a number of different IP addresses, and I get a pop up (ping) from different IP addresses that try to get me to pay 19.99 to www.windows-patch.info. I need a solution bad. Can anybody help?

Posted by: chris at March 16, 2004 3:31 PM

Step one: turn off the windows messaging *service*. There's a paragraph with the quick steps on how to do that about 2/3rds down this article: http://ask-leo.com/archives/000017.html - then, get yourself a good spyware scanning program (recommendations here: http://pugetsoundsoftware.com/recommend.html ).

Good luck!

Leo

Posted by: Leo at March 16, 2004 3:52 PM

I had one of the Welchia worms and it said my svchost.exe was infected. Norton tried to get rid of it but it was unable to get into the file. To fix this I restarted in safe mode and ended the process trees of all the svchosts running on my computer. After that I looked up where they were located and deleted them. While this was happening my computer was shutting down because of the msblast. When I restarted, not a lot works, including Microsoft explorer. I'm not sure how to restore the correct svchost. I hope you can help.

Posted by: Zeak Harbors at March 17, 2004 11:31 AM