Aces High Bulletin Board

Help and Support Forums => Technical Support => Topic started by: Yossarian on October 14, 2008, 12:17:04 PM

Title: svchost and rundll32
Post by: Yossarian on October 14, 2008, 12:17:04 PM
That type of CPU usage is usually spyware/malware/virus activity, but can also be caused by network related activity.

Typically, spyware/malware/viruses do not show up in the task manager.  They hide behind the rundll32 process or, possibly, the svchost process.

I saw this in another thread (ink's one about screen pauses), and I don't want to hijack his topic  :)

I'm wondering how you can tell if processes listed as rundll32 or svchost are actually spyware/malware/viruses.  On my AH computer, I've noticed in the past several svchosts running at the same time, but I can't remember about rundll32.

Thanks,

Yossarian
Title: Re: svchost and rundll32
Post by: Denholm on October 14, 2008, 06:21:39 PM
I'm sure there are other ways, yet the best method is to get Spybot Search & Destroy. If any of them are spyware or malware, Spybot will get rid of them.
Title: Re: svchost and rundll32
Post by: Auger on October 14, 2008, 08:27:08 PM
Finding the launcher is the best way to tell if something running as rundll32.exe is evil.  Usually you can find it in the registry fairly quickly if it is not evil.  In the registry editor, go to HKLM\Software\Microsoft\Windows\CurrentVersion\Run.  See how many rundll32 command lines are there.  Nvidia's tray applet is usually one, but there may be others.  If you don't recognize something, look into it. 

Be careful deleting items from the Run key.  While it usually won't cause total system breakage, it can cause some programs to stop working properly.

Something running as svchost.exe can usually be found under Control Panel\Administrative Tools\Services.  If a started item has no description and runs as svchost when you look at its Properties, it is probably evil. (Except for Shell Hardware Notification in XP SP3. Its description got nuked somewhere along the way.)  The good thing about items in Services is that you can stop them and see what happens.  If nothing breaks, you can set it to Disabled.
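The two checks in the post above, walking the Run key for rundll32 launchers and matching svchost-hosted services to what actually implements them, can be scripted. The following is an added example written for this page, not code from the thread or from any of the tools mentioned in it. It assumes a modern Windows with PowerShell 3 or later (Get-CimInstance and Get-AuthenticodeSignature, which XP-era PowerShell lacks) and an elevated prompt. It only reports; it never deletes Run entries or stops services. The signature check is an extra hint on top of the post's "no description" test: on older Windows, catalog-signed system DLLs show as NotSigned, so treat a flagged row as something to look into, not as a verdict.

```powershell
# Added example (not from the thread): report rundll32 Run-key entries and
# svchost-hosted services, the two places Auger's post says to look.

function Get-RunDllLauncher {
    # Enumerate the per-machine, 32-bit-on-64 and per-user Run keys and
    # return every value whose command line invokes rundll32, with the DLL
    # it loads and whether that DLL exists and is Authenticode-signed.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            if ($cmd -notmatch '(?i)rundll32(\.exe)?') { continue }
            # The argument after rundll32 is "<dll>,<entrypoint> [args]"; the
            # DLL may be quoted, relative to System32, or use %variables%.
            $arg = ($cmd -replace '(?i)^.*?rundll32(\.exe)?["\s]*', '').Trim()
            $dll = ($arg -split ',')[0].Trim().Trim('"')
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            if (-not [System.IO.Path]::IsPathRooted($dll)) {
                $dll = Join-Path "$env:SystemRoot\System32" $dll
            }
            $exists = Test-Path -LiteralPath $dll
            $sig = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $dll).Status } else { 'FileMissing' }
            [pscustomobject]@{
                Key         = $key
                ValueName   = $name
                Dll         = $dll
                Signature   = $sig
                Suspicious  = (-not $exists) -or ($sig -ne 'Valid')
                CommandLine = $cmd
            }
        }
    }
}

function Get-SvchostService {
    # A service whose image is svchost.exe is really implemented by the
    # ServiceDll named under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters.
    # Flag it when it has no description (the post's test) or its DLL is
    # missing or not validly signed.
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match '(?i)svchost\.exe' } |
        ForEach-Object {
            $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters"
            $dll = $null
            if (Test-Path $params) {
                $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
            }
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
            $sig = if ($dll -and (Test-Path -LiteralPath $dll)) {
                (Get-AuthenticodeSignature -LiteralPath $dll).Status
            } else { 'NoDllOrMissing' }
            [pscustomobject]@{
                Name        = $_.Name
                State       = $_.State
                StartMode   = $_.StartMode
                Description = $_.Description
                ServiceDll  = $dll
                Signature   = $sig
                Suspicious  = [string]::IsNullOrWhiteSpace($_.Description) -or ($sig -ne 'Valid')
            }
        }
}

# Usage: show only the rows worth a second look.
Get-RunDllLauncher | Where-Object Suspicious | Format-Table -AutoSize
Get-SvchostService | Where-Object Suspicious | Format-Table Name, State, StartMode, Description, ServiceDll, Signature -AutoSize
```

Anything flagged should be checked against the vendor or Microsoft documentation before it is touched; the post's advice about stopping a service first and seeing what breaks still applies, and the Run-key warning above applies doubly, since this script does not know which entries a game or driver needs.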