Hi, please clarify this for me. Are the four instances of svchost.exe that appear in my list of processes supposed to be there? I noticed I had a bunch of spyware yesterday, and went crazy deleting things, among which was svcpack.exe from Windows/system32 (and slmss.exe from ProgramFiles/CommonFiles/Slmss). Was that a mistake, and if so, how can I fix it? My computer is running noticeably slower now, so I wonder where I screwed up. Also, my homepage gets set to sexpatriot.net after each reboot, so I obviously didn't get all the spyware I had off the machine(Adaware doesn't find anything anymore). Is the performance of my computer due to the fact that I still have spyware, that this svchost.exe is running, or that I deleted stuff like an idiot? Thanks Radu

Several instances of svchost.exe is normal. Here's the description from http://answersthatwork.com/ Svchost (1) Svchost.exe (Microsoft) Service Host – Generic Host Process for Win32 Services. Windows 2000/XP only. SVCHOST is a generic process which acts as a host for processes that run from DLLs rather than EXEs. At startup SVCHOST checks the Services portion of the Registry to construct a list of DLL-based services that it needs to load, and then loads them. There can be many instances of SVCHOST running, as there will be one instance of SVCHOST for every DLL-based service or grouping of services (the grouping of services is determined by the programmers who wrote the services in question). Under Windows XP Professional you can find out what DLL-based services SVCHOST is running by typing Tasklist /SVC at a Command Prompt (MS-DOS Prompt – this command is not available in Windows XP Home), while under Windows 2000 you need to use the TLIST –s command from a Command Prompt (MS-DOS Prompt). Recommendation : An integral part of the operating system, leave alone – multiple instances of SVCHOST is a normal occurrence. If you experience SVCHOST errors, the problem is most likely not with SVCHOST but with the DLLs it is hosting. Svchost (2) SVCHOST.exe (???) Many viruses masquerade themselves as SVCHOST to escape detection. Some have names that are similar, such as SCCHOST, while others actually drop a program file called SVCHOST in the Windows or Windows System directory. Recommendation : The first recommendation is a simple one : always have a good antivirus product which is regularly updated (automatically preferably) and always renew your updates subscription when it expires. To detect if you have a virus that calls itself SVCHOST, first see if it shows up in Starter – if it does, then it is almost certain you have a virus. Secondly, if you have Windows 95/98/ME rather than WinNT4/2000/XP, then it is almost certain you have a virus. Thirdly, go to "Control Panel \ Administrative Tools \ Services" and look for any of the following services – if you find any of them, then you probably have a virus : System Important Message service slmss.exe is detected by Norton AV as Downloader and you wee quite right to delete it. It sounds likely that your homepage has been hijacked. Please do a search on this forum for "hijack" and I'm sure you will come up with a cure. It also seems that you are NOT using any anti-virus or firewall or anti-hijacking software all of which is free to download. I recommend you update your AdAware and also download/install/update/run Spybot S&D. Good luck

Let's see if all the spyware is gone, Download 'Hijack This!'. Unzip, doubleclick HijackThis.exe, and hit "Scan". When the scan is finished, click "Save Log", and copy and paste it in a reply. HijackThis!

Below is my hijackthis log. For some reason, it only shows that I have 2 svchost.exe processes running, when in fact I have four. Here is what they are: svchost.exe 728 RpcSs svchost.exe 772 AudioSrv, Browser, CryptSvc, Dhcp, dmserver, ERSvc, EventSystem, FastUserSwitchingCompatibility, helpsvc, lanmanserver, lanmanworkstation, Messenger, Netman, Nla, RasAuto, RasMan, Schedule, seclogon, SENS, ShellHWDetection, srservice, TapiSrv, TermService, Themes, TrkWks, uploadmgr, W32Time, winmgmt, wuauserv, WZCSVC svchost.exe 836 Dnscache svchost.exe 848 LmHosts, RemoteRegistry, SSDPSRV, WebClient What about the svcpack.exe file that I deleted- was it a legitimate file from system32? Logfile of HijackThis v1.97.3 Scan saved at 2:07:33 PM, on 11/2/2003 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVG6\avgserv.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\Explorer.exe C:\Program Files\Winamp3\winampa.exe C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\Logitech\MouseWare\system\em_exec.exe C:\Program Files\Internet Explorer\IEXPLORE.exe C:\Downloads\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http:/// R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.royalsearch.net/search.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sexpatriot.net/search/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.royalsearch.net R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.royalsearch.net/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.royalsearch.net/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.royalsearch.net/search.html R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http:/// R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sexpatriot.net/search/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.royalsearch.net/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.royalsearch.net/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xwebsearch.biz/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:/// R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?session=E2029DF5-DBB6-4DAF-A8E1-6CC58C2DD4D7&version_id=18 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/search.php?qq=%s R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://wso.williams.edu/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://66.250.130.194/main/hp.php O1 - Hosts: 66.98.142.163 auto.search.msn.com O1 - Hosts: 66.98.142.163 search.msn.com O1 - Hosts: 66.98.142.163 msn.com O1 - Hosts: 66.98.142.163 www.msn.com O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\System32\DReplace.dll O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.exe O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /startup O4 - HKLM\..\Run: [Msoffice] C:\WINDOWS\Fonts\msoffice.hta O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM) O9 - Extra button: ICQ (HKLM) O9 - Extra 'Tools' menuitem: ICQ (HKLM) O9 - Extra button: FlashGet (HKLM) O9 - Extra 'Tools' menuitem: &FlashGet (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM) O9 - Extra button: Hot Video (HKLM) O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O17 - HKLM\System\CCS\Services\Tcpip\..\{F55676AB-F9D3-450C-8E75-09AEB148521B}: NameServer = 141.161.100.201 141.161.200.201

I think 2 to 4 instances is common. RpcSs--Remote Procedure Call Service--is required and is one SVCHOST A Bunch of services account for another SVCHOST (AudioSrv, CryptSvc, Dhcp, EventSystem, lanmanserver, lanmanworkstation, Netman, Nla, RasMan, SENS, ShellHWDetection, winmgmt....) If you have the DNS Client service running, I think that generates a third SVCHOST. Hope that helps

Also vist www.blackviper.com It tells you what services you can safely disable. You probably don't need all of "svchost.exe 848 LmHosts, RemoteRegistry, SSDPSRV, WebClient" running.

Svcpack.exe is a CoolWebSearch hijacker file... Run HT again and check the following items. Doublecheck so as to be sure not to miss one. Next, close all browser Windows, and have HT 'fix checked'. You Must restart your computer when you're done. R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http:/// R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.royalsearch.net/search.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sexpatriot.net/search/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.royalsearch.net R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.royalsearch.net/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.royalsearch.net/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.royalsearch.net/search.html R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http:/// R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sexpatriot.net/search/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.royalsearch.net/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.royalsearch.net/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xwebsearch.biz/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:/// R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?session=E2029DF5-DBB6-4DAF-A8E1-6CC58C2DD4D7&version_id=18 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/search.php?qq=%s R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://66.250.130.194/main/hp.php O1 - Hosts: 66.98.142.163 auto.search.msn.com O1 - Hosts: 66.98.142.163 search.msn.com O1 - Hosts: 66.98.142.163 msn.com O1 - Hosts: 66.98.142.163 www.msn.com O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\System32\DReplace.dll O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll O4 - HKLM\..\Run: [Msoffice] C:\WINDOWS\Fonts\msoffice.hta After restarting delete the following: C:\WINDOWS\Fonts\msoffice.hta