Could I be hacked?

Discussion in 'other software & services' started by GuardianofNight, Jun 8, 2005.

Thread Status:
Not open for further replies.
  1. GuardianofNight

    GuardianofNight Registered Member

    Joined:
    Mar 13, 2005
    Posts:
    76
    Hi everyone... I am hoping I am posting in the right part of the Forums but I noticed that my computer is running a little bit slow and there are 5 svchost.exe's in Processes. The only things I have running when I noticed it were an online game called The Sims Online, Spy Sweeper, NOD32 and Yahoo! Messenger.

    Is this normal or am I being hacked possibly?

    Thanks,

    Robert
     
  2. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359
    A computer slowdown could be from any number of things; I would first try a reboot and see if that brings things back to normal. Multiple instances of svchost are normal, as long as their path is the system32 folder. I only have three running but that is because I have quite a few services disabled. I would recommend downloading Process Explorer (http://www.sysinternals.com/Utilities/ProcessExplorer.html); you can then right click on all your instances of svchost and check the services tab to see which ones it is hosting. You should notice that a few of them are only hosting one service, such as remote procedure call, whereas others may be hosting quite a few. If you have any questions about the services they are hosting, let me know, but I highly doubt you are hacked.
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,728
    Location:
    Texas
    I have five instances running. Download Process Explorer freeware and see what all those processes are doing.
     
  4. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    I have four
     

    Attached Files:

  5. GuardianofNight

    GuardianofNight Registered Member

    Joined:
    Mar 13, 2005
    Posts:
    76
    Hi everyone, thank you for your replies!!! I am really worried about this so I even deleted my character in the game. Because I restarted and the "slowness" still was there and so were the 5 svchost.exe's. I guess I should have waited to do that but anyway! The information from that program shows:

    5 of them show the description to be "Generic Host Process for Win32 Host Services". There is another one shown in the list so that makes 6 and it has the same description.

    Please look at the screenshot for more information if it's needed.

    Thanks everyone...

    Robert
     

    Attached Files:

  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,728
    Location:
    Texas
    Right click or double click those entries for more info, including google.
     
  7. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359
    Yes you can right click one, go to properties then go to the image tab to verify that they are in your system32 folder, under path it should say C:\WINDOWS\System32\svchost.exe. Also like I said click on the services tab to see which ones they are hosting, post a pic of the services if you want, I can let you know if they are normal or not.
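
The two checks described in this post (image path under System32, and which services each instance hosts), as an added PowerShell example that is not part of the original thread. It assumes PowerShell 3.0 or later with the CIM cmdlets and an elevated prompt; the verdict strings are illustrative choices made for this example.

```powershell
# Added example, not from the thread: audit every svchost.exe instance.
# Assumes PowerShell 3.0+ (CIM cmdlets). Run elevated, otherwise
# ExecutablePath may be empty for processes owned by other accounts.

$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Map host PID -> running services (string keys for reliable lookup).
$byPid = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

$report = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'" |
    ForEach-Object {
        $hosted = $byPid[[string]$_.ProcessId]
        $names  = if ($hosted) {
            ($hosted | ForEach-Object { $_.DisplayName }) -join '; '
        } else { '' }

        # -ne on strings is case-insensitive, so C:\WINDOWS\System32 and
        # C:\Windows\system32 compare as equal.
        $verdict = if (-not $_.ExecutablePath) {
            'path unreadable (run elevated)'
        } elseif ($_.ExecutablePath -ne $expected) {
            'SUSPICIOUS: unexpected image path'
        } elseif (-not $hosted) {
            'REVIEW: hosts no service'
        } else {
            'ok'
        }

        [pscustomobject]@{
            ProcessId = $_.ProcessId
            Path      = $_.ExecutablePath
            Verdict   = $verdict
            Services  = $names
        }
    }

$report | Sort-Object Verdict, ProcessId | Format-Table -AutoSize -Wrap
```

Any instance whose path is not the System32 one is the case worth opening in Process Explorer for the closer look the thread describes.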
     
  8. GuardianofNight

    GuardianofNight Registered Member

    Joined:
    Mar 13, 2005
    Posts:
    76
    Alright I did...

    services.exe says NT AUTHORITY/System
    Svchost.exe says NT AUTHORITY/System
    Svchost.exe says NT AUTHORITY\NETWORK SERVICE
    Svchost.exe says NT AUTHORITY/System
    Svchost.exe says NT AUTHORITY\NETWORK SERVICE
    Svchost.exe says NT AUTHORITY\LOCAL SERVICE
    spoolsv.exe says NT AUTHORITY\SYSTEM - I believe that could be my printer?
    Svchost.exe says NT AUTHORITY\SYSTEM

    I went in the order as shown on the picture I attached.

    There is also wdfmgr.exe and its description is Windows User Mode Driver Manager... alg.exe and its description is Application layer gateway service and lsass.exe and its description is LSA Shell (Export Version).

    Hope this helps, if not, I'd be happy to provide more info or whatever you guys may need.

    Thanks so much everyone!!!!

    Robert
     
  9. GuardianofNight

    GuardianofNight Registered Member

    Joined:
    Mar 13, 2005
    Posts:
    76
    I should note that I did Google it and it said:

    services.exe is a part of the Microsoft Windows Operating System and manages the operation of starting and stopping services. This process also deals with the automatic starting of services during the computer's boot-up and the stopping of services during shut-down. This program is important for the stable and secure running of your computer and should not be terminated. Note: services.exe is also a process which is registered as the W32.Randex.R (stored in %systemroot%\system32\ directory) and Sober.P (stored in %systemroot%\Connection Wizard\Status\ directory) Trojan. This Trojan allows attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately.

    Source: http://www.liutilities.com/products/wintaskspro/processlibrary/services/

    Also, when I open IE, the CPU usage goes to 75% or sometimes higher. This is shown by the program. To note, I do have the Yahoo! Toolbar...
     
  10. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359
    Hi, I think you went to the security tab, not the services tab. Under the services tab it should list the service and display name... BTW wdfmgr.exe and lsass are normal and so is Alg; Alg is part of Windows' built-in firewall.
     
  11. GuardianofNight

    GuardianofNight Registered Member

    Joined:
    Mar 13, 2005
    Posts:
    76
    Hi Again Matt,

    Ok... Yeah, I probably did. Sorry.... anyway, just to note the CPU usage is 100% and that's just with the game running, 2 IE windows, the program, Yahoo! Messenger, Spy Sweeper and NOD32 and Windows Firewall... I guess that is a lot? But anyway.. here is the info for everything:

    Starting from the top of the pic:

    services.exe: EventLog and PlugPlay.
    svchost.exe: DCOM Server Process Launcher and TermService
    svchost.exe: Remote Procedure Call (RPC)
    svchost.exe: This one has way too many to take the time and type. I will add it as a picture and name it "svchost 3".
    svchost.exe: DNS Client
    svchost.exe: TCP/IP NetBIOS Helper
    SSDPSRV SSDP Discovery Service
    WebClient WebClient
    spoolsv.exe: Print Spooler
    And the other things just say what they are like NOD32 says NOD32 Kernel Service.

    Hope this helps...
     

    Attached Files:

  12. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359
    All those you listed are normal legit Windows services; I do not see anything suspect in there which means that all your instances of svchost are normal. In case you are wondering what I am talking about by these services you can view them by typing services.msc in the run box. I am going out for a while but I am sure if you have any other questions another member will help you out. But at least you know that there is nothing malicious being hosted by svchost. Next thing that I would do is check out the rest of your running processes, via Process Explorer or the task manager and look for anything suspect; this site will help greatly in telling you what is legit and what is not: http://www.answersthatwork.com/Tasklist_pages/tasklist.htm My guess is still that you are having some software conflict, not hacked. Try shutting down some apps like SpySweeper and see if one of them is causing the problem.
     
  13. GuardianofNight

    GuardianofNight Registered Member

    Joined:
    Mar 13, 2005
    Posts:
    76
    OK great! Thank you so much for helping me everyone!

    Take care all,

    Robert :D
     
  14. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    GuardianofNight,

    Check this Minimizing Windows network services article - following the steps it recommends will lower the number of copies of svchost running on your system.

    Use Process Explorer's System Performance window to keep an eye on your CPU utilisation - if it is high all the time then move your mouse pointer over the graph and a popup should appear showing which process was using the most CPU at the time. This, in conjunction with the "CPU Time" column (click on its heading to sort processes in order of CPU usage) should show you which programs are slowing your system down the most (note that Process Explorer itself can have quite an effect on your system due to the monitoring it does on every process, so don't be surprised if things seem a little slower with it running).

    Once you have identified the programs, check their configuration to see if there are any functions you can disable. Alternatively use FileMon to see what files they are accessing (this in turn can give a good idea of what the process is up to).

    I would suspect that the likely culprits would be NOD32 and SpySweeper - some of SpySweeper's options can slow your system down and you should find that using a non-IE browser with a web-filter (to remove Java, Javascript, ActiveX from non-trusted sites) prevents any spyware from getting on your system in the first place. Many firewalls offer such filtering (Outpost, Kerio, ZoneAlarm) but standalone filters like Proxomitron (free, more powerful but harder to use) or WebWasher Classic (more user-friendly, donationware) can be used also.

    In the case of NOD32, you may need to exclude certain frequently-modified files from being scanned by AMON. Examples include logfiles generated by your firewall and other security applications - these cannot harbour a virus but may trigger repeated (and unnecessary) background scans.
     
  15. GuardianofNight

    GuardianofNight Registered Member

    Joined:
    Mar 13, 2005
    Posts:
    76
    Dear Paranoid2000,

    Thank you sir for taking the time for all that information. Right now, I am going to go to bed but I will do everything you mentioned in the morning or when I wake up.

    I appreciate you taking the time to help me sir,

    Robert :)
     
  16. GuardianofNight

    GuardianofNight Registered Member

    Joined:
    Mar 13, 2005
    Posts:
    76
    Paranoid2000,

    I did what you said with Process Explorer and it showed that the game was taking up a lot of CPU.

    And I did notice a lot that the program (Process Explorer) was taking up a lot too... maybe that is why because I've never ever experienced slowdowns on my computer except when I had that program running. It could have been it too I guess but anyway, thanks very much for your help.

    Everyone, the same to you.. Thank you! :D

    Robert
     
  17. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Games will normally take up all CPU that's available. However CPU usage can be affected by security applications like anti-virus/trojan/spyware scanners - if a program frequently updates a file, it can trigger multiple checks from such scanners, causing slowdowns elsewhere.

    As such, it may be worth experimenting by disabling SpySweeper (if you close your browser and only run the Sims Online, there should be little danger of spyware) and also temporarily disabling NOD32's AMON background scanner. If these make a noticeable difference, then you know that it is these programs' configuration that needs amending as discussed above.
     
  18. GuardianofNight

    GuardianofNight Registered Member

    Joined:
    Mar 13, 2005
    Posts:
    76
    Hi Paranoid2000,

    I will try that... see if it helps.

    Thanks and I'll let you know asap...

    Robert
     