Many malicious applications could hide under svchost.exe name. And finding them could be very tricky even for advanced user.
Here is a simple trick which may help you uncover all of them. To get this trick working you need to launch Registry Editor application first. To run it perform following steps:
- XP: Click Start->Run… In a Run window type regedit.exe into edit box and click Run button.
- Vista: Click Start. In “Start Search” box type “regedit” and press Enter.
After that in main menu select Edit->Find…, type “svchost.exe -k” in edit box and press Enter. This command will make Registry Editor to return you files which run under svchost.exe name one by one.
To iterate to next one you need to press F3. Even though you’re able to see all services which run under svchost.exe name it still could be tricky to find out which is malware and which is not. There are dozens of svchost.exe services on each computer. To make your task easier I prepared a list of standard windows services and file names associated with them. Services are guaranteed not to be malware (unless some very smart malware masks itself under one of their names – which happens – but quite rarely).
You can find this list on a svchost.exe standard services page.