The filename "svchost.exe" is also widely used for Trojans. See Paul Collins' ("Pacman"'s) home Web site (http://www.pacs-portal.co.uk/startup_content.php) on start-up programs, and search for "svchost". You'll find his assertion that all valid "Generic Host Process" (svchost.exe) files are found in %SystemRoot%\(WINDOWS or Winnt)\system32, along with scads of examples of Trojan-installed violations of this rule.
- This database is NOT of malware, but such are often listed since they often stealthily imitate start-up programs. Paul's database of start-up programs can be found at http://www.sysinfo.org/startupinfo.html, both as the online database and as programs which can be downloaded with the latest database contents.
- This database and Paul's background explanation at the home site are SHAREWARE and represent, in my estimation, a lot of research work. Please donate to his efforts to keep the information current.
I'll soon post a request for help in eliminating a Trojan problem which created an svchost.exe in %SystemRoot%\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation. This bogus svchost causes ZASS to ask for my decision on server access for incoming messages from IP addresses 220.127.116.11 (as DNS) and 18.104.22.168, both on the north coast of northwest Australia (as located by ZoneAlarm's "more info" line).
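
Added example (not part of the original post and not code from Paul Collins' site): a PowerShell check that applies the location rule quoted above to process records and flags any svchost.exe whose image lives outside the system directory. The function name `Test-SvchostPath`, the sample records and the acceptance of `SysWOW64` alongside `system32` are assumptions made for this illustration.

```powershell
# Added example: classify svchost.exe processes by where their image file lives.
# Test-SvchostPath is a hypothetical helper name, not an existing cmdlet.
function Test-SvchostPath {
    param(
        [Parameter(ValueFromPipeline)] $Process,
        [string] $SystemRoot = $env:SystemRoot
    )
    begin {
        # Rule from the post: genuine copies are in %SystemRoot%\system32.
        # Assumption added here: SysWOW64 holds the 32-bit copy on 64-bit Windows.
        $allowed = @('System32', 'SysWOW64') | ForEach-Object {
            ("$SystemRoot\$_").TrimEnd('\').ToLowerInvariant()
        }
    }
    process {
        if ($Process.Name -ine 'svchost.exe') { return }
        $path = $Process.ExecutablePath
        $verdict = if ([string]::IsNullOrEmpty($path)) {
            # Protected processes hide their path from non-elevated callers.
            'unknown (path not readable, re-run elevated)'
        } elseif ($allowed -contains (Split-Path $path -Parent).TrimEnd('\').ToLowerInvariant()) {
            'expected location'
        } else {
            'SUSPICIOUS location'
        }
        [pscustomobject]@{ ProcessId = $Process.ProcessId; Path = $path; Verdict = $verdict }
    }
}

# Constructed sample records shaped like Win32_Process objects (not real data).
$sample = @(
    [pscustomobject]@{ Name = 'svchost.exe'; ProcessId = 812
        ExecutablePath = 'C:\WINDOWS\system32\svchost.exe' }
    [pscustomobject]@{ Name = 'svchost.exe'; ProcessId = 3044
        ExecutablePath = 'C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\svchost.exe' }
    [pscustomobject]@{ Name = 'svchost.exe'; ProcessId = 1500; ExecutablePath = $null }
)
$sample | Test-SvchostPath -SystemRoot 'C:\WINDOWS' | Format-Table -AutoSize

# On a live system, feed real process records instead of the sample:
# Get-CimInstance Win32_Process -Filter "Name='svchost.exe'" | Test-SvchostPath
```

A copy that passes the location test can still be a replaced file, so follow up on anything suspicious with `Get-AuthenticodeSignature` on the reported path.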