Upon doing some research, I have found that svchost.exe is essential to have, but at the same time very commonly a trojan/virus. How do I distinguish which is which? On firewall, I find multiple connections, and I’m not sure which connections to terminate (or should I terminate them at all). All I found is a listen port, I have not found what IP it is coming from, and if it is mine.

By the way, here is my “research”:

Help! I do not know if my computer is being invaded!

Edit: Now I’m really worried. I have total running 15 processes of svchost.exe


Firstly, Multiple connections and multiple runnings of svchost.exe is quite normal.

There are a number of ways to tell if svchost.exe is a virus. The easiest way is by checking which directory it’s located in.

In the Connections Window if you Right Click, there’s an option to show “full path”.

svchost.exe should be in your Windows/System32 directory.

You can also upload the file an have it analyzed by both of the following sites.

Further information as to why there are multiple svchost.exe connections/processes can be found here:

Microsoft detail information here:

15 svchosts is not normal. Too many… as Eric said, Scan them with virus total and cima.

On what grounds do you base this? Currently I have 12 svchost entries with “Show processes of all users” being enabled in Task Manager.

Don’t spread any panic. Eric gave Megamouth enough information to see for himself whether his system is compromised or not.

Another way to find out if svchost is kosher or not is to run Process Explorer instead of Task Manager. Set it to verify image signatures under Options. Svchost is digitally signed; this way it can be recognised to whether it is safe or not.

Ok thanks guys, when I went to task manager, processes, show file location, all 15 processes lead to the same file. When I scanned it, it was the valid one.

However, one more question. I keep on getting intrusion attempts on my firewall from other svchosts.exe, and none are from my IP Address. I blocked them of course, however there are a few incoming connections that I “accidentally” allowed. How do I know if they are trojans, because I can not see the host IP?

And more and more intrusions are coming…

Update: Now the number is reaching 200.

The destination port is consistently 54738. Are you using a p2p or other program that has an open port to the world on your router?

Now that you mention it, yes I do. uTorrent uses that port, and it is open on my firewall router to ensure better d/l speeds. One of the later “intrusions” was, which a found through WHOIS Search, Domain Name, Website, and IP Tools - that belongs to Microsoft. Is there any way to unblock a file from a specific IP?

I base this on a stock windows xp install there is only (7 or 8 going my memory svchosts on my system) I assumed that this would cross the board on all xp users… I have 5 svchosts running now because I’ve disabled any service I don’t use.

Btw, With utorrent traffic the logs should show “Windows operating system” being blocked.

This is funny, the second I open uTorrent for one second, about 20 intrusions come in.

Now Qwest Communications Corporation is trying to intrude, at like 30 per 5 min.

Before I got the firewall, I never knew that so many companies/files were trying to get into my system…

And by the way, instead of 54738, the port is now 50575?

Why would they be trying to intrude? (Their IP is

800 intrusions and growing from that company…

@Kyle. I am on Win 7 beta with no services disabled. I guess there may be a difference between Vista/Win7 on the one hand and XP on the other hand.

As Kyle states it is odd that the incoming traffic hits svchost and not System. Can you show us your Global Rules? Can you also show us your logs again but now with the path of the receiving Application fully visible?

Not getting a great deal googling the Qwest spam or Inbound attacks but full info of IP below…

IP Address:

Location Information

City: Salt Lake City
Region: Utah
Country: United States
Lat/Long: 40.7242 -111.8787

ISP Registry Information

Organization: Qwest Communications Corporation
NetHandle: NET-97-112-0-0-1
NetName: QWEST-INET-125
NetRange: -
Designation: ARIN
Country: United States
IP Range: -
Allocated: 2007-12-19

BGP Routing Information

Origin: AS209
Organization: Qwest

As you requested…

Actually, now its not Qwest anymore. It’s:

OrgName: RIPE Network Coordination Centre
Address: P.O. Box 10096
City: Amsterdam
PostalCode: 1001EB
Country: NL

ReferralServer: whois://

NetRange: -
NetName: 78-RIPE
NetHandle: NET-78-0-0-0-1
NetType: Allocated to RIPE NCC
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at Webupdates — RIPE Network Coordination Centre
RegDate: 2006-08-29
Updated: 2006-09-07

Kinda funny because whenever I restart my computer, a new consecutive set of intrusions come from a varied company. Same target, It’s been over 60 intrusions and my computer has been on for scarcely 15 min.

Just a thought, do you have Windows Media Player Multicasting enabled?? What about uPnP? & SSDP Network Discovery?

It tends to be multicasting that sometimes causes these alerts.


Windows Media Player Multicasting? SSDP Network Discovery? uPnP? I know what they are, but how do you check if they are enabled?

Even though I am behind a router, I still get alerts of an incoming connection to svchost every few hours. I have created a “block” rule for it now.

Edit:: this is weird. The connections were/are coming from my router (!!


Windows Media Player Multicasting? SSDP Network Discovery? uPnP? I know what they are, but how do you check if they are enabled?

according to microsoft

All key features in Windows Media Player are enabled by default. However, each can be disabled through Tools\Options in Windows Media Player, through the use of Group Policy,
This is for WMP 9, that I was reading (this should apply for vesions 9-11) :) If you like to read on controlling some of these features you can read it here

I’ve read that multicasting is NOT enabled by default, you must manually enable it

SSDP Network Discovery?
read here
Go to "run" type in: services.msc (vista has it set to manual by default)
in services.msc (vista has it set to manual by default except for vista ultimate, for ultimate it's set to automatic

This will probably only partially answer your question

Nope! None are, I just sent instead of “block” I put it to “ask”. I’ll tell you if the problem comes up again.

Leave it on block for now. I had something simular a few months back and I’m trying to remember the solution.