ddnsclient SvchoST.ExE

[EddieM]

Just solved an awkward little problem on the wifes laptop. Symptoms were that when you typed in a web address eg www.google.co.uk, it would redirect you to ebay or somewhere else. Sometimes to less savoury sites. Usual Spyware / Virus checkers (Spybot / Malwarebytes) and AVG didn't throw anything much up just the usual adware etc, but also didn't fix the problem.

So, hunting around, I noticed this rather odd entry in the services list

ddnsclient.

The start stop buttons were disabled, and the services description was blank.

So, obviously thinking a dynamic domain name service client looked a little suspicious to say the least, I disabled the service, and restarted. Hey presto, everythings now fine.

Therefore if you start getting redirected to odd pages in your browser, look for this pesky little fella, as I said does not seem to show up in the usual way.

Ta, Ed.

 

[Goldberg]

"SvchoST.ExE"?

 

[EddieM]

"SvchoST.ExE"?

indeed.

 

[Goldberg]

indeed.

OK, but it was "indeed" completely absent from your post.

OOI, where did you see it?

 

[EddieM]

oh sorry, yeah, this was the properties description of the service executable.

 

[Goldberg]

In that case you might have a rogue edition of svchost.exe somewhere in the system.

You'd be well advised to seek out and remove whatever files were running as this rogue service, and also the relevant services entry in the Windows Registry.

 

[EddieM]

No, the svchost.exe is fine it's the ddnsclient that's the culprit.

 

[Goldberg]

.

 

[empip]

Has been known to bet - on share movement ! - Bucks fizz will not be concerned about the old lappy...

 

[Goldberg]

No, the svchost.exe is fine it's the ddnsclient that's the culprit.

Your solution didn't make any mention of scanning the drive for any rogue occurences of svchost.exe, and you didn't say that you'd removed ddnsclient or the service.

Since there could be more than one copy of svchost.exe, and since they might not all be genuine, I don't share your confidence.

Do you put bets on horses?

 

[EddieM]

No, the svchost.exe is fine it's the ddnsclient that's the culprit.

Your solution didn't make any mention of scanning the drive for any rogue occerences of svchost.exe, and you didn't say that you'd removed ddnsclient or the service.

Since there could be more than copy of svchost.exe, and since they might not all be genuine, I don't share your confidence.

Do you put bets on horses?

There is only one copy of svchost.exe, the service was not removed as the service is svchost.exe just taking ddnsclient as a parameter. Most anti virus software detects rouge svchost software as this is or has been an oft used form of attack. I am pretty confident all is now well.

pip - you know me too well

 

[Goldberg]

the service was not removed as the service is svchost.exe just taking ddnsclient as a parameter.

But you disabled that service, so what's the reason for disabling it and not removing it?

Most anti virus software detects rouge svchost software as this is or has been an oft used form of attack.

What has anti-virus software got to do with anything?

 

[EddieM]

you cannot remove svchost service per se, as it is fundamental to the operation of the PC, you can remove or disable the service table entry for the offending usage of svchost.exe.

Antivirus software is designed to pick up false svchost.exe files that mimick the real and essential svchost.exe.

 

[Goldberg]

you cannot remove svchost service per se, as it is fundamental to the operation of the PC, you can remove or disable the service table entry for the offending usage of svchost.exe.

"service table entry"?

Where are you getting your terminlogy from? It certainly isn't from the people who wrote the software, i.e. Microsoft. I think you're making it up as you go along.

You disabled the service. You wrote "I disabled the service". Having disabled the service, there's nothing to stop you removing it. Making out that's an essential system service is just nonsense.

Antivirus software is designed to pick up false svchost.exe files that mimick the real and essential svchost.exe.

I repeat: What has anti-virus software got to do with anything? I didn't mention it, so why did you mention it?

 

[EddieM]

The service as defined by the ServiceMain function of the Win32 executable it is derived from is svchost.exe. This is an essential program for the operation of most windows systems it is used for the Server service the Workstation service and a few others, you will see in task manager that there are multiple instances of svchost.exe. The svchost.exe acts as a stub that provides network services to other "applications" these are denoted by parameters that are passed to the svchost service.

When writing a new service and instantiating a new service, it is added to the service table which is managed by the SCM (service control manager). Well at least that was my understaning when I was writing C++ MS services using Visual Studio over the 4/5 years that I did it, it might well all of changed by now of course.