  1. #1
    2 Star Lounger
    Join Date
    Dec 2000
    Posts
    140
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Check / Replace SVCHOST (XP Home SP2)

    I asked this question in http://www.experts-exchange.com/Operating_...Q_21427676.html , but had no takers yet:

    Which should be the date, the size and the hash code of a legitimate SVCHOST file (Windows XP Home 5.1.2600 Service Pack 2 Build 2600, German if this matters)?

    Alternatively: Where can I download a fresh one ? Did not find a single source, less a reliable one, and I thought I am quite good at internet searching....

    According to http://windowsxp.mvps.org/svchost.htm the MD5 of a legit Svchost.exe from XP (Professional ?) SP2 system (probably english) is 8f078ae4ed187aaabc0a305146de6716 determined using the File Checksum Integrity Verifier version 2.05.

    What I have is C:\WINDOWS\system32\svchost.exe 14,336 .a.. 2004-08-04 1:58:16

    The same version of the a.m. tool results in something different; the hash >length< is only 24 instead of the a.m. 32 characters.

    <?xml version="1.0" encoding="utf-8" ?>
    <FCIV>
    <FILE_ENTRY>
    <name>c:\windows\system32\svchost.exe</name>
    <MD5>ZagZsSHrb9q0QA6kK9/+ZA==</MD5>
    <SHA1>Df3uKHFCfpxA7IJUEVaIT/m0v6M=</SHA1>
    </FILE_ENTRY>
    </FCIV>

    If I expand C:\WINDOWS\I386\SVCHOST.EX_
    I get a smaller and older file C:\Test\svchost.exe 12,800 .a.. 2001-08-18 4:55:04

    Reason for checking is I suspect having stowaway(s) on board masquerading as legitimate system files:
    - Delay of 1-2 minutes between login and desktop appearance
    - ZoneAlarm showed regularly pulsing outgoing traffic, without me refreshing or downloading
    - All kinds of services loaded by svchost, they are difficult to identify despite tasklist, procexp and similar tools
    - Switched to Sygate Personal, but this Firewall shows more than I can understand yet

    Made the usual tests
    - SFC /scannow
    - Several and updated Anti Virus programs
    - Ad-Aware, SpyBot Search & Destroy, HijackThis
    - Online checkers as www.grc.com

    Many thanks in advance
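
Added example, not part of the original post: FCIV's XML database stores each digest base64-encoded, so a 16-byte MD5 is 24 characters there and 32 characters as hex. The Python sketch below decodes the posted entry to hex and compares it with the hex reference quoted in the post; the function names are illustrative, not part of FCIV.

```python
import base64
import hashlib
import string
import xml.etree.ElementTree as ET

DIGEST_BYTES = {"MD5": 16, "SHA1": 20}
# Reference MD5 quoted in the post (hex, from a different, probably English system).
REFERENCE_MD5 = "8f078ae4ed187aaabc0a305146de6716"
# FCIV XML entry as posted, with backslashes restored and viewer "-" markers dropped.
FCIV_XML = r"""<?xml version="1.0" encoding="utf-8" ?>
<FCIV><FILE_ENTRY>
<name>c:\windows\system32\svchost.exe</name>
<MD5>ZagZsSHrb9q0QA6kK9/+ZA==</MD5>
<SHA1>Df3uKHFCfpxA7IJUEVaIT/m0v6M=</SHA1>
</FILE_ENTRY></FCIV>"""

def to_hex(digest, algo):
    """Normalize a digest given as hex or base64 to lowercase hex."""
    digest, size = digest.strip(), DIGEST_BYTES[algo]
    is_hex = len(digest) == 2 * size and set(digest) <= set(string.hexdigits)
    raw = bytes.fromhex(digest) if is_hex else base64.b64decode(digest, validate=True)
    if len(raw) != size:
        raise ValueError(f"{algo}: expected {size} bytes, got {len(raw)}")
    return raw.hex()

def parse_fciv(xml_text):
    """Return {file name: {algo: hex digest}} from an FCIV XML database."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return {
        entry.findtext("name").strip().lower(): {
            algo: to_hex(entry.findtext(algo), algo)
            for algo in DIGEST_BYTES if entry.find(algo) is not None
        }
        for entry in root.iter("FILE_ENTRY")
    }

def file_digests(path):
    """Hash a file on disk; the result is comparable with parse_fciv() output."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"MD5": hashlib.md5(data).hexdigest(), "SHA1": hashlib.sha1(data).hexdigest()}

def matches_reference(xml_text, name, reference, algo="MD5"):
    """Compare a stored digest with a reference given in either encoding."""
    return parse_fciv(xml_text)[name.lower()][algo] == to_hex(reference, algo)

if __name__ == "__main__":
    target = r"c:\windows\system32\svchost.exe"
    print(parse_fciv(FCIV_XML)[target])
    print("matches reference:", matches_reference(FCIV_XML, target, REFERENCE_MD5))
```

Once both values are in the same encoding, any remaining difference is a real difference in file content; the reference here was taken from a different system than the one in question.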

  2. #2
    Administrator
    Join Date
    Mar 2001
    Location
    St Louis, Missouri, USA
    Posts
    23,592
    Thanks
    5
    Thanked 1,059 Times in 928 Posts

    Re: Check / Replace SVCHOST (XP Home SP2)

    That's the same time, date and size of svchost on my system. Did this just start happening? Have you installed any new software? Have you checked the event logs for any errors or warnings during startup? What happens if you boot into safe mode? Have you checked this: Resources for troubleshooting startup problems in Windows XP?


    Joe

  3. #3
    Uranium Lounger viking33's Avatar
    Join Date
    Jun 2002
    Location
    Cape Cod, Massachusetts, USA
    Posts
    6,308
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: Check / Replace SVCHOST (XP Home SP2)

    Why not go into Zone Alarm and run down the list of programs using svchost.
    First, to see if the details give you any indication of what is using that svchost.
    Second, block those same entries and see what starts to complain with svchost blocked?
    BOB


    Long ago, there was a time when men cursed and beat on the ground with sticks. It was called witchcraft.
    Today it is called golf!

  4. #4
    2 Star Lounger
    Join Date
    Dec 2000
    Posts
    140
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Check / Replace SVCHOST (XP Home SP2)

    joeperez, thank you for tackling this one. What is the hash value of your svchost? Dates can be stamped and sizes fine-tuned to a certain extent. As for installing software: Yes, always tinkering a bit. Will look into the event logs, but IMO they are not easy to read. I had discarded booting into safe mode, but rethinking it would help to exclude other contamination.

  5. #5
    2 Star Lounger
    Join Date
    Dec 2000
    Posts
    140
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Check / Replace SVCHOST (XP Home SP2)

    Viking, thank you too. I switched to Sygate. I cannot remember the freeware version of ZoneAlarm Free giving away much information or offering many setup options. When asking for permission it shows only "svchost", but not the invoking service. Which is as blatant a security flaw as the svchost concept to start with. If I block svchost as a whole, I cannot access the internet anymore (I guess it is the missing DHCP service).

    svchost.exe, PID
    668 DcomLaunch, TermService
    744 RpcSs
    780 AudioSrv, CryptSvc, Dhcp, EventSystem, Iprip, lanmanworkstation, Netman, RasMan,
    SENS, SharedAccess, ShellHWDetection, TapiSrv, Themes, winmgmt, wuauserv
    904 Dnscache

  6. #6
    Uranium Lounger viking33's Avatar
    Join Date
    Jun 2002
    Location
    Cape Cod, Massachusetts, USA
    Posts
    6,308
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: Check / Replace SVCHOST (XP Home SP2)

    ZA will give you more information if you open up the ZA control center > program control and highlight the particular entry. On the bottom of the screen it will give you the entry details.
    BOB
