• Check / Replace SVCHOST (XP Home SP2)

    #419783

    I asked this question in http://www.experts-exchange.com/Operating_…Q_21427676.html , but had no takers yet:

    What should be the date, the size and the hash code of a legitimate SVCHOST file (Windows XP Home 5.1.2600 Service Pack 2 Build 2600, German if this matters)?

    Alternatively: Where can I download a fresh one? I did not find a single source, let alone a reliable one, and I thought I was quite good at internet searching…

    According to http://windowsxp.mvps.org/svchost.htm the MD5 of a legit Svchost.exe from an XP (Professional?) SP2 system (probably English) is 8f078ae4ed187aaabc0a305146de6716, determined using the File Checksum Integrity Verifier version 2.05.

    What I have is C:\WINDOWS\system32\svchost.exe 14,336 .a.. 2004-08-04 1:58:16

    The same version of the above-mentioned tool gives something different: the hash >length< is only 24 instead of the above-mentioned 32 characters.



    c:\windows\system32\svchost.exe
    ZagZsSHrb9q0QA6kK9/+ZA==
    Df3uKHFCfpxA7IJUEVaIT/m0v6M=

    If I expand C:\WINDOWS\I386\SVCHOST.EX_
    I get a smaller and older file C:\Test\svchost.exe 12,800 .a.. 2001-08-18 4:55:04

    Reason for checking is I suspect having stowaway(s) on board masquerading as legitimate system files:
    – Delay of 1-2 minutes between login and desktop appearance
    – ZoneAlarm showed regularly pulsing outgoing traffic, without me refreshing or downloading
    – All kinds of services loaded by svchost, they are difficult to identify despite tasklist, procexp and similar tools
    – Switched to Sygate Personal, but this firewall shows more than I can understand yet

    Made the usual tests
    – SFC /scannow
    – Several and updated Anti Virus programs
    – Ad-Aware, SpyBot Search & Destroy, HijackThis
    – Online checkers such as http://www.grc.com

    Many thanks in advance
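
The 24- and 28-character values in the question above have the shape of base64-encoded 16-byte (MD5) and 20-byte (SHA-1) digests, while the reference value is an MD5 digest written as 32 hex characters, so the two cannot be compared as strings. The Python below is an added example, not part of the original thread; the function names are hypothetical, and the digest strings are the ones posted above.

```python
import base64
import binascii

# Raw digest length in bytes -> hash algorithm with that output size.
DIGEST_SIZES = {16: "MD5", 20: "SHA-1", 32: "SHA-256"}

# Values copied from the post above.
POSTED_MD5_B64 = "ZagZsSHrb9q0QA6kK9/+ZA=="
POSTED_SHA1_B64 = "Df3uKHFCfpxA7IJUEVaIT/m0v6M="
REFERENCE_MD5_HEX = "8f078ae4ed187aaabc0a305146de6716"


def normalize_digest(text):
    """Return (algorithm, lowercase hex) for a digest written as hex or base64."""
    s = text.strip()
    raw = None
    try:
        # Hex is tried first: a 32-char hex string is also valid base64,
        # but would decode to 24 bytes, which is no digest size listed here.
        candidate = bytes.fromhex(s)
        if len(candidate) in DIGEST_SIZES:
            raw = candidate
    except ValueError:
        pass
    if raw is None:
        try:
            raw = base64.b64decode(s, validate=True)
        except (binascii.Error, ValueError):
            raise ValueError("not a hex or base64 digest: %r" % text)
    if len(raw) not in DIGEST_SIZES:
        raise ValueError("unexpected digest length: %d bytes" % len(raw))
    return DIGEST_SIZES[len(raw)], raw.hex()


def same_digest(a, b):
    """Compare two digests regardless of encoding; refuse mixed algorithms."""
    alg_a, hex_a = normalize_digest(a)
    alg_b, hex_b = normalize_digest(b)
    if alg_a != alg_b:
        raise ValueError("cannot compare %s with %s" % (alg_a, alg_b))
    return hex_a == hex_b


if __name__ == "__main__":
    for value in (POSTED_MD5_B64, POSTED_SHA1_B64, REFERENCE_MD5_HEX):
        print("%-34s -> %s %s" % ((value,) + normalize_digest(value)))
    print("posted MD5 equals reference:",
          same_digest(POSTED_MD5_B64, REFERENCE_MD5_HEX))
```

A False result only says the two digests differ; the reference hash comes from a system the poster describes as possibly a different edition and language.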

    • #948856

      That’s the same time, date and size of svchost on my system. Did this just start happening? Have you installed any new software? Have you checked the event logs for any errors or warnings during startup? What happens if you boot into safe mode? Have you checked this: Resources for troubleshooting startup problems in Windows XP?

      Joe

      • #949015

        joeperez, thank you for tackling this one. What is the hash value of your svchost? Dates can be stamped and sizes fine-tuned to a certain extent. As for installing software: Yes, always tinkering a bit. Will look into the event logs, but IMO they are not easy to read. I had discarded booting into safe mode, but rethinking it would help to exclude other contamination.

    • #948982

      Why not go into Zone Alarm and run down the list of programs using svchost.
      First, to see if the details give you any indication of what is using that svchost.
      Second, block those same entries and see what starts to complain with svchost blocked?

      • #949018

        Viking, thank you too. I switched to Sygate. I cannot remember the freeware version of ZoneAlarm Free giving away much information or offering many setup options. When asking for permission it shows only “svchost”, but not the invoking service. Which is as blatant a security flaw as the svchost concept to start with. If I block svchost as a whole, I cannot access the internet anymore (I guess it is the missing DHCP service).

        svchost.exe, PID
        668 DcomLaunch, TermService
        744 RpcSs
        780 AudioSrv, CryptSvc, Dhcp, EventSystem, Iprip, lanmanworkstation, Netman, RasMan,
        SENS, SharedAccess, ShellHWDetection, TapiSrv, Themes, winmgmt, wuauserv
        904 Dnscache

        • #949026

          ZA will give you more information if you open up the ZA control center>program control and highlight the particular entry. On the bottom of the screen it will give you the entry details.
