You should break out the SysInternals tools, particularly PROCEXP and
PROCMON. As Ken said, SVCHOST.EXE is a valid Windows executable that is
essentially a container for other services.

Because you already replaced the SVCHOST file, you don't have valuable
information about the version of the file that might come in handy.

Get the latest SysInternals tools here:
http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx

Check out some very good debugging videos here:
http://www.msteched.com/2010/NorthAmerica/WCL315

You always have to be careful when you've gotten malware on a system.
"Cleaning" is not always to be preferred over "rebuilding", no matter how
minor the damage appears to be.


*ASB* (My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
*Exploiting Technology for Business Advantage...*


On Wed, Jul 28, 2010 at 5:53 AM, Richard Daawes <[email protected]> wrote:

> Thanks for the input Ken, there are four copies of svchost.exe on my PC,
> identical in size but different time stamps, see the list derived from attrib
> and dir in the CLI. I used the one in the dllcache folder to replace the
> system32 copy. BTW I tried the others with the same result; also System Restore
> fails because that doesn't replace svchost.exe.
>
>
> C:\>attrib svchost.exe /s
>           C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
>           C:\WINDOWS\ServicePackFiles\i386\svchost.exe
> A          C:\WINDOWS\system32\dllcache\svchost.exe
> A          C:\WINDOWS\system32\SVCHOST.EXE
>
> C:\>dir svchost.exe /s
>  Volume in drive C is PC_No_1.
>  Volume Serial Number is 6458-9F33
>
>  Directory of C:\WINDOWS\$NtServicePackUninstall$
>
> 04/08/2004  01:56            14,336 svchost.exe
>               1 File(s)         14,336 bytes
>
>  Directory of C:\WINDOWS\ServicePackFiles\i386
>
> 14/04/2008  01:12            14,336 svchost.exe
>               1 File(s)         14,336 bytes
>
>  Directory of C:\WINDOWS\system32
>
> 16/07/2010  18:34            14,336 SVCHOST.EXE
>               1 File(s)         14,336 bytes
>
>  Directory of C:\WINDOWS\system32\dllcache
>
> 19/03/2009  20:07            14,336 svchost.exe
>               1 File(s)         14,336 bytes
>
>     Total Files Listed:
>               4 File(s)         57,344 bytes
>               0 Dir(s)  216,816,939,008 bytes free
>
>
>
> This is going off on a big tangent and members please accept my apologies,
> but I have to respond to your "huh!": plenty of MSDOS apps were designed
> allowing user info to be embedded in executables or libraries; DBase 2 and 3,
> Paradox and Flexiguard (boot controlling app) immediately come to mind.
> Serial numbers, owner ID, custom logos etc. could be incorporated. The
> original file would stay the same size but its time stamp changed. A
> suitable block of blanks is replaced with meaningful data. As an example, at
> the uni I worked for, Norton 2 replaced core commands in COMMAND.COM like
> copy, del, md or rd with our secret equivalents to thwart mischievous
> students and irresponsible staff; as long as replacement commands were the
> same length as the originals, MSDOS didn't wimp about it.
>
> Regarding Firefox not playing vids: Youtube has a white screen where the movie
> should play and no prompts; Flixy has a black screen where the movie should
> play and states I need to upgrade flash plugins etc., which of course makes no
> discernible change.
>
> Richard
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>

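A scriptable version of the check suggested at the top of the thread, added here as an example and not code from either poster: it maps each running svchost.exe to the services it hosts (what Process Explorer shows in its tooltip) and fingerprints the four svchost.exe copies from Richard's listing, since identical size and differing timestamps say nothing about whether the contents match. It assumes PowerShell 2.0 or later with WMI available; the four paths are the ones posted above, reached via %windir%.

```powershell
# Added example, not part of the original thread. Assumes PowerShell 2.0+.
# 1. Which services live in which svchost.exe? A genuine instance runs from
#    System32 under the SCM and carries a "-k <group>" on its command line.
$svchosts = Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'"
foreach ($p in $svchosts) {
    $services = Get-WmiObject Win32_Service -Filter ("ProcessId = " + $p.ProcessId) |
        Select-Object -ExpandProperty Name
    "PID {0,-6}`n    image:    {1}`n    cmd:      {2}`n    services: {3}" -f `
        $p.ProcessId, $p.ExecutablePath, $p.CommandLine, ($services -join ', ')
}

# 2. Compare the copies of the binary. Size alone is useless: the listing in
#    the thread shows four 14,336-byte files with four different timestamps.
#    A SHA-256, the version resource and the Authenticode status separate them.
$copies = @(
    "$env:windir\system32\svchost.exe",
    "$env:windir\system32\dllcache\svchost.exe",
    "$env:windir\ServicePackFiles\i386\svchost.exe",
    "$env:windir\`$NtServicePackUninstall`$\svchost.exe"
)
$sha256 = [System.Security.Cryptography.SHA256]::Create()
foreach ($path in $copies) {
    if (-not (Test-Path $path)) { "missing: $path"; continue }
    $bytes = [System.IO.File]::ReadAllBytes($path)
    $hash  = ($sha256.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
    $ver   = (Get-Item $path).VersionInfo
    $sig   = Get-AuthenticodeSignature $path
    "{0}`n    sha256:  {1}`n    version: {2} ({3})`n    signer:  {4} [{5}]" -f `
        $path, $hash, $ver.FileVersion, $ver.CompanyName,
        $sig.SignerCertificate.Subject, $sig.Status
}
```

Two caveats. Any copy whose hash differs from the rest, or whose version resource lacks the expected Microsoft CompanyName, deserves a closer look, but a hash that matches the other three only proves the copies agree with each other, not that they are clean. And on Windows XP the system binaries are catalog-signed rather than carrying an embedded signature, so older PowerShell versions report NotSigned for a perfectly legitimate svchost.exe; Sysinternals sigcheck, which checks catalog signatures, is the right tool for that step.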
