So eloquent for 6:00 in the morning...

On Wed, Jul 28, 2010 at 6:06 AM, Andrew S. Baker <[email protected]> wrote:
> You should break out the SysInternals tools, particularly PROCEXP and
> PROCMON. As Ken said, SVCHOST.EXE is a valid Windows executable that is
> essentially a container for other services.
>
> Because you already replaced the SVCHOST file, you don't have valuable
> information about the version of the file that might come in handy.
>
> Get the latest SysInternals tools here:
> http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx
>
> Check out some very good debugging videos here:
> http://www.msteched.com/2010/NorthAmerica/WCL315
>
> You always have to be careful when you've gotten malware on a system.
> "Cleaning" is not always to be preferred over "rebuilding", no matter how
> minor the damage appears to be.
>
> ASB
>
> On Wed, Jul 28, 2010 at 5:53 AM, Richard Daawes <[email protected]> wrote:
>
>> Thanks for the input Ken, there are four copies of svchost.exe on my PC,
>> identical in size but different time stamps, see list derived from attrib
>> and dir in CLI. I used the one in the dllcache folder to replace the
>> system32 copy. BTW tried the others and same result, also system restore
>> fails because that doesn't replace svchost.exe
>>
>> C:\>attrib svchost.exe /s
>> C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
>> C:\WINDOWS\ServicePackFiles\i386\svchost.exe
>> A C:\WINDOWS\system32\dllcache\svchost.exe
>> A C:\WINDOWS\system32\SVCHOST.EXE
>>
>> C:\>dir svchost.exe /s
>> Volume in drive C is PC_No_1.
>> Volume Serial Number is 6458-9F33
>>
>> Directory of C:\WINDOWS\$NtServicePackUninstall$
>>
>> 04/08/2004 01:56 14,336 svchost.exe
>> 1 File(s) 14,336 bytes
>>
>> Directory of C:\WINDOWS\ServicePackFiles\i386
>>
>> 14/04/2008 01:12 14,336 svchost.exe
>> 1 File(s) 14,336 bytes
>>
>> Directory of C:\WINDOWS\system32
>>
>> 16/07/2010 18:34 14,336 SVCHOST.EXE
>> 1 File(s) 14,336 bytes
>>
>> Directory of C:\WINDOWS\system32\dllcache
>>
>> 19/03/2009 20:07 14,336 svchost.exe
>> 1 File(s) 14,336 bytes
>>
>> Total Files Listed:
>> 4 File(s) 57,344 bytes
>> 0 Dir(s) 216,816,939,008 bytes free
>>
>> This is going off on a big tangent and members please accept my apologies,
>> but I have to respond to your "huh!": plenty of MSDOS apps were designed
>> allowing user info to be embedded in executables or libraries; DBase 2 and 3,
>> Paradox and Flexiguard (boot controlling app) immediately come to mind.
>> Serial numbers, owner ID, custom logos etc. could be incorporated. The
>> original file would stay the same size but its time stamp changed. A
>> suitable block of blanks is replaced with meaningful data. As an example, at
>> the uni I worked for, Norton 2 replaced core commands in COMMAND.COM like
>> copy, del, md or rd with our secret equivalents to thwart mischievous
>> students and irresponsible staff; as long as replacement commands were the
>> same length as originals, MSDOS didn't wimp about it.
>>
>> Regarding Firefox not playing vids, Youtube has a white screen for movie
>> to play and no prompts, Flixy has a black screen for movie to play and
>> states I need to upgrade flash plugins etc. - which of course makes no
>> discernible change.
>>
>> Richard
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
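As an added example, not code from anyone in this thread: a small Python script that illustrates Richard's point about same-size, in-place patched files. It builds constructed stand-ins for the four svchost.exe locations (not real binaries), patches one copy by overwriting a padding block with data of the same length, and then fingerprints all four by size and SHA-256 so the odd one out shows up by hash where dir's size column cannot.

```python
import hashlib
import tempfile
from pathlib import Path

PAD_BLOCK = b" " * 64  # constructed: the "block of blanks" an in-place patch overwrites

def file_fingerprint(path):
    """Size, modification time and SHA-256 of one file."""
    p = Path(path)
    st = p.stat()
    return {
        "path": str(p),
        "size": st.st_size,
        "mtime": int(st.st_mtime),
        "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
    }

def group_by_hash(paths):
    """Map each distinct SHA-256 to the copies sharing it; more than one key
    means same-size copies are not the same file, whatever dir reports."""
    groups = {}
    for fp in map(file_fingerprint, paths):
        groups.setdefault(fp["sha256"], []).append(fp)
    return groups

def build_sample_copies(root):
    """Constructed stand-ins for the four svchost.exe copies from the thread:
    three pristine, one patched in place so only its bytes differ."""
    pristine = b"MZ" + b"\x00" * 30 + b"fake-svchost-body" + PAD_BLOCK + b"\x00" * 16
    names = ["$NtServicePackUninstall$/svchost.exe", "ServicePackFiles/i386/svchost.exe",
             "system32/dllcache/svchost.exe", "system32/SVCHOST.EXE"]
    paths = []
    for name in names:
        p = Path(root, name)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(pristine)
        paths.append(p)
    # Overwrite the padding block with data of the same length: size is preserved.
    patched = pristine.replace(PAD_BLOCK, b"owner=sample-data".ljust(len(PAD_BLOCK), b"\x00"))
    assert len(patched) == len(pristine)
    paths[-1].write_bytes(patched)
    return paths

def report(root=None):
    """Summary a responder would look at: distinct sizes vs distinct hashes."""
    groups = group_by_hash(build_sample_copies(root or tempfile.mkdtemp()))
    sizes = {fp["size"] for fps in groups.values() for fp in fps}
    return {"distinct_sizes": len(sizes), "distinct_hashes": len(groups),
            "group_sizes": sorted(len(v) for v in groups.values())}
```

On a real system you would run the fingerprinting against the actual paths (or a known-good copy from the service pack media) before overwriting anything, since that is the version information Andrew notes is lost once the file is replaced.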
