The MD5 and SHA1 hashes of the svchost.exe on my XP SP3 box, fully patched, are 
the following: 
27c6d03bcdb8cfeb96b716f3d8be3e18 *svchost.exe (MD5 Hash)
49083ae3725a0488e0a8fbbe1335c745f70c4667 *svchost.exe (SHA-1 Hash)

Version 5.1.2600.5512 from 4/14/1008, size (14,336 bytes)

Svchost is usually a protected system process, since it is the default loader 
for other critical system services. If you do a tasklist /svc and filter on 
svchost you will see how many services it does load. 

Can you verify that the svchost you have is the same as the one listed above? 

You can also run the signature verification tool (Sigverif) to check the files 
accordingly. 

I would probably look into process explorer, and autoruns to see if there isn’t 
any embedded malware/spyware on the system loading. 

But without additional information might not be able to help ya. 

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:[email protected]
Cell:401-639-3505
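
An added example, not part of either e-mail: one way to run the comparison asked for above, hashing every copy of svchost.exe and checking it against the quoted MD5 and SHA-1 values. The paths come from the attrib listing in the quoted message below; the function names are made up for this example, and having Python available on the machine is an assumption.

```python
import hashlib
from collections import defaultdict

# Reference digests quoted in the message above (XP SP3, version 5.1.2600.5512).
REFERENCE = {
    "md5": "27c6d03bcdb8cfeb96b716f3d8be3e18",
    "sha1": "49083ae3725a0488e0a8fbbe1335c745f70c4667",
}

# Paths taken from the attrib/dir listing in the quoted message below.
COPIES = [
    r"C:\WINDOWS\$NtServicePackUninstall$\svchost.exe",
    r"C:\WINDOWS\ServicePackFiles\i386\svchost.exe",
    r"C:\WINDOWS\system32\dllcache\svchost.exe",
    r"C:\WINDOWS\system32\SVCHOST.EXE",
]

def digests(path, chunk=65536):
    """Return size, MD5 and SHA-1 of a file, read in chunks."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
            size += len(block)
    return {"size": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def compare(paths, reference=REFERENCE):
    """Hash each path, flag it against the reference, group identical copies."""
    report, groups = {}, defaultdict(list)
    for path in paths:
        try:
            info = digests(path)
        except OSError as exc:  # missing file, access denied, locked
            report[path] = {"status": "unreadable", "error": str(exc)}
            continue
        same = (info["md5"] == reference["md5"].lower()
                and info["sha1"] == reference["sha1"].lower())
        info["status"] = "match" if same else "differs"
        report[path] = info
        groups[info["sha1"]].append(path)  # byte-identical copies share a key
    return report, dict(groups)

if __name__ == "__main__":
    report, groups = compare(COPIES)
    for path, info in report.items():
        print(info["status"], info.get("size", "-"), info.get("sha1", "-"), path)
    print(len(groups), "distinct file contents among the readable copies")
```

A copy left over from an older service pack can differ from the SP3 reference without having been tampered with, so read a "differs" result together with the file version. Matching sizes prove nothing on their own, since a same-length edit keeps the 14,336-byte size and changes only the hash.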

-----Original Message-----
From: Richard Daawes [mailto:[email protected]] 
Sent: Wednesday, July 28, 2010 5:53 AM
To: NT System Admin Issues
Subject: RE: SVCHOST grabbing CPU time, leaking memory and hanging PC

Thanks for the input Ken, there are four copies of svchost.exe on my PC, 
identical in size but different time stamps, see list derived from attrib and 
dir in CLI. I used the one in the dllcache folder to replace the system32 copy. 
BTW tried the others and same result, also system restore fails because that 
doesn't replace svchost.exe.


C:\>attrib svchost.exe /s
           C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
           C:\WINDOWS\ServicePackFiles\i386\svchost.exe
A          C:\WINDOWS\system32\dllcache\svchost.exe
A          C:\WINDOWS\system32\SVCHOST.EXE

C:\>dir svchost.exe /s
 Volume in drive C is PC_No_1.
 Volume Serial Number is 6458-9F33

 Directory of C:\WINDOWS\$NtServicePackUninstall$

04/08/2004  01:56            14,336 svchost.exe
               1 File(s)         14,336 bytes

 Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008  01:12            14,336 svchost.exe
               1 File(s)         14,336 bytes

 Directory of C:\WINDOWS\system32

16/07/2010  18:34            14,336 SVCHOST.EXE
               1 File(s)         14,336 bytes

 Directory of C:\WINDOWS\system32\dllcache

19/03/2009  20:07            14,336 svchost.exe
               1 File(s)         14,336 bytes

     Total Files Listed:
               4 File(s)         57,344 bytes
               0 Dir(s)  216,816,939,008 bytes free



This is going off on a big tangent and members please accept my apologies but I 
have to respond to your "huh!", plenty of MSDOS apps were designed allowing 
user info to be embedded in executables or libraries; DBase 2 and 3, Paradox and 
Flexiguard (boot controlling app) immediately come to mind. Serial numbers, 
owner ID, custom logos etc could be incorporated. The original file would stay 
the same size but its time stamp changed. A suitable block of blanks is 
replaced with meaningful data. As an example at the uni I worked for Norton 2 
replaced core commands in COMMAND.COM like copy, del, md or rd with our secret 
equivalents to thwart mischievous students and irresponsible staff; as long as 
replacement commands were the same length as originals, MSDOS didn't wimp about 
it.

Regarding Firefox not playing vids, Youtube has a white screen for movie to 
play and no prompts, Flixy has a black screen for movie to play and states I 
need to upgrade flash plugins etc - which of course makes no discernible change.

Richard
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
