cri (Switzerland) asked:
XP Home SP2: Verification SVCHOST ?

What should be the date, the size and the hash of the legitimate SVCHOST file (XP _Home_, SP2, German if this matters)? Alternatively: where can I download a fresh one? I did not find a single source, let alone a reliable one, and I thought I was quite good at internet searching....

According to http://windowsxp.mvps.org/svchost.htm the MD5 of a legitimate svchost.exe from an XP (Professional?) SP2 system (probably English) is 8f078ae4ed187aaabc0a305146de6716, determined using the File Checksum Integrity Verifier version 2.05.

What I have is C:\WINDOWS\system32\svchost.exe  14,336 .a.. 2004-08-04   1:58:16

The same version of the a.m. tool results in something totally different, including the hash >length<:

<?xml version="1.0" encoding="utf-8" ?>
<FCIV>
  <FILE_ENTRY>
    <name>c:\windows\system32\svchost.exe</name>
    <MD5>ZagZsSHrb9q0QA6kK9/+ZA==</MD5>
    <SHA1>Df3uKHFCfpxA7IJUEVaIT/m0v6M=</SHA1>
  </FILE_ENTRY>
</FCIV>

If I expand  C:\WINDOWS\I386\SVCHOST.EX_  
I get a smaller and older file C:\Test\svchost.exe     12,800 .a.. 2001-08-18   4:55:04

The reason for checking is that I suspect having stowaway(s) on board masquerading as legitimate system files:
- Delay of 1-2 minutes between login and desktop appearance
- ZoneAlarm showed pulsing outgoing traffic without me refreshing or downloading
- All kinds of services loaded by svchost; they are difficult to identify despite tasklist, procexp and similar tools
- Switched to Sygate Personal, but this firewall shows more than I can understand yet

Made the usual tests (SFC /scannow, anti-virus, Ad-Aware, SpyBot, HijackThis, www.grc.com and other online checkers, etc.)

Many thanks in advance
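The differing hash length is an encoding difference: FCIV's XML output stores digests base64-encoded, while the mvps page quotes the usual hex form. The following Python script, added here and not part of the thread, converts the FCIV values quoted above to hex and hashes a local file the same way, so the asker's file can be compared on equal terms against a reference copy (for example the one in C:\WINDOWS\ServicePackFiles\i386) or against a published hex value.

```python
import base64
import hashlib

# Values quoted in the thread: FCIV's XML output (base64) for the asker's
# file, and the hex MD5 published at windowsxp.mvps.org for an XP SP2
# svchost.exe (probably the English build).
FCIV_MD5_B64 = "ZagZsSHrb9q0QA6kK9/+ZA=="
FCIV_SHA1_B64 = "Df3uKHFCfpxA7IJUEVaIT/m0v6M="
MVPS_MD5_HEX = "8f078ae4ed187aaabc0a305146de6716"

DIGEST_LEN = {16: "md5", 20: "sha1"}   # raw digest sizes in bytes

def fciv_to_hex(b64_digest):
    """FCIV's -xml mode stores digests base64-encoded; convert one to the
    lowercase hex string that FCIV's console mode and most hash lists use."""
    raw = base64.b64decode(b64_digest, validate=True)
    if len(raw) not in DIGEST_LEN:
        raise ValueError("not an MD5/SHA-1 digest: %d bytes" % len(raw))
    return raw.hex()

def normalize(digest):
    """Accept a digest in hex or FCIV base64 form and return lowercase hex."""
    d = digest.strip()
    if len(d) in (32, 40) and all(c in "0123456789abcdefABCDEF" for c in d):
        return d.lower()
    return fciv_to_hex(d)

def same_digest(a, b):
    """True when two digests (hex or base64, any mix) denote the same hash."""
    return normalize(a) == normalize(b)

def hash_bytes(data):
    """MD5 and SHA-1 hex digests of in-memory data."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}

def hash_file(path, chunk=65536):
    """MD5 and SHA-1 of a file, streamed so large files are not read whole."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

if __name__ == "__main__":
    print("asker's MD5  as hex:", fciv_to_hex(FCIV_MD5_B64))
    print("asker's SHA1 as hex:", fciv_to_hex(FCIV_SHA1_B64))
    print("equals mvps MD5?   :", same_digest(FCIV_MD5_B64, MVPS_MD5_HEX))
```

A mismatch against the mvps value alone is not a verdict, since that page hashes a different (probably English) build; the decoded hex is only meaningful against a reference for the same language and service-pack level.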
Kenneniah

It looks to me to be the correct version etc.

"If I expand  C:\WINDOWS\I386\SVCHOST.EX_  
I get a smaller and older file C:\Test\svchost.exe     12,800 .a.. 2001-08-18   4:55:04"
The I386 directory should contain the version that was on your original installation CD; if SP2 was added later, then yes, those versions would be different.

If you look in C:\WINDOWS\ServicePackFiles\i386 you should find the SP2 version.

For direct comparison you can also download the full SP2 package and reinstall it to replace svchost, or, when you run the download, it will ask you where to save the files and you can browse there to compare versions.
http://www.microsoft.com/downloads/details.aspx?displaylang=de&FamilyID=049c9dbe-3b8e-4f30-8245-9e368d3cdb5a
Wish I could verify more, but as I don't have a German version here I can't look to see if the hash is different than the English one or not. Either way, downloading SP2 and extracting it should allow you to do a direct comparison to a valid one.
"What I have is C:\WINDOWS\system32\svchost.exe  14,336 .a.. 2004-08-04   1:58:16"

For what it's worth, the svchost.exe on my system (XP Pro SP2) has exactly the same date and size, though the time shows 12:56 AM.

I think your file is OK and has not been tampered with.

The reason the extracted file is smaller and older is most likely because that is the version from the original XP (before SP1 or SP2).

If you suspect a service hidden within SVCHOST, can you post the results of "tasklist /svc" here and we can take a look.

If you think something suspicious may be running on your system (other than through svchost), please try the following:

Get and install the utility Autoruns from:

 http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml

When you first run it, it will show a bunch of startups.

Select "View" from the menu bar. Then select all the options within View one by one, from
"Show Appinit..." to "Hide Microsoft Entries". Then click on Refresh.

This will give you a new, shorter list of Startups.

Examine them carefully and uncheck the box next to any that seem suspicious or unnecessary. Then reboot, and hopefully the bad stuff will not start because you unchecked it.

After rebooting, run Autoruns as above, and make sure the items you unchecked are still unchecked. Then you can delete or move the suspect files.

HTH.



Also, you can use "netstat -ab" from a command window to see what programs are using the network at any given time.
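Since the thread turns on which services each svchost.exe instance hosts, here is an added Python example (not from the thread) that parses "tasklist /svc" output, including wrapped service lists, and flags svchost.exe instances that host no service at all, which is not how the Service Control Manager launches it on XP. The sample listing is constructed.

```python
import re

# Constructed sample of "tasklist /svc" output in the XP column layout (not the
# asker's listing). PID 1432 is deliberately a svchost.exe hosting nothing.
SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
services.exe                   568 Eventlog, PlugPlay
svchost.exe                    744 DcomLaunch, TermService
svchost.exe                    816 RpcSs
svchost.exe                    908 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                   ERSvc, EventSystem, helpsvc, lanmanserver,
                                   winmgmt, wscsvc, wuauserv, WZCSVC
svchost.exe                    960 Dnscache
svchost.exe                   1432 N/A
explorer.exe                  1500 N/A
"""

ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")   # image, pid, service column

def _split(services):
    return [s.strip() for s in services.split(",") if s.strip()]

def parse_tasklist_svc(text):
    """Return [(image, pid, [services])] from tasklist /svc output. Indented
    lines continue the service list of the preceding process."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        if line[0].isspace() and rows:          # wrapped service list
            rows[-1][2].extend(_split(line))
            continue
        m = ROW.match(line)
        if m:
            svcs = m.group(3).strip()
            rows.append((m.group(1), int(m.group(2)), [] if svcs == "N/A" else _split(svcs)))
    return rows

def svchost_without_services(rows):
    """svchost.exe exists to host services; an instance showing N/A deserves a look."""
    return [pid for image, pid, svcs in rows
            if image.lower() == "svchost.exe" and not svcs]

if __name__ == "__main__":
    rows = parse_tasklist_svc(SAMPLE)
    print("svchost with no services:", svchost_without_services(rows))
```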
I defer to Germans to answer for more than a few reasons. File size can look different when moved from one sectoring system to another. Dates from Microsoft are too often suspect. Sometimes getting a program with an older date means they goofed again, and you need another patch. Sometimes it is among their normal business, where newer files have older dates, go figure. With luck you can get an answer from someone similar. I am back on SP1 for most access. Rebuilds and incompatibilities put us behind.

> ZoneAlarm showed pulsing outgoing traffic without me refreshing or downloading

This is simple, IMO. Configure this software to not let anything go out without your specific approval, in writing (actually, it should give you a popup to say yes or no to each one).

Deny ALL traffic.

Now when something wants to go out, review it. Most of them you should be able to figure out as OK, from now and forever. Perhaps a DNS server, for example. Others however, can give you the clue for a culprit, and that can lead to a clue to ask again here about what to do about your beasts.

Unsaid

I now recall a coworker asking why 'everyone' was getting spammed by Germans. I took a quick look, and while no one spammed me <sigh> (neglected again), I did quickly see that on some forum like Computerworld, a worm was modified that hit German users pretty badly over the last weekend. I'll look it up, get you a link. Even if you do not have this problem, it is still hot, and a good time to defend against it.
http://www.computerworld.com/securitytopics/security/virus/story/0,10801,101760,00.html?source=NLT_VVR&nid=101760
Latest Sober worm sends German spam
Sober.q began spreading quickly online over the weekend

News Story by Scarlet Pruitt

MAY 16, 2005 (IDG NEWS SERVICE) - E-mail users perplexed by the barrage of German-language spam waiting in their in-boxes this morning can blame the latest version of the Sober mass-mailing worm, which began rapidly spreading over the weekend.

Sober.q uses both German- and English-language messages to direct recipients to Web sites with right-wing German nationalistic content, according to an advisory from e-mail security company MX Logic Inc. in Englewood, Colo. One of the URLs points to the Web site of the right-wing German National Democratic Party, the security firm said.

  -(etc)-
http://securityresponse.symantec.com/avcenter/venc/data/trojan.ascetic.c.html
Trojan.Ascetic.C
Also Known As: Email-Worm.Win32.Sober.q [Kaspersky Lab]

Trojan.Ascetic.C is a Trojan horse that uses its own SMTP engine to send spam email to addresses gathered from the compromised computer. The email may be in either English or German.

When Trojan.Ascetic.C is executed, it performs the following actions:

Creates the following files:

%Windir%\Help\Help\csrss.exe (copy of the Trojan)
%Windir%\Help\Help\smss.exe (copy of the Trojan)
%Windir%\Help\Help\services.exe (copy of the Trojan)
%Windir%\Help\Help\sacri1.ggg
%Windir%\Help\Help\sacri2.ggg
%Windir%\Help\Help\sacri3.ggg
%Windir%\Help\Help\voner1.von
%Windir%\Help\Help\voner2.von
%Windir%\Help\Help\voner3.von
%Windir%\Help\Help\sysonce.tst
%Windir%\Help\Help\fastso.ber
%System%\nonrunso.ber
%System%\langeinf.lin
%System%\gdfjgthv.cvq
%System%\seppelmx.smx
%System%\adcmmmmq.hjg
%System%\xcvfpokd.tqa
%System%\fastso.ber

Navigate to the subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

delete the value: "SystemBoot" = "%Windir%\Help\Help\services.exe"

So I recommend that if you are compiling a list of file sizes, do include these specifically as well: csrss.exe, smss.exe, services.exe

And consider whether the long boot time is a new virus, and whether the outgoing packets are more eSpam.
ASKER CERTIFIED SOLUTION
nedvis (United States of America)

This solution is only available to members of Experts Exchange.
cri (ASKER)

Whoaaa.... First nothing, now so many comments and hints. Many thanks. Will look into them this weekend. Will keep you posted.
cri, you are in the best hands here at EE!
But sometimes people are very busy; sometimes it takes hours just to review all posted questions in numerous EE topic areas.
Hopefully we will fix the problem.

Have a nice weekend
nedvis
cri (ASKER)

I can give you only partial feedback, had to work on Sunday.

Re nedvis' tips:
- F-Secure found nothing
- RootkitRevealer found this key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\      14.09.2002 18:27      0 bytes      Key name contains embedded nulls (*)

Regarding the German right-wing worm: I noticed this behaviour earlier, but I will have to look into it.

I will keep you posted, I will not abandon this one.
cri (ASKER)

I must apologize. First to all the experts whom I kept waiting. Heavy workload, combined with a growing dismay regarding the blatant futility of trying to secure Windows. Secondly to sirbounty: cleaning up after the askers is a tedious job.