SVCHOST.EXE question


elfa

I have two files named SVCHOST.EXE......
One in lowercase residing in C:\WINNT\system32 dated 7\26\2000 and 8K in size...

Another in UPPERCASE residing in C:\WINNT\system32\wins dated 8\28\2003 and 20K
in size.

I found this after running AVG and finding the lovesan worm (AGAIN) and also
finding both svchost.exe's loaded in Windows Task Manager\Processes.

Question....I should only have one svchost.exe.....right?

I've renamed the one in uppercase just in case I shouldn't have it.

Any advice will be appreciated.

thanks

elfa
 
Question....I should only have one svchost.exe.....right?

According to the Zone Alarm Firewall Forum, No.... You can and
usually do have more than one copy of svchost.exe on your system.
According to the forum, it is used by many applications that need to
use it for Internet/network trafficking and some applications go on
and make a copy of it in specific places on your system for their own
use. This is why you usually get more than one firewall hit asking
you if you want svchost(xxxxx) where xxxx is the application using
svchost to access the Internet/network etc. You say yes and tell your
firewall to remember the yes and then it turns around and asks you
again in a few days. That's because it is another copy of svchost
being used by another application and not the one you said yes to.

This single file has been a headache for firewall configurations.
According to the forum, some firewall makers have made their firewall
just ignore the hits from svchost so they don't get cluttered with
question-traffic in their support areas. Zone Alarm, however, does
not ignore hits by svchost because they say any self-respecting trojan
or virus could be using it for internet/network access and to ignore
it would be defeating the purpose of having a firewall in the first
place.

I guess you can tell a good firewall from a bad firewall depending on
how many hits you have to configure for svchost. If you don't get any
then you know the makers of your firewall programmed their firewall to
ignore it so they don't have to keep answering questions about multi
svchost hits and what to do about them.

Sorry, got off the subject..... Yes, according to the ZA forum, multiple
copies of svchost are normal. However, you got to have a firewall that
will keep an eye on each one of them letting you know who is using
each one and why.

This is all according to what I have read on the ZA forum. Before
becoming a member of that forum, I knew nothing at all about this and
was running a firewall that had never ever received a configuration
hit on svchost. I still don't understand what svchost does or how
other applications use it but..... they do.....
 
T.R. pounced upon this pigeonhole and pronounced:
According to the Zone Alarm Firewall Forum, No.... You can and
usually do have more than one copy of svchost.exe on your system.

While you are correct and it is normal to have three or four running
copies of svchost.exe, the original question was about two different local
files named that.

On my Win2K SP4 system, I have two copies, in:
c:\winnt\system32
c:\winnt\system32\dllcache

Both are 7,952 bytes and dated 12/7/1999 (Dec 7, 1999)
 
I have two files named SVCHOST.EXE......
One in lowercase residing in C:\WINNT\system32 dated 7\26\2000 and 8K
in size...

Another in UPPERCASE residing in C:\WINNT\system32\wins dated
8\28\2003 and 20K in size.

I found this after running AVG and finding the lovesan worm (AGAIN)
and also finding both svchost.exe's loaded in Windows Task
Manager\Processes.

Question....I should only have one svchost.exe.....right?

I've renamed the one in uppercase just in case I shouldn't have it.

Any advice will be appreciated.

thanks

elfa

There should only be one svchost.exe that is valid when running, which is
out of Windows\system32, and there can be multiple occurrences of
svchost.exe running out of the system32 directory. The backup to
svchost.exe is in Windows\system32\dllcache; the O/S will use the
one in dllcache to replace the one in system32 if the one in system32 is
deleted. The file size, date, and time stamp should be the same for both
files.

You could have another svchost.exe that could be in a SP directory.

If there is another svchost.exe running and it's not out of Windows
\system32, it's not legit.

Duane :)
 
I have just one copy of svchost.exe with Windows XP. It is in the
\WINDOWS\system32 directory. I also have Zone Alarm Pro which I've installed
several times over the years for various reasons, and I only get asked once per
installation for an OK.

Manny
 
(e-mail address removed) (Manny) wrote in
I have just one copy of svchost.exe with Windows XP. It is in the
\WINDOWS\system32 directory. I also have Zone Alarm Pro which I've
installed several times over the years for various reasons, and I only
get asked once per installation for an OK.

Manny

You have more than one on the Windows NT based O/S. You have to go to
Tools\Folder Options\View and uncheck *Hide O/S System Files* and check *Show hidden
files and directories* to see everything.

Duane :)
 
Duane Arnold said:
There should only be one svchost.exe that is valid when running, which is
out of Windows\system32, and there can be multiple occurrences of
svchost.exe running out of the system32 directory. The backup to
svchost.exe is in Windows\system32\dllcache; the O/S will use the
one in dllcache to replace the one in system32 if the one in system32 is
deleted. The file size, date, and time stamp should be the same for both
files.

You could have another svchost.exe that could be in a SP directory.

If there is another svchost.exe running and it's not out of Windows
\system32, it's not legit.

Duane :)

thanks Duane....I seem to have a worm/virus problem.
Every time I delete one, another shows up in a few days.

elfa
 
I have two files named SVCHOST.EXE......
One in lowercase residing in C:\WINNT\system32 dated 7\26\2000 and 8K in size...

Another in UPPERCASE residing in C:\WINNT\system32\wins dated 8\28\2003 and 20K
in size.

I found this after running AVG and finding the lovesan worm (AGAIN) and also
finding both svchost.exe's loaded in Windows Task Manager\Processes.

Question....I should only have one svchost.exe.....right?

I've renamed the one in uppercase just in case I shouldn't have it.

Any advice will be appreciated.
If you have been **reinfected** with Lovesan (AKA Blaster) then I
would suggest that your AntiVirus program has not been updated, or is
not working properly. Have you tried running the Blaster and Welchia
removal programs from Symantec? They are free.

Cheers,

Cliff
 
If you have been **reinfected** with Lovesan (AKA Blaster) then I
would suggest that your AntiVirus program has not been updated, or is
not working properly. Have you tried running the Blaster and Welchia
removal programs from Symantec? They are free.

Cheers,

Cliff

AVG updated weekly....last update 10/16/03. Will try the Symantec fix.

thanks

elfa

 
Duane Arnold said:
There should only be one svchost.exe that is valid when running, which is
out of Windows\system32, and there can be multiple occurrences of
svchost.exe running out of the system32 directory. The backup to
svchost.exe is in Windows\system32\dllcache; the O/S will use the
one in dllcache to replace the one in system32 if the one in system32 is
deleted. The file size, date, and time stamp should be the same for both
files.

You could have another svchost.exe that could be in a SP directory.

If there is another svchost.exe running and it's not out of Windows
\system32, it's not legit.

Duane :)

I clicked on properties of SVCHOST.EXE I found in the C:\WINNT\system32\wins
directory.

Under the Version tab, I found the following

Description is TCP/IP Trivial file transfer daemon

Internal name is tftpd.exe

Original name is tftpd.exe

Product name is Microsoft Windows 2000 Operating System

Product Version is 5.00.2134.1

Looks like a legit file (tftpd.exe) that Windows renamed and put into the wins
subdirectory.

Just an FYI.

elfa
 
I clicked on properties of SVCHOST.EXE I found in the
C:\WINNT\system32\wins directory.

Under the Version tab, I found the following

Description is TCP/IP Trivial file transfer daemon

Internal name is tftpd.exe

Original name is tftpd.exe

Product name is Microsoft Windows 2000 Operating System

Product Version is 5.00.2134.1

Looks like a legit file (tftpd.exe) that Windows renamed and put into
the wins subdirectory.

Just an FYI.

elfa

I don't think it's legit. There are only two places that are legit for
svchost.exe. That's the system32 and dllcache directories. Any programmer
using a programming language such as Visual Basic, C++, etc. etc. can make a
DLL or EXE that looks valid with version information and Product Name in
the description of the DLL or EXE.

http://www.pspl.com/virus_info/worms/blasterd.htm

Duane :)
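The two checks Duane describes (svchost.exe is only expected in system32 and its dllcache backup, and version-resource strings such as the tftpd.exe "Original name" elfa found cannot be trusted on their own) can be scripted. The PowerShell below is an added example written for this thread, not code from any poster; it assumes a modern PowerShell on the host being inspected, reads the Windows directory from $env:SystemRoot (C:\WINNT on the poster's Win2K system), and adds the Authenticode signature check as the cross-check that a renamed or home-made binary fails even when its version strings look right. The dllcache directory exists on Windows 2000/XP only; on later releases only the system32 location applies and the dllcache comparison is simply skipped.

```powershell
# Added example for this thread (not a poster's code): inventory every file
# named svchost.exe on the system drive and flag any copy that is outside
# system32 / system32\dllcache, carries a different OriginalFilename in its
# version resource, or fails Authenticode verification.
$sysRoot   = $env:SystemRoot                      # C:\WINNT on Win2K, C:\Windows later
$legitDirs = @(
    (Join-Path $sysRoot 'system32'),
    (Join-Path $sysRoot 'system32\dllcache')
)
$drive = Split-Path -Qualifier $sysRoot           # e.g. "C:"

$copies = Get-ChildItem -Path "$drive\" -Filter 'svchost.exe' -Recurse -Force -File `
                        -ErrorAction SilentlyContinue

foreach ($f in $copies) {
    $inLegitDir = $legitDirs -contains $f.DirectoryName   # -contains compares case-insensitively
    $vi   = $f.VersionInfo
    $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash

    $flags = @()
    if (-not $inLegitDir) { $flags += 'outside system32/dllcache' }
    # elfa's file was named SVCHOST.EXE but its version resource said tftpd.exe:
    # a name/OriginalFilename mismatch is itself a strong indicator.
    if ($vi.OriginalFilename -and $vi.OriginalFilename -ne 'svchost.exe') {
        $flags += "original name is $($vi.OriginalFilename)"
    }
    # Version strings are free text a programmer can set to anything; the
    # signature is the check that a renamed tftpd.exe or a home-made binary fails.
    if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }

    $verdict = if ($flags) { 'SUSPECT: ' + ($flags -join '; ') } else { 'expected location' }
    [pscustomobject]@{
        Path     = $f.FullName
        Bytes    = $f.Length
        Modified = $f.LastWriteTime
        Version  = $vi.FileVersion
        SHA256   = $hash
        Verdict  = $verdict
    }
}

# Duane's point that the system32 copy and its dllcache backup must match:
# compare them by hash rather than by size and date, which are easy to forge.
$primary = Join-Path $legitDirs[0] 'svchost.exe'
$backup  = Join-Path $legitDirs[1] 'svchost.exe'
if ((Test-Path $primary) -and (Test-Path $backup)) {
    $same = (Get-FileHash -Path $primary).Hash -eq (Get-FileHash -Path $backup).Hash
    "system32 and dllcache copies identical: $same"
}
```

Run it from an elevated prompt so the recursive search can read every directory; anything reported as SUSPECT is worth comparing against the vendor's published description of the worm before it is deleted, since a rename alone does not say which malware family dropped the file.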
 
Bitstring <[email protected]>, from the
wonderful person Beauregard T. Shagnasty said:
T.R. pounced upon this pigeonhole and pronounced:

While you are correct and it is normal to have three or four running
copies of svchost.exe, the original question was about two different local
files named that.

On my Win2K SP4 system, I have two copies, in:
c:\winnt\system32
c:\winnt\system32\dllcache

Both are 7,952 bytes and dated 12/7/1999 (Dec 7, 1999)

WinXP SP1 (Pro), same places, size 12,800, dated 29/Aug/02
version 5.1.2600.0 (Don't ya just love the way MS code grows like
topsy).

Yes, multiple copies get run, but not from anywhere else. Something
elsewhere on the disk is probably a trojan/worm, with a cunningly
disguised name. Especially if it is referenced in the startup folders or
run keys (the 'real' svchost.exe doesn't need any manual help to get
started, the OS does it quite automatically).
 
This is definitely malicious. Look at this page from Symantec on the
Welchia worm. See how many of these symptoms you have.
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

Number 4 from technical details explains how the worm puts a copy of the
trivial FTP daemon in the wins folder named svchost.exe.

Since this is a recent worm it may be what you have. Otherwise if you do
a search for svchost.exe on Symantec's security response site it will
show you several known worms\trojans that manipulate svchost or add their
own files named the same to a system.
 
elfa said:
I have two files named SVCHOST.EXE......
One in lowercase residing in C:\WINNT\system32 dated 7\26\2000 and 8K in size...

Another in UPPERCASE residing in C:\WINNT\system32\wins dated 8\28\2003 and 20K
in size.

I found this after running AVG and finding the lovesan worm (AGAIN) and also
finding both svchost.exe's loaded in Windows Task Manager\Processes.

Question....I should only have one svchost.exe.....right?

I've renamed the one in uppercase just in case I shouldn't have it.

Any advice will be appreciated.

thanks

elfa

The beast trojan (http://tataye.scripterz.org/Trojan.html) uses this name as
default for a server application, either in the windows directory or in the
system directory.



-
GPGKID: 0xC0539971
 
AVG updated weekly....last update 10/16/03. Will try the Symantec fix.
I just thought - some of these viruses/trojans disable your Virus
Protection programs.

Cheers,

Cliff
 
Blaster runs svchost.dll out of the system32/wins directory.
Sadly you have Blaster. There's a small removal tool on symantec.com. Get
that and also check for Welchia while you're at it. Once you've killed
them patch for Blaster from Microsoft.com. But then you need to disable
DCOM so you don't get attacked again. Blaster logs your IP to a remote
server and keeps reattacking you. It's coded by a loser though and doesn't
really work properly so it guesses your OS and when it fails, svchost will
error. This is a really annoying side effect you'll get once you've removed
it. So go to

http://grc.com/dcom/

and download the DCOMbobulator. That will solve your virus and all the
crazy side-effects that come from removing it.



Good Luck

Andy
 
I have two files named SVCHOST.EXE......
One in lowercase residing in C:\WINNT\system32 dated 7\26\2000 and 8K in size...

Another in UPPERCASE residing in C:\WINNT\system32\wins dated 8\28\2003 and 20K
in size.

I found this after running AVG and finding the lovesan worm (AGAIN) and also
finding both svchost.exe's loaded in Windows Task Manager\Processes.

Question....I should only have one svchost.exe.....right?

I've renamed the one in uppercase just in case I shouldn't have it.

Any advice will be appreciated.

thanks

elfa

I've just battled through the same problem.
You can delete the one in the wins folder. There are also two registry
entries to delete ie:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcPatch

and

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcTftpd

If you have these two entries you have the nachi worm

You can also delete

C:\WINNT\SYSTEM32\WINS\DLLHOST.EXE (10,240 bytes)

and

C:\WINNT\SYSTEM32\WINS\SVCHOST.EXE

Hope this helps.
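The indicators in the post above (the RpcPatch and RpcTftpd service keys, and the dropped DLLHOST.EXE and SVCHOST.EXE in system32\wins), together with the earlier remark that a genuine svchost.exe needs no startup-folder or Run-key entry to get started, are easy to turn into a host check. The PowerShell below is an added example written for this thread, not code from any poster; it assumes a modern PowerShell, reads the Windows directory from $env:SystemRoot, and reports each indicator rather than deleting anything, so the findings can be compared with the vendor write-up before cleanup.

```powershell
# Added example for this thread (not a poster's code): look for the Nachi/Welchia
# indicators listed in the thread plus Run-key entries that reference svchost.exe.
$sysRoot = $env:SystemRoot
$winsDir = Join-Path $sysRoot 'system32\wins'
$findings = @()

# 1. Service registrations named in the thread. ImagePath tells you which
#    binary each one launches.
foreach ($svc in 'RpcPatch', 'RpcTftpd') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path $key) {
        $img = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
        $findings += "service $svc present (ImagePath: $img)"
    }
}

# 2. Dropped binaries in system32\wins. The thread's SVCHOST.EXE there was a
#    renamed tftpd.exe, so the version resource's OriginalFilename is reported too.
foreach ($name in 'svchost.exe', 'dllhost.exe') {
    $p = Join-Path $winsDir $name
    if (Test-Path $p) {
        $f = Get-Item -Path $p -Force
        $findings += "$($f.FullName) ($($f.Length) bytes, original name: $($f.VersionInfo.OriginalFilename))"
    }
}

# 3. Run/RunOnce entries that reference any svchost.exe. The OS starts the real
#    one itself, so such an entry points at something else using the name.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($rk in $runKeys) {
    if (-not (Test-Path $rk)) { continue }
    $props = Get-ItemProperty -Path $rk
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
        if ("$($prop.Value)" -match 'svchost\.exe') {
            $findings += "Run entry '$($prop.Name)' in $rk -> $($prop.Value)"
        }
    }
}

if ($findings) {
    $findings | ForEach-Object { "INDICATOR: $_" }
} else {
    'No Nachi/Welchia indicators found'
}
```

Run it elevated so the HKLM service keys and the wins directory are readable. A clean result from this script only covers the specific indicators the thread names; elfa's repeated reinfection is the network-worm behaviour Cliff and the later reply point at, so the missing patch and an exposed host are what let it come back, not leftovers this check would miss.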
 
Thanks for the advice. Just checked and no reg entries..Deleted SVCHOST.EXE
from the wins directory....for the umpteenth time. DL'd and ran 3 of Symantec's
anti viral programs which didn't find anything.....this was after I reloaded
AVG (for the umpteenth time), ran it, and deleted the 'nachi' worm (for the
umpteenth time).

elfa
Just remember, the Nachi worm is a network worm. I got mine from my
ISP >:O It's worth a try.
 
I've just battled through the same problem.
You can delete the one in the wins folder. There are also two registry
entries to delete ie:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcPatch

and

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcTftpd

If you have these two entries you have the nachi worm

You can also delete

C:\WINNT\SYSTEM32\WINS\DLLHOST.EXE (10,240 bytes)

and

C:\WINNT\SYSTEM32\WINS\SVCHOST.EXE

Hope this helps.
Thanks for the advice. Just checked and no reg entries..Deleted SVCHOST.EXE
from the wins directory....for the umpteenth time. DL'd and ran 3 of Symantec's
anti viral programs which didn't find anything.....this was after I reloaded
AVG (for the umpteenth time), ran it, and deleted the 'nachi' worm (for the
umpteenth time).

elfa
 