
svchost.exe

Old 12 August 2003, 05:49 PM
  #1  
S.B.

Had the problems yesterday, cleared out, downloaded the patch and a firewall, and I keep getting messages that it has blocked application Generic Host Win32 svchost.exe or something like that, and NT Kernel and System. Is it the same thing trying again?
Old 12 August 2003, 06:09 PM
  #2  
swaussie

Good chance it is. It's a known exploit for some worms. I suggest you download an updated virus pattern or go to Grisoft and get the free virus scanner from there.
Old 14 August 2003, 10:11 PM
  #3  
Nog

Looks like you're infected, I'm afraid!!! Another one bites the dust!

Get a copy of McAfee 7.0 (from somewhere, nudge, nudge), as their updates are free (see www.nai.com).

Old 14 August 2003, 10:50 PM
  #4  
Blue_Boy

This thing's getting worse by the second (everyone's coming down with it). And every new user is a would-be attacker for the next unlikely subject.

I'm getting at least 40 attempts a day (warning logs from firewall), saying port 135's had another attempt. It's constant.

Do a search for msblast.exe on your hard disk as it leaves this file when it's off and have a look at your processes running to see if there's an "svchost.exe" running without a corresponding username (it'll be blank). The first signs before you get the system shutdown warnings.
Old 15 August 2003, 01:22 AM
  #5  
DSOTM

It's probably not an exploit or anything else.

Search on Google for it. It's normal OS behaviour for svchost.exe to go out to the internet. It handles most of the networking of your PC for you.

Have a nosey at this or this to find out what it is and does.

There are some trojans that infect svchost.exe, but a virus scan should confirm it is/isn't one of those.

Old 15 August 2003, 08:03 AM
  #6  
Foot_Tapper

Don't panic if you have a couple of instances of svchost.exe; it is part of the OS.
Instead of me trying to explain (badly), read this:

http://support.microsoft.com/default...NoWebContent=1

If you want to know what services svchost.exe is hosting when it's running, use a mini DOS util called tlist.exe, which comes with a resource kit.
Open a command prompt and type tlist -t, which will list all tasks running and the sub-tasks that svchost is hosting.
If you need tlist, I may be able to zip it and mail you.
Old 16 August 2003, 05:34 PM
  #7  
Nog

Foot_Tapper is correct in saying that having multiple copies of svchost.exe is normal, as this is XP and Win Server 2003's new "generic service hosting" process. Basically this process spawns a number of services, look in:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost

...to find out what can possibly get spawned.

Type the following from a command prompt (on XP, Win Server 2003):

tasklist /SVC /FI "IMAGENAME eq svchost.exe"

...to see what svchost.exe is currently hosting.

However, DSOTM is incorrect in saying it's normal for svchost.exe to try to connect to the Internet. This is definitely irregular behaviour.
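Added example, not part of the original posts: a short Python script that parses the CSV form of the tasklist command quoted above (tasklist /SVC /FO CSV), lists what each svchost.exe instance is hosting, and flags any instance that hosts no service at all. The sample output, PIDs and function names are constructed for illustration.

```python
import csv
import io

# Constructed sample of `tasklist /SVC /FO CSV` output (not from a real host).
SAMPLE = '''"Image Name","PID","Services"
"System","4","N/A"
"svchost.exe","884","DcomLaunch,TermService"
"svchost.exe","952","RpcSs"
"svchost.exe","1044","Dhcp,Dnscache,W32Time,wuauserv"
"svchost.exe","2316","N/A"
"explorer.exe","1580","N/A"
'''


def parse_tasklist_svc(text):
    """Return [(image, pid, [services])] from tasklist /SVC /FO CSV text."""
    rows = []
    reader = csv.reader(io.StringIO(text))
    next(reader, None)  # skip the header row (its wording is locale dependent)
    for rec in reader:
        if len(rec) < 3 or not rec[1].strip().isdigit():
            continue  # blank or malformed line
        services = rec[2].strip()
        # tasklist prints N/A when the process hosts no services.
        names = [] if services.upper() == "N/A" else [
            s.strip() for s in services.split(",") if s.strip()]
        rows.append((rec[0].strip(), int(rec[1]), names))
    return rows


def svchost_report(text):
    """Split svchost.exe instances into {pid: services} and service-less PIDs."""
    hosted, no_services = {}, []
    for image, pid, services in parse_tasklist_svc(text):
        if image.lower() != "svchost.exe":
            continue
        if services:
            hosted[pid] = services
        else:
            # The generic service host normally carries at least one service;
            # an instance with none deserves a closer look.
            no_services.append(pid)
    return hosted, no_services


if __name__ == "__main__":
    hosted, no_services = svchost_report(SAMPLE)
    for pid, services in sorted(hosted.items()):
        print(f"svchost.exe PID {pid}: {', '.join(services)}")
    for pid in no_services:
        print(f"svchost.exe PID {pid}: hosts no services, check its path and scan it")
```

An instance flagged here is only a lead: confirm the file's location and run a virus scan before concluding anything.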
Old 16 August 2003, 09:11 PM
  #8  
DSOTM

Really? I'm wrong.

Nice little extract from Outpost firewall FAQ

Personally, I'd call these protocols "normal" behaviour.



Should I allow or block SVCHOST?

We recommend to create the following rules for the svchost process. Please note that this will be okay for the majority of users but some will need to change it according to the services they use.

Allowing DHCP
Protocol: UDP
LocalPort: 68
RemotePort: 67
Direction: Inbound
AllowIt

Allowing HTTP connection
Protocol: TCP
RemotePort: 80
Direction: Outbound
AllowIt

Allowing HTTPS connection
Protocol: TCP
RemotePort: 443
Direction: Outbound
AllowIt

Blocking "SSDP Discovery Service" and "UPnP device Host" services
Protocol: UDP
RemotePort: 1900
RemoteHost: 239.255.255.250
Direction: Inbound
DenyIt

Blocking "SSDP Discovery Service" and "UPnP device Host" services
Protocol: TCP
RemotePort: 5000
RemoteHost: 239.255.255.250
Direction: Inbound
DenyIt

Blocking "SSDP Discovery Service" and "UPnP device Host" services
Protocol: UDP
RemotePort: 5000
RemoteHost: 239.255.255.250
Direction: Inbound
DenyIt

Blocking "Remote Procedure Call"
Protocol: TCP
Local port: 135
DenyIt


Old 16 August 2003, 09:34 PM
  #9  
DSOTM

And just for complete clarity, these are the services/devices hosted by svchost.exe on a WinXP machine.

If you don't believe me, search HKLM\System\CurrentControlSet\Services in your registry for "svchost.exe"

Looking at the list, I would say there are a fair few there that would, without question, require network access to perform their correct function.

Windows Time, DHCP Client and DNS Client are just a few of the obvious ones.


Alerter
Application Management
Windows Audio
Background Intelligent Transfer Service
Computer Browser
Cryptographic Services
DHCP Client
Logical Disk Manager
DNS Client
Error Reporting Service
COM+ Event System
Fast User Switching Compatibility
Help and Support
Human Interface Device Access
Server (lanmanserver)
Workstation
TCP/IP NetBIOS Helper
Messenger
Network Connections
Network Location Awareness
Removable Storage
Remote Access Auto Connection Manager
Remote Access Connection Manager
Routing and Remote Access
Remote Registry
COM Infrastructure
Task Scheduler
Secondary Logon
System Event Notification
Internet Connection Firewall (ICF)
Shell Hardware Detection
System Restore Service
SSDP Discovery Service
Windows Image Acquisition (WIA)
Telephony
Terminal Services
Themes
Distributed Link Tracking Client
Upload Manager
Universal Plug and Play Device Host
Windows Time
WebClient
Windows Management Instrumentation
Portable Media Serial Number Service
Windows Management Instrumentation Driver Extensions
Automatic Updates
Wireless Zero Configuration
Old 16 August 2003, 09:39 PM
  #10  
Chris L

Yep, I'm with DSOTM.

Svchost is a generic name. It means that you have DLL based services running - every PC will have some of these running at some point. Some of these services could well be internet facing - they could include DNS/DHCP/netlogin - all things that could be internet facing.

I would strongly suggest reading up on this at MS Technet, or do a search on the topic.

Chris
Old 17 August 2003, 07:24 PM
  #11  
Nog

Chaps

A little heated, methinks!

OK, DNS and Time Service, they may connect to the Internet, unless your [external] firewall proxies these services, or you have DNS/NTP on your LAN.

The point I'm making is if something like DHCP tries a DORA request on an Internet facing NIC, then you've got something wrong, or bigger problems still.

Old 17 August 2003, 08:56 PM
  #12  
DSOTM

"The point I'm making is if something like DHCP tries a DORA request on an Internet facing NIC, then you've got something wrong, or bigger problems still."

Sorry Nog, you're still making no sense to me at all.

Discover, Offer, Request, Acknowledge....kind of what DHCP is meant to do.
Why on earth would that be a problem for a PC with a software firewall?


[Edited by DSOTM - 8/17/2003 9:00:55 PM]
Old 17 August 2003, 10:33 PM
  #13  
Chris L

So if my ISP gives out dynamic IP addresses (which the vast majority do), how else would I request an IP address, other than by DHCP request which would be on my internet facing NIC???

Chris
Old 17 August 2003, 11:00 PM
  #14  
DSOTM

I'm soooo glad it ain't just me
Old 19 August 2003, 07:16 PM
  #15  
Nog


Apologies folks. Was thinking "what's there to be confused about", so read the thread from top to bottom.

I have been making an assumption all along, which I shouldn't have made. Stupidly assumed that broadband/ISDN routers were being used, which would be doing the DHCP negotiations; thus the comment "if something like DHCP tries a DORA request on an Internet facing NIC, then you've got something wrong, or bigger problems still.". That is, the BOOTP traffic shouldn't traverse onto the Internet, as it should be satisfied by the router.

Completely forgot about dial-up modems and USB ISDN/Broadband adapters!

I shall retire to my hole.

Old 19 August 2003, 08:01 PM
  #16  
Chris L

- People should be happy that there are enough of us willing to reply and sort these things out (for free!)

Chris