Had the problems yesterday, cleared out, downloaded the patch and a firewall, and I keep getting messages that it has blocked application generic host win 32 svchost.exe or something like that and nt kernel and system. Is it the same thing trying again?
|
Good chance it is. It's a known exploit for some worms. I suggest you download an updated virus pattern or go to Grisoft and get the free virus scanner from there.
|
Looks like you're infected, I'm afraid!!! Another one bites the dust! Get a copy of McAfee 7.0 (from somewhere, nudge, nudge), as their updates are free (see www.nai.com). |
This thing's getting worse by the second (everyone's coming down with it). And every new user a would-be attacker for the next unlikely subject.
I'm getting at least 40 attempts a day (warning logs from firewall), saying port 135's had another attempt. It's constant. Do a search for msblast.exe on your hard disk as it leaves this file when it's off and have a look at your processes running to see if there's an "svchost.exe" running without a corresponding username (it'll be blank). The first signs before you get the system shutdown warnings. |
It's probably not an exploit or anything else.
Search on Google for it. It's normal OS behaviour for svchost.exe to go out to the internet. It handles most of the networking of your PC for you. Have a nosey at this or this to find out what it is and does. There are some trojans that infect svchost.exe, but a virus scan should confirm it is/isn't one of those. |
Don't panic if you have a couple of instances of svchost.exe, it is part of the OS. Instead of me trying to explain (badly), read this: http://support.microsoft.com/default...NoWebContent=1 If you want to know what services svchost.exe is hosting when it's running, use a mini DOS util called tlist.exe, which comes with a resource kit. Open a command prompt and type tlist -t, which will list all tasks running, and the sub tasks that svchost is hosting. If you need tlist, I may be able to zip it & mail you. |
Foot_Tapper is correct in saying that having multiple copies of svchost.exe is normal, as this is XP and Win Server 2003's new "generic service hosting" process. Basically this process spawns a number of services, look in:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
...to find out what can possibly get spawned. Type the following from a command prompt (on XP, Win Server 2003):
tasklist /SVC /FI "IMAGENAME eq svchost.exe"
...to see what svchost.exe is currently hosting. However, DSOTM is incorrect in saying it's normal for svchost.exe to try to connect to the Internet. This is definitely irregular behaviour. |
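Added example (not part of any post above): a Python sketch of the process checks the thread describes, run over constructed `tasklist /SVC /FO CSV` output. It flags the msblast.exe image, an svchost.exe instance hosting no services, and, going beyond the thread, image names that imitate svchost.exe; the 0.85 similarity threshold is an assumption.

```python
import csv
import io
from difflib import SequenceMatcher

# Constructed sample of `tasklist /SVC /FO CSV` output (not from a real host).
SAMPLE = '''"Image Name","PID","Services"
"System Idle Process","0","N/A"
"lsass.exe","692","PolicyAgent,ProtectedStorage,SamSs"
"svchost.exe","856","RpcSs"
"svchost.exe","1012","Dhcp,Dnscache,W32Time,wuauserv"
"svchost.exe","1544","N/A"
"svch0st.exe","1720","N/A"
"msblast.exe","1888","N/A"
'''

SIMILARITY = 0.85  # assumed cut-off for "looks like svchost.exe"


def triage(tasklist_csv):
    """Return (pid, image, reason) tuples for rows worth a closer look."""
    findings = []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        image = row["Image Name"].strip().lower()
        pid = int(row["PID"])
        # tasklist prints N/A when a process hosts no services.
        services = [s for s in row["Services"].split(",") if s and s != "N/A"]
        if image == "msblast.exe":
            findings.append((pid, image, "worm executable named in the thread"))
        elif image == "svchost.exe":
            # A genuine svchost.exe exists to host services; an empty one is odd.
            if not services:
                findings.append((pid, image, "svchost.exe hosting no services"))
        elif SequenceMatcher(None, image, "svchost.exe").ratio() >= SIMILARITY:
            findings.append((pid, image, "name imitates svchost.exe"))
    return findings


if __name__ == "__main__":
    for pid, image, reason in triage(SAMPLE):
        print(f"PID {pid:>5}  {image:<12}  {reason}")
```

A flagged row is a reason to check the executable's path and run a virus scan, not proof of infection.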
Really? I'm wrong.
Nice little extract from Outpost firewall FAQ. Personally, I'd call these protocols "normal" behaviour.

Should I allow or block SVCHOST?
We recommend to create the following rules for the svchost process. Please note that this will be okay for the majority of users but some will need to change it according to the services they use.

Allowing DHCP
Protocol: UDP LocalPort: 68 RemotePort: 67 Direction: Inbound AllowIt

Allowing HTTP connection
Protocol: TCP RemotePort: 80 Direction: Outbound AllowIt

Allowing HTTPS connection
Protocol: TCP RemotePort: 443 Direction: Outbound AllowIt

Blocking "SSDP Discovery Service" and "UPnP device Host" services
Protocol: UDP RemotePort: 1900 RemoteHost: 239.255.255.250 Direction: Inbound DenyIt

Blocking "SSDP Discovery Service" and "UPnP device Host" services
Protocol: TCP RemotePort: 5000 RemoteHost: 239.255.255.250 Direction: Inbound DenyIt

Blocking "SSDP Discovery Service" and "UPnP device Host" services
Protocol: UDP RemotePort: 5000 RemoteHost: 239.255.255.250 Direction: Inbound DenyIt

Blocking "Remote Procedure Call"
Protocol: TCP Local port: 135 DenyIt |
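Added example (not part of the post or of Outpost itself): the FAQ rules quoted above evaluated against constructed packets, to show which svchost.exe traffic they cover. First-match evaluation, the "ask" fallback for unmatched traffic, and the packet field names are assumptions, not documented Outpost behaviour.

```python
import re

# Rule lines as quoted from the Outpost FAQ in the post above.
FAQ_RULES = """\
Protocol: UDP LocalPort: 68 RemotePort: 67 Direction: Inbound AllowIt
Protocol: TCP RemotePort: 80 Direction: Outbound AllowIt
Protocol: TCP RemotePort: 443 Direction: Outbound AllowIt
Protocol: UDP RemotePort: 1900 RemoteHost: 239.255.255.250 Direction: Inbound DenyIt
Protocol: TCP RemotePort: 5000 RemoteHost: 239.255.255.250 Direction: Inbound DenyIt
Protocol: UDP RemotePort: 5000 RemoteHost: 239.255.255.250 Direction: Inbound DenyIt
Protocol: TCP Local port: 135 DenyIt
"""


def parse_rules(text):
    """Turn each FAQ line into ({field: value}, action)."""
    rules = []
    for line in text.splitlines():
        line = line.replace("Local port", "LocalPort")  # FAQ spells it both ways
        fields = {k.lower(): v.lower() for k, v in re.findall(r"(\w+): (\S+)", line)}
        rules.append((fields, "allow" if line.endswith("AllowIt") else "deny"))
    return rules


def decide(rules, packet):
    """Assumed semantics: first matching rule wins; no match means prompt the user."""
    for fields, action in rules:
        if all(str(packet.get(k, "")).lower() == v for k, v in fields.items()):
            return action
    return "ask"


# Constructed packets for the svchost.exe-hosted services argued over in the thread.
PACKETS = {
    "DHCP reply": {"protocol": "udp", "localport": 68, "remoteport": 67, "direction": "inbound"},
    "RPC probe on 135": {"protocol": "tcp", "localport": 135, "remoteport": 3021,
                         "remotehost": "203.0.113.7", "direction": "inbound"},
    "DNS query": {"protocol": "udp", "localport": 1035, "remoteport": 53, "direction": "outbound"},
    "Time sync (NTP)": {"protocol": "udp", "localport": 123, "remoteport": 123, "direction": "outbound"},
}

if __name__ == "__main__":
    rules = parse_rules(FAQ_RULES)
    for name, packet in PACKETS.items():
        print(f"{name:<18} -> {decide(rules, packet)}")
```

DNS and time traffic fall through to "ask" because the quoted rule set has no entry for them, which matches the FAQ's note that some users will need extra rules.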
And just for complete clarity, these are the services/devices hosted by svchost.exe on a WinXP machine.
If you don't believe me, search HKLM\System\CurrentControlSet\Services in your registry for "svchost.exe". Looking at the list, I would say there are a fair few there that would, without question, require network access to perform their correct function. Windows Time, DHCP Client and DNS Client are just a few of the obvious ones.

Alerter
Application Management
Windows Audio
Background Intelligent Transfer Service
Computer Browser
Cryptographic Services
DHCP Client
Logical Disk Manager
DNS Client
Error Reporting Service
COM+ Event System
Fast User Switching Compatibility
Help and Support
Human Interface Device Access
Server (lanmanserver)
Workstation
TCP/IP NetBIOS Helper
Messenger
Network Connections
Network Location Awareness
Removable Storage
Remote Access Auto Connection Manager
Remote Access Connection Manager
Routing and Remote Access
Remote Registry
COM Infrastructure
Task Scheduler
Secondary Logon
System Event Notification
Internet Connection Firewall (ICF)
Shell Hardware Detection
System Restore Service
SSDP Discovery Service
Windows Image Acquisition (WIA)
Telephony
Terminal Services
Themes
Distributed Link Tracking Client
Upload Manager
Universal Plug and Play Device Host
Windows Time
WebClient
Windows Management Instrumentation
Portable Media Serial Number Service
Windows Management Instrumentation Driver Extensions
Automatic Updates
Wireless Zero Configuration |
Yep, I'm with DSOTM.
Svchost is a generic name. It means that you have DLL based services running - every PC will have some of these running at some point. Some of these services could well be internet facing - they could include DNS/DHCP/netlogin - all things that could be internet facing. I would strongly suggest reading up on this at MS Technet, or do a search on the topic. Chris |
Chaps
A little heated, methinks! OK, DNS and Time Service, they may connect to the Internet, unless your [external] firewall proxies these services, or you have DNS/NTP on your LAN. The point I'm making is if something like DHCP tries a DORA request on an Internet facing NIC, then you've got something wrong, or bigger problems still. |
"The point I'm making is if something like DHCP tries a DORA request on an Internet facing NIC, then you've got something wrong, or bigger problems still."
Discover, Offer, Request, Acknowledge... kind of what DHCP is meant to do. Why on earth would that be a problem for a PC with a software firewall? [Edited by DSOTM - 8/17/2003 9:00:55 PM] |
So if my ISP gives out dynamic IP addresses (which the vast majority do), how else would I request an IP address, other than by DHCP request which would be on my internet facing NIC???
Chris |
I'm soooo glad it ain't just me ;)
|
Apologies folks. Was thinking "what's there to be confused about", so read the thread from top to bottom. I have been making an assumption all along, which I shouldn't have made. Stupidly assumed that broadband/ISDN routers were being used, which would be doing the DHCP negotiations; thus the comment "if something like DHCP tries a DORA request on an Internet facing NIC, then you've got something wrong, or bigger problems still.". That is, the BOOTP traffic shouldn't traverse onto the Internet, as it should be satisfied by the router. Completely forgot about dial-up modems and USB ISDN/Broadband adapters! I shall retire to my hole. |
:) - People should be happy that there are enough of us willing to reply and sort these things out (for free!)
Chris |