Author Topic: new repeated (low level) security alerts  (Read 3556 times)

Offline Brynn

  • Sr. Member
  • ****
  • Posts: 425
new repeated (low level) security alerts
« on: February 16, 2006, 03:20:58 AM »
Hi Friends
Well I've bounced back and forth several times, whether to post this in the Anti-Spyware board, or this one.  So I'm going with this one for now, and the mods can move it, if necessary.

Ok, this may just be a result of some setting change I've made recently, but I don't know where to start looking for it.  The alert is a Norton Program Control alert.  [DISCLAIMER:  I realize a lot of you are anti-Norton/Symantec, so no need to repeat those sentiments.  OK?  Thanks  :)]

The alert says "Microsoft Generic Host Process for Win32 Services is attempting to access the Internet."  It popped up yesterday (14th) while I was offline.  I already know that this is a necessary program for IE/Windows, and that it already has access to the internet.  So it doesn't make sense to me why it should trigger an alert.  I know that something called the "host file" can be used for both spyware-type issues, as well as more serious virus-related problems.  So seeing the alert sent up my own "warning flag".

Anyway, I selected to Block access, to be on the safe side.  But the alert was immediately displayed again and again.  And it was Block, alert, Block, alert, etc, until I chose "Always Block", to give me time to sort it out.

The only setting I remember changing in the last few days, is enabling IE > Tools > Internet Options > Advanced Tab >  "Enable third-party browser extensions (requires restart)" to resolve the problem I posted in this thread:  http://www.landzdown.com/index.php?topic=4591.0 ....which also explains why I don't go to Symantec for help.  (I can't believe how arrogant is this business, to offer a product and service, for sale yet they basically refuse to offer support for either  :roll:.  I may yet be looking into using other such products/services, before long ;))  However, I don't think this setting is anything related to the svchost.exe program.  I could have changed something else, but I don't remember specifically.

So, does anyone know what's up with the svchost.exe alerts?  Why would I be getting alerts when the program already has access to the internet?  Why is it happening when I'm not even logged on to the internet (dialup)?  What could be causing this, and is it a sign of trouble?  Oh, btw, my last security scans were on the 10th -- NAV, Ad-Aware, CWShredder, Spybot S&D, and HijackThis.  All were normal scans, no problems detected.  Also, I did save the particulars of the alert; if they are needed, I can post them.

As always, thanks for your help and support  :D
"To sin by silence when they should protest makes cowards of men." - Abraham Lincoln

Offline GR@PH;<'S

  • Administrator
  • Hero Member
  • *****
  • Posts: 15651
    • http://www.taktmobiles.co.uk
Re: new repeated (low level) security alerts
« Reply #1 on: February 16, 2006, 12:34:20 PM »
Brynn,
Your PC could have a few Microsoft Generic Host Processes
(I can have something like 5 running at any one time).
But do a "Full Scan" with Ad-Aware and then post your logfile here by using the Add-Reply feature.
Also, if you have not already got it, download CCleaner.
(Note in CCleaner: go to >options > advanced > Uncheck "Only delete files in Windows Temp folders older than 48 hours").
Also download and try Ewido;
it is a trial version of the program.
Once installed, please update Ewido to the latest definition files.
Click the left-hand side of the main screen, then click Update.
Then click on Start Update. The update will start and a progress bar will show the updates being installed.
See this excellent Ewido Quick Guide by Die Hard.
GR@PH;<'S   :breakkie:
press Enter then have a Brandy then if the problem is still there have another Brandy
Q: does it work
A: It does seem to for a few hours at least.

Offline Brynn

  • Sr. Member
  • ****
  • Posts: 425
Re: new repeated (low level) security alerts
« Reply #2 on: February 18, 2006, 05:56:10 AM »
Ok, thanks GR@PH;<'S  :)

I'm due for updates and scans all around, so I'll get started on that.  And I'll post my logfile.  Do you want me to post it, even if the scan comes up clean?

I do have CCleaner, so I'll use it before scanning.

On ewido, it looks like one can scan from the website, rather than downloading the program and then scanning.  Just for now, could I use the online scan (if that's what I'm seeing)?  The reason I'm feeling hesitant, is that I've been planning to download Spyware Blaster and Spyware Guard, which were recommended to me a while back.  (I can be a great procrastinator!)  But I don't see them in the list of compatible programs for ewido.

If it comes down to getting ewido or the 2 Spyware programs, should I assume you would recommend ewido?  If so, I'll download ewido instead of the 2 Spyware programs.  But meanwhile, can I scan from the website?

Thanks for your help, and back soon w/Ad-Aware results.
"To sin by silence when they should protest makes cowards of men." - Abraham Lincoln

Offline Ripley

  • LzD Moderator
  • Hero Member
  • *****
  • Posts: 2566
Re: new repeated (low level) security alerts
« Reply #3 on: February 18, 2006, 11:17:44 AM »
Hey Brynn!

My read from GR@PH;<'S is download and install the 14 day trial version of Ewido.  The online scanner that I've seen at Ewido website is described as an unfinished beta scanner?...I've never tried it.
But you can always uninstall Ewido after you use its scanner, but it's free for 14 days and I think you'll find it handy to have it in your arsenal.  After the 14 days, you can still keep the scanner for free, you just lose the real-time protection and auto updates.  But I do manual updates to Ewido thru the handy dandy Software Updates notifications that we get here at LzD.  :)
I have Ewido and SpywareBlaster and even tho you don't find it on the compatibility list at Ewido, I have had no problems running them both.

ripley

Offline Brynn

  • Sr. Member
  • ****
  • Posts: 425
Re: new repeated (low level) security alerts
« Reply #4 on: February 18, 2006, 04:02:17 PM »
Ooooh!  Thanks, ripley  :)
For some reason when GR@PH;<'S said "trial version", I was thinking "beta", so I thought they were the same thing, at first.  But I understand now.

Anyway, all my scans are clean, GR@PH;<'S.  Do you still want me to post the Ad-Aware logfile?

Ok, I'm off to d-l ewido, now.
I appreciate your "translation", ripley.
"To sin by silence when they should protest makes cowards of men." - Abraham Lincoln

Offline GR@PH;<'S

  • Administrator
  • Hero Member
  • *****
  • Posts: 15651
    • http://www.taktmobiles.co.uk
Re: new repeated (low level) security alerts
« Reply #5 on: February 18, 2006, 04:38:13 PM »
Brynn,
If you want, you can always post your log file, but I recommend that if you are having problems then yes, post it; if not, then as long as you know it is clean, no, you do not need to post it.
As for downloading CCleaner, that is of course up to you, but I do recommend you give Ewido a try.
(You can always uninstall it if it is not to your liking, but my guess is that once you try it you will love it.)
What I meant by the trial is that it will download the full version for you to try (Trial version) for 14 days; then you can leave it on your PC and use it, but it will convert to the free program, which you can still use, only you lose the auto updater and the real time monitor.

I also recommend that you download and use both SpywareBlaster and
SpywareGuard,
but so that you have not got 2 real time monitors going at the same time, leave SpywareGuard off (or only download it but do not install it until your trial of Ewido has ended); that way the two programs cannot conflict.

GR@PH;<'S   :breakkie:
press Enter then have a Brandy then if the problem is still there have another Brandy
Q: does it work
A: It does seem to for a few hours at least.

Offline Brynn

  • Sr. Member
  • ****
  • Posts: 425
Re: new repeated (low level) security alerts
« Reply #6 on: February 19, 2006, 11:43:42 AM »
Ok, I've completed all your instructions.  Ewido scan is clean also, so I guess we can conclude it's not any malware triggering these alerts.

Is there any way to find out what is telling svchost.exe to access the internet, in this case?  It's definitely something that has never happened before.  I mean, yes, it was already configured to access internet, and I have no problem with that.  But why am I suddenly getting these repeated alerts, when the program already has access?

The svchost.exe program already had been granted access....from the first time I went online with this system (3 to 4 years ago).  So why am I getting alerts?  Why doesn't whatever it is that's triggering them, use the current permission/configuration and access the internet without alerting me??
"To sin by silence when they should protest makes cowards of men." - Abraham Lincoln

Offline GR@PH;<'S

  • Administrator
  • Hero Member
  • *****
  • Posts: 15651
    • http://www.taktmobiles.co.uk
Re: new repeated (low level) security alerts
« Reply #7 on: February 19, 2006, 04:36:59 PM »
Brynn,
If you have not already got it, can you please download
HijackThis.
After you have downloaded it and unzipped it, double-click HijackThis.exe, and hit "Scan".
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and then can you please post your logfile in the
HijackThis Logs forum.
Call it something like "my HijackThis log" in the Topic Title
and then put "referred by GR@PH;<'S" as the Topic Description.
Also, please can you include a link to this post for reference,
but please be patient; one of the HJT team will advise you what to do if needed.
GR@PH;<'S  :breakkie:
press Enter then have a Brandy then if the problem is still there have another Brandy
Q: does it work
A: It does seem to for a few hours at least.

Offline Brynn

  • Sr. Member
  • ****
  • Posts: 425
Re: new repeated (low level) security alerts
« Reply #8 on: February 19, 2006, 04:52:44 PM »
Yes, I have HijackThis.
Will post log per your instructions.
Although, it does not look like there is anything new in the log.
But anyway, THANK YOU, GR@PH;<'S  :)
"To sin by silence when they should protest makes cowards of men." - Abraham Lincoln

Offline mitch

  • Hero Member
  • *****
  • Posts: 729
Re: new repeated (low level) security alerts
« Reply #9 on: February 19, 2006, 05:07:41 PM »
hope i am not jumping in here
but on ewido...it is a 14 day trial and that is full coverage with its active protection (like ad-watch with aaw)


after 14 days it will be a good manual scanner and will manual update and be like the free aaw! BUT will catch a lot more of the bad boys. so play for 14 then just use it manually ;-D

Offline GR@PH;<'S

  • Administrator
  • Hero Member
  • *****
  • Posts: 15651
    • http://www.taktmobiles.co.uk
Re: new repeated (low level) security alerts
« Reply #10 on: February 19, 2006, 05:29:52 PM »
mitch,
I agree
then after that I recommend the use of SpywareGuard.

By the way, I do not mind; you can jump on my toes as and when you like, as I do not feel them  :hysterical:

GR@PH;<'S   :breakkie:
press Enter then have a Brandy then if the problem is still there have another Brandy
Q: does it work
A: It does seem to for a few hours at least.

Offline winchester73

  • Administrator
  • Hero Member
  • *****
  • Posts: 5125
  • Half a bubble off plumb
Re: new repeated (low level) security alerts
« Reply #11 on: February 20, 2006, 02:34:10 PM »
On Windows XP, svchost is a required system component ... it provides support to many required services.

You can see all the copies of svchost and what services they are running by doing this in XP Professional:

Start > Run and type cmd

Type tasklist /svc >c:\taskList.txt

I'm not sure the home edition has tasklist.  Once you see the list, you'll be able to figure out what is prompting the "alert".

This Microsoft article will explain more:  http://support.microsoft.com/?kbid=314056

Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member
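
An added example, not part of the original post, following the `tasklist /svc` suggestion above: it reads the CSV form of that listing (`tasklist /svc /fo csv`) and groups the hosted services by svchost.exe PID, so a firewall alert for the Generic Host Process can be narrowed to the services in one instance. The sample listing, PIDs and helper names are constructed for illustration.

```python
import csv
import io

# Constructed sample of `tasklist /svc /fo csv` output (not taken from the thread).
SAMPLE = '''"Image Name","PID","Services"
"System Idle Process","0","N/A"
"System","4","N/A"
"svchost.exe","856","DcomLaunch,TermService"
"svchost.exe","932","RpcSs"
"svchost.exe","1024","AudioSrv,BITS,Dhcp,Schedule,wuauserv"
"svchost.exe","1108","Dnscache"
"svchost.exe","2440","N/A"
"explorer.exe","1620","N/A"
'''

def parse_tasklist_svc(text):
    """Return {pid: (image_name, [services])}; columns are read by position
    so a localized header row does not matter."""
    rows = csv.reader(io.StringIO(text))
    next(rows, None)  # skip the header row
    procs = {}
    for row in rows:
        if len(row) < 3 or not row[1].strip().isdigit():
            continue  # ignore blank or malformed lines
        field = row[2].strip()
        services = [] if field in ("", "N/A") else [s.strip() for s in field.split(",")]
        procs[int(row[1])] = (row[0].strip(), services)
    return procs

def svchost_instances(procs):
    """Map each svchost.exe PID to the list of services it hosts."""
    return {pid: svcs for pid, (image, svcs) in procs.items()
            if image.lower() == "svchost.exe"}

def hosts_of(procs, service):
    """PIDs of the svchost.exe instances hosting a service (case-insensitive)."""
    wanted = service.lower()
    return sorted(pid for pid, svcs in svchost_instances(procs).items()
                  if wanted in (s.lower() for s in svcs))

def svchost_without_services(procs):
    """svchost.exe processes that host no service; these deserve a closer look,
    since svchost.exe exists to run services."""
    return sorted(pid for pid, svcs in svchost_instances(procs).items() if not svcs)

if __name__ == "__main__":
    listing = parse_tasklist_svc(SAMPLE)
    for pid, svcs in sorted(svchost_instances(listing).items()):
        print(pid, ", ".join(svcs) or "(no services)")
```
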



Offline SpyDie

  • The Spyware Cooker
  • Administrator
  • Hero Member
  • *****
  • Posts: 2045
    • The LandzDown Forum
Re: new repeated (low level) security alerts
« Reply #12 on: February 20, 2006, 05:49:41 PM »
Just a question, does Norton tell you what IP it was trying to access? Are you using a router?
Beta. Software undergoes beta testing shortly before it's released. Beta is Latin for 'still doesn't work.'

Offline illukka

  • Visiting Experts
  • Newbie
  • *****
  • Posts: 10
Re: new repeated (low level) security alerts
« Reply #13 on: February 20, 2006, 08:38:07 PM »
Just popped into my mind: did you happen to visit windowsupdate.com before the alert?

Offline Brynn

  • Sr. Member
  • ****
  • Posts: 425
Re: new repeated (low level) security alerts
« Reply #14 on: February 24, 2006, 12:33:17 PM »
Oh gosh, I was watching my thread in HT forum, and did not see the last 3 messages here.  Sorry for delay in responding.

While waiting, I've done some research and learned more about the Generic Host Process.  I came across the same instructions that winchester73 posted, to reveal which services are using svchost.exe, and I'm not sure if XP Home is able to do this.  When I go CMD > OK, the prompt which comes up says "C:\Documents and Settings\Owner\" or something close to that.  So it looks like it can only display files in my Docs and Settings.  Not sure if that's how the prompt is supposed to look??  Anyway, when I type as instructed, it comes back and says something like "Tasklist is not a recognized command" or something like that.  (I can get the specifics of all of this, just too lazy to look them up at the moment)

SpyDie, yes the alert gives that IP address (Remote Address?), which looks very much like an IP address which my service provider assigns me (which is slightly different every time I log on to the internet).  And no, not using a router, as I am a dialup user.

Illukka, I did visit Windows Update either just before or just after the alert.  I don't remember the exact day.  But I have the date of the alert, so if there is a way to find out what date I updated, we could know for sure.  However, I do not get automatic updates.  I let Windows Update tell me updates are ready, then I go and get them manually.  I'm not sure if that's where you're going with this question, or not.  But I don't think Windows Update was the source.

So, I've pretty much given up on the idea of learning what triggered the alert.  It still does seem strange to me, that whatever it was should trigger an alert in the first place, since svchost.exe already had access to the internet, for one.  And 2, why did it alert me when I was not connected to the internet, at the time?  Maybe this will just be one of those many mysteries which many of us live with, when playing with computers!  lol!  But seriously, since so many security scans turned up nothing, I'm no longer as worried about it as I was at first.  Although, as a mystery, I have to say, I will always be curious about it.
"To sin by silence when they should protest makes cowards of men." - Abraham Lincoln