Q: Generic host process for Win32 Services


PacMan

Hi there,

I seem to have almost continuous activity going on, Internet-wise.
Zone Alarm informs me that this is generic host processes for Win32.

My question is: is this innocent communication between the computer
and the ADSL modem, or is there some Trojan which has fooled Zone
Alarm into thinking it's a legitimate process?

In addition to the products below, I also recently installed and
updated the free version of AVG, which also found nothing to report.

Am I just being paranoid, or do I have something to worry about?

I have Spybot Search and Destroy, resident enabled. I have Java Cools
Prerelease installed.
I'm running Zone Alarm Security Suite 6.5.737.000, Anti Virus Vet
engine 11.91.1.000 DAT version 11.9.10088.000, antispyware engine
5.0.83.0 DAT version 01.200612.585

Computer is Windows XP SP 2, automatic updates configured to tell me
whether I need to download and install.

I use an old version of MS Outlook for mail, Firefox 1.5.0.8 and
Internet Explorer 6.0.2900.2180.xpsp_sp2_gdr.050301-1519IS.
 
PacMan said:
Hi there,

I seem to have almost continuous activity going on, Internet-wise.
Zone Alarm informs me that this is generic host processes for Win32.

ZA, oh Lord :(
My question is: is this innocent communication between the computer
and the ADSL modem, or is there some Trojan which has fooled Zone
Alarm into thinking it's a legitimate process?

What is svchost.exe (generic host processes for Win32), which is the
messenger for the O/S programs and other non O/S programs to allow
communications, trying to connect to IP wise? Svchost.exe does nothing
on its own. It does it on the behalf of other programs that want to
communicate to the Internet WAN - Wide Area Network or with other
machines in a LAN, Local Area Network, situation. There can be several
svchost.exe(s) running too.

If svchost.exe is not running out of c:\windows\system32, then it's a
Trojan.
In addition to the products below, I also recently installed and
updated the free version of AVG, which also found nothing to report.

Am I just being paranoid, or do I have something to worry about?

I can't say you're being paranoid, but you may be overreacting,
possibly. However, malware can use svchost.exe on its behalf to
communicate as well. So you always must be aware of what svchost.exe is
connecting to and who is doing the asking.

None of the solutions you're talking about can really tell you what's
happening on the machine, and those solutions can be defeated by malware.

You have got to look for yourself from time to time with tools that are
going to allow you to *look*, for yourself.

The tools in the link will allow you to look and they are (free).

Long
http://www.windowsecurity.com/artic...d_Rootkit_Tools_in_a_Windows_Environment.html

Short
http://tinyurl.com/klw1

For a machine that has a direct connection to the modem, then you should
try to harden the XP O/S to attack as much as possible, like remove
Client for MS Network and MS File and Print Sharing off of the NIC or
dial-up connection. You have no need to be in any networking situation
with a computer that has a direct connection to the modem, with the
computer having a direct connection to the Internet, none period.

There are other things in the link you can do as well to harden the NT
based O/S to attack.

http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm
 
PacMan said:
Hi there,

I seem to have almost continuous activity going on, Internet-wise.
Zone Alarm informs me that this is generic host processes for Win32.

My question is: is this innocent communication between the computer
and the ADSL modem, or is there some Trojan which has fooled Zone
Alarm into thinking it's a legitimate process?

Process explorer will tell you much more than the default windows task
manager about what each process, including each instance of svchost.exe, is
doing.
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx
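The two checks recommended above, Mr. Arnold's "is every svchost.exe running out of c:\windows\system32, and what is it connecting to on whose behalf?" and the Process Explorer suggestion of seeing what each instance is actually doing, can be scripted. The following PowerShell is an added example written for this thread; it is not code from any poster or from the linked tools. It assumes Windows 8 or later with PowerShell 3+ (for Get-CimInstance and Get-NetTCPConnection) and an elevated prompt, since some process details are hidden otherwise.

```powershell
# Added example, not from the thread. Audits every running svchost.exe:
# image path, parent process, Authenticode signature, hosted services and
# established TCP connections. Assumes Windows 8+/PowerShell 3+ and an
# elevated prompt (otherwise some process details are hidden).

function Get-SvchostAudit {
    $expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

    foreach ($proc in Get-CimInstance Win32_Process -Filter "Name='svchost.exe'") {
        $path = $proc.ExecutablePath

        # A legitimate instance is started by services.exe, runs from System32
        # and carries a valid Microsoft signature.
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($proc.ParentProcessId)"
        $sig = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }

        # Which services this instance hosts: this answers "who is doing the asking".
        $services = (Get-CimInstance Win32_Service -Filter "ProcessId=$($proc.ProcessId)").Name

        # Remote endpoints this instance is currently connected to.
        $remote = Get-NetTCPConnection -OwningProcess $proc.ProcessId -State Established -ErrorAction SilentlyContinue |
                  ForEach-Object { '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort }

        [pscustomobject]@{
            PID         = $proc.ProcessId
            Parent      = if ($parent) { $parent.Name } else { '<exited>' }
            Path        = $path
            PathOK      = ($path -ieq $expectedPath)
            Signature   = $sig
            Services    = ($services -join ', ')
            Established = ($remote -join ' ')
        }
    }
}

# Print the table with the rows that fail any check (wrong path, parent not
# services.exe, or signature not Valid) sorted to the top.
Get-SvchostAudit |
    Sort-Object { $_.PathOK -and $_.Parent -eq 'services.exe' -and $_.Signature -eq 'Valid' } |
    Format-Table -AutoSize
```

The number of svchost.exe instances is not a useful signal on its own: the "up to 3" seen on XP grew to dozens on Windows 10, which hosts most services in their own instance. What matters is that each one runs from System32, was started by services.exe, carries a valid signature, and that the services it hosts plausibly explain the remote endpoints it is talking to.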
 
It was round about Sat, 02 Dec 2006 13:28:47 GMT, when the famed Mr.
Arnold6 of the dreaded EarthLink Inc. -- http://www.EarthLink.net was
struck by a sudden insight:
ZA, oh Lord :(

There's something I should know?

[..]
If svchost.exe is not running out of c:\windows\system32, then it's a
Trojan.

Running out of correct location, up to 3 instances operational.

[..]
You have got to look for yourself from time to time with tools that are
going to allow you to *look*, for yourself.

The tools in the link will allow you to look and they are (free).

[..]

Thanks for the links: appreciated. I didn't find any that were free
when they discovered an infection though.
Oh well, Spyware Doctor has removed Ranky, which Symantec claims is a
very low risk, and few infections discovered in the wild.

ObZoneAlarm: I changed from Norton since Norton Internet Security
seemed to slow certain things down significantly. Perhaps I should
change back? Or go Kaspersky?
 
PacMan said:
It was round about Sat, 02 Dec 2006 13:28:47 GMT, when the famed Mr.
Arnold6 of the dreaded EarthLink Inc. -- http://www.EarthLink.net was
struck by a sudden insight:

There's something I should know?

Don't count on ZA too much
[..]
If svchost.exe is not running out of c:\windows\system32, then it's a
Trojan.

Running out of correct location, up to 3 instances operational.

[..]
You have got to look for yourself from time to time with tools that are
going to allow you to *look*, for yourself.

The tools in the link will allow you to look and they are (free).

[..]

Thanks for the links: appreciated. I didn't find any that were free
when they discovered an infection though.

The point is they can miss a whole lot of things, which you should look
around for yourself and not depend totally on such solutions, with the
tools in the link. You do the determination and detection from time to time.
 