svchost.exe connecting to the Internet

Discussion in 'Windows XP' started by Christer, 2004/04/01.

Thread Status:
Not open for further replies.
  1. 2004/04/01
    Christer

    Christer Geek Member Staff Thread Starter

    Joined:
    2002/12/17
    Messages:
    6,585
    Likes Received:
    74
    Hello all!

    All of a sudden c:\windows\system32\svchost.exe nags about connecting to the Internet. It says TCP inbound. The firewall recommends to permit.

    Anyone who knows what it's up to and if I should allow it permanently in the firewall?

    Thanks for Your time,
    Christer
     
  2. 2004/04/01
    mommacache

    mommacache Inactive

    Joined:
    2004/03/20
    Messages:
    7
    Likes Received:
    0
    There's a back door trojan out there that uses svchosts.exe. It's called sdbot. Check your machine for trojans and viruses. That may help.

    Good luck.
     

  4. 2004/04/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    The path is correct for svchost and it is a valid process. I would check to see what the already running svchost processes are doing, then allow it and see what it's doing. If you haven't seen it already, see this thread.
     
  5. 2004/04/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    From Symantec, sdbot copies itself as svchosts.exe in the C:\windows\system or C:\WINNT\system32.
     
  6. 2004/04/01
    Christer

    Christer Geek Member Staff Thread Starter

    Joined:
    2002/12/17
    Messages:
    6,585
    Likes Received:
    74
    Hello guys,
    thanks for Your replies!

    I knew about scvhost.exe and checked that there was no odd spelling in TaskManager. svchosts.exe was new to me, though but none to be seen.

    I ran Ad-aware and SpybotS&D but they didn't find anything.

    In the last week or two I had downloaded and installed a few applications that I, after some thought, didn't want to keep. I restored to a state when the computer was clean, using a Ghost Image created after a fresh installation and the first thing to try to connect to the Internet was svchost.exe. It even beat Symantec Live Update and Windows Update to it.

    That's when I decided to ask ...... :confused: ...... !

    I'll try the command prompt thingy to find out ...... :rolleyes: ...... if I can find anything out!

    Christer
     
  7. 2004/04/01
    Christer

    Christer Geek Member Staff Thread Starter

    Joined:
    2002/12/17
    Messages:
    6,585
    Likes Received:
    74
    Well, I went to the command prompt thingy and was looking at the tasklist when svchost.exe wanted to connect. I allowed it and typed the command again.
    No difference in the new list and nothing that makes me suspicious.

    Neither in TaskManager does anything get added when it connects.

    When it finally p*i*s*s*e*s me off, I think I'll allow it permanently.

    Christer

    By the way, since Symantec recommends to allow, why haven't they included it in the "automatic configuration list"?
     
  8. 2004/04/01
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    I just ran a list of what I have running under svchost.exe
    Code:
    svchost.exe                  940 RpcSs                                        
    svchost.exe                 1052 AudioSrv, CryptSvc, Dhcp, ERSvc,             
                                     EventSystem, helpsvc, Irmon, lanmanserver,   
                                     lanmanworkstation, Messenger, Netman, Nla,   
                                     RasMan, Schedule, seclogon, SENS,            
                                     ShellHWDetection, srservice, TapiSrv,        
                                     TermService, TrkWks, uploadmgr, w32time,     
                                     winmgmt, WmdmPmSp                            
    svchost.exe                 1216 Dnscache                                     
    svchost.exe                 1248 LmHosts, RemoteRegistry, SSDPSRV, WebClient
    I can see several right off hand that would try to talk to places outside my PC and depending on your network, very possibly to the internet.
     
  9. 2004/04/02
    Christer

    Christer Geek Member Staff Thread Starter

    Joined:
    2002/12/17
    Messages:
    6,585
    Likes Received:
    74
    This is what I have running:

    Code:
    svchost.exe                  708 RpcSs
    svchost.exe                  752 AudioSrv, CryptSvc, Dhcp, EventSystem,
                                     FastUserSwitchingCompatibility, helpsvc,
                                     lanmanserver, lanmanworkstation, Netman,
                                     Nla, Schedule, SENS, ShellHWDetection,
                                     TermService, Themes, W32Time, winmgmt,
                                     wuauserv
    svchost.exe                  804 Dnscache
    svchost.exe                 1908 stisvc
    ...... :rolleyes: ...... and I clearly remember having disabled FastUserSwitching ...... :p ...... but I have now!

    Christer
     
    Last edited: 2004/04/02
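
As an added example (not code posted by anyone in this thread), the Python below parses `tasklist /svc` output of the form shown in the two posts above, joining the wrapped service lines per PID, and applies the two checks raised earlier in the thread: the image name is spelled exactly svchost.exe, and it sits in the system32 folder. The function names, the 0.8 similarity threshold and the default `system_root` are assumptions of this example; the image path has to come from another source, such as the firewall prompt.

```python
import ntpath
import re
from difflib import SequenceMatcher

# Sample input: the `tasklist /svc` excerpt posted above in this thread.
SAMPLE = """\
svchost.exe                  708 RpcSs
svchost.exe                  752 AudioSrv, CryptSvc, Dhcp, EventSystem,
                                 FastUserSwitchingCompatibility, helpsvc,
                                 lanmanserver, lanmanworkstation, Netman,
                                 Nla, Schedule, SENS, ShellHWDetection,
                                 TermService, Themes, W32Time, winmgmt,
                                 wuauserv
svchost.exe                  804 Dnscache
svchost.exe                 1908 stisvc
"""

# A process row starts in column 0: image name, PID, first services.
ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")

def parse_tasklist_svc(text):
    """Return {pid: (image, [services])}, joining wrapped service lines."""
    procs, last = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            last = int(m.group(2))
            procs[last] = (m.group(1), [])
            rest = m.group(3)
        elif line[:1].isspace() and last is not None:
            rest = line  # indented continuation of the previous row
        else:
            continue  # header, separator or blank line
        procs[last][1].extend(s.strip() for s in rest.split(",") if s.strip())
    return procs

def classify_image(path, system_root=r"C:\Windows"):
    """Return 'genuine', 'wrong-directory', 'lookalike-name' or 'unrelated'."""
    folder, name = ntpath.split(ntpath.normcase(path))
    if name == "svchost.exe":
        expected = ntpath.normcase(ntpath.join(system_root, "system32"))
        return "genuine" if folder == expected else "wrong-directory"
    # Near-miss spellings (extra letter, swapped letters) score close to 1.0.
    close = SequenceMatcher(None, name, "svchost.exe").ratio() >= 0.8
    return "lookalike-name" if close else "unrelated"
```
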
  10. 2004/04/02
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
  11. 2004/04/04
    Christer

    Christer Geek Member Staff Thread Starter

    Joined:
    2002/12/17
    Messages:
    6,585
    Likes Received:
    74
    Newt,
    thanks for Your analysis!

    I would expect a time sync once a week, not several times a day and it has never bothered the firewall before.

    I had a look at stisvc in Task List Programs and learned about the connection to scanners. Mine works fine and does not suffer from the "HP issue" mentioned on that site.

    DHCP is probably the culprit. I traced the IP# to a Swedish broadband company. Not my own ISP but I don't know how/if they cooperate.

    I have configured the Services according to Black Viper's recommendations and he recommends Manual for that one. It is started though so, since I don't need it, I'll disable it to see what happens.

    Christer
     
  12. 2004/04/04
    Christer

    Christer Geek Member Staff Thread Starter

    Joined:
    2002/12/17
    Messages:
    6,585
    Likes Received:
    74
    When I went to disable Terminal Services, the "status buttons" were all greyed out. I couldn't stop the service before disabling it. I disabled it anyway and rebooted.
    It worked and is now disabled but I have never seen all the "status buttons" greyed out before.

    It has happened, though, that a service (don't remember which) objected to being stopped. I watched the progress bar for quite a while and in the end the service wasn't stopped. I used the same remedy as above with the same result.

    Christer
     
  13. 2004/04/15
    Christer

    Christer Geek Member Staff Thread Starter

    Joined:
    2002/12/17
    Messages:
    6,585
    Likes Received:
    74
    The firewall (Norton 2003) has automatically configured Internet access for Microsoft Generic Host Processes for Win32 Services which was done immediately when the firewall had been installed.

    The "new" instance of the same (my understanding of it), which hasn't been automatically configured for internet access has to ask permission all the time and when I set the firewall to "block all", the automatically configured Internet access is changed from automatic to "block all".

    I wonder why two apparently different processes share the same firewall settings?

    I have used Visual Tracking to see where the attempts to connect to my computer originates and it is from all over the world and the common denominator is that all are network companies or network related.

    I wonder what they want with my computer?

    For now, I have "blocked all" Internet access and wonder if that is wise?

    ...... :confused: ...... Christer ...... :confused: ......
     
    Last edited: 2004/04/15