Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Svchost Trying To Accepts Connections From Internet


  • Please log in to reply
4 replies to this topic

#1 English Teacher

English Teacher

  • Members
  • 199 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Salerno, Italy
  • Local time:03:06 AM

Posted 30 September 2008 - 02:46 AM

Hi,
I have ZoneAlarm Pro and an alert window has just poped up:
Generic Host Process for Win32 Services wants to accept connections from the internet
Identification: None
Application: svchost.exe
Source IP: 93.145.29.66:Port 60829

I have uploaded svchost, which is in C:\Windows\System32, to virustotal.com It was scanned with 36 AVs but nothing was detected.
Is it OK to allow this connection or not?
Thanks
It is better to remain silent and be thought a fool than to speak and remove all doubt.
Never argue with stupid people, they'll just bring you down to their level and beat you with experience.
If at first you do succeed, try not to look surprised.

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,069 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:06 PM

Posted 30 September 2008 - 07:40 AM

Svchost.exe is a generic host process name for a group of services that are run from dynamic-link libraries (DLLs) and can run other services underneath itself. This is a valid system process that belongs to the Windows Operating System which handles processes executed from DLLs. It runs from the registry key, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost where details of the services running under each instance of svchost.exe can be found. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load.

It is not unusual for multiple instances of Svchost.exe running at the same time in Task manager in order to optimize the running of the various services.

svchost.exe SYSTEM (there can be more than one listed)
svchost.exe LOCAL SERVICE
svchost.exe NETWORK SERVICE (there can be more than one listed)

Each Svchost.exe session can contain a grouping of services, therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging. The process ID's (PID's) are not static and can change with each logon but generally they stay nearly the same because they are running services all the time. The PID's must be checked in real time to determine what services each instance of svchost.exe is controlling at that particular time.

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file like svchost.exe. However, it then places itself in a different location on your computer. In XP, the legitimate Svchost.exe file is located in your C:\WINDOWS\system32\ folder.

Other legitimate copies can be found in the following folders:
C:\I386
C:\WINDOWS\ServicePackFiles\i386\
C:\WINDOWS\$NtServicePackUninstall$\
C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf

If svchost.exe is running as a startup (shows in msconfig), it can be bad as shown here and here. Make sure the spelling is correct. If it's scvhost.exe, then your dealing with a Trojan.

There are several ways to investigate svchost.exe and related processes. First, see "How to determine what services are running under a Svchost.exe process" using Proces Explorer.

Note: Process Explorer shows two panes by default: the upper pane is always a process list and the bottom pane either shows the list of DLLs loaded into the process selected in the upper pane, or the list of operating system resource handles (files, Registry keys, synchronization objects) the process has open. In the menu at the top select View > Lower Pane View to change between DLLs and Handles.

You can also download and use AnVir TaskManager Free or System Explorer to investigate all running processes and gather additional information to identify and resolve problems. These tools will show the process CPU usage, a description and its path location. If you right-click on the file in question and select properties, you will see more details about the file.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 image

image

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:10:06 PM

Posted 30 September 2008 - 09:11 AM

Very Nice explanation. :thumbsup:

#4 English Teacher

English Teacher
  • Topic Starter

  • Members
  • 199 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Salerno, Italy
  • Local time:03:06 AM

Posted 30 September 2008 - 12:29 PM

I'd like to thank you very much "quietman7" you, as already said, have given a very good explanation.
I have downloaded and run the Process Explorer and uploaded everything in the system32 folder which was said to be running. Everything came back clean.

Once again thank you for your help
It is better to remain silent and be thought a fool than to speak and remove all doubt.
Never argue with stupid people, they'll just bring you down to their level and beat you with experience.
If at first you do succeed, try not to look surprised.

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,069 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:06 PM

Posted 30 September 2008 - 12:37 PM

You're welcome.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users