Eternal svchost security alerts

I have been experiencing never ending security alerts regarding svchost every time I connect to the Internet.
I have the choice of either allowing or denying one time only but there is no check box to always allow or always deny.
Can a kind member please help me fix this annoyance?
I have enclosed a picture of 1 of the alerts.
Thank you.

G’day eddiebubble and welcome to the forums.

If you have a close look at the alert, you’ll see that it’s saying that SVCHOST.EXE on your PC is trying to act as a server in response to a request from an external IP on port 138, which is used for MS networking.

The reason that there is no REMEMBER option for this is because you really don’t want this to be remembered.

Without further info, I would think that you have some form of malware on your PC that is attempting to create a connection to an outside address. I would recommend that you download HijackThis, run it and generate a log and attach the log file to a reply to this post. Hijack This examines your system and records all components that are set to start automatically on your system.

Hijack This can be downloaded from http://www.spywareinfo.com/~merijn/programs.php

Hope this helps,
Ewen :)

Hello Ewen,

Thank you for your prompt reply. I have attached a Hijack This log file as you suggested:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 15:37:26, on 01/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Opera\Opera.exe
C:\Downloads\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM..\Run: [COMODO Firewall Pro] “C:\Program Files\Comodo\Firewall\CPF.exe” /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188199555812
O17 - HKLM\System\CCS\Services\Tcpip..{6F3FE18B-46B2-433D-8FE3-5BA515197CD5}: NameServer = 194.168.4.100 194.168.8.100
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe


End of file - 3400 bytes

Putting in my two centi-quatloos…

I’m presuming that your computer is connecting thru a modem, and not a NAT/router, as a router should block unrecognized traffic like that which you’re seeing.

The IP address in the screenshot is 86.30.1.36, which is an adsl customer address for ntlworld.com.
In your HJT log, I notice that your nameservers are 194.168.4.100 and 194.168.8.100, which appear to be caching nameservers for ntli.net (NTL International, UK).

If you are an NTL UK customer, then there would seem to be a strong chance that you're getting queries from some other NTL customer who has a badly misconfigured, or infected, machine. In which case, bringing it to the attention of the NTL folks would be something to do.

With the caveat that I’m not a practiced HJT examiner, I’m not seeing any problems with your HJT log. Only that you’ve used the now obsolete 2.0.0 Beta version. The current 2.0.2 version is available from http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis, or from the trendmicro.com home page and follow the links. Your HJT log is actually remarkably straightforward, in comparison to a number of logs that I’ve seen.
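
Added example, not part of any post in this thread: a small Python sketch of the triage done above, pulling the O17 nameservers and the O23 service entries out of a HijackThis log. The sample input is a five-line excerpt of the log posted earlier; the function names are made up for this illustration.

```python
import re
from collections import defaultdict

# Excerpt of the HijackThis log posted in this thread (a few lines only).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O17 - HKLM\System\CCS\Services\Tcpip..{6F3FE18B-46B2-433D-8FE3-5BA515197CD5}: NameServer = 194.168.4.100 194.168.8.100
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")                   # "O23 - <body>"
SERVICE = re.compile(r"^Service: (.+?) - (.+?) - ([A-Za-z]:\\.+)$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_hjt(text):
    """Group log entries by HijackThis section code (R0, O4, O17, O23, ...)."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return dict(sections)

def nameservers(sections):
    """IPv4 resolvers listed in O17 'NameServer =' entries."""
    found = []
    for body in sections.get("O17", []):
        if "NameServer" in body:
            found.extend(IPV4.findall(body.split("=", 1)[1]))
    return found

def services(sections):
    """(name, publisher, path) for each O23 service entry."""
    out = []
    for body in sections.get("O23", []):
        m = SERVICE.match(body)
        if m:
            out.append(m.groups())
    return out

def unknown_owner(sections):
    """Services listed as 'Unknown owner': a prompt for a manual check, not a verdict."""
    return [s for s in services(sections) if s[1].lower() == "unknown owner"]
```

The nameserver list is what gets compared against the owner of the address shown in the firewall alert; that lookup (whois) is done by hand and is not part of this sketch.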

Thanks grue155 - spot on with your analysis.

It would appear that there are attempted LAN connections from within the NTLI boundaries. As suggested, please raise this with the NTI support staff.

Ewen:-)

Thank you to Grue and Ewen for taking your time to help me. Happy November and I will raise this matter with NTL as suggested. Thanks again.