Upon doing some research, I have found that svchost.exe is essential to have, but at the same time very commonly a trojan/virus. How do I distinguish which is which? On the firewall, I find multiple connections, and I’m not sure which connections to terminate (or whether I should terminate them at all). All I found is a listening port; I have not found what IP it is coming from, or whether it is mine.
On what grounds do you base this? Currently I have 12 svchost entries with “Show processes of all users” being enabled in Task Manager.
Don’t spread any panic. Eric gave Megamouth enough information to see for himself whether his system is compromised or not.
Another way to find out whether svchost is kosher or not is to run Process Explorer instead of Task Manager. Set it to verify image signatures under Options. Svchost is digitally signed; this way it can be recognised whether it is safe or not.
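The same check that Process Explorer does with "Verify Image Signatures", scripted as an added example (not from this thread): it lists every running svchost.exe with its path, its Authenticode status, the services it hosts and the TCP ports it listens on, so a suspicious instance or an unexpected listener stands out. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated PowerShell session so that all users' processes are visible.

```powershell
# Added example: audit every svchost.exe instance on the box.
# Assumes Windows 8+/Server 2012+ (Get-NetTCPConnection) and an elevated session.
$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Listening TCP sockets grouped by owning PID (keys are strings).
$listeners = Get-NetTCPConnection -State Listen |
    Group-Object -Property OwningProcess -AsHashTable -AsString

# Services grouped by the PID that hosts them (what "tasklist /svc" shows).
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

foreach ($p in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
    $pathOk = $false; $sigStatus = 'NoPath'; $signer = ''
    if ($p.Path) {
        # A genuine instance runs from %SystemRoot%\System32; a same-named
        # file anywhere else deserves a closer look.
        $pathOk = ($p.Path -ieq $expected)
        $sig = Get-AuthenticodeSignature -FilePath $p.Path
        $sigStatus = [string]$sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    $key = [string]$p.Id
    $svcNames = if ($services[$key]) { @($services[$key].Name) -join ',' } else { '' }
    $ports = if ($listeners[$key]) {
        @($listeners[$key].LocalPort | Sort-Object -Unique) -join ','
    } else { '' }
    # Path, valid signature and a Microsoft signer must all line up.
    $ok = $pathOk -and ($sigStatus -eq 'Valid') -and ($signer -like '*Microsoft*')

    [pscustomobject]@{
        PID         = $p.Id
        Path        = $p.Path
        PathOk      = $pathOk
        Signature   = $sigStatus
        Signer      = $signer
        Services    = $svcNames
        ListenPorts = $ports
        Verdict     = if ($ok) { 'OK' } else { 'INVESTIGATE' }
    }
}
```

Pipe the output to Format-Table -AutoSize; a firewall hit on svchost.exe can then be tied to the listed service and port rather than to the generic process name.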
Ok, thanks guys. When I went to Task Manager > Processes > Show file location, all 15 processes led to the same file. When I scanned it, it was the valid one.
However, one more question. I keep on getting intrusion attempts on my firewall from other svchost.exe processes, and none are from my IP address. I blocked them, of course; however, there are a few incoming connections that I “accidentally” allowed. How do I know if they are trojans, since I cannot see the host IP?
Now that you mention it, yes I do. uTorrent uses that port, and it is open on my firewall router to ensure better d/l speeds. One of the later “intrusions” was 65.55.158.80, which I found through http://who.is/whois/ belongs to Microsoft. Is there any way to unblock a file from a specific IP?
I base this on a stock Windows XP install: there are only 7 or 8 svchosts on my system (going by my memory). I assumed that this would be the same across the board for all XP users… I have 5 svchosts running now because I’ve disabled any service I don’t use.
Btw, with uTorrent traffic the logs should show “Windows Operating System” being blocked.
@Kyle. I am on Win 7 beta with no services disabled. I guess there may be a difference between Vista/Win7 on the one hand and XP on the other hand.
As Kyle states it is odd that the incoming traffic hits svchost and not System. Can you show us your Global Rules? Can you also show us your logs again but now with the path of the receiving Application fully visible?
NetRange: 78.0.0.0 - 78.255.255.255
CIDR: 78.0.0.0/8
NetName: 78-RIPE
NetHandle: NET-78-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: SUNIC.SUNET.SE
NameServer: NS.LACNIC.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at Webupdates — RIPE Network Coordination Centre
RegDate: 2006-08-29
Updated: 2006-09-07
Kinda funny, because whenever I restart my computer, a new consecutive set of intrusions comes from a different company. Same target. It’s been over 60 intrusions and my computer has been on for scarcely 15 min.
Windows Media Player Multicasting? SSDP Network Discovery? uPnP? I know what they are, but how do you check if they are enabled?
According to Microsoft:
All key features in Windows Media Player are enabled by default. However, each can be disabled through Tools\Options in Windows Media Player, through the use of Group Policy,
This is for WMP 9, which I was reading (this should apply for versions 9-11) :)
If you’d like to read about controlling some of these features, you can read it here:
http://technet.microsoft.com/en-us/library/bb457180.aspx
I’ve read that multicasting is NOT enabled by default, you must manually enable it