#1
Hi all,
On one of my PC's, when I login to desktop (XP Pro SP2) I receive several (approximately 8 ) outbound traffic - internet alerts from ESS (in interactive mode). This happens everytime I reboot the PC. The request is for an application called "Generic Host Process for Win32 Services" and the publisher is "Microsoft Windows Publisher". The remote port is always 123 (ntp) but the remote computer's host name and IP address vary with each of the 8 to 10 alerts being for different hosts with the same remote computers appearing every time, but sometimes different ones appear as well. I have been denying these requests to be safe. I'm worried that this might be some kind of spyware or malware infection - just thought I'd ask here first. Many thanks in advance for any advice. Cheers, Steve. |
#2
Some of the IPs are ... ?
A screenshot is much appreciated.
#3
xtal.pulsewidth.org.uk (80.82.141.70)
ntp4.ja.net (193.62.22.82)
admin.curacao.bitfolk.com (212.13.194.71)
ginny.provu.co.uk (213.2.4.70)
noisebox.positive-dedicated.net (80.87.128.243)
lyla.preshweb.co.uk (83.170.75.28)
eu1.develooper.com (84.45.68.23)
ntpt1.core.theplanet.net (195.92.137.112)
dns0.rmplc.co.uk (194.238.48.2)
dns1.rmplc.co.uk (194.238.48.3)
I've never heard of most of these domains - except rmplc.co.uk, which is Research Machines. I hope this info helps - if you need a screenshot, can someone please advise me how to post it here. Many thanks, Steve.
#4
Download ESET SysInspector
Windows 2000, XP, Server 2003 and Vista (32-bit): http://download.eset.com/download/sy...sInspector.exe
Windows XP, Server 2003 and Vista (64-bit): http://download.eset.com/download/sy...sInspector.exe
Start the program. Go to File > Save Log and choose to save a log somewhere. Confirm your wish. Now that you have the file, send it to ESET Technical Support (support@eset.com); you might be infected. All these IPs ... I guess svchost.exe should not attempt connections to them. Block the connections so that you remain safe.
#5
For remote port 123 and "Generic Host Process for Win32 Services" (svchost.exe) you can set:
protocol: UDP
remote port: 123
remote IP: time.windows.com (207.46.130.100)
The other attempts on port 123 you can block... unless you use another server for time synchronization.
Last edited by wrathchild : March 27th, 2008 at 05:46 PM.
#6
Do not respond when the firewall blocks the traffic, to hang the application, then:
Use Process Explorer from the Microsoft website to see if any weird tasks are running... that program is very easy to use... it will also tell you what child tasks are under each parent, i.e. what all the svchost.exe's are doing... if you leave it up long enough you can watch programs start and stop - it shows you the entire tree... HijackThis is another good one... Also you could use Wireshark to see the IP packets leaving your PC... are they really NTP or something else? The generic response to anything you are not 100% sure of is DENY... if it keeps coming up, google the IP, service or anything else you can find to see what it is... use Process Explorer if you have to, to see what tasks are firing up...
__________________
SS
Monitor: 24" Samsung 245bw LCD, CPU: i7 975 @ 4.2GHz, Motherboard: EVGA x58c, RAM: Corsair TR3X6G1866C7GTF
Last edited by shansmi : March 27th, 2008 at 09:45 PM.
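A check along the lines of what shansmi suggests with Wireshark ("are they really NTP or something else?"), written as an added Python example that is not from this thread: it parses the first byte of the NTP header (RFC 5905) of an outbound UDP payload to port 123 and only treats a well-formed client request (mode 3, version 1-4) as clock-sync traffic. The two hostnames are taken from the thread; `example.invalid` and all payloads are constructed samples.

```python
from dataclasses import dataclass

NTP_PORT = 123
NTP_HEADER_LEN = 48  # fixed RFC 5905 header; an auth MAC may follow it

@dataclass
class NtpVerdict:
    is_ntp: bool
    reason: str
    version: int = 0
    mode: int = 0

def classify_udp_payload(payload: bytes) -> NtpVerdict:
    """Does this outbound UDP datagram look like a real NTP/SNTP client request?"""
    if len(payload) < NTP_HEADER_LEN:
        return NtpVerdict(False, f"only {len(payload)} bytes, NTP header is 48")
    first = payload[0]
    version = (first >> 3) & 0x7  # bits 2-4 of byte 0: protocol version (1-4)
    mode = first & 0x7            # bits 5-7: 3 = client, 4 = server, 7 = private
    if version not in (1, 2, 3, 4):
        return NtpVerdict(False, f"NTP version {version} is not valid", version, mode)
    if mode != 3:
        return NtpVerdict(False, f"mode {mode} is not a client request", version, mode)
    return NtpVerdict(True, "NTP/SNTP client request", version, mode)

def build_sntp_client_request(version: int = 3) -> bytes:
    """Constructed sample: minimal 48-byte SNTP query (LI=0, VN=version, mode 3)."""
    return bytes([(version << 3) | 3]) + b"\x00" * (NTP_HEADER_LEN - 1)

def triage_flows(flows):
    """Apply the check to (host, port, payload) records; returns (host, decision) pairs."""
    out = []
    for host, port, payload in flows:
        if port != NTP_PORT:
            out.append((host, f"deny: port {port} is not NTP"))
            continue
        v = classify_udp_payload(payload)
        out.append((host, ("allow" if v.is_ntp else "deny") + f": {v.reason}"))
    return out

if __name__ == "__main__":
    sample = [  # constructed flows: hostnames from the thread plus a placeholder host
        ("time.windows.com", 123, build_sntp_client_request()),
        ("ntp4.ja.net", 123, build_sntp_client_request(4)),
        ("example.invalid", 123, b"GET /x HTTP/1.0\r\n" + b"\x00" * 31),  # not NTP
        ("example.invalid", 123, b"\x24" + b"\x00" * 47),  # a server reply, not a query
    ]
    for host, decision in triage_flows(sample):
        print(f"{host}: {decision}")
```

A 48-byte packet that passes this check can still carry something other than time data, so a deny-by-default rule plus the single allowed time server, as wrathchild describes, remains the safer configuration.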
#7
Stevenoon, do you have Windows Live Messenger installed? This program does have a tendency to try and contact all sorts of websites for advertising and promotion.