Only for the last few days, this has started popping up when I restart my computer, and sometimes while it's running. I want to know why it is all of a sudden coming up now? Can anyone tell me if I should allow it? And what is it? Thanks
Have you made any recent changes to your system (updates, applications)? You can block this from accessing the Internet and block Internet server. You can allow for the trusted zone or leave to prompt. Regards, CrazyM
The only changes I can remember making within the last few months are installing PaintShop, PhotoShop, and Picasa. And the first two were installed almost a month ago, and this generic host has only been popping up for the last few days. I don't remember any applications or updates, unless they are automatic. So it is not important that I allow it? If not I will block it. Thank you!
Port 135 is Microsoft's DCE Locator service, aka end-point mapper. Can you access your firewall's "listening state"? In Kerio, it's showing svchost listening on port 135, aka epmap (endpoint mapper). It's also what RPC/DCOM listens on. It was also used for NETBIOS. That alert box doesn't give much information - what shows when you click Properties? Is there a remote IP address? Protocol? (TCP or UDP) What does your log show? What is suspicious is the "acting as server" notification. Trojans will install a backdoor server to try and connect out TCP. For instance, it was the port used by w32/blaster. Without more info (and not knowing ZA) I would post to your ZA forum for more analysis. Or post to http://www.dslreports.com/forum/security,1 Port 135 is certainly not a port to permit access in or out without knowing what's going on. regards, -rich
Here is what shows when I click properties. If you want me to click one of the other tabs, let me know.
That's the properties of svchost. I guess your alert box doesn't provide additional information. Please post this question to the DSL Security forum - the link I put in my post. Some ZA users over there can direct you further. regards, -rich
Yes, I just tried it, and it will not do anything. In other words, I click it, and it just sits there, no info. comes up.
OK, ZA is doing its job with the alert. I would deny it until you get more info. Does ZA have a forum? If not, post to the DSL forum. Hope you get it sorted out! Post back when you do - it's a curious situation... regards, -rich
It is quite normal on NT based systems to see svchost.exe listening on TCP port 135. The fact it is establishing a listening connection is why ZA indicated it is trying to "act as a server". DCE endpoint resolution (epmap) is something that should be blocked from/to the Internet. So block Internet and block Internet Server. As I noted above you can allow this for the trusted/local zone, leave it to prompt or block. If you choose to block it in the trusted/local zone just watch things for awhile in the event something does not work as expected that may require it. Regards, CrazyM
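An added example, not part of any post in this thread: one way to check from the command line which process owns the TCP port 135 listener, by parsing `netstat -ano` and `tasklist /svc` output. The sample output is constructed, and treating "svchost.exe hosting RpcSs or RpcEptMapper" as the normal owner is this example's assumption.

```python
import re

# Constructed samples of `netstat -ano` and `tasklist /svc` output (not from the thread).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1032
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:1135      10.0.0.5:135           ESTABLISHED     2468
"""
TASKLIST = """\
Image Name                   PID Services
========================= ====== ============================
System                         4 N/A
svchost.exe                 1032 RpcSs
"""
# Example's assumption: epmap lives in an svchost.exe hosting RpcSs or RpcEptMapper.
RPC_SERVICES = {"rpcss", "rpceptmapper"}

def parse_tasklist(text):
    """Map PID -> (image name, [hosted services]) from `tasklist /svc` text."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+(\d+)\s+(.+)$", line)  # header/separator rows have no PID
        if m:
            svcs = [s.strip().lower() for s in m.group(3).split(",")]
            procs[int(m.group(2))] = (m.group(1).lower(), [s for s in svcs if s != "n/a"])
    return procs

def tcp135_listeners(text):
    """Return (local address, PID) for every TCP socket LISTENING on port 135."""
    found = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            addr, _, port = f[1].rpartition(":")  # also handles "[::]:135"
            if port == "135":
                found.append((addr, int(f[4])))
    return found

def review(netstat_text, tasklist_text):
    """Classify each port-135 listener by owning process and bind address."""
    procs = parse_tasklist(tasklist_text)
    results = []
    for addr, pid in tcp135_listeners(netstat_text):
        image, svcs = procs.get(pid, ("unknown", []))
        normal = image == "svchost.exe" and bool(RPC_SERVICES & set(svcs))
        results.append({"pid": pid, "image": image, "normal_owner": normal,
                        "all_interfaces": addr in ("0.0.0.0", "[::]")})
    return results
```

A matching image name does not prove the file is the genuine one; `normal_owner` being false, or an unknown PID, is the case that warrants a closer look before allowing the alert.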
Yes, I see it on both my Win2k and WinXP systems. Thanks for clarifying the "act as server" message - it was confusing because that doesn't appear in my Kerio listening state window - it just indicates that svchost is listening on Port 135-epmap. Why would Sonya just now be seeing that alert? -rich
Hello Sonya, I think that the information and the links provided in this thread may help you out. I hope so anyway. Generic Host Process https://www.wilderssecurity.com/showthread.php?t=82237 StevieO