Please advise me what I should do with these firewall alerts

Discussion in 'ESET Smart Security' started by stevenoon, Mar 27, 2008.

Thread Status:
Not open for further replies.
  1. stevenoon

    stevenoon Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    18
    Hi all,

    On one of my PCs, when I log in to the desktop (XP Pro SP2) I receive several (approximately 8) outbound traffic - internet alerts from ESS (in interactive mode). This happens every time I reboot the PC.

    The request is for an application called "Generic Host Process for Win32 Services" and the publisher is "Microsoft Windows Publisher". The remote port is always 123 (NTP), but the remote computer's host name and IP address vary, with each of the 8 to 10 alerts being for a different host; the same remote computers appear every time, but sometimes different ones appear as well.

    I have been denying these requests to be safe.

    I'm worried that this might be some kind of spyware or malware infection - just thought I'd ask here first.

    Many thanks in advance for any advice.

    Cheers,

    Steve.
     
  2. ASpace

    ASpace Guest

    Some of the IPs are ... ?

    A screenshot is much appreciated
     
  3. stevenoon

    stevenoon Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    18
    xtal.pulsewidth.org.uk (80.82.141.70)
    ntp4.ja.net (193.62.22.82)
    admin.curacao.bitfolk.com (212.13.194.71)
    ginny.provu.co.uk (213.2.4.70)
    noisebox.positive-dedicated.net (80.87.128.243)
    lyla.preshweb.co.uk (83.170.75.28)
    eu1.develooper.com (84.45.68.23)
    ntpt1.core.theplanet.net (195.92.137.112)
    dns0.rmplc.co.uk (194.238.48.2)
    dns1.rmplc.co.uk (194.238.48.3)

    I've never heard of most of these domains - except rmplc.co.uk which is Research Machines.

    I hope this info helps - if you need a screen shot can someone please advise me how to post it here.

    Many thanks,

    Steve.
     
  4. ASpace

    ASpace Guest

    Download ESET SysInspector

    Windows 2000, XP, Server 2003 and Vista (32-bit)
    http://download.eset.com/download/sysinspector/32/ENU/SysInspector.exe

    Windows XP, Server 2003 and Vista (64-bit)
    http://download.eset.com/download/sysinspector/64/ENU/SysInspector.exe


    Start the program. Go to File > Save Log and choose to save a log somewhere. Confirm your wish. Now that you have the file, send it to ESET Technical Support (support@eset.com); you might be infected. All these IPs ... I guess svchost.exe should not attempt connections to them. Block the connections so that you remain safe.
     
  5. wrathchild

    wrathchild Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    170
    Location:
    Neoplantesis
    For remote port 123 and "Generic Host Process for Win32 Services" (svchost.exe) you can set:

    protocol: UDP
    remote port: 123
    remote IP: time.windows.com (207.46.130.100)

    The other attempts on port 123 you can block... unless you use another server for time synchronization ;)
     
    Last edited: Mar 27, 2008
  6. shansmi

    shansmi Registered Member

    Joined:
    Feb 19, 2008
    Posts:
    130
    Do not respond when the firewall blocks the traffic to hang the application, then:

    Use Process Explorer from the Microsoft website to see if any weird tasks are running... that program is very easy to use...
    It will also tell you what child tasks are under each parent, i.e. what all the svchost.exe's are doing... if you leave it up long enough you can watch programs start and stop - it shows you the entire tree...

    HijackThis is another good one...

    Also you could use Wireshark to see the IP packets leaving your PC...are they really NTP or something else?


    The generic response to anything you are not 100% sure of is DENY... if it keeps coming up, Google the IP, service or anything else you can find to see what it is... use Process Explorer if you have to, to see what tasks are firing up...
     
    Last edited: Mar 27, 2008
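    The Wireshark check shansmi suggests ("are they really NTP or something else?") comes down to decoding the UDP payload of each port-123 packet. The following is an added example, not code from any poster or from ESET, that decodes the fixed 48-byte NTP header and labels a payload as an NTP client request, an NTP server reply, or something that only borrowed the port; the three sample payloads are constructed, and the minimal client request (0x1b followed by zeros) is assumed from the SNTP packet layout rather than captured from the poster's PC.

```python
import struct
from typing import Optional

# Constructed sample UDP/123 payloads (not captured from the poster's PC).
# 1) A minimal 48-byte SNTP client request: first byte 0x1b encodes
#    LI=0, VN=3, Mode=3; the remaining 47 bytes are zero.
CLIENT_REQUEST = b"\x1b" + b"\x00" * 47
# 2) A server reply: first byte 0x1c encodes LI=0, VN=3, Mode=4; stratum 2,
#    poll 6, precision -20, and a non-zero transmit timestamp in bytes 40..47.
SERVER_REPLY = (b"\x1c\x02\x06\xec" + b"\x00" * 36
                + struct.pack("!II", 0xC9E8B5A0, 0x12345678))
# 3) Something sent to port 123 that is not NTP at all (text, padded to 48 bytes).
NOT_NTP = b"GET / HTTP/1.0\r\n\r\n".ljust(48, b"\x00")


def parse_ntp_header(payload: bytes) -> Optional[dict]:
    """Decode the fixed 48-byte NTP header; return None if the payload is too short."""
    if len(payload) < 48:
        return None
    first = payload[0]
    li, version, mode = first >> 6, (first >> 3) & 0x7, first & 0x7
    stratum = payload[1]
    # Transmit timestamp: 32-bit seconds + 32-bit fraction, big-endian.
    xmit_sec, xmit_frac = struct.unpack("!II", payload[40:48])
    return {"li": li, "version": version, "mode": mode, "stratum": stratum,
            "transmit_timestamp": (xmit_sec, xmit_frac)}


def classify_port123_payload(payload: bytes) -> str:
    """Label a UDP/123 payload: 'ntp-client', 'ntp-server', 'ntp-other' or 'not-ntp'."""
    hdr = parse_ntp_header(payload)
    # NTP versions in use are 1..4; anything else on port 123 is suspect.
    if hdr is None or hdr["version"] not in (1, 2, 3, 4):
        return "not-ntp"
    if hdr["mode"] == 3:
        return "ntp-client"          # what an outbound time-sync request should look like
    if hdr["mode"] == 4 and 1 <= hdr["stratum"] <= 15 \
            and hdr["transmit_timestamp"] != (0, 0):
        return "ntp-server"          # a plausible reply from a time server
    return "ntp-other"               # valid version but another mode (broadcast, control, ...)


if __name__ == "__main__":
    for name, pkt in (("client", CLIENT_REQUEST), ("server", SERVER_REPLY), ("text", NOT_NTP)):
        print(name, classify_port123_payload(pkt))
```

An outbound alert whose payload decodes as "ntp-client" is consistent with Windows Time syncing; one that decodes as "not-ntp" is the case worth investigating further.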
  7. Jenee

    Jenee Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    185
    Stevenoon, do you have Windows Live Messenger installed? This program does have a tendency to try and contact all sorts of websites for advertising and promotion.
     