svchost.exe service question?

Discussion in 'other firewalls' started by magoood, Dec 2, 2004.

Thread Status:
Not open for further replies.
  1. magoood

    magoood Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    67
    About that service, i found myself forced 2 grant it permission in order 2 access the net (although i really don't know what does it do) as i wasn't able 2 browse without granting it but ZA asked me if i wanna allow/deny it from accepting incoming connections and i don't know what 2 do in this case because i don't know what are these incoming connections. e.g. if i denied, will this have any hidden impact (so far, i feel that it cripples my connection after some time of surfing Okay but i can't confirm that. More info are below...). And if i allowed, is there any danger? Advices are highly appreciated.

    More Info:
    ---------
    After some time of being online, I suddenly find that my connection is still on (connected) but the 2 TV sets are blinking randomly and slowly (which means for me that there is almost no data transfer from/to my PC) while the normal case is that these 2 TV sets are ON, ALL THE TIME.
    The only remedy 2 this frustration is 2 disconnect and reconnect again and i get a nice connection but after some time, the same situation happens all over again and i am not able 2 figure out why this happens to me. I have some suspicion towards the disallowance of svchost.exe from accepting connections from the internet to be the culprit but not sure at all
     
    Last edited: Dec 2, 2004
  2. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Click No.
     
  3. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    WHOIS results for 213.131.66.246

    Generated by www.DNSstuff.com


    % This is the RIPE Whois quaternary server.
    % The objects are in RPSL format.
    %
    % Rights restricted by copyright.
    % See http://www.ripe.net/db/copyright.html

    inetnum: 213.131.64.0 - 213.131.79.255
    netname: LINK
    descr: Link *****
    country: **
    remarks: for any abuse complains please contact (******@link.net )
    admin-c: MG7699
    tech-c: AK7379-RIPE
    tech-c: MG7699
    status: ASSIGNED PA
    notify: ****@link.net
    mnt-by: MAINT-LINK
    changed: ********@link.net 20031110
    source: RIPE

    route: 213.131.66.0/24
    descr: LINKdotNET Route
    origin: AS24863
    mnt-by: MAINT-LINK
    changed: ********@link.net 20020724
    source: RIPE

    person: *****************
    address: ***************
    address: ****
    address: *****
    phone: +202 336 7711
    fax-no: +202 336 4910
    e-mail: ********@link.net
    nic-hdl: MG7699
    remarks:
    notify: *******@link.net
    mnt-by: MAINT-LINK
    changed: ********@link.net 20010709
    source: ripe

    person: *****
    address: *************
    address: ****
    address: *****
    phone: +202 336 7711
    fax-no: +202 336 4910
    nic-hdl: AK7379-RIPE
    e-mail: ********@link.net
    changed: ********@link.net 20030812
    mnt-by: MAINT-LINK
    source: RIPE
     
    Last edited: Dec 2, 2004
  4. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    I suspect that a trojan is attempting to connect to svchost.exe on your computer. BLOCK it.
     
  5. magoood

    magoood Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    67
    I wonder what does that mean ? and why i have 2 choose no? if i choose no, then i "think" it leads 2 that connection problem i mentioned b4 but as i said, i am really not sure and totally confused o_O
     
  6. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    I block svchost.exe on my computer and i've no problems. Could it be your ISP trying to connect to you?
    Is your ISP called: Link *****?
     
    Last edited: Dec 2, 2004
  7. magoood

    magoood Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    67
    I am not sure why they will want 2 connect 2 me ? and how can u connect 2 the net without - at least - giving outbound net access 2 this service. I tried blocking it but nothing was loading in my browser at all.

    Will do a full system scan now and check if there's a hidden Trojan although i believe that my system is clean
     
  8. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Ok. Go ahead and scan your system. Good luck. ;)
     
  9. zcv

    zcv Registered Member

    Joined:
    Dec 11, 2002
    Posts:
    355
    XP "bundles" services under SVCHOST.EXE. To see exactly what is running in each instance of svchost:

    Open a cmd box: start > run > type cmd > ok and type:
    tasklist /svc > c:\tasklist.txt

    To relate the Task Manager entries and the tasklist.txt entries: they are tied together thru the PID number. Make sure that in TM the PID is showing. If not, click on view > Select Columns.

    tasklist.exe is only on XP-pro, so if running Home you'll need to download it along with the instructions from here:

    http://www.computerhope.com/download/winxp.htm

    Regards - Charles
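
The PID correlation described in the post above, carried one step further as an added example that is not part of the original thread: it parses `tasklist /svc` output, joins it by PID with `netstat -ano` output, and reports which services sit behind each svchost.exe instance that has a listening socket. The sample outputs are constructed, `netstat -ano` is not mentioned in the thread, and the function names are hypothetical.

```python
import re
# Constructed sample output for illustration; not taken from the thread.
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    956 RpcSs
svchost.exe                   1052 AudioSrv, BITS, Dhcp,
                                   Schedule, wuauserv
svchost.exe                   1120 Dnscache
explorer.exe                  1600 N/A
"""
NETSTAT_ANO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       956
  TCP    192.168.1.5:1034       203.0.113.10:80        ESTABLISHED     1600
  UDP    0.0.0.0:1025           *:*                                    1120
  UDP    0.0.0.0:68             *:*                                    1052
"""

def services_by_pid(text):
    """Map PID -> (image name, [services]); wrapped service lines are joined."""
    procs, last = {}, None
    for line in text.splitlines():
        m = re.match(r"(\S.*?)\s+(\d+)\s+(.*)$", line)
        if m:
            last, rest = int(m.group(2)), m.group(3)
            procs[last] = (m.group(1), [])
        elif line.startswith(" ") and last is not None:
            rest = line  # continuation of the previous row's service list
        else:
            continue  # header, separator or blank line
        names = (s.strip() for s in rest.split(","))
        procs[last][1].extend(n for n in names if n and n != "N/A")
    return procs

def inbound_listeners(text):
    """Return (proto, local address, PID) for sockets that can take inbound traffic."""
    found = []
    for f in (line.split() for line in text.splitlines()):
        # TCP rows carry a State column; bound UDP sockets have none and always receive.
        if len(f) >= 4 and (f[0] == "UDP" or (f[0] == "TCP" and f[3] == "LISTENING")):
            found.append((f[0], f[1], int(f[-1])))
    return found

def svchost_exposure(tasklist_text, netstat_text):
    procs = services_by_pid(tasklist_text)
    return [(pid, proto, local, procs.get(pid, ("?", []))[1])
            for proto, local, pid in inbound_listeners(netstat_text)
            if procs.get(pid, ("?", []))[0].lower() == "svchost.exe"]
```

On a live machine, feed the functions the saved text of both commands; a firewall prompt for svchost.exe can then be matched to the service list of the PID that owns the port.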
     
  10. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    There should be no need to allow inbound traffic to Svchost. You should not allow Server access or inbound traffic. If this gives you a problem, then it might be time to try another firewall. ZA can be kinda quirky at times. I used to get inbound traffic to Services.Exe using ZA and I think it was just late responses from my DNS servers. ZA should show something in the window when it asks you for permission.. If it says DNS then you can allow it safely, otherwise I'd block it.
     
  11. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I had Generic Host Process for Win32 (i.e. svchost.exe) trying to act as a server through my ZAP, but I settled the issue by giving it green ticks for Access but red crosses for Server rights. That means it can't even ask anymore! I've had no problems in doing this and I can't imagine why it would even want server rights.

    I don't think there is a trojan at work here and I don't think the other problems mentioned are connected with this (though you'd have to explain them a bit clearer!).
     
  12. magoood

    magoood Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    67
    Yes ZA can't do anything without my permission coz i have set that in the options and yes, it's as u say. It's a DNS coz it says in the dialog box that appears:

    Do u want 2 allow generic host process... from accepting incoming connections...
    Technical info
    Source IP:ww.xx.yy.zz: DNS
    Application: svchost.exe
    ...etc

    so i think i don't have 2 change ZA :D - right ?? - it's the easiest firewall i have ever seen where it'll give u the protection which is enough 4 my poor home PC against naughty kids :D. IMHO, i think that if someone is doing illegal stuff on the net, then i think no firewall in the world would be able 2 cover him up from being traced down :D
     
  13. magoood

    magoood Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    67
    BTW, anyone know how can i make a rule in ZA by which i accept incoming connections only from DNS servers and filter the non-welcomed rest? THX
     
  14. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    This is how it's like in my sygate firewall, this setting gives no problems at all. ;)
     

    Attached Files:

  15. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Just put your DNS servers addresses in the Trusted Zone and then in the program options, allow Server Access to Svchost.Exe for the Trusted Zone ONLY. That should take care of the problem..
     
  16. magoood

    magoood Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    67
    But what's the use of that if the connection icon itself that i use 4 connecting 2 the internet is placed under the "Internet" zone and not the "trusted" zone where this means that i am using the "Internet" zone restriction and not the trusted one o_O
     
  17. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    I'm not sure what you're saying, but all you need to do is give Svchost.Exe (Generic Host Process) Server rights for the Trusted Zone (not Internet Zone) and put your DNS servers in the Trusted Zone. Then, when your DNS servers try to send late packets and so on, ZA will allow the incoming packets from those servers only.

    Just do it... :)
     