Security log full, why?

Bo Berglund

I am getting warnings on my DELL Dimension desktop running XP SP2 when
I log on using RDP. The warning is about the security log being full
and that an administrator should fix it...

After I use Event Viewer to clear all log entries it only takes a
short time until it fills up with new entries again. Almost all of
them are titled "Failure Audit". The text in the listbox when I open
one of these is:

The Windows Firewall has detected an application listening for
incoming traffic.

Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1416
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 1219
Allowed: No
User notified: No

If I use Task Manager to find svchost.exe I find no less than 7 of
them. One of these stands out among the others because it has used
lots of CPU time (right now 0:05:52, whereas all others are below a
minute) and I/O Read Bytes is over 2.2 Gbytes and counting. This one
also has the PID mentioned in the event log.

When I use ProcessExplorer from SysInternals I get more info:
"Generic Host Process for Win32 Services"
Command line of process: C:\WINDOWS\System32\svchost.exe -k netsvcs
If I look in the Services tab I find no less than 30 entries...

How can I find out what is causing this audit failure and why?
And how can I stop it from doing whatever it is doing?

BTW: "Tasklist /SVC" gives the following output related to svchost:
Image Name      PID  Services
------------------------------------------
svchost.exe    1124  DcomLaunch, TermService
svchost.exe    1284  RpcSs
svchost.exe    1416  AppMgmt, AudioSrv, BITS, Browser, CryptSvc,
                     Dhcp, dmserver, ERSvc, EventSystem, helpsvc,
                     HidServ, lanmanserver, lanmanworkstation,
                     Messenger, Netman, Nla, RasMan, Schedule,
                     seclogon, SENS, SharedAccess,
                     ShellHWDetection, srservice, TapiSrv,
                     Themes, TrkWks, w32time, winmgmt, wuauserv,
                     WZCSVC
svchost.exe    1528  Dnscache
svchost.exe    1700  LmHosts, RemoteRegistry, SSDPSRV, WebClient
svchost.exe    3048  stisvc
svchost.exe    5268  HTTPFilter


Bo Berglund
bo.berglund(at)nospam.telia.com
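The difficulty in this post is that `tasklist /SVC` only maps a PID to its whole service group, so the audit event's PID 1416 points at thirty candidate services rather than one. The Python script below is an added example, not code from the thread: it parses the three artefacts the post already works with (the firewall audit event text, `tasklist /SVC` output including its wrapped Services column, and `netstat -ano` output) and cross-checks the event's PID and port against what is currently listening. All sample text is constructed; the event and tasklist figures follow the post (PID 1416, UDP 1219), while the netstat rows are invented for illustration.

```python
"""Correlate a Windows Firewall "application listening" audit event with
`tasklist /SVC` and `netstat -ano` output, to narrow a shared svchost.exe
PID down to the services that could own the listening port.

Added example, not code from the thread. Sample inputs are constructed:
the event and tasklist text follow the post (PID 1416, UDP 1219); the
netstat lines are invented."""
import re
from typing import Dict, List, Tuple

FIREWALL_EVENT = """\
The Windows Firewall has detected an application listening for
incoming traffic.

Name: -
Path: C:\\WINDOWS\\system32\\svchost.exe
Process identifier: 1416
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 1219
Allowed: No
User notified: No
"""

# tasklist /SVC wraps a long Services column onto continuation lines that
# begin with whitespace; the parser stitches them back onto their PID.
TASKLIST_SVC = """\
Image Name                   PID Services
========================= ====== =====================================
System                         4 N/A
svchost.exe                 1124 DcomLaunch, TermService
svchost.exe                 1284 RpcSs
svchost.exe                 1416 AppMgmt, AudioSrv, BITS, Browser, CryptSvc,
                                 Dhcp, dmserver, ERSvc, EventSystem, helpsvc,
                                 HidServ, lanmanserver, lanmanworkstation,
                                 Messenger, Netman, Nla, RasMan, Schedule,
                                 seclogon, SENS, SharedAccess,
                                 ShellHWDetection, srservice, TapiSrv,
                                 Themes, TrkWks, w32time, winmgmt, wuauserv,
                                 WZCSVC
svchost.exe                 1528 Dnscache
svchost.exe                 1700 LmHosts, RemoteRegistry, SSDPSRV, WebClient
"""

NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1124
  UDP    0.0.0.0:1219           *:*                                    1416
  UDP    127.0.0.1:1900         *:*                                    1700
"""


def parse_firewall_event(text: str) -> Dict[str, str]:
    """Turn the 'Key: value' lines of the audit event text into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def _split_services(column: str) -> List[str]:
    names = [s.strip() for s in column.split(",")]
    return [n for n in names if n and n != "N/A"]


def parse_tasklist_svc(text: str) -> Dict[int, List[str]]:
    """Map PID -> service names, joining wrapped Services lines."""
    row = re.compile(r"^(\S+)\s+(\d+)\s+(.*)$")
    by_pid: Dict[int, List[str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        if line[0].isspace():  # continuation of the previous row
            if current is not None:
                by_pid[current].extend(_split_services(line))
            continue
        m = row.match(line)
        if m:
            current = int(m.group(2))
            by_pid[current] = _split_services(m.group(3))
    return by_pid


def parse_netstat_ano(text: str) -> List[Tuple[str, str, int, int]]:
    """Return (proto, local_ip, local_port, pid) per netstat -ano row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        ip, _, port = parts[1].rpartition(":")
        rows.append((parts[0], ip, int(port), int(parts[-1])))
    return rows


def triage(event_text: str, tasklist_text: str, netstat_text: str) -> Dict[str, object]:
    """Check whether the event's PID still has the port open and list the
    services hosted in that PID. A shared svchost only narrows the owner to
    its service group; isolating a suspect service into its own process
    (sc config <name> type= own, then restart it) is what yields a unique PID."""
    ev = parse_firewall_event(event_text)
    pid, port = int(ev["Process identifier"]), int(ev["Port number"])
    proto = ev["IP protocol"].upper()
    listening = any(p == proto and lp == port and lpid == pid
                    for p, _ip, lp, lpid in parse_netstat_ano(netstat_text))
    return {"pid": pid, "proto": proto, "port": port, "path": ev.get("Path", ""),
            "still_listening": listening,  # False means the event may be stale
            "services": parse_tasklist_svc(tasklist_text).get(pid, [])}


if __name__ == "__main__":
    r = triage(FIREWALL_EVENT, TASKLIST_SVC, NETSTAT_ANO)
    print(f"PID {r['pid']} {r['proto']}/{r['port']} still listening: {r['still_listening']}")
    print(f"{len(r['services'])} services share this PID: " + ", ".join(r["services"]))
```

Run against real output captured with `tasklist /SVC > t.txt` and `netstat -ano > n.txt` (both available on XP), the script tells you two things the event alone does not: whether the port is still open right now, and the exact service group behind the PID. Because every service in a `-k netsvcs` group shares one PID, the last step of attribution is done by moving a suspected service into its own process with `sc config <name> type= own` and restarting it, after which `netstat -ano` shows a PID that maps to exactly one service.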
 
Jim

Bo Berglund said:
I am getting warnings on my DELL Dimension desktop running XP SP2 when
I log on using RDP. The warning is about the security log being full
and that an administrator should fix it...

After I use Event Viewer to clear all log entries it only takes a
short time until it fills up with new entries again. Almost all of
them are titled "Failure Audit". The text in the listbox when I open
one of these is:

The Windows Firewall has detected an application listening for
incoming traffic.

Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1416
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 1219
Allowed: No
User notified: No

If I use Task Manager to find svchost.exe I find no less than 7 of
them. One of these stands out among the others because it has used
lots of CPU time (right now 0:05:52, whereas all others are below a
minute) and I/O Read Bytes is over 2.2 Gbytes and counting. This one
also has the PID mentioned in the event log.

When I use ProcessExplorer from SysInternals I get more info:
"Generic Host Process for Win32 Services"
Command line of process: C:\WINDOWS\System32\svchost.exe -k netsvcs
If I look in the Services tab I find no less than 30 entries...

How can I find out what is causing this audit failure and why?
And how can I stop it from doing whatever it is doing?

BTW: "Tasklist /SVC" gives the following output related to svchost:
Image Name      PID  Services
------------------------------------------
svchost.exe    1124  DcomLaunch, TermService
svchost.exe    1284  RpcSs
svchost.exe    1416  AppMgmt, AudioSrv, BITS, Browser, CryptSvc,
                     Dhcp, dmserver, ERSvc, EventSystem, helpsvc,
                     HidServ, lanmanserver, lanmanworkstation,
                     Messenger, Netman, Nla, RasMan, Schedule,
                     seclogon, SENS, SharedAccess,
                     ShellHWDetection, srservice, TapiSrv,
                     Themes, TrkWks, w32time, winmgmt, wuauserv,
                     WZCSVC
svchost.exe    1528  Dnscache
svchost.exe    1700  LmHosts, RemoteRegistry, SSDPSRV, WebClient
svchost.exe    3048  stisvc
svchost.exe    5268  HTTPFilter


Bo Berglund
bo.berglund(at)nospam.telia.com

Svchost.exe is a general purpose program which can be used for quite a few
different processes. It is not unusual to find 7 different processes
executing this program.

If I had your problem, the first thing I would do is to perform a thorough
malware test. It does seem likely that you have a bad case of infestation.

The second thing I would do is dependent on what the results of the first
test are.

Jim
 
Bo Berglund

Svchost.exe is a general purpose program which can be used for quite a few
different processes. It is not unusual to find 7 different processes
executing this program.

If I had your problem, the first thing I would do is to perform a thorough
malware test. It does seem likely that you have a bad case of infestation.

The second thing I would do is dependent on what the results of the first
test are.

Thanks,
I have a fully up to date Symantec AntiVirus Corporate Edition v
10.1.3.B4000 running on this PC, so I'd assume it would find and
disable any spy/malware infestations...
But I don't know at which level it is able to detect these. Do you
have a suggestion on how to go about checking this?

And I forgot to say that the PC is part of a domain, but I only
occasionally connect to the network where the domain controller
resides via VPN. I don't know if this is an issue, but I thought that
I should mention it.


Bo Berglund
 
Jim

Bo Berglund said:
Thanks,
I have a fully up to date Symantec AntiVirus Corporate Edition v
10.1.3.B4000 running on this PC, so I'd assume it would find and
disable any spy/malware infestations...
But I don't know at which level it is able to detect these. Do you
have a suggestion on how to go about checking this?

And I forgot to say that the PC is part of a domain, but I only
occasionally connect to the network where the domain controller
resides via VPN. I don't know if this is an issue, but I thought that
I should mention it.


Bo Berglund
I would not assume anything. What it can detect and how you know what it
can detect should be covered in the fine manual.
Do you know for a fact that the database is current?
My next step would be to get and run David Lipman's Multi_Av.exe package
(sorry, I don't have a url for it handy).
Jim