svchost.exe Inbound?

[Guest]

I'm getting an annoying firewall Program Control Alert, Inbound, svchost.exe How do I stop this, please? This has been happening for a few weeks now.

I'm using XP Home, Dell 2350, Pentium 4, Norton AntiVirus 2004 & Personal Firewall 2003. The Firewall keeps giving a Program Control alert, C:\Windows\System32\svchost.exe, TCP (Inbound), remote IP address (when using Norton's Tracking its mostly from other countries), TCP(Inbound), [MyIP]:1025. I block it each time. The Task Manager shows running SVCHOST.EXE (all caps) System(3), Network Service, Local Service. A search result for svchost.exe shows C:\I386\SVCHOST.EXE and C:\Windows\System32\SVCHOST.EXE (all caps).

I have scanned off line with Norton and at the Symantec site both virus & security scans, spywareguide.com free X-Cleaner scan, McAfee free scan, and PCPitstop Panda free scan and they found nothing. I use Spobot S&D 1.3 and it found nothing. GRC.com ShieldUP! shows that port 1025 is open and says to close it. I don't know how to do that. It also showed a "Danske Net Bank" plugin installed & I haven't been to any bank sites. How do I get rid of that? I did a Firewall program scan set to "automatic". Even tried a System Restore when all else failed but couldn't go back too far because I was afraid of previous driveby adware I couldn't get rid of. The firewall logs show the alert occuring every 5-20 min. Thanks for any help you can give me to stop this annoying alert.
Judy

 

[S.Sengupta]

Hi Judy,
These two viruses copies svchost.exe to the system

Symantec Security Response - W32.Welchia.Worm:
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

Symantec Security Response - W32.Assarm@mm:
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

A Description of Svchost.exe in Windows XP:
http://support.microsoft.com/?kbid=314056

regards,

ssg MS-MVP
pronetworks.org

 

[Guest]

Hi S.Sengupta,
Thank you for replying. I updated all MS security patches when issued that are referenced for W32.Welchia.Worm and have not had any of these symptoms. As for W32.assarm@mm, I do not use Outlook Express or Outlook and have never had any of these symptoms. I have never had any attachments to any of my emails therefore never opened any. My ISP is EarthLink & I use their mailbox. What I am getting is a firewall alert "a remote system is attempting to access Microsoft Generic Host Process for Win32 services on your comuter" using port 1025 and ask if I want to Permit,Block or Manually configure rules. I have been blocking it because this is something new. Its only been happening the last few weeks. Do you have any suggestions?
Thanks so much for your help.
Judy

Hi Judy,
These two viruses copies svchost.exe to the system

Symantec Security Response - W32.Welchia.Worm:
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

Symantec Security Response - W32.Assarm@mm:
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

A Description of Svchost.exe in Windows XP:
http://support.microsoft.com/?kbid=314056

regards,

ssg MS-MVP
pronetworks.org

I'm getting an annoying firewall Program Control Alert, Inbound, svchost.exe How do I stop this, please? This has been happening for a few weeks now.

I'm using XP Home, Dell 2350, Pentium 4, Norton AntiVirus 2004 & Personal Firewall 2003. The Firewall keeps giving a Program Control alert, C:\Windows\System32\svchost.exe, TCP (Inbound), remote IP address (when using Norton's Tracking its mostly from other countries), TCP(Inbound), [MyIP]:1025. I block it each time. The Task Manager shows running SVCHOST.EXE (all caps) System(3), Network Service, Local Service. A search result for svchost.exe shows C:\I386\SVCHOST.EXE and C:\Windows\System32\SVCHOST.EXE (all caps).

I have scanned off line with Norton and at the Symantec site both virus & security scans, spywareguide.com free X-Cleaner scan, McAfee free scan, and PCPitstop Panda free scan and they found nothing. I use Spobot S&D 1.3 and it found nothing. GRC.com ShieldUP! shows that port 1025 is open and says to close it. I don't know how to do that. It also showed a "Danske Net Bank" plugin installed & I haven't been to any bank sites. How do I get rid of that? I did a Firewall program scan set to "automatic". Even tried a System Restore when all else failed but couldn't go back too far because I was afraid of previous driveby adware I couldn't get rid of. The firewall logs show the alert occuring every 5-20 min. Thanks for any help you can give me to stop this annoying alert.
Judy

 

[Guest]

Hi S.Sengupta,
Thank you for your reply. I installed all of the security patches when issued referenced in (e-mail address removed). Under W32.assarm@mm, I don't use Outlook Express or Outlook. I'm on EarthLink and use their mailbox. I have never had any email attachments therefore never opened any. I have not had any of these symptoms. What I am getting is a Firewall Alert "a remote system is attempting to access MS Generic Host Process for win32 services on your computer" using port 1025. Do you have any suggestions?
Thank you so much for your help.
Judy

Hi Judy,
These two viruses copies svchost.exe to the system

Symantec Security Response - W32.Welchia.Worm:
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

Symantec Security Response - W32.Assarm@mm:
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

A Description of Svchost.exe in Windows XP:
http://support.microsoft.com/?kbid=314056

regards,

ssg MS-MVP
pronetworks.org

I'm getting an annoying firewall Program Control Alert, Inbound, svchost.exe How do I stop this, please? This has been happening for a few weeks now.

I'm using XP Home, Dell 2350, Pentium 4, Norton AntiVirus 2004 & Personal Firewall 2003. The Firewall keeps giving a Program Control alert, C:\Windows\System32\svchost.exe, TCP (Inbound), remote IP address (when using Norton's Tracking its mostly from other countries), TCP(Inbound), [MyIP]:1025. I block it each time. The Task Manager shows running SVCHOST.EXE (all caps) System(3), Network Service, Local Service. A search result for svchost.exe shows C:\I386\SVCHOST.EXE and C:\Windows\System32\SVCHOST.EXE (all caps).

I have scanned off line with Norton and at the Symantec site both virus & security scans, spywareguide.com free X-Cleaner scan, McAfee free scan, and PCPitstop Panda free scan and they found nothing. I use Spobot S&D 1.3 and it found nothing. GRC.com ShieldUP! shows that port 1025 is open and says to close it. I don't know how to do that. It also showed a "Danske Net Bank" plugin installed & I haven't been to any bank sites. How do I get rid of that? I did a Firewall program scan set to "automatic". Even tried a System Restore when all else failed but couldn't go back too far because I was afraid of previous driveby adware I couldn't get rid of. The firewall logs show the alert occuring every 5-20 min. Thanks for any help you can give me to stop this annoying alert.
Judy

 

[V Green]

Hi S.Sengupta,
Thank you for your reply. I installed all of the security patches when

issued referenced in (e-mail address removed). Under W32.assarm@mm, I don't use
Outlook Express or Outlook. I'm on EarthLink and use their mailbox. I have
never had any email attachments therefore never opened any. I have not had
any of these symptoms. What I am getting is a Firewall Alert "a remote
system is attempting to access MS Generic Host Process for win32 services on
your computer" using port 1025. Do you have any suggestions?

Thank you so much for your help.
Judy

You are being attacked FROM the internet, hence the INBOUND.

The virii do NOT care whether or not you use either of those programs,
the problem is, they're still there for it to pick on-as long as you use an
OS
that the virus can recognize as one it can screw with, you will see these
attempts
to infect.

Which is one reason I run a software firewall and proxy server on
a dedicated W98SE machine. This crap passes me right by, as my
only 'Net presence (if it can be seen at all) is backed by an OS
that the latest virii don't care about.

The inbounds you are seeing are simply a fact of life now, your firewall's
just doin' its thing...if the alerts get too annoying, just turn them off
and
remember to check your logs manually.
svchost.exe How do I stop this, please? This has been happening for a few
weeks now.Personal Firewall 2003. The Firewall keeps giving a Program Control alert,
C:\Windows\System32\svchost.exe, TCP (Inbound), remote IP address (when
using Norton's Tracking its mostly from other countries), TCP(Inbound),
[MyIP]:1025. I block it each time. The Task Manager shows running
SVCHOST.EXE (all caps) System(3), Network Service, Local Service. A search
result for svchost.exe shows C:\I386\SVCHOST.EXE and
C:\Windows\System32\SVCHOST.EXE (all caps).virus & security scans, spywareguide.com free X-Cleaner scan, McAfee free
scan, and PCPitstop Panda free scan and they found nothing. I use Spobot S&D
1.3 and it found nothing. GRC.com ShieldUP! shows that port 1025 is open
and says to close it. I don't know how to do that. It also showed a "Danske
Net Bank" plugin installed & I haven't been to any bank sites. How do I get
rid of that? I did a Firewall program scan set to "automatic". Even tried
a System Restore when all else failed but couldn't go back too far because I
was afraid of previous driveby adware I couldn't get rid of. The firewall
logs show the alert occuring every 5-20 min. Thanks for any help you can
give me to stop this annoying alert.