Re: none of you smart fellers heard about GHP?



Do you have info as to which svchost instance it is, i.e. its process id
(pid)?
If so, what is shown as being hosted in that instance?
tasklist /svc
at cmd prompt
TcpView can also help one narrow down what module/dll is involved
in a network activity

As for what you say about the firewall behaviors, I will need to
believe you as I have stopped using such third-party firewalls on
client systems.

--
Roger
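The two-step check Roger describes (tasklist /svc to see which services each svchost.exe instance hosts, then a port-to-process view such as TcpView or netstat -ano to see which instance owns the socket) can be joined together in a script so the answer for a given port comes out directly. This is an added example, not code from the thread; the tasklist and netstat text it parses is constructed, the service names assigned to each PID are illustrative, and the column layout it expects is the one those two tools print, including the indented continuation lines tasklist uses for long service lists.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `tasklist /svc` output (illustrative, not captured
# from a real host). Each svchost.exe instance is one PID hosting a service
# group; long service lists wrap onto indented continuation lines.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    880 DcomLaunch
svchost.exe                    948 RpcSs
svchost.exe                   1084 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                   ERSvc, EventSystem, helpsvc, lanmanserver
svchost.exe                   1148 Dnscache
svchost.exe                   1304 LmHosts, SSDPSRV, WebClient
explorer.exe                  1600 N/A
"""

# Constructed sample of `netstat -ano` output for the same host; the PID
# column is what ties a socket back to a tasklist entry.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:1026           *:*                                    1084
  UDP    0.0.0.0:1900           *:*                                    1304
  UDP    127.0.0.1:1027         *:*                                    1148
"""

# image name (may contain spaces), right-aligned PID, then the service list
_ENTRY = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")


def _split_services(text: str) -> List[str]:
    names = [s.strip() for s in text.split(",")]
    return [s for s in names if s and s != "N/A"]


def services_by_pid(tasklist_text: str) -> Dict[int, Tuple[str, List[str]]]:
    """Map PID -> (image name, hosted services) from `tasklist /svc` text."""
    table: Dict[int, Tuple[str, List[str]]] = {}
    current: Optional[int] = None
    for line in tasklist_text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue  # blank line or the two header lines
        if line[0].isspace() and current is not None:
            # Indented line: continuation of the previous entry's wrapped list.
            table[current][1].extend(_split_services(line))
            continue
        m = _ENTRY.match(line)
        if not m:
            continue
        image, pid, svc_text = m.group(1), int(m.group(2)), m.group(3)
        table[pid] = (image, _split_services(svc_text))
        current = pid
    return table


def owner_of_port(netstat_text: str, proto: str, port: int) -> Optional[int]:
    """Return the PID bound to proto/port according to `netstat -ano` text."""
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != proto.upper():
            continue  # banner, header, or a different protocol
        local_port = int(parts[1].rsplit(":", 1)[1])  # works for [::]:port too
        if local_port == port:
            return int(parts[-1])  # PID is always the last column
    return None


def identify(tasklist_text: str, netstat_text: str, proto: str, port: int) -> Optional[dict]:
    """Which process, and which hosted services, sit behind a local port."""
    pid = owner_of_port(netstat_text, proto, port)
    if pid is None:
        return None
    image, svcs = services_by_pid(tasklist_text).get(pid, ("<unknown>", []))
    return {"pid": pid, "image": image, "services": svcs}


if __name__ == "__main__":
    print(identify(TASKLIST_SAMPLE, NETSTAT_SAMPLE, "UDP", 1026))
```

On a live machine the two sample strings would be replaced by the captured output of `tasklist /svc` and `netstat -ano`; the result narrows a generic "svchost.exe wants a rule" prompt down to one PID and the short list of services that instance hosts, which is the list worth reviewing.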

"needlove" <crunch@xxxxxxxxxxxxxxxxx> wrote in message
news:uQIv1t9aHHA.5044@xxxxxxxxxxxxxxxxxxxxxxx
I AM irritated because when I post the information you ask for and it
consumes more than three lines you get bored/confused/overwhelmed and I
get no replies.

This could be a firewall problem. Lavasoft Personal firewall
v1.0.543.5722(433)

I have been to the firewall forums and though there are numerous posts
relating to this problem there is not a concrete solution that would apply
to all computer systems.

This could be a malware problem. Not likely since I am armed to the teeth.

See HijackThis report. I will add this later if you really think it's
needed.

This could be a Windows XPsp2 home edition stand-alone PC problem.

Now we're getting somewhere... I have an ethernet cable connection to the
internet that requires DHCP and DNS resolving; therefore, it requires that
Generic Host Process and svchost.exe be allowed some level of access.

The problem:

Running the firewall in "rules wizard" mode I get approximately 30 requests a
day (5 as I wrote this) to "Create rules for svchost.exe". The application
making this request is my friend, Generic Host Process for Win32 services.
Running in "block most" mode I don't have the problem. So why don't I run
in "block most" mode? I do most of the time, but when running a virtual
machine or adding programs I need to allow the wizard mode or else the new
applications are blocked from even local connections.

Note. These connection requests are all blocked until I create a rule to
allow or block. But, by blocking, I am telling the intruder that, "this
computer exists that you just tried to contact but I'm blocking you" That
is a security risk in itself.

The vast majority of connection requests are inbound to local port UDP:
1026. The remote address is always different and worldwide. Different,
because I create a rule to block the specific offending address.

Examples from last 10 minutes:

Inbound, local port 1026, My address 69.146.x.xxx, remote addresses
53.242.38.185;24.64.212.156;203.165.149.23;24.64.224.78;24.64.90.93

Whois lookup for the above IP's respectively:


53.242.38.185
Host unreachable

53.0.0.0 - 53.255.255.255

cap debis ccs
RRZ-S/K
c/o Mercedes Benz AG
Postfach 6002 02
Mercedestr. 136
7000 Stuttgart 60
Germany

NS1.SNS-FELB.DEBIS.COM
NS2.SNS-UT.DEBIS.COM

DB-NET2


203.165.149.23
203-165-149-23.rev.home.ne.jp
Host unreachable

203.165.128.0 - 203.165.255.255

@Home Network Japan
@Home Network Japan intial HE and Infrastructure allocations
For abuse issues, please email abuse@xxxxxxxxxx

AtHome Japan Network Operations Centre
@Home Network Japan
4-7-1, Aobadai,Meguro-ku
Tokyo,Japan,153-0042
phone: +81-3-5452-3820
fax: +81-3-5452-3821
noc@xxxxxxxxxxxxxxxx

ATHOME IP MGMT
@Home Japan
4-7-1, Aobadai,Meguro-ku
Tokyo,Japan,153-0042
phone: +81-3-5452-3820
fax: +81-3-5452-3821
apnic_mail@xxxxxxxxxxxxxxxx

ATHOME-JP
Updated: 11-May-2001 by hostmaster@xxxxxxxxx
Source: whois.apnic.nec
Created: 1992-03-17
Updated: 1993-10-18
Source: whois.arin.net


24.64.212.156
S01060004e2381101.cg.shawcable.net
Host unreachable

24.64.0.0 - 24.71.255.255

Shaw Communications Inc.
Suite 800
630 - 3rd Ave. SW
Calgary
AB
T2P-4L4
Canada

Shaw High-Speed Internet
+1-403-750-7428
ipadmin@xxxxxxx

Abuse:
SHAW ABUSE
+1-403-750-7420
internet.abuse@xxxxxxx

NS7.NO.CG.SHAWCABLE.NET
NS8.SO.CG.SHAWCABLE.NET

SHAW-COMM
Created: 1996-06-03
Updated: 2006-02-08
Source: whois.arin.net

These connections, though they may be benign UDP DNS resolving attempts,
are absolutely unnecessary and a security risk in my opinion. And they are
a pain to monitor.

Let's move beyond the ol' "you're infected with malware" answer and tell me
what's really going on... go ahead, I can take it.
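The poster's observation that the remote address on UDP 1026 "is always different" is worth measuring before writing yet another per-address block rule: if no address ever repeats, a rule keyed on the last address can never match the next hit, and only a rule keyed on the port and direction can. The script below is an added example, not code from the thread or from the Lavasoft product; it reads constructed log lines in a simple comma-separated layout of my own (timestamp, direction, protocol, remote address, local port), seeded with the five UDP 1026 remotes the poster listed plus two extra records so the per-port, per-direction split is visible, and reports how many hits a per-address rule created at first sight would actually have caught.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Hit(NamedTuple):
    when: str
    direction: str   # "IN" or "OUT"
    proto: str       # "UDP" or "TCP"
    remote: str
    local_port: int


# Constructed log lines (not a real firewall export). The five UDP/1026
# remotes are the ones quoted in the post; the TCP/445 hit and the outbound
# DNS query to a TEST-NET address are constructed extras.
LOG_SAMPLE = """\
2007-03-26 09:51:03,IN,UDP,53.242.38.185,1026
2007-03-26 09:52:40,IN,UDP,24.64.212.156,1026
2007-03-26 09:55:11,IN,UDP,203.165.149.23,1026
2007-03-26 09:57:58,IN,UDP,24.64.224.78,1026
2007-03-26 10:00:27,IN,UDP,24.64.90.93,1026
2007-03-26 10:00:30,IN,TCP,24.64.90.93,445
2007-03-26 10:00:31,OUT,UDP,192.0.2.53,53
"""


def parse_log(text: str) -> List[Hit]:
    hits: List[Hit] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        when, direction, proto, remote, port = [f.strip() for f in line.split(",")]
        ipaddress.ip_address(remote)  # reject malformed addresses early
        hits.append(Hit(when, direction.upper(), proto.upper(), remote, int(port)))
    return hits


Key = Tuple[str, int]  # (protocol, local port)


def summarize_inbound(hits: List[Hit]) -> Dict[Key, Dict[str, int]]:
    """Per (proto, local port) for inbound hits: total hits, distinct remote
    addresses, distinct /16 networks, and 'repeat_hits', the number of hits
    whose remote had already been seen on that port (i.e. the hits that a
    per-address block rule written at first sight would have matched)."""
    seen: Dict[Key, Set[str]] = defaultdict(set)
    nets: Dict[Key, Set[ipaddress.IPv4Network]] = defaultdict(set)
    out: Dict[Key, Dict[str, int]] = {}
    for h in hits:
        if h.direction != "IN":
            continue  # outbound traffic is a different question
        key = (h.proto, h.local_port)
        s = out.setdefault(key, {"hits": 0, "distinct_remotes": 0,
                                 "distinct_nets16": 0, "repeat_hits": 0})
        s["hits"] += 1
        if h.remote in seen[key]:
            s["repeat_hits"] += 1
        seen[key].add(h.remote)
        nets[key].add(ipaddress.ip_network(f"{h.remote}/16", strict=False))
        s["distinct_remotes"] = len(seen[key])
        s["distinct_nets16"] = len(nets[key])
    return out


def address_rule_coverage(summary: Dict[Key, Dict[str, int]], key: Key) -> float:
    """Fraction of hits on this port that per-address rules would have stopped."""
    s = summary[key]
    return s["repeat_hits"] / s["hits"] if s["hits"] else 0.0


if __name__ == "__main__":
    summary = summarize_inbound(parse_log(LOG_SAMPLE))
    for key, s in sorted(summary.items()):
        print(key, s, "address-rule coverage:", address_rule_coverage(summary, key))
```

With the quoted addresses the coverage for UDP 1026 comes out at zero: five hits, five distinct remotes, no repeats, so five address rules were written and none of them would have matched the sixth hit. Run over a real day of the firewall's own log the same numbers tell you whether address-based rules are doing any work at all or whether one direction-and-port rule is the right shape.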