Re: none of you smart fellers heard about GHP?
- From: "Gerald309" <gerald309@xxxxxxxxx>
- Date: 27 Mar 2007 13:51:05 -0700
On Mar 21, 1:07 pm, "needlove" <cru...@xxxxxxxxxxxxxxxxx> wrote:
I AM irritated because when I post the information you ask for and it
consumes more than three lines you get bored/confused/overwhelmed and I get
no replies.
This could be a firewall problem. Lavasoft Personal Firewall v1.0.543.5722(433).
I have been to the firewall forums and though there are numerous posts
relating to this problem there is not a concrete solution that would apply
to all computer systems.
This could be a malware problem. Not likely since I am armed to the teeth.
See HijackThis report. I will add this later if you really think it's
needed.
This could be a Windows XP SP2 Home Edition stand-alone PC problem.
Now we're getting somewhere... I have an ethernet cable connection to the
internet that requires DHCP and DNS resolving and therefore requires that
Generic Host Process and svchost.exe be allowed some level of access.
The problem:
Running the firewall in "rules wizard" mode I get approximately 30 requests a
day (5 as I wrote this) to "Create rules for svchost.exe". The application
making this request is my friend, Generic Host Process for Win32 Services.
Running in "block most" mode I don't have the problem. So why don't I run
in "block most" mode? I do most of the time but when running a virtual
machine or adding programs I need to allow the wizard mode or else the new
applications are blocked from even local connections.
Note: these connection requests are all blocked until I create a rule to
allow or block. But by blocking, I am telling the intruder, "this
computer exists that you just tried to contact, but I'm blocking you." That
is a security risk in itself.
The vast majority of connection requests are inbound to local port UDP:
1026. The remote address is always different and worldwide. Different,
because I create a rule to block the specific offending address.
Examples from last 10 minutes:
Inbound, local port 1026, My address 69.146.x.xxx, remote addresses
53.242.38.185;24.64.212.156;203.165.149.23;24.64.224.78;24.64.90.93
Whois lookup for the above IPs respectively:
These connections, though they may be benign UDP DNS resolving attempts,
are absolutely unnecessary and a security risk in my opinion. And they are a
pain to monitor.
Let's move beyond the ol' "you're infected with malware" answer and tell me
what's really going on... go ahead, I can take it.
There is simple unsolicited "noise" constantly all over the world with
all computers. It's a rat race out there and many times people will
look for an extra buck. There is no way to stop unsolicited pings.
Various software may be getting pinged for various reasons of sales
and other like they how their product is working across the universe.
Software vendors can be really nosy. The problem is the world web is
in FTC - a world mall rules rather than a policed communications like
FCC. Thus all the unsolicited traffic. Business gets a free hand. You
cannot change this, and I am saying all this to I guess ask - do you
know what simple unsolicited traffic is? Okay, fine. Or in other
words, the world web is like shopping in a mall and all the vendors
are all looking at all potential customers across the aisles. That is
simple "noise" that is blocked by a firewall.
Point two.... what the h*ll is outgoing 30 times a day is a real
question that sounds like it could be a real security issue. What malware
does this? It would be most likely a combination installation
involving a trojan and possibly a keylogger and an SMTP mailer.
There are "same name threats" which are many times a malware with the
same name as a part of the Windows Operating System. The "svchost.exe"
is one of them. There are a handful of these. If you do a HiJackThis -
I believe there is no way that can distinguish this.
Since apparently you have run reputable antivirus and antispyware and
this would be like a "worst offender" and well known and easily
detected even by the cheapest products (which are always included in
definitions) - it is one of two things. Either you have valid software
that is performing well or you have a "same name threat" . For example
the "svchost.exe" is part of the Windows OS and is also part of a
trojan among others. (Google it ).
One other possibility is to download the Malicious Software Removal
Tool by Microsoft and others like the "Stinger" by McAfee. I recommend
you install it and boot into Safe Mode and do the scan with it. This
should only take between 10 and 20 minutes total for the full scan by
it. If infected by the 'malware svchost.exe' it will safely delete it.
That would seem to end the problem if infected. The need for booting
into Safe Mode is that you need this process stopped if you are going
to detect and remove it. Generally this cannot be performed in normal
operation mode according to the severity of the threat.
It is a little difficult to understand the exact question you have,
but I think you are referring to what I just said - either common
unsolicited noise occurring or a same name threat that indeed you want
to remove immediately and dare not give it permission to transmit or
operate.
You can also just do your firewall permissions all over again. Pick an
off-time and just deselect all permissions you already gave in the
firewall permissions - delete ALL permissions back to day one,
everything asks first. And do things rapidly to beat the pings (very
few in off hours like 2 per hour). Restart your pc and give permission
to all known processes and known software. Again do things rapidly.
Start any other software you use so as to force it to ask permission
and grant it. If you are pretty sure everything you use is set for
permission to operate - then just slap the firewall all the way up to
full stealth. That is as invisible as you are going to get. Your
settings of constantly showing you common traffic noise across the
world web (unsolicited pings) does not need to be on and is very
aggravating. It is for diagnostics. You only need that if you are
nosey or searching out someone over something you may suspect. Turn it
off. You can get 100 or more of those notifications per session. But
do leave on that you get notified if your software needs permission.
Okay... you have run everything under the sun to detect infection, and
reset all permissions. If there are further questions post - or post
if you got it "fixed".
The only real suggestion I had was to run the Malicious Software
Removal Tool. I would also suggest lastly you run the free scans from
Trend Micro and Webroot. If there is a spyware involved they are going
to find it. Nobody else is in the same ballpark in detecting as these.
I know from personal experience and have created personal web
bluecollarpc.net and groups and so on specializing in manual spyware
removal. Couple years experience now and earned my "title" if you will
as Advanced User. Said that to say this - it is all I have to offer as
far as my observations or opinions and to be heeded. In other words I
did not just get back from Kmart with my first PC - and you can take
that to the bank !
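As an added example (not code from the thread), a short Python triage of firewall "create rule" prompts over constructed log lines. It separates the pattern the original post describes (inbound UDP 1026 hits from many different remote hosts, which is unsolicited scanning noise to block silently without per-address rules) from repeated outbound connections by svchost.exe on an unexpected port, which is the case the reply's second point says actually warrants a look. The log format and the EXPECTED_SVCHOST_PORTS set are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample log (not real firewall output): direction, protocol,
# local port, remote address, process. Inbound lines mirror the post's UDP 1026 hits.
SAMPLE_LOG = """\
in  udp 1026 53.242.38.185  svchost.exe
in  udp 1026 24.64.212.156  svchost.exe
in  udp 1026 203.165.149.23 svchost.exe
in  udp 1026 24.64.224.78   svchost.exe
in  udp 1026 24.64.90.93    svchost.exe
out udp 53   10.0.0.1       svchost.exe
out tcp 25   198.51.100.7   svchost.exe
out tcp 25   198.51.100.7   svchost.exe
"""

# Ports svchost.exe services normally use from a home XP box (DNS, DHCP, NTP, Windows Update). Assumption; adjust.
EXPECTED_SVCHOST_PORTS = {53, 67, 68, 123, 80, 443}

def parse(log):
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines rather than crash
        direction, proto, port, remote, proc = parts
        events.append((direction, proto, int(port), remote, proc))
    return events

def summarize(events):
    """Group by (direction, proto, port, process): hit count and distinct remotes."""
    groups = defaultdict(lambda: {"hits": 0, "remotes": set()})
    for direction, proto, port, remote, proc in events:
        g = groups[(direction, proto, port, proc)]
        g["hits"] += 1
        g["remotes"].add(remote)
    return groups

def classify(key, g):
    """Label one group: background scanning noise vs. something worth a look."""
    direction, proto, port, proc = key
    # Many distinct remote hosts each hitting the same local port once = unsolicited scanning.
    if direction == "in" and g["hits"] > 1 and len(g["remotes"]) == g["hits"]:
        return "inbound noise: block silently, no per-address rules needed"
    if direction == "out" and proc == "svchost.exe" and port not in EXPECTED_SVCHOST_PORTS:
        return "outbound svchost.exe on unexpected port: investigate the process"
    return "expected"

def triage(log):
    return {key: classify(key, g) for key, g in summarize(parse(log)).items()}
```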