June 20th, 2003, 05:57 PM
I have Norton Personal Firewall on a DSL line and run XP. The firewall periodically tells me c:\windows\system32\svchost.exe is preparing to access the internet. I have blocked traffic whenever I see this. Symantec says this file is a legit filename and NAV does not identify it, but it is also the name of one of the files placed on the computer under BackDoor-AQT (McAfee)—and my thanks to whoever it was who published some of this info in another thread. I cannot find this file by searching Windows even with all files shown. I should assume it is a backdoor, but I am not clear what to do about it given the Norton ambivalence.
I have more questions but none matter if I have a backdoor open right now. I’m getting really twitchy watching the monitor every second. My ability to research this is limited by my paranoia about being online. Advice?
June 20th, 2003, 06:05 PM
This is for Windows Automatic Update; it is not, or at least shouldn't be, a trojan or backdoor. Here is an excerpt from a cached site from Google:
The easiest way to stop the auto updates is to look under services 'automatic updates'
the command line is this:
C:\WINDOWS\system32\svchost.exe -k netsvcs
I just stop the service and set it to manual. It's probably a good backup plan
to do the file switch that I did above.
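The post above gives the command line of the legitimate svchost.exe instance but does not show how to tell a genuine one from an impostor using the same file name. The following is an added example, not code from the thread or from Symantec or Microsoft: it enumerates every running svchost.exe, checks that its image path is the one Windows ships and that the binary is Authenticode-signed, and lists which services each instance hosts (the `-k netsvcs` group in the post is one of these). It assumes a Windows host with PowerShell 3 or later and the CIM cmdlets; the Automatic Updates service name `wuauserv` is the one Windows uses.

```powershell
# Added example (not from the original thread): verify running svchost.exe
# instances and list the services each one hosts.
# Assumes PowerShell 3+ with the CIM cmdlets; run from an elevated prompt
# so that every process's ExecutablePath is readable.

$expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Signature check on the real binary: a legitimate svchost.exe is signed by Microsoft.
$sig = Get-AuthenticodeSignature -FilePath $expectedPath
"Signature status of $expectedPath : $($sig.Status) ($($sig.SignerCertificate.Subject))"

Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $proc = $_
    # An svchost.exe running from anywhere other than System32 is the thing to worry about.
    $pathOk = [bool]$proc.ExecutablePath -and ($proc.ExecutablePath -ieq $expectedPath)

    # Services hosted inside this particular instance, matched by process id.
    $hosted = Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $($proc.ProcessId)" |
              Select-Object -ExpandProperty Name

    [pscustomobject]@{
        PID          = $proc.ProcessId
        ParentPID    = $proc.ParentProcessId
        Path         = $proc.ExecutablePath
        PathExpected = $pathOk
        CommandLine  = $proc.CommandLine
        Services     = ($hosted -join ', ')
    }
} | Format-Table -AutoSize -Wrap

# The Automatic Updates service the post refers to (StartType needs PowerShell 5+).
Get-Service -Name wuauserv | Select-Object Name, Status, StartType
```

An instance whose `PathExpected` is false, whose command line lacks a `-k <group>` argument, or that hosts no services at all deserves a closer look; the legitimate instances all run from System32 and each carries one or more named services.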
June 20th, 2003, 07:25 PM
The definition is located here: http://www.igknighttec.com/Windows/W...vchost_exe.php
It isn't anything you should worry about... it's just another one of these things Windows has to help it run. And if you don't trust the information from the link above, then try this one, straight from the horse's mouth:
= Cheers, jag291 =
June 20th, 2003, 08:02 PM
Thank you cross and jaguar291--what a relief. I mean it, I feel like I can breathe again. I am grateful.
Now I need to make sure I fixed everything that allowed the problem to come up in the first place. After discovering an intrusion—it was about as subtle as a flaming bag of dog doo on the front steps, and thankfully no more destructive—I reset all my passwords, raised the security level for the firewall to max, searched all over the place for settings that would allow file sharing or remote operation (all reset by ? to "Take Me I’m Yours"), updated antivirus and ran a system scan, and erased all temp files and cookies. I did a system reset to two weeks before the intrusion, and traced down every renamed file to see if it was legit. I read over the various Norton logs and the Microsoft Events but I have no idea what most of it meant. Nothing seemed scary, and as you may have guessed, I scare easily. The firewall records were missing for the period when the hack occurred, of course. My questions now are, did I miss anything? Is there a simple one-stop comprehensive list of Windows filesharing or similar remote-access settings that I can check against the ones I know about? Next I'll get a hardware firewall and figure out if I really need all those ports. At least I am learning a lot.
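The poster asks for a one-stop list of remote-access and file-sharing settings to check. The thread never supplies one, so the following is an added example (not from the thread or from any vendor) that gathers the settings a defender would review on a Windows host after the kind of incident described: the Remote Desktop and Remote Assistance switches, the services that expose remote access (Remote Registry, Server, Terminal Services), every file share, the state of the Windows Firewall profiles, and the members of the local Administrators group. It assumes a modern Windows host with PowerShell 5.1 or later; the registry keys and service names used are the standard ones Windows ships, and the `Get-NetFirewallProfile`, `Get-SmbShare` and `Get-LocalGroupMember` cmdlets are available on Windows 8/Server 2012 and later.

```powershell
# Added example (not from the original thread): audit remote-access and
# file-sharing settings on a Windows host. Assumes PowerShell 5.1+ run elevated.

# 1. Remote Desktop: fDenyTSConnections = 1 means RDP is disabled (the safe value).
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
"Remote Desktop enabled : $($ts.fDenyTSConnections -eq 0)"

# 2. Remote Assistance: fAllowToGetHelp = 0 means solicited remote assistance is off.
$ra = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' -ErrorAction SilentlyContinue
"Remote Assistance allowed : $($ra.fAllowToGetHelp -eq 1)"

# 3. Services that expose the machine remotely. A home machine that is not
#    deliberately sharing files rarely needs any of these running.
Get-Service -Name RemoteRegistry, LanmanServer, TermService, WinRM -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Status, StartType | Format-Table -AutoSize

# 4. Every share the Server service is offering. Administrative shares (C$, ADMIN$, IPC$)
#    are normal; anything else should be one you created on purpose.
Get-SmbShare | Select-Object Name, Path, Description | Format-Table -AutoSize

# 5. Firewall state per profile. All three should be enabled with inbound blocked.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize

# 6. Who holds administrative rights. The poster found admin rights moved to
#    another account; every member listed here should be one you recognise.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource | Format-Table -AutoSize
```

Run it once on a machine you consider clean and keep the output; the same script run after an incident, diffed against that baseline, shows exactly which of these settings changed, which is far easier than rediscovering each dialog by hand.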
June 21st, 2003, 05:44 AM
No problem on the help but I'm just curious how you know that there was an intrusion if it was "about as subtle as a flaming bag of dog doo on the front steps, and thankfully no more destructive"?
June 22nd, 2003, 08:56 PM
I hope I did not get carried away with my metaphor. Evidence consisted of (1) admin powers given to other users but taken away from mine, both for XP and for the firewall; (2) all levels of protection on the firewall reduced to the lowest level instead of the default or medium level that I had them set to, and then the firewall was disabled; (3) all settings--that I know of--for remote access and file sharing set to Allow Access instead of No, where I had them; (4) my OE address book copied and left on the desktop (same for other user profiles); (5) logs for a few days immediately before the discovery appear as if the computer was never on, so I assume they were erased. No one outside my family has physical access to this machine. Do you agree that sounds like a hack--even if one of the most ethical ones in history? Thanks again for your post.
June 22nd, 2003, 09:05 PM
Yeah, it sounds like an intrusion, and some of those things have actually happened to my computer within the last month... I never thought it was an attack; I just assumed that I didn't save settings or I accidentally copied something, but now I'm going to go check my firewall log...
= Cheers, jag291 =
June 25th, 2003, 03:39 AM
Well, that is interesting, that you have seen similar activity. I can't interpret most of the log info. But if you can, I will be eager to see what you learn. Thanks again.