A Windows XP help forum. PCbanter


Unknown svchost.exe DNS port 53 network activity



 
 
  #1  
Old December 20th 06, 08:25 AM posted to microsoft.public.security.virus,microsoft.public.windowsxp.security_admin,alt.privacy.spyware,microsoft.public.security,microsoft.public.security.virus
Raffi
Default Unknown svchost.exe DNS port 53 network activity

First off sorry for cross posting. I'm not sure what this is although
it resembles a trojan.

I noticed heavy activity on my router as well as my workstation LAN
connection icon in the tray. After some digging it appears to be an svchost
process that is listening on port 53 with a remote address of my ISP's
DNS server. My router is not set to forward DNS traffic to a specific
system.

I have run the following without any success in catching this bug:

AntiVir antivirus
Avast antivirus
Spybot S&D
Ad Aware
AVG antispyware

I got the following information for the related process from Port
Explorer:

Command line: c:\windows\system32\svchost.exe -k Network Service

Any help in identifying this bug and cleaning will be greatly
appreciated.

Thanks,
Raffi

  #2  
Old December 20th 06, 11:46 AM posted to microsoft.public.security.virus,microsoft.public.windowsxp.security_admin,alt.privacy.spyware,microsoft.public.security,microsoft.public.security.virus
No_Name
Default Unknown svchost.exe DNS port 53 network activity

Raffi wrote:
After some digging appears to be a svchost
process that is listening on port 53 with a remote address of my ISP's
DNS server.


svchost port 53

http://www.google.com.au/search?hl=e...Search&meta=

  #3  
Old December 20th 06, 09:26 PM posted to microsoft.public.security.virus,microsoft.public.windowsxp.security_admin,alt.privacy.spyware,microsoft.public.security
David H. Lipman
Default Unknown svchost.exe DNS port 53 network activity

From: "Raffi"

| First off sorry for cross posting. I'm not sure what this is although
| it resembles a trojan.
|
| I noticed heavy activity on my router as well as my workstation LAN
| connection icon in the tray. After some digging appears to be a svchost
| process that is listening on port 53 with a remote address of my ISP's
| DNS server. My router is not set to forward DNS traffic to a specific
| system.
|
| I have run the following without any success in catching this bug
|
| AntiVir antivirus
| Avast antivirus
| Spybot S&D
| Ad Aware
| AVG antispyware
|
| I got the following information for the related process from Port
| Explorer
|
| Command line: c:\windows\system32\svchost.exe -k Network Service
|
| Any help in identifying this bug and cleaning will be greatly
| appreciated.
|
| Thanks,
| Raffi

Yeah, excessive Cross-Posting for Domain Name Resolution!

Unless you can prove that there is something causing DNS calls outside your ISP Domain, this
is NORMAL.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


  #4  
Old December 21st 06, 01:01 AM posted to microsoft.public.security.virus,microsoft.public.windowsxp.security_admin,alt.privacy.spyware,microsoft.public.security
Raffi
Default Unknown svchost.exe DNS port 53 network activity


David H. Lipman wrote:
From: "Raffi"

| First off sorry for cross posting. I'm not sure what this is although
| it resembles a trojan.
|
| I noticed heavy activity on my router as well as my workstation LAN
| connection icon in the tray. After some digging appears to be a svchost
| process that is listening on port 53 with a remote address of my ISP's
| DNS server. My router is not set to forward DNS traffic to a specific
| system.
|
| I have run the following without any success in catching this bug
|
| AntiVir antivirus
| Avast antivirus
| Spybot S&D
| Ad Aware
| AVG antispyware
|
| I got the following information for the related process from Port
| Explorer
|
| Command line: c:\windows\system32\svchost.exe -k Network Service
|
| Any help in identifying this bug and cleaning will be greatly
| appreciated.
|
| Thanks,
| Raffi

Yaeh exxcessive Cross-Posting for Domain Name Resolution !

Unless you can prove that there is something causing DNS calls outside your ISP Domain, this
is NORMAL.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


It turns out it wasn't normal. I had recently installed a P2P program
on my PC and it had added a ton of entries in my hosts file. I'm
surprised none of the spyware programs gave me even the slightest
warning about these entries.

Raffi

  #5  
Old December 21st 06, 01:22 AM posted to microsoft.public.security.virus,microsoft.public.windowsxp.security_admin,alt.privacy.spyware,microsoft.public.security
David H. Lipman
Default Unknown svchost.exe DNS port 53 network activity

From: "Raffi"


| It turns out it wasn't normal. I had recently installed a P2P program
| on my PC and it had added a ton of entries in my hosts file. I'm
| surprised none of the spyware programs gave me even the slightest
| warning about these entries.
|
| Raffi

Still normal. The ONLY way this would be abnormal is if a DNSChanger Trojan was installed
and the PC was NOT using the ISP provided DNS servers but a tainted, malicious set of DNS
servers.

Now, having entries in the .\etc\hosts file will circumvent DNS calls. Based upon a Registry
setting that sets the order of name to address resolution, first the OS checks the hosts
file, and if a name to IP address mapping is listed, the IP address in the .\etc\hosts table will be
used. If a name (alias) is not in that hosts table then the TCP/IP stack will cause a DNS
call to a DNS server which will then return the IP address.

The way you have your original post worded, SVCHOST was found to communicate with your ISP's
DNS server.

One can only go by the wording of your original post and based upon what I read, I saw no
abnormality. While having modifications to the hosts table can be indicative of malicious
software, that is NOT always true. The owner/operator can apply the MVP Hosts file to their
computer to block malicious sites and the application is not malicious. If you can post
actual FireWall logs of DNS activity, Netstat dumps and the whole or extracts of the hosts
table, one can make a more definite determination of malware.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


  #6  
Old December 21st 06, 02:03 AM posted to microsoft.public.security.virus,microsoft.public.windowsxp.security_admin,alt.privacy.spyware,microsoft.public.security
Raffi
Default Unknown svchost.exe DNS port 53 network activity


David H. Lipman wrote:
From: "Raffi"


| It turns out it wasn't normal. I had recently installed a P2P program
| on my PC and it had added a ton of entries in my hosts file. I'm
| surprised none of the spyware programs gave me even the slightest
| warning about these entries.
|
| Raffi

Still normal. The ONLY way this would be abnormal is if a DNSChanger Trojan was installed
and the PC was NOT using the ISP provided DNS servers but a tainted, malicious, set of DNS
servers.

Now having entries .\etc\hosts file will circumvent DNS calls. Based upon a Registry
setting that sets the order of name to address resolution, first the OS calls the hosts
files and if a name to IP address is listed the IP address of the .\etc\hosts table will be
used. If a name (alias) is not in that hosts table then the TCP/.IP stack will cause a DNS
call to a DNS server which will then return the IP address.

The way you have your original post worded SVCHOST was found to communicate with your ISP's
DNS server.

One can only go by the wording of your original post and p\based upon what I read, I saw no
normality. While having modifications to the hosts table can be indicative of malicious
software, that is NOT always true. The owner/operator can apply the MVP Hosts file to their
computer to block malicious sites and the application is not malicious. If you can post
actuall FireWall logs of DNS activitry, Netstat dumps and the whol or extracts of the hosts
table, one can make a more definite determination of malware.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


Thanks for the reply. Removing the P2P software and clearing the
\etc\hosts file did not correct the issue after all. I just logged in
with the administrator account and the network activity is no longer
there. This seems to be happening only when I log into my personal
account. During my last login, SERVICES.EXE was making the connections
rather than SVCHOST.EXE. Is there a way to determine if these files
have been tampered with?

I'll try to get more information from netstat etc.

Raffi

  #7  
Old December 21st 06, 02:13 AM posted to microsoft.public.security.virus,microsoft.public.windowsxp.security_admin,alt.privacy.spyware,microsoft.public.security
David H. Lipman
Default Unknown svchost.exe DNS port 53 network activity

From: "Raffi"

|
| Thanks for the reply. Removing the P2P software and clearing the
| \etc\hosts file did not correct the issue after all. I just logged in
| with the administrator account and the network activity is no longer
| there. This seems to be happenning only when I log into my personal
| account. During my last login, SERVICES.EXE was making the connections
| rather than SVCHOST.EXE. Is there a way to determine if these files
| have been tampered with?
|
| I'll try to get more information from netstat etc.
|
| Raffi

Yes. Download and use Process Explorer
http://www.microsoft.com/technet/sys...sExplorer.mspx

And look at not only the file name SERVICES.EXE but the fully qualified name and path.

SERVICES.EXE and SVCHOST.EXE should ONLY be executed from the folder %windir%\system32.
If they are executed from any other location it is a sure sign of malware.

Also, there are DLLs that can be loaded and use SERVICES.EXE and SVCHOST.EXE such that the
legitimate SERVICES.EXE and/or SVCHOST.EXE are being loaded and used but are loading
malicious DLL files.

You can also run MSCONFIG.EXE and compare what is loaded as administrator vs. what is loaded
in your everyday account. You indicated the activity stopped when you logged on as admin,
thus what may be loaded to cause the activity is being loaded by that personal account.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
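As an added example (not code from anyone in this thread), here is a small Python triage script that applies Dave's two checks from posts #5 and #7 to the artefacts he asked Raffi to post: it joins a `netstat -ano` dump to process image paths to see which process owns the port-53 sockets, flags an svchost.exe or services.exe running outside %windir%\system32, and separates MVP-style blocking entries in the hosts file from entries that redirect a name to a routable address. The netstat rows, process paths and hosts lines are constructed samples, and %windir% is assumed to be C:\WINDOWS.

```python
"""Triage helper for the symptom in this thread: something talking to port 53 that may
or may not be the real svchost.exe. It correlates the artefacts Dave asked Raffi to post
(netstat dump, process image paths, hosts table). All sample data here is constructed."""
import ipaddress
from collections import namedtuple

SYSTEM32 = r"c:\windows\system32"  # assumes %windir% is C:\WINDOWS (the XP default)
DNS_PORT = 53
BLOCKING_TARGETS = {"127.0.0.1", "0.0.0.0"}  # what MVP-style blocking entries point at

Conn = namedtuple("Conn", "proto local remote state pid")

def parse_netstat(text):
    """Parse `netstat -ano` rows. UDP rows have no State column, so the PID is the last token."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        state = parts[3] if parts[0] == "TCP" else ""
        conns.append(Conn(parts[0], parts[1], parts[2], state, int(parts[-1])))
    return conns

def port_of(endpoint):
    """'203.0.113.53:53' -> 53; '*:*' (an unconnected UDP socket) -> None."""
    port = endpoint.rpartition(":")[2]
    return int(port) if port.isdigit() else None

def parse_process_list(text):
    """Parse 'PID<TAB>image path' lines, the two Process Explorer columns that matter here."""
    procs = {}
    for line in text.splitlines():
        if "\t" in line:
            pid, path = line.split("\t", 1)
            procs[int(pid)] = path.strip()
    return procs

def misplaced_system_binary(path):
    """Dave's rule from post #7: svchost.exe/services.exe outside %windir%\\system32 is malware.
    A genuine svchost.exe hosting a malicious DLL passes this check; that needs the DLL list."""
    path_l = path.lower()
    if path_l.rsplit("\\", 1)[-1] not in ("svchost.exe", "services.exe"):
        return False
    return not path_l.startswith(SYSTEM32 + "\\")

def dns_talkers(conns, procs):
    """Sockets whose remote port is 53, joined to the owning process's image path."""
    return [(c.pid, procs.get(c.pid, "<unknown>"), c.proto, c.remote)
            for c in conns if port_of(c.remote) == DNS_PORT]

def suspicious_hosts_entries(text):
    """Hosts entries that redirect a name to a routable address rather than blocking it.
    Heuristic from post #5: loopback/0.0.0.0 entries are how blocking lists work; anything
    else answers the lookup before the ISP's DNS server is ever asked."""
    flagged = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            flagged.append((addr, names, "unparseable address"))
            continue
        if addr in BLOCKING_TARGETS or ip.is_loopback:
            continue
        flagged.append((addr, names, "redirect to routable address"))
    return flagged

def triage(netstat_text, proc_text, hosts_text):
    conns = parse_netstat(netstat_text)
    procs = parse_process_list(proc_text)
    return {
        "dns_talkers": dns_talkers(conns, procs),
        "misplaced_binaries": [(pid, p) for pid, p in procs.items() if misplaced_system_binary(p)],
        "hosts_redirects": suspicious_hosts_entries(hosts_text),
    }

# Constructed samples; 203.0.113.0/24 is a documentation range, not a real ISP resolver.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       944
  TCP    192.168.1.10:1027      203.0.113.53:53        ESTABLISHED     1812
  UDP    192.168.1.10:1029      *:*                                    944
"""
PROCESS_SAMPLE = "\n".join([
    "944\tC:\\WINDOWS\\system32\\svchost.exe",
    "1812\tC:\\Documents and Settings\\raffi\\Application Data\\svchost.exe",
])
HOSTS_SAMPLE = """\
127.0.0.1       localhost
0.0.0.0         ads.example.net        # MVP-style block: benign
203.0.113.9     www.example-bank.test  # redirect: suspicious
"""

if __name__ == "__main__":
    for section, items in triage(NETSTAT_SAMPLE, PROCESS_SAMPLE, HOSTS_SAMPLE).items():
        print(section, *items, sep="\n    ")
```

On a real box the three inputs would come from `netstat -ano`, the Path column of Process Explorer and `%windir%\system32\drivers\etc\hosts`; the DLL-injection case Dave describes still needs a look at the loaded module list, which this script does not cover.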


  #8  
Old December 21st 06, 09:03 AM posted to microsoft.public.security.virus,microsoft.public.windowsxp.security_admin,alt.privacy.spyware,microsoft.public.security
Raffi
Default Unknown svchost.exe DNS port 53 network activity

David H. Lipman wrote:
From: "Raffi"

|
| Thanks for the reply. Removing the P2P software and clearing the
| \etc\hosts file did not correct the issue after all. I just logged in
| with the administrator account and the network activity is no longer
| there. This seems to be happenning only when I log into my personal
| account. During my last login, SERVICES.EXE was making the connections
| rather than SVCHOST.EXE. Is there a way to determine if these files
| have been tampered with?
|
| I'll try to get more information from netstat etc.
|
| Raffi

Yes. Download and use Process Explorer
http://www.microsoft.com/technet/sys...sExplorer.mspx

And look at not only the file name SERVICES.EXE but the fully qualified name and path.

SERVICES.EXE and SVCHOST.EXE should ONLY be executed from the folder; %windir%\system32
If they are executed from any other location it is a sure sign of malware.

Also, there are DLLs that can be loaded and use SERVICES.EXE and SVCHOST.EXE such that the
legitimate SERVICES.EXE and/or SVCHOST.EXE are being loaded and used but are loading
malicuious DLL files.

You can also run MSCONFIG.EXE and compare what is loaded as administrator vs. what is loaded
in you everyday account. You indicated the activity stopped when you logged on as admin.
thus what may be loaded to cause the activity is being loaded by that personal account.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


Dave,

Thanks for all the help and suggestions. I took the easy way out this
time. I created a new user and transferred all important files
(documents etc) to the new user. Then I deleted the original account.
This fixed the issue.

My guess is that this was some sort of malware. I did download Process
Explorer for future use. Sorry I couldn't chase this any longer but
this is my main workstation and I have a lot of work to do which had
been on hold while I was chasing this.

Thanks,
Raffi

  #9  
Old December 21st 06, 05:49 PM posted to microsoft.public.security.virus,microsoft.public.windowsxp.security_admin,alt.privacy.spyware,microsoft.public.security
Alun Jones
Default Unknown svchost.exe DNS port 53 network activity

"Raffi" wrote in message
ups.com...
David H. Lipman wrote:
From: "Raffi"

|
| Thanks for the reply. Removing the P2P software and clearing the
| \etc\hosts file did not correct the issue after all. I just logged in
| with the administrator account and the network activity is no longer
| there. This seems to be happenning only when I log into my personal
| account. During my last login, SERVICES.EXE was making the connections
| rather than SVCHOST.EXE. Is there a way to determine if these files
| have been tampered with?
|
| I'll try to get more information from netstat etc.
|
| Raffi

Yes. Download and use Process Explorer
http://www.microsoft.com/technet/sys...sExplorer.mspx

And look at not only the file name SERVICES.EXE but the fully qualified
name and path.

SERVICES.EXE and SVCHOST.EXE should ONLY be executed from the folder;
%windir%\system32
If they are executed from any other location it is a sure sign of
malware.

Also, there are DLLs that can be loaded and use SERVICES.EXE and
SVCHOST.EXE such that the
legitimate SERVICES.EXE and/or SVCHOST.EXE are being loaded and used but
are loading
malicuious DLL files.

You can also run MSCONFIG.EXE and compare what is loaded as administrator
vs. what is loaded
in you everyday account. You indicated the activity stopped when you
logged on as admin.
thus what may be loaded to cause the activity is being loaded by that
personal account.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


Dave,

Thanks for all the help and suggestions. I took the easy way out this
time. I created a new user and transferred all important files
(documents etc) to the new user. Then I deleted the original account.
This fixed the issue.

My guess is that this was some sort of malware. I did download process
explorer for future use. Sorry I couldn't chase this any longer but
this is my main workstation and I have alot of work to do which had
been on hold while I was chasing this.


Since the problem is "fixed" by running under a different user, that really
strongly points the finger at malware.

However, I would definitely recommend that you not view this as being
"fixed".

It isn't.

You still have that malware, and the "work" that you do on it is now exposed
to the author of that malware, and anyone he chooses to share it with.

Your most reliable bet would be to "flatten" the machine - take your work
off to a backup device, reinstall the OS and your applications, and restore
your work.

And don't be running P2P applications on your work machine. P2P
"file-sharing" is a great way to pick up malware, because you're downloading
and then executing untrusted data and applications from unknown and
untrusted third parties. Is it any wonder you got infected? Unless you
remove the infection, and stop doing the things that got you infected,
you'll stay infected, and you'll get infected again with the next thing that
comes along. Eventually, your "work" will be spread around the world for
everyone to enjoy. I don't think you want that.

Alun.
~~~~


  #10  
Old December 21st 06, 06:18 PM posted to microsoft.public.security.virus,microsoft.public.windowsxp.security_admin,alt.privacy.spyware,microsoft.public.security
Raffi
Default Unknown svchost.exe DNS port 53 network activity


Alun Jones wrote:
"Raffi" wrote in message
ups.com...
David H. Lipman wrote:
From: "Raffi"

|
| Thanks for the reply. Removing the P2P software and clearing the
| \etc\hosts file did not correct the issue after all. I just logged in
| with the administrator account and the network activity is no longer
| there. This seems to be happenning only when I log into my personal
| account. During my last login, SERVICES.EXE was making the connections
| rather than SVCHOST.EXE. Is there a way to determine if these files
| have been tampered with?
|
| I'll try to get more information from netstat etc.
|
| Raffi

Yes. Download and use Process Explorer
http://www.microsoft.com/technet/sys...sExplorer.mspx

And look at not only the file name SERVICES.EXE but the fully qualified
name and path.

SERVICES.EXE and SVCHOST.EXE should ONLY be executed from the folder;
%windir%\system32
If they are executed from any other location it is a sure sign of
malware.

Also, there are DLLs that can be loaded and use SERVICES.EXE and
SVCHOST.EXE such that the
legitimate SERVICES.EXE and/or SVCHOST.EXE are being loaded and used but
are loading
malicuious DLL files.

You can also run MSCONFIG.EXE and compare what is loaded as administrator
vs. what is loaded
in you everyday account. You indicated the activity stopped when you
logged on as admin.
thus what may be loaded to cause the activity is being loaded by that
personal account.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


Dave,

Thanks for all the help and suggestions. I took the easy way out this
time. I created a new user and transferred all important files
(documents etc) to the new user. Then I deleted the original account.
This fixed the issue.

My guess is that this was some sort of malware. I did download process
explorer for future use. Sorry I couldn't chase this any longer but
this is my main workstation and I have alot of work to do which had
been on hold while I was chasing this.


Since the problem is "fixed" by running under a different user, that really
strongly points the finger at malware.

However, I would definitely recommend that you not view this as being
"fixed".

It isn't.

You still have that malware, and the "work" that you do on it is now exposed
to the author of that malware, and anyone he chooses to share it with.

Your most reliable bet would be to "flatten" the machine - take your work
off to a backup device, reinstall the OS and your applications, and restore
your work.

And don't be running P2P applications on your work machine. P2P
"file-sharing" is a great way to pick up malware, because you're downloading
and then executing untrusted data and applications from unknown and
untrusted third parties. Is it any wonder you got infected? Unless you
remove the infection, and stop doing the things that got you infected,
you'll stay infected, and you'll get infected again with the next thing that
comes along. Eventually, your "work" will be spread around the world for
everyone to enjoy. I don't think you want that.

Alun.
~~~~


The "problem" was back overnight. I'll post more information soon.

Raffi

  #11  
Old December 21st 06, 09:34 PM posted to microsoft.public.security.virus,microsoft.public.windowsxp.security_admin,alt.privacy.spyware,microsoft.public.security
David H. Lipman
Default Unknown svchost.exe DNS port 53 network activity

From: "Raffi"


|
| The "problem" was back overnight. I'll post more information soon.
|
| Raffi



If you are using any version of Sun Java that is prior to JRE Version 6.0,
then you are strongly urged to remove any/all versions.
There are vulnerabilities in them and they are actively being exploited.

It is highly suggested that you update to the latest version which is Sun Java JRE/JSE
Version 6.0

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version.

Such as...
C:\Program Files\Java\jre1.6.0

http://java.sun.com/javase/downloads/index.jsp
http://www.java.com/en/download/manual.jsp

FYI:
http://sunsolve.sun.com/search/docum...=1-26-102557-1
http://sunsolve.sun.com/search/docum...=1-26-102648-1
http://sunsolve.sun.com/search/docum...=1-26-102622-1


For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/
http://www.lavasoft.de/ms/index.htm

* SpyBot Search and Destroy v1.4
http://security.kolla.de/
http://www.safer-networking.org/microsoft.en.html

* SuperAntiSpyware
http://www.superantispyware.com/supe...freevspro.html

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

* BHODemon

http://www.majorgeeks.com/downloadge...4332b4b8b8442d

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


  #12  
Old December 22nd 06, 03:29 AM posted to microsoft.public.security.virus,microsoft.public.windowsxp.security_admin,alt.privacy.spyware,microsoft.public.security
Raffi
Default Unknown svchost.exe DNS port 53 network activity


David H. Lipman wrote:
From: "Raffi"


|
| The "problem" was back overnight. I'll post more information soon.
|
| Raffi



If you are using any version of Sun Java that is prior to JRE Version 6.0,
then you are strongly urged to remove any/all versions.
There are vulnerabilities in them and they are actively being exploited.

It is highly suggested that you update to the latest version which is Sun Java JRE/JSE
Version 6.0

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version.

Such as...
C:\Program Files\Java\jre1.6.0

http://java.sun.com/javase/downloads/index.jsp
http://www.java.com/en/download/manual.jsp

FYI:
http://sunsolve.sun.com/search/docum...=1-26-102557-1
http://sunsolve.sun.com/search/docum...=1-26-102648-1
http://sunsolve.sun.com/search/docum...=1-26-102622-1


For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/
http://www.lavasoft.de/ms/index.htm

* SpyBot Search and Destroy v1.4
http://security.kolla.de/
http://www.safer-networking.org/microsoft.en.html

* SuperAntiSpyware
http://www.superantispyware.com/supe...freevspro.html

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

* BHODemon

http://www.majorgeeks.com/downloadge...4332b4b8b8442d

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


I have found the process responsible for the Port 53 traffic.
Suspending this process in Process Explorer stops the network activity.
Resuming it restarts the activity. Below are the details.

Process: svchost.exe Pid: 944

Type Name
Desktop \Default
Directory \KnownDlls
Directory \Windows
Directory \BaseNamedObjects
File C:\WINDOWS\system32
File \Device\KsecDD
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File \Device\NamedPipe\net\NtControlPipe5
File \Device\Tcp
File \Device\Ip
File \Device\Tcp
File \Device\Ip
File \Device\Ip
File C:\WINDOWS\system32\drivers\etc
File \Device\Tcp
File \Device\Udp
File \Device\Afd\Endpoint
File \Device\WMIDataDevice
File \Device\WMIDataDevice
File \Device\NamedPipe\lsarpc
File \Device\Afd\Endpoint
File \Device\Udp
File \Device\Afd\Endpoint
File \Device\Udp
File \Device\Afd\Endpoint
File \Device\Udp
File \Device\Afd\Endpoint
File \Device\Udp
File \Device\Afd\Endpoint
File \Device\Udp
File \Device\Afd\Endpoint
File \Device\Udp
File \Device\Afd\Endpoint
File \Device\Udp
File \Device\Afd\Endpoint
File \Device\Udp
File \Device\Afd\Endpoint
File \Device\Udp
Key HKLM
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage
Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters
Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
KeyedEvent \KernelObjects\CritSecOutOfMemoryEvent
Mutant \BaseNamedObjects\DCS_grd
Port \RPC Control\DNSResolver
Process svchost.exe(944)
Section \BaseNamedObjects\DCS_raw
Section \BaseNamedObjects\DCS_LOGraw
Semaphore \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Thread svchost.exe(944): 948
Thread svchost.exe(944): 3036
Thread svchost.exe(944): 972
Thread svchost.exe(944): 976
Thread svchost.exe(944): 3036
Thread svchost.exe(944): 460
Thread svchost.exe(944): 460
Thread svchost.exe(944): 1344
Thread svchost.exe(944): 3548
Thread svchost.exe(944): 3548
Thread svchost.exe(944): 1392
Thread svchost.exe(944): 1392
Thread svchost.exe(944): 1404
Thread svchost.exe(944): 1708
Thread svchost.exe(944): 1404
Thread svchost.exe(944): 1708
WindowStation \Windows\WindowStations\Service-0x0-3e4$
WindowStation \Windows\WindowStations\Service-0x0-3e4$

  #13  
Old December 22nd 06, 02:54 PM posted to microsoft.public.security.virus,microsoft.public.windowsxp.security_admin,alt.privacy.spyware,microsoft.public.security
Stefan Kanthak
Default Unknown svchost.exe DNS port 53 network activity

"David H. Lipman" wrote:

From: "Raffi"


|
| The "problem" was back overnight. I'll post more information soon.
|
| Raffi



If you are using any version of Sun Java that is prior to JRE Version 6.0,
then you are strongly urged to remove any/all versions.
There are vulnerabilities in them and they are actively being exploited.


Stop spreading FUD!
1.5.0_10 as well as 1.4.2_13 have no known vulnerabilities!

It is highly suggested that you update to the latest version which is Sun Java JRE/JSE
Version 6.0


It's completely sufficient to have the latest version of 1.5.0 or 1.4.2
installed and all previous versions (manually!) removed.
There are still quite some applets and java applications out there which
won't run with JRE6 or even JRE5!

Simple check, look under...
C:\Program Files\Java


| dir "C:\Program Files\"
|
| File not found

When will you learn to use "%ProgramFiles%"?

The only folder under that folder should be the latest version.

Such as...
C:\Program Files\Java\jre1.6.0

http://java.sun.com/javase/downloads/index.jsp
http://www.java.com/en/download/manual.jsp

FYI:
http://sunsolve.sun.com/search/docum...=1-26-102557-1
http://sunsolve.sun.com/search/docum...=1-26-102648-1
http://sunsolve.sun.com/search/docum...=1-26-102622-1


For non-viral malware...

Please download, install and update the following software...


Alun already gave the ONLY CORRECT advice: flatten and rebuild.

Stefan

fup microsoft.public.security

  #14  
Old December 22nd 06, 04:11 PM posted to microsoft.public.security.virus,microsoft.public.windowsxp.security_admin,alt.privacy.spyware,microsoft.public.security
Gabriele Neukam
Default Unknown svchost.exe DNS port 53 network activity

On this special day, David H. Lipman wrote :

If you are using any version of Sun Java that is prior to JRE Version 6.0,
then you are strongly urged to remove any/all versions.


You should replace the six with a nine or ten.

http://sunsolve.sun.com/search/docum...=1-26-102729-1
http://sunsolve.sun.com/search/docum...=1-26-102731-1
http://sunsolve.sun.com/search/docum...=1-26-102732-1

are the newest alerts by Sun.


Gabriele Neukam



--
With Windows you throw out what you don't need.
With Linux you throw in what you need.
(René 'vollmi' Vollmeier in de.comp.security.misc)


  #15  
Old December 22nd 06, 07:08 PM posted to microsoft.public.security.virus,microsoft.public.windowsxp.security_admin,microsoft.public.security
Tom Willett
Default Unknown svchost.exe DNS port 53 network activity

The most current version of JRE is now 6.0
https://sdlc6e.sun.com/ECom/EComActi...0ACBEE0FC574

"Gabriele Neukam" wrote in message
...
| On this special day, David H. Lipman wrote :
|
| If you are using any version of Sun Java that is prior to JRE Version
6.0,
| then you are strongly urged to remove any/all versions.
|
| You should replace the six with a nine or ten.
|
| http://sunsolve.sun.com/search/docum...=1-26-102729-1
| http://sunsolve.sun.com/search/docum...=1-26-102731-1
| http://sunsolve.sun.com/search/docum...=1-26-102732-1
|
| are the newest alerts by Sun.
|
|
| Gabriele Neukam
|
|
|
| --
| With Windows you throw out what you don't need.
| With Linux you throw in what you need.
| (René 'vollmi' Vollmeier in de.comp.security.misc)
|
|


 



