Norton Firewall says "permit" but I think it may be wrong

Discussion in 'Virus & Other Malware Removal' started by mandy123, Sep 18, 2003.

  1. mandy123

    mandy123 Thread Starter

    Joined:
    Aug 15, 2003
    Messages:
    204
    Norton Firewall is suggesting I "permit" the following:

    "A remote system is attempting to access Microsoft Generic Host Process for Win32 services. The program is "c:\windows\system32svchost.com."

    Is it ok to permit this? It is trying to access the pc every twenty minutes, even though I have permitted it a few times.
     
  2. hewee

    hewee

    Joined:
    Oct 26, 2001
    Messages:
    57,791
    I would say no.
    Do a scan for a virus and post your startup log.
     
  3. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Are you sure that's the exact message?
    c:\windows\system32svchost.com

    svchost is a legit process.
    Usual rule of thumb: if you don't know, deny access but don't check the "don't ask me again" box, just in case it's a needed process. Then if things are OK and Windows doesn't implode, after a week or so check the box and forget.
     
  4. BillC

    BillC

    Joined:
    May 28, 2003
    Messages:
    2,366
    I'm confused about the .com instead of .exe after 'system32svchost.' I get confused about a lot of things but what am I missing here? :confused:
     
  5. hewee

    hewee

    Joined:
    Oct 26, 2001
    Messages:
    57,791
    Yea I would think it is c:\windows\system32\svchost.exe
     
  6. mandy123

    mandy123 Thread Starter

    Joined:
    Aug 15, 2003
    Messages:
    204
    To correct: it is c:\windows\system32\svchost.exe. Not .com. Sorry for the confusion.

    I think you are all saying deny, which I will do, but as I said I have permitted it previously b/c Norton suggested I permit it. Is there anything else I should do?

    To hewee: there is nothing in the startup log that I don't recognize. In the task manager/processes menu there are four different svchost.exe items. Maybe this means something.
     
  7. mandy123

    mandy123 Thread Starter

    Joined:
    Aug 15, 2003
    Messages:
    204
    I forgot to mention I ran Norton AntiVirus and it turned up nothing. Spybot also turned up nothing.
     
  8. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Multiple instances of svchost can run at the same time.
    It is a legitimate Windows process.
    Just make sure your A/V is up to date and your firewall is running, and if you have any doubts come back here and post your H/T logfile.

    ;)
     
  9. BillC

    BillC

    Joined:
    May 28, 2003
    Messages:
    2,366
    I can tell you what I've done in my ZAP firewall. I have granted svchost.exe internet access but I recommend that you not give it server rights. Generic Host Process needs internet access for many services to function as they should. Hope this helps. :)
     
  10. hewee

    hewee

    Joined:
    Oct 26, 2001
    Messages:
    57,791
    Why do you need svchost.exe?

    I have ZA pro and use Netscape most of the time and IE when I have to but svchost.exe is not even listed in the "program control" because it has never asked to.

    I have windows 98se so after doing a search I see that I don't even have the svchost.exe on my PC so that is why it never asked to get online. :rolleyes:
     
  11. mandy123

    mandy123 Thread Starter

    Joined:
    Aug 15, 2003
    Messages:
    204
    Every instinct I have screams that there is something on the PC that should not be there. Here is my Hijack This log. It was recently reviewed, but perhaps something has recently been added. Thank you.

    Logfile of HijackThis v1.96.2
    Scan saved at 9:55:07 PM, on 9/18/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
    C:\Program Files\MSN\MSNCoreFiles\msn6.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\Webshots\WebshotsTray.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://loginnet.passport.com/login....tw=0&fs=1&fsa=1&fsat=1296000&lc=1033&_lang=EN
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: IMI (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{845D62A6-A15D-4D68-9674-1CA1B3566D8A}: NameServer = 209.244.0.3 209.244.0.4
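
An added example, not part of the original thread or any poster's code: the path check the replies above circle around (`.com` vs `.exe`, the missing backslash), applied to the "Running processes" section of a HijackThis log. The sample log is constructed, and the `C:\WINDOWS` install directory is an assumption taken from the log above.

```python
import ntpath

# Constructed sample in HijackThis "Running processes" layout; the last three
# process lines are invented look-alikes, not entries from the thread's log.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32svchost.exe
C:\WINDOWS\system32\svchost.com
C:\WINDOWS\svchost.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
"""

# Assumption: Windows is installed in C:\WINDOWS, as in the log in this thread.
EXPECTED = r"c:\windows\system32\svchost.exe"


def running_processes(log_text):
    """Return the paths listed under 'Running processes:' up to the blank line."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes"):
            in_section = True
        elif in_section:
            if not line:
                break
            paths.append(line)
    return paths


def check_svchost(path):
    """Classify one image path: 'ok', 'suspicious', or None if unrelated."""
    norm = ntpath.normpath(path).lower()  # Windows paths are case-insensitive
    if norm == EXPECTED:
        return "ok"
    # Any other file name containing 'svchost' is a look-alike: wrong
    # directory, wrong extension, or a name glued onto the folder name.
    if "svchost" in ntpath.basename(norm):
        return "suspicious"
    return None


def triage(log_text):
    """List (path, verdict) for every svchost-like entry in the log."""
    return [(p, v) for p in running_processes(log_text)
            if (v := check_svchost(p)) is not None]
```

A matching path only rules out look-alike names and locations; it says nothing about the contents of the file at that path.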
     
  12. marie500

    marie500

    Joined:
    May 6, 2002
    Messages:
    829
    Wow! I'm REALLY disappointed this wasn't ever resolved, because I have the EXACT same problem right now!! (One month after this thread was started.) We just got a new Dell computer with XP Home. It's being constantly pestered by the same thing:
    "A remote system is attempting to access Microsoft Generic Host Process for Win32 services. The program is "c:\windows\system32svchost.exe"

    Non-stop! I was clicking BLOCK each time, but it was so constant that I finally put these two things on permanent BLOCK on the firewall:
    MS Generic Host Process for Win32 Services
    AND
    svchost.exe

    They've been locked up there for a few days. Then...I realized I didn't even know what they are, and I couldn't find out for sure what they even are, and maybe I needed them...so I took them off a little while ago. Probably stupid - and EVEN WORSE, it just popped up & I said PERMIT - - thinking it might be Windows, or MS, or Updates or I don't even know what!! I'm really confused! Google isn't helping me at all.

    Since we're in an old thread, I know this might not get any replies, so if you don't mind, I'll repost my question in a separate post AFTER I give it a chance here first. I so wish that mandy123's post had been resolved!

    THANKS IF YOU CAN HELP!!
     
  13. BillC

    BillC

    Joined:
    May 28, 2003
    Messages:
    2,366
    I see this is still a question and unfortunately, I've not got an answer. I too did some searches with poor results. I would like to suggest that you do a 'WhoIs' search on the IP that has been asking for access as noted in your firewall.

    This could be very benign but I'm surprised I could not find anything about this. This system32svchost.exe is strange. All I could find is:
    Maybe you should follow your thought about a new thread with the header like: "What is system32svchost.exe?" :confused:
     
  14. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    As a basic rule

    Any svchost outgoing should be allowed
    any svchost incoming should be denied

    your firewall should automatically let back in what it has let out
     
  15. brindle

    brindle

    Joined:
    Jun 14, 2002
    Messages:
    3,520
    Like hewee said NO........Forgive me but I'm in a pissy mood, so many people have Norton problems since 3.11 I really can't understand why anyone uses their crappy products.....again JMHO
     
Short URL to this thread: https://techguy.org/165613