Norton Firewall says "permit" but I think it may be wrong

[mandy123]

Norton Firewall is suggesting I "permit" the following:

"A remote system is attempting to access Microsoft Generic Host Process for Win32 services. The program is "c:\windows\system32svchost.com."

Is it ok to permit this? It is trying to access the pc every twenty minutes, eventhough I have permitted it a few times.

 

[hewee]

I would say no.
Do a scan for a virus and post your startup log.

 

[$teve]

are you sure thats the exact message?
c:\windows\system32svchost.com

svchost is a legit process.
usual rule of thumb.....if you dont know,deny access but dont check the "dont ask me again" box just incase its a needed process.then if things are ok and windows dosent implode,after a week or so check the box and forget.

 

[BillC]

I'm confused about the .com instead of .exe after 'system32svchost.' I get confused about a lot of things but what am I missing here?

 

[hewee]

Yea I would think it is c:\windows\system32\svchost.exe

 

[mandy123]

To correct: it is c:\windows\system32\svchost.exe. Not .com. Sorry for the confusion.

I think you are all saying deny, which I will do, but as I said I have permitted it previously b/c Norton suggested I permit it. Is there anything else I should do?

To hewee: there is nothing in the startup log that I don't recognize. In the task manager/processes menu there are four different svchost.exe items. Maybe this means something.

 

[mandy123]

I forgot to mention I ran Norton AntiVirus and it turned up nothing. Spybot also turned up nothing.

 

[$teve]

multiple instances of svchost can run at the same time.
it is a legitimate windows process.
just make sure your A/v is up to date and your firewall is running and if you have any doubts come back here and post your H/T logfile.

 

[BillC]

I can tell you what I've done in my ZAP firewall. I have granted svchost.exe internet access but I recommend that you not give it server rights. Generic Host Process needs internet access for many services to function as they should. Hope this helps.

 

[hewee]

Why do you need svchost.exe?

I have ZA pro and use Netscape most of the time and IE when I have to but svchost.exe is not even listed in the "program control" because it has never asked to.

I have windows 98se so after doing a search I see that I don't even have the svchost.exe on my PC so that is why it never asked to get online.

 

[mandy123]

Every instinct I have screams that there is something on the PC that should not be there. Here is my Hijack This log. It was recently reviewed, but perhaps something has recently been added. Thank you.

Logfile of HijackThis v1.96.2
Scan saved at 9:55:07 PM, on 9/18/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Webshots\WebshotsTray.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://loginnet.passport.com/login....tw=0&fs=1&fsa=1&fsat=1296000&lc=1033&_lang=EN
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: IMI (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{845D62A6-A15D-4D68-9674-1CA1B3566D8A}: NameServer = 209.244.0.3 209.244.0.4

 

[marie500]

Wow! I'm REALLY disappointed this wasn't ever resolved, because I have the EXACT same problem right now!! (One month after this thread was started.) We just got a new Dell computer with XP Home. It's being constantly pestered by the same thing:
"A remote system is attempting to access Microsoft Generic Host Process for Win32 services. The program is "c:\windows\system32svchost.exe"

Non-stop! I was clicking BLOCK each time, but it was so constant that I finally put these two things on permanent BLOCK on the firewall:
MS Generic Host Process for Win32 Services
AND
svchost.exe

They've been locked up there for a few days. Then...I realized I didn't even know what they are, and I couldn't find out for sure what they even are, and maybe I needed them...so I took them off a little while ago. Probably stupid - and EVEN WORSE, it just popped up & I said PERMIT - - thinking it might be Windows, or MS, or Updates or I don't even know what!! I'm really confused! Google isn't helping me at all.

Since we're in an old thread, I know this might not get any replies, so if you don't mind, I'll repost my question in a separate post AFTER I give it a chance here first. I so wish that mandy123's post had been resolved!

THANKS IF YOU CAN HELP!!

 

[BillC]

I see this still is question and unfortunately, I've not got an answer. I too did some searches with poor results. I would like to suggest that you do a 'WhoIs' search on the IP that has been asking access as noted in your firewall.

This could be very benign but I'm surprised I could not find anything about this. This system32svchost.exe is strange. All I could find is:

%SystemRoot%System32Svchost.exe is a generic process name for services that run from dynamic-link libraries (DLLs). When you start Windows XP, Svchost,exe constructs multiple lists of service groupings that need to be loaded. Each instance can run at the same time. Svchost,exe groups are delineated at: HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsNTCurrentVersion
Svchost.

Maybe you should follow your thought about a new thread with the header like: "What is system32svchost.exe?"

 

[dvk01]

As a basic rule

Any svchost outgoing should be allowed
any svchost incoming should be denied

your firewall should automatically let back in what it has let out

 

[brindle]

Like hewee said NO........Forgive me but I'm in a pissy mood, so many people have norton problems since 3.11 I really can't understand why anyone uses there crappy products.....again JMHO