-
August 26th, 2005, 09:42 AM
#1
system vulnerability
Hi,
My firewall is blocking a couple of
processes from accessing the internet.
One is an application named 'ntoskrnl.exe'
and the other is 'svchost.exe' ...
Ideally I'd like to locate where in the
registry the lines kickstarting these
scripts exist and interrogate further.
I'm aware that svchost.exe serves a
multitude of tasks but I expect only a
few have scripts enabled to access the
internet.
Although no harm is being caused I'd like
to remove them from my system if possible.
Any suggestions on the best way to proceed
are appreciated.
Thanks,
TF.
-
August 26th, 2005, 09:52 AM
#2
Download TCPView: http://www.sysinternals.com/Utilities/TcpView.html
By default, TCPView updates every second, but you can use the Options|Refresh Rate menu item to change the rate. Endpoints that change state from one update to the next are highlighted in yellow; those that are deleted are shown in red, and new endpoints are shown in green.
Double-click the process and check the command line; post back with what you find if you're unsure of what to do next.
Liam
Desktop:I5 2500K|Asus P8Z68-V|8GB Corsair Vengeance|1280MB Nvidia 560 TI PE|1TB Seagate/60GB OCZ SSD|LG Blu-ray Writer|Corsair 750W
27" iMac:I5 2500S|12GB Crucial DDR3|ATI 1GB 6970|1TB|Superdrive|Mighty Mouse 
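Added example, not part of the original thread: TCPView shows which svchost.exe PID owns a connection, and this sketch goes one step further by correlating `netstat -ano` output with `tasklist /svc` output to name the services hosted in that PID. The sample output is constructed and the function names are illustrative assumptions.

```python
import re

# Constructed sample output of `tasklist /svc` and `netstat -ano`
# (203.0.113.x are documentation addresses, not real hosts).
TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    932 RpcSs
svchost.exe                   1088 AudioSrv, BITS, Dhcp, Dnscache,
                                   wuauserv
firefox.exe                   2044 N/A
"""
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    192.168.1.10:1042      203.0.113.5:80         ESTABLISHED     1088
  UDP    0.0.0.0:68             *:*                                    1088
  TCP    192.168.1.10:1050      203.0.113.9:443        ESTABLISHED     2044
"""

def parse_tasklist(text):
    """Map svchost PID -> hosted service names, joining wrapped rows."""
    services, pid = {}, None
    for line in text.splitlines():
        m = re.match(r"svchost\.exe\s+(\d+)\s+(.*)", line, re.I)
        if m:
            pid, rest = int(m.group(1)), m.group(2)
        elif pid is not None and line[:1].isspace() and line.strip():
            rest = line  # wrapped continuation of the previous row
        else:
            pid = None   # any other row ends the current entry
            continue
        services.setdefault(pid, []).extend(s.strip() for s in rest.split(",") if s.strip())
    return services

def parse_netstat(text):
    """Yield (proto, local, remote, state, pid); UDP rows have no state."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] in ("TCP", "UDP") and f[-1].isdigit():
            yield f[0], f[1], f[2], (f[3] if len(f) == 5 else ""), int(f[-1])

def svchost_endpoints(tasklist_text, netstat_text):
    """Endpoints owned by svchost.exe, annotated with that PID's services."""
    svc = parse_tasklist(tasklist_text)
    return [(pid, svc[pid], proto, local, remote, state)
            for proto, local, remote, state, pid in parse_netstat(netstat_text)
            if pid in svc]

if __name__ == "__main__":
    print(*svchost_endpoints(TASKLIST, NETSTAT), sep="\n")
```

Each service name reported this way has its own key under `HKLM\SYSTEM\CurrentControlSet\Services`, which is where the service's startup configuration lives in the registry.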
-
August 28th, 2005, 06:34 AM
#3
According to my firewall (McAfee v.6), svchost is a Windows application that never needs access to the internet. The only time it will ask for permission to access the internet is when it has been hijacked by a trojan.
SANITY IS JUST A STATE OF MIND
-
August 28th, 2005, 10:48 AM
#4
It will usually have a system process go through it to access the internet, and the way that virus/trojan writers have played it now is to use a Windows system file as a trojan so that it is accessing the internet through another standard file, the user won't pick it up, and won't deny the access.
Liam