ZoneAlarm firewall and generic host process for win32 services. plshelp - Firewalls
-
ZoneAlarm firewall and generic host process for win32 services. plshelp
ZoneAlarm firewall shows that it's letting generic host process for
win32 services access internet, even though I have not allowed it. I
basically use FF, Opera, eMule.
Can somebody please explain why generic host process for win32
services wants to access the net?
Also yesterday when I was browsing the net, a command prompt appeared
for 2-3 seconds and disappeared by itself.
-
Re: ZoneAlarm firewall and generic host process for win32 services. pls help
On Tue, 15 Jul 2008 05:53:36 -0700 (PDT), mkh wrote:
>zonealarm firewall shows that its letting generic host process for
>win32 services access internet, even though i have not allowed it. i
>basically use FF, Opera, emule.
>
>can somebody please explain why generic host process for win32
>services wants to access the net
>
>also yesterday when i was browsing the net, a command prompt appeared
>for 2-3 seconds and disappeared by itself.
You're hacked. Get rid of ZA, and get Agnitum Outpost.
-
Re: ZoneAlarm firewall and generic host process for win32 services. pls help
mkh wrote:
>zonealarm firewall shows that its letting generic host process for
>win32 services access internet, even though i have not allowed it. i
>basically use FF, Opera, emule.
>
>can somebody please explain why generic host process for win32
>services wants to access the net
>
>also yesterday when i was browsing the net, a command prompt appeared
>for 2-3 seconds and disappeared by itself.
That was your 'owned' system dropping to DOS so your botmaster could
accomplish something windows wouldn't let it do in broad daylight.
-
Re: ZoneAlarm firewall and generic host process for win32 services. pls help
Cunnilingus wrote:
> On Tue, 15 Jul 2008 05:53:36 -0700 (PDT), mkh wrote:
>> zonealarm firewall shows that its letting generic host process for
>> win32 services access internet, even though i have not allowed it. i
>> basically use FF, Opera, emule.
>>
>> can somebody please explain why generic host process for win32
>> services wants to access the net
>>
>> also yesterday when i was browsing the net, a command prompt appeared
>> for 2-3 seconds and disappeared by itself.
>
> You're hacked. Get rid of ZA, and get Agnitum Outpost.
Which will somehow magically remove the supposed infection? Yeah, right.
http://technet.microsoft.com/en-us/l.../cc512587.aspx
First, one should examine the system to see if there's some actual evidence for
an infection (the described symptoms can mean anything or nothing). Some
tools to start with are:
- netstat or TCPView [1] to show listening sockets and established
connections
- Process Explorer [2] to show information about the running processes
(Windows' Task Manager doesn't provide enough information to be useful
here)
- Autoruns [3] to show what's automatically started
- HijackThis! [4] to check for browser hijacking (use [5] to analyze the
log)
Further steps could be:
- check for rootkits (e.g. with RootkitRevealer [6] or Rootkit Hook
Analyzer [7])
- run a portscan against the system to check if there are open ports
that netstat or TCPview don't report (which would hint at a rootkit)
- Dump the memory (before you reboot/shutdown the computer) for later
analysis with a debugger
- Run a virus scan after booting the computer from some other medium
(e.g. UBCD [8] or TRK [9])
- inspect traffic with a protocol analyzer (e.g. Wireshark [10])
Yes, computer forensics do require quite some knowledge, why do you ask?
[1] http://technet.microsoft.com/en-us/s.../bb897437.aspx
[2] http://technet.microsoft.com/en-us/s.../bb896653.aspx
[3] http://technet.microsoft.com/en-us/s.../bb963902.aspx
[4] http://www.merijn.org/programs.php#hijackthis
[5] http://www.hijackthis.de/
[6] http://technet.microsoft.com/en-us/s.../bb897445.aspx
[7] http://www.resplendence.com/hookanalyzer
[8] http://www.ultimatebootcd.com/
[9] http://trinityhome.org/Home/index.ph...=1&front_id=12
[10] http://www.wireshark.org/
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
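
Added example, not part of the thread or any poster's own code: the first step in the list above (netstat), correlated with `tasklist /svc /fo csv` to show which services sit inside the svchost.exe instance that owns each socket, plus the port-scan cross-check from the further steps. The sample output, addresses, PIDs and function names are constructed for illustration.

```python
import csv, io

# Constructed sample output of `netstat -ano` and `tasklist /svc /fo csv`.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    192.168.1.10:1042      203.0.113.7:80         ESTABLISHED     1084
  TCP    192.168.1.10:1050      198.51.100.20:443      ESTABLISHED     2312
  UDP    0.0.0.0:123            *:*                                    1084
"""
TASKLIST = '''\
"Image Name","PID","Services"
"svchost.exe","948","RpcSs"
"svchost.exe","1084","wuauserv,W32Time,BITS"
"firefox.exe","2312","N/A"
'''

def parse_tasklist(text):
    """Map PID -> (image name, [hosted services])."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text.strip())):
        svcs = [] if row["Services"] == "N/A" else row["Services"].split(",")
        procs[int(row["PID"])] = (row["Image Name"], svcs)
    return procs

def parse_netstat(text):
    """Return (proto, local, remote, state, pid) tuples."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if f and f[0] in ("TCP", "UDP"):
            state = f[3] if len(f) == 5 else ""  # UDP rows have no State column
            rows.append((f[0], f[1], f[2], state, int(f[-1])))
    return rows

def svchost_traffic(netstat_text, tasklist_text):
    """Attribute every svchost.exe socket to the services hosted in that PID."""
    procs = parse_tasklist(tasklist_text)
    return [(pid, proto, local, remote, state, procs[pid][1])
            for proto, local, remote, state, pid in parse_netstat(netstat_text)
            if pid in procs and procs[pid][0].lower() == "svchost.exe"]

def hidden_listeners(netstat_text, scanned_open_ports):
    """TCP ports an external scan found open that netstat does not show LISTENING."""
    listening = {int(local.rsplit(":", 1)[1])
                 for proto, local, _, state, _ in parse_netstat(netstat_text)
                 if proto == "TCP" and state == "LISTENING"}
    return sorted(set(scanned_open_ports) - listening)
```

An svchost.exe PID hosting several services only narrows the candidates; a non-empty result from `hidden_listeners` is the netstat/portscan mismatch the post says would hint at a rootkit.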
-
Re: ZoneAlarm firewall and generic host process for win32 services. pls help
mkh wrote:
> zonealarm firewall shows that its letting generic host process for
> win32 services access internet, even though i have not allowed it. i
> basically use FF, Opera, emule.
This is because ZoneAlarm is crap, and you had better not depend on
it.
Fortunately, you don't need a "Personal Firewall".
Yours,
VB.
--
Please also note the reverse side of this letter!
-
Re: ZoneAlarm firewall and generic host process for win32 services. pls help
Cunnilingus wrote:
> Agnitum Outpost.
Outpost? HAHAHAHA!
VB.
--
Please also note the reverse side of this letter!