Thread: Scary activity
2006-06-18, 20:59 #1
(Edited by peterg on 18-Jun-06 21:59. Update)
Often when I go online with one particular computer (of two), ZoneAlarm indicates ferocious activity with Generic Host Process for Win32 Services, which is a vague term that indicates that it's a part of the system and not to be touched. It's hard to tell from any of the indicators that I can think to look at whether it's incoming or outgoing, but it does appear to be incoming. I have programs that I have set to automatically update and that sort of thing, and I have the latest ZoneAlarm Suite and up-to-date spyware protection.
Or so this post began when I started writing it.
I was about to say this is scary, when I checked Task Manager and it appeared that one of the Roboform functions was consuming resources. I don't have the removable version (I do have two subscriptions) but I keep the data on removable media.
I removed the media, and the activity ceased at once. Now it's really scary. I don't know who to ask or where to begin, or whether to just start phoning certain institutions to put a hold on everything and to start changing passwords.
Update: The alarm is now off, or half-off, because the machine is still downloading (or uploading) like a house on fire but without the external media (after a few reboots and experiments).
Are there programs or utilities to tell you what is going on in a case like this? I'll run a virus scan at once, but that may not tell me anything.
2006-06-18, 23:22 #2
Re: Scary activity
A quick answer, and I am also a little tired after a long day, so, if I may, I will come with some general tips, and maybe we will see if something else comes up.
The "Generic Host Process for Win32 Services" is svchost.exe (the process name); as you know, you have several running simultaneously, each one taking care of different services.
On my Home system I have, at a normal boot, 5 svchost.exe running; if I start a graphics application (Paint Shop Pro etc.) it starts the WIA service (Windows Image Acquisition). This service runs under a new svchost process, thus I will now find 6 svchost.exe processes. All this is said as background. An XP Pro system will have a different number of processes.
It is good that you are up to date, and I think you know very well when the automatic updates take place, so you can see if they are responsible for traffic.
I am afraid that I know nothing about Roboform. Is it some general password-keeper?
You are correct that AV scanning and even anti-spyware scanning may not tell you what is going on. However, you can do some things.
With Sysinternals Process Explorer, you can check what processes are running, like Task Manager. But there is a lot more information. You can see what service is running under the different "generic" name svchost.exe processes. Hover your mouse above the process. Right-click a process and click Properties; several tabs with information are available. Check for example TCP/IP to see traffic running through that process.
At Sysinternals, you can also, if you like, download TcpView. It will "show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections." Very easy to use.
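The same correlation that Process Explorer and TcpView show (which services sit inside each svchost.exe, and which remote endpoints that process is talking to) can be scripted. This is an added example, not part of the original thread; it assumes a Windows version that ships the `Get-NetTCPConnection` cmdlet (Windows 8 / Server 2012 or later) and an elevated PowerShell session.

```powershell
# Added example: for every svchost.exe, list the services it hosts and its
# established TCP connections, so heavy traffic can be tied to a named service.

# Services that are currently running report the PID of their host process.
$services = @(Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 })

# Established TCP connections, each tagged with the PID that owns the socket.
$connections = @(Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue)

$report = foreach ($proc in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
    $procId = $proc.Id

    # Wrap in @() so an empty result is a zero-length array, not $null.
    $hosted = @($services    | Where-Object { $_.ProcessId     -eq $procId })
    $owned  = @($connections | Where-Object { $_.OwningProcess -eq $procId })

    [pscustomobject]@{
        ProcessId       = $procId
        Services        = ($hosted | ForEach-Object { $_.Name } | Sort-Object) -join ', '
        Established     = $owned.Count
        RemoteEndpoints = ($owned |
            ForEach-Object { '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort } |
            Sort-Object -Unique) -join ', '
    }
}

# Busiest svchost instances first; an instance with connections but no
# hosted service name is the one to look at more closely.
$report |
    Sort-Object -Property Established -Descending |
    Format-Table -AutoSize -Wrap
```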