99 Posts

February 23rd, 2004 23:00

Network problem???

Have a network of six computers, Dell Dimensions, Windows XP; one computer does the dialing to connect to the internet, 56k modem. After I disconnect from the Internet, the modem immediately dials out again. When I disconnect it stays that way until I redial. I disconnected the network and the problem stopped. I can not find out what program or computer is constantly dialing out to the Internet after shut down of # 1 computer. All automatic updates are off. Have Norton SystemWorks, SpyBot, and routinely run virus checks etc. Also I changed the modem twice. Same problem.

Any ideas what may be the problem?

99 Posts

March 3rd, 2004 01:00

Jim,

 

Took over an hour just to get this far. Internet connects are still bad. Will paste the TCP View when the network system was disabled and then right after it was enabled. Hope this helps.

lsass.exe:928 UDP SETI6:isakmp *:*
NAVAPW32.EXE:108 TCP SETI6:1029 SETI6:0 LISTENING 
svchost.exe:1184 TCP SETI6:epmap SETI6:0 LISTENING 
svchost.exe:1268 TCP SETI6:1025 SETI6:0 LISTENING 
svchost.exe:1268 TCP SETI6:1039 SETI6:0 LISTENING 
svchost.exe:1428 UDP SETI6:1030 *:*  
System:4 TCP SETI6:microsoft-ds SETI6:0 LISTENING 
System:4 TCP SETI6:1028 SETI6:0 LISTENING 
System:4 TCP seti6:netbios-ssn SETI6:0 LISTENING 
System:4 UDP SETI6:microsoft-ds *:*  
System:4 UDP seti6:netbios-ns *:*  
System:4 UDP seti6:netbios-dgm *:*  

No network connection
lsass.exe:928 UDP SETI6:isakmp *:*  
NAVAPW32.EXE:108 TCP SETI6:1029 SETI6:0 LISTENING 
svchost.exe:1184 TCP SETI6:epmap SETI6:0 LISTENING 
svchost.exe:1268 TCP SETI6:1025 SETI6:0 LISTENING 
svchost.exe:1268 TCP SETI6:1039 SETI6:0 LISTENING 
svchost.exe:1428 UDP SETI6:1030 *:*  
System:4 TCP SETI6:microsoft-ds SETI6:0 LISTENING 
System:4 TCP SETI6:1028 SETI6:0 LISTENING 
System:4 UDP SETI6:microsoft-ds *:*  
System:4 TCP seti6.mshome.net:netbios-ssn SETI6:0 LISTENING 
System:4 UDP seti6.mshome.net:netbios-ns *:*  
System:4 UDP seti6.mshome.net:netbios-dgm *:*  

Right after I turned on network this is what I got right after the connection was. This is SETI 6

lsass.exe:928 UDP SETI6:isakmp *:*
NAVAPW32.EXE:108 TCP SETI6:1029 SETI6:0 LISTENING 
svchost.exe:1184 TCP SETI6:epmap SETI6:0 LISTENING 
svchost.exe:1268 TCP SETI6:1025 SETI6:0 LISTENING 
svchost.exe:1268 TCP SETI6:1039 SETI6:0 LISTENING 
svchost.exe:1428 UDP SETI6:1030 *:*  
System:4 TCP SETI6:microsoft-ds SETI6:0 LISTENING 
System:4 TCP SETI6:1028 SETI6:0 LISTENING 
System:4 UDP SETI6:microsoft-ds *:*  
System:4 TCP seti6.mshome.net:netbios-ssn SETI6:0 LISTENING 
System:4 UDP seti6.mshome.net:netbios-ns *:*  
System:4 UDP seti6.mshome.net:netbios-dgm *:*  
lsass.exe:928 UDP SETI6:isakmp *:*  
NAVAPW32.EXE:108 TCP SETI6:1029 SETI6:0 LISTENING 
svchost.exe:1184 TCP SETI6:epmap SETI6:0 LISTENING 
svchost.exe:1268 TCP SETI6:1025 SETI6:0 LISTENING 
svchost.exe:1268 TCP SETI6:1039 SETI6:0 LISTENING 
svchost.exe:1428 UDP SETI6:1030 *:*  
System:4 TCP SETI6:microsoft-ds SETI6:0 LISTENING 
System:4 TCP SETI6:1028 SETI6:0 LISTENING 
System:4 UDP SETI6:microsoft-ds *:*  
System:4 TCP seti6.mshome.net:netbios-ssn SETI6:0 LISTENING 
System:4 UDP seti6.mshome.net:netbios-ns *:*  
System:4 UDP seti6.mshome.net:netbios-dgm *:*  

99 Posts

March 3rd, 2004 22:00

Jim,

Having bad problems with local phone. Used the HijackThis to get this information from Computer ONE. Next I will load HijackThis on to Computer SETI 6.

C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spider.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\GIANT Company Software\Spam Inspector\siMain.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\hjt\hijackthis\HijackThis.exe
C:\hjt\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Hotmail Spam Filter - {58A83E4F-477A-4A3F-BF9B-B65BC2BD5598} - C:\Program Files\GIANT Company Software\Spam Inspector\siClientUIHotmail.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1072050547109
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37976.6550115741
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

99 Posts

March 3rd, 2004 23:00

Jim, This is the read out of Computer SETI 6 while it was connected to the internet.

Logfile of HijackThis v1.97.7
Scan saved at 7:24:45 PM, on 3/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\SETI@home\SETI@home.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\vincent splain\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.microsoft.com/isapi/redir.dll?Prd=ie&Pver=5.0&Ar=ie5update&O1=b1
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37775.5997916667
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

 

4.4K Posts

March 4th, 2004 00:00

frazser,

Could you post the two HijackThis logs in the Virus Information and Removal board?

Thanks!

Jim

99 Posts

March 5th, 2004 01:00

Jim,

I posted two other read outs on the virus information and removal site. Everything good. I did follow his instruction on removing some stuff without a problem. We still are now at square two. Any ideas of what I can do next? Same problem. I read your reply to Chris about firewalls. I do have one on Computer ONE but how do I use it on the other computers? Open to any and all suggestions.

Telephone company finally fixed the telephone lines.

4.4K Posts

March 5th, 2004 02:00

I read your reply to Chris about firewalls. I do have one on Computer ONE but how do I use it on the other computers? Open to any and all suggestions.

We could hit it with a bludgeon by reinstalling XP, but I don't think that's a good way to resolve things. Even if it stops the problem, you don't really know what was wrong!

Since ONE isn't the source of the problem, I'd suggest focussing on one of the SETI machines, SETI6 for example. We have it set so there aren't any known sources of "call home" behavior running. With only SETI6 (and of course, ONE) on the LAN, the number of potential sources of unknown outbound traffic is reduced to that one system.

I'd get ZoneAlarm working on SETI6, as a representative machine that causes dialouts. One thing that ZoneAlarm will do is hold off programs that are trying to access the Internet until you approve them. If you approve the "culprit", there will be a dialout. That way, you don't actually need to know what each and every program does. If a dialout happens after you approve the connection, that's the program we need to focus on.

Is ZoneAlarm now running on ONE? I didn't see it in the HijackThis output.

The reason for suggesting ZoneAlarm is just this - most of the folks who work on problems like this, including me, are familiar with ZoneAlarm and trust that it will report what it's doing accurately.

I was serious about the value of a dialup connection. It may be slow, but you immediately know if something odd's happening.

Jim

99 Posts

March 5th, 2004 03:00

Jim,

How about this. Since I did load Zone Alarm on SETI 6 and had some problems what if I just delete SpyBot, Ad-Aware and spyware Guard. Download Zone Alarm and see what happens.

Also, since I disabled the PlugnP what if I enable it because it didn't matter and it stops the Internet Connection Icon on five computers from displaying.

In the meanwhile I ran Spybot on every machine as well as Ad-aware. I also ran a defragmentation of all the systems. I also ran a complete virus check by Norton SystemWorks on all machines.

As soon as my system was back up and only SETI 6 connected via the Network to Computer ONE something dialed out. No exchange of data was seen except in the area of about 4,000 packets.

Is it possible that this also is giving you a headache.

Vince

4.4K Posts

March 5th, 2004 03:00

How about this. Since I did load Zone Alarm on SETI 6 and had some problems what if I just delete SpyBot, Ad-Aware and spyware Guard. Download Zone Alarm and see what happens.

The one program that might interfere with a firewall is Spyware Guard. Ordinarily, SpyBot and AdAware just scan things when you run the programs. If you've enabled anything beyond those basic features, I'd disable them.

Keep in mind, this thing's already present. So tools that prevent new programs from installing won't find this beast, because it's already there!

Also, since I disabled the PlugnP what if I enable it because it didn't matter and it stops the Internet Connection Icon on five computers from displaying.

The advantage in keeping UPnP off until we figure this out is that it could introduce more variables into the situation. Once we have the culprit identified, we should evaluate how this happened and make a decision about re-enabling UPnP based on the results of the evaluation.

In the meanwhile I ran Spybot on every machine as well as Ad-aware. I also ran a defragmentation of all the systems. I also ran a complete virus check by Norton SystemWorks on all machines.

That's further evidence we still don't know what's really going on! But it gets rid of a bunch of possible causes. That, naturally, is good!

Could this possibly have started after an update to the Seti@home program? I run it too, but on a Unix system, so I wouldn't have encountered that.

As soon as my system was back up and only SETI 6 connected via the Network to Computer ONE something dialed out. No exchange of data was seen except in the area of about 4,000 packets.

I'd stay with the restricted net setup (SETI6 and ONE) until we figure out what's causing the dialouts. We know that it's something on SETI6, but it's also known that one SETI machine connected to ONE will produce this symptom. The fewer variables the better!

I wonder what would happen if you dropped the inactivity timer to one minute. Since only 4000 packets were seen, that suggests something fairly simple occurred, and then was over. If the connection were dropped sooner, we might be able to get a sense of how often the process on SETI6 wants to "call home".

Is it possible that this also is giving you a headache.

The headache is that we're not getting this one pinned down!!!!!!

Jim

4.4K Posts

March 5th, 2004 04:00

I just installed Zone Alarm on SETI 6. Deleted Spy Guard.

The hunt begins anew! The suggestion about the modem inactivity timeout's actually related.

[I said...] I wonder what would happen if you dropped the inactivity timer to one minute. Since only 4000 packets were seen, that suggests something fairly simple occurred, and then was over. If the connection were dropped sooner, we might be able to get a sense of how often the process on SETI6 wants to "call home".

Don't understand?

I think you'd said somewhere along the way that the dialup was set to disconnect after five minutes of activity. So I was wondering whether the timer's being reset by other (unexpected) traffic occurring within five minutes. If the timeout were shorter, maybe it would be easier to spot what's causing the dialouts if the connection were dropped after the shortest possible inactivity timeout.

Jim

99 Posts

March 5th, 2004 04:00

Jim,

 

I just installed Zone Alarm on SETI 6. Deleted Spy Guard.

Vince

I wonder what would happen if you dropped the inactivity timer to one minute. Since only 4000 packets were seen, that suggests something fairly simple occurred, and then was over. If the connection were dropped sooner, we might be able to get a sense of how often the process on SETI6 wants to "call home".

Don't understand?

4.4K Posts

March 5th, 2004 19:00

Have zone alarm on Computer SETI 6. Don't know how this system works yet but, just as I turned off the internet connection this time a box starts flashing on zone alarm and a connection is made to the internet. Placing the mouse under this icon it reads "Generic Host Process for Win32 services". On the top of the zone alarm page just to the right of the picture of a lock are two gray boxes with a blue strip across the top, and then a picture of my SETI program. These two boxes are labeled the same "Generic Host Process for Win32 services".

The images to the right of the lock picture are programs that have active network connections. SETI seems to set up some network connections between its components on the same machine.

There are a bunch of things that the "Generic Host Process...", program name "svchost.exe", can do. Using "tlist -s", my Win2K machine lists these:

456 SVCHOST.EXE Svcs: RpcSs
560 SVCHOST.EXE Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv
1004 SVCHOST.EXE Svcs: wuauserv


(edit) Under XP, the name of the "task list" utility is "tasklist", and the way to get it to list associated services is with the argument "/svc" or "-svc".

Can you paste the output of tasklist /svc from SETI6 into a reply? It needs to be run from a "cmd.exe" window. I'm still researching what my list of things reported by tlist about "svchost.exe" are!

Given the reproducibility of this result, we can now focus on what's being funneled through "svchost.exe".

(edit) The list of services that run via "svchost.exe" on XP is very long. Here's an article including a table of them. Take a look at all the entries for svchost!

I've also been spending some time reading through Internet Connection Sharing troubleshooting articles. One that was mentioned is "Windows Update". Is it set to never check for updates on the SETI machines?

(edit #2) I found an article that claims that the Windows Messenger can do outbound UPnP broadcasts, even if UPnP is disabled! Try disabling that "feature" as described in the article.

Jim

Message Edited by jimw on 03-05-2004 03:31 PM

Message Edited by jimw on 03-05-2004 04:00 PM
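
The point of asking for `tasklist /svc` output is to tie each svchost.exe PID that TCPView reports to the services hosted inside that process. An added example (not written by either poster) that does this join in Python, using the SETI6 TCPView lines from this thread and a constructed `tasklist /svc` listing whose service lists are illustrative assumptions:

```python
import re

# TCPView lines for SETI6, copied from the capture posted earlier in this thread.
TCPVIEW = """\
lsass.exe:928 UDP SETI6:isakmp *:*
NAVAPW32.EXE:108 TCP SETI6:1029 SETI6:0 LISTENING
svchost.exe:1184 TCP SETI6:epmap SETI6:0 LISTENING
svchost.exe:1268 TCP SETI6:1025 SETI6:0 LISTENING
svchost.exe:1268 TCP SETI6:1039 SETI6:0 LISTENING
svchost.exe:1428 UDP SETI6:1030 *:*
System:4 TCP SETI6:microsoft-ds SETI6:0 LISTENING
"""

# CONSTRUCTED `tasklist /svc` output: the thread never shows the real one.
# PIDs match the capture above; the service lists are illustrative only.
TASKLIST_SVC = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
lsass.exe                    928 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                 1184 RpcSs
svchost.exe                 1268 AudioSrv, Browser, Dhcp, Netman, RasMan,
                                 SharedAccess, TapiSrv, wuauserv
svchost.exe                 1428 Dnscache
"""

# One table row: image name (may contain spaces), PID, start of service list.
ROW = re.compile(r"^(\S.*?)[ \t]+(\d+)[ \t]+(\S.*)$")
# One TCPView line: image:pid, protocol, local host:port.
ENDPOINT = re.compile(
    r"^(?P<image>[^:\s]+):(?P<pid>\d+)[ \t]+(?P<proto>TCP|UDP)[ \t]+(?P<local>\S+)",
    re.M)


def parse_tasklist_svc(text):
    """Return {pid: [service, ...]}, joining wrapped continuation lines."""
    table, last = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            last, svcs = int(m.group(2)), m.group(3)
            table[last] = []
        elif last is not None and line[:1].isspace() and line.strip():
            svcs = line            # wrapped service list of the previous row
        else:
            continue               # header, ruler or blank line
        table[last] += [s.strip() for s in svcs.split(",")
                        if s.strip() and s.strip() != "N/A"]
    return table


def svchost_endpoints(tcpview, tasklist):
    """List (pid, proto, local_port, services) for every svchost.exe socket."""
    services = parse_tasklist_svc(tasklist)
    rows = []
    for m in ENDPOINT.finditer(tcpview):
        if m["image"].lower() == "svchost.exe":
            pid = int(m["pid"])
            port = m["local"].rsplit(":", 1)[1]
            rows.append((pid, m["proto"], port,
                         services.get(pid, ["<unknown PID>"])))
    return rows


if __name__ == "__main__":
    for pid, proto, port, svcs in svchost_endpoints(TCPVIEW, TASKLIST_SVC):
        print(f"svchost.exe:{pid:<5} {proto} {port:<6} -> {', '.join(svcs)}")
```

A svchost.exe instance that hosts many services still needs narrowing down by stopping services one at a time, since the socket belongs to the process rather than to any single service.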

99 Posts

March 5th, 2004 19:00

Jim,

Did the test three times. Disconnected the Internet connection and immediately the computer dialed out to the Internet. The same gray/blue strip box that reads Generic Host Process for Win32 Services when the mouse is placed under it starts blinking as the connection to the internet is made.

99 Posts

March 5th, 2004 19:00

Jim,

Have zone alarm on Computer SETI 6. Don't know how this system works yet but, just as I turned off the internet connection this time a box starts flashing on zone alarm and a connection is made to the internet. Placing the mouse under this icon it reads "Generic Host Process for Win32 services". On the top of the zone alarm page just to the right of the picture of a lock are two gray boxes with a blue strip across the top, and then a picture of my SETI program. These two boxes are labeled the same "Generic Host Process for Win32 services".

Does this mean anything?

99 Posts

March 5th, 2004 22:00

Jim,

Can not get anywhere by using tasklist /svc or tasklist /-svc or tasklist -svc.

Tried to read the register by using the dir command and couldn't find tasklist on the list. Found taskmgn and taskman.

I have windows update disabled on all machines. I do them manually as often as possible.

Windows Messenger is off on all machines.

4.4K Posts

March 5th, 2004 22:00

Hmmm...I wonder if the fact that it's in the XP Pro section of Microsoft Technet means it isn't shipped with XP Home? That would be annoying!

After you've blocked an access attempt by svchost.exe, take a look at "Alerts and Logs" in ZoneAlarm. Look for entries about svchost.exe, and check the columns labelled "Source IP" and "Destination IP". The "interesting" ones will be IP addresses that are not on your own LAN.

I hope there are some! We certainly haven't been able to see them with netstat or tcpview!

Jim