Sygate also major slowdown?

I suspect you have some kind of problem going on there, virus or something. I run Win2k and Svchost NEVER tries to connect out here. Have run almost every software firewall out there and no problems like you describe. Sygate does run a little higher than most on cpu usage, but when I used it, it only used 2-4% cpu. If you're getting 100% then you have a problem of some kind unrelated to the firewalls. I'd check for viruses and/or malware.

I'll cut short my clever rejoinder. I'm looking for help in understanding what I specified. Thank you.

You should get yourself a $20 NAT router and put the machine behind it.

That all depends like if you block svchost.exe you may not have access to the Internet. In general you should leave it alone. A PFW solution can heighten a user's paranoia by popping-up the unwarranted messages as they set there and whine.

I didn't prevent any of the above from doing their job when I was into PFW solutions on any machines and don't do it now.

If you're the only user then you should know what's happening and pratice safe hex.

This too is on the Win 2k O/S and can be used to supplement a NAT router to stop outbound if need be and it ask no rediculous questions about what should and should not have access.

If you get a NAT router, then get one that you can use Wallwatcher.

Duane :)

What, besides the latest versions of the programs listed (AVAST!, AdAware, SpybotSD) do you recommend for this?

No idea there.. I use Avast also. That should catch any virus happening. Sounds like you have the usual programs for spyware/adware/malware. Sorry, I'm not of much help. Just sounds like something is amiss, obviously. If you can figure out why Svchost.Exe is trying to connect out that might put you on the right track.

My own solution to any serious problem is to just reformat, but I realize that might not be practical for many. But it does tend to solve problems..

Quaestor wrote in news:11bh23q27c3uk45 @news.supernews.com:

No.

True. I have to wonder about those programs, which did not do anything like this when I first installed w2k, and only began acting like that after I started getting the lsass problem. Oh well, maybe someone has a solution. So far I have been operating with the reinstall stated above for 12 hours with no problems, no increase in cpu use over a background noise of 1-2%. Maybe I'm fixed? Should know tomorrow. Svchost has stopped trying to connect so much. Maybe it will stay that way.

Thanks.

Duane :)

Detroit is one Hell of a defensive team. The Spurs better be up by some points in the 4th quarter late in the game or they are not going to make it.

Duane :)

I am talking about game seven. :)

Duane :)

UPDATE:

Oh my @#$% GAWD! was I wrong!!!!! *exclamatory expression*

Turns out my problem was not svchost, but scvhost (not the VC anc CV thingy), a well known component of various virus/trojan/worm attacks. I suppose those sasser hits were what put it there. Naturally, after clearing this I went to every place I use passwords and changed things.

I also did something no one recommended, but which I do: created a folder in the winnt\\system32 directory named scvhost.exe, set to Read Only. If another attempt is made to create such a file there this will cause it to fail.

Now the scarey part: AVAST let it run for days and never detected it. Checked around, found Kaspersky which found and removed it no problem.

I'm still wondering why ntoskrnl, inetinfo, and winlogon feel a need to be calling out from my system. So far nothing concrete.

As you most likely know, svchost.exe is the messenger for the O/S and one should not kill the messenger. You find out what's using the messager by using the proper tools like Process Explorer and look inside svchost.exe at the processes that are using svchost.exe and kill that. Svchost.exe does connect out for legit or not legit reasons, because some process is asking it to do it on its behalf. Of course, if svchost.exe is not running out of the System32 directory, it is a Trojan. If one wants to find backdoors, malware, Trojans etc that have circumvented and defeated malware detection applications, including APP Control in PFW solutions, then one must use the proper tools and look for them.

Duane :)

Svchost.exe is always in use by the O/S with multiples running out the system32 directory and it cannot be overlaid by malware. And if it was somehow deleted, then the O/S would put it back from its Windows or Winnt System32\\dllchche directory a failsafe. If svchost.exe was somehow replaced by a malware svchost.exe in the System32 directroy, the O/S would stop working -- period.

However, a Trojan svchost.exe can be running that is not running out of the System32 directory and one must recognize that and most don't, just like the a Trojan DllHost.exe can be running that not out of the System32 directory and other fake O/S componet names that are not running out of the System32 directory can be Trojans.

Malware detection applications are always a diem short and a dollar late.

It's not who but what is making the requests as they are only doing their jobs. ;-)

Duane :)

I would not worry much about ntoskrnl or winlogon. When I ran Sygate I do recall seeing ntoskrnl occasionally asking for permission and I just allowed it I think. There was nothing wrong with my system at the time and it just seemed like normal OS behavior. I don't know about inetinfo. So far the only one that sounds bad is that 'scvhost' (not svchost) program.

If you reinstalled and put in a firewall right away, and are getting no

100% cpu utilization, then I wouldn't worry much about those programs connecting outbound. If it appears to be normal behavior then you can most likely allow them outbound access (no inbound though). Just my opinion..

ntoskrnl gets discussed a lot on boards and such, apparenly not giving anyont any trouble, whether they let it call out or not. I won't worry too much. But the others, I want to know what they are doing before I let them do it. I own this machine, not billgates, and not the hackers. Right now it is sweet again, and I plan to keep things that way.

That's my conclusion.

After I created the dummy folder named scvhost.exe (read only) to block installation of another (you can't be too careful) I rebooted and the folder opened. Obviously something was trying to restart the program. I went into regedit, searched for all instances of that file name in the registry, deleted all such records/values, and things are fine.

So far.

Next month I will build a new system, and this one will become a firewall that shields that one. Considering how whatever got me got past my AVAST protection, I will run all the virus/trojan/worm protection I can pack into it that will run compatibly, since that will not impact my game machine.

Quaestor wrote in news:11bh23q27c3uk45 @news.supernews.com:

I found that the excellent (but currently defunct) blackviper.com is being mirrored here:

This page can tell you lots of things about what services you need, don't need, etc.

Personally, I never let anything connect that doesn't need to. Windows

2000/XP come with all kinds of services that not only want to connect to the Internet, but are not at all needed by a home user. Blackviper tells you which ones are safe to disable.

Thanks, this is most helpful. It still doesn't directly address the question of what to let through the firewall and what not, but it deals with some of that.

It amazes me what a vast effort is needed to overcome the vast effort MS puts into making their OS the biggest vulnerability and resource problem on the net. :-\\