David H. Lipman wrote:
> From: "Raffi" <thegrizzzly@yahoo.com>
>
>
> | It turns out it wasn't normal. I had recently installed a P2P program
> | on my PC and it had added a ton of entries in my hosts file. I'm
> | surprised none of the spyware programs gave me even the slightest
> | warning about these entries.
> |
> | Raffi
>
> Still normal. The ONLY way this would be abnormal is if a DNSChanger Trojan was installed
> and the PC was NOT using the ISP provided DNS servers but a tainted, malicious, set of DNS
> servers.
>
> Now having entries .\etc\hosts file will circumvent DNS calls. Based upon a Registry
> setting that sets the order of name to address resolution, first the OS calls the hosts
> files and if a name to IP address is listed the IP address of the .\etc\hosts table will be
> used. If a name (alias) is not in that hosts table then the TCP/IP stack will cause a DNS
> call to a DNS server which will then return the IP address.
>
> The way you have your original post worded SVCHOST was found to communicate with your ISP's
> DNS server.
>
> One can only go by the wording of your original post and based upon what I read, I saw no
> normality. While having modifications to the hosts table can be indicative of malicious
> software, that is NOT always true. The owner/operator can apply the MVP Hosts file to their
> computer to block malicious sites and the application is not malicious. If you can post
> actual FireWall logs of DNS activity, Netstat dumps and the whole or extracts of the hosts
> table, one can make a more definite determination of malware.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
Thanks for the reply. Removing the P2P software and clearing the
\etc\hosts file did not correct the issue after all. I just logged in
with the administrator account and the network activity is no longer
there. This seems to be happening only when I log into my personal
account. During my last login, SERVICES.EXE was making the connections
rather than SVCHOST.EXE. Is there a way to determine if these files
have been tampered with?
I'll try to get more information from netstat etc.
Raffi
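Dave's point is that a hosts entry takes precedence over DNS, so the question when triaging a hosts file is not how many entries it has but where they point: MVP-style block lists send names to a sink address, while an entry that sends a name to some other address silently overrides DNS for that name. The following triage script is an added example, not code from either poster; it parses hosts-file text (a constructed sample is embedded, and a real file can be passed as the first argument) and separates sink-style block entries from redirect-style entries that deserve a closer look.

```python
import ipaddress
import sys

# Constructed sample hosts file (not taken from the thread): the default
# localhost line, two MVP-style block entries, and two redirect entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0   ads.example-tracker.test   # MVP-style block to a sink address
127.0.0.1 banner.example-tracker.test
192.0.2.44 www.example-bank.test   # name now resolves elsewhere: review
192.0.2.44 update.example-av.test
"""

# Sink addresses that block lists such as the MVP Hosts file map names to.
BLOCK_SINKS = {"0.0.0.0", "127.0.0.1", "::1"}

def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                            # malformed line; resolver skips it too
        for name in parts[1:]:                  # one line may list several aliases
            entries.append((str(ip), name.lower()))
    return entries

def classify_hosts(text):
    """Split entries into the default localhost line, block-style lines
    (sink address) and redirect-style lines (any other address)."""
    result = {"default": [], "blocked": [], "redirected": []}
    for ip, name in parse_hosts(text):
        if name == "localhost" and ip in BLOCK_SINKS:
            result["default"].append((ip, name))
        elif ip in BLOCK_SINKS:
            result["blocked"].append((ip, name))
        else:
            result["redirected"].append((ip, name))  # overrides DNS for this name
    return result

if __name__ == "__main__":
    # On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    summary = classify_hosts(text)
    print(f'{len(summary["blocked"])} block entries, {len(summary["redirected"])} redirect entries')
    for ip, name in summary["redirected"]:
        print(f"REVIEW: {name} -> {ip}")
```

A long list of sink entries is what a block list looks like; redirect entries for names such as update or banking hosts are the ones to compare against a DNS answer from the ISP's resolver.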