2 Replies Latest reply on Aug 17, 2011 4:00 AM by amanisdude

    McSvHost.exe - Is this normal behaviour or malware please?

      I am looking for help from you cleverer people out there.

      I use the latest version of McAfee Total Protection.

      I use a program called TCPView to keep an eye on the TCP and UDP endpoints on my system, which provides a more informative and conveniently presented subset of the Netstat program that ships with Windows; this was written by Sysinternals, but Microsoft purchased it a few years ago - see http://technet.microsoft.com/en-gb/sysinternals/bb897437.aspx.

      When I look in TCPView recently, I see entries every 10 or so seconds as follows:

      Process: McSvHost.exe:1724

      Protocol: TCP

      Local Address: $MyComputerName:3692

      Remote Address: 192.168.168.1:microsoft-ds

      State - SYN_SENT

      Then very shortly afterwards

      Process: McSvHost.exe:1724

      Protocol: UDP

      Local Address: $MyComputerName:3694

      Remote Address: 192.168.168.1:microsoft-ds

      State - SYN_SENT

      Then very shortly afterwards another TCP entry with port 3696, and then UDP 3698, etc.; and it carries on like this all day. Each entry only stays for a few seconds, and then is terminated.

      I am trying to see if this is some sort of malware, and hope it is just McAfee sniffing my PC for activity, but obviously I am concerned that this is pointing to my router and going through all my ports one by one; almost as if malware is trying to find an open port.

      My router blocks the attempts, and it appears to be FTP traffic, although I might be wrong.

      I have scanned with McAfee, Spysweeper, Malwarebytes Anti-Malware, Stinger and all come up clean.

      Any thoughts? I cannot see anything online about this, and wonder if there is a strong technical person out there who might be able to tell me what this is, or, if they have the same software, help work it out for me?

      Many thanks

        • 1. Re: McSvHost.exe - Is this normal behaviour or malware please?

          I have had an email response which does not show on the forum - "I found out that McSvHost.exe was new with the 2010 upgrade. On my XP SP3 machine it was causing serious system degradation, using too much CPU. I found out that if I lower the priority to McSvHost to below normal my PC ran much better. However, I had to do this after every restart. Was McSvHost causing issues on your PC?"

          My answer to this is no - I have not previously had any problems with the widely reported McSvHost issues.

          • 2. Re: McSvHost.exe - Is this normal behaviour or malware please?

            I seem to have almost the exact same problem, except McSvHost also spams port 80 on all hosts on the local network with HTTP/1.0 requests. I am using McAfee Anti-Virus Plus and have known about this problem ever since I installed it around the same time as your post last year, so I assume this is "normal behavior", although it sucks for my server. My server logs are also saturated with logs of these empty HTTP requests, and it sometimes takes me hours to accurately calculate web statistics because of it. (I bet your McSvHost.exe does this too, but you don't have any HTTP servers on your network.)

            As for the SYN packets, I believe they're used to determine what computers are active on your local network. (TCP/UDP Port 445, a.k.a. Microsoft-DS, is used for network filesharing on Windows systems).

            Being that you never received a response to this question in nearly a year, it doesn't lend much hope to my question posted at https://community.mcafee.com/message/202429#202429. At any rate, I hope somebody answers this question in some official capacity at some point for both our sakes.

            Message was edited by: amanisdude on 8/17/11 4:00:02 AM CDT
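
An added example, not part of the thread and not McAfee code: a small triage script that reads TCPView-style rows and labels each process by how its remote hosts and remote ports vary, using the two patterns described in the posts above plus a hypothetical contrast case. All rows, the second PID, and `example.exe` are constructed for illustration.

```python
from collections import defaultdict

# Constructed rows shaped like TCPView columns:
# (process:pid, protocol, local_port, remote_host, remote_port)
SAMPLE = (
    # First post: a new local port on every attempt, always the same remote service.
    [("McSvHost.exe:1724", "TCP" if i % 2 == 0 else "UDP",
      3692 + 2 * i, "192.168.168.1", 445) for i in range(6)]
    # Reply 2 (PID is made up): port 80 tried on many hosts of the local network.
    + [("McSvHost.exe:2040", "TCP", 4100 + i, f"192.168.168.{i}", 80)
       for i in range(2, 8)]
    # Hypothetical contrast: one host, many different remote ports.
    + [("example.exe:999", "TCP", 5000 + i, "192.168.168.1", port)
       for i, port in enumerate([21, 22, 23, 25, 80, 110])]
)

def classify(rows, min_events=4):
    """Label each process by the spread of its remote hosts and remote ports.

    The local port is ignored on purpose: the OS assigns a fresh ephemeral
    source port to every outbound attempt, so it changes regardless of target.
    """
    hosts, ports, counts = defaultdict(set), defaultdict(set), defaultdict(int)
    for proc, _proto, _local_port, remote_host, remote_port in rows:
        hosts[proc].add(remote_host)
        ports[proc].add(remote_port)
        counts[proc] += 1
    labels = {}
    for proc, n in counts.items():
        n_hosts, n_ports = len(hosts[proc]), len(ports[proc])
        if n < min_events:
            labels[proc] = "too few events"
        elif n_hosts == 1 and n_ports >= min_events:
            labels[proc] = "port scan of one host"
        elif n_hosts >= min_events and n_ports == 1:
            labels[proc] = "host sweep on one service"
        elif n_hosts == 1 and n_ports == 1:
            labels[proc] = "repeated connect to one service"
        else:
            labels[proc] = "mixed"
    return labels

if __name__ == "__main__":
    for proc, label in classify(SAMPLE).items():
        print(f"{proc:20} {label}")
```

The labels describe only the shape of the traffic in the rows; they do not say whether the process generating it is legitimate.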