#1
svchost communication concerns - Who is it talking to.
Hello group,

I've had some viruses of some sort which forced me to reformat my drives. Before reformatting I transferred all my stuff to an external backup hard drive. I've been monitoring svchost.exe to see where it is communicating and to determine if I still have the virus; here are my findings:

Kaspersky says its rating is suspicious, danger index on 67. svchost.exe was created 27/07/07 and modified 13/04/08. I used Process Explorer to verify each instance of svchost and check its location, and that is all fine: c:\windows\system32\.

For network communications I found the following:
- UDP packet to router, local port 1900 - this one comes up often
- UDP packet to router, remote port 53 - this one comes up often too
- TCP to remote computer 64.211.21.134, remote port 80
- TCP to remote computer 65.55.27.220, remote port 443
- received UDP from other computer on network, local port 1900
- TCP to remote computer 24.66.94.138, remote port 80
- UDP to router, remote port 67
- TCP incoming from remote computer, local port 2869
- UDP to remote computer 255.255.255.255, remote port 67
- TCP to remote computer 207.138.126.184, remote port 80
- TCP to remote computer 207.138.126.192, remote port 80
- TCP with remote computer 65.55.200.155, remote port 80

And here is one that tipped me off: svchost was connecting to akamaitechnologies.com. I tried that web address and nothing comes up, but if I go to www.akamai.com I get a video related website that has partnered with Microsoft. Is this a concern or normal traffic?

Thank you for reading this long winded message. Any help would be appreciated.

Shaun Epp
#2
"Shaun" wrote in message ... [snip]

I forgot to mention that the program that gave me the virus was a DivX codec and player that I downloaded off the net. I think I got it from www.DivX.com, either way it was the offer of the same codec and player that I'm using. I uninstalled it before reformatting my drive and it tried contacting akamaitechnologies.com, and that is the web site that svchost.exe is trying to contact.

Shaun
#3
"Shaun" wrote: [snip]

I have had DivX on my machine for several months... no problems at all.
#4
"Bennett Marco" wrote in message ... [snip]

Well I'm suspecting that it spies on us, or worse. If your AV program / firewall lets you, set it so that it "prompts" you instead of "allow" in your firewall settings for svchost.exe. Monitor the requests you get and see if "akamaitechnologies.com" comes up as a prompt. It took 1 1/2 days before I noticed it.

Are you familiar with svchost.exe? Do you know what those other outgoing requests were in my initial post?

thanks,
Shaun
#5
"Shaun" wrote: [snip]

Nope. But for peace of mind, you might find something useful here: http://zapatopi.net/afdb/
#6
"Bennett Marco" wrote in message ... [snip]

Ha haaa,...... that's real funny! I'll have to pass that web site around.

OK... I've found the contact. Svchost sends TCP to a remote computer at IP address 96.6.45.34, Akamai Technologies. I even did a whois query and it's confirmed. I know that this is from the DivX codec and player pack that I installed a couple of months ago; when I uninstalled it, the program tried contacting Akamai Technologies. So I either still have the virus / spy after reformatting or I reinstalled it after getting a good copy of the DivX software. The question is "Why are they spying on me?"

Is anyone familiar with normal communications with svchost that could shed some light on my original post??

thanks,
Shaun
#7
Akamai is a server provider used by many companies (reputable ones) to host their files, etc. See http://en.wikipedia.org/wiki/Akamai_Technologies. Possibly Divx uses it, I don't know, but Microsoft, for example, does.

svchost.exe is a Windows server that is used by quite a few Windows services that may or may not occasionally use the internet, maybe to check for updates or synchronise time, for example. Could well be that they use the Akamai IP for that. A description is given in http://support.microsoft.com/kb/314056

Divx.com is a perfectly respectable site/company and if you did download the divx player and codecs from there, that download would have contained any virus or malware. Also, in so far as divx may occasionally go out to check for updates, it would not use svchost.exe but its own update checker.

So in my honest opinion:
a) svchost connecting to an Akamai IP is normal
b) in any case that has nothing to do with divx.
c) if you suspect your PC is infected, download and run a good antimalware app, such as SuperAntiSpyware (free version) http://www.superantispyware.com/

"Shaun" wrote in message ... [snip]
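One way to sort a listing like the one in the first post into traffic that services hosted inside svchost.exe are expected to generate (SSDP/UPnP, DNS client, DHCP client) and public hosts that still need to be mapped to their owning service and looked up, as an added example that is not from the thread. The port-to-service mapping, the ephemeral local ports and the "router"/"lan" placeholders are assumptions constructed from the posted entries.

```python
import ipaddress
from dataclasses import dataclass

# Well-known ports of Windows services hosted inside svchost.exe (assumed mapping for triage).
KNOWN_LOCAL = {   # keyed on (proto, local port) for incoming traffic
    ("UDP", 1900): "SSDP Discovery (UPnP device discovery on the LAN)",
    ("TCP", 2869): "UPnP Device Host (incoming LAN control requests)",
}
KNOWN_REMOTE = {  # keyed on (proto, remote port) for outgoing traffic
    ("UDP", 53): "DNS Client (name lookup via the router)",
    ("UDP", 67): "DHCP Client (lease request or renewal)",
    ("UDP", 1900): "SSDP Discovery (search sent to the router or multicast)",
    ("UDP", 123): "Windows Time (NTP synchronisation)",
}

@dataclass
class Conn:
    proto: str        # "TCP" or "UDP"
    direction: str    # "out" (svchost initiated) or "in" (remote initiated)
    remote: str       # IP address, or the constructed placeholders "router" / "lan"
    local_port: int
    remote_port: int

def is_local_scope(addr: str) -> bool:
    """True for LAN peers, the router placeholder and the DHCP broadcast address."""
    if addr in ("router", "lan") or addr == "255.255.255.255":
        return True
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_link_local or ip.is_multicast

def triage(c: Conn) -> str:
    """Return a verdict: 'expected: ...', 'lan-only: ...' or 'verify: ...'."""
    if c.direction == "in" and (c.proto, c.local_port) in KNOWN_LOCAL:
        return "expected: " + KNOWN_LOCAL[(c.proto, c.local_port)]
    if is_local_scope(c.remote):
        svc = KNOWN_REMOTE.get((c.proto, c.remote_port))
        return "expected: " + svc if svc else "lan-only: identify the owning service (tasklist /svc)"
    # Public hosts on 80/443 are the thread's real question: services inside svchost do reach
    # CDN addresses (Microsoft uses Akamai), so the check is to map the connection to its
    # owning service and look up the destination (reverse DNS / whois), as done for 96.6.45.34.
    return "verify: public host %s:%d, map to owning service and whois it" % (c.remote, c.remote_port)

def needs_verification(conns):
    return [c.remote for c in conns if triage(c).startswith("verify")]

# Constructed sample reproducing entries from the first post (local ports and the
# "router"/"lan" placeholders are made up; the post did not give them).
SAMPLE = [
    Conn("UDP", "out", "router", 1900, 1900),
    Conn("UDP", "out", "router", 1027, 53),
    Conn("TCP", "out", "64.211.21.134", 1030, 80),
    Conn("TCP", "out", "65.55.27.220", 1031, 443),
    Conn("UDP", "in", "lan", 1900, 1900),
    Conn("UDP", "out", "router", 68, 67),
    Conn("TCP", "in", "lan", 2869, 1040),
    Conn("UDP", "out", "255.255.255.255", 68, 67),
    Conn("TCP", "out", "96.6.45.34", 1050, 80),
]
```

Running `needs_verification(SAMPLE)` leaves only the three public addresses; everything else in the list is routine LAN-scope service traffic.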
#8
Minor correction. I meant to say that svchost is a Windows process, not a server.

"Jean Rosenfeld" wrote in message ... [snip]
#9
Second minor correction (apologies, it's late here and I did not check what I was writing properly): Divx downloads do NOT contain malware or viruses.

"Jean Rosenfeld" wrote in message ... [snip]
#10
"Shaun" wrote in message ... [snip]

It's probably simply checking for updates. Some programs "call home" when they are installed or uninstalled, too, if there is an active net connection; they use it to track their success rate. If I catch them, they go to my "never allow" file though. It might not even be DivX initiating it; are you positive of that? If so, you can turn off the auto update feature to stop it from checking.

Twayne`
#11
"Twayne" wrote in message ... [snip]

Thanks for your input, both of you, it is a lot more helpful than that Bennett Marco.

I know that the DivX program is the one using Akamai Technologies, since when I uninstalled it, it called to that website. And they are using svchost.exe to make the connections to Akamai Technologies, which seems kinda odd.

later,
Shaun