Hi, only me.

I know it seems common plcae for svchost.exe to phone home but recently it's been dong it more often on my pc. I know the system is malware free so I am jsut trying to find some mroe infromation on it. The sites I googled were rather breif so I was hopng you CC guys could shine some light on it.


Thanks

Tib

Hello Tib,

do you have logs from your firewall, if you are using one? Please explain what you mean by "phoning home". svchost should not be connecting out routinely other than for DNS lookups on port 53, UDP. it will also connect on ports 80 and 443 when you are scanning for Microsoft updates, as well as rarely for ssdp discovery service/UPnP device host TCP 2869 and UDP 1900 (I even have this rule disabled for svchost) and time synchronization on ports 123 or 37.

**EDIT**

I have not listed all the possibilities for svchost connecting to the network, but it should not be routinely "phoning home".

It appareas (although I cant check as im not on my home pc) to be connecting to the source of my bt connection which isukcoreserver.bt.bet or something along those lines.

ok here it is:

destination IP: 62.6.40.178.53.

Idnsc71.uk.bt.net.

Direction: outgoing

action taken: blocked

Hmmm a more unusual problem I think is at hand. A program I use for Im called xfire (which is safe and everything) Had an outgoing intrusion blocked except it was going to a website called cluchkill.com or clutchkill.com something along those lines. As far as im aware my computer is malware free. I use AVG, ewido anti spyware free, Spybot, and ad aware and they picked up nothing so I don't think a trojans at work. Just very odd as I have seen programs connect back to there own site or the BT adress above but never to another random site. Any comments much aprechiated.

Tib

P.S Im going on holiday for two weeks so obviously I might not respond till then.

Sorry for another psot but can't log in on this pc. The destination Ip for the xfire adress was: 72.232.215.230.29000.

Thanks


Tib

Thansk so much m8. I jsut got a bit scared and ran an onlien virsus can plus a hijackthis log. Now I can relax on my holiday. Thanks check mate.

Tib

Uh, that IP address should properly be read as 72.232.215.230 Port 29000. Here's the whois:

http://www.layeredtech.com/

_________________

Microsoft MVP Consumer Security 2006, 2007 & 2008

Sorry for the mistake Prince Serendip. Will continue this thread when im back from holiday. BTW does it still appaear to be a game server of some sort?


Tib

No worries Tib,

I had already figured out the last numbers, 53 & 29000, appended at the end of the ip addresses were ports

Below I have attached a ss of the site: Clutchkill.com (72.232.215.230)

However, when I connected to the site it connected at that ip, but on remote port 80 (http). My feeling is it is a site that your xfire utility sometimes connects to and is probably nothing to worry about, but I am not completely certain. I am not an expert in this area. Tib, I want to offer some more information but I really need to run. We are entertaining guests tonight. I will post back tomorrow am.

By for now.

Clutchkill_com.png
Description:
Filesize:	27.25 KB
Viewed:	48 Time(s)

Hi again Tib.

If you ever need a detailed listing of any and all TCP and UDP endpoints from your computer, there is a nifty, free utility I recommend from Sysinternals here:

If you are running Windows NT/2000/XP or Windows 98/Me, then download TCPView from here:

http://www.sysinternals.com/Utilities/TcpView.html Just scroll to the bottom of the page and choose the first download (81 KB). Create a folder under your Program files and name it whatever you want, then extract the download to the folder (4 files). Create a shortcut on your desktop to the Tcpview.exe file . Close any and all browsers then double-click the shortcut to launch TCPView. If you are running under a limited account, use the right-click->Run as option to launch it under administrative priveledges.

You will see 5 columns named: Process, Protocol, Local Address, Remote Address and State. This will enable you to see local and remote network status of all related processes. You can even right-click the process for its properties to see what directory it resides in. This is a very handy utility especially for anything that looks like a suspicious connection.