
very very odd(svchost.exe)

  • 04-05-2005 9:24pm
    #1
    Registered Users Posts: 5,553 ✭✭✭


    Hi, today I noticed a very odd thing

    svchost.exe is trying to connect to some strange sites and ips:

    www.eyeblaster.com
    dd.connextra.com
    i.i.com.com

    here's a screenshot of a log
    snag0000jg.jpg
    snag0010wh.jpg

    I'm kinda panicking, is it some serious danger? (could there be some danger of information stealing? like passwords and what I type?) I did all scans with Kaspersky AV, SpyBot, Ad-Aware, MS AntiSpyware, Dr.Web AV, none detected anything.

    what could it be? I'm not too keen on reinstalling the whole OS


Comments

  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    http://www.liutilities.com/products/wintaskspro/processlibrary/svchost/
    svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. This program is important for the stable and secure running of your computer and should not be terminated. Note: svchost.exe is a process which is registered as the W32.Welchia.Worm. It takes advantage of the Windows LSASS vulnerability, which creates a buffer overflow and instigates your computer to shut down. To see more information about this vulnerability please look at the following Microsoft bulletin: http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx This is a registered security risk and should be removed immediately.


  • Registered Users Posts: 5,553 ✭✭✭CyberGhost


    ermm... I knew what svchost was, I just don't know why it's connecting to the ad sites and what is instructing it to connect?


  • Closed Accounts Posts: 4,943 ✭✭✭Mutant_Fruit


    hit ctrl-alt-del and list out all the processes running... there's probably some dodgy program running in the background. There may be a few instances of SVCHOST running, list em all :p

    Or first you could just run Adaware and Spybot and see if they help.


  • Registered Users Posts: 2,132 ✭✭✭Dinner


    What I'd do if I was you would be to panic and run to Tech support Guy forums with my hijack this log.

    But, that's me. :cool:


  • Registered Users Posts: 5,553 ✭✭✭CyberGhost


    Mutant, nope, nothing dodgy :?
    there are multiple instances of svchost running, but isn't that normal?

    Arabel, I'll ask there.

    Thanks Guys!


  • Closed Accounts Posts: 7,145 ✭✭✭DonkeyStyle \o/


    CyberGhost wrote:
    Mutant, nope, nothing dodgy :?
    there are multiple instances of svchost running, but isn't that normal?
    Seems normal in my experience yeah.
    I wouldn't stop at just checking running processes though, check out what services you're running... probably the fastest way of looking is: running "net start" in a cmd window, that should list what services are running.
    You can post the list here if you're unsure what's a standard windows service and what looks dodgy.

    I had a dodgy service running some time last year, I can't remember exactly, but it was something stupid like "windows secruty" (sic), the pathetic spelling error made it stand out even more than the fact that I didn't recognise it as a windows service.

    Having said that, yeah some will be more clever about hiding themselves, but you never know :rolleyes:


  • Closed Accounts Posts: 4,943 ✭✭✭Mutant_Fruit


    but it was something stupid like "windows secruty" (sic), the pathetic spelling error made it stand out even more than the fact that I didn't recognise it as a windows service
    Yeah, imagine windows having security! That'd be the biggest give away imo ;):D


  • Closed Accounts Posts: 1,502 ✭✭✭MrPinK


    Run 'Tasklist /SVC' from the command line. If you're using XP Home Edition, you'll have to download it from here and unzip it to C:\WINDOWS\system32.

    This tells you which service is running in each instance of svchost. It is normal to have multiple instances btw. If you don't see anything immediately dodgy, kill the instances of svchost one at a time until you've determined which one is making all these connections. Note all the services running under this instance (run tasklist again and see which svchost you killed). To find out which of the services on the list was the culprit, open up services under Administration Tools and shut them down one by one until the connections stop.


  • Registered Users Posts: 3,357 ✭✭✭snappieT


    us.i1.yimg.com is yahoo ads, fully legit.


  • Closed Accounts Posts: 1,502 ✭✭✭MrPinK


    I'd say they're all fully legit. But not knowing what was filling up my logs so I could kill it would really piss me off :)


  • Registered Users Posts: 2,757 ✭✭✭masterK


    As far as I know dd.connextra.com is some sort of betting related ads site, I know it always gets hit when you log on to the Racing Post website. It's harmless.


  • Registered Users Posts: 13,016 ✭✭✭✭vibe666


    us.i1.yimg.com is yahoo ads, fully legit.
    i really wouldn't describe ANYTHING remotely related to yahoo as 'legit'.

    go with the tasklist/svc as mrpink suggested and google all the results for svchost's sub-processes and see what you come up with.

    it's the only way to be sure.
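
The `Tasklist /SVC` approach suggested by MrPinK and vibe666, as an added example that is not part of the original thread: it parses saved `tasklist /SVC` output (including service lists that wrap onto a second line) and matches each svchost.exe PID against established connections, so the instance making the connections can be identified without killing anything. It assumes the connection list comes from `netstat -ano`, a command the thread does not mention; the sample output, PIDs and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of `tasklist /SVC` output (not taken from the thread).
TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    940 RpcSs
svchost.exe                   1036 AudioSrv, BITS, CryptSvc, Dhcp,
                                   wuauserv
svchost.exe                   1100 Dnscache
explorer.exe                  1500 N/A
"""
# Constructed sample of `netstat -ano` output; remote IPs are documentation ranges.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       940
  TCP    192.168.1.10:1045      203.0.113.7:80         ESTABLISHED     1036
  TCP    192.168.1.10:1046      198.51.100.9:80        ESTABLISHED     1036
  UDP    0.0.0.0:1025           *:*                                    1100
"""

def parse_tasklist(text):
    """Return {pid: [service, ...]} for svchost.exe rows, joining wrapped lines."""
    services, pid = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(.*)$", line)
        if m:  # new process row; track it only if it is svchost.exe
            pid = int(m.group(2)) if m.group(1).lower() == "svchost.exe" else None
            line = m.group(3)
        elif not line.startswith(" "):
            continue  # header, separator or blank line
        if pid is not None:  # first row or wrapped continuation of its service list
            services.setdefault(pid, []).extend(
                s.strip() for s in line.split(",") if s.strip())
    return services

def parse_netstat(text):
    """Return {pid: {remote_endpoint, ...}} for established TCP connections."""
    remotes = defaultdict(set)
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "ESTABLISHED":
            remotes[int(f[4])].add(f[2])
    return remotes

def correlate(tasklist_text, netstat_text):
    """Map each svchost PID with established connections to (services, remotes)."""
    svc, rem = parse_tasklist(tasklist_text), parse_netstat(netstat_text)
    return {p: (svc[p], sorted(rem[p])) for p in svc if p in rem}
```

With the sample data, `correlate(TASKLIST, NETSTAT)` reports only PID 1036, which narrows the search to the services hosted by that one instance.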

