hundaa
February 13th, 2011, 05:35 PM
Hi
Here's the deal: when I start the computer (WinXP x64), svchost.exe tries to create an HTTP connection to 95.100.3.235.
After it creates the connection, it changes into HTTPS. It stays like that for minutes. I prevented it from connecting to that address through the firewall, and I used Wireshark to packet-sniff what it is trying to do, but it showed only a few lines that I couldn't make out.
TCPVIEW shows the following:
svchost.exe:1052 TCP localhost:1053 95.100.3.235:https ESTABLISHED
After it created the HTTPS connection, it was garbage data (encrypted, of course) that I saw with Wireshark and couldn't make out. There was not much data going, but some. It goes off after some minutes.
TCPView and DiamondCS Port Explorer both say the file is svchost.exe, but when I try to hit "Properties", I get "Unable to query properties for svchost.exe:1052".
When I look up what IP that is, it says:
"Location: United Kingdom [City: ]
inetnum: 95.100.0.0 - 95.100.15.255
netname: AKAMAI-PA
descr: Akamai Technologies
role: Network Architecture Role Account
address: Akamai Technologies
address: 8 Cambridge Center
address: Cambridge, MA 02142
country: EU
"
and so on.
What could this be? Could this be some e-mail spambot or a Microsoft/NSA call-home feature? For example, sending the current IP to the "hive server" along with some unique Windows installation signature/serial so they know my current IP?
Svchost is "trusted" software in most firewalls by default, so people might have this program connecting to who knows where without their knowledge if they don't check their settings.
I have done a "run: sfc /scannow" and restored all Windows files to their original versions, but this keeps happening.
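One check a responder would run on a box like the poster's is to tie the connection's PID to the services hosted inside that svchost.exe instance, using the output of "netstat -ano" and "tasklist /svc" (both present on XP). This is an added example, not code from the post or from any tool it names; the netstat and tasklist output below is constructed, and PID 1052's service list is an assumption.

```python
import re

# Constructed sample output in the shape of "netstat -ano" (not from the post).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1053         95.100.3.235:443       ESTABLISHED     1052
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
"""

# Constructed sample output in the shape of "tasklist /svc"; the service
# names hosted by PID 1052 are an assumption for the example.
TASKLIST_SAMPLE = """\
Image Name                   PID Services
========================= ====== ====================
System                         4 N/A
svchost.exe                 1052 BITS, wuauserv, EventSystem
svchost.exe                  892 DcomLaunch, TermService
"""

def parse_netstat_tcp(text):
    """Return TCP rows as (local, remote, state, pid); UDP rows have no state and are skipped."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$", line)
        if m:
            rows.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return rows

def parse_tasklist_svc(text):
    """Map PID -> (image name, [service names]); 'N/A' means the process hosts no service.
    Note: real tasklist wraps long service lists onto continuation lines, not handled here."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(\S.*)$", line)
        if m:
            svcs = [] if m.group(3).strip() == "N/A" else [s.strip() for s in m.group(3).split(",")]
            procs[int(m.group(2))] = (m.group(1).strip(), svcs)
    return procs

def attribute_connections(netstat_text, tasklist_text, remote_ip):
    """For every TCP connection to remote_ip, return the owning image and hosted services."""
    procs = parse_tasklist_svc(tasklist_text)
    hits = []
    for local, remote, state, pid in parse_netstat_tcp(netstat_text):
        if remote.rsplit(":", 1)[0] == remote_ip:
            image, services = procs.get(pid, ("<pid not in tasklist>", []))
            hits.append({"pid": pid, "image": image, "services": services,
                         "local": local, "remote": remote, "state": state})
    return hits

if __name__ == "__main__":
    for hit in attribute_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE, "95.100.3.235"):
        print(hit)
```

An svchost.exe PID whose service list is empty, or a PID that tasklist cannot show at all, is the case worth digging into; a PID hosting known service groups points at which service to look at next.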