Need help identifying a process trying to 'phone home' - Please help

I have a process which is that is always trying to send packets out from my PC, which automatically runs at boot up. It is always identified and stopped by my Zone Alarm Firewall. ZA identifies the port.

I then open PE and can get the PID which matches this process. BTW, it is a svchost which complicates matters. By using Whois, I am able detect that the process maps only to a Cablevision web address. If I use Process Explorer and look up the PID, I find the responsible process to be the service DNSCache with a Display name of DNSClient. Since DNSCache is an essential service, I hit a roadblock at that point, in my attempts to figure out exactly what application/process is behind all this.

Of course, I can kill the process, and I have with no ill effects, but I am curious and would like to know who is phoning home and the reasoning behind it. If I do kill the process, it does not restart until the next reboot. Any suggestions in isolating what application is causing this, as I feel I am being spied upon?

Just for the record, all my security programs are set to 'prompt' before updating. And automatic updates are set to manual for XP WIndows Updates.
My system is completely clean according to my AV, Trojan program, Ad-aware, GAS, Spybot S&D, and HijackThis scans.

 

Hi Zorra, Is cablevision your ISP? As it may be that your PC is updating information from your ISP's DNS.
Could you do a screenshot or post any relevant info' from your logfile.
You can also Download Sysinternal Process Explorer to find out what particuler services svchosts is running by clicking on svchosts and checking th properties.

HTH Pilli

 

Hi Pilli, thanks for responding. Here are the pics. I did use Process Explorer once I obtained the PID from Port Explorer:

Zone Alarm alert log and text:

http://img.photobucket.com/albums/v221/negster22/ZA-call-out-log.jpg
Description Packet sent from XXXXX (UDP Port 1027) to 167.206.3.219 (DNS) was blocked
Rating Medium
Date / Time 2005/02/18 19:14:50-5:00 GMT
Type Firewall
Protocol UDP
Program svchost.exe
Source IP XXXXXX
Destination IP 167.206.3.219:53
Direction Outgoing
Action Taken Blocked
Count 1
Source DNS SOPHIA
Destination DNS dhcp69.srv.hcvlny.cv.net

Svchost properties for process #952 from Process Explorer

http://img.photobucket.com/albums/v221/negster22/Proc-exp-ss.jpg

Thread window for process #952 from Process Explorer

http://img.photobucket.com/albums/v221/negster22/proc-exp-threads.jpg

BTW, the pavshook.dll is associated with Panda TruPrevent
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TRUPREVENT PERSONAL\PAVSHOOK.DLL
This is probably a relevant piece of info which I just discovered. But why would that have to phone home?

Cablevision is my ISP, but still I cannot understand their frequent calling out attempts, considering these calls are always blocked how necessary could they be?

 

Hi zorra, I am no expert at these things so hopefully someone else may be able to comment, Panda may be just testing it's connection or seeking some sort of update I suppose? Think we need a firewall expert.


Edit, Care of LowWaterMark:

HTH Pilli

 

Great ideas by LWM.. which I will definitely implement to investigate this. Yeah, I suspected it wasn't Panda even thought the DLL was associated with that service. I will try all of the above suggestions by LowWaterMark and report back. I have seen him/her on other forums and know know he/she is an expert in troubleshooting.

Maybe you can provide me with some instructions on using Packet Sniffer as I have never used it before, and want to make sure I am getting the proper info to send back here.

Thanks. I appreciate your help!