Need help identifying a process trying to 'phone home' - Please help

Discussion in 'Port Explorer' started by Zorra, Feb 21, 2005.

Thread Status:
Not open for further replies.
  1. Zorra

    Zorra Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    19
    I have a process that is always trying to send packets out from my PC, and it automatically runs at boot up. It is always identified and stopped by my Zone Alarm Firewall. ZA identifies the port.

    I then open PE and can get the PID which matches this process. BTW, it is a svchost, which complicates matters. By using Whois, I am able to detect that the process maps only to a Cablevision web address. If I use Process Explorer and look up the PID, I find the responsible process to be the service DNSCache with a Display name of DNSClient. Since DNSCache is an essential service, I hit a roadblock at that point in my attempts to figure out exactly what application/process is behind all this.

    Of course, I can kill the process, and I have with no ill effects, but I am curious and would like to know who is phoning home and the reasoning behind it. If I do kill the process, it does not restart until the next reboot. Any suggestions for isolating what application is causing this, as I feel I am being spied upon?

    Just for the record, all my security programs are set to 'prompt' before updating. And automatic updates are set to manual for XP Windows Updates.
    My system is completely clean according to my AV, Trojan program, Ad-aware, GAS, Spybot S&D, and HijackThis scans.
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Zorra, is Cablevision your ISP? It may be that your PC is updating information from your ISP's DNS.
    Could you do a screenshot or post any relevant info from your logfile?
    You can also download Sysinternals Process Explorer to find out which particular services svchost is running by clicking on svchost and checking the properties.

    HTH Pilli
     
  3. Zorra

    Zorra Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    19
    Hi Pilli, thanks for responding. :) Here are the pics. I did use Process Explorer once I obtained the PID from Port Explorer:

    Zone Alarm alert log and text:

    http://img.photobucket.com/albums/v221/negster22/ZA-call-out-log.jpg
    Description Packet sent from XXXXX (UDP Port 1027) to 167.206.3.219 (DNS) was blocked
    Rating Medium
    Date / Time 2005/02/18 19:14:50-5:00 GMT
    Type Firewall
    Protocol UDP
    Program svchost.exe
    Source IP XXXXXX
    Destination IP 167.206.3.219:53
    Direction Outgoing
    Action Taken Blocked
    Count 1
    Source DNS SOPHIA
    Destination DNS dhcp69.srv.hcvlny.cv.net

    Svchost properties for process #952 from Process Explorer

    http://img.photobucket.com/albums/v221/negster22/Proc-exp-ss.jpg

    Thread window for process #952 from Process Explorer

    http://img.photobucket.com/albums/v221/negster22/proc-exp-threads.jpg

    BTW, the pavshook.dll is associated with Panda TruPrevent
    C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TRUPREVENT PERSONAL\PAVSHOOK.DLL
    This is probably a relevant piece of info which I just discovered. But why would that have to phone home?

    Cablevision is my ISP, but I still cannot understand their frequent calling-out attempts; considering these calls are always blocked, how necessary could they be?
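    As an added example (not from the thread, nor from Zone Alarm, Port Explorer or Process Explorer), a small Python script that parses an alert in the "Field Value" layout quoted above and classifies it the way a defender would: is this svchost.exe UDP/53 packet headed for a resolver the machine is actually configured to use? The alert text, the resolver list and the classification labels are constructed for the example; on XP the real resolver list comes from `ipconfig /all` and the PID-to-service mapping from `tasklist /svc`.

```python
import ipaddress

# Constructed sample: one Zone Alarm alert in the same "Field Value" layout
# quoted in the thread (the source IP is masked just as it was in the post).
ZA_ALERT = """\
Description Packet sent from XXXXX (UDP Port 1027) to 167.206.3.219 (DNS) was blocked
Rating Medium
Type Firewall
Protocol UDP
Program svchost.exe
Source IP XXXXXX
Destination IP 167.206.3.219:53
Direction Outgoing
Action Taken Blocked
Destination DNS dhcp69.srv.hcvlny.cv.net
"""

# Field names as Zone Alarm prints them; multi-word names are listed explicitly
# so that "Action Taken Blocked" splits as ("Action Taken", "Blocked").
FIELDS = ("Description", "Rating", "Date / Time", "Type", "Protocol", "Program",
          "Source IP", "Destination IP", "Direction", "Action Taken", "Count",
          "Source DNS", "Destination DNS")

def parse_za_alert(text):
    """Parse one Zone Alarm alert record into a dict of field -> value."""
    rec = {}
    for line in text.splitlines():
        for name in FIELDS:
            if line.startswith(name + " "):
                rec[name] = line[len(name) + 1:].strip()
                break
    return rec

def triage(rec, configured_dns):
    """Classify a blocked outbound packet; configured_dns is the list of
    resolver addresses the PC is set to use (constructed in the test)."""
    if rec.get("Program") != "svchost.exe":
        return "not-svchost"
    host, _, port = rec.get("Destination IP", "").rpartition(":")
    if rec.get("Protocol") == "UDP" and port == "53":
        # UDP/53 from a svchost.exe hosting the DNS Client service (dnscache)
        # is ordinary name resolution; confirm the PID->service mapping first.
        try:
            dest = ipaddress.ip_address(host)
        except ValueError:
            return "dns-bad-address"
        if dest in {ipaddress.ip_address(d) for d in configured_dns}:
            return "dns-client-to-configured-resolver"
        return "dns-to-unexpected-server"
    return "svchost-other"
```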
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Zorra, I am no expert at these things, so hopefully someone else may be able to comment. Panda may be just testing its connection or seeking some sort of update, I suppose? Think we need a firewall expert.


    Edit, Care of LowWaterMark:
    HTH Pilli
     
    Last edited: Feb 21, 2005
  5. Zorra

    Zorra Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    19
    Great ideas by LWM.. which I will definitely implement to investigate this. Yeah, I suspected it wasn't Panda even though the DLL was associated with that service. I will try all of the above suggestions by LowWaterMark and report back. I have seen him/her on other forums and know he/she is an expert in troubleshooting.

    Maybe you can provide me with some instructions on using Packet Sniffer as I have never used it before, and want to make sure I am getting the proper info to send back here.

    Thanks. I appreciate your help!
     