Tracing SVCHOST Hijack

Discussion in 'other security issues & news' started by asloane, Oct 10, 2007.

Thread Status:
Not open for further replies.
  1. asloane

    asloane Registered Member

    Joined:
    Oct 10, 2007
    Posts:
    4
    How can I trace which process is suddenly using SVCHOST.EXE to call out to wwwimages.adobe.com and edge.quantserve.com?

    There does not seem to be any visible service, process nor product running that would be related to Adobe.
     
  2. asloane

    asloane Registered Member

    Joined:
    Oct 10, 2007
    Posts:
    4
The SVCHOST TCP OUTs have been traced to Dreamweaver. No problem. The firewall log was not in time sequence. :rolleyes:
     
  3. asloane

    asloane Registered Member

    Joined:
    Oct 10, 2007
    Posts:
    4
    There is a problem!

    My firewall logs are showing for svchost.exe
    OUT REFUSED TCP edge.quantserve.com HTTP
    OUT REFUSED TCP us.js2.yimg.com HTTP

    How to discover what is "hijacking" svchost.exe ?
     
  4. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    This won't help your specific sleuth-work, but ...

    Because so many things, good and bad, can use Svchost, it was recommended to me that I not tick the "always remember" when permitting firewall access, so it has to ask each time.

    So far, the only time it asks is when connecting to MS Update. I know it's needed to complete my dialup connection too, but that specific function must already be OK'd behind the scenes, so to speak.
     
  5. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    To see the list of services hosted by each instance of svchost.exe, you may use the Tasklist.exe console utility available in Windows XP Professional Edition.

    Click Start, Run and type CMD.EXE

    Type tasklist /svc >c:\taskList.txt
     
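As an added example, not code from this thread, the following Python script shows the whole correlation the post above is working toward: it parses the output of `tasklist /svc` (PID to hosted services) and of `netstat -ano` (connection to owning PID) and joins them, so a refused outbound connection in the firewall log can be tied to one svchost.exe instance and the service group it hosts. The `tasklist` and `netstat` outputs embedded here are constructed samples in the real column layout; the IP addresses are documentation ranges, not the hosts named in the thread, and the PIDs and service lists are made up for illustration. Run both commands on the machine in question and feed the saved text files to `attribute_connections` instead of the samples.

```python
import re

# Constructed sample of `tasklist /svc` output (Windows XP Pro layout); not real data.
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    980 DcomLaunch, PlugPlay
svchost.exe                   1088 RpcSs
svchost.exe                   1184 AudioSrv, BITS, CryptSvc, Dhcp, dmserver,
                                   EventSystem, helpsvc, lanmanserver, Netman,
                                   Schedule, SENS, W32Time, winmgmt, wuauserv
svchost.exe                   1256 Dnscache
Dreamweaver.exe               2012 N/A
"""

# Constructed sample of `netstat -ano` output; 203.0.113.0/24 and 198.51.100.0/24
# are reserved documentation ranges, not the hosts from the firewall log.
NETSTAT_ANO = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1044      203.0.113.7:80         SYN_SENT        1184
  TCP    192.168.1.10:1045      198.51.100.23:80       ESTABLISHED     2012
  UDP    0.0.0.0:123            *:*                                    1184
"""

# A tasklist row: image name, PID, then the (possibly wrapped) service list.
_ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$")
# A netstat row: proto, local, remote, optional TCP state, owning PID.
_CONN = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def _split_services(s):
    """Turn 'A, B, C,' into ['A', 'B', 'C']; 'N/A' means no hosted services."""
    return [x.strip() for x in s.split(",") if x.strip() and x.strip() != "N/A"]


def parse_tasklist_svc(text):
    """Return {pid: (image_name, [services])} from `tasklist /svc` output.

    A wrapped service list continues on lines that start with whitespace,
    which belong to the most recently seen process row."""
    procs = {}
    last_pid = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        if line[0].isspace() and last_pid is not None:
            procs[last_pid][1].extend(_split_services(line))
            continue
        m = _ROW.match(line)
        if not m:
            continue
        last_pid = int(m.group("pid"))
        procs[last_pid] = (m.group("image"), _split_services(m.group("svcs")))
    return procs


def parse_netstat_ano(text):
    """Return a list of connection dicts from `netstat -ano` output."""
    conns = []
    for line in text.splitlines():
        m = _CONN.match(line)
        if m:
            conns.append({
                "proto": m.group("proto"),
                "local": m.group("local"),
                "remote": m.group("remote"),
                "state": m.group("state") or "",
                "pid": int(m.group("pid")),
            })
    return conns


def attribute_connections(tasklist_text, netstat_text, remote_prefix=None):
    """Join each connection to its owning image and hosted services.

    remote_prefix (e.g. an IP from the firewall log) restricts the result
    to connections whose foreign address starts with that string."""
    procs = parse_tasklist_svc(tasklist_text)
    result = []
    for c in parse_netstat_ano(netstat_text):
        if remote_prefix and not c["remote"].startswith(remote_prefix):
            continue
        image, services = procs.get(c["pid"], ("<unknown>", []))
        result.append({**c, "image": image, "services": services})
    return result


if __name__ == "__main__":
    for c in attribute_connections(TASKLIST_SVC, NETSTAT_ANO):
        print(f"{c['proto']} {c['remote']:<20} pid={c['pid']:<5} {c['image']}")
        if c["services"]:
            print("    hosted services:", ", ".join(c["services"]))
```

The join only narrows a connection to the svchost instance, and on XP the netsvcs instance hosts a dozen or more services (wuauserv, BITS, Schedule and so on in the sample), so it cannot by itself say which one opened the socket. To go one step further, a suspect service can be moved into its own svchost.exe process with `sc config <ServiceName> type= own` (the space after `type=` is required) and a restart; its connections then carry a PID that maps to a single service.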
  6. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041