Posted by Pam on February 25, 2006, 1:04 am
>> WINDOWSXP_SP2> netstat -a -n -b
>> Proto Local Address Foreign Address State PID
>> TCP 192.168.0.101:1058 63.236.111.222:80 SYN_SENT 912
>> C:\WINDOWS\system32\WS2_32.dll
>> C:\WINDOWS\System32\WINHTTP.dll
>> -- unknown component(s) --
>> [svchost.exe]
>What process had PID 912?
I rebooted and ran netstat again a few times and at first did not know how to
see what process was 912 until I found and installed something called NirSoft
CurrProcess http://www.nirsoft.net/utils/cprocess.html which told me it was
the "svchost.exe" process and that this process was owned by the "NT
AUTHORITY\SYSTEM".
I tried finding more information about that process by downloading something
called Sysinternals Process Explorer by Mark Russinovich
http://www.sysinternals.com but I could not comprehend the information in the
bottom bar of the window (Thread, Semaphore, Port, Mutant, KeyedEvent, Key,
WindowStation, etc).
It seems that one of my many svchost "Generic Host Process for Win32 Services"
processes is the culprit which is initiating "SYN_SENT" signals on random
ports to Quest Communications (63.236.111.222) at port 80.
But why?
Even though I ran and reran a virus scan, malware scan, Ad-Aware scan, Spybot
Search and Destroy scan, etc., do you think this unsolicited request to
63.236.111.222 at port 80 might be related to the strange C:\TEMP\GLB1A2B.EXE
file I saw but which went away after a reboot?
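The working step in this thread is reading `netstat -a -n -b` output: each socket line carries a PID, and with `-b` it is followed by the DLLs that opened the socket and a final `[process.exe]` line naming the owner. The script below is an added example, not code from the original post or from NirSoft or Sysinternals. It parses text in that shape, builds the PID-to-process map the poster had to look up by hand, and flags sockets where a Windows service host (svchost.exe and friends) is actively reaching a public address, which is the pattern described above. The `SAMPLE_NETSTAT` text is constructed for the example: its first socket mirrors the one quoted in the post (PID 912, svchost.exe, SYN_SENT to 63.236.111.222:80), the other entries and their PIDs are invented, and the exact column spacing is assumed to follow the XP layout.

```python
"""Parse Windows XP-style `netstat -a -n -b` output and correlate PIDs to processes."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the shape of XP "netstat -a -n -b" output (assumed layout).
# First socket mirrors the post; the remaining sockets, PIDs and addresses are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.0.101:1058     63.236.111.222:80      SYN_SENT        912
  C:\\WINDOWS\\system32\\WS2_32.dll
  C:\\WINDOWS\\System32\\WINHTTP.dll
  -- unknown component(s) --
  [svchost.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1000
  [svchost.exe]
  TCP    192.168.0.101:1062     198.51.100.7:443       ESTABLISHED     2240
  [firefox.exe]
  UDP    0.0.0.0:500            *:*                                    688
  [lsass.exe]
"""


@dataclass
class Connection:
    proto: str
    local: str
    remote: str
    state: str                # "" for UDP, which has no connection state
    pid: int
    modules: List[str] = field(default_factory=list)  # DLL lines printed by -b
    process: str = ""         # executable name from the trailing [name.exe] line


# Socket line: proto, local, foreign, optional state (absent for UDP), PID.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# Owning-process line printed by -b after the module list.
PROC_RE = re.compile(r"^\s*\[(.+)\]\s*$")


def parse_netstat_b(text: str) -> List[Connection]:
    """Return one Connection per socket, with its -b module list and owner attached."""
    conns: List[Connection] = []
    current: Optional[Connection] = None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            current = Connection(proto, local, remote, state or "", int(pid))
            conns.append(current)
            continue
        if current is None or not line.strip():
            continue  # banner/header lines before the first socket, or blank lines
        pm = PROC_RE.match(line)
        if pm:
            current.process = pm.group(1)
        else:
            current.modules.append(line.strip())  # DLL path or "-- unknown component(s) --"
    return conns


def process_by_pid(conns: List[Connection]) -> Dict[int, str]:
    """The PID -> executable map the poster needed a separate tool to build."""
    return {c.pid: c.process for c in conns if c.process}


def remote_ip(conn: Connection) -> Optional[ipaddress.IPv4Address]:
    """Foreign address without the port; None for '*:*' and other non-addresses."""
    host = conn.remote.rsplit(":", 1)[0]
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


# Processes that normally host Windows services rather than user applications.
SERVICE_HOSTS = {"svchost.exe", "lsass.exe", "services.exe"}
ACTIVE_STATES = {"SYN_SENT", "ESTABLISHED"}


def suspicious_outbound(conns: List[Connection]) -> List[Connection]:
    """Service-host processes with an active or attempted connection to a public address.

    This is a triage filter, not a verdict: Windows services do legitimately talk to
    the Internet (updates, time sync), so each hit still needs the hosted services
    behind that PID identified before calling it malicious.
    """
    hits = []
    for c in conns:
        ip = remote_ip(c)
        if ip is None or c.state not in ACTIVE_STATES:
            continue
        if c.process.lower() in SERVICE_HOSTS and ip.is_global:
            hits.append(c)
    return hits


if __name__ == "__main__":
    sockets = parse_netstat_b(SAMPLE_NETSTAT)
    for pid, name in sorted(process_by_pid(sockets).items()):
        print(f"PID {pid:>5}  {name}")
    for c in suspicious_outbound(sockets):
        print(f"REVIEW: {c.process} (PID {c.pid}) {c.state} -> {c.remote} via {c.modules}")
```

Running it on the constructed sample maps 912 to svchost.exe and reports only that socket for review; the listening svchost on port 135 and the browser's established HTTPS session are left alone. On a real XP Professional box the next question, which service inside PID 912 owns the socket, is answered by `tasklist /svc`, which lists the services hosted in each svchost instance, or by the Services tab of Process Explorer for that PID.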