Is there some Windows Utility which can track which programs or
processes are linking to some IP address and log them?
I am interested particularly in svchost.exe as it seems to protect a
multitude of villains and those other registry-based processes named
with CLSID.
Most software firewalls will do that.
www.zonealarm.com is free.
One other tool [that I think is less helpful to you than a software
firewall] is the free Microsoft Port Reporter tool you can download.
However, both of these methods are going to tell you that every port is
accessed by svchost, and that won't help you any.
If you want to know what is hiding behind svchost, what you want is the free
Process Explorer from
www.sysinternals.com. Most people run it only for
short time periods during troubleshooting, and I'm not sure if it logs the
information you're looking for or not, as opposed to requiring you to look
in the right place at the right time when the activity is occurring, but it's
one of the few ways this info is made available.
Most people just monitor port use, for example on a firewall, and then do
more in depth investigation into what is running on the computer when
something odd is seen. If something is generating traffic on your system,
then it is most likely a running process or service, and furthermore it is
probably launching at boot up. There are a variety of tools that will help
you enumerate those sorts of things without necessarily telling you about
TCP/IP traffic. For example, you might try running HijackThis and posting
the log to the HijackThis support forum, or try
www.silentrunners.org.
If you have something foreign that is hard to remove, re-installing Windows
is also an option that might save you some time and effort.
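As an added example (not from this thread), the following PowerShell script does on a current Windows version what the answer above describes doing by hand with Process Explorer: it lists established TCP connections, names the owning process, and for each svchost.exe instance lists the services hosted in that PID, so a connection to a given IP can be tied to a specific service rather than to "svchost". It assumes the NetTCPIP module (Windows 8 / Server 2012 or later) and an elevated shell for full path and service details; the CSV path and the optional remote-address filter are the script's own parameters.

```powershell
# Added example: map established TCP connections to processes, and svchost.exe
# PIDs to the services they host. Run elevated for complete information.
param(
    [string]$RemoteAddress,                       # optional filter, e.g. 194.221.62.207
    [string]$LogPath = "$env:TEMP\conn-log.csv"   # assumed log location
)

# Build a PID -> service-name list from the service control manager; this is
# what lets an svchost.exe instance be labelled with the services it runs
# (the classic command-line equivalent is "tasklist /svc").
$svcByPid = @{}
Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
    $svcByPid[[int]$_.ProcessId] += @($_.Name)
}

$rows = Get-NetTCPConnection -State Established |
    Where-Object { -not $RemoteAddress -or $_.RemoteAddress -eq $RemoteAddress } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '<exited>' }
        # Image path may be unreadable for protected processes; treat that as unknown.
        $path = try { if ($proc) { $proc.Path } else { '' } } catch { '' }
        $hosted = if ($name -eq 'svchost') { ($svcByPid[[int]$_.OwningProcess]) -join ';' } else { '' }
        [pscustomobject]@{
            Time           = (Get-Date).ToString('s')
            Pid            = $_.OwningProcess
            Process        = $name
            Path           = $path
            HostedServices = $hosted
            Local          = "$($_.LocalAddress):$($_.LocalPort)"
            Remote         = "$($_.RemoteAddress):$($_.RemotePort)"
        }
    }

# Append to a CSV so repeated runs (e.g. from a scheduled task) build a log over time.
$rows | Export-Csv -Path $LogPath -Append -NoTypeInformation
$rows | Format-Table -AutoSize
```

Running it periodically with the remote-address filter set gives the kind of log the question asks for: which process, and which service inside svchost, was talking to that address at each sample time.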
I am also interested in programs that can monitor which processes are
accessing, creating or updating named files to track those programs
which replace spyware after they have been deleted.
I don't believe Windows does that by default. You would have to use
something like Filemon, free from
www.sysinternals.com. You'd probably want
to set up a lot of filters so your logs don't fill up and get huge. Most
people only run this program for a short time period when troubleshooting.
You could run it when you run your spyware removal software, to see whether
files are being put back by another running process. It would be even
easier to just run your spyware removal program twice in a row to ensure
that all spyware removed is really gone.
I don't think you really need to do any of this stuff, it seems excessive
compared to the way most people handle spyware... unless you have a specific
problem that you haven't yet described.
Does this IP address click a bell - 194.221.62.207? It seems to be
showing up a lot in my logs but appears not to be hosted by any major
provider.
Searching Google for that IP address tells you some things. It appears to
be known as "sip1.sipdiscount.com".
www.sipdiscount.com offers low cost VOIP phone calls over the Internet.
Do you have any software that might do that sort of thing?