svchost communication concerns - Who is it talking to.


Shaun

Hello group,

I've had some viruses of some sort which forced me to reformat my drives.
Before reformatting I transferred all my stuff to an external backup hard
drive.

I've been monitoring svchost.exe to see where it is communicating and to
determine if I still have the virus; here are my findings:

Kaspersky says its rating is suspicious, danger index of 67

svchost.exe was created 27/07/07 and modified 13/04/08

I used Process Explorer to verify each instance of svchost and check its
location, and that is all fine: c:\windows\system32\.

For network communications I found the following:
UDP packet to router, local port 1900 - this one comes up often

UDP packet to router, remote port 53 - this one comes up often too

TCP to remote computer 64.211.21.134, remote port 80

TCP to remote computer 65.55.27.220, remote port 443

received UDP from other computer on network, local port 1900

TCP to remote computer 24.66.94.138, remote port 80

UDP to router, remote port 67

TCP incoming from remote computer, local port 2869

UDP to remote computer 255.255.255.255, remote port 67

TCP to remote computer 207.138.126.184, remote port 80

TCP to remote computer 207.138.126.192, remote port 80

TCP with remote computer 65.55.200.155, remote port 80



And here is one that tipped me off:

svchost was connecting to akamaitechnologies.com. I tried that web
address and nothing comes up, but if I go to www.akamai.com I get a
video-related website that has partnered with Microsoft.

Is this a concern or normal traffic?

Thank you for reading this long-winded message.
Any help would be appreciated.

Shaun Epp
 
Shaun said:
Hello group,

[snip]


I forgot to mention that the program that gave me the virus was a DivX codec
and player that I downloaded off the net. I think I got it from
www.DivX.com; either way, it was the offer of the same codec and player that I'm
using. I uninstalled it before reformatting my drive and it tried contacting
akamaitechnologies.com, and that is the web site that svchost.exe is trying
to contact.

Shaun
 
Shaun said:
[snip]

I have had DivX on my machine for several months... no problems at
all.
 
Bennett Marco said:
I have had DivX on my machine for several months... no problems at
all.


Well I'm suspecting that it spies on us, or worse.

If your AV program / firewall lets you, set it so that it "prompts" you
instead of "allow" in your firewall settings for svchost.exe. Monitor the
requests you get and see if "akamaitechnologies.com" comes up as a prompt.
It took 1 1/2 days before I noticed it.

Are you familiar with svchost.exe, do you know what those other outgoing
requests were in my initial post?

thanks,

Shaun
 
Bennett Marco said:
Shaun said:
Well I'm suspecting that it spies on us, or worse.

[snip]

Nope. But for peace of mind, you might find something useful here:

http://zapatopi.net/afdb/


Ha haaa,...... that's real funny! I'll have to pass that web site around.

OK... I've found the contact. Svchost sends TCP to a remote computer at IP
address 96.6.45.34, Akamai Technologies. I even did a whois query and it's
confirmed. I know that this is from the DivX codec and player pack that I
installed a couple of months ago; when I uninstalled it, the program tried
contacting Akamai Technologies. So I either still have the virus / spy
after reformatting or I reinstalled it after getting a good copy of the DivX
software.

The question is "Why are they spying on me?"

Is anyone familiar with normal communications with svchost that could shed
some light on my original post?


thanks,

Shaun
 
Akamai is a server provider used by many companies (reputable ones) to host
their files, etc. See
http://en.wikipedia.org/wiki/Akamai_Technologies

Possibly DivX uses it, I don't know, but Microsoft, for example, does.
svchost.exe is a Windows server that is used by quite a few Windows services
that may or may not occasionally use the internet, maybe to check for updates
or synchronise time, for example. It could well be that they use the Akamai IP
for that.

A description is given in

http://support.microsoft.com/kb/314056

Divx.com is a perfectly respectable site/company, and if you did download the
DivX player and codecs from there, that download would have contained any
virus or malware. Also, in so far as DivX may occasionally go out to check
for updates, it would not use svchost.exe but its own update checker.

So in my honest opinion:
a) svchost connecting to an Akamai IP is normal
b) in any case that has nothing to do with divx.
c) if you suspect your PC is infected, download and run a good antimalware
app, such as superantispyware (free version)
http://www.superantispyware.com/


Shaun said:
[snip]
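Jean's point, that one svchost.exe instance hosts several Windows services and any one of them may be the one going out, can be checked per connection instead of per process. The script below is an added example (not code from anyone in this thread) that maps each svchost.exe TCP connection and UDP endpoint to the services hosted in that PID and repeats the System32 path check from the original post; it assumes a current Windows with the NetTCPIP cmdlets, and its "expected port" lists are an assumption built from the ports listed in this thread plus the DHCP and NTP client ports.

```powershell
# Added example, not from any poster in this thread. Maps each svchost.exe TCP connection
# and UDP endpoint to the services hosted in that PID, so "svchost is talking to X" becomes
# "service Y inside svchost is talking to X". Needs an elevated PowerShell on Windows 8 /
# Server 2012 or newer (Get-NetTCPConnection, Get-NetUDPEndpoint). The "expected" port
# lists are an assumption: the ports seen in this thread plus the DHCP and NTP client ports.
$ExpectedTcpRemote = 53, 80, 443           # DNS over TCP, HTTP, HTTPS (updates, CDN traffic)
$ExpectedUdpLocal  = 68, 123, 1900         # DHCP client, NTP client, SSDP/UPnP discovery
$ExpectedImage     = Join-Path $env:SystemRoot 'System32\svchost.exe'

function Get-SvchostEndpoint {
    # PID -> names of the running services hosted in that svchost.exe instance
    $svcByPid = @{}
    Get-CimInstance Win32_Service -Filter "State='Running' AND PathName LIKE '%svchost.exe%'" |
        ForEach-Object { $svcByPid[[int]$_.ProcessId] += @($_.Name) }

    $procs = Get-Process -Name svchost
    $pids  = [uint32[]]$procs.Id

    $tcp = @(Get-NetTCPConnection -OwningProcess $pids -ErrorAction SilentlyContinue |
        Where-Object { $_.State -ne 'Listen' -and $_.RemoteAddress -notin '0.0.0.0', '::' } |
        ForEach-Object { [pscustomobject]@{ Proto = 'TCP'; LocalPort = $_.LocalPort
            Remote = "$($_.RemoteAddress):$($_.RemotePort)"; Port = $_.RemotePort; ProcId = $_.OwningProcess } })
    # UDP endpoints carry no remote address; the local port is what can be baselined
    $udp = @(Get-NetUDPEndpoint -OwningProcess $pids -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Proto = 'UDP'; LocalPort = $_.LocalPort
            Remote = '(any)'; Port = $_.LocalPort; ProcId = $_.OwningProcess } })

    foreach ($e in $tcp + $udp) {
        $proc  = $procs | Where-Object Id -eq $e.ProcId
        $flags = @()
        # The same check the thread did with Process Explorer: image must be the System32 one
        if ($proc.Path -and $proc.Path -ne $ExpectedImage) { $flags += 'unexpected image path' }
        if ($e.Proto -eq 'TCP' -and $e.Port -notin $ExpectedTcpRemote) { $flags += 'unexpected remote port' }
        if ($e.Proto -eq 'UDP' -and $e.Port -lt 49152 -and $e.Port -notin $ExpectedUdpLocal) {
            $flags += 'unexpected local port'          # ephemeral (>= 49152) client ports are skipped
        }
        [pscustomobject]@{
            Proto     = $e.Proto
            LocalPort = $e.LocalPort
            Remote    = $e.Remote
            PID       = $e.ProcId
            Services  = ($svcByPid[[int]$e.ProcId] | Sort-Object) -join ', '
            Flag      = $flags -join '; '
        }
    }
}

# The Services column answers "which part of Windows opened this"; Flag is only a baseline hint.
Get-SvchostEndpoint | Sort-Object Proto, Remote | Format-Table -AutoSize
```

A remote address in the output can be resolved with Resolve-DnsName before deciding whether the owning service has a reason to talk to it.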
 
Minor correction. I meant to say that svchost is a Windows process, not a
server.

Jean Rosenfeld said:
[snip]
 
Second minor correction (apologies, it's late here and I did not check what
I was writing properly)
Divx downloads do NOT contain malware or viruses.
Jean Rosenfeld said:
[snip]
 
Shaun said:
[snip]

It's probably simply checking for updates. Some programs "call home"
when they are installed or uninstalled, too, if there is an active net
connection; they use it to track their success rate. If I catch them,
they go to my "never allow" file though.
It might not even be div/x initiating it; are you positive of that?
If so, you can turn off the auto update feature to stop it from
checking.

Twayne`
 
Twayne said:
[snip]

Thanks for your input, both of you, it is a lot more helpful than that
Bennett Marco.

I know that the DivX program is the one using Akamai Technologies, since
when I uninstalled it, it called to that website. And they are using
svchost.exe to make the connections to Akamai Technologies, which seems kinda
odd.

later,

Shaun
 