Re: unknown outgoing tcp traffic - should I be worried?



On Sat, 10 Nov 2007 15:16:05 +0000, abc@xxxxxxx wrote:

On Fri, 09 Nov 2007 13:36:05 GMT, bok118@xxxxxxxxx (Gerard Bok) wrote:

I think my problem is to identify what program is using the errant
svchost.

From a cmd prompt if I enter "tasklist /svc" I get a list of what is
running in each svchost instance.

I'm not 100% but I think the one causing the trouble has only one
entry "rpcss" because after suspending the svchost.exe process in Task
Manager I can no longer use the "tasklist" command and get an "rpc
server not available" error.

Any suggestions as to what to look for next??

Well, personally I would install a sniffer (e.g. Wireshark) and
find out what is actually inside the traffic on port 80 to
60.246.179.201.

These may be rather harmless http-get requests to a server that
is no longer available. (Indicating: originally bad traffic, but
now harmless because a bad server was taken off the air.)
Or you might see that your PC is actually sending (your) data
over to 60.246.179.201. Which would be unacceptable.

Another way to go could be examining your startup items,
disabling them one by one until you get the one responsible for
this traffic.
Or --if it is not an automatic process-- find out at which point
after reboot the traffic starts.

--
Kind regards,
Gerard Bok
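
Added example (not part of either poster's message): one way to tie the port-80 connection to a specific svchost instance is to join the PID column of `netstat -ano` with the `tasklist /svc` listing mentioned above. `netstat -ano` is not used in the thread, and the captured output, PIDs, service groupings and local addresses below are constructed for illustration.

```python
import re
# Constructed `tasklist /svc` capture: PIDs and service groupings are made up.
TASKLIST_SVC = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
svchost.exe                  884 DcomLaunch, TermService
svchost.exe                  952 RpcSs
svchost.exe                 1044 AudioSrv, BITS, Dhcp, Schedule,
                                 wuauserv
"""
# Constructed `netstat -ano` capture: local addresses, states and PIDs are made up.
NETSTAT_ANO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  TCP    192.168.1.10:1061      60.246.179.201:80      SYN_SENT        1044
  UDP    0.0.0.0:500            *:*                                    700
"""

def _names(field):
    return [s.strip() for s in field.split(",") if s.strip() not in ("", "N/A")]

def parse_tasklist(text):
    """Map PID -> (image name, [services]); indented lines continue a wrapped list."""
    procs, last = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and last is not None:
            procs[last][1].extend(_names(line))
            continue
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(.*)$", line)
        if m:
            last = int(m.group(2))
            procs[last] = (m.group(1), _names(m.group(3)))
    return procs

def attribute(netstat, tasklist, ip, port):
    """Return one record per TCP connection to ip:port, with the owning process."""
    procs, hits = parse_tasklist(tasklist), []
    for line in netstat.splitlines():
        f = line.split()  # TCP rows have 5 fields; UDP rows have no State column
        if len(f) == 5 and f[0] == "TCP" and f[2] == f"{ip}:{port}":
            image, services = procs.get(int(f[4]), ("unknown", []))
            hits.append({"pid": int(f[4]), "image": image, "services": services,
                         "local": f[1], "state": f[3]})
    return hits

if __name__ == "__main__":
    for hit in attribute(NETSTAT_ANO, TASKLIST_SVC, "60.246.179.201", 80):
        print(hit)
```

When the owning PID hosts several services, as in the constructed sample, the join narrows the traffic to that service group rather than to a single service.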