Finding out strange traffic



Antti Mattila
07-10-2005, 02:00 AM
I have been investigating strange traffic that tries to connect to remote
port 80 on the Internet. There have been tens of different sites and they seem
to have nothing in common.

Virus DATs are in order, I have scanned the computers with Spybot and
Adaware.
And still it continues. I installed desktop firewalls even on the desktops,
blocked port 80 and took a log. I'm pretty sure that no program that was
intentionally installed is causing the traffic.

Log shows that svchost.exe is connecting all around the world very
frequently on port 80.

Windows networking may be easy to use as a programmer, as you can use these
svchost etc. services for your networking needs, but how the hell do I find
out which program has started them (including from where)? Programs like
TCPView show which command line has been used to start, for example,
svchost. But I have never seen anything except legitimate-looking rpcss or
something like that.

I think this is a shortcoming in Windows networking. Any ideas how can I dig
deeper?

allan_grossman@hotmail.com
07-10-2005, 02:00 AM
Hi, Antti -

This may be an undetected piece of spyware still ;-)

If you want to know what's running under svchost, open a command prompt
window and type 'tasklist /svc' - you'll be able to tell which services
are running under each instance of svchost.

Hope this helps -

Antti Mattila
07-10-2005, 02:00 AM
Thanks, that helps a lot. Strange that I have tried MS Antispyware, Spybot and
Adaware for two weeks and they detect nothing...

"allan_grossman@hotmail.com" wrote:

> Hi, Antti -
>
> This may be an undetected piece of spyware still ;-)
>
> If you want to know what's running under svchost, open a command prompt
> window and type 'tasklist /svc' - you'll be able to tell which services
> are running under each instance of svchost.
>
> Hope this helps -
>
>

bumtracks
07-10-2005, 02:00 AM
Sometimes here I will open a cmd window and do a netstat -o (owner), which ties
the product id to the connected IP numbers, then look in Task Manager to match
the product.


"Antti Mattila" <antti.mattilaremovethis@kcigroup.com> wrote in message
news:0F11FF20-B453-440A-A44B-E27BA8C14DE4@microsoft.com...
>I have been investigating strange traffic that tries to connect to remote
> port 80 on the Internet. There have been tens of different sites and they
> seem
> to have nothing in common.
>
> Virus DATs are in order, I have scanned the computers with Spybot and
> Adaware.
> And still it continues. I installed desktop firewalls even on the desktops,
> blocked port 80 and took a log. I'm pretty sure that no program that was
> intentionally installed is causing the traffic.
>
> Log shows that svchost.exe is connecting all around the world very
> frequently on port 80.
>
> Windows networking may be easy to use as a programmer, as you can use these
> svchost etc. services for your networking needs, but how the hell do I
> find
> out which program has started them (including from where)? Programs like
> TCPView show which command line has been used to start, for example,
> svchost. But I have never seen anything except legitimate-looking rpcss or
> something like that.
>
> I think this is a shortcoming in Windows networking. Any ideas how can I
> dig
> deeper?

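Putting the two answers above together: `netstat -ano` gives the owning PID of every socket, and `tasklist /svc /fo csv` lists which services run inside each PID, so joining the two on PID tells you which svchost instance (and which registered services) is behind the port-80 connections. The script below is an added example, not code from anyone in this thread. It parses constructed sample output for both commands (embedded so it runs offline; the hosts, PIDs and service names are made up) and has a helper that runs the real commands on a Windows box with Python 3.7+.

```python
import csv
import io
import re
import subprocess
from collections import defaultdict

# Constructed sample of `netstat -ano` output. Addresses, PIDs and states are
# invented for the example, not captured from the poster's machine.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.10:1045      64.233.167.99:80       ESTABLISHED     1032
  TCP    192.168.1.10:1046      66.102.7.147:80        SYN_SENT        1032
  TCP    192.168.1.10:1050      207.46.130.108:443     ESTABLISHED     2200
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /svc /fo csv` output (same invented PIDs).
SAMPLE_TASKLIST = """\
"Image Name","PID","Services"
"System","4","N/A"
"svchost.exe","900","RpcSs"
"svchost.exe","1032","Dnscache,LanmanWorkstation,WebClient"
"firefox.exe","2200","N/A"
"""

# One netstat row: proto, local, foreign, optional state (UDP has none), PID.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return a list of socket dicts from `netstat -ano` text; headers are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        conns.append({"proto": proto, "local": local, "foreign": foreign,
                      "state": state or "", "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """Map PID -> image name and the list of services hosted in that process."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text)):
        services = [] if row["Services"] == "N/A" else row["Services"].split(",")
        procs[int(row["PID"])] = {"image": row["Image Name"], "services": services}
    return procs


def split_host_port(addr):
    """Split '1.2.3.4:80' or '[::1]:80' on the last colon; '*:*' yields port None."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def connections_to_port(netstat_text, tasklist_text, remote_port=80):
    """Join sockets aimed at remote_port with the process/service info for their PID."""
    procs = parse_tasklist(tasklist_text)
    hits = []
    for c in parse_netstat(netstat_text):
        host, port = split_host_port(c["foreign"])
        if port != remote_port:
            continue
        p = procs.get(c["pid"], {"image": "<unknown>", "services": []})
        hits.append({**c, "remote_host": host, "image": p["image"],
                     "services": p["services"]})
    return hits


def suspects_by_pid(hits):
    """Group remote hosts per PID so one svchost talking to many hosts stands out."""
    grouped = defaultdict(lambda: {"image": None, "services": [], "hosts": set()})
    for h in hits:
        g = grouped[h["pid"]]
        g["image"], g["services"] = h["image"], h["services"]
        g["hosts"].add(h["remote_host"])
    return dict(grouped)


def live_snapshot():
    """Collect real output on a Windows host (requires Python 3.7+ for capture_output)."""
    ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout
    tl = subprocess.run(["tasklist", "/svc", "/fo", "csv"], capture_output=True,
                        text=True, check=True).stdout
    return ns, tl


if __name__ == "__main__":
    hits = connections_to_port(SAMPLE_NETSTAT, SAMPLE_TASKLIST)
    for pid, g in suspects_by_pid(hits).items():
        print(pid, g["image"], ",".join(g["services"]) or "-", sorted(g["hosts"]))
```

Two caveats a responder will want. The PID only identifies the svchost instance; if that instance hosts several services, `sc config <service> type= own` moves one service into its own svchost so the next snapshot isolates it. And `tasklist /svc` reports the service names registered with the SCM, not the DLL actually loaded: a service DLL that has been replaced, or code injected into a legitimate svchost, still shows up under the legitimate names, so check the `ServiceDll` value under `HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters` for each candidate service as well.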
