I just found out by using TCPView that one of my svchost.exe processes had an HTTP connection in "CLOSE_WAIT" to a strange IP address, although no other visible program was running.
With the help of Process Explorer I discovered that this svchost was using the WebClient Windows service.
I'm wondering how I can figure out what program used WebClient to connect to this IP, in order to determine if it's malware.
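
The two lookups described in the post (TCPView for the connection, Process Explorer for the hosted service) can also be done from PowerShell. This is an added example, not part of the original post; it assumes a Windows version that ships the `Get-NetTCPConnection` cmdlet.

```powershell
# Added example: list CLOSE_WAIT TCP connections owned by svchost.exe
# together with the Windows services hosted in each owning process.
$connections = Get-NetTCPConnection -State CloseWait -ErrorAction SilentlyContinue

# Index running services by hosting process ID
# (several services can share a single svchost.exe instance).
$servicesByPid = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

foreach ($conn in $connections) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    if (-not $proc -or $proc.ProcessName -ne 'svchost') { continue }

    # Services (for example WebClient) running inside this svchost.exe
    $hosted = $servicesByPid["$($conn.OwningProcess)"]

    [pscustomobject]@{
        PID           = $conn.OwningProcess
        LocalPort     = $conn.LocalPort
        RemoteAddress = $conn.RemoteAddress
        RemotePort    = $conn.RemotePort
        State         = $conn.State
        Services      = ($hosted.Name -join ', ')
    }
}
```

The output ties each connection to the service host process and the services inside it; it does not show which client program asked the service to make the request.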