Hey gents and ladies,
XP x64
I have what appears to be a legit service (unconfirmed) in XP x64 called "Wireless configuration" (WZCSVC)
Description:
"Enables automatic configuration for IEEE 802.11 adapters. If this service is stopped, automatic configuration will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start."
Path to EXE:
C:\WINDOWS\System32\svchost.exe -k netsvcs
When running I have a svchost that tries talking to 221.237.152.171
which resolves to 171.152.237.221.broad.cd.sc.dynamic.163data.com.cn (CHINA)
I was able to block it at my firewall (Comodo) and I disabled the service to stop the activity. I also scanned my machine with Malwarebytes, Avast boot scan, and Eset online scanner....all of which found nothing.
SFC is also clean
svchost.exe is clean according to virustotal
So my question:
I am assuming this is some sort of zero day thing that aren't in any signature databases yet, how would I find the hooks in to the bad file and eliminate this possible threat. I have to believe it's a real issue since there is no reason for my machine to be talking to a dynamic IP in china.
Thanks in advance, Deek
