100 svchost.exe on port 25

Please help, for a few days I have had over 100 connections from svchost.exe on port 25!
Antivirus finds no virus…

See the picture:

[attachment deleted by admin]

Port 25 is used for SMTP - outgoing email.

Have you accidentally blocked your email package or reduced its rights?

What processes are running when these logs are recorded?

Ewen :)

Unless you are corresponding over the world, you’ve got yourself a spambot on your desk. The IP addresses in your log are in China, Poland, Finland, the US. Legit mail processes won’t do outbound mail thru svchost, but thru their own process so they can control bounce traffic and error conditions in the connection.

Edit: Until you can get the bot removed, I’ll suggest adding a Global Rule to block all outbound traffic to TCP port 25 and 587.

Action: Block (no logging, unless you want to fill your CIS log quickly)
Direction: Out (select from the pulldown list)
Protocol: TCP (select from the pulldown list)
Source Address: any
Destination Address: any
Source Port: any
Destination Port: 25

And the same, but with a Destination Port of 587.

Have these as the very first two rules of your Global Rules.

The spambot is probably connecting to web sites for instructions. At worst, you may want to have a Global Rule to log all of your outbound port 80 and port 443 traffic. (Use the rule action of “Allow and Log”). Then you might be able to set up rules to slow down the bot from calling home. It’s probably going to be svchost again doing the connection work.
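
An added example, not part of the original posts: a small Python check for the pattern described above, one process holding outbound TCP connections to port 25 or 587 on many different hosts. It reads text in the layout of `netstat -ano` output; the sample rows, PIDs, process names and the threshold of 5 are constructed for illustration, and the addresses are documentation ranges.

```python
from collections import defaultdict

SMTP_PORTS = {25, 587}  # the two ports the post suggests blocking outbound

# Constructed sample in the layout of `netstat -ano` output
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.10:1201      192.0.2.10:25          ESTABLISHED     1104
  TCP    192.168.1.10:1202      192.0.2.77:25          SYN_SENT        1104
  TCP    192.168.1.10:1203      198.51.100.4:25        ESTABLISHED     1104
  TCP    192.168.1.10:1204      198.51.100.91:25       ESTABLISHED     1104
  TCP    192.168.1.10:1205      203.0.113.8:587        ESTABLISHED     1104
  TCP    192.168.1.10:1206      203.0.113.9:25         TIME_WAIT       0
  TCP    192.168.1.10:1300      203.0.113.25:587       ESTABLISHED     2380
  TCP    192.168.1.10:1301      203.0.113.50:80        ESTABLISHED     1104
"""
# Constructed PID-to-name map, as you would read it from `tasklist`
SAMPLE_PIDS = {912: "svchost.exe", 1104: "svchost.exe", 2380: "thunderbird.exe"}


def smtp_fanout(netstat_text, pid_names, threshold=5):
    """Return {pid: (process_name, distinct_remote_hosts)} for every PID with
    outbound TCP connections to SMTP ports on at least `threshold` hosts."""
    remotes = defaultdict(set)
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have five fields: Proto, Local, Foreign, State, PID
        if len(fields) != 5 or fields[0].upper() != "TCP":
            continue
        _, _local, foreign, state, pid = fields
        if state == "LISTENING" or not pid.isdigit():
            continue
        # Split on the last colon so bracketed IPv6 addresses also work
        host, _, port = foreign.rpartition(":")
        # Matching the *foreign* port keeps only outbound mail connections;
        # inbound connections to a local mail server have port 25 on the local side
        if not port.isdigit() or int(port) not in SMTP_PORTS:
            continue
        remotes[int(pid)].add(host)
    return {pid: (pid_names.get(pid, "unknown"), len(hosts))
            for pid, hosts in remotes.items() if len(hosts) >= threshold}


if __name__ == "__main__":
    for pid, (name, hosts) in smtp_fanout(SAMPLE_NETSTAT, SAMPLE_PIDS).items():
        print(f"PID {pid} ({name}): outbound SMTP to {hosts} distinct hosts")
```

A mail client shows up with one or two destinations; a process that is not a mail program and exceeds the threshold is the one to investigate.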

Thanks, but why does Comodo find no bot?

I have scanned many times.
Scanned with Ad-Aware, the Panda online scanner, Comodo Antivirus, Spybot Search & Destroy…

With no results…


Please follow the instructions in this sticky topic What to do if you’re infected - eXPerience Rev.2 and let us know how it goes.