Help - Need to find source of rogue traffic

Recently I noticed that I am pumping a lot of bytes through my net connection, even when I don’t have much going on or major apps open (like Outlook and FF).

I immediately thought that perhaps I had picked up a trojan or something, so I did a spyware/AV check. But it came back clean.

So looking closer, I discovered that the traffic is coming from some thread running under one of those generic SVCHOST processes.

Here is a screenshot:
http://www.fototime.com/1A575A43FC7C6A9/orig.jpg

You can see that there is a lot going on in terms of the number of threads under this process. I don’t know any way to isolate this traffic further to a specific thread. Are there any network specialists who might know how to do this or what tools might help me do it?

I did try to manually suspend the whole process but this led to the machine freezing, requiring a hard reboot. However, when I turn off all traffic through the firewall, I was able to turn it back on hours later w/o any problems.

Since this traffic is almost evenly divided up/down (totaling about 15MB/hour), it looks almost like some sort of TORRENT node is running to me. But that would also be characteristic of a trojan where I might be zombied, wouldn’t it?

I have added a firewall rule to block this data transfer until/if I understand WHAT is being transferred and WHY. So far, blocking the traffic doesn’t seem to be causing any problems. After about 10-15 minutes of trying to get through from different source ports, the process/task gives up and goes back to sleep.

After creating a blocking rule for this traffic, I looked at the log and saw many events being blocked (log1).

Today I looked at the log again and all I see are 2 events blocked! (log2)

SO what is happening to all the other event entries? Why isn’t Comodo showing them?

[attachment deleted by admin]

[attachment deleted by admin]

Probably the logs were deleted after the size exceeded the default MB (Miscellaneous setting\Logging).

The log entries look like connections to some device on your LAN (eg: router, PC).

Port 5431 has been related to UPnP, but the svchost.exe in your case doesn’t include the “SSDP Discovery Service”.

It looks like the Messenger service is enabled as well, along with the Windows Firewall/ICS service.

The Messenger service should have been disabled by default since the XP SP2 update.
It might be worth stopping the Windows Firewall\Internet Connection Sharing service (without disabling it) to check if those connections are suppressed.

Though it’s only a guess, and it’s likely other members might provide better advice. :-[

Does this tutorial help: How to determine what services are running under a SVCHOST.EXE process ?

That’s a neat tutorial. I’ll want to spend some more detailed time looking at it.

But I already know the services under the particular svchost entry. What would be REALLY useful would be a way to pinpoint WHAT service is driving what traffic.

If the log was deleted, it should have filled up fairly quickly. Yet I am still seeing just the same 2 events from 2 days ago! So something looks wrong with the logging. Or the source has realized it is blocked and has shut itself down (uh oh).

All of this would be a lot easier to test if Comodo supported rule disable/enable (which I know is on the wish list already).

I’d also say that there should also be a circular option to write over the older log entries. This is kind of standard in logs.

As to devices connected to this system, I don’t have any.

In the original report, I was seeing approximately 15MB per hour (divided about 60% down and 40% up) moving through that port 5431. That’s a lot of unexplained traffic. Since I have blocked this connection, I have not noticed any problems. What I am trying to find out is what was generating that 15MB of hourly data.

Come this weekend, I am going to try and run a Wireshark trace and see what comes up.

Yes, I initially came across the UPnP and Discovery Service refs originally. So I tried turning those services off, but there wasn’t any change. Windows Messenger is currently running. I can try and disable that when I delete the blocking rule also.
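To narrow “which service inside this svchost.exe owns the port 5431 traffic” without Wireshark, here is an added example script (written for this reply, not posted by anyone in the thread and not part of Comodo). It assumes you run it as Administrator, that the port of interest is the 5431 seen in the firewall log, and that the service names come from what `tasklist /svc` reports on your own machine. It maps the port to a PID with `netstat -ano`, lists the services that PID hosts with `tasklist /svc`, and can optionally move one named service into its own svchost process (`sc config <name> type= own`) so that its traffic shows up under a unique PID in the firewall log and in netstat.

```powershell
# Added example, not from the original thread. Assumptions: run elevated;
# $Port is the port from the firewall log; $IsolateService is a service
# short name you pick from the "hosts:" output (left empty by default).
param(
    [int]$Port = 5431,             # assumed: port seen in the Comodo log
    [string]$IsolateService = ''   # optional: service to split into its own svchost
)

# Step 1: find every socket bound to or talking to $Port and the PID that owns it.
# "netstat -ano" prints: Proto  Local Address  Foreign Address  [State]  PID
# (UDP rows have no State column, so the PID is always the last field.)
$owners = netstat -ano |
    Where-Object { $_ -match '^\s*(TCP|UDP)\s' } |
    ForEach-Object {
        $fields   = ($_ -replace '^\s+', '') -split '\s+'
        $local    = $fields[1]
        $remote   = $fields[2]
        $ownerPid = [int]$fields[-1]
        if (($local -match ":$Port$") -or ($remote -match ":$Port$")) {
            New-Object PSObject -Property @{
                Proto  = $fields[0]
                Local  = $local
                Remote = $remote
                PID    = $ownerPid
            }
        }
    } |
    Sort-Object PID -Unique

if (-not $owners) {
    "No socket on port $Port right now (the blocking rule may have put it to sleep; try again later)."
    return
}

# Step 2: for each owning PID, list the services that this svchost instance hosts.
# "tasklist /svc /fo csv" gives columns "Image Name","PID","Services".
foreach ($o in $owners) {
    $row = tasklist /svc /fo csv /fi "PID eq $($o.PID)" | ConvertFrom-Csv
    "{0} {1} -> {2}  PID {3} ({4}) hosts: {5}" -f `
        $o.Proto, $o.Local, $o.Remote, $o.PID, $row.'Image Name', $row.Services
}

# Step 3 (optional): isolate one suspect service into its own process.
# After this, the service gets its own svchost.exe and its own PID, so the
# firewall log / netstat / Process Explorer attribute the traffic to it alone.
# Revert later with:  sc.exe config <name> type= share
# Note: "sc" alone is an alias for Set-Content in PowerShell, so call sc.exe.
if ($IsolateService) {
    sc.exe config $IsolateService type= own
    Restart-Service -Name $IsolateService -Force
    "Service $IsolateService now runs in its own process; re-run this script to see its PID."
}
```

Run it once to get the PID and the list of hosted services, then pick the most plausible one (the reply above already flags SSDP/UPnP, Messenger and Windows Firewall/ICS) and run it again with `-IsolateService <name>`. If the 15MB/hour pattern follows that service’s new PID, you have your answer; if it stays with the original svchost, repeat with the next service. On XP SP2 and later, `netstat -b` also prints the executable behind each socket, and Sysinternals Process Explorer shows both the hosted services and the TCP/IP endpoints of a process in its properties tabs, which is the same correlation done by hand.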

I don’t think that’s rogue traffic.
That’s normal activity between your PC and router.

Please give me some detail for your statement. I don’t think that 15MB transfer each and every hour between my PC & the router is normal. What would the purpose of that be?

Are you seeing this traffic on your system?

Though you made your point clear, meanwhile it would be possible to have old logs preserved and moved to a folder automatically (Miscellaneous setting\Logging).

Messenger service is disabled on Win XP SP2 and later. What OS/SP do you have?

Windows Firewall \Internet Connection Sharing service was unexpected too. Did you try to stop that service as well?

Will you attach that Wireshark trace log in this topic, along with some more info about your router brand/model?

Haven’t been able to get back into this problem yet BUT want to update my previous statement:

“All of this would be a lot easier to test if Comodo supported rule disable/enable (which I know is on the wish list already).”

In looking closely at the rule I created, I realized that under the ACTION drop-down on the 1st screen of the rule in editing mode, you can choose either ALLOW or BLOCK.

This seems to me to be an effective disable/enable function w/o having to delete the rule and rebuild it. Looks to me like that WISH list request for rule disable can be canceled.

Wonder why no one picked this up before?