svchost.exe / msnmsgr.exe strange issues!

Just downloaded COMODO Firewall Pro yesterday (after missing a Firewall for a month or so, bad I know. Used McAfee before) and I’m already having some odd issues.

The main issue I’m worried about is with svchost.exe.
Every now and then I get a Chinese IP requesting to do something with svchost.exe, it’s been happening all day. I play World of Warcraft and most keyloggers originate in China so this one worries me the most. I’ve scanned my PC with Spybot, Ad-Aware, and Avast! but not found anything so I’m not sure what it could mean.
Screenshot of log: http://img204.imageshack.us/img204/4351/blockchcm4.jpg
New ones not included in that picture:
Source IP: 125.211.198.18 Source Port: 33315 same destination and whatnot as other requests.
Source IP: 60.222.224.133 Source Port: 34896 same destination and whatnot as other requests.
Source IP: 221.206.121.10 Source Port: 98.166.105.229

The other issue is with msnmsgr.exe
The program itself seems to be working fine but I’m getting odd requests being blocked just like with svchost.exe. I’ve looked up the IPs and they seem to be from various locations in Europe and somewhere in North Carolina. These requests have been spammed often every 2 seconds at various times today and they seem to be getting more frequent.
Screenshots of log (more may come while I post this): imageshack and xs.to both stopped working for me (connection closed by remote server???), switching to tinypic now.

New ones:
TCP SourceIP: 209.188.48.193 SourcePort: 49233 Destination Port: 2054 x3

For now I’m too worried to log in to much of anything so I’m hoping someone can help clear this up ASAP! :slight_smile:
Thanks in advance!

edit: Seems like both the MSN and SVCHOST requests are getting more frequent for whatever reason.

Hello ttraveler,

The first thing just looks like “probes” to UDP port 1026, but as it’s being dropped I shouldn’t worry about it too much.
Those systems are “scanning” the internet to find or infect systems with flaws on that port; regardless of being vulnerable it gets dropped, so no problem there. If you don’t like the stuff messing up the logging, I suggest making a firewall rule under global rules (Firewall, Advanced, Network Security Policy, Tab Global Rules).
Add, Block, Udp, In, Source Address Any, Destination Address Any, Source Port any, Destination port 1026.
Apply, Apply. And it is blocked and no longer logged.

I’m not too much of an MSN user, but I think it connects to all people in your contact list and tries to connect to them, but maybe there is something else wrong, there’s also MSN malware. Anyone with more experience with MSN msgr?

Sorry if I don’t understand some of what you’re saying, I use PCs a lot/know quite a bit but I’m not too familiar when it comes to this kind of thing.
What I don’t understand is why it’s tried 20+ times (and it continues to try). When I first saw it my mind told me it was trying to collect data from a possible keylogger but like I said, I don’t know much about this, it’s just my mind being negative :stuck_out_tongue: That most likely isn’t the case but it was what I was worried about.

I’m not quite sure about the MSN. I do have a contact from Supply, NC (In Brunswick County) and quite a few from the UK but I don’t understand why it wouldn’t be from other locations as well.

edit: Now I’m getting the MSN issue from Toronto, Canada.
and Denver, CO

The stuff in your logs that is showing port 1026 is very likely to be what is called “net send” spam. This is a Windows LAN message packet sent over the Internet that, if you received it, would cause a popup message with wording like this: “Attention! Your machine is not working properly! Visit and download immediately to repair your machine.”

This junk is always sent by UDP packet, in volume, to ports 1026, 1027, and 1028. They’re trying to hit an unprotected Windows RPC control port.

The other logs about MSN Messenger traffic, I would presume it to be the same kind of traffic. I haven’t seen packet captures for Messenger traffic before (not installed here). I understand how UDP could carry the spam messages, I’m not clear on why all the TCP traffic. Probes maybe? It’d take doing a packet capture to find out, but that would mean letting traffic in enough to get a capture, which is not something I’d recommend.

Since it is being blocked, it’s not a hazard, beyond filling up the CFP log to no good effect.

But, on a thought, how does CFP know that traffic is associated with MSN Messenger, when it is presumably unsolicited traffic? CFP would show “Windows Operating System”, not MSN. Just a curiosity, from a command prompt, run “netstat -an” to see what your machine is connecting to at the moment. Then post the corresponding CFP log.

So since the 1026 stuff is being blocked, it’s no use worrying over it, aye?
Haven’t been getting any pop-ups or anything, PC seems to be working as normal aside from the firewall being all spammed up.

I did the netstat -an in cmd but I’m not exactly sure what most of it means. Would you like to see what it says or something else? Not exactly sure which CFP log you’re wanting…
The first time I did netstat -an it was a relatively short list, did it again and it got a bit longer. Just tried it again now (for the hell of it) and the list is much longer for whatever reason.

That’s correct, the 1026 port stuff isn’t anything to be worried about. Ronny’s post about the CFP rules is a good one, to keep that junk from filling up your CFP logs.

The netstat output would be good to see, along with the CFP firewall log that matches that moment. The netstat output will tell what your machine is doing overall on the Internet, and the CFP log will show the corresponding blocked traffic. I want to see if there is any relationship.
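
The correlation asked for above, sketched as an added example (not part of the original thread and not CFP's own tooling): it parses Windows `netstat -an` output and labels each blocked inbound entry as net send spam, traffic from a host that already has a live session, or fully unsolicited. The sample data is constructed, and the tuple layout for the blocked entries is an assumption, since the CFP log format is only shown in screenshots.

```python
import re

# Constructed sample of Windows `netstat -an` output (documentation IP ranges, not from the thread).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:2453      203.0.113.7:60465      ESTABLISHED
  TCP    192.168.1.10:1863      198.51.100.20:1863     ESTABLISHED
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:1026           *:*
"""

# Constructed blocked-inbound entries: (protocol, source IP, source port, destination port).
# Assumed layout; transcribe the real firewall log into this form by hand or by script.
BLOCKED = [
    ("UDP", "192.0.2.55", 33315, 1026),
    ("UDP", "192.0.2.56", 34896, 1027),
    ("TCP", "203.0.113.7", 60440, 2453),
    ("TCP", "198.51.100.99", 49233, 2054),
]

NET_SEND_PORTS = {1026, 1027, 1028}  # ports named in the thread for net send spam
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S*)\s*$")

def parse_netstat(text):
    """Return {remote_ip: set(local_ports)} for ESTABLISHED TCP connections."""
    peers = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group(1) == "TCP" and m.group(6) == "ESTABLISHED":
            peers.setdefault(m.group(4), set()).add(int(m.group(3)))
    return peers

def classify(blocked, peers):
    """Label each blocked entry by how it relates to the current connections."""
    out = []
    for proto, src, _sport, dport in blocked:
        if proto == "UDP" and dport in NET_SEND_PORTS:
            label = "net-send-spam"   # unsolicited UDP to 1026-1028
        elif src in peers:
            label = "known-peer"      # same remote host already has a live session
        else:
            label = "unsolicited"     # no matching connection at all
        out.append((src, dport, label))
    return out

if __name__ == "__main__":
    for row in classify(BLOCKED, parse_netstat(NETSTAT)):
        print(row)
```

A "known-peer" result means the blocked source is a host the machine is already talking to, which is the kind of relationship between the two outputs the comparison is meant to surface.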

Alright, good to hear :slight_smile:

http://i36.tinypic.com/5f59mx.jpg <-I went out from around 5:15-7:15, turned off my router/PC during that time.
http://i37.tinypic.com/2ey9dp2.jpg

Sorry for the delay, was kind of a pain to crop it due to it being so huge. Had to scroll down and take a 2nd SS.

edit: Haven’t got any of the weird MSN spam since I got back

Sorry to cause you all that work.

The netstat output looks like normal stuff. I’m presuming though, that the first few lines represent some kind of MSN Messenger connection, as the ports in use are not normal server ports (like the web uses port 80), and the 207.46.x.x address is a Messenger gateway.

Since you haven’t gotten any MSN spam-like traffic, it could be those were old connection attempts if your IP address changes each time you reconnect to the Internet.

Everything seems clean, and CFP is blocking what it is supposed to be blocking.

Thanks for clearing that up :slight_smile:
The main thing that confused me with the MSN spam was that it was from an entirely different location each time. Not sure what that could mean but I suppose if everything is being blocked then I have nothing to worry about.

I’ll be sure to post back if it starts back up again.
edit: Seems like the MSN spam is gone for now, just the other thing persisting on.

The MSN spam is back :frowning:


I got back from watching TV and it was here so it can’t be caused by what I’m doing (I’d assume).
edit: new ones
SourceIP: 124.182.137.209 SourcePort: 60465 Destination Port: 2455 TCP x3
SourceIP: 124.182.137.209 SourcePort: 60440 Destination Port: 2453 TCP x2
SourceIP: 124.182.137.209 SourcePort: 60439 Destination Port: 2453 TCP

Keeps trying different ports each time :confused:
Went into active connections and it showed a connection with that IP via msn.

Hi TTraveler,

Based on this article there is a large range of ports used by MSN/Live Messenger
http://support.microsoft.com/kb/927847

My rules for Live messenger are as follows now:
Allow OUT TCP any any HTTP Ports.
Allow OUT TCP/UDP any any 1024 - 65535.

If you need more it will prompt you, and if you still keep getting the dropped packets in your logging, let us know.